ePrism Email Security Appliance User Guide - EdgeWave
ePrism Email Security Appliance<br />
User Guide<br />
Software Version: 6.5.2<br />
Last Revision: 5/25/07
Preface 7<br />
CHAPTER 1 ePrism Overview 11<br />
What’s New in ePrism 6.5 12<br />
ePrism Overview 14<br />
ePrism Deployment 20<br />
How Messages are Processed by ePrism 22<br />
CHAPTER 2 Administering ePrism 27<br />
Connecting to ePrism 28<br />
Configuring the Admin User 32<br />
Web Server Options 35<br />
Customizing the ePrism Interface 36<br />
CHAPTER 3 Configuring Mail Delivery Settings 37<br />
Network Settings 38<br />
Virtual Interfaces 42<br />
Static Routes 45<br />
Mail Routing 46<br />
Mail Delivery Settings 48<br />
Mail Aliases 53<br />
Mail Mappings 55<br />
Virtual Mappings 57<br />
CHAPTER 4 Directory Services 59<br />
Directory Service Overview 60<br />
Directory Servers 61<br />
Directory Users and Groups 63<br />
LDAP Aliases 67<br />
LDAP Mappings 69<br />
LDAP Recipients 71<br />
LDAP Relay 73<br />
LDAP Routing 76<br />
CHAPTER 5 Mail Security and Encryption 79<br />
SMTP Mail Access 80<br />
Anti-Virus 82<br />
Threat Outbreak Control 85<br />
External Email Message Encryption 90<br />
Encrypting Mail Delivery Sessions 94<br />
SSL Certificates 97<br />
CHAPTER 6 Message Content Scanning 101<br />
Content Scanning Overview 102<br />
Attachment Control 103<br />
Attachment Content Scanning 106<br />
Objectionable Content Filter 110<br />
Pattern Based Message Filtering (PBMF) 112<br />
Malformed Mail 121<br />
Dictionaries 123<br />
Message Archiving 125<br />
CHAPTER 7 Intercept Anti-Spam 131<br />
Intercept Anti-Spam Feature Overview 132<br />
Trusted and Untrusted Mail Sources 134<br />
Configuring Intercept Anti-Spam 136<br />
Intercept Components 139<br />
Intercept Advanced Features 177<br />
Trusted and Blocked Senders 181<br />
Spam Quarantine 187<br />
CHAPTER 8 User Accounts and Remote Authentication 195<br />
POP3 and IMAP Access 196<br />
Local User Mailboxes 197<br />
Mirror Accounts 199<br />
Strong Authentication 200<br />
Remote Accounts and Directory Authentication 202<br />
Relocated Users 205<br />
Vacation Notification 206<br />
Tiered Administration 209<br />
CHAPTER 9 Secure WebMail and ePrism Mail Client 211<br />
Secure WebMail 212<br />
ePrism Mail Client 216<br />
CHAPTER 10 Policy Management 219<br />
Policy Overview 220<br />
Creating Policies 223<br />
Domain Policies 224<br />
Group Policies 226<br />
User Policies 231<br />
Managing Policies 233<br />
Policy Diagnostics 234<br />
CHAPTER 11 Threat Prevention 237<br />
Threat Prevention Overview 238<br />
Configuring Threat Prevention 239<br />
Creating Threat Prevention Rules 241<br />
Static Address Lists 251<br />
Dynamic Address Lists 253<br />
F5 Blocking 256<br />
Cisco Blocking 261<br />
Threat Prevention Status 264<br />
CHAPTER 12 HALO (High Availability and Load Optimization) 265<br />
HALO Overview 266<br />
Configuring Clustering 268<br />
Cluster Management 274<br />
Configuring the F5 Load Balancer 278<br />
Queue Replication 279<br />
CHAPTER 13 Reporting 283<br />
Viewing and Generating Reports 284<br />
Viewing the Mail History Database 294<br />
Viewing the System History Database 296<br />
Report Configuration 299<br />
CHAPTER 14 System Management 301<br />
System Status and Utilities 302<br />
Mail Queue Management 305<br />
Quarantine Management 306<br />
License Management 308<br />
Software Updates 311<br />
Security Connection 312<br />
Reboot and Shutdown 313<br />
Backup and Restore 314<br />
Centralized Management 321<br />
Problem Reporting 326<br />
Health Check 327<br />
CHAPTER 15 Monitoring System Activity 329<br />
Activity Screen 330<br />
System Log Files 332<br />
Offloading Log Files 335<br />
SNMP (Simple Network Management Protocol) 337<br />
Alarms 340<br />
CHAPTER 16 Troubleshooting Mail Delivery 343<br />
Troubleshooting Mail Delivery 344<br />
Troubleshooting Tools 345<br />
Examining Log Files 346<br />
Network and Mail Diagnostics 355<br />
Troubleshooting Content Issues 360<br />
APPENDIX A Using the ePrism System Console 363<br />
APPENDIX B Restoring ePrism to Factory Default Settings 367<br />
APPENDIX C Message Processing Order 369<br />
APPENDIX D Customizing Notification and Annotation Messages 371<br />
APPENDIX E Performance Tuning 375<br />
Setting Default Performance Settings 376<br />
Advanced Settings 377<br />
APPENDIX F SNMP MIBS 383<br />
MIB Files Summary 383<br />
MIB Files 387<br />
MIB OID Values 411<br />
APPENDIX G Third Party Copyrights and Licenses 417<br />
Preface<br />
This User Guide provides detailed information on how to configure and manage your ePrism Email Security Appliance, and contains the following topics:<br />
• Chapter 1 — “ePrism Overview” on page 11<br />
• Chapter 2 — “Administering ePrism” on page 27<br />
• Chapter 3 — “Configuring Mail Delivery Settings” on page 37<br />
• Chapter 4 — “Directory Services” on page 59<br />
• Chapter 5 — “Mail Security and Encryption” on page 79<br />
• Chapter 6 — “Message Content Scanning” on page 101<br />
• Chapter 7 — “Intercept Anti-Spam” on page 131<br />
• Chapter 8 — “User Accounts and Remote Authentication” on page 195<br />
• Chapter 9 — “Secure WebMail and ePrism Mail Client” on page 211<br />
• Chapter 10 — “Policy Management” on page 219<br />
• Chapter 11 — “Threat Prevention” on page 237<br />
• Chapter 12 — “HALO (High Availability and Load Optimization)” on page 265<br />
• Chapter 13 — “Reporting” on page 283<br />
• Chapter 14 — “System Management” on page 301<br />
• Chapter 15 — “Monitoring System Activity” on page 329<br />
• Chapter 16 — “Troubleshooting Mail Delivery” on page 343<br />
The following sections contain supplemental information for the ePrism Email Security Appliance:<br />
• Appendix A — “Using the ePrism System Console” on page 363<br />
• Appendix B — “Restoring ePrism to Factory Default Settings” on page 367<br />
• Appendix C — “Message Processing Order” on page 369<br />
• Appendix D — “Customizing Notification and Annotation Messages” on page 371<br />
• Appendix E — “Performance Tuning” on page 375<br />
• Appendix F — “SNMP MIBS” on page 383<br />
• Appendix G — “Third Party Copyrights and Licenses” on page 417<br />
Related Documentation<br />
If Release Notes are included with your product package, please read them for the latest information on installing and managing ePrism.<br />
The following documents are included as part of the ePrism documentation set:<br />
TABLE 1. ePrism Documentation<br />
• Release Notes: Provides up to date information on the product, including new features, improvements, bug fixes, and any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.<br />
• Installation Guide: Provides detailed information on how to install and provide the initial configuration for the ePrism Email Security Appliance.<br />
• User Guide: Provides detailed information on how to configure, administer, and troubleshoot the ePrism Email Security Appliance.<br />
• Intercept Anti-Spam Quick Start Guide: Describes the basic configuration details and recommended strategies for ePrism’s Intercept Anti-Spam features.<br />
Conventions<br />
The following typographical conventions are used in this guide:<br />
TABLE 2. Typographical Conventions<br />
• italic: Screen name or data field names. Example: Activity Screen, or SMTP Port<br />
• bold: Button names, Menu items, and Screen names. Example: Select Basic Config ➝ Network on the menu and click the Apply button<br />
• courier font: Text displayed on the screen and File and Directory Names. Example: backup/backup.gzip<br />
• Bold courier: Text entered by the user. Example: Enter: example.com<br />
• Note symbol: Information that describes important features or instructions. Example: Please see the following section for more details<br />
• Caution symbol: Information that alerts you to potential problems and issues. Example: Use caution when enabling this feature<br />
Contacting Technical Support<br />
St. Bernard Software telephone support is available Monday-Friday during the hours listed for each region.<br />
North America, South America, Pacific Rim (PST): 07:00am to 4:00pm (Pacific Standard Time)<br />
15015 Avenue of Science<br />
San Diego, CA 92128<br />
Main: 858.676.2277<br />
FAX: 858.676.2299<br />
Technical Support: 858.676.5050<br />
Technical Support Email: ePrism-support@stbernard.com<br />
Europe, Asia, Africa (UTC): 08:30 to 17:30 (UTC)<br />
Unit 4, Riverside Way<br />
Watchmoor Park, Camberley<br />
Surrey, UK<br />
GU15 3YQ<br />
Main: 44.1276.401.640<br />
FAX: 44.1276.684.479<br />
Technical Support: 44.1276.401.642<br />
Technical Support Email: support@uk.stbernard.com<br />
Copyright Information<br />
© 2003-2007 St. Bernard Software, Inc. All rights reserved.<br />
St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged.<br />
Information in this document is subject to change without notice.<br />
CHAPTER 1<br />
ePrism Overview<br />
This chapter provides an overview of the architecture and features of the ePrism Email Security Appliance, and contains the following topics:<br />
• “What’s New in ePrism 6.5” on page 12<br />
• “ePrism Overview” on page 14<br />
• “ePrism Deployment” on page 20<br />
• “How Messages are Processed by ePrism” on page 22<br />
What’s New in ePrism 6.5<br />
The ePrism Email Security Appliance version 6.5 adds several new features while considerably improving the functionality of existing features.<br />
Blocked Senders List<br />
The Blocked Senders List allows end users to specify a list of addresses from which they do not want to receive mail. These senders will be blocked from sending mail to that specific user via ePrism. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded by ePrism.<br />
Blocked Senders are configured via Mail Delivery ➝ Anti-Spam ➝ Trusted/Blocked Senders on the menu.<br />
Virtual Interfaces<br />
Virtual Interfaces are used by ePrism to define additional interfaces and IP addresses to send and receive mail for specific domains. These Virtual Interfaces are associated with the existing physical network interfaces on ePrism. ePrism will send all outbound email for a specific domain using its specified IP address in the Virtual Interfaces configuration. ePrism selects the Virtual Interface to use for outgoing mail by matching the sender's domain to the domains associated with the configured Virtual Interfaces.<br />
Virtual Interfaces are configured via Basic Config ➝ Virtual Interfaces on the menu.<br />
Image Spam Analysis<br />
An Image Spam email message typically consists of random text or no text body and contains an attached picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed.<br />
The Image Spam Analysis feature performs advanced analysis of image attachments to help determine whether the message is spam or legitimate mail. Similar to ePrism's other Anti-Spam features that detect spam characteristics in the text of a message, the Image Spam Detection feature extracts certain characteristics of the attached image to determine whether these characteristics are similar to those seen in actual spam messages.<br />
The Image Spam Detection feature uses the Token Analysis feature to analyze image spam messages. Token Analysis must be enabled for Image Spam detection to work.<br />
Enable the Image Analysis option via Mail Delivery ➝ Anti-Spam ➝ Intercept ➝ Token Analysis ➝ Advanced on the menu.<br />
Intercept Anti-Spam Improvements<br />
The following improvements have been made to ePrism's Intercept Anti-Spam feature:<br />
• The Intercept Anti-Spam engine has been enhanced to increase Intercept's effectiveness against the latest types of image spam and other spam messages.<br />
• The Intercept training engine and database have been updated to improve the efficiency and effectiveness of training for spam and legitimate mail.<br />
• Intercept's use of the BorderWare Security Network (BSN) and DNS/URL Block Lists has been improved to provide more effective reputation and block list contribution to the overall Intercept spam score decision for a message.<br />
• Bulk Analysis has been modified to reduce the probability of false positives in the Intercept spam decision. To revert to the previous behaviour and increase the emphasis on Bulk Analysis results, set the Bulk Analysis weight to 90 in the advanced Intercept settings, accessed via Mail Delivery ➝ Anti-Spam ➝ Intercept and clicking the Advanced button.<br />
LDAP Paging Support<br />
When querying an LDAP server, the amount of information returned may contain thousands of entries and sub-entries. Paging allows LDAP information to be retrieved in more manageable sections to control the rate of data being returned. Previously, ePrism could not retrieve more entries than the administrative limit configured by Microsoft Active Directory®, requiring the limit to be increased on the Active Directory server. Active Directory LDAP paging is now supported by ePrism and removes the requirement to manually set a higher maximum page size in Active Directory for use with ePrism LDAP user imports.<br />
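For readers who want to see what paging actually does on the wire, the following added example (not ePrism’s own LDAP client) encodes and decodes the Simple Paged Results control value defined in RFC 2696 (control OID 1.2.840.113556.1.4.319) and pages through a simulated directory whose page-size limit is lower than the client asks for. Without the control, a search that would return more than the server’s MaxPageSize entries (1000 by default on Active Directory) is cut off with a sizeLimitExceeded result, which is the administrative limit the previous release required administrators to raise. The directory contents and the FakeDirectory server are constructed so that the code runs offline.<br />

```python
"""LDAP Simple Paged Results control (RFC 2696): encode, decode, and page through a search.

Added example, not ePrism's LDAP client. The BER encoding and the control OID are
the real ones; the directory contents and the FakeDirectory server are constructed so
the loop runs offline. Against a real server the encoded value is carried in the
SearchRequest controls and the server returns the same control with its own cookie.
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # pagedResultsControl (RFC 2696)


def _ber_length(n):
    """BER length octets: short form below 128, long form (0x80 | octet count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value):
    """BER INTEGER for a non-negative value: minimal octets with the top bit clear."""
    if value < 0:
        raise ValueError("page size and cookie offsets are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + _ber_length(len(body)) + body


def _ber_octet_string(data):
    return b"\x04" + _ber_length(len(data)) + data


def encode_paged_control(page_size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    content = _ber_integer(page_size) + _ber_octet_string(cookie)
    return b"\x30" + _ber_length(len(content)) + content


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value starting at pos; return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expected_tag:
        raise ValueError("unexpected tag 0x%02x" % tag)
    pos += 2
    if length & 0x80:                        # long form: the next (length & 0x7f) octets hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return buf[pos:pos + length], pos + length


def decode_paged_control(value):
    """Return (size, cookie) from an encoded pagedResultsControl value."""
    content, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    size_bytes, pos = _read_tlv(content, 0, 0x02)
    cookie, pos = _read_tlv(content, pos, 0x04)
    if pos != len(content):
        raise ValueError("trailing bytes inside control value")
    return int.from_bytes(size_bytes, "big"), cookie


class FakeDirectory:
    """Constructed stand-in for a server that enforces a MaxPageSize.

    The cookie here is simply the offset into the result set; real servers return an
    opaque value that the client must hand back unchanged.
    """

    def __init__(self, entries, max_page_size=1000):   # 1000 is Active Directory's default
        self.entries = entries
        self.max_page_size = max_page_size

    def search(self, control_value):
        requested, cookie = decode_paged_control(control_value)
        offset = int.from_bytes(cookie, "big") if cookie else 0
        size = min(requested, self.max_page_size)    # the server caps the page instead of failing
        page = self.entries[offset:offset + size]
        next_offset = offset + len(page)
        next_cookie = b"" if next_offset >= len(self.entries) else next_offset.to_bytes(4, "big")
        # Response control: the size field is an optional estimate, 0 when unknown.
        return page, encode_paged_control(0, next_cookie)


def fetch_all(directory, page_size):
    """Client loop: resend the server's cookie until it comes back empty."""
    results, cookie, rounds = [], b"", 0
    while True:
        page, response_control = directory.search(encode_paged_control(page_size, cookie))
        results.extend(page)
        rounds += 1
        _, cookie = decode_paged_control(response_control)
        if not cookie:
            return results, rounds
```

Asking for 5000 entries from a directory capped at 1000 per page takes three round trips and returns all 2500 entries; the client never needs to know the server’s limit, which is why the import works without changing MaxPageSize.<br />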
ePrism Overview<br />
ePrism is a dedicated Mail Firewall designed for deployment between internal mail servers and the Internet. ePrism supports the standard mail protocols for processing email messages while offering a secure method for their processing and delivery. ePrism has been designed specifically to resist operating system attacks and protect mail servers from direct SMTP and HTTP connections.<br />
ePrism Deployment<br />
ePrism is generally configured to accept all mail for a domain or sub-domain, store and process mail according to specified security policies, and deliver the mail to one or more internal mail servers for collection by users. ePrism is ideally suited for deployment in parallel with an existing firewall, on a DMZ, or on an internal network.<br />
See “ePrism Deployment” on page 20 for more detailed information on deploying ePrism.<br />
Mail Delivery Security<br />
ePrism has a sophisticated mail delivery system with several security features and benefits to ensure that identifying information about your company’s email infrastructure remains private.<br />
• For a company with multiple domain names, ePrism can accept, process and deliver mail to private email servers.<br />
• For a company with multiple private email servers, ePrism can route mail based on the domain or subdomain to separate groups of email users.<br />
• Security features such as mail mappings and address masquerading allow references to internal host names to be hidden.<br />
Content Scanning and Filtering<br />
ePrism implements attachment controls, attachment content scanning, and content filtering based on pattern and text matching. These controls help prevent the following:<br />
• Breaches of confidentiality<br />
• Legal liability from offensive content<br />
• Personal abuse of company resources<br />
• Violations of compliance policies<br />
Attachment controls are based on the following characteristics:<br />
• File Extension Suffix — The suffix of the file is checked to determine the attachment type, such as .exe or .jpg.<br />
• MIME Content Type — The MIME (Multipurpose Internet Mail Extensions) Content-Type declared for the message part is used to identify the content type.<br />
• Content Analysis — The file is analyzed from the beginning to look for characteristics that identify the file type. This analysis ensures that the attachment controls are not circumvented by simply renaming a file.<br />
• Deep Content Scanning — Attachments such as PDFs or Microsoft Word documents can be analyzed for words or phrases that match a pattern filter or compliance dictionary.<br />
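The first three attachment checks, as an added example rather than ePrism’s own code: a small Python routine looks at the file name suffix, the declared MIME type, and the leading bytes of the attachment, and shows why the third check matters when a user renames an executable. The signature table, the block lists and the sample attachments are constructed for the illustration and are not taken from the product.<br />

```python
"""Attachment control: extension, declared MIME type, and content analysis.

Added example, not ePrism's attachment-control code. The signature table, the
block lists and the sample attachments are constructed for illustration.
"""
import os

# Leading-byte signatures for a few common formats (constructed subset).
MAGIC_SIGNATURES = {
    b"MZ": "application/x-msdownload",          # Windows PE executable (.exe, .dll, .scr)
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",            # also Office OOXML (.docx, .xlsx) and .jar
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Constructed policy: suffixes and MIME types the general-user policy blocks.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
BLOCKED_MIME_TYPES = {"application/x-msdownload"}


def sniff_mime_type(data):
    """Return the MIME type implied by the leading bytes, or None if unrecognized."""
    for magic, mime in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def evaluate_attachment(filename, declared_mime, data):
    """Apply the three attachment checks; return ("block" | "allow", list of findings).

    1. File Extension Suffix: the name's suffix against the blocked list.
    2. MIME Content Type: the Content-Type the sender declared for the part.
    3. Content Analysis: the leading bytes, so renaming cannot hide the real type.
    """
    ext = os.path.splitext(filename)[1].lower()
    declared = declared_mime.lower()
    sniffed = sniff_mime_type(data)
    findings = []
    if ext in BLOCKED_EXTENSIONS:
        findings.append(("block", "extension %s is on the block list" % ext))
    if declared in BLOCKED_MIME_TYPES:
        findings.append(("block", "declared type %s is on the block list" % declared))
    if sniffed in BLOCKED_MIME_TYPES:
        findings.append(("block", "leading bytes identify %s, whatever the file is called" % sniffed))
    if sniffed is not None and sniffed != declared:
        findings.append(("note", "declared %s but content sniffs as %s" % (declared, sniffed)))
    verdict = "block" if any(level == "block" for level, _ in findings) else "allow"
    return verdict, [text for _, text in findings]


# Constructed sample attachments: (filename, declared Content-Type, leading bytes).
SAMPLE_ATTACHMENTS = [
    # Honest executable: all three checks fire.
    ("setup.exe", "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 60),
    # Renamed executable: suffix and declared type look harmless; only content analysis catches it.
    ("quarterly_report.pdf", "application/pdf", b"MZ\x90\x00" + b"\x00" * 60),
    # Genuine PDF: nothing to report.
    ("invoice.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    # Script suffix on the block list; there is no signature for plain text, so only check 1 fires.
    ("notes.js", "text/javascript", b"alert(1);"),
]


def scan_all(attachments=SAMPLE_ATTACHMENTS):
    """Return {filename: (verdict, findings)} for every attachment."""
    return {name: evaluate_attachment(name, mime, data) for name, mime, data in attachments}


if __name__ == "__main__":
    for name, (verdict, findings) in scan_all().items():
        print(name, verdict, findings)
```

Running scan_all() shows the renamed executable passing the suffix and MIME checks and being caught only by content analysis, which is exactly the circumvention the Content Analysis item describes; a policy that relied on the first two checks alone would deliver it.<br />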
Virus Scanning<br />
The ePrism Email Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and malicious programs. ePrism’s high performance virus scanning provides a vital layer of protection against viruses for your entire organization. Automatic pattern file updates ensure that the latest viruses are detected.<br />
Threat Outbreak Control<br />
The Threat Outbreak Control feature provides customers with zero-day protection against early virus outbreaks. For most virus attacks, the time from the moment the virus is released to the time a pattern file is available to protect against the virus can be several hours. During this period, mail recipients are vulnerable to potential threats. ePrism's Threat Outbreak Controls can detect and take action against early virus outbreaks to contain the virus threat.<br />
Malformed Message Protection<br />
Similar to malformed data packets used to subvert networks, malformed messages allow viruses and other attacks to avoid detection, crash systems, and lock up mail servers. ePrism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients and improves the effectiveness of existing virus scanning implementations.<br />
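Message integrity checking of the kind described here can be illustrated with the standard Python email parser, which records MIME structure problems as defects on each part rather than rejecting the message outright. The example below is added here and is not ePrism’s code; besides structural defects it flags missing Date, From and Message-ID headers, the kind of missing-header anomaly the Intercept engine’s Mail Anomalies check looks for. The three sample messages are constructed.<br />

```python
"""Message integrity check: MIME structure defects and missing required headers.

Added example, not ePrism's malformed-mail code. It relies on the standard
library parser, which records structural problems as "defects" on each part
instead of raising, so a gateway can decide what to do with a damaged message.
The three sample messages are constructed.
"""
import email
from email import policy

# Date and From are mandatory under RFC 5322; a missing Message-ID is a common
# anomaly in bulk mail. Which headers to insist on is a policy choice (constructed here).
REQUIRED_HEADERS = ("Date", "From", "Message-ID")


def check_message(raw):
    """Parse a raw RFC 5322 message and return a list of problem strings (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    problems = []
    # Defects the parser recorded on the top-level message, e.g. a multipart
    # whose declared boundary never appears in the body.
    for defect in msg.defects:
        problems.append("mime: " + type(defect).__name__)
    # Defects recorded on nested parts.
    for part in msg.walk():
        if part is msg:
            continue
        for defect in part.defects:
            problems.append("mime(part): " + type(defect).__name__)
    # Header anomalies: headers a legitimate mail client always sets.
    for name in REQUIRED_HEADERS:
        if name not in msg:
            problems.append("header: missing " + name)
    return problems


def is_well_formed(raw):
    """True when the message has no structural defects and carries the required headers."""
    return not check_message(raw)


# Constructed: a correctly formed multipart message.
GOOD_MESSAGE = b"""\
From: alice@example.com
To: bob@example.com
Date: Fri, 25 May 2007 10:00:00 -0700
Message-ID: <1234@example.com>
Subject: status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello.
--b1--
"""

# Constructed: claims to be multipart but never presents the declared boundary,
# so a scanner that trusts Content-Type and looks for parts sees nothing to scan.
NO_BOUNDARY_MESSAGE = b"""\
From: mailer@example.net
To: bob@example.com
Date: Fri, 25 May 2007 10:00:00 -0700
Message-ID: <5678@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

This body contains no boundary lines at all.
"""

# Constructed: no Date, From or Message-ID, the "missing headers" anomaly.
HEADERLESS_MESSAGE = b"""\
To: bob@example.com
Subject: hi

body
"""


if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("no-boundary", NO_BOUNDARY_MESSAGE),
                       ("headerless", HEADERLESS_MESSAGE)):
        print(label, check_message(raw) or "ok")
```

The second sample is the interesting one: a virus scanner that trusts the Content-Type header and iterates over MIME parts finds none, while a client that falls back to showing the body as text still renders whatever is in it. Rejecting or quarantining on a StartBoundaryNotFoundDefect closes that gap before the message reaches the scanner.<br />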
Intercept Anti-Spam<br />
The ePrism Email Security Appliance provides a complete and robust set of anti-spam features specifically designed to protect against the full spectrum of current and evolving spam threats. ePrism’s Intercept Anti-Spam engine can combine the results of several Anti-Spam features to provide a better informed decision on whether a message is spam or legitimate mail. These features include:<br />
• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the client address or SMTP session parameters such as the HELO name, Envelope-From and Envelope-To.<br />
• Pattern Based Message Filtering (PBMF) — Filter messages based upon matches in the envelope, headers, or body of a message.<br />
• Spam Dictionaries — Filter messages based on a dictionary of typical spam words and phrases that are matched against a message.<br />
• Mail Anomalies — Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields. Checks for recent spam and viruses from a specific IP address can also be enabled; these checks are used in conjunction with the Threat Prevention feature.<br />
• DNS Block List (DNSBL) — Detects spam using DNS-based lists of hosts with a poor reputation. Messages can also be rejected immediately, regardless of the results of other Anti-Spam processing, if the client is listed on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must list the client before the sender is considered unreliable.<br />
• URL Block List — Detects spam by examining the URLs in a message and querying a SURBL (Spam URI Realtime Block List) server to determine whether the URL has been used in spam messages.<br />
• Bulk Analysis — Detects bulk mail spam by checking for mail sent to a large number of users.<br />
• Token Analysis — Detects spam based on advanced content analysis using databases of known spam and valid mail. This feature is also specially engineered to detect image spam effectively.<br />
• Sender Policy Framework (SPF) — Checks the sending domain’s SPF DNS record to verify that the connecting host is authorized to send mail for that domain.<br />
• DomainKeys Authentication — Verifies the message’s DomainKeys signature against the public key published in the sending domain’s DNS records to identify the source of a message.<br />
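To make the SPF mechanism concrete, the following added example (not ePrism’s code) evaluates a published v=spf1 record against the connecting client IP for the ip4, ip6 and all mechanisms and their qualifiers. It takes the record text as input; a real check first fetches the TXT record of the Envelope-From domain (or the HELO name when Envelope-From is empty), and the a, mx, include, exists and ptr mechanisms and the redirect modifier need further DNS lookups, which this evaluator reports as unsupported rather than guessing. The records and addresses are constructed.<br />

```python
"""Evaluate a published SPF record against the connecting client IP.

Added example, not ePrism's SPF implementation. It covers the ip4, ip6 and all
mechanisms with their qualifiers (a useful subset of RFC 7208); mechanisms that
need DNS (a, mx, include, exists, ptr, redirect=) are reported as unsupported
instead of being guessed. Records and addresses below are constructed.
"""
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result string for client_ip under one TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # first colon separates mechanism and argument
        mech = mech.partition("=")[0].lower()  # modifiers look like redirect=domain
        if mech == "all":
            return QUALIFIERS[qualifier]     # "all" matches anything not matched earlier
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix length
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                         # no match; try the next term
        return "unsupported:" + mech         # would need a DNS lookup
    return "neutral"                         # ran off the end with no "all" term


# Constructed record: one IPv4 range, one IPv6 range, soft-fail everything else.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"


if __name__ == "__main__":
    for addr in ("192.0.2.77", "2001:db8:1::5", "198.51.100.9"):
        print(addr, evaluate_spf(SAMPLE_RECORD, addr))
```

Note that a softfail or neutral result is advisory: it is the spam engine's weighting of that result, not the SPF check by itself, that decides whether the message is scored as spam.<br />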
Threat Prevention<br />
ePrism’s Threat Prevention capabilities allow organizations to detect and block incoming threats in real time. Threat types can be monitored and recorded to track client IP behaviour and reputation. By examining mail flow patterns, ePrism detects whether a sending host is behaving maliciously by sending out viruses or spam, or by attempting denial-of-service (DoS) attacks. By recognizing these mail patterns as they occur, ePrism can be an effective defence against immediate attacks. ePrism’s Threat Prevention feature can block or throttle inbound mail connections before the content is processed to lessen the impact of a large number of inbound messages.<br />
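Blocking or throttling a client before any content is read is a connection-rate decision. The added example below (not ePrism’s Threat Prevention implementation) keeps a sliding window of connection attempts per client IP and returns accept, throttle or block on each new connection, with a block that expires after a configurable period. The thresholds, window length and connection log are constructed for the illustration.<br />

```python
"""Per-client connection-rate controls: throttle, then block, before any content is read.

Added example for illustration, not ePrism's Threat Prevention implementation.
Thresholds, window length and the connection log below are constructed.
"""
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Sliding-window count of SMTP connection attempts per client IP.

    on_connect() returns one of:
      "accept"   fewer than throttle_at attempts in the window
      "throttle" throttle_at or more: accept, but the caller should delay the banner
      "block"    block_at or more: refuse this and further connections for block_seconds
    The decision needs only the client IP and the clock, so it can run before the
    SMTP banner is sent and long before message content is scanned.
    """

    def __init__(self, window_seconds=60, throttle_at=20, block_at=50, block_seconds=600):
        self.window = window_seconds
        self.throttle_at = throttle_at
        self.block_at = block_at
        self.block_seconds = block_seconds
        self.attempts = defaultdict(deque)   # ip -> timestamps of attempts still in the window
        self.blocked_until = {}              # ip -> time at which an active block expires

    def on_connect(self, ip, now):
        """Record a connection attempt from ip at time now and return the decision."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"               # still inside the block period
            del self.blocked_until[ip]       # block has expired; start counting afresh
        window = self.attempts[ip]
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()                 # forget attempts older than the window
        count = len(window)
        if count >= self.block_at:
            self.blocked_until[ip] = now + self.block_seconds
            window.clear()
            return "block"
        if count >= self.throttle_at:
            return "throttle"
        return "accept"


# Constructed connection log: (seconds since start, client IP).
# 203.0.113.5 behaves like a spam bot, opening 60 connections in 30 seconds;
# 198.51.100.7 is an ordinary peer connecting every 10 seconds.
SAMPLE_LOG = [(i * 0.5, "203.0.113.5") for i in range(60)] + \
             [(i * 10.0, "198.51.100.7") for i in range(6)]


def replay(events, limiter=None):
    """Replay a connection log in time order and return per-IP decision counts."""
    if limiter is None:
        limiter = ConnectionRateLimiter()
    summary = defaultdict(lambda: {"accept": 0, "throttle": 0, "block": 0})
    for timestamp, ip in sorted(events):
        summary[ip][limiter.on_connect(ip, timestamp)] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, counts in replay(SAMPLE_LOG).items():
        print(ip, counts)
```

With the default thresholds the bot's first 19 connections are accepted, the next 30 are throttled, and from the 50th on the client is refused for ten minutes, while the ordinary peer is never affected; the point is that none of this required parsing a single message.<br />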
Trusted and Blocked Senders List<br />
These features allow users to create their own personal Trusted and Blocked Senders Lists based on a sender’s email address. The Trusted email addresses will be exempt from ePrism’s spam controls allowing users to trust legitimate senders, while email addresses on the Blocked Senders List will be prevented from sending mail to that user via ePrism.<br />
Spam Quarantine<br />
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user. Users will be able to connect to ePrism either directly or through a summary email to view and manage their own quarantined spam. Messages can be deleted, or moved to the user’s local mail folders. Automatic notification emails can be sent to end users notifying them of the existence of messages in their personal quarantine area.<br />
Secure WebMail<br />
ePrism’s Secure WebMail provides remote access support to internal mail servers. With Secure WebMail, users can access their mailboxes using email web clients such as Outlook® Web Access, Lotus iNotes, or ePrism’s own web mail client. ePrism addresses the security issues currently preventing deployment of web mail services by providing the following protection:<br />
• Strong authentication (including integration with Active Directory)<br />
• Encrypted sessions<br />
• Advanced session control to prevent information leaks on workstations<br />
Authentication<br />
ePrism supports the following authentication methods for administrators, WebMail users, Trusted Senders List, and Spam Quarantine purposes:<br />
• User ID and Password<br />
• RADIUS and LDAP<br />
• RSA SecurID® tokens<br />
• SafeWord and CRYPTOCard tokens<br />
Mail Delivery Encryption<br />
All mail delivered to and from ePrism can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, or internal mail clients. TLS protects each SMTP session between ePrism and the peer it connects to, both locally and remotely; it is not end-to-end message encryption, for which see “External Email Message Encryption” on page 90.<br />
Encryption can be used for the following:<br />
• Secure mail delivery on the Internet to prevent anyone from viewing email while in transit.<br />
• Secure mail delivery across a LAN to prevent malicious users from viewing email other than their own.<br />
• Create policies for secure mail delivery to branch offices, remote users and business partners.<br />
• ePrism supports TLS/SSL encryption for all user and administrative sessions.<br />
• TLS/SSL is used to encrypt SMTP sessions, effectively preventing eavesdropping and interception.<br />
Local User Mailboxes<br />
ePrism can host user mailboxes and act as a fully functioning mail server for small offices. ePrism fully supports POP3 and IMAP (including their secure versions) and SMTP protocols for retrieving and sending mail.<br />
HALO (High Availability and Load Optimization)<br />
ePrism is the first email firewall to provide enterprises with a fail-safe clustering architecture for high availability. HALO ensures email is never lost due to individual system failure through its unique security, cluster management, load balancing and optimization, and "stateful failover" queue replication capabilities. Systems can be clustered together to add capacity and throughput, or to provide load balancing and optional high availability.<br />
Cluster Management<br />
The cluster management feature allows administrators to manage ePrism clusters and to synchronize configuration settings across all systems in the cluster. Combined reports and email database searches may be derived from clustered systems. Specific features include:<br />
• Configuration Replication — This function allows systems to be added to clusters and to assume the configuration of a defined "master" Cluster Console system.<br />
• Cluster Synchronization — Systems within a cluster can be synchronized to the defined "master" system. Any changes to the configuration of the Cluster Console master are reflected in the configuration of all systems in the cluster.<br />
• Cluster Reporting — ePrism reports can be generated for a single system or for all systems in a cluster. The email database can be searched by system or by cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message.<br />
Load Balancing and Optimization<br />
A basic requirement of high availability is to have an automated or semi-automated mechanism for switching the mail stream between available systems in the cluster, depending on their individual availability or health.<br />
Utilizing DNS round-robin techniques or dedicated load balancing hardware, email can be directed to ePrism systems in a cluster depending on their availability and current load.<br />
Queue Replication<br />
To prevent the loss of email messages during a system failure, ePrism has created a unique solution with "stateful failover" queue replication technology that replicates queues and intelligently synchronizes messages to a defined mirror system within a cluster. If a system in a cluster should fail and there exists undelivered mail in its queue, a mirror system can take ownership of that queue’s messages and successfully process and deliver them. This ensures that no email messages are ever lost.<br />
Policy Controls<br />
Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control to be customized and applied based on the group membership, domain membership, or email address of the recipient. User groups can be imported from an LDAP-based directory, and then policies can be created to apply customized settings to these groups.<br />
For example, you can set up an Attachment Control Policy to allow your Development group to accept and send executable files (.exe), while configuring your attachment control settings for all your other departments to block this file type to prevent the spread of viruses among the general users.<br />
Directory Service Support<br />
ePrism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:<br />
• LDAP lookup prior to internal delivery — ePrism can check for the existence of an internal user via LDAP before delivering a message. This feature allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages for non-existent local addresses. This check can be performed directly against an LDAP server or against a cached directory stored locally on ePrism.<br />
• Group/User Imports — An LDAP lookup will determine the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on ePrism to be used for services such as the Spam Quarantine.<br />
• Authentication — LDAP can be used for authenticating IMAP access, user mailbox, and WebMail logins.<br />
• SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP Relay.<br />
• Mail Routing — LDAP can be used to look up Mail Routes for a domain to deliver mail to its destination server.<br />
Manageability<br />
ePrism provides a complete range of monitoring and diagnostics tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, while comprehensive logs record all mail activity.<br />
• Web Browser-based Management — The web browser management interface displays a<br />
live view of system activity and traffic flows. The management interface can be configured<br />
to display this information for one or many systems, including systems in a local cluster or<br />
systems that are being centrally managed.<br />
• Reporting and Auditing — The reporting and audit features deliver a comprehensive set<br />
of statistics that may be generated at any time or scheduled for automatic delivery. <strong>ePrism</strong><br />
includes a wide range of predefined reports, including information on system health, mail<br />
processing, spam, virus filtering statistics, and user mail volumes. Administrators can easily<br />
create customized reports.<br />
• Enterprise integration with SNMP — Using SNMP (Simple Network Management<br />
Protocol), <strong>ePrism</strong> can generate both information and traps to be used by SNMP monitoring<br />
tools. This extends the administrator’s view of <strong>ePrism</strong> and allows an instant view of<br />
significant system events, including traffic flows and system failures.<br />
• Alarms — <strong>ePrism</strong> can generate system alarms that can automatically notify the<br />
administrator via email and console alerts of a system condition that requires attention.<br />
• Archiving — Archiving support allows organizations to define additional mail handling<br />
controls for inbound and outbound mail. These features are especially important for<br />
organizations that must archive certain types of mail for regulatory compliance or for<br />
corporate security policies.<br />
<strong>Security</strong> Connection<br />
The <strong>Security</strong> Connection provides an automated software update service. By enabling the<br />
<strong>Security</strong> Connection, you are automatically notified of any new patches and updates for the<br />
<strong>ePrism</strong> software. St. Bernard continuously monitors for new vulnerabilities and issues new<br />
updates to defend against them, ensuring that you have them as soon as they are available.<br />
Internationalization<br />
<strong>ePrism</strong> supports internationalization for annotations, notification messages, and mail database<br />
views. For example, if a message sent to someone who is on vacation uses the<br />
ISO-2022-JP (Japanese) character set, the vacation notification sent back will use the same<br />
character set. The mail history database can also be viewed using international character sets.<br />
<strong>ePrism</strong> Deployment<br />
<strong>ePrism</strong> is designed to be situated between mail servers and the Internet so that there are no<br />
direct SMTP (Simple Mail Transfer Protocol) connections between external and internal<br />
servers.<br />
<strong>ePrism</strong> is typically installed in one of three locations:<br />
• In parallel with the firewall<br />
• On your DMZ (Demilitarized Zone)<br />
• Behind the existing firewall on the Internal network<br />
SMTP TCP port 25 traffic is redirected from either the external interface of the firewall or from<br />
the external router to <strong>ePrism</strong>. When the mail is accepted and processed, <strong>ePrism</strong> initiates an<br />
SMTP connection to the internal mail server to deliver the mail.<br />
<strong>ePrism</strong> in Parallel with the Firewall<br />
The preferred deployment strategy for <strong>ePrism</strong> is to be situated in parallel with an existing<br />
network Firewall. <strong>ePrism</strong>’s inherent firewall security architecture eliminates the risk associated<br />
with deploying an appliance on the perimeter of a network. This parallel deployment eliminates<br />
any mail traffic on the firewall and decreases its overall load.<br />
<strong>ePrism</strong> on the DMZ<br />
Deploying <strong>ePrism</strong> on the DMZ is an equally secure deployment option. This<br />
type of deployment prevents any direct connection from the Internet to the internal servers, but<br />
does not ease the existing load on the firewall.<br />
<strong>ePrism</strong> on the Internal Network<br />
<strong>ePrism</strong> can also be deployed on the Internal Network. Although this configuration allows a<br />
direct connection from the Internet into the internal network, it is a perfectly legitimate<br />
configuration when dictated by existing network resources.<br />
How Messages are Processed by <strong>ePrism</strong><br />
The following sections describe the sequence in which the various <strong>ePrism</strong> security features are<br />
applied to any inbound and outbound mail messages and how these settings affect their<br />
delivery.<br />
Trusted Mail<br />
<strong>ePrism</strong> only processes mail through the spam filters when a message originates from an<br />
"untrusted" source. Trusted sources bypass the spam controls. By default, mail that arrives on a<br />
particular network interface from the same subnet is "trusted".<br />
There are two ways to control how sources of mail are identified and trusted:<br />
1. The network interface the mail arrives on<br />
2. A specified IP address (or address block), or server or domain name<br />
See “Trusted and Untrusted Mail Sources” on page 134 for information on configuring trusted<br />
and untrusted sources.<br />
Inbound and Outbound Scanning<br />
For features that scan both inbound and outbound mail, the following rules apply:<br />
• Mail from trusted source to local recipient — Inbound<br />
• Mail from trusted source to non-local recipient — Outbound<br />
• Mail from untrusted source to local recipient — Inbound<br />
• Mail from untrusted source to non-local recipient — Inbound<br />
SMTP Connection<br />
An SMTP connection request is made from another system. <strong>ePrism</strong> accepts the connection<br />
request unless one of the following checks (if enabled) is triggered:<br />
• Reject on Threat Prevention — Rejects mail when the client is rejected by the Threat<br />
Prevention feature.<br />
• Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP<br />
commands ahead of time without knowing whether the mail server actually supports SMTP<br />
command pipelining. This stops messages from bulk mail software that uses SMTP<br />
command pipelining improperly to speed up deliveries.<br />
• Reject on expired <strong>ePrism</strong> license — Rejects mail if the <strong>ePrism</strong> license has expired.<br />
• Specific Access Pattern and Pattern Based Message Filter (Reject) — Rejects mail<br />
based on SAP and PBMF for the HELO, Envelope-TO, Envelope-From, and Client IP fields.<br />
• Reject on DNS Block list — Rejects mail if the sender is on a DNSBL and <strong>ePrism</strong> is set to<br />
reject on DNSBL.<br />
• Reject on BSN (Reputation, Infected, Dial-up) — Rejects mail based on statistics<br />
provided by the St. Bernard <strong>Security</strong> Network.<br />
At this point, trusted or local networks skip any further "Reject" checks.<br />
• Reject on unknown sender domain — Rejects mail when the domain of the sender’s mail<br />
address has no DNS A or MX record.<br />
• Reject on missing reverse DNS — Rejects mail from hosts where the host IP address has<br />
no PTR (address to name) record in the DNS, or when the PTR record does not have a<br />
matching A (name to address) record. This setting is rarely used because many servers on<br />
the Internet do not have valid reverse DNS records, and enabling it may result in rejecting<br />
mail from legitimate sources.<br />
• Reject on missing sender MX — Rejects mail when the sender’s mail address is missing<br />
a DNS MX record.<br />
• Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM<br />
command is not in fully qualified domain name (FQDN) form.<br />
• Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. The<br />
system will perform an LDAP lookup on the recipient’s address to ensure that it exists before<br />
delivering the message.<br />
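The trusted-source test, the inbound/outbound rules and the connection-time reject checks above, modelled as an added Python example that is not <strong>ePrism</strong>'s code; the configuration, DNS records and addresses are constructed, and skipping the sender-domain checks for a null sender is an assumption not stated in the guide.<br />

```python
"""Added example, not ePrism's code: a small model of the connection-time decisions
described above (trusted-source test, inbound/outbound classification, and the
DNS-based reject checks that only untrusted clients are subject to).
Config, DNS records and host addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed DNS records so the example runs offline (documentation ranges, not real hosts).
DNS = {
    "A": {"mail.partner.test": ["198.51.100.5"], "partner.test": ["198.51.100.5"],
          "intranet": ["198.51.100.9"]},
    "MX": {"partner.test": ["mail.partner.test"]},
    "PTR": {"198.51.100.5": "mail.partner.test"},
}

def lookup(dns, rtype, key):
    return dns[rtype].get(key.lower())

@dataclass
class Interface:
    name: str
    network: str           # interface address with netmask, e.g. "192.168.1.104/24"
    trusted_subnet: bool   # the "Trusted Subnet" option on the interface

@dataclass
class GatewayConfig:
    interfaces: list
    trusted_blocks: list = field(default_factory=list)   # explicit trusted IPs / address blocks
    local_domains: set = field(default_factory=set)      # domains the gateway accepts mail for
    known_recipients: set = field(default_factory=set)   # stands in for the LDAP recipient lookup
    reject_unknown_sender_domain: bool = True
    reject_missing_reverse_dns: bool = False             # rarely enabled, per the guide
    reject_missing_sender_mx: bool = False
    reject_non_fqdn_sender: bool = True
    reject_unknown_recipient: bool = True

def is_trusted(cfg, iface_name, client_ip):
    """Trusted if on the arrival interface's subnet (when that interface trusts its
    subnet) or inside an explicitly configured trusted address block."""
    ip = ip_address(client_ip)
    for iface in cfg.interfaces:
        if (iface.name == iface_name and iface.trusted_subnet
                and ip in ip_network(iface.network, strict=False)):
            return True
    return any(ip in ip_network(block, strict=False) for block in cfg.trusted_blocks)

def is_local(cfg, address):
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in cfg.local_domains)

def direction(trusted, local):
    # Only trusted -> non-local is outbound; every other combination is inbound.
    return "outbound" if trusted and not local else "inbound"

def reverse_dns_ok(dns, client_ip):
    # The PTR must exist and the name it gives must resolve back to the client IP.
    name = lookup(dns, "PTR", client_ip)
    return name is not None and client_ip in (lookup(dns, "A", name) or [])

def reject_checks(cfg, dns, client_ip, mail_from, rcpt_to):
    """First matching reject reason in the guide's order, or None if the client passes."""
    domain = mail_from.rpartition("@")[2].lower()
    # A null sender (MAIL FROM:<>, used for bounces) has no domain; the sender-domain
    # checks are skipped for it (assumption, not stated in the guide).
    if domain and cfg.reject_unknown_sender_domain and not (
            lookup(dns, "A", domain) or lookup(dns, "MX", domain)):
        return "unknown sender domain"
    if cfg.reject_missing_reverse_dns and not reverse_dns_ok(dns, client_ip):
        return "missing reverse DNS"
    if domain and cfg.reject_missing_sender_mx and not lookup(dns, "MX", domain):
        return "missing sender MX"
    if domain and cfg.reject_non_fqdn_sender and "." not in domain:
        return "non-FQDN sender"
    if (cfg.reject_unknown_recipient and is_local(cfg, rcpt_to)
            and rcpt_to.lower() not in cfg.known_recipients):
        return "unknown recipient"
    return None

def evaluate(cfg, dns, iface_name, client_ip, mail_from, rcpt_to):
    trusted = is_trusted(cfg, iface_name, client_ip)
    local = is_local(cfg, rcpt_to)
    result = {"trusted": trusted, "direction": direction(trusted, local),
              "spam_filtered": not trusted, "reject": None}
    if not trusted:   # trusted networks skip the remaining reject checks
        result["reject"] = reject_checks(cfg, dns, client_ip, mail_from, rcpt_to)
    return result

# Constructed sample deployment: eth0 faces the Internet, eth1 is the trusted internal subnet.
CONFIG = GatewayConfig(
    interfaces=[Interface("eth0", "203.0.113.10/24", False),
                Interface("eth1", "192.168.1.104/24", True)],
    trusted_blocks=["10.0.0.0/8"],
    local_domains={"example.com"},
    known_recipients={"alice@example.com", "postmaster@example.com"},
    reject_missing_reverse_dns=True,
)
```

Note that an internal address arriving on the Internet-facing interface is not trusted: subnet trust applies only to the interface the mail actually arrived on.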
Mail Header and Message Properties<br />
The connection is now accepted. The message will be accepted for processing unless one of<br />
the following occurs:<br />
• Reject on missing addresses — Rejects mail when no recipient is specified in the To:<br />
field, or no sender in the From: field, of the message headers.<br />
• Maximum number of recipients — Rejects mail if the number of recipients exceeds the<br />
specified maximum (default is 1000).<br />
• Maximum message size — Rejects mail if the message size exceeds the maximum.<br />
Malformed Content, Virus Checking, and Attachment Control<br />
Messages are checked for malformed and very malformed content, viruses, and specific<br />
attachments. If there is a problem, <strong>ePrism</strong> can be configured with a variety of actions, such as<br />
sending the message to the administrative Quarantine folder.<br />
Threat Outbreak Control<br />
Messages are scanned by Threat Outbreak control to look for virus-like behaviour. These<br />
messages can be quarantined until updated Anti-Virus pattern files are available to rescan<br />
them.<br />
OCF (Objectionable Content Filter)<br />
Messages are scanned for objectionable content using a pre-defined list of words, and a<br />
configurable action is taken.<br />
Pattern Based Message Filters and Specific Access Patterns<br />
The messages are scanned to see if they match any existing Pattern Based Message Filters<br />
(PBMF), or Specific Access Patterns (SAP) set to "Trust" or "Allow Relaying".<br />
Trusted and Blocked Senders List<br />
If a sender is on a user’s Trusted Senders List, the message will skip all remaining checks. If<br />
the sender is on a user’s Blocked Senders List, the message will be rejected or discarded<br />
depending on the configuration.<br />
Attachment Content Scanning<br />
Deep scanning is performed on attachments for blocked words and phrases.<br />
Encryption<br />
If enabled, outbound messages are encrypted before being delivered.<br />
Anti-Spam Processing<br />
If the message arrives from an "untrusted" source, it will be processed for spam by the Intercept<br />
Anti-Spam engine. All Intercept features that are enabled will contribute to the final spam score<br />
of a message.<br />
Mail Mappings<br />
The message is now accepted for processing and the following occurs:<br />
• If the recipient address is not for a domain or sub-domain for which <strong>ePrism</strong> is configured to<br />
accept mail (either as an inbound mail route or a virtual domain) then the message is<br />
rejected.<br />
• If the recipient address is mapped in the Mail Mappings table, then the "To" field in the<br />
message header will be modified as required.<br />
Virtual Mappings<br />
The message is now examined for a match in the Virtual Mapping table. If such a mapping is<br />
found, the envelope-header recipient field will be modified as required. LDAP virtual mappings<br />
will then be processed. Virtual mappings are useful for the following:<br />
• Acting as a wildcard mail mapping, such as directing mail for any user at example.com to<br />
mail.example.com. You can create exceptions to this rule in the mail mappings for<br />
particular users.<br />
• ISPs that need to accept mail for several domains, where the envelope-header recipient<br />
field needs to be rewritten for further delivery.<br />
• To deliver to internal servers, use Mail Delivery ➝ Routing ➝ Mail Routing.<br />
In all cases, mappings rely on successful DNS lookups for an MX record.<br />
Relocated <strong>User</strong>s<br />
When mail is sent to an address that is listed in the relocated user table, the message is<br />
bounced back with a message informing the sender of the relocated user’s new contact<br />
information.<br />
Mail Aliases<br />
When mail needs to be delivered locally, the local delivery agent runs each local recipient name<br />
through the aliases database. An alias results in a new mail message being created for the<br />
named address or addresses. This mail message is then entered back into the<br />
system to be mapped, routed, and so on. This process also occurs with local user accounts for<br />
whom a "forwarder address" has been configured. Local user accounts will be treated like<br />
aliases in this case.<br />
Local aliases are typically used to implement distribution lists or to direct mail for standard<br />
aliases such as mail to the "postmaster" account. LDAP aliases are then processed. LDAP<br />
functionality can be used to search for mail aliases on directory services such as Active<br />
Directory.<br />
Mail Routing<br />
During the mail routing process, there is no modification made to the mail header or the<br />
envelope. A mail route specifies two things:<br />
• Which domains <strong>ePrism</strong> will accept mail for (other than itself).<br />
• Which hosts the mail should be delivered to.<br />
The message is now delivered to its destination.<br />
See “Message Processing Order” on page 369 for a summary of the message processing<br />
order.<br />
CHAPTER 2<br />
Administering <strong>ePrism</strong><br />
This chapter describes how to administer and configure basic settings for the <strong>ePrism</strong> <strong>Email</strong><br />
<strong>Security</strong> Gateway, and contains the following topics:<br />
• “Connecting to <strong>ePrism</strong>” on page 28<br />
• “Configuring the Admin <strong>User</strong>” on page 32<br />
• “Web Server Options” on page 35<br />
• “Customizing the <strong>ePrism</strong> Interface” on page 36<br />
Connecting to <strong>ePrism</strong><br />
To administer <strong>ePrism</strong> using the web browser administrative interface, launch a web browser on<br />
your computer and enter the IP address or hostname for <strong>ePrism</strong> as the URL in the location bar.<br />
Your system must be listed in your DNS server to be able to connect via the hostname.<br />
Supported web browsers:<br />
• Microsoft Internet Explorer 6 and greater<br />
• Firefox 1.0 and greater<br />
• Mozilla 1.0 and greater<br />
• Netscape 6.0 and greater<br />
• Safari 1.0 and greater<br />
The login screen will then appear. Enter your admin ID and password.<br />
When logged in, the main <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> Gateway Activity screen and main menu will<br />
appear.<br />
Navigating the Main Menu<br />
The main menu consists of the following main categories:<br />
Activity<br />
The Activity screen provides you with a variety of information on mail processing activity, such<br />
as the number of messages in the mail queue, the number of different types of messages<br />
received and sent, and current message activity. If you are running a HALO cluster, you will<br />
also have a Cluster Activity option that will show you the activity statistics for the entire<br />
cluster.<br />
Basic Config<br />
The Basic Config menu allows you to configure some of the basic settings for <strong>ePrism</strong> including:<br />
• Admin Account<br />
• Alarms<br />
• Customization<br />
• Directory Services (LDAP)<br />
• Network<br />
• Performance<br />
• Static Routes<br />
• SNMP Configuration<br />
• Web Server Configuration<br />
• Virtual Interfaces<br />
Mail Delivery<br />
The Mail Delivery menu allows you to configure the features that affect mail delivery, including<br />
all mail security and anti-spam settings. It includes the following features:<br />
• Anti-Spam (Intercept)<br />
• Anti-Virus<br />
• Outbreak Control<br />
• Content Management<br />
• Mail Access<br />
• Threat Prevention<br />
• Policy<br />
• SMTP <strong>Security</strong><br />
• Encryption<br />
• Archiving<br />
• Delivery Settings<br />
• Routing<br />
• DomainKeys Signing<br />
<strong>User</strong> Accounts<br />
The <strong>User</strong> Accounts menu allows you to create local accounts on the <strong>ePrism</strong> and enable POP<br />
and IMAP access. Management of mirrored user accounts created by LDAP, Remote<br />
Authentication, and Secure WebMail is also configured here. It includes the following features:<br />
• Local Accounts<br />
• Mirrored Accounts (Only displayed if mirrored accounts exist)<br />
• Relocated <strong>User</strong>s<br />
• Vacations<br />
• POP3 and IMAP<br />
• Secure WebMail<br />
• Remote Authentication<br />
• SecureID Configuration<br />
HALO<br />
The HALO (High Availability and Load Optimization) menu is used to configure and manage<br />
clustered <strong>ePrism</strong> systems, and includes the following features:<br />
• Cluster Administration<br />
• Queue Replication<br />
• F5 Integration<br />
Status/Reporting<br />
The Status/Reporting menu allows you to view the current status of system services, manage<br />
your mail queue and the quarantine area, and review reports and logs. The menu includes the<br />
following features:<br />
• Status & Utility<br />
• Mail Queue<br />
• Quarantine<br />
• Reporting<br />
• System Logs<br />
• Problem Reporting<br />
• Health Check<br />
• Threat Prevention Status<br />
Management<br />
The Management menu contains options for various <strong>ePrism</strong> system administration tasks such<br />
as backup and restore, license management, and software updates. The menu includes the<br />
following features:<br />
• Backup & Restore<br />
• Centralized Management<br />
• License Management<br />
• Reboot & Shutdown<br />
• Software Updates<br />
• <strong>Security</strong> Connection<br />
• SSL Certificates<br />
<strong>ePrism</strong> System Console<br />
You can access the <strong>ePrism</strong> system console by connecting a monitor and keyboard to <strong>ePrism</strong>.<br />
The system console provides a limited subset of administrative tasks and is only recommended<br />
for use during initial installation and network troubleshooting. Routine administration should be<br />
performed via the web browser administration interface. When accessing the system console,<br />
you will be prompted for the <strong>User</strong>ID and Password for the administrative user.<br />
See “Using the <strong>ePrism</strong> System Console” on page 363 for more detailed information on using<br />
the system console.<br />
Configuring the Admin <strong>User</strong><br />
The primary admin account is created during the <strong>ePrism</strong> installation. Select Basic Config ➝<br />
Admin Account from the menu to modify the password or strong authentication methods for<br />
the admin user.<br />
It is recommended that you create additional admin users and use those accounts to manage <strong>ePrism</strong><br />
instead of the primary admin account. The primary admin account password should then be written down<br />
and stored in a safe and secure place.<br />
Login Lockout<br />
If an admin user enters incorrect login credentials five times in a row, the<br />
account will be locked out for 30 minutes. This lockout can be reset by rebooting <strong>ePrism</strong>.<br />
Strong Authentication<br />
You can also configure strong authentication for the admin user. These methods of<br />
authentication require a hardware token that provides a response to the login challenge.<br />
You can choose between the following types of secure authentication tokens:<br />
• CRYPTOCard<br />
• SafeWord<br />
• SecurID<br />
Once selected, a configuration wizard will guide you through the steps to configure the token for<br />
the specified authentication method.<br />
See “Strong Authentication” on page 200 for more information on strong authentication<br />
methods.<br />
Adding Additional Administrative <strong>User</strong>s<br />
There is only one primary admin user account, but additional administrative users can be<br />
added using Tiered Administration. This allows you to configure another user with Full Admin<br />
rights, or with granular permissions that only give admin rights to certain <strong>ePrism</strong> options. For<br />
example, you may want to add a user who can administer reports or vacation notifications, but<br />
not have any other administrative access.<br />
Granting full or partial admin access to one or more user accounts allows actions performed by<br />
administrators to be logged because they have an identifiable <strong>User</strong>ID that can be tracked by<br />
the system.<br />
A user with Full Admin privileges cannot modify the profile of the default Admin user. They can,<br />
however, edit other users with Full Admin privileges.<br />
Add an administrative user as follows:<br />
1. From the Basic Config ➝ Admin Account screen, click the Add Admin <strong>User</strong> button.<br />
2. Enter a <strong>User</strong> ID, an optional email address to forward mail to, and a password. You can<br />
also set strong authentication methods, if required.<br />
3. At the bottom of the Add a New <strong>User</strong> screen is a section for Administrator Privileges.<br />
4. Select the required administrative access for the user:<br />
• Full Admin — The user has administrative privileges equivalent to the admin user.<br />
• Administer Aliases — The user can add, edit, remove, upload and download aliases<br />
(not including LDAP aliases).<br />
• Administer Filter Patterns — The user can add, edit, remove, upload and download<br />
Pattern Based Message Filters and Specific Access Patterns.<br />
• Administer Mail Queue — The user can administer mail queues.<br />
• Administer Quarantine — The user can view, delete, and release quarantined files.<br />
• Administer Reports — The user can view, configure and generate reports, and view<br />
system activity.<br />
• Administer <strong>User</strong>s — The user can add, edit, and relocate user mailboxes (except the<br />
Full Admin users), including uploading and downloading user lists. <strong>User</strong> vacation<br />
notifications can also be configured.<br />
• Administer Vacations — The user can edit local users’ vacation notification settings and<br />
other global vacation parameters.<br />
• Mail History — The user can view the email database history.<br />
• View Activity — The user can view the Activity page and start and stop mail services.<br />
Individual emails can only be viewed if Mail History is also enabled.<br />
• View System Logs — The user can view all system log files.<br />
See “Tiered Administration” on page 209 for more information on configuring admin access.<br />
Admin Login and WebMail access must be enabled on the network interface that will be used by<br />
tiered administration users. This is set in the Basic Config ➝ Network screen.<br />
Web Server Options<br />
The Web Server Options screen defines the settings used for connecting to <strong>ePrism</strong> via the web<br />
browser administrative interface. By default, <strong>ePrism</strong>’s web server uses port 80 for HTTP<br />
requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it<br />
is recommended that you leave the default SSL encryption enabled to force a connecting web<br />
browser to use HTTPS.<br />
Select Basic Config ➝ Web Server on the menu to configure your web server settings.<br />
• Admin HTTP Port — The port used for HTTP requests (default 80).<br />
• Admin HTTPS Port — The port used for HTTPS requests (default 443).<br />
• Require SSL encryption — Requires SSL encryption for all user and administrator web<br />
sessions.<br />
• Allow low-grade encryption — Allows the use of low-grade encryption, such as DES<br />
ciphers with a key length of 64 bits, for encrypted user and administrator web sessions.<br />
• Enable SSL version 2 — Enables the SSL version 2 protocol. Note that SSL version 2<br />
contains known security issues.<br />
• Enable SSL version 3 — Enables the SSL version 3 protocol. This is the default setting.<br />
• Enable TLS version 1 — Enables the TLS version 1 protocol. This is the default setting.<br />
• Character set encoding — Select the type of character encoding used for HTML data.<br />
Customizing the <strong>ePrism</strong> Interface<br />
The <strong>ePrism</strong> interface logos can be easily customized by uploading your own organization’s<br />
custom logos to replace the <strong>ePrism</strong> logo on the main login screen, the administration screen<br />
logo, and the <strong>ePrism</strong> Mail Client logo. Administrators can also customize the login page title of<br />
the administrative session screen.<br />
Customize a logo as follows:<br />
1. Select Basic Config ➝ Customization on the menu to customize the <strong>ePrism</strong> logos.<br />
2. Click Browse to choose a file, and then click Next to upload the file.<br />
Revert to the default <strong>ePrism</strong> graphic by selecting the Default Logo button.<br />
Most graphic formats are supported, but it is recommended that you use graphics suitable<br />
for web page viewing such as GIF and JPEG. The maximum file size is 32k.<br />
TABLE 1. Recommended Image Sizes (Logo Type: Size in Pixels)<br />
• Main Screen Logo: 285 x 85 pixels<br />
• Admin Screen Small Logo: 191 x 57 pixels<br />
• <strong>ePrism</strong> Mail Client Logo: 94 x 28 pixels<br />
CHAPTER 3<br />
Configuring Mail Delivery Settings<br />
This chapter describes how to configure network and mail delivery settings for the <strong>ePrism</strong><br />
<strong>Email</strong> <strong>Security</strong> Gateway, and contains the following topics:<br />
• “Network Settings” on page 38<br />
• “Virtual Interfaces” on page 42<br />
• “Static Routes” on page 45<br />
• “Mail Routing” on page 46<br />
• “Mail Delivery Settings” on page 48<br />
• “Mail Aliases” on page 53<br />
• “Mail Mappings” on page 55<br />
• “Virtual Mappings” on page 57<br />
Network Settings<br />
The basic networking information to get <strong>ePrism</strong> up and running on the network is configured<br />
during installation. To perform more advanced network configuration and to configure other<br />
network interfaces, you must use the Basic Config ➝ Network settings screen.<br />
From the network settings screen you can modify the following items:<br />
• Hostname and Domain information<br />
• Default Gateway<br />
• Syslog Host<br />
• DNS and NTP servers<br />
• Network Interface IP Address and feature access settings<br />
• Clustering and Queue Replication interface configuration<br />
• Support Access settings<br />
If you make any modifications to your network settings, you must reboot <strong>ePrism</strong>. The system will<br />
prompt you to restart after clicking the Apply button.<br />
Configuring Network Settings<br />
Select Basic Config ➝ Network on the menu to configure <strong>ePrism</strong>'s network settings.<br />
• Hostname — Enter the hostname (not the Fully Qualified Domain Name) of the <strong>ePrism</strong><br />
<strong>Email</strong> <strong>Security</strong> Gateway, such as the hostname eprism in eprism.example.com.<br />
• Domain — Enter the domain name, such as example.com.<br />
• Gateway — Enter the IP address of the default route for <strong>ePrism</strong>. This is typically the<br />
external router connected to the Internet, or the network Firewall’s interface if <strong>ePrism</strong> is<br />
located on the DMZ.<br />
• Syslog Host — <strong>ePrism</strong> can log to a specific syslog host. A syslog host collects and stores<br />
log files from many sources. Enter the IP address of the syslog server that will receive all<br />
logs from <strong>ePrism</strong>.<br />
• Name Server — At least one DNS name server must be configured for hostname<br />
resolution, and it is recommended that secondary name servers be specified in the event<br />
the first DNS server is unavailable.<br />
DNS servers can be queried either in strict order as specified in the configuration, or by the<br />
fastest response. If "Strict Ordering" is selected, the DNS servers will be queried in the<br />
order they are configured. If the first DNS server is unavailable, the next server in the list<br />
will be queried. For "Favor Fastest" mode, <strong>ePrism</strong> uses DNS caching to determine which of<br />
the configured DNS servers is sending the fastest response. This is the default mode which<br />
will provide the best performance in most cases.<br />
• NTP Server — NTP is critical for accurate timekeeping for the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong><br />
Gateway. Entering a valid NTP server will ensure that the server time is synchronized. It is<br />
recommended that secondary NTP servers be specified in the event the primary NTP<br />
server is unavailable.<br />
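The "Strict Ordering" and "Favor Fastest" name-server modes described above, as an added Python example that is not <strong>ePrism</strong>'s code; the latency cache and probe step are an assumed mechanism, and the server addresses and response times are constructed.<br />

```python
"""Added example, not ePrism's code: the "Strict Ordering" and "Favor Fastest"
name-server modes described above, modelled as a resolver front-end with
failover. The latency cache is an assumed mechanism; servers are constructed."""


class NameServerPool:
    def __init__(self, servers, mode="fastest"):
        if mode not in ("strict", "fastest"):
            raise ValueError("mode must be 'strict' or 'fastest'")
        self.servers = list(servers)   # configured order
        self.mode = mode
        self.latency = {}              # last measured response time per server (seconds)

    def probe(self, query, name="."):
        # Measure every server once so Favor Fastest has something to rank on (assumed).
        for server in self.servers:
            try:
                self.latency[server] = query(server, name)[1]
            except TimeoutError:
                self.latency.pop(server, None)

    def order(self):
        if self.mode == "strict":
            return list(self.servers)
        # Fastest known response first; servers with no measurement keep configured order, last.
        return sorted(self.servers, key=lambda s: self.latency.get(s, float("inf")))

    def resolve(self, name, query):
        """query(server, name) -> (answer, seconds); raises TimeoutError when the server is down.
        Fails over to the next server in the chosen order; if all fail, raises RuntimeError."""
        for server in self.order():
            try:
                answer, seconds = query(server, name)
            except TimeoutError:
                self.latency.pop(server, None)   # a dead server loses its ranking
                continue
            self.latency[server] = seconds
            return server, answer
        raise RuntimeError("all configured name servers failed")


# Constructed simulation: response time in seconds per server, None means unreachable.
SIMULATED = {"10.0.2.53": None, "10.0.0.53": 0.030, "10.0.1.53": 0.005}
ANSWERS = {"mail.example.com": "192.0.2.25"}


def simulated_query(server, name):
    seconds = SIMULATED.get(server)
    if seconds is None:
        raise TimeoutError(server)
    return ANSWERS.get(name), seconds


def resolve_with(mode):
    """Return (server used, answer) for one lookup in the given mode, with the
    unreachable server listed first in the configuration."""
    pool = NameServerPool(["10.0.2.53", "10.0.0.53", "10.0.1.53"], mode=mode)
    if mode == "fastest":
        pool.probe(simulated_query)
    return pool.resolve("mail.example.com", simulated_query)
```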
Network Interfaces<br />
Enter the required settings for each network interface. You can enter information for up to four<br />
interfaces.<br />
Some of the following options will not be displayed unless the related feature is enabled.<br />
• IP Address — Enter an IP address for this interface, such as 192.168.1.104.<br />
• Netmask — Enter the netmask for this interface, such as 255.255.255.0.<br />
• Media — Select the type of network card. Use Auto select for automatic configuration.<br />
• Large MTU — Sets the MTU (Maximum Transmission Unit) to 1500 bytes. This may improve<br />
performance connecting to servers on the local network. The default is 576 bytes.<br />
For most organizations, the default option of 576 bytes is adequate. This option should only be<br />
changed if needed and with the involvement of a Technical Support representative.<br />
• Respond to Ping — Allows ICMP ping requests to this interface. This will allow you to<br />
perform network connectivity tests to this interface, but will cause this interface to be more<br />
susceptible to denial of service ping attacks.<br />
• Trusted Subnet — If selected, all hosts on this subnet are considered trusted for relaying<br />
and anti-spam processing.<br />
• Admin Login — Allows access to this interface for administrative purposes.<br />
• WebMail — Allows access to WebMail via this interface.<br />
• IMAPS Server — Allows secure access to <strong>ePrism</strong>’s internal IMAP server via this interface.<br />
• IMAP Server — Allows access to <strong>ePrism</strong>’s internal IMAP server via this interface.<br />
• POP3S Server — Allows secure access to <strong>ePrism</strong>’s internal POP3 server via this interface.<br />
• POP3 Server — Allows access to <strong>ePrism</strong>’s internal POP3 server via this interface.<br />
POP and IMAP settings are only displayed if enabled in <strong>User</strong> Accounts ➝ POP3 and IMAP.<br />
• SNMP Agent — Allows access to the SNMP agent via this interface.<br />
Advanced Parameters<br />
The following advanced networking parameters are TCP extensions that affect the<br />
performance and reliability of communications.<br />
• Enable RFC 1323 — Enable TCP extensions (window scaling and timestamps) that improve<br />
performance and reliability on high-speed paths. This is enabled by default, and should only be<br />
disabled if you are experiencing networking problems with certain hosts.<br />
• Enable RFC 1644 — Enable an experimental TCP extension (T/TCP) for efficient transaction<br />
oriented (request/response) service. This is disabled by default. T/TCP was later moved to<br />
Historic status (RFC 6247) because of its security and reliability problems; leave it disabled.<br />
• Path MTU Discovery (RFC 1191) — Disable Path MTU (Maximum Transmission Unit) discovery if<br />
required to resolve delivery problems when interconnecting between specific firewalls and<br />
SMTP proxies. Path MTU discovery is enabled by default.<br />
Network Settings<br />
Clustering<br />
The Clustering section is used to enable clustering on a specific network interface. See “HALO<br />
(High Availability and Load Optimization)” on page 265 for more information on configuring<br />
clustering.<br />
• Enable Clustering — Select the check box to enable clustering on this <strong>ePrism</strong> system.<br />
• Cluster Interface — Select the interface to enable clustering on.<br />
Support Access<br />
Enable Support Access, if required, to allow St. Bernard Technical Support to connect to<br />
this system from the specified IP address. This setting does not need to be enabled during<br />
normal usage, and should only be enabled if requested by St. Bernard Technical Support, then<br />
disabled again once the support session is over.<br />
This option only appears if you have installed the Support Access patch in Management ➝<br />
Software Updates.<br />
For security reasons, Support Access communications use SSH (Secure Shell) with public-key<br />
authentication to establish an encrypted connection on a non-standard network port. Support<br />
Access will only allow a connection to be made from the St. Bernard network.<br />
Virtual Interfaces<br />
Virtual Interfaces are used by <strong>ePrism</strong> to define additional interfaces and IP addresses to send<br />
and receive mail for specific domains. These Virtual Interfaces are associated with the existing<br />
physical network interfaces on <strong>ePrism</strong>.<br />
<strong>ePrism</strong> will send all outbound email for a specific domain using its specified IP address in the<br />
Virtual Interfaces configuration. <strong>ePrism</strong> selects the Virtual Interface to use for outgoing mail by<br />
matching the sender's domain to the domains associated with the configured Virtual Interfaces.<br />
If no Virtual Interface domains match the domain of the sender, or if using the Virtual Interface<br />
results in a non-routable network connection, the <strong>ePrism</strong> will send the mail via its normal<br />
outbound interface.<br />
<strong>ePrism</strong> will also accept inbound email arriving via this Virtual Interface's IP address. When a<br />
mail server connects to SMTP port 25 on a Virtual Interface, the customized banner for that<br />
interface will be communicated. If no banner has been specified, the default <strong>ePrism</strong> banner will<br />
be used (configured via Mail Delivery ➝ Mail Access).<br />
Only TCP port 25 can be used for sending and receiving mail on a Virtual Interface. Virtual<br />
Interfaces can be pinged if ping is enabled on the corresponding physical network interface. Due to<br />
their nature, Virtual Interfaces cannot be pinged from the Status and Utility screen on <strong>ePrism</strong>.<br />
Domains using Virtual Interfaces can be used with <strong>ePrism</strong>'s Domain-based Policies to provide<br />
flexibility in creating security and content policies for specific domains.<br />
Network Routing of Virtual Interfaces<br />
Virtual Interfaces are routed as follows:<br />
• via a physical interface that shares the same subnet as the Virtual Interface<br />
• via the physical interface that can reach a host specified through a static route<br />
• via the current default route (through the physical interface that connects to the default<br />
router)<br />
For an <strong>ePrism</strong> with the following characteristics:<br />
• Interface 1: 192.168.1.10/24<br />
• Interface 2: 172.16.1.10/16<br />
• Default Gateway/Router: 172.16.1.1<br />
Adding a Virtual Interface of 192.168.1.20 will route via Interface 1.<br />
Adding a Virtual Interface of 172.16.1.20 will route via Interface 2.<br />
Adding a Virtual Interface of 10.10.1.20 will route via Interface 2 through the default gateway.<br />
If the Virtual Interface has no corresponding physical interface displayed, there is no valid route<br />
through any physical interface and the Virtual Interface will be disabled.<br />
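The three routing rules above, as an added Python example that is not part of the <strong>ePrism</strong> guide or product: it models the physical interfaces, an optional static route and the default gateway, and reports which physical interface a Virtual Interface address would use, or that the Virtual Interface would be disabled. The addresses are the ones from the example above; the interface names, the `RoutingTable` class and the static route for 10.20.0.0/16 are this example's own assumptions.<br />

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the Virtual Interface routing rules described above (not ePrism code).


@dataclass
class PhysicalInterface:
    name: str
    address: ipaddress.IPv4Interface   # address with prefix, e.g. 192.168.1.10/24


@dataclass
class StaticRoute:
    network: ipaddress.IPv4Network     # destination network
    gateway: ipaddress.IPv4Address     # next hop; must sit on a physical subnet to be usable


@dataclass
class RoutingTable:
    interfaces: List[PhysicalInterface]
    default_gateway: Optional[ipaddress.IPv4Address] = None
    static_routes: List[StaticRoute] = field(default_factory=list)

    def interface_for(self, host: ipaddress.IPv4Address) -> Optional[PhysicalInterface]:
        """Physical interface whose directly connected subnet contains host, if any."""
        for iface in self.interfaces:
            if host in iface.address.network:
                return iface
        return None

    def route_virtual_interface(self, vip_text: str) -> Tuple[Optional[str], str]:
        """Apply the rules in order; (None, 'disabled') means no physical interface can carry it."""
        vip = ipaddress.IPv4Address(vip_text)
        # 1. A physical interface shares the Virtual Interface's subnet.
        iface = self.interface_for(vip)
        if iface is not None:
            return iface.name, "connected subnet"
        # 2. A static route covers the address: use the interface that reaches its gateway.
        #    Longest prefix wins if several static routes match (assumption of this example).
        for route in sorted(self.static_routes, key=lambda r: r.network.prefixlen, reverse=True):
            if vip in route.network:
                via = self.interface_for(route.gateway)
                if via is not None:
                    return via.name, f"static route via {route.gateway}"
        # 3. Fall back to the default route, through the interface that reaches the default router.
        if self.default_gateway is not None:
            via = self.interface_for(self.default_gateway)
            if via is not None:
                return via.name, f"default route via {self.default_gateway}"
        # No valid route through any physical interface: the Virtual Interface is disabled.
        return None, "disabled"


def example_table() -> RoutingTable:
    """The ePrism from the example above, plus an assumed static route for 10.20.0.0/16."""
    return RoutingTable(
        interfaces=[
            PhysicalInterface("Interface 1", ipaddress.IPv4Interface("192.168.1.10/24")),
            PhysicalInterface("Interface 2", ipaddress.IPv4Interface("172.16.1.10/16")),
        ],
        default_gateway=ipaddress.IPv4Address("172.16.1.1"),
        static_routes=[StaticRoute(ipaddress.IPv4Network("10.20.0.0/16"),
                                   ipaddress.IPv4Address("192.168.1.1"))],
    )


if __name__ == "__main__":
    table = example_table()
    for vip in ("192.168.1.20", "172.16.1.20", "10.10.1.20", "10.20.5.5"):
        print(vip, "->", table.route_virtual_interface(vip))
```

Running the script prints one line per Virtual Interface address with the interface chosen and the rule that chose it; a table with no default gateway returns `(None, 'disabled')` for an address outside every connected subnet, which is the case the last paragraph above warns about.<br />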
Configuring Virtual Interfaces<br />
To configure Virtual Interfaces, select Basic Config ➝ Virtual Interfaces on the menu.<br />
Administrators must upload a Virtual Interface list in CSV format that contains comma or tab<br />
separated entries in the form:<br />
[domain],[IP Address],[Banner message]<br />
For example:<br />
example1.com,10.2.45.10,example1.com ESMTP<br />
<strong>ePrism</strong> supports up to 175 Virtual Interfaces. This feature does not currently support IDN<br />
(Internationalized Domain Names).<br />
The file (vip.csv) should be created in CSV file format using Excel, Notepad or another<br />
Windows text editor. It is recommended that you download the file first by clicking the<br />
Download File button, editing it as required, and uploading it using the Upload File button.<br />
A standards-compliant banner should, at minimum, contain the domain name and the keyword<br />
ESMTP, such as "example.com ESMTP". Extra informational text after the ESMTP keyword is<br />
optional, such as "example.com ESMTP Authorized <strong>User</strong>s Only".<br />
Mail Routing<br />
Each domain that will be used with Virtual Interfaces must have a mail route defined via Mail<br />
Delivery ➝ Routing ➝ Mail Routing to route mail to a destination mail server.<br />
Virtual mappings can also be used for mail routing.<br />
DNS MX records must be published for any Virtual Interfaces. Local network devices such as<br />
the default external router must also be properly configured to route traffic to and from the<br />
Virtual Interfaces.<br />
Virtual Interfaces and Trusts<br />
<strong>Email</strong> arriving via a Virtual Interface is considered "Untrusted" by <strong>ePrism</strong> for Anti-Spam and<br />
security processing. To configure a client as "Trusted", use a Specific Access Pattern or Pattern<br />
Based Message Filter (PBMF) to trust the client connecting on that Virtual Interface.<br />
To trust a client using a Specific Access Pattern:<br />
1. Select Mail Delivery ➝ Mail Access on the menu.<br />
2. Click the Add Pattern button.<br />
3. Enter the IP address of the client in the Pattern field.<br />
4. Select the Client Access check box.<br />
5. Select "Trust" in the If pattern matches field.<br />
6. Click the Apply button.<br />
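The trust rules from this section and from the Trusted Subnet option under Network Settings, as an added Python example that is not <strong>ePrism</strong> code: it decides whether a connecting client is trusted from the arrival interface, the Trusted Subnet flags and the Specific Access Patterns, and then whether that client may relay to a given recipient. The class names, the CIDR form of a pattern, the rule that a Trusted Subnet applies to a host regardless of which physical interface it arrives on, and the `relay_allowed` rule (relay only for trusted clients or for domains in the Mail Routing table) are assumptions of this example; the interfaces, pattern and domains are constructed sample data.<br />

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of ePrism's client trust and relay decisions (example code, not the product's).


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # for a Virtual Interface, its /32 address
    trusted_subnet: bool = False     # the "Trusted Subnet" check box on a physical interface
    virtual: bool = False            # mail arriving here is Untrusted unless a pattern says otherwise


@dataclass
class AccessPattern:
    pattern: str                     # client IP; accepting a CIDR prefix is this example's assumption
    client_access: bool = True       # the "Client Access" check box
    action: str = "Trust"            # the "If pattern matches" value


def is_trusted(client_ip: str, arrival: Interface, interfaces: List[Interface],
               patterns: List[AccessPattern]) -> Tuple[bool, str]:
    """Return (trusted, reason) for a client connecting through the given interface."""
    ip = ipaddress.IPv4Address(client_ip)
    # 1. An explicit Specific Access Pattern wins. It is the only way to trust a client
    #    that connects through a Virtual Interface.
    for p in patterns:
        if (p.client_access and p.action == "Trust"
                and ip in ipaddress.IPv4Network(p.pattern, strict=False)):
            return True, f"access pattern {p.pattern}"
    # 2. Mail arriving via a Virtual Interface is considered Untrusted.
    if arrival.virtual:
        return False, f"arrived on Virtual Interface {arrival.name}"
    # 3. Hosts on a physical interface's Trusted Subnet are trusted.
    for iface in interfaces:
        if iface.trusted_subnet and not iface.virtual and ip in iface.network:
            return True, f"trusted subnet on {iface.name}"
    return False, "untrusted"


def relay_allowed(trusted: bool, recipient: str, routed_domains: List[str]) -> bool:
    """Accept RCPT TO only from trusted clients or for a domain ePrism routes itself.
    Accepting anything else would make the gateway an open relay."""
    domain = recipient.rpartition("@")[2].lower()
    return trusted or domain in {d.lower() for d in routed_domains}


# Constructed sample: an internal trusted LAN, an external interface and one Virtual Interface.
ETH0 = Interface("eth0", ipaddress.IPv4Network("192.168.1.0/24"), trusted_subnet=True)
ETH1 = Interface("eth1", ipaddress.IPv4Network("203.0.113.0/24"))
VIP0 = Interface("vip0", ipaddress.IPv4Network("10.2.45.10/32"), virtual=True)
INTERFACES = [ETH0, ETH1, VIP0]
PATTERNS = [AccessPattern("192.168.1.50")]   # the one client trusted via the steps above
ROUTED_DOMAINS = ["example.com"]             # domains present in the Mail Routing table

if __name__ == "__main__":
    for ip, via in (("192.168.1.50", VIP0), ("192.168.1.77", VIP0),
                    ("192.168.1.77", ETH0), ("198.51.100.9", ETH1)):
        trusted, why = is_trusted(ip, via, INTERFACES, PATTERNS)
        print(f"{ip} via {via.name}: trusted={trusted} ({why}); "
              f"relay to other.org={relay_allowed(trusted, 'x@other.org', ROUTED_DOMAINS)}")
```

The second sample client shows the point of this section: a host on the trusted LAN that connects through the Virtual Interface address is untrusted there, and only the explicit access pattern (first client) restores trust for that path.<br />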
Static Routes<br />
Static routes are required if the mail servers to which mail must be relayed are located on<br />
another network, such as behind an internal router, firewall, or accessed via a VPN.<br />
Select Basic Config ➝ Static Routes to configure your static routes.<br />
To add a new static route, enter the network address, netmask and gateway for the route, and<br />
then click New Route.<br />
Mail Routing<br />
<strong>ePrism</strong>, by default, accepts mail addressed directly to it and delivers it to local <strong>ePrism</strong><br />
mailboxes. You can configure additional domains for <strong>ePrism</strong> to accept and route mail for using<br />
the Mail Routing menu.<br />
Select Mail Delivery ➝ Routing ➝ Mail Routing from the menu to set up mail routes.<br />
• Sub — Select this check box to accept and relay mail for subdomains of the specified<br />
domain.<br />
• Domain — Enter the domain for which mail is to be accepted, such as example.com.<br />
• Route-to — Enter the address of the server to which mail will be delivered. When using a<br />
FQDN, the corresponding DNS A record is looked up.<br />
• Port — Enter the port number of the SMTP server if it is different from the default port<br />
number of 25. The port number must be between 1 and 65535.<br />
• MX — (Optional) Select the MX check box to look up the MX records of the Route-to host in<br />
DNS before delivery. If this is not enabled, MX records are ignored and mail is delivered to the<br />
Route-to host directly. Generally, you do not need to select this item unless you are using<br />
multiple mail server DNS entries for load balancing/failover purposes. With MX lookup enabled,<br />
<strong>ePrism</strong> tries the MX hosts in preference order, so delivery fails over to the next server in the list.<br />
• KeepOpen — (Optional) Select the KeepOpen check box to ensure that each mail message<br />
to the domain will not be removed from the active queue until delivery is attempted, even if<br />
the preceding mail failed or was deferred. This setting ensures that local mail servers<br />
receive higher priority.<br />
The KeepOpen option should only be used for domains that are usually very reliable. If the domain<br />
is unavailable, it may cause system performance problems due to excessive error conditions and<br />
deferred mail.<br />
A list of domains can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]<br />
Note that the file field is ignore_mx, the inverse of the MX check box: "on" means MX records<br />
are not looked up. For example:<br />
example.com,10.10.1.1,25,on,off,off<br />
The file (domains.csv) should be created in csv file format using Excel, Notepad or another<br />
Windows text editor. It is recommended that you download the domain file first by clicking<br />
Download File, editing it as required, and uploading it using the Upload File button.<br />
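An offline validator for the domains.csv format above and for the vip.csv format described under Configuring Virtual Interfaces, as an added Python example that is not part of the guide or the appliance. It applies the rules the text states for both files: comma- or tab-separated fields, ASCII-only domains (no IDN), a banner that starts with the domain and the keyword ESMTP, at most 175 Virtual Interfaces, a port from 1 to 65535 and on/off flags. The function names, the duplicate-address check and the error messages are this example's own; run it over a file before you upload it.<br />

```python
import csv
import ipaddress
import re
from typing import Iterator, List, Tuple

# Added example: validator for ePrism's vip.csv and domains.csv upload formats.
# The rules come from the guide text; the messages and function names are this example's.

MAX_VIRTUAL_INTERFACES = 175
# ASCII host labels only: letters, digits and hyphens, no leading/trailing hyphen, two or more labels.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
FLAGS = {"on", "off"}


def rows(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (line number, stripped fields); each line may be comma- or tab-separated."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        delim = "\t" if "\t" in line else ","
        yield n, [f.strip() for f in next(csv.reader([line], delimiter=delim))]


def check_domain(domain: str) -> str:
    """Empty string when the domain is acceptable, otherwise the problem."""
    if not domain.isascii():
        return "non-ASCII domain (IDN is not supported)"
    if not DOMAIN_RE.match(domain):
        return f"malformed domain {domain!r}"
    return ""


def validate_vip_csv(text: str) -> List[str]:
    """[domain],[IP Address],[Banner message] lines."""
    errors, seen_ips, count = [], set(), 0
    for n, fields in rows(text):
        if len(fields) != 3:
            errors.append(f"line {n}: expected 3 fields (domain,ip,banner), got {len(fields)}")
            continue
        domain, ip, banner = fields
        count += 1
        err = check_domain(domain)
        if err:
            errors.append(f"line {n}: {err}")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"line {n}: invalid IPv4 address {ip!r}")
        if ip in seen_ips:
            errors.append(f"line {n}: duplicate Virtual Interface address {ip}")
        seen_ips.add(ip)
        # A standards-compliant banner is "<domain> ESMTP", optionally followed by more text.
        words = banner.split()
        if len(words) < 2 or words[0].lower() != domain.lower() or words[1] != "ESMTP":
            errors.append(f"line {n}: banner must start with '{domain} ESMTP'")
    if count > MAX_VIRTUAL_INTERFACES:
        errors.append(f"{count} entries exceed the limit of {MAX_VIRTUAL_INTERFACES} Virtual Interfaces")
    return errors


def validate_domains_csv(text: str) -> List[str]:
    """[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open] lines."""
    errors = []
    for n, fields in rows(text):
        if len(fields) != 6:
            errors.append(f"line {n}: expected 6 fields, got {len(fields)}")
            continue
        domain, route, port, ignore_mx, subdomains_too, keep_open = fields
        err = check_domain(domain)
        if err:
            errors.append(f"line {n}: {err}")
        # The route may be an IPv4 address or a host name that DNS resolves.
        try:
            ipaddress.IPv4Address(route)
        except ValueError:
            err = check_domain(route)
            if err:
                errors.append(f"line {n}: route is neither an IPv4 address nor a host name ({err})")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            errors.append(f"line {n}: port must be between 1 and 65535, got {port!r}")
        for name, value in (("ignore_mx", ignore_mx), ("subdomains_too", subdomains_too),
                            ("keep_open", keep_open)):
            if value.lower() not in FLAGS:
                errors.append(f"line {n}: {name} must be 'on' or 'off', got {value!r}")
    return errors


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            checker = validate_vip_csv if path.endswith("vip.csv") else validate_domains_csv
            print(path, checker(fh.read()) or "OK")
```

Both functions return an empty list for a clean file, so a pre-upload check is `python validate.py vip.csv domains.csv` (file names are assumed); the domain regex deliberately rejects non-ASCII labels rather than attempting IDN conversion, matching the limitation stated above.<br />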
LDAP Routing<br />
Click the LDAP Routing button to define mail routes using an LDAP directory server. This is<br />
the preferred method for mail routing for organizations with a large amount of domains.<br />
See “LDAP Routing” on page 76 for more detailed information on using LDAP for mail routing.<br />
Adding Rules for Relays<br />
To allow internal mail systems to relay mail outbound via <strong>ePrism</strong>, a Specific Access Pattern<br />
must be set up for the system.<br />
1. Select Mail Delivery ➝ Mail Access on the menu.<br />
2. Click the Add Pattern button.<br />
3. Enter the IP address of the system, and select Client Access.<br />
4. Set the if pattern matches field to "Trust".<br />
Mail Delivery Settings<br />
The Mail Delivery settings screen allows you to configure parameters related to accepting,<br />
relaying and delivering mail messages.<br />
Select Mail Delivery ➝ Delivery Settings on the menu to configure the following parameters:<br />
Delivery Settings<br />
• Maximum time in mail queue — Enter the number of days for a message to stay in the<br />
queue before being returned to the sender as "undeliverable".<br />
• Maximum time in queue for bounces — Enter the number of days a system-generated<br />
bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable.<br />
Default is 5 days. Set this value to 0 to attempt delivery of bounce messages only once.<br />
• Maximum original message text in bounces — Enter the maximum amount (in bytes) of<br />
original message text that is sent in a non-delivery notification. Range is 10 to 1000000000.<br />
If this field is left blank, the default is set to 5000 bytes.<br />
• Time before delay warning — Number of hours before issuing the sender a notification<br />
that mail is delayed.<br />
• Time to retain undeliverable notice mail — The number of hours to keep undelivered<br />
notice mail addressed to external mail server’s MAILER-DAEMON. These messages are<br />
typically notifications sent to mail servers with invalid return addresses and can be safely<br />
purged. Leave this value blank for no special processing.<br />
• Deliver mail to local users — Disable this option to prevent mail delivery to local accounts<br />
configured on this <strong>ePrism</strong>. The postmaster (admin) account will not be affected by this<br />
setting.<br />
Gateway Features<br />
• Masquerade Addresses — Masquerades internal hostnames by rewriting headers so that they only<br />
include the address of the <strong>ePrism</strong>.<br />
• Strip Received Headers — Strip all Received headers from outgoing messages. This hides internal<br />
host names and topology from recipients, but it also removes the routing trail that recipients,<br />
and your own incident responders, would use to trace where a message entered your network.<br />
Default Mail Relay<br />
• Relay To — (Optional) Enter an optional hostname or IP address of a mail server (not this<br />
<strong>ePrism</strong> system) to relay mail to for all email with unspecified destinations. A recipient’s<br />
email domain will be checked against the Mail Routing table, and if the destination is not<br />
specified the email will be sent to the Default Mail Relay server for delivery. This option is<br />
usually used when the <strong>ePrism</strong> cannot deliver email directly to remote mail servers.<br />
If you are setting up this mail server as a dedicated webmail system, and all mail originating<br />
from this system should be forwarded to another mail server for delivery, then specify the<br />
destination mail server here.<br />
Do NOT enter the name of your <strong>ePrism</strong> system as this will cause a relay loop.<br />
• Ignore MX record — Enable this option to prevent an MX record lookup for the relay host, so<br />
that mail is sent directly to the host specified in Relay To.<br />
• Enable Client Authentication — Enable client SMTP authentication for relaying mail to<br />
another mail server. This option is only used in conjunction with the default mail relay<br />
feature. This allows <strong>ePrism</strong> to authenticate to the server that it is using to relay mail. With this<br />
configuration, connections to the default mail relay are authenticated, while connections to<br />
other mail routes are not.<br />
• <strong>User</strong> ID — Enter a <strong>User</strong> ID to log in to the relay mail server.<br />
• Password — Enter and confirm a password for the specified <strong>User</strong> ID. Use a dedicated relay<br />
account with no other privileges, and combine client authentication with an encrypted delivery<br />
session to the relay so that the credentials are not sent in the clear.<br />
BCC All Mail<br />
<strong>ePrism</strong> offers an archiving feature for organizations that require storage of all email that passes<br />
through their corporate mail servers. This option sends a blind carbon copy (BCC) of each<br />
message that passes through <strong>ePrism</strong> to the specified address. This address can be local or on<br />
any other system. Once copied, the mail can be managed and archived from this<br />
account. You must also specify an address that will receive error messages if there are<br />
problems delivering the BCC mail. Because the BCC mailbox receives a copy of every message,<br />
restrict access to it as tightly as to the mail servers themselves.<br />
Very Malformed Mail<br />
Specify the action to be performed when a very malformed message is detected by the system.<br />
A very malformed message may cause scanning engine latency.<br />
Possible actions:<br />
• Just log — Log the event and take no further action.<br />
• Quarantine mail — The message is placed into quarantine.<br />
• Temporarily Reject Mail — Returns an error to the sending server and doesn't accept the<br />
mail. The mail delivery can be attempted again after a period of time.<br />
• Reject mail — The message is rejected with notification to the sending system.<br />
• Discard mail — The message is discarded without notification to the sending system.<br />
Select the Notify check box to allow notifications using the malformed notification settings<br />
(configured via Mail Delivery ➝ Content Management ➝ Malformed Mail) when the action<br />
specified above is performed (except for Just log.)<br />
Very malformed mail has not been virus scanned or filtered for attachments and spam, so the Just<br />
log action lets such mail through unchecked. Prefer Quarantine mail or a reject action unless you<br />
have a specific reason to pass it.<br />
Annotations and Delivery Warnings<br />
Administrators can enable and customize Annotations that are appended to all emails and<br />
customize Delivery Failure and Delivery Delay warning messages.<br />
Some mail clients will display notifications and annotations as attachments to a message rather<br />
than in the message body.<br />
Separate annotations can be enabled for different users, domains, and groups using Policies. See<br />
“Policy Management” on page 219 for information on creating policies and configuring separate<br />
annotations.<br />
The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system<br />
settings that are automatically substituted at the time the message is sent. See “Customizing<br />
Notification and Annotation Messages” on page 371 for a full list of variables that can be<br />
included.<br />
Advanced Delivery Options<br />
Click the Advanced button on the Mail Delivery ➝ Delivery Settings screen to reveal<br />
advanced options for Advanced SMTP Settings, SMTP notifications, and the Received Header.<br />
Advanced SMTP Settings<br />
The following advanced SMTP settings can be configured:<br />
• SMTP Pipelining — Select the check box to disable SMTP Pipelining when delivering mail.<br />
Some mail servers may experience problems with SMTP command pipelining and you may<br />
have to disable this feature if required.<br />
• ESMTP — Select the check box to disable ESMTP (Extended SMTP) when delivering mail.<br />
Some mail servers may not support ESMTP and you may have to disable this option if<br />
experiencing problems.<br />
Caution: Disabling ESMTP will disable TLS encryption on outgoing connections.<br />
• HELO required — Enable this option to require clients to initiate their SMTP session with a<br />
standard HELO/EHLO sequence. It is recommended that you leave this feature<br />
enabled. It should only be disabled when experiencing problems with sending hosts that do<br />
not use a standard HELO message.<br />
• Content Reject Message — This is the text part of the SMTP 552 error message reported<br />
to clients when message content is rejected because the maximum message size has been<br />
exceeded.<br />
• Multiple Recipient Reject Mode — Indicates the reject handling of messages with multiple<br />
recipients. This option only applies to features with reject actions such as Malformed and<br />
Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus,<br />
and Intercept Anti-Spam features, including those used within a policy.<br />
The options are as follows:<br />
• All: Reject the message if all recipients reject the message. If some but not all of the<br />
recipients reject the message, the message will be discarded without notification to the<br />
sender for those recipients that rejected the message.<br />
• Any: Reject the message if any recipient rejects the message.<br />
• Never: The message will never be rejected, regardless of any configured reject actions.<br />
For recipients that rejected the message, the message will be discarded without<br />
notification to the sender.<br />
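The three modes, as an added Python example (not <strong>ePrism</strong> code) that computes what happens to a message once each recipient's policy has produced a reject-or-not verdict. The `RejectMode` enum, the `resolve_delivery` function and the sample verdicts are this example's own; the outcomes follow the definitions above, including the silent discard that All and Never apply to rejecting recipients.<br />

```python
from enum import Enum
from typing import Dict, List, Tuple

# Added example modelling the Multiple Recipient Reject Mode rules (not ePrism code).


class RejectMode(Enum):
    ALL = "All"
    ANY = "Any"
    NEVER = "Never"


def resolve_delivery(verdicts: Dict[str, bool], mode: RejectMode) -> Tuple[bool, List[str], List[str]]:
    """verdicts maps each recipient to True when that recipient's policy rejects the message.

    Returns (rejected, deliver_to, discarded_for):
      rejected       - the whole message is refused at SMTP time, so the sender is told
      deliver_to     - recipients who still receive the message
      discarded_for  - recipients whose copy is dropped with no notification to the sender
    """
    rejecting = [r for r, rejects in verdicts.items() if rejects]
    accepting = [r for r, rejects in verdicts.items() if not rejects]

    if mode is RejectMode.ANY and rejecting:
        return True, [], []          # one rejecting recipient refuses the message for everyone
    if mode is RejectMode.ALL and rejecting and not accepting:
        return True, [], []          # every recipient rejected it
    # ALL with a partial rejection, or NEVER: the message is accepted, delivered to the
    # accepting recipients and silently discarded for the rejecting ones.
    return False, accepting, rejecting


if __name__ == "__main__":
    sample = {"alice@example.com": True, "bob@example.com": False}   # constructed verdicts
    for mode in RejectMode:
        print(mode.value, resolve_delivery(sample, mode))
```

The branch to keep in mind is the last return: under All or Never a sender whose message was dropped for some recipients receives a normal acceptance and no bounce, so the logs, not non-delivery reports, are the record of what actually happened.<br />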
• Send EHLO — Always send EHLO when communicating with another server, even if<br />
their banner does not include ESMTP. Disable EHLO if you are experiencing<br />
communications problems with specific SMTP servers.<br />
Disabling EHLO will disable TLS/SSL encryption.<br />
SMTP Notification<br />
Administrators can select the type of notifications that are sent to the postmaster account.<br />
Serious problems such as Resource or Software issues are selected by default for notification.<br />
• Resource — Mail not delivered due to resource problems, such as queue file write errors.<br />
• Software — Mail not delivered due to software problems.<br />
• Bounce — Send postmaster copies of undeliverable mail. If mail is undeliverable, a single<br />
bounce message is sent to the postmaster with a copy of the message that was not<br />
delivered. For privacy reasons, the postmaster copy is truncated after the original message<br />
headers. If a single bounce message is undeliverable, the postmaster receives a double<br />
bounce message with a copy of the entire single bounce message.<br />
• Delay — Inform the postmaster of delayed mail. In this case, the postmaster receives<br />
message headers only.<br />
• Policy — Inform the postmaster of client requests that were rejected because of (UCE)<br />
policy restrictions. The postmaster will receive a transcript of the entire SMTP session.<br />
• Protocol — Inform the postmaster of protocol errors (client or server), or attempts by a<br />
client to execute unimplemented commands. The postmaster will receive a transcript of the<br />
entire SMTP session.<br />
• Double Bounce — Send double bounced messages to the postmaster.<br />
Received Header<br />
The Received Header is the mail server information displayed in the Received: mail header of a<br />
message. The default can be modified to a more generic identifier to prevent attackers from<br />
knowing the mail server details.<br />
Mail Aliases<br />
When mail is to be delivered locally, the delivery agent runs each local recipient name through<br />
the aliases database. If an alias exists, a new mail message will be created for the named<br />
address or addresses. This mail message will be returned to the delivery process to be<br />
mapped, routed, and so on. This process also occurs for local user accounts with a specified<br />
"forwarder address". Local user accounts are treated as aliases in this case.<br />
Local aliases are typically used to implement distribution lists, or to direct mail for standard<br />
aliases such as postmaster to real user mailboxes.<br />
For example, the alias postmaster could resolve to the local mailboxes<br />
admin1@example.com, and admin2@example.com. For distribution lists, an alias called<br />
sales@example.com can be created that points to all members of the sales organization of a<br />
company.<br />
Configuring Mail Aliases<br />
Click Mail Delivery ➝ Routing ➝ Mail Aliases on the menu to configure aliases. Click on an<br />
entry to edit a current alias.<br />
Adding a Mail Alias<br />
Click the Add Alias button to add a new alias.<br />
The specified alias name must be a valid local mailbox on this <strong>ePrism</strong> system. Enter the<br />
corresponding mail address for the alias. Click the Add More Addresses button to enter<br />
multiple addresses for this alias.<br />
Uploading Alias Lists<br />
A list of aliases can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[alias],[mail_address]<br />
For example:<br />
sales,fred@example.com<br />
info,mary@example.com<br />
The file (alias.csv) should be created in csv file format using Excel, Notepad or another<br />
Windows text editor. It is recommended that you download the mail alias file first by clicking<br />
Download File, editing it as required, and uploading it using the Upload File button.<br />
LDAP Aliases<br />
Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you<br />
to search LDAP-enabled directories such as Active Directory for mail aliases.<br />
See “LDAP Aliases” on page 67 for more information on LDAP Aliases.<br />
Mail Mappings<br />
Mail Mappings are used to map an external address to an internal address and vice versa. This<br />
is useful for hiding internal mail server addresses from external users. For mail originating<br />
externally, the mail mapping translates the address in the To: and CC: mail header field into a<br />
corresponding internal address to be delivered to a specific internal mailbox.<br />
For example, mail addressed to joe@example.com can be redirected to the internal mail<br />
address joe@chicago.example.com. This enables the message to be delivered to the<br />
user’s preferred mailbox.<br />
Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender:<br />
header modified by a mail mapping so it appears to have come from the preferred external form<br />
of the mail address, joe@example.com.<br />
Configuring Mail Mappings<br />
Click Mail Delivery ➝ Routing ➝ Mail Mapping on the menu to configure mail address<br />
mappings. Click on an entry to edit a current mapping.<br />
Adding a New Mapping<br />
Click the Add button to add a new mapping.<br />
• External mail address — Enter the external mail address that you want to be converted to<br />
the specified internal email address for incoming mail. The specified internal address will be<br />
converted to this external address for outgoing mail.<br />
• Internal mail address — Enter the internal mail address that you want external addresses<br />
to be mapped to for incoming mail. The internal address will be converted to the specified<br />
external address for outgoing mail.<br />
• Extra internal addresses — Enter any additional internal mappings which will be included<br />
in the outgoing mail conversion. Click the Add button for each entry.<br />
When you have completed entering your addresses, click Apply to create the mail mapping.<br />
Uploading Mapping Lists<br />
A list of mappings can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]<br />
For example:<br />
sender,joe@chicago.example.com,joe@example.com,on<br />
The file (mailmapping.csv) should be created in csv file format using Excel, Notepad or<br />
another Windows text editor. It is recommended that you download the mail mapping file first by<br />
clicking Download File, editing it as required, and uploading it using the Upload File button.<br />
Access Control via Mail Mappings<br />
<strong>ePrism</strong> can block all incoming and outgoing mail messages that do not match a configured mail<br />
mapping. This ensures that all incoming and outgoing mail matches a legitimate user as the<br />
destination or source of a message.<br />
Click the Preferences button to enable Mail Mapping Access Control.<br />
If this feature is enabled, all incoming and outgoing mail will be blocked unless the user has a<br />
mapping listed in the mail mappings table.<br />
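The header rewriting and the access-control rule described in this section, as an added Python example that is not <strong>ePrism</strong> code. It keeps one table of external-to-internal mappings, rewrites To: and Cc: on the way in and From:, Reply-To: and Sender: on the way out (extra internal addresses join the outgoing conversion only), and, with access control enabled, accepts inbound mail only for a mapped external address and outbound mail only from a mapped internal address. The `MailMappings` class, the header-dictionary representation and the extra address joe@ny.example.com are this example's assumptions.<br />

```python
from typing import Dict, Iterable, List

# Added example: header rewriting and access control as Mail Mappings describe them (not ePrism code).

INBOUND_HEADERS = ("To", "Cc")                     # external -> internal on the way in
OUTBOUND_HEADERS = ("From", "Reply-To", "Sender")  # internal -> external on the way out

# Constructed simplification: header name -> list of bare addresses.
Headers = Dict[str, List[str]]


class MailMappings:
    def __init__(self, access_control: bool = False) -> None:
        self.to_internal: Dict[str, str] = {}   # external address -> internal address
        self.to_external: Dict[str, str] = {}   # internal address (and extras) -> external address
        self.access_control = access_control    # the Preferences "Mail Mapping Access Control" switch

    def add(self, external: str, internal: str, extra_internal: Iterable[str] = ()) -> None:
        self.to_internal[external.lower()] = internal
        # Extra internal addresses take part in the outgoing conversion only.
        for addr in (internal, *extra_internal):
            self.to_external[addr.lower()] = external

    @staticmethod
    def _rewrite(headers: Headers, names: Iterable[str], table: Dict[str, str]) -> Headers:
        out = {h: list(v) for h, v in headers.items()}
        for name in names:
            if name in out:
                out[name] = [table.get(a.lower(), a) for a in out[name]]
        return out

    def rewrite_inbound(self, headers: Headers) -> Headers:
        return self._rewrite(headers, INBOUND_HEADERS, self.to_internal)

    def rewrite_outbound(self, headers: Headers) -> Headers:
        return self._rewrite(headers, OUTBOUND_HEADERS, self.to_external)

    def inbound_allowed(self, recipient: str) -> bool:
        """With access control on, inbound mail is accepted only for a mapped external address."""
        return not self.access_control or recipient.lower() in self.to_internal

    def outbound_allowed(self, sender: str) -> bool:
        """With access control on, outbound mail is accepted only from a mapped internal address,
        which stops internal hosts from sending as addresses that have no legitimate mapping."""
        return not self.access_control or sender.lower() in self.to_external


def example_mappings() -> MailMappings:
    """Constructed table: the joe@example.com mapping from the text plus one extra internal address."""
    m = MailMappings(access_control=True)
    m.add("joe@example.com", "joe@chicago.example.com", ["joe@ny.example.com"])
    return m


if __name__ == "__main__":
    m = example_mappings()
    print(m.rewrite_inbound({"To": ["joe@example.com"], "Cc": ["bob@example.com"]}))
    print(m.rewrite_outbound({"From": ["joe@ny.example.com"], "Reply-To": ["joe@chicago.example.com"]}))
    print(m.inbound_allowed("bob@example.com"), m.outbound_allowed("mallory@chicago.example.com"))
```

With access control on, the last line prints `False False`: bob@example.com has no mapping so mail for that address is refused, and mallory@chicago.example.com cannot send outbound because no mapping vouches for that internal address.<br />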
Virtual Mappings<br />
Virtual Mappings are used to redirect mail addressed to one domain to a different domain. This<br />
is done without modifying the To: and From: headers in the mail, because virtual mappings<br />
rewrite only the envelope-recipient (RCPT TO) address.<br />
For example, <strong>ePrism</strong> can be configured to accept mail for the domain @example.com and<br />
deliver it to @sales.example.com. This allows <strong>ePrism</strong> to distribute mail to multiple internal<br />
servers based on the envelope-recipient address of the incoming mail.<br />
Virtual Mappings are useful as a wildcard mail mapping, such as sending all mail for<br />
example.com to mail.example.com. You can create exceptions to this rule in the<br />
Mail Mappings for particular users. Virtual mappings are also useful for ISPs who need to<br />
accept mail for several domains, and situations where the envelope-recipient address needs to<br />
be rewritten for further delivery.<br />
You should review the use of Mail Routes before setting anything in Virtual Mappings, as they may<br />
be more appropriate for delivering mail to internal mail servers.<br />
Configuring Virtual Mappings<br />
Click on Mail Delivery ➝ Routing ➝ Virtual Mapping on the menu to configure mappings.<br />
Click on an entry to edit a current mapping.<br />
Virtual Mappings and Reject On Unknown Recipient/LDAP Checks<br />
When using Virtual Mappings, the Reject on Unknown Recipient and LDAP Recipient lookups<br />
are not performed for mapped addresses. This prevents these email addresses from<br />
being rejected by <strong>ePrism</strong> because the virtual mappings do not exist in an LDAP directory.<br />
The consequence is that a domain-wide mapping such as @example.com accepts mail for any<br />
local part, so the destination server must do its own recipient validation, and any bounce it<br />
generates is produced after <strong>ePrism</strong> has already accepted the message.<br />
Adding a Virtual Mapping<br />
Click the Add Virtual Mapping button to add a new mapping.<br />
Enter the domain or address to which incoming mail is directed in the Input box, such as<br />
@example.com. Then enter the domain or address to which mail should be redirected to, such<br />
as @sales.example.com in the Output box.<br />
Uploading Virtual Mapping Lists<br />
A list of virtual mappings can also be uploaded in one text file. The file must contain comma or<br />
tab separated entries in the form:<br />
[map_in],[map_out]<br />
For example:<br />
user@example.com,user<br />
user@example.com,user@sales.example.com<br />
@example.com,@sales.example.com<br />
The file (virtmap.csv) should be created in csv file format using Excel, Notepad or other<br />
Windows text editor. It is recommended that you download the virtual mapping file first by<br />
clicking Download File, editing it as required, and uploading it using the Upload File button.<br />
The domain being virtually mapped or redirected must be defined via an "internal" DNS MX record<br />
to connect to this <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> Gateway.<br />
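The envelope rewriting this section describes, as an added Python example that is not <strong>ePrism</strong> code: it loads a table in the virtmap.csv format, rewrites only the envelope recipient (headers are untouched), prefers an exact address entry over a whole-domain entry so that per-user exceptions work, and reports whether the recipient checks discussed above would still apply. The function names and the sample table are this example's own, and it takes a bare local part in the map_out field (such as user) to mean a local <strong>ePrism</strong> mailbox, which is an assumption.<br />

```python
from typing import Dict, Tuple

# Added example: envelope-recipient rewriting as Virtual Mappings describe it (not ePrism code).


def load_virtual_mappings(text: str) -> Dict[str, str]:
    """Parse [map_in],[map_out] lines (comma- or tab-separated) into a lookup table."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        map_in, map_out = [f.strip() for f in line.replace("\t", ",").split(",", 1)]
        table[map_in.lower()] = map_out
    return table


def rewrite_envelope_recipient(rcpt: str, table: Dict[str, str]) -> Tuple[str, bool]:
    """Return (new envelope recipient, was_mapped).

    An exact address entry is preferred over a whole-domain (@example.com) entry, which is how
    per-user exceptions to a wildcard mapping work. A map_out of the form @domain keeps the
    local part; a bare local part (e.g. 'user') is taken to mean a local mailbox (assumption).
    Message headers are never touched; only the RCPT TO address changes.
    """
    local, sep, domain = rcpt.rpartition("@")
    if not sep:
        return rcpt, False                  # already a bare local recipient
    out = table.get(rcpt.lower()) or table.get("@" + domain.lower())
    if out is None:
        return rcpt, False
    if out.startswith("@"):
        return local + out, True
    return out, True


def recipient_check_applies(rcpt: str, table: Dict[str, str]) -> bool:
    """Reject on Unknown Recipient / LDAP Recipient lookups are skipped for mapped addresses,
    so a mapped recipient reaches the destination server unverified."""
    return not rewrite_envelope_recipient(rcpt, table)[1]


# Constructed sample in the virtmap.csv format.
SAMPLE_VIRTMAP = """\
postmaster@example.com,postmaster
user@example.com,user@sales.example.com
@example.com,@sales.example.com
"""

if __name__ == "__main__":
    table = load_virtual_mappings(SAMPLE_VIRTMAP)
    for rcpt in ("user@example.com", "alice@example.com", "postmaster@example.com", "bob@other.org"):
        print(rcpt, "->", rewrite_envelope_recipient(rcpt, table),
              "recipient check applies:", recipient_check_applies(rcpt, table))
```

Note that alice@example.com, who has no exact entry, is redirected by the @example.com wildcard and therefore skips recipient validation on <strong>ePrism</strong>; only bob@other.org, outside every mapping, is still subject to the Reject on Unknown Recipient and LDAP Recipient checks.<br />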
LDAP Virtual Mappings<br />
Click the LDAP Virtual Mappings button to configure and search for virtual mappings using<br />
LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual<br />
mappings. See “LDAP Mappings” on page 69 for more information on configuring LDAP virtual<br />
mappings.<br />
CHAPTER 4<br />
Directory Services<br />
This chapter describes how to integrate your existing LDAP directory services with <strong>ePrism</strong> and<br />
contains the following topics:<br />
• “Directory Service Overview” on page 60<br />
• “Directory Servers” on page 61<br />
• “Directory <strong>User</strong>s and Groups” on page 63<br />
• “LDAP Aliases” on page 67<br />
• “LDAP Mappings” on page 69<br />
• “LDAP Recipients” on page 71<br />
• “LDAP Relay” on page 73<br />
• “LDAP Routing” on page 76<br />
Directory Service Overview<br />
<strong>ePrism</strong> can utilize LDAP (Lightweight Directory Access Protocol) services for accessing<br />
directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information.<br />
LDAP can be used with <strong>ePrism</strong> for mail routing, group lookups for policies, user lookups for mail<br />
delivery, alias and virtual mappings, and authentication.<br />
LDAP was designed to provide a standard for efficient access to directory services using simple<br />
data queries. Most major directory services such as Active Directory support LDAP, but each<br />
differs in their interpretation and naming convention syntax. Other types of supported LDAP<br />
services include OpenLDAP and iPlanet.<br />
Naming Conventions<br />
Each entry in the directory hierarchy is identified by a unique Distinguished Name (DN). The<br />
following is an example of a Distinguished Name in Active Directory:<br />
cn=jsmith,dc=example,dc=com<br />
In this example, "cn" represents the Common Name, and "dc" is the Domain Component. The domain<br />
component is analogous to the FQDN domain name, in this case, example.com. This DN places the<br />
user jsmith directly under the domain root; in a default Active Directory layout the user would<br />
sit in the Users container instead, giving cn=jsmith,cn=users,dc=example,dc=com (compare the<br />
Bind DN example under Directory Servers).<br />
For all LDAP Directory features, you must ensure you enter values specific to your LDAP<br />
environment and schema.<br />
Directory Servers<br />
The first step in configuring Directory Services on <strong>ePrism</strong> is to define and configure your<br />
Directory Servers.<br />
Select Basic Config ➝ Directory Services ➝ Servers on the menu to configure your LDAP<br />
servers that will be used for <strong>ePrism</strong>’s LDAP functions such as user and group membership<br />
lookups, authentication, and mail routing.<br />
Click Add to configure a new LDAP server, or click Edit to modify an existing server:<br />
• Server URI — Enter the server URI (Uniform Resource Identifier) address, such as<br />
ldap://10.10.4.5.<br />
Use "ldaps:" if you are using SSL with the LDAP directory.<br />
• Label — An optional label or alias for the LDAP server.<br />
61
• Type — Select the type of LDAP server, such as Active Directory, or choose Others for<br />
OpenLDAP or iPlanet.<br />
• Bind — Select this check box to bind to the LDAP server with the specified Bind DN and<br />
password.<br />
• Bind DN — Enter the DN (Distinguished Name) for the user to bind to the LDAP server,<br />
such as cn=Administrator,cn=users,dc=example,dc=com for Active Directory<br />
implementations. Ensure that you enter a bind DN specific to your environment.<br />
In Active Directory, if you are using a user account other than Administrator to bind to the LDAP<br />
server, the name must be specified as the full name not the account name, such as "John Smith"<br />
instead of "jsmith".<br />
• Bind Password — Enter the bind password for the LDAP server.<br />
• Search Base — Specify a default starting point for lookups, such as<br />
dc=example,dc=com.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
• Dereference Aliases — Specifies how alias dereferencing is performed during a search:<br />
• Never: Aliases are never dereferenced.<br />
• Searching: Aliases are dereferenced in subordinates of the base object, but not in<br />
locating the base object of the search.<br />
• Finding: Aliases are only dereferenced when locating the base object of the search.<br />
• Always: Aliases are dereferenced when searching and locating the base object of the<br />
search.<br />
• Paged — Select the check box to enable paging support for an Active Directory server.<br />
When querying an LDAP server, the amount of information returned may contain thousands<br />
of entries and sub-entries. Paging allows LDAP information to be retrieved in more<br />
manageable sections to control the rate of data being returned.<br />
• Page Size — Enter the number of entries per page for this Active Directory server. If this<br />
field is left blank, the default value of 1000 is used. The Page Size must match the size<br />
configured in the Active Directory server's LDAP query policy (default 1000).<br />
Click the Test button to test your LDAP settings and send a test query to the LDAP server.<br />
When finished, click the Apply button to add the LDAP server.<br />
62
Directory <strong>User</strong>s and Groups<br />
The Directory <strong>User</strong>s and Groups screen is used to import user account data from LDAP-based<br />
directory servers. This information is used to provide LDAP lookups for valid email addresses<br />
for the Reject on Unknown Recipient anti-spam option, and to import group membership<br />
information for policies.<br />
Local mirror accounts can also be created to allow directory-based users to view and manage<br />
quarantined mail for the Spam Quarantine feature.<br />
Select Basic Config ➝ Directory Services ➝ <strong>User</strong>s and Groups to import users from a<br />
directory.<br />
Click the Add button to add a new directory user import configuration.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the base DN from which the search starts, such as<br />
dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
• Base: Searches the base object only.<br />
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
63
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Query Filter — Enter the appropriate query filter, such as<br />
(|(objectCategory=group)(objectCategory=person)) for Active Directory LDAP<br />
implementations.<br />
If you use Exchange public folders for email, include the following in your query filter:<br />
(objectCategory=publicFolder)<br />
For example,<br />
(|(|(objectCategory=group)(objectCategory=person))(objectCategory=publicFolder))<br />
For iPlanet and OpenLDAP, use: (objectClass=person)<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Result Attributes<br />
This section specifies the attributes to return from the LDAP query. LDAP queries can return a<br />
great deal of information that is not required; the Result Attributes restrict the result to the data<br />
needed.<br />
• <strong>Email</strong> attribute — The name of the attribute that identifies the user’s email address. For<br />
Active Directory, iPlanet, and OpenLDAP, use mail.<br />
• <strong>Email</strong> alias attribute — The name of the attribute that identifies the user’s alternate email<br />
addresses. In Active Directory, the default is proxyAddresses. For iPlanet, use <strong>Email</strong>.<br />
For OpenLDAP, leave this attribute blank.<br />
• Member Of attribute — The name of the attribute that identifies the group(s) that the user<br />
belongs to. This information is used for Policy controls. In Active Directory, the default is<br />
memberOf (this is case sensitive). For iPlanet, use Member. For OpenLDAP, leave this<br />
blank.<br />
• Account Name attribute — This is the name of the attribute that identifies a user’s account<br />
name for login. In Active Directory, the default is sAMAccountName. For iPlanet, use uid.<br />
For OpenLDAP, use cn.<br />
Click the Test button to test your LDAP settings. Click Apply when finished.<br />
64
Import Settings<br />
<strong>ePrism</strong> can automatically import LDAP user data on a scheduled basis. This allows <strong>ePrism</strong> to<br />
stay synchronized with the LDAP directory.<br />
To import LDAP users and groups, click the Import Settings button in the Basic Config ➝<br />
Directory Services ➝ Directory <strong>User</strong>s and Groups screen.<br />
• Import <strong>User</strong> Data — Select the check box to enable automatic import of LDAP user data.<br />
Enabling automatic import ensures that your imported LDAP data remains current with the<br />
information on the LDAP directory server.<br />
• Frequency — Select the frequency of LDAP imports. You can choose between Hourly,<br />
Every 3 Hours, Daily, Weekly, and Monthly.<br />
• Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to<br />
schedule an import at 11pm for the period specified in the Frequency field.<br />
Click Apply to save the settings. Click Import Now to immediately begin the import of users.<br />
View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.<br />
Mirror LDAP Accounts as Local <strong>User</strong>s<br />
To provide local account access for the Spam Quarantine feature, you can mirror the LDAP<br />
accounts, which creates a local account on <strong>ePrism</strong> for each imported user. This provides a<br />
simple method for allowing directory-based users to view and manage quarantined messages if<br />
you have enabled the Spam Quarantine feature.<br />
These local mirror accounts cannot be used as local mail accounts. They can only be used for the<br />
Spam Quarantine. See “Spam Quarantine” on page 187 for more information on configuring the<br />
user-based Spam Quarantine.<br />
To create mirrored LDAP users:<br />
1. Select the Mirror accounts option.<br />
65
2. Choose an Expiry period for the mirrored accounts. If the user no longer exists in the<br />
LDAP directory for the specified period of time, the local mirrored account will be deleted.<br />
Note that this only applies to a local mirrored account, not accounts used for the Reject on<br />
Unknown Recipients feature.<br />
3. Click Apply to save the settings. Click Import Now to immediately begin the import of users<br />
and create mirrored accounts.<br />
View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.<br />
Mirrored accounts can be viewed via <strong>User</strong> Accounts ➝ Mirrored Accounts on the menu.<br />
66
LDAP Aliases<br />
LDAP Aliases are used to search LDAP-enabled directories for mail aliases of a user. If an<br />
alias exists, a new mail message will be created for the named address or addresses. This mail<br />
message will be returned to the delivery process to be mapped, routed, and processed.<br />
LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active<br />
Directory LDAP implementations.<br />
See “Mail Aliases” on page 53 for more information on Mail Aliases.<br />
Select Basic Config ➝ Directory Services ➝ LDAP Aliases to configure LDAP Aliases.<br />
Click the Add button to add a new LDAP alias search.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the base DN from which the search starts, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
• Base: Searches the base object only.<br />
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
67
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Alias Attribute — Enter the Alias Attribute that defines the alias mail addresses for a user,<br />
such as (proxyAddresses=smtp:%s@*) for Active Directory implementations.<br />
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active<br />
Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP alias configuration. Click Apply to save the<br />
settings.<br />
68
LDAP Mappings<br />
LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.<br />
Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This<br />
process is performed without modifying the To: and From: headers in the mail, as virtual<br />
mappings modify the envelope-recipient address.<br />
LDAP Virtual Mappings have been tested with Active Directory only, and the examples shown are<br />
for Active Directory LDAP implementations.<br />
See “Virtual Mappings” on page 57 for more information on Virtual Mappings.<br />
Select Basic Config ➝ Directory Services ➝ LDAP Mapping to configure LDAP Virtual<br />
Mappings.<br />
Click the Add button to add a new LDAP Virtual Mapping search.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the base DN from which the search starts, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
69
• Base: Searches the base object only.<br />
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Incoming Address — Enter the Incoming Address attribute that defines the virtual mapping<br />
for a user, such as (proxyAddresses=smtp:%s) for Active Directory implementations.<br />
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active<br />
Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP virtual mapping configuration. Click Apply to<br />
save the settings.<br />
70
LDAP Recipients<br />
The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient<br />
feature configured in Mail Delivery ➝ Anti-Spam ➝ Intercept. You must have Reject on<br />
Unknown Recipient enabled for this feature to work.<br />
When a mail message is received by <strong>ePrism</strong>, this feature searches an LDAP directory for the<br />
existence of a recipient’s email address. If that user address does not exist in the LDAP<br />
directory, the mail is rejected.<br />
This feature differs from the LDAP <strong>User</strong>s lookup option which searches for a user using the<br />
imported locally-cached LDAP users database. The LDAP Recipients feature performs a direct<br />
lookup on a configured LDAP directory server for each address.<br />
If using an Active Directory server, it is recommended that the LDAP <strong>User</strong>s function be used.<br />
If both LDAP <strong>User</strong>s and LDAP Recipients are enabled with Reject on Unknown Recipient, the<br />
system will lookup the local and mirrored LDAP <strong>User</strong>s first, and then use the direct query to an<br />
LDAP server.<br />
Select Basic Config ➝ Directory Services ➝ LDAP Recipients on the menu to configure<br />
your LDAP recipient lookups.<br />
Click Add to add a new LDAP Recipients search.<br />
71
• Directory Server — Select a directory server to perform the search.<br />
The directory server Bind password cannot contain a "$" character.<br />
• Search Base — Enter the base DN from which the search starts, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
• Base: Searches the base object only.<br />
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Query Filter — Enter the Query Filter for the LDAP Recipients lookup, such as<br />
(&(objectClass=person)(mail=%s)) for Active Directory implementations.<br />
For OpenLDAP and iPlanet, use (&(objectClass=person)(uid=%s)).<br />
• Result Attribute — Enter the attribute that returns the user’s email address, such as mail<br />
for Active Directory implementations. For OpenLDAP, and iPlanet, you can also use mail.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP recipients configuration. Click Apply to save<br />
the settings.<br />
72
LDAP Relay<br />
The LDAP SMTP Authenticated relay feature allows authenticated clients to use this <strong>ePrism</strong> as<br />
an external mail relay for sending mail. For example, you may have remote users that need to<br />
send mail via this <strong>ePrism</strong> system.<br />
These client systems must use a login and password to authenticate to the system before<br />
being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP<br />
relay authentication to authenticate the user to an LDAP directory server.<br />
Configuring LDAP Authenticated SMTP Relay<br />
1. Select Mail Delivery ➝ Mail Access on the menu.<br />
2. Enable the Permit SMTP Authenticated Relay and the LDAP Authenticated Relay<br />
check boxes.<br />
3. Select Basic Config ➝ Directory Services ➝ LDAP Relay on the menu.<br />
73
There are two different ways to provide LDAP support for SMTP authentication: Using Bind, or<br />
querying the LDAP server directly.<br />
The Bind method will only work with Active Directory and iPlanet implementations. The Query Direct<br />
method will only work with OpenLDAP.<br />
• Bind — The Bind method will use the <strong>User</strong> ID and password to authenticate on a successful<br />
bind. The Query Filter must specify the <strong>User</strong> ID with a %s variable, such as<br />
(sAMAccountName=%s) for Active Directory. The Result Attribute must be a <strong>User</strong> ID such<br />
as sAMAccountName. Enter corresponding values specific to your LDAP environment.<br />
For iPlanet, use uid=%s for Query Filter, and mail for Result Attribute.<br />
• Query Directly — The Query Direct method will query the LDAP server directly to<br />
authenticate a user ID and password. The Query Filter must specify the user ID, and the<br />
Result Attribute must specify the password.<br />
For OpenLDAP, use uid=%s for Query Filter, and userPassword for Result Attribute.<br />
For either method, the relay will be refused if the LDAP server direct query or bind attempt fails<br />
for any reason, such as an invalid user name or password, bad query, or if the LDAP server is<br />
not responding.<br />
The directory server Bind password cannot contain a "$" character.<br />
Select a method, and then click Add to add an entry.<br />
You can only use one method, Bind or Query Direct, for all defined LDAP servers. You cannot use<br />
both at the same time.<br />
74
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — The Search Base is derived from the Search Base setting in Basic Config<br />
➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base<br />
string with information specific to your LDAP hierarchy, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
• Base: Searches the base object only.<br />
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Query Filter — Enter the Query Filter for the LDAP lookup, such as<br />
(sAMAccountName=%s) for Active Directory implementations.<br />
• Result Attribute — Enter the attribute that returns the user’s account, such as<br />
sAMAccountName for Active Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP relay configuration. Click Apply to save the<br />
settings.<br />
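The Query Filter templates on the LDAP Recipients, LDAP Relay and LDAP Routing screens all substitute a value that arrives over SMTP for %s: the RCPT TO address for (mail=%s), the AUTH user name for (sAMAccountName=%s), the recipient's mail domain for (uid=%s). The following added example, which is not ePrism's code, shows the RFC 4515 escaping such a substitution needs so that the value can only ever be matched against, never change the shape of the filter; function names and the sample inputs are ours.<br />

```python
"""Build LDAP search filters from %s templates with RFC 4515 value escaping.

Added example for this guide, not ePrism's own code. The LDAP Recipients,
LDAP Relay and LDAP Routing screens each take a filter template in which %s is
replaced at lookup time by a value received over SMTP. This shows the escaping
that substitution needs so the value cannot alter the filter's structure.
Function names and the sample inputs are ours.
"""
from typing import Dict

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute the escaped value for every %s in the template.

    Templates are the ones the guide shows, e.g. "(&(objectClass=person)(mail=%s))".
    """
    if "%s" not in template:
        raise ValueError("filter template has no %s placeholder")
    return template.replace("%s", escape_filter_value(value))


def build_filter_unescaped(template: str, value: str) -> str:
    """Plain substitution, kept only to contrast with build_filter."""
    return template.replace("%s", value)


def component_count(ldap_filter: str) -> int:
    """Number of filter components, i.e. '(' characters.

    After RFC 4515 escaping a value contributes no parentheses, so the count is
    fixed by the template alone; with plain substitution it is not.
    """
    return ldap_filter.count("(")


def has_wildcard(ldap_filter: str) -> bool:
    """True if the filter contains an unescaped '*' (substring or presence match)."""
    return "*" in ldap_filter


def lookup_filters(recipient: str, auth_user: str, domain: str) -> Dict[str, str]:
    """Filters for the three lookups the guide describes, all built with escaping."""
    return {
        "recipient": build_filter("(&(objectClass=person)(mail=%s))", recipient),
        "relay_bind": build_filter("(sAMAccountName=%s)", auth_user),
        "routing": build_filter("(&(cn=Transport Map)(uid=%s))", domain),
    }


if __name__ == "__main__":
    template = "(&(objectClass=person)(mail=%s))"
    ordinary = "jsmith@example.com"
    metachars = "*)(mail=*"  # constructed test vector with filter metacharacters
    for value in (ordinary, metachars):
        plain = build_filter_unescaped(template, value)
        safe = build_filter(template, value)
        print(plain, component_count(plain), has_wildcard(plain))
        print(safe, component_count(safe), has_wildcard(safe))
```

With plain substitution the second test vector turns a two-term AND into a filter with an extra wildcard term; after escaping it is still a single equality match against a literal string containing `*`, `(` and `)`, and the recipient lookup simply finds no such mailbox.<br />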
75
LDAP Routing<br />
LDAP mail routing allows a mail route for a recipient to be queried on a specified LDAP server.<br />
The destination mail server for that domain will be returned and the message will then be routed<br />
to that server. This is the preferred method for mail routing for organizations with a large amount<br />
of domains. Any locally defined mail routes in Mail Delivery ➝ Routing ➝ Mail Routing will be<br />
resolved before LDAP routing.<br />
LDAP routing has been tested only with iPlanet implementations but the examples provided should<br />
work with OpenLDAP depending on your LDAP schema.<br />
Select Basic Config ➝ Directory Services ➝ LDAP Routing to configure your LDAP routing<br />
settings.<br />
Click Add to add a new LDAP route search.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — The Search Base is derived from the Search Base setting in Basic Config<br />
➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base<br />
string with information specific to your LDAP hierarchy, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
• Base: Searches the base object only.<br />
76
• One Level: Searches objects beneath the base object, but excludes the base object.<br />
• Subtree: Searches the entire subtree of which the base distinguished name is the<br />
topmost object, including that base object.<br />
• Query Filter — Enter the Query Filter that will search for the Mail Domain of a recipient,<br />
such as (&(cn=Transport Map)(uid=%s)) for iPlanet implementations.<br />
• Result Attribute — Enter the attribute that returns the domain’s mail host, such as<br />
mailHost for iPlanet implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP routing configuration. Click Apply to save<br />
the settings.<br />
77
CHAPTER 5<br />
Mail <strong>Security</strong> and Encryption<br />
This chapter describes how to configure the mail security features of your <strong>ePrism</strong> <strong>Email</strong><br />
<strong>Security</strong> <strong>Appliance</strong> and contains the following topics:<br />
• “SMTP Mail Access” on page 80<br />
• “Anti-Virus” on page 82<br />
• “Threat Outbreak Control” on page 85<br />
• “External <strong>Email</strong> Message Encryption” on page 90<br />
• “Encrypting Mail Delivery Sessions” on page 94<br />
• “SSL Certificates” on page 97<br />
79
SMTP Mail Access<br />
The Mail Access screen allows you to configure features that provide security when <strong>ePrism</strong> is<br />
accepting mail during an SMTP connection.<br />
Select Mail Delivery ➝ Mail Access to configure your SMTP mail access settings.<br />
• Specific Access Patterns — This feature can be used to search for patterns in a message<br />
for filtering during the SMTP connection. See “Specific Access Patterns (SAP)” on page 140<br />
for detailed information on configuring these filters.<br />
• Pattern Based Message Filtering — Enable this option to use Pattern Based Message<br />
Filtering to reject or accept mail based upon matches in the message envelope, header, or<br />
body. See “Pattern Based Message Filtering (PBMF)” on page 112 for detailed information<br />
on configuring Pattern Based Message Filters.<br />
• Maximum recipients per message — Set the maximum number of recipients accepted per<br />
message. A very large number of recipients means the message is more likely to be spam<br />
or bulk mail. The default is 1000.<br />
• Maximum recipients reject code — Allows administrators to return a different error<br />
instead of the default "452 Error: too many recipients", such as "554" to permanently reject<br />
the connection.<br />
• Maximum message size — Set the maximum message size that will be accepted by<br />
<strong>ePrism</strong>.<br />
When attachments are sent with most email messages, the message size grows considerably due<br />
to the encoding methods used. The maximum message size should be set accordingly to<br />
accommodate attachments.<br />
80
Maximum Unknown Recipients<br />
• Maximum Unknown recipients per message — This value determines how many<br />
unknown recipients are allowed in the message before it will be rejected by <strong>ePrism</strong>. A high<br />
number of unknown recipients indicates the message is likely spam, or a denial of service<br />
attempt.<br />
• Maximum Unknown recipients reject code — This value indicates the SMTP reject code<br />
to use when the maximum unknown recipients value is exceeded. This should be set to<br />
either 421 (temporary reject) or 554 (permanent reject).<br />
SMTP Authenticated Relay<br />
This feature allows authenticated clients to use <strong>ePrism</strong> as an external mail relay for sending<br />
mail. For example, you may have remote users that need to send mail via this <strong>ePrism</strong> system.<br />
Client systems must use a login and password to authenticate to the system before being<br />
allowed to relay mail. These accounts can be local or they can be authenticated via LDAP.<br />
Select Mail Delivery ➝ Mail Access on the menu to enable SMTP Authenticated Relay.<br />
LDAP SMTP Authentication<br />
SMTP authentication can also be performed via an LDAP directory server. Select the check<br />
box to enable LDAP Authenticated Relay, and select the link to configure. This feature can also<br />
be configured via Basic Config ➝ Directory Services ➝ LDAP Relay.<br />
See “LDAP Relay” on page 73 for detailed information on configuring LDAP Authenticated<br />
Relay.<br />
SMTP Banner<br />
The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This<br />
banner contains identifying information about your mail server which could be used to help plan<br />
attacks against <strong>ePrism</strong>. This option allows you to customize the SMTP banner and also<br />
remove <strong>ePrism</strong>’s hostname by using the Domain only option.<br />
81
Anti-Virus<br />
<strong>ePrism</strong> provides an optional virus scanning service. When enabled, all messages (inbound and<br />
outbound) passing through the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> can be scanned for viruses.<br />
<strong>ePrism</strong> integrates the Kaspersky Anti-Virus engine which is one of the highest rated virus<br />
scanning technologies in the world. Virus scanning is tightly integrated with the mail engine for<br />
maximum efficiency.<br />
Viruses can be selectively blocked depending on whether they are found in inbound or<br />
outbound messages, and attachments are recursively disassembled to ensure that viruses<br />
cannot be concealed. When a virus-infected message is received, it can be rejected, deleted,<br />
quarantined, or the event can be simply logged. Quarantined messages may be viewed,<br />
forwarded, downloaded, or deleted. Quarantined messages can also be automatically deleted<br />
based on age.<br />
By default, any email attachments that cannot be opened and examined by the mail scanner<br />
because of password-protection are quarantined. This feature prevents password-protected zip<br />
files that contain viruses or worms from being passed through the system.<br />
Virus pattern files are automatically downloaded at regular intervals to ensure that they are<br />
always up to date. Notification messages can be sent to the sender, recipient, and mail<br />
administrator when an infected message is received.<br />
Licensing Anti-Virus<br />
Kaspersky Anti-Virus is a cost option. To enable virus scanning after the 30-day evaluation<br />
period, you must purchase and install a license for each system. See “License Management” on<br />
page 308 for more information on adding licenses.<br />
82
Configuring Anti-Virus Scanning<br />
Select Mail Delivery ➝ Anti-Virus from the menu to configure virus scanning for both inbound<br />
and outbound directions.<br />
• Enable Kaspersky virus scanning — Enable or disable virus scanning by selecting the<br />
check box.<br />
Treat as a Virus<br />
• Attachments resembling a known virus — Some types of attachments may resemble a<br />
known virus pattern and could contain malicious code. It is strongly recommended that you<br />
treat attachments with code that resembles a known virus as if they contained a virus.<br />
• Attachments containing unknown viral code — The anti-virus scanner can detect code<br />
that resembles the patterns of a virus. It is strongly recommended that you treat<br />
attachments containing suspected viral code as if they contained viruses.<br />
• Corrupt attachments — Corrupted attachments may not be able to be processed by the<br />
anti-virus scanner and could contain viruses. It is strongly recommended that you treat<br />
corrupt attachments as if they contained viruses.<br />
• Password-protected attachments — Attachments protected by a password cannot be<br />
opened by the anti-virus scanner and could contain viruses. It is strongly recommended<br />
that you treat attachments that cannot be opened as if they contained viruses.<br />
• Attachments causing scan errors — Attachments that are causing errors while being<br />
scanned by the anti-virus scanner may contain viruses. It is strongly recommended that you<br />
treat attachments that cause scanning errors as if they contained viruses.<br />
• Action — Configure the action to be performed for both inbound and outbound mail.<br />
Possible actions include:<br />
• Just log: Log the event and take no further action.<br />
83
• Reject mail: The message is rejected with notification to the sending system.<br />
• Quarantine mail: The message is placed into the administrative quarantine area.<br />
• Discard mail: The message is discarded without notification to the sending system.<br />
• Notification — A notification email can be sent to the recipients and sender of a message,<br />
and also the mail system administrator. Select the required check box for both inbound and<br />
outbound mail. In the Inbound Notification and Outbound Notification text boxes, customize<br />
the content for the response message.<br />
Updating Pattern Files<br />
Virus pattern files must be continuously updated to ensure that you are protected from new virus<br />
threats. The frequency of virus pattern file updates can be configured from the Virus Pattern<br />
Files section.<br />
• Update interval (mins) — Select the time interval to configure how often to check for<br />
pattern file updates. Options include 15, 30, and 60 minutes.<br />
• Proxy — If you access the Internet through a proxy server, you must enter its hostname and<br />
port number, such as proxy.example.com:80, for updates to succeed.<br />
• Manual Update — Pattern files can be updated manually by clicking the Get Pattern Now<br />
button.<br />
• Status — Displays the date and time of the last update.<br />
84
Threat Outbreak Control<br />
The Threat Outbreak Control feature provides customers with zero-day protection against early<br />
virus outbreaks. For most virus attacks, the time from the moment the virus is released to the<br />
time a pattern file is available to protect against the virus can be several hours. During this<br />
period, mail recipients are vulnerable to potential threats.<br />
<strong>ePrism</strong>’s Threat Outbreak Controls can detect and take action against early virus outbreaks to<br />
contain the virus threat. If a message is classified as containing a possible virus, the message<br />
can be quarantined, deleted, or the event can be logged. When an updated anti-virus pattern<br />
file is received, any quarantined files will be re-scanned automatically. If a virus is detected with<br />
the new pattern file, the configured anti-virus action is performed on the message. If the hold<br />
period for a message in the quarantine expires and it has not been positively identified as a<br />
virus during that time, the configured "release" action will be performed.<br />
<strong>ePrism</strong> will examine incoming "untrusted" messages and look for the following characteristics<br />
when deciding if the message indicates an early virus threat:<br />
• The message is bulk (addressed to a large number of recipients) and contains an<br />
executable or common office document attachment (such as .doc). To detect the<br />
message as "Bulk", the Intercept Bulk Analysis feature must be enabled.<br />
• The message originates from an IP address that has recently sent viruses and contains an<br />
executable or common office document attachment. To detect if the client has recently sent<br />
viruses, the Mail Anomalies feature and the Recent virus from Client option must be<br />
enabled.<br />
• The message originates from an IP address with a poor St. Bernard <strong>Security</strong> Network<br />
(BSN) reputation and contains an executable or common document attachment. To detect<br />
addresses with a poor reputation, the BSN feature must be enabled.<br />
• The anti-virus scanner detects attachments that resemble a known virus or contain<br />
unknown viral code.<br />
• The message was malformed, or was blocked by attachment control and the action was set<br />
to "Discard" or "Reject".<br />
The following table lists the types of executable files and common office document formats that<br />
are scanned by Threat Outbreak Control:<br />
TABLE 1. Executable Files and Common Office Documents<br />
Executable: .bat, .chm, .cmd, .com, .dll, .drv, .exe, .js, .jse, .nlm, .ovl, .pif, .scr, .shs, .sys, .vbe, .vbs, .vxd<br />
Common Office Documents: .doc, .dot, .ppt, .wk1, .wks, .wp, .xls<br />
Configuring Threat Outbreak Control<br />
Select Mail Delivery ➝ Outbreak Control on the menu to configure the Threat Outbreak<br />
Control feature.<br />
Detection<br />
The following options take effect when Threat Outbreak Control is enabled:<br />
• Action — Select the action to perform if a message is detected as having a possible virus:<br />
• Just Log: The message will be delivered and an entry added to the mail logs.<br />
• Reject mail: The message will be rejected with notification to the sender.<br />
• Quarantine mail: The message will be placed into the administrative quarantine area.<br />
These messages can be viewed and managed via Status/Reporting ➝ Quarantine on<br />
the menu.<br />
• Discard mail: The message will be discarded without notification to the sender.<br />
• Hold Period — Enter the time period (in hours) for which to hold the message in the<br />
administrative quarantine area. The default hold period is 8 hours. In most cases, the Anti-<br />
Virus pattern files will be updated within 2-4 hours of a new virus being discovered. It is<br />
recommended that enough time is configured to allow the opportunity for the files to be<br />
rescanned with updated anti-virus pattern files as they become available.<br />
If the Quarantine expiry period is set to a value less than the "Hold Period", the expiry period takes<br />
precedence and the held message will be expired.<br />
• Notification — Select the users who will receive a notification if a message is detected as<br />
having a possible virus. Options include the "Recipients", the "Sender", and the<br />
"Administrator".<br />
• Notification Message — Enter the text for the automated notification message.<br />
Anti-Virus Action<br />
During the hold period, if a quarantined message is rescanned and determined to have a virus,<br />
the configured Anti-Virus action will be performed, as set in Mail Delivery ➝ Anti-Virus. If the<br />
hold period expires and the message has been determined not to be infected with a virus, the<br />
"Release" action will be performed.<br />
Release<br />
The following options take effect for a quarantined message when its configured "Hold Period"<br />
has elapsed:<br />
• Action — Select the action to perform if the "Hold Period" has elapsed for a quarantined<br />
message:<br />
• Just Notify: A message will be sent to notify the specified users that the "Hold Period" for<br />
a quarantined message has elapsed without it being classified as a virus. The message<br />
will remain in the quarantine until released manually by the administrator.<br />
• Release mail: The message will be automatically released from the quarantine and<br />
delivered to the original recipients. Notifications can also be enabled to notify users when<br />
the message is released.<br />
If Attachment Control or Malformed Mail had already discarded or rejected the message and Threat<br />
Outbreak Control then quarantined it, the message is discarded on release rather than delivered. The<br />
final action recorded for it is Threat Outbreak Control "Quarantine" because of a possible virus.<br />
• Notification — Select the users who will receive a notification if a message is released from<br />
the quarantine. Options include the "Recipients", the "Sender", and the "Administrator".<br />
• Notification Message — Enter the text for the automated notification message.<br />
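The detection criteria and the quarantine lifecycle described above, as an added Python model (not ePrism's own code). The sample message, the threshold of 10 recipients used for "bulk", and the three flags standing in for the Intercept Bulk Analysis, Mail Anomalies and BSN features are assumptions; the extension lists come from Table 1.<br />

```python
# Added example (not ePrism's own code): a model of the Threat Outbreak
# Control decision and of what happens to a quarantined message afterwards.
# The sample message, the "bulk" threshold and the signal flags are assumptions.
from email.message import EmailMessage

# Extension lists from Table 1 (Executable Files and Common Office Documents).
EXECUTABLE = {".bat", ".chm", ".cmd", ".com", ".dll", ".drv", ".exe", ".js",
              ".jse", ".nlm", ".ovl", ".pif", ".scr", ".shs", ".sys", ".vbe",
              ".vbs", ".vxd"}
OFFICE = {".doc", ".dot", ".ppt", ".wk1", ".wks", ".wp", ".xls"}
BULK_RECIPIENTS = 10   # assumed threshold for "bulk"; the guide gives none


def risky_attachments(msg):
    """Filenames of attachments whose extension appears in Table 1."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE or ext in OFFICE:
            found.append(name)
    return found


def outbreak_indicators(msg, recent_virus_from_client=False,
                        poor_bsn_reputation=False, av_heuristic_hit=False,
                        malformed_or_blocked=False):
    """Return the outbreak indicators that fired; an empty list means clean.

    The flags stand in for the Bulk Analysis, Mail Anomalies and BSN features,
    each of which must be enabled for its indicator to be available at all.
    """
    reasons = []
    risky = risky_attachments(msg)
    recipients = 0
    for header in ("To", "Cc"):
        if msg[header] is not None:
            recipients += len(msg[header].addresses)
    if risky and recipients >= BULK_RECIPIENTS:
        reasons.append("bulk message with risky attachment")
    if risky and recent_virus_from_client:
        reasons.append("client recently sent a virus, risky attachment")
    if risky and poor_bsn_reputation:
        reasons.append("poor BSN reputation, risky attachment")
    if av_heuristic_hit:
        reasons.append("anti-virus heuristic match")
    if malformed_or_blocked:
        reasons.append("malformed or blocked by attachment control")
    return reasons


def quarantine_disposition(elapsed_hours, hold_hours=8, quarantine_expiry_hours=None,
                           rescan_found_virus=False, blocked_before_quarantine=False):
    """What happens to a quarantined "possible virus" message after elapsed_hours.

    - a rescan with a new pattern file that finds a virus triggers the
      configured Anti-Virus action at once;
    - a Quarantine expiry shorter than the Hold Period takes precedence and
      expires the message;
    - once the Hold Period has elapsed the Release action applies, except that
      a message Attachment Control or Malformed Mail had already discarded or
      rejected is discarded instead of delivered.
    """
    if rescan_found_virus:
        return "anti-virus action"
    if (quarantine_expiry_hours is not None and quarantine_expiry_hours < hold_hours
            and elapsed_hours >= quarantine_expiry_hours):
        return "expired"
    if elapsed_hours >= hold_hours:
        return "discard" if blocked_before_quarantine else "release"
    return "hold"


def build_sample(recipients=12, filename="invoice.exe"):
    """Constructed sample message: one attachment, N recipients."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = ", ".join(f"user{i}@example.com" for i in range(recipients))
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print(outbreak_indicators(sample))                        # bulk + risky attachment
    print(quarantine_disposition(2, rescan_found_virus=True))  # anti-virus action
    print(quarantine_disposition(9))                          # hold elapsed: release
```

The model keeps the two decisions separate: the indicators decide whether a message is a "possible virus" at all, and the disposition function only applies to a message that the Action set to Quarantine has already held.<br />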
Threat Outbreak Reports and Logs<br />
Threat Outbreak Control activity is displayed in <strong>ePrism</strong>’s reports, including the following<br />
information:<br />
• A summary of Threat Outbreak actions and the types of messages blocked, including<br />
information on the number of messages quarantined and released and the number of<br />
malformed, virus-infected messages, and messages that contained a forbidden attachment.<br />
• A list of the top viruses caught and the time and date when they were detected by Threat<br />
Outbreak Control and when they were detected by the Anti-Virus scanner.<br />
The Top Virus List section also contains a column called Outbreak Control Number indicating<br />
the number of viruses caught by Threat Outbreak Control.<br />
In the Status/Reporting ➝ Reporting ➝ Mail History section, the disposition of messages<br />
caught by Threat Outbreak Control can be searched for based on the message status of<br />
"possible virus".<br />
External <strong>Email</strong> Message Encryption<br />
<strong>ePrism</strong> provides integration with external encryption servers to provide email encryption and<br />
decryption functionality. <strong>Email</strong> encryption allows individual messages to be encrypted by a<br />
separate encryption server before being delivered to its destination by <strong>ePrism</strong>. Incoming<br />
encrypted messages can also be sent to the encryption server to be decrypted before <strong>ePrism</strong><br />
accepts the message and delivers it to the intended recipient. This integration allows<br />
organizations to ensure that encrypted messages are still processed by <strong>ePrism</strong> for security<br />
issues, as well as being scanned for content and policy rules.<br />
<strong>Email</strong> encryption provides organizations with the ability to protect the privacy and confidentiality<br />
of their messages and also conform to any regulatory compliance policies that must ensure that<br />
certain types of data are encrypted before being sent out across the Internet.<br />
Encryption and decryption can be performed for selected email messages via filter rules on the<br />
<strong>ePrism</strong>. A message filter can be created for specific email sending addresses, IP addresses and<br />
host names of specific SMTP servers, or for specific words located in the subject of a message<br />
such as "Encrypt".<br />
As mail is forwarded back and forth between <strong>ePrism</strong> and the Encryption server, all mail statistics will<br />
include this additional delivery and mail counts will be higher as a result.<br />
Configuring <strong>ePrism</strong> Message Encryption and Decryption<br />
<strong>ePrism</strong> can be set up to integrate with an existing encryption server using the following general<br />
steps:<br />
1. Configure the Encryption server to integrate with <strong>ePrism</strong>.<br />
2. Create Mail Routes to the Encryption server on <strong>ePrism</strong>.<br />
3. Enable Encryption and Decryption on <strong>ePrism</strong>.<br />
4. Create Encryption rules on <strong>ePrism</strong> to identify messages to be encrypted.<br />
The Encryption server must be on the same network as <strong>ePrism</strong>. Ensure they are communicating<br />
properly and can see each other on the network by using a utility such as ping.<br />
Configuring the Encryption Server<br />
The existing Encryption server must be set up to relay all mail to the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong><br />
<strong>Appliance</strong>. Please see the documentation provided by your Encryption server vendor.<br />
In general, outbound and inbound proxies or mail routes must be configured on the Encryption<br />
server to ensure messages are accepted from and passed back to <strong>ePrism</strong> after being encrypted<br />
or decrypted.<br />
Define Mail Routes for Encryption and Decryption<br />
Mail routes to the Encryption server must be defined for both encrypting and decrypting<br />
messages. To ensure <strong>ePrism</strong> knows where to route messages for encryption, create a mail<br />
route for the domains .encrypt_reroute and .decrypt_reroute to the address of the<br />
Encryption server.<br />
1. Select Mail Delivery ➝ Routing ➝ Mail Routing to define mail routes.<br />
2. Enter .encrypt_reroute as the Domain, and in the Route-to field, enter the address of<br />
the Encryption server such as 192.168.1.175.<br />
3. Similarly, create a route for .decrypt_reroute as the Domain, and in the Route-to field,<br />
enter the address of the Encryption server such as 192.168.1.175.<br />
The port and IP address may be different depending on the Encryption server configuration.<br />
Enabling Encryption and Decryption on <strong>ePrism</strong><br />
1. Select Mail Delivery ➝ Encryption to configure your encryption settings.<br />
2. Select the Active check box to enable the Encryption and Decryption action as required.<br />
3. Select an Action to perform on a message that is to be encrypted or decrypted.<br />
Select the Redirect to action to send this message to the Encryption server for encryption or<br />
decryption using the mail route specified in the Action Data field.<br />
4. To reroute the message to the Encryption server using the Redirect to action, the Action<br />
Data must be set to the appropriate mail route for encryption and decryption.<br />
Enter encrypt_reroute or decrypt_reroute as the action data. These mail routes<br />
must be defined in Mail Delivery ➝ Routing ➝ Mail Routing to point to the Encryption<br />
server.<br />
5. Select optional notifications to the Recipients, Sender, or Administrator, when a message<br />
has been sent for encryption.<br />
Defining Filter Rules for Encryption<br />
A filter rule must be used to identify which messages are to be encrypted. For example,<br />
your organization may use a tag in the subject header such as "Encrypt", which can be used to<br />
identify an outgoing message that must be encrypted. Specific email addresses and IP<br />
addresses can also be defined to ensure that certain users or servers have their email encrypted.<br />
Encryption rules can be created using either Pattern Based Message Filters (PBMF) or by<br />
using definable dictionaries with the Objectionable Content Filtering and Attachment Scanning<br />
features. The latter features allow dictionaries with specific keywords and phrases to be used to<br />
trigger the encryption rules. See “Message Content Scanning” on page 101 for detailed<br />
instructions on configuring these features.<br />
The filter rule will examine outbound mail messages for specific patterns to redirect mail for<br />
encryption. This could be anything from a user’s email address to a phrase. When setting up<br />
the filter rule, the only criterion is that the filter action is set to Encrypt or Decrypt.<br />
To set up an encryption rule using Pattern Based Message Filters:<br />
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMFs) to set up filters<br />
for encryption purposes.<br />
2. Create a simple rule that checks all outbound mail for the word "Encrypt" in the subject,<br />
and set the action to Encrypt.<br />
The "Encrypt" and "Decrypt" PBMF action will only appear when Encryption and Decryption are<br />
enabled in Mail Delivery ➝ Encryption.<br />
3. A separate filter rule must be created to allow messages arriving from the Encryption<br />
server to be relayed. This action allows <strong>ePrism</strong> to accept messages back from the<br />
Encryption server that have been encrypted and relay these messages to external<br />
networks.<br />
Create a rule to match the Client IP field to the address of the Encryption server, such as<br />
192.168.1.175, and set the action to Relay.<br />
The filter rule that allows messages to be relayed back must be of a higher priority than any<br />
Encryption rule that is created.<br />
Similarly, you must create a PBMF rule to examine incoming messages that need to be<br />
decrypted before being delivered to the recipient.<br />
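Why the relay rule must sit above the Encrypt rule, shown as an added Python model (not ePrism's own code) of the routes and PBMF rules configured in the steps above. The rule shapes, the sample message, and the use of 192.168.1.175 (the guide's example address) as the Encryption server are assumptions; a Decrypt rule for inbound mail would be the mirror image and is not modelled.<br />

```python
# Added example (not ePrism's own code): a model of how the PBMF relay rule,
# the Encrypt rule and the mail routes interact. Rule shapes, the sample
# message and the 192.168.1.175 address are assumptions for illustration.

ENCRYPTION_SERVER = "192.168.1.175"

# Mail Delivery -> Routing -> Mail Routing entries.
ROUTES = {
    ".encrypt_reroute": ENCRYPTION_SERVER,
    ".decrypt_reroute": ENCRYPTION_SERVER,
}


def relay_from_encryption_server(m):
    """PBMF criterion: Client IP is the encryption server."""
    return m["client_ip"] == ENCRYPTION_SERVER


def tagged_for_encryption(m):
    """PBMF criterion: outbound mail with "Encrypt" in the subject."""
    return m["direction"] == "outbound" and "encrypt" in m["subject"].lower()


# A rule is (name, criterion, action, action_data). Rules are evaluated
# top-down, so list position is priority.
RELAY_RULE = ("relay-from-encryption-server", relay_from_encryption_server, "Relay", None)
ENCRYPT_RULE = ("encrypt-tagged-outbound", tagged_for_encryption, "Encrypt", "encrypt_reroute")
CORRECT_ORDER = [RELAY_RULE, ENCRYPT_RULE]   # relay rule has the higher priority
WRONG_ORDER = [ENCRYPT_RULE, RELAY_RULE]     # relay rule below the Encrypt rule


def apply_rules(rules, message):
    """First matching rule wins; returns (rule name, action, action data)."""
    for name, criterion, action, data in rules:
        if criterion(message):
            return name, action, data
    return "default", "Deliver", None


def next_hop(action, data, message):
    """Encrypt/Decrypt redirect through the named mail route; anything else
    goes to the message's real destination."""
    if action in ("Encrypt", "Decrypt"):
        return ROUTES["." + data]
    return message["destination"]


def simulate(rules, message, max_hops=5):
    """Follow one message through ePrism and back from the encryption server.

    Returns the hops taken. When the server hands the message back its subject
    still carries the tag, so only a relay rule matched first keeps it from
    being redirected to the server again and again.
    """
    hops = []
    m = dict(message)
    while len(hops) < max_hops:
        _, action, data = apply_rules(rules, m)
        hop = next_hop(action, data, m)
        hops.append(hop)
        if hop != ENCRYPTION_SERVER:
            return hops
        m = dict(m, client_ip=ENCRYPTION_SERVER)   # next pass: back from the server
    return hops                                     # never left the loop


SAMPLE = {                       # constructed outbound message
    "client_ip": "10.0.0.25",
    "direction": "outbound",
    "subject": "[Encrypt] Q2 payroll",
    "destination": "mx.partner.example",
}

if __name__ == "__main__":
    print(simulate(CORRECT_ORDER, SAMPLE))   # the server, then the partner MX
    print(simulate(WRONG_ORDER, SAMPLE))     # the server five times: a loop
```

With the relay rule first, the second pass through the rules matches on the Client IP and the message leaves for its destination; with the order reversed the Encrypt rule matches on every pass and the message shuttles between ePrism and the Encryption server.<br />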
Encrypting Mail Delivery Sessions<br />
<strong>ePrism</strong> offers a simple mechanism for encrypting mail delivery using SSL (Secure Sockets Layer)<br />
and TLS (Transport Layer <strong>Security</strong>) encryption.<br />
A flexible policy can be implemented to allow other servers and clients to establish encrypted<br />
sessions with <strong>ePrism</strong> to send and receive mail.<br />
The following types of traffic can be encrypted:<br />
• Server to Server — Used to create an email VPN (Virtual Private Network) and protect<br />
company email over the Internet.<br />
• Client to Server — Many email clients, such as Outlook, support TLS for sending and<br />
receiving mail. This protects messages in transit on the hop between the client and the server<br />
without the difficulties of implementing other encryption schemes. TLS secures the connection<br />
only: messages are still stored in clear text on each mail server they pass through.<br />
Encryption can be enforced between particular systems, such as setting up an email VPN<br />
between two <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>s at remote sites. Encryption can also be set as<br />
optional so that users who are concerned about the confidentiality of their messages on the<br />
internal network can specify encryption in their mail client when it communicates with <strong>ePrism</strong>.<br />
<strong>ePrism</strong> supports the use of certificates to initiate the negotiation of encryption keys.<br />
<strong>ePrism</strong> can generate its own site certificates, and can also import Certificate Authority (CA)<br />
signed certificates.<br />
See “SSL Certificates” on page 97 for more information on importing certificates.<br />
Configuring Mail Delivery Encryption<br />
Select Mail Delivery ➝ SMTP <strong>Security</strong> from the menu to enable email delivery encryption.<br />
Incoming TLS Mail<br />
• Accept TLS — Enable this option to accept SSL/TLS for incoming mail connections.<br />
• Require TLS for SMTP AUTH — This value is used to require SSL/TLS when accepting<br />
mail for authenticated relay. See “SMTP Authenticated Relay” on page 81 for more detailed<br />
information.<br />
• Log TLS info into Received header — Enable this option to log TLS information<br />
(including protocol, cipher used, client and issuer common name) into the Received:<br />
message header.<br />
Note: These headers may be modified by intermediate servers and only information<br />
recorded at the final destination is reliable.<br />
Default TLS Policy<br />
• Offer TLS — Enable this option to offer remote mail servers the option of using SSL/TLS<br />
when sending mail.<br />
• Enforce TLS — Enable this option to require a TLS session with a valid CA-signed certificate<br />
when delivering mail to any remote mail server without a Specific Site Policy entry. If the remote<br />
server does not offer TLS or cannot present a valid certificate, delivery fails.<br />
Specific Site Policy<br />
This option supports the specification of exceptions to the default settings for TLS/SSL. For<br />
example, you may need to exempt a mail server from using TLS/SSL because of lack of TLS<br />
support.<br />
To exempt a system, specify the IP Address or FQDN (Fully Qualified Domain Name) of the<br />
remote mail server in the Add/Update Site field. Select Don’t Use TLS from the drop-down box<br />
and click the Update button. The exempted mail server will be listed under the Specific Site<br />
Policy.<br />
TLS options include the following:<br />
• Don’t Use TLS — TLS Mail Delivery is never used with the specified system.<br />
• May Use TLS — Use TLS if the specified system supports it.<br />
• Enforce TLS — Deliver to the specified system only if a TLS connection with a valid CA-signed<br />
certificate can be established.<br />
• Loose TLS — Similar to Enforce TLS but will accept a mismatch between the specified<br />
server name and the Common Name in the certificate.<br />
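The Default TLS Policy and the four Specific Site Policy options above, as an added Python model (not ePrism's own code). The policy names are the guide's; the site table, the TlsResult fields describing what the delivering side learned from the peer, and the decision function are assumptions for illustration.<br />

```python
# Added example (not ePrism's own code): a model of the TLS delivery policy.
# The four policy names are the guide's; the site table, the TlsResult fields
# and the decision function are assumptions.
from dataclasses import dataclass

DONT_USE = "Don't Use TLS"
MAY_USE = "May Use TLS"
ENFORCE = "Enforce TLS"
LOOSE = "Loose TLS"


@dataclass
class TlsResult:
    """What the delivering side learned when it tried STARTTLS with a peer."""
    offered: bool               # the peer advertised STARTTLS at all
    ca_valid: bool = False      # certificate chains to a trusted CA and is in date
    name_matches: bool = False  # certificate Common Name matches the server name


# Specific Site Policy: keyed by IP address or FQDN (constructed entries).
SITE_POLICY = {
    "legacy-mx.example.org": DONT_USE,    # no TLS support, so exempted
    "192.0.2.25": LOOSE,                  # partner whose certificate CN does not match
    "mail.partner.example": ENFORCE,
}


def effective_policy(server, site_policy, offer_tls=True, enforce_tls=False):
    """A Specific Site Policy entry overrides the Default TLS Policy."""
    specific = site_policy.get(server.lower())
    if specific is not None:
        return specific
    if enforce_tls:
        return ENFORCE
    return MAY_USE if offer_tls else DONT_USE


def delivery_decision(server, tls, site_policy=SITE_POLICY,
                      offer_tls=True, enforce_tls=False):
    """Return ("deliver"|"fail", "tls"|"plain"|None) for one delivery attempt."""
    policy = effective_policy(server, site_policy, offer_tls, enforce_tls)
    if policy == DONT_USE:
        return "deliver", "plain"
    if policy == MAY_USE:
        # Opportunistic: any TLS session counts, even with an untrusted certificate.
        return ("deliver", "tls") if tls.offered else ("deliver", "plain")
    # Enforce and Loose both require a valid CA-signed certificate.
    if not tls.offered or not tls.ca_valid:
        return "fail", None
    if policy == ENFORCE and not tls.name_matches:
        return "fail", None                # Loose tolerates the name mismatch
    return "deliver", "tls"


if __name__ == "__main__":
    print(delivery_decision("192.0.2.25", TlsResult(True, True, False)))        # Loose: deliver
    print(delivery_decision("mail.partner.example", TlsResult(True, True, False)))  # Enforce: fail
```

The point worth noticing is that May Use TLS never validates the certificate, so it protects against passive interception only; anything that must resist an active attacker needs an Enforce or Loose entry, and Loose still refuses a self-signed or expired certificate.<br />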
TLS and Reporting<br />
Report filters can be configured to display any messages that have been encrypted with SSL/<br />
TLS. Select Status/Reporting ➝ Reporting ➝ Report Filters, and select "SSL" in both the<br />
Encryption from Sender and Encryption to Recipient filters. The filters can be enabled when<br />
generating a report to display only SSL/TLS based messages.<br />
The Mail History can also be filtered for SSL/TLS messages via Status/Reporting ➝<br />
Reporting ➝ Mail History by selecting the "ssl" field in the drop-down search menu.<br />
SSL Certificates<br />
A valid SSL certificate is required to support the encryption services available on <strong>ePrism</strong>.<br />
The SSL encrypted channel from the server to the web browser (such as when using a URL<br />
that begins with HTTPS), requires a valid digital certificate. You can use self-signed certificates<br />
generated by <strong>ePrism</strong>, or import certificates purchased from commercial vendors such as<br />
Verisign.<br />
A certificate binds a domain name to a public key by means of the cryptographic signature of<br />
a trusted party (the issuing Certificate Authority); the matching private key stays on the server.<br />
The web browser can warn you of invalid certificates that undermine secure, encrypted<br />
communications with a server.<br />
The disadvantage of self-signed certificates is that web browsers will display warnings that the<br />
"company" (in this case, the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>) issuing the certificate is<br />
untrusted. When you purchase a commercial certificate, the browser will recognize the<br />
company that signed the certificate and will not generate these warning messages.<br />
A web server digital certificate as used here contains one domain name, such as<br />
server.example.com, and without Server Name Indication support only one certificate can be<br />
served per IP address. Web browsers will display a warning when connecting to the server under<br />
any name other than the one in the certificate, so use the name that users and remote servers<br />
actually connect to. Digital certificates expire after a set period and must be renewed before<br />
the expiry date.<br />
Install a commercial certificate on the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> as follows:<br />
1. Select Management ➝ SSL Certificates on the menu.<br />
2. Create a new certificate using the Generate a 'self-signed' certificate button.<br />
3. Click Apply to reboot the system to install the new certificate.<br />
4. After the reboot, the current certificate (signed by the onboard Certificate Authority) and the<br />
certificate signing request for its key are displayed. To obtain a commercial certificate, send<br />
this certificate request to the commercial Certificate Authority (CA) of your choice<br />
(such as Verisign, Entrust, and so on) for signing.<br />
Ensure that the certificate you order is an Apache-compatible (PEM encoded) certificate.<br />
SSL Certificate<br />
5. When received from the CA, install the commercial certificate using the Load site<br />
certificate button.<br />
Enter the PEM encoded certificate information from the signed SSL certificate returned by the<br />
CA by copying and pasting the appropriate text into the specified field.<br />
Private Key<br />
Select the Use this Private Key for SSL Certificate check box to use the supplied private key.<br />
Copy and paste the PEM encoded private key into the required field. Do not enable this option<br />
and leave the field blank if the certificate was generated by a request from this <strong>ePrism</strong> system.<br />
Generating a new self-signed certificate after you have installed a commercial certificate will<br />
overwrite the private key associated with the installed commercial certificate, making it invalid.<br />
Intermediate Certificate<br />
Some commercial certificates require you to upload an intermediate certificate in addition to the<br />
commercial certificate and the private key. Enter this information into the Intermediate<br />
Certificate section.<br />
CHAPTER 6<br />
Message Content Scanning<br />
This chapter describes how to configure the Attachment and Content scanning features of<br />
your <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>, and contains the following topics:<br />
• “Content Scanning Overview” on page 102<br />
• “Attachment Control” on page 103<br />
• “Attachment Content Scanning” on page 106<br />
• “Objectionable Content Filter” on page 110<br />
• “Pattern Based Message Filtering (PBMF)” on page 112<br />
• “Malformed Mail” on page 121<br />
• “Dictionaries” on page 123<br />
• “Message Archiving” on page 125<br />
Content Scanning Overview<br />
<strong>ePrism</strong>’s extensive content management capabilities allow administrators to scan email<br />
messages and attachments to ensure that inappropriate or offensive material and sensitive<br />
documents are prevented from being transmitted inbound or outbound.<br />
<strong>ePrism</strong>’s advanced attachment content scanning performs deep scanning of email attachments,<br />
such as PDF and document files, for patterns of text and phrases defined in a phrase file.<br />
These content filtering and scanning features can also be used by the policy engine to allow<br />
organizations to create different content scanning policies for different sets of domains, groups,<br />
and users.<br />
Select Mail Delivery ➝ Content Management on the menu to configure the content control<br />
and scanning features.<br />
• Inbound Attachment Control — Filters inbound messages based on the type of<br />
attachment.<br />
• Outbound Attachment Control — Filters outbound messages based on the type of<br />
attachment.<br />
• Attachment Content Scanning — Performs deep content scanning on an attachment and<br />
filters the message based on a list of key words.<br />
Note: The advanced content scanning feature is a licensed feature.<br />
• Objectionable Content Filtering (OCF) — The Objectionable Content Filter defines a list of<br />
key words that will cause a message to be blocked if any of those words appear in the<br />
message.<br />
• Pattern Based Message Filtering (PBMF) — Reject or accept mail based on matches in<br />
the message envelope, header, and body.<br />
• Malformed Mail — Scans for malformed messages in incoming mail to protect against<br />
Denial of Service (DoS) attacks.<br />
Attachment Control<br />
Attachment filtering can be used to control a wide range of problems originating from both<br />
inbound and outbound attachments, including the following:<br />
• Viruses — Attachments carrying viruses can be blocked.<br />
• Offensive Content — Blocking image attachments reduces the possibility that an offensive<br />
picture will be transmitted to or from your company mail system.<br />
• Confidentiality — Prevents unauthorized documents from being transmitted through the<br />
<strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>.<br />
• Loss of Productivity — Prevents your systems from being abused by employees.<br />
Configuring Attachment Control<br />
Select Mail Delivery ➝ Content Management ➝ Attachment Control to configure<br />
attachment filtering for inbound and outbound messages.<br />
• Default action — This value sets the default action for attachment control for items not<br />
specifically listed in the Attachment Types list. The default is Pass, which allows all<br />
attachments. Any file types defined in the Attachment Types list will override the default<br />
setting.<br />
• Attachment Control — Enable the feature for inbound and outbound mail.<br />
• Attachment Types — Click Edit to configure the controls for each type of attachment.<br />
• Action — Select an action to perform. Options include:<br />
• Just log: Log the event and take no further action.<br />
• Reject mail: The message is rejected with notification to the sending system.<br />
• Quarantine mail: The message is placed into the administrative quarantine area.<br />
• Discard mail: The message is discarded without notification to the sending system.<br />
• Notification — Notifications for inbound and outbound messages can be enabled for all<br />
recipients, the sender, and the administrator. Administrators can customize the content for<br />
the Inbound and Outbound notification.<br />
Editing Attachment Types<br />
Click the Edit button to edit your attachment types. You can add file extensions (.mp3), or<br />
MIME content types (image/png). For each attachment type, choose whether you want to<br />
BLOCK or Pass the attachment.<br />
Select the Scan check box to perform content scanning for attachments with the specified<br />
extension.<br />
Click the Add Extension button to add a file extension or MIME type to the list.<br />
• Extension — Enter a specific attachment type extension or MIME type, such as ".mp3" or<br />
"image/png".<br />
• Scan — Select this option to perform content scanning for attachments with the specified<br />
extension.<br />
The system can scan files within an archive file (such as .zip) for forbidden attachments.<br />
The attachment will still be checked for viruses (if anti-virus scanning is enabled) even if the<br />
Scan option is deselected.<br />
If an archive file, such as .zip, contains a file type that is blocked, the archive file will be<br />
blocked, even if the archive type itself is set to Pass. Disable the Scan option if you do not want<br />
the content of the archive file to be examined.<br />
Anti-Virus scanning must be enabled to allow archive files to be decompressed and checked for<br />
forbidden attachments.<br />
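The Attachment Types decision described above, including the look inside a .zip when Scan is set, as an added Python example (not ePrism's own code). The rule table, the Pass default and the constructed sample messages are assumptions; the decompression that the appliance ties to anti-virus scanning is done here with the standard zipfile module.<br />

```python
# Added example (not ePrism's own code): the attachment-type decision, with
# archive members checked when Scan is enabled for the archive type. The rule
# table and the constructed sample messages are assumptions.
import io
import zipfile
from email.message import EmailMessage

# Attachment Types list: key -> (action, scan_inside). A key is a file
# extension or a MIME content type, as in the guide.
ATTACHMENT_TYPES = {
    ".exe": ("BLOCK", False),
    ".scr": ("BLOCK", False),
    ".mp3": ("BLOCK", False),
    "image/png": ("BLOCK", False),
    ".zip": ("Pass", True),     # pass the archive itself, but scan its contents
}
DEFAULT_ACTION = "Pass"


def extension_of(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def lookup(filename, mime_type):
    """Extension entries and MIME entries both count; the extension is tried first."""
    for key in (extension_of(filename), mime_type.lower()):
        if key in ATTACHMENT_TYPES:
            return ATTACHMENT_TYPES[key]
    return DEFAULT_ACTION, False


def blocked_names_in_zip(data):
    """Names inside a zip whose own type is BLOCK. Members are judged by name;
    nested archives are not recursed into in this example."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if lookup(n, "")[0] == "BLOCK"]
    except zipfile.BadZipFile:
        return []      # cannot be inspected here; judged by its own type only


def check_attachments(msg):
    """Return (verdict, details). The verdict is "BLOCK" if any attachment is
    blocked by its own type or contains a blocked file inside a scanned
    archive, otherwise "Pass"."""
    details = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        action, scan = lookup(name, part.get_content_type())
        if action == "BLOCK":
            details.append((name, "blocked by type"))
            continue
        if scan and extension_of(name) == ".zip":
            inner = blocked_names_in_zip(part.get_payload(decode=True))
            if inner:
                details.append((name, "archive contains " + ", ".join(inner)))
    return ("BLOCK" if details else "Pass"), details


def zip_bytes(*members):
    """Constructed zip archive containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"MZ\x90\x00")
    return buf.getvalue()


def build_sample(*attachments):
    """Constructed message carrying (filename, maintype, subtype, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "a@example.net"
    msg["To"] = "b@example.com"
    msg["Subject"] = "files"
    msg.set_content("see attachment")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


if __name__ == "__main__":
    print(check_attachments(build_sample(("files.zip", "application", "zip",
                                          zip_bytes("setup.exe")))))
    print(check_attachments(build_sample(("pic.png", "image", "png", b"\x89PNG"))))
```

The archive case is the one to test on a real deployment: a .zip set to Pass with Scan enabled is still blocked when it wraps a .exe, while the same archive with Scan disabled passes on its own type alone.<br />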
Attachment Content Scanning<br />
<strong>ePrism</strong>’s Attachment Content Scanning feature performs deep scanning of attachments, such<br />
as PDF and Microsoft document files, for patterns of text and phrases. This allows organizations<br />
to use filter rules and policy settings to scan attachments for specific content that could be<br />
considered offensive, private and confidential, or against existing compliance rules.<br />
There are two methods for content scanning of message attachments:<br />
• Text and phrases are searched for in a document using a Pattern-Based Message Filter<br />
(PBMF) and an appropriate PBMF action performed if there is a match.<br />
• <strong>ePrism</strong> will search the extracted message text for words contained in uploaded compliance<br />
files defined via a policy and perform the configured action if there is a match.<br />
Attachment Content Scanning is a licensed feature and requires a license key to work after an initial<br />
30 day evaluation period.<br />
Unopenable Attachments<br />
The following cases of unopenable documents will result in an attachment being flagged as a<br />
compliance violation if the "Treat unopenable documents as compliancy violations" setting is<br />
enabled.<br />
• Files that are larger than 1 GB<br />
• File types that are not recognized by the scanner<br />
• Files that take longer than one minute to scan<br />
• Malformed or virus-infected attachments<br />
Configuring Attachment Content Scanning<br />
Select Mail Delivery ➝ Content Management ➝ Attachment Scanning to configure your<br />
attachment content scanning options.<br />
• Enable — Select the check box to enable attachment content scanning.<br />
• Treat unopenable documents as compliancy violations — Attachments that are<br />
protected by a password or encrypted may contain text that is a compliance violation.<br />
Enable this feature to treat unopenable documents as though they were not compliant.<br />
Files over 1 GB in size will not be scanned and are classified as non-compliant.<br />
• Phrase length — This field specifies the length of phrases used for pattern-matching<br />
checks. This number of words will be passed to the scanning engine to check if it matches<br />
any phrases in your compliance file.<br />
Long phrases will result in greater processing times. It is recommended that phrases be four words<br />
or less. The phrase length of the compliance dictionary selected for Attachment Content Scanning<br />
should not be greater than the phrase length selected in this field.<br />
• File Types — Select the types of files to be scanned:<br />
• All Supported Formats: Scans all file formats supported by the content scanner.<br />
• Common Document Formats: Scans only common word processing, spreadsheet,<br />
database, presentation, text, and archive formats.<br />
• Standard Document Formats: Scans the common document formats listed above plus<br />
less common formats such as graphics and desktop publishing files.<br />
• Punctuation treatment — Select how the scanning engine should treat punctuation.<br />
• Significant: The punctuation will be considered as part of the word or phrase it appears<br />
in.<br />
• Treat as space: The punctuation will be treated as a space. For example, the phrase<br />
"This, is classified" will be treated as "This is classified". This is the default setting.<br />
• Ignore: The punctuation will be completely ignored.<br />
• Case sensitivity — Select whether the scanning engine treats letter case as significant. If<br />
Sensitive is chosen, capitalization is taken into account. For example, the word<br />
"Classified" must appear in the phrase compliance file with the capitalized first letter to match.<br />
• Notifications — Notifications for inbound and outbound messages can be enabled for all<br />
recipients, the sender, and the administrator. Enter the content for the notification<br />
message.<br />
See “Customizing Notification and Annotation Messages” on page 371 for information on<br />
variables such as %SENDER% and %RECIPIENT%.<br />
The compliance status of messages can be searched in the mail history database via Status/<br />
Reporting ➝ Reporting ➝ Mail History ➝ Advanced on the menu.<br />
Using Pattern Based Message Filters for Attachment Scanning<br />
One of the methods that can be used to search for compliance text within a file is to create a<br />
Pattern Based Message Filter (PBMF).<br />
Create a pattern filter as follows:<br />
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) to define a filter<br />
for attachment scanning.<br />
2. Click Add.<br />
3. In the Apply To field, select whether you want to check Inbound, Outbound, or All Mail.<br />
4. In the Message Part field, select Attachment Content.<br />
Selecting Attachment Content scans the entire email message, including the header, body, and<br />
any attachments, for matching content.<br />
5. In the Pattern field, enter a pattern to match against.<br />
6. Select the Action to perform on a message that contains the pattern text, such as Reject.<br />
7. Click Apply to add the filter.<br />
Attachment Scanning via Policy Compliancy File<br />
Attachment scanning can also be performed via Policies with a compliance file uploaded and<br />
enabled. The compliance file will contain a list of words and phrases that can be matched<br />
against text contained in scanned attachment files.<br />
In the specified policy, accessed via Mail Delivery ➝ Policy, enable Attachment Scanning, and<br />
select the corresponding phrase file to be used with that policy.<br />
Custom phrase files are uploaded via Mail Delivery ➝ Content Management ➝ Dictionaries.<br />
The phrase length of the compliance dictionary selected for Attachment Content Scanning should<br />
not be greater than the phrase length selected in the Attachment Content Scanning configuration.<br />
See “Dictionaries” on page 123 for more detailed information on uploading custom dictionary<br />
files.<br />
Objectionable Content Filter<br />
The Objectionable Content Filter defines a list of key words that will cause a message to be<br />
blocked if any of those words appear in the message. The Objectionable Content Filter provides<br />
enhanced content filtering functionality and flexibility, allowing users to restrict content of any<br />
form including objectionable words or phrases and offensive content.<br />
The predefined lists provided are configurable and can be updated and customized to meet the<br />
specific needs of any organization. Rules can also be applied to both inbound and outbound<br />
messages preventing unwanted content from entering an organization and prohibiting the<br />
release of sensitive content outside an organization.<br />
OCF can also detect words that a message disguises with common obfuscation techniques.<br />
For example, OCF will detect the word "spam" even if it is written as "sp@m" or "s_p_a_m",<br />
using the advanced token recognition component of <strong>ePrism</strong>’s Token Analysis feature.<br />
OCF words have a maximum length of 35 characters. OCF does not detect plurals of words, so<br />
both plural and singular word forms need to be defined in the dictionaries.<br />
Select Mail Delivery ➝ Content Management ➝ Objectionable Content on the menu to<br />
configure the objectionable content filter.<br />
• Enable OCF — Select the check box to enable OCF.<br />
• Logging — Set the type of logging to perform for OCF processing. This information will<br />
appear in the Mail Transport log.<br />
• No Logging — No OCF logging will be performed.<br />
• First match only — Log the first word that was matched by the filter.<br />
• All matches — Log all words that were matched by the filter.<br />
• Phrase Files — Select the phrase file to use with OCF. The Weak OCF phrase file<br />
contains a small list of common objectionable words and phrases; Moderate and Strong<br />
OCF contain larger lists of words and phrases that are considered offensive.<br />
Organizations can create their own OCF phrase files via the Mail Delivery ➝ Content<br />
Management ➝ Dictionaries feature. This may include words and phrases specific to an<br />
organization that need to be blocked.<br />
The OCF dictionaries contain content that is of a vulgar nature. The pre-defined dictionaries should<br />
be viewed with caution as they contain words and phrases that may be offensive.<br />
• Action — Set actions for both inbound and outbound messages. The following actions can<br />
be set:<br />
• Just log — Log the event and take no further action.<br />
• Reject mail — The message is rejected with notification to the sending system.<br />
• Quarantine mail — The message is placed into quarantine.<br />
• Discard mail — The message is discarded without notification to the sending system.<br />
• Encrypt — Redirects the message to the Encryption server specified in the Mail<br />
Delivery ➝ Encryption menu.<br />
• Decrypt — Redirects the message to the Decryption server specified in the Mail<br />
Delivery ➝ Encryption menu.<br />
Notifications<br />
Notifications for inbound and outbound messages can be enabled for all recipients, the sender,<br />
and the administrator. The content for the Inbound and Outbound notification can be<br />
customized.<br />
See “Customizing Notification and Annotation Messages” on page 371 for a full list of system<br />
variables that can be used in the notification.<br />
Pattern Based Message Filtering (PBMF)<br />
Pattern Based Message Filtering is the primary tool for creating filter rules on the <strong>ePrism</strong>.<br />
PBMFs are used for:<br />
• Trusting and blocking messages containing certain text or characteristics<br />
• Creating content filter rules for managing email messages.<br />
An administrator can create filter rules for any aspect of an email message, including the<br />
message header, sender, recipient, subject, attachment content, and message body text. For<br />
example, a simple text filter can check messages for the word "FREE" in the subject. Such<br />
rules are useful for compensating for weaknesses in the other spam filters.<br />
Use Specific Access Patterns, rather than PBMFs, to trust specific servers so that they bypass<br />
BSN, DNSBL, and other connection checks: a PBMF trust or bypass action may also skip or<br />
interfere with content filters such as Content Scanning and OCF that run later in<br />
<strong>ePrism</strong>’s processing order.<br />
<strong>Email</strong> Message Structure<br />
The parts of a typical mail message, using as an example a message delivered via<br />
"mail.example.com" to "server.example.com", are described below.<br />
Message Envelope<br />
The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, is not<br />
visible to the user. It is the "handshake" part of the SMTP protocol: you will need to look for<br />
these values in the transport logs or have other knowledge of them.<br />
Message Header<br />
The message header includes the following fields:<br />
• Received (topmost) — Indicates the final hop the message followed to reach its<br />
destination. In the example, it arrived from "mail.example.com", which delivered it to<br />
"server.example.com" to be put in the mailbox of "user@server.example.com".<br />
• Received (middle) — Indicates a previous "hop" that the message followed. In this case, the<br />
message came via "mail.example.com", which accepted the message addressed to<br />
"user@example.com".<br />
• Delivered-To — The user to be delivered to, in this case "user@example.com".<br />
• Received (bottom) — This marks the origin of the message. Note that it is not necessarily<br />
the same as the actual system that originated the message, since a sender can insert forged<br />
Received lines of its own before handing the message over.<br />
• Subject — A free-form field displayed by a typical mail client.<br />
• To — A free-form field displayed by a typical mail client. It may differ from the destination<br />
address in the Received headers or from the actual recipient (RCPT TO).<br />
• From — A free-form field displayed by a typical mail client. It may differ from the envelope<br />
sender (MAIL FROM) and is typically faked by spammers.<br />
• Message-ID — Added by the sending mail system and often faked by spammers.<br />
Other header fields include Reply-to, Sender and so on. These fields can be forged by<br />
spammers because they do not affect how the mail is delivered.<br />
Message Body<br />
Following the header is the text or content of the message. This content can be formatted or<br />
encoded in many different ways, but in this example, it is displayed as plain text.<br />
Message Attachment<br />
Many emails contain attachments to the main message. <strong>ePrism</strong> has the ability to decode<br />
attachments to match text found within an attachment using a filter rule.<br />
Default Pattern Based Message Filters<br />
Several default Pattern Based Message Filters (PBMF) have been preconfigured to ensure that<br />
mail is not trained in the following situations:<br />
• Outbound Mail To: Contains "@stbernard.com"<br />
• All Mail Subject: Contains "[SPAM]"<br />
• All Mail Subject: Contains "[MAYBE SPAM]"<br />
• All Mail Subject: Contains "Spam summary for"<br />
• All Mail Subject: Contains "Delayed Mail"<br />
• All Mail Subject: Contains "Delivery Status Notification"<br />
• All Mail Subject: Contains "Delivery Failure Notification"<br />
• All Mail Subject: Contains "Undelivered Mail Returned to Sender"<br />
• All Mail Subject: Contains "AutoReply"<br />
• All Mail Subject: Contains "Returned Mail:"<br />
• All Mail From: Contains "postmaster@" + domain<br />
• All Mail From: Contains "MAILER-DAEMON@" + domain<br />
These rules keep the Token Analysis training database accurate by ensuring that forwarded<br />
spam messages, delivery notifications, automatic replies, and system messages are not<br />
trained on.<br />
Spam messages should never be forwarded within an organization, as this will likewise skew the<br />
Token Analysis training database.<br />
The default St. Bernard PBMF rules can be edited or removed by the administrator via Mail<br />
Delivery ➝ Content Management ➝ Pattern Filters (PBMF) on the menu. All St. Bernard<br />
rules can be deleted using the Remove Default PBMFs button in the PBMF edit view.<br />
Additional "postmaster" and "MAILER-DAEMON" PBMFs need to be created for organizations<br />
supporting multiple domains.<br />
Configuring Pattern Based Message Filtering<br />
Select Mail Delivery ➝ Content Management, and then select Pattern Filters (PBMF) on the<br />
menu.<br />
The pre-defined PBMF rules are provided as examples of how rules are created and can be<br />
deleted if not needed without any repercussions.<br />
Click the Add button to add a new pattern to the filter list.<br />
Select the direction of mail for the PBMF rule in the Apply To field, such as All Mail, Inbound,<br />
or Outbound, depending on your requirements.<br />
• All Mail — Mail destined for any domain.<br />
• Inbound mail — Any mail that is destined to a domain that the <strong>ePrism</strong> is configured to<br />
accept mail for. This will be any domain listed in the Mail Routing table in Mail Delivery ➝<br />
Routing ➝ Mail Routing.<br />
• Outbound mail — Mail destined for any domain that the <strong>ePrism</strong> is not configured to accept<br />
mail for (every domain other than those configured in Mail Routing).<br />
"Trusted" mail has no bearing on the Inbound/Outbound relationship.<br />
Select the Message Part you want to filter on. <strong>ePrism</strong> allows you to filter on the following<br />
parameters:<br />
Message Envelope Parameters<br />
These parameters will not be visible to the user. They are the "handshake" part of the SMTP<br />
protocol. You will need to look for these in the transport logs or have other knowledge of them.<br />
• — This parameter allows for a match on any part of the message<br />
envelope which includes the HELO, Client IP and Client Host.<br />
• HELO — This field is easily faked, and is not recommended for use in spam control. It may<br />
be useful in trusting a source of mail. Example: mail.example.com.<br />
• Client IP — This field will be accurately reported and may be reliably used for both blocking<br />
and trusting. It is the IP address of the system initiating the SMTP connection. Example:<br />
192.168.1.200.<br />
• Client Host — This field will be accurately reported and may be reliably used for both<br />
blocking and trusting. Example: mail.example.com.<br />
The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be<br />
visible if your client supports reading the message source. They can also be found in the<br />
transport logs. Other header fields may be visible as supported by the mail client.<br />
• Envelope Addr — This matches on either the Envelope To or Envelope From. These fields<br />
are easily faked, and are not recommended for use in spam control. They may be useful in<br />
trusting a source of mail. Example: fred@example.com.<br />
• Envelope To — This field is easily faked, and is not recommended for use in spam control.<br />
It may be useful in trusting a source of mail. Example: fred@example.com.<br />
• Envelope From — This field is easily faked, and is not recommended for use in spam<br />
control. It may be useful in trusting a source of mail. Example: fred@example.com.<br />
Message Header Parameters<br />
Spammers typically enter false information into these fields (except for the Subject field), so<br />
they are usually not useful in controlling spam. They may be useful in trusting certain users or<br />
legitimate sources of email.<br />
• — This parameter allows for a match on any part of the message header.<br />
• — This parameter matches the To: or CC: fields.<br />
• CC:<br />
• From:<br />
• Message-ID:<br />
• Received:<br />
• Reply-to:<br />
• Sender:<br />
• Subject:<br />
• To:<br />
There are other header fields that are commonly used, such as List-ID, as well as those added<br />
by local mail systems and clients. You must use Regular Expressions (described below) to<br />
specify these.<br />
Message Body Parameters<br />
• — This parameter allows for a match on any part of the encoded<br />
message body. This encoded content includes Base64, MIME, and HTML. Since messages<br />
are not decoded, a simple text match may not work. Use for text<br />
matching on the decoded content.<br />
• — This parameter allows for a match on the visible decoded message<br />
body.<br />
STA (Token Analysis) Token<br />
Token Analysis (STA) tokens can also be selected for pattern based message filters. This allows<br />
you to match common spam words that are hidden or disguised with fake or invisible HTML text<br />
and comments, which a normal pattern filter would not catch. For example, Token Analysis<br />
extracts the token "viagra" both from a word broken up by HTML comments and from text such<br />
as "v.i.a.g.r.a.".<br />
Attachment Scanning<br />
Pattern based message filters can be defined to match the content of an entire mail message,<br />
including attachments. This type of PBMF is used with the Attachment Content Scanning<br />
feature. See “Attachment Content Scanning” on page 106 for more information on scanning<br />
attachments.<br />
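To show how disguised words such as "sp@m", "s_p_a_m", "v.i.a.g.r.a." and a word broken up by HTML comments are reduced to a dictionary token (the OCF behaviour described earlier and the Token Analysis behaviour above), here is an added Python example. It is illustrative code written for this guide, not <strong>ePrism</strong>'s Token Analysis component; the word list, the symbol-to-letter table and the sample message body are assumptions constructed for the example.<br />

```python
import html
import re

# Constructed OCF-style word list (assumption; the appliance's Weak/Moderate/Strong
# dictionaries are not reproduced here).
OCF_WORDS = {"spam", "viagra"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)   # hidden HTML comments
TAG_RE = re.compile(r"<[^>]+>")                      # any remaining tag
# Symbol-for-letter substitutions such as "sp@m" or "v1agra".  The table is an
# assumption about what a token normalizer maps, not the appliance's own table;
# a symbol is only mapped when it sits next to a letter, so IP addresses and
# prices are left alone.
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "|": "l"}
LEET_RE = re.compile(r"(?<=[a-z])[@$0|13]|[@$0|13](?=[a-z])")
# Single letters joined by one separator each: "s_p_a_m", "v.i.a.g.r.a", "s-p-a-m"
SPLIT_WORD_RE = re.compile(r"\b[a-z](?:[._\-*][a-z])+\b")


def strip_html(text):
    """Remove comments and tags that can be used to break a word apart visually."""
    text = COMMENT_RE.sub("", text)
    text = TAG_RE.sub("", text)
    return html.unescape(text)


def extract_tokens(text):
    """Return the set of normalized word tokens found in a message body."""
    text = strip_html(text).lower()
    text = LEET_RE.sub(lambda m: LEET[m.group(0)], text)
    tokens = set(re.findall(r"[a-z]+", text))
    # Re-join letters that were split with separators and add the joined word.
    for m in SPLIT_WORD_RE.finditer(text):
        tokens.add(re.sub(r"[._\-*]", "", m.group(0)))
    return tokens


def ocf_matches(text, words=OCF_WORDS):
    """Return the dictionary words present in the text, disguised or not, sorted."""
    return sorted(extract_tokens(text) & set(words))


if __name__ == "__main__":
    # Constructed message body using the disguises described above.
    body = ('Buy <b>sp@m</b> and s_p_a_m today! Also v<!-- x -->i<span>a</span>gra '
            'and v.i.a.g.r.a. from 192.168.1.200')
    print(ocf_matches(body))   # ['spam', 'viagra']
```

The separator rule only joins runs of single letters, so ordinary hyphenated words are untouched, and the symbol table applies only next to letters, so the address 192.168.1.200 in the sample body yields no false token.<br />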
Match Option<br />
Matching looks for the specified text in each line. You can specify one of the following:<br />
• Contains — Looks for the text to be contained in a line or field. This allows for spaces or<br />
other characters that may make an exact match fail.<br />
• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so<br />
on, between the text and the non-printed end-of-line character.)<br />
• Matches — The entire line or field must match the text.<br />
• Starts with — Looks for the text at the start of the line or field (no characters between the<br />
text and the start of line.)<br />
• Reg Exp — Enter a regular expression to match the text.<br />
Pattern<br />
Enter a text pattern (case insensitive) to search for in the message.<br />
You may also use Regular Expressions which allow you to specify match rules in a more<br />
flexible and granular way. They are based on the standard POSIX specification for Regular<br />
Expressions.<br />
For example, to search for a "blank" message field, use the following regular expression:<br />
^subject:[[:blank:]]*$<br />
Although the Regular Expression feature is supported, St. Bernard cannot help with devising or<br />
debugging Regular Expressions because they have an infinite variety and can be very complex.<br />
Using Regular Expressions is not recommended unless you have advanced knowledge of their<br />
use.<br />
Priority<br />
Select a priority for the filter (High, Medium, Low). The entire message is read before making<br />
the decision. If a message matches multiple filters, the filter with the highest priority will be used.<br />
If more than one matched filter has the highest priority, the filter with the strongest action will be<br />
used, in order, from highest priority to lowest (Bypass, Reject, Discard, Quarantine, Certainly<br />
Spam, Archive, Redirect, Trust, Relay, Accept, Just log).<br />
Discard, Quarantine, and Redirect are actions available when creating a custom PBMF action in the<br />
PBMF preferences screen.<br />
If more than one matched rule has the highest priority and highest action, then the filter with the<br />
highest rule number will be used.<br />
Action<br />
When a rule has been triggered, the specified action is performed:<br />
• Bypass — Allow this message to bypass all Intercept anti-spam and Content Management<br />
(Attachment Control, Malformed Message and OCF) processing. This action will override<br />
other PBMF actions for the same priority.<br />
This action does not bypass Anti-Virus scanning.<br />
• Trust — This mail is considered trusted and from a legitimate source. This message will not<br />
be processed for spam.<br />
• Reject — Mail is received, then rejected before the close of an SMTP session. Message is<br />
trained for spam if "Train" is also selected.<br />
• Relay — Relay is enabled for this mail and the message is considered trusted for anti-spam<br />
scanning purposes. Message will be trained as legitimate mail if "Train" is also selected.<br />
• Accept — Mail is accepted and delivered as per normal operation. Message is trained as<br />
legitimate mail if "Train" is also selected.<br />
• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for<br />
"Certainly Spam" is applied.<br />
• Just Log — Take no action, but log the occurrence. "Just Log" can be used to override<br />
other lower priority PBMFs to test the effect of PBMFs without an action taking place.<br />
• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This<br />
option only appears if you have a BCC email address set up in the Preferences section.<br />
• Do Not Train — Do not use the message for Token Analysis training purposes.<br />
• Configurable Actions — There are several configurable actions that can be defined by the<br />
administrator by clicking the Preferences button. When defined, these actions will appear in<br />
this list.<br />
• Encrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝<br />
Encryption menu.<br />
• Decrypt — Redirects the message to the Decryption server specified in the Mail Delivery ➝<br />
Encryption menu.<br />
• Archive (High, Medium, Low) — Redirects the message to an archiving server specified in<br />
the Mail Delivery ➝ Archiving menu.<br />
The "Relay" or "Trust" action can only be used with an Envelope message part because attempted<br />
relays must be rejected immediately after the envelope transaction.<br />
Upload and Download of PBMF Rules<br />
You can create a list of PBMF rules and upload them together in one file. The file must contain<br />
comma- or tab-separated entries, one rule per line, in the form:<br />
[Section],[type],[pattern],[action],[sequence(priority)],[rulenumber],[direction],[Options]<br />
For example:<br />
to:,contains,friend@example.com,reject,medium,1,both,on<br />
The Options field is used for the "Do-Not-Train" option. The value can be "on" or blank. If the<br />
field is blank, a "Reject" action will be considered "Reject+Train".<br />
The file (pbmf.csv) should be created in csv file format using Excel, Notepad or other<br />
Windows text editor. It is recommended that you download the PBMF file first by clicking<br />
Download File, edit it as required, and upload it using the Upload File button.<br />
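The rule-file format above and the Priority and Action rules on the preceding pages can be exercised together. The Python below is an added example, not <strong>ePrism</strong>'s PBMF engine: it validates a pbmf.csv file field by field, then evaluates the rules against a message the way the guide describes (whole message read first, then highest priority, then strongest action, then highest rule number). The sample rule file and message are constructed; the spellings of match types and actions other than "contains" and "reject", matching on the header value rather than the whole header line, and Python's `re` syntax in place of POSIX regular expressions are assumptions.<br />

```python
import csv
import re
from email import message_from_string

# Action strength, strongest first, as listed under "Priority" above.
ACTION_ORDER = ["bypass", "reject", "discard", "quarantine", "certainly spam",
                "archive", "redirect", "trust", "relay", "accept", "just log"]
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}
MATCH_TYPES = ("contains", "ends with", "matches", "starts with", "regexp")


def load_pbmf_rules(text):
    """Parse pbmf.csv content (comma- or tab-separated, one rule per line) into
    rule dicts.  A malformed line raises ValueError so a bad file is caught
    before upload.  A pattern containing the separator must be quoted."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        sep = "\t" if "\t" in raw else ","
        fields = [f.strip() for f in next(csv.reader([raw], delimiter=sep))]
        if len(fields) != 8:
            raise ValueError("line %d: expected 8 fields, got %d" % (lineno, len(fields)))
        section, mtype, pattern, action, priority, rulenum, direction, options = fields
        mtype = mtype.lower().replace("_", " ")
        action, priority, direction = action.lower(), priority.lower(), direction.lower()
        if mtype not in MATCH_TYPES:
            raise ValueError("line %d: unknown match type %r" % (lineno, mtype))
        if action not in ACTION_ORDER:
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        if priority not in PRIORITY_ORDER:
            raise ValueError("line %d: unknown priority %r" % (lineno, priority))
        if direction not in ("inbound", "outbound", "both"):
            raise ValueError("line %d: unknown direction %r" % (lineno, direction))
        if mtype == "regexp":
            re.compile(pattern)  # reject a broken expression now, not at filter time
        rules.append({"section": section.lower(), "type": mtype, "pattern": pattern,
                      "action": action, "priority": priority, "rule": int(rulenum),
                      "direction": direction,
                      # blank Options means a Reject is treated as Reject+Train
                      "do_not_train": options.lower() == "on"})
    return rules


def field_matches(value, mtype, pattern):
    """Apply one Match Option to a header value; text matches are case insensitive."""
    v, p = value.lower(), pattern.lower()
    if mtype == "contains":
        return p in v
    if mtype == "starts with":
        return v.startswith(p)
    if mtype == "ends with":
        return v.endswith(p)
    if mtype == "matches":
        return v == p
    return re.search(pattern, value, re.IGNORECASE) is not None


def evaluate_pbmf(rules, raw_message, direction):
    """Read the whole message, then return the winning rule or None: highest
    priority first, then strongest action, then highest rule number."""
    msg = message_from_string(raw_message)
    matched = []
    for r in rules:
        if r["direction"] not in ("both", direction):
            continue
        values = msg.get_all(r["section"].rstrip(":"), [])
        if any(field_matches(v, r["type"], r["pattern"]) for v in values):
            matched.append(r)
    if not matched:
        return None
    return min(matched, key=lambda r: (PRIORITY_ORDER[r["priority"]],
                                       ACTION_ORDER.index(r["action"]), -r["rule"]))


# Constructed rule file in the upload format.  Only "contains" and "reject"
# appear in the guide's example line; the other type and action spellings
# are assumptions about the file's vocabulary.
SAMPLE_RULES = """\
to:,contains,friend@example.com,reject,medium,1,both,on
subject:,contains,[SPAM],just log,high,2,both,on
subject:,regexp,^\\s*$,discard,high,3,inbound,
from:,ends with,@partner.example.net,accept,low,4,inbound,on
to:,contains,example.com,quarantine,high,5,both,
"""

# Constructed inbound message.
SAMPLE_MESSAGE = """\
From: sales@partner.example.net
To: friend@example.com
Subject: [SPAM] cheap offers
Message-ID: <1234@mail.example.com>

Hello
"""

if __name__ == "__main__":
    winner = evaluate_pbmf(load_pbmf_rules(SAMPLE_RULES), SAMPLE_MESSAGE, "inbound")
    print(winner["rule"], winner["action"])  # 5 quarantine
```

On the sample message four rules match; the two high-priority ones tie on priority and the stronger action (Quarantine over Just log) wins, which is why the guide notes that Just Log only overrides lower-priority filters. Replacing the subject with an empty one makes the regexp rule fire, and Discard then beats Quarantine at the same priority.<br />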
PBMF Preferences<br />
Select the Preferences button to define configurable PBMF actions and customize<br />
notifications.<br />
PBMF BCC Action<br />
This is used in conjunction with the BCC PBMF action to define an email address to send a<br />
blind carbon copy of the message to.<br />
PBMF Action<br />
Administrators can define up to six customized actions that can be used for PBMF filters. When<br />
an action has been defined and activated, it will appear in the list of actions when creating a<br />
PBMF rule.<br />
• Active — Select the check box to activate this action.<br />
• Action Name — Enter a descriptive name for this customized action.<br />
• Action — The action can be one of the following:<br />
• Reject: The mail will not be accepted and the connecting mail server is forced to return it.<br />
• Discard: The mail will be dropped with no notification.<br />
• Quarantine: The mail will be put into the administrative quarantine area. The quarantine<br />
can be accessed via Status/Reporting ➝ Quarantine on the menu.<br />
• Certainly Spam: Mail is received, trained as spam, and then the Intercept action for<br />
"Certainly Spam" is applied.<br />
• Redirect to: The message will be delivered to the mail address specified in the Action<br />
Data field.<br />
• Accept: Mail is accepted and delivered as per normal operation.<br />
• BCC: The message will be copied to the mail address specified in the Action Data field.<br />
• Do Not Train: Select the check box to ensure that when this action is triggered, the<br />
message will not be trained for spam.<br />
• Action data — For the "Redirect To" action, send the message to a mailbox such as<br />
"spam@example.com". You can also specify a domain such as "spam.example.com".<br />
For BCC, enter an email address to send a blind carbon copy of the message to.<br />
• Notification — Notifications can be enabled for all recipients, the sender, and the<br />
administrator. The content of the notification message can be customized.<br />
Malformed Mail<br />
Many viruses try to elude virus scanners by concealing themselves in malformed messages: the<br />
scan engine cannot detect the attachment and passes the complete message through to an<br />
internal server, and some mail clients then try to rebuild the malformed message and may<br />
reconstruct or activate a virus-infected attachment. Other types of malformed messages are<br />
designed to attack mail servers directly; most often these are used in denial-of-service (DoS)<br />
attacks.<br />
<strong>ePrism</strong> analyzes each message with extensive integrity checks. Malformed messages are<br />
quarantined if they cannot be processed.<br />
Select Mail Delivery ➝ Content Management ➝ Malformed Mail on the menu to enable and<br />
configure malformed email scanning.<br />
• Enable malformed scanning — Select this option to enable scanning for malformed<br />
emails.<br />
• Enable NULL Character Detect — Select this option to enable null character detection.<br />
Any messages containing null characters (a byte value of 0) in the raw mail body will be<br />
considered a malformed message.<br />
The null character detection feature may cause incompatibility with certain mail servers and it is<br />
recommended that this feature be disabled if issues occur.<br />
• Action — Select an action to be performed. Options include:<br />
• Just log: Log the event and take no further action.<br />
• Reject mail: The message is rejected with notification to the sending system.<br />
• Quarantine mail: The message is placed into the administrative quarantine area.<br />
• Discard mail: The message is discarded without notification to the sending system.<br />
• Notifications — Notifications for inbound and outbound messages can be enabled for all<br />
recipients, the sender, and the administrator. Enter the content for the notification message.<br />
See “Customizing Notification and Annotation Messages” on page 371 for information on<br />
variables such as %SENDER% and %RECIPIENT%.<br />
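A minimal version of the NULL character check above, as an added Python example (not <strong>ePrism</strong>'s own integrity checks, which the guide does not enumerate): it flags any 0x00 byte in the raw message, lets the check be switched off as the caveat above recommends, and adds two further integrity checks (missing header/body separator, unterminated multipart) that are assumptions about what such a scan looks for. The sample messages are constructed.<br />

```python
import re

# Boundary parameter of a multipart Content-Type header, quoted or not.
BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


def check_malformed(raw, null_detect=True):
    """Return a list of integrity problems found in a raw message (bytes).

    NUL detection follows the Enable NULL Character Detect option: any 0x00
    byte in the raw mail marks the message malformed, and null_detect=False
    turns it off when a peer's mail trips it.  The other two checks (missing
    header/body separator, multipart whose closing boundary never appears)
    are assumptions about the kind of integrity check a gateway performs.
    """
    problems = []
    if null_detect and b"\x00" in raw:
        problems.append("NUL byte at offset %d" % raw.index(b"\x00"))
    if b"\r\n\r\n" not in raw and b"\n\n" not in raw:
        problems.append("no blank line separating header and body")
    m = BOUNDARY_RE.search(raw)
    if m and b"\n--" + m.group(1) + b"--" not in raw:
        problems.append("multipart closing boundary missing")
    return problems


# Constructed messages: a well-formed multipart message and two broken copies.
GOOD = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: report\r\n"
        b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
        b"--XYZ\r\nContent-Type: text/plain\r\n\r\nhello\r\n--XYZ--\r\n")
WITH_NUL = GOOD.replace(b"hello", b"hel\x00lo")
UNTERMINATED = GOOD.replace(b"--XYZ--\r\n", b"")

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("nul", WITH_NUL), ("unterminated", UNTERMINATED)):
        print(name, check_malformed(msg))
```

A message that fails any check would then receive the configured Action (Just log, Reject, Quarantine, or Discard); with null_detect=False the NUL-bearing sample passes, which is the trade-off the caveat above describes.<br />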
Dictionaries<br />
The Dictionaries feature contains default and custom word and phrase dictionaries that can be<br />
used with Objectionable Content Filtering, Spam Dictionaries, and compliancy-based<br />
Attachment Content Scanning.<br />
Each file is a simple word or phrase text file (Unix format) with one word or phrase per line,<br />
such as:<br />
Compliance<br />
Classified<br />
Top Secret<br />
The maximum word length is 35 characters. Both plural and singular word forms need to be defined<br />
in the dictionaries. In Policies, the phrase length of the compliance dictionary selected should not<br />
be greater than the phrase length configured in the content scanning configuration.<br />
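Before uploading a dictionary it is worth checking it against the format described above. The Python below is an added example, not part of <strong>ePrism</strong>: it normalizes a file to Unix line endings, warns about over-length words, phrases longer than a configured phrase length, and duplicate lines, and writes the cleaned list back in upload format. The sample file is constructed.<br />

```python
MAX_WORD_LEN = 35


def validate_dictionary(data, max_phrase_len=None):
    """Check a dictionary file (bytes) before upload.

    Returns (entries, warnings): the cleaned, de-duplicated entries and the
    problems found.  Checks follow the format above: one word or phrase per
    line, Unix line endings, words no longer than 35 characters, and (when
    max_phrase_len is given) no phrase longer than the configured phrase length.
    """
    warnings = []
    if b"\r" in data:
        warnings.append("file uses CR or CR/LF line endings; save it in Unix format")
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n").replace("\r", "\n")
    entries, seen = [], set()
    for lineno, line in enumerate(text.split("\n"), 1):
        entry = " ".join(line.split())           # trim and collapse whitespace
        if not entry:
            continue                             # blank lines are ignored
        words = entry.split()
        for w in words:
            if len(w) > MAX_WORD_LEN:
                warnings.append("line %d: word %r exceeds %d characters" % (lineno, w, MAX_WORD_LEN))
        if max_phrase_len is not None and len(words) > max_phrase_len:
            warnings.append("line %d: phrase has %d words, limit is %d"
                            % (lineno, len(words), max_phrase_len))
        if entry in seen:
            warnings.append("line %d: duplicate entry %r" % (lineno, entry))
            continue
        seen.add(entry)
        entries.append(entry)
    return entries, warnings


def to_unix_dictionary(entries):
    """Serialize entries in the upload format: one per line, LF terminated."""
    return "".join(e + "\n" for e in entries).encode("utf-8")


# Constructed dictionary file saved by a Windows editor (CR/LF), with a
# duplicate, a four-word phrase and an over-long word.
SAMPLE_FILE = (b"Compliance\r\nClassified\r\nTop Secret\r\nClassified\r\n\r\n"
               b"Project Aurora Phase Two\r\n" + b"a" * 36 + b"\r\n")

if __name__ == "__main__":
    entries, warnings = validate_dictionary(SAMPLE_FILE, max_phrase_len=3)
    for w in warnings:
        print("warning:", w)
    print(to_unix_dictionary(entries).decode())
```

The validator only warns; whether to shorten a phrase or raise the configured phrase length is the administrator's call, and a phrase that exceeds the configured length is simply never matched.<br />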
For example, to define a new dictionary to be used for policy compliance:<br />
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.<br />
2. Click Add to add a new dictionary file.<br />
3. Click Browse to select the file to be uploaded. Click Continue.<br />
The file information screen displays the initial contents of the file.<br />
Choose the name of the file, and select the type of file you are uploading. This will indicate<br />
which feature to use with this file.<br />
• Any — This file can be used for any feature<br />
• Compliancy — This file can be used for compliance policy attachment scanning.<br />
• OCF — This file can be used with Objectionable Content Filtering.<br />
• Spam — This file can be used with the Spam Dictionaries Intercept Anti-Spam feature.<br />
Click Continue to finish uploading the file.<br />
The new dictionary will now appear in the list and can be selected when using a dictionary-based<br />
feature such as policy compliance.<br />
Message Archiving<br />
<strong>ePrism</strong> offers message archiving support allowing organizations to define additional mail<br />
handling controls for inbound and outbound mail. These features are especially important for<br />
organizations that must archive certain types of mail for regulatory compliance or other<br />
corporate security policies. <strong>ePrism</strong> allows mail to be categorized and selectively archived for<br />
different levels of importance. By providing the ability to classify and archive messages at<br />
different levels, mail of high importance or compliance classification can be archived while<br />
allowing different actions for mail of lower importance. These features also prevent the waste of<br />
unnecessary resources by ignoring spam messages and other types of unwanted mail when<br />
archiving messages.<br />
<strong>ePrism</strong> can integrate with third-party archiving servers and archive email messages by creating<br />
pattern filters to classify messages and route them to the appropriate archiving server or an<br />
archive email address, while still delivering the email to its original recipients. Mail headers<br />
added to an archived message by <strong>ePrism</strong> allow administrators to customize their archiving<br />
services for efficient retrieval of archived messages.<br />
Mail archiving can be used with Pattern Based Message Filters, the Objectionable Content<br />
Filter, and Attachment Content scanning, including the use of these features via Policies. When<br />
a message is received by <strong>ePrism</strong>, these features will search for text within a message and its<br />
attachments. When this text is found, an action can be taken classifying the message for<br />
archiving into one of three categories, "Archive High", "Archive Medium", and "Archive Low".<br />
The Archiving feature then applies the archiving action for each category. For example,<br />
messages categorized as "Archive High" can have an action of "Archive copy to", with the<br />
action data identifying the archiving email address or mail route to archive mail to.<br />
Configuring Message Archiving on <strong>ePrism</strong><br />
The <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> can be configured to integrate with third party archiving<br />
servers to archive messages using the following steps:<br />
1. Define an archive email address or a mail route to the archiving server<br />
2. Create Content Management filters to identify messages to be archived<br />
Select Mail Delivery ➝ Archiving on the menu to configure global archiving settings.<br />
Configuration fields for three classifications of archiving will appear for High, Medium, and Low<br />
Importance archiving actions:<br />
• Active — Select the check box to activate this archiving action.<br />
• Action Name — Select a name to be displayed as the archiving action for the PBMF, OCF,<br />
and Attachment Scanning features.<br />
• Action — Select the "Archive copy to" action to send the message to an archive server.<br />
• Action data — The action data can contain either an email address or the name of the mail<br />
route for the destination archiving server.<br />
For archiving to an email address, enter an address such as "archive@example.com".<br />
This will be a mailbox that will contain all archived messages. Your archiving server can then<br />
pull the archived messages from this mailbox.<br />
Mail routes can also be defined in this field to route mail to the archiving server. The action<br />
data will contain the name of the route for each classification, such as<br />
"archive_high_reroute", "archive_medium_reroute", or "archive_low_reroute".<br />
A corresponding mail route will need to be created on <strong>ePrism</strong> via Mail Delivery ➝ Routing<br />
➝ Mail Routing. See the following section, “Defining Mail Routes for Archiving” on<br />
page 127, for more information on creating mail routes. Mail routes are not required if<br />
archiving to an email address.<br />
• Add header — Select the check box to add an archive header to the message when it is<br />
sent to the destination archive server. This allows the archiving server to store that message<br />
according to its classification in the header and allow for more efficient retrieval of the<br />
message in the future.<br />
• Header data — Enter the mail header data that will be added to the message header, such<br />
as "X-Archive: high".<br />
• Notification — Select optional notifications to the Recipients, Sender, or Administrator<br />
when a message has been archived.<br />
Defining Mail Routes for Archiving<br />
When using the mail routing method for archiving messages, mail routes to the archiving server<br />
must be defined so that <strong>ePrism</strong> knows where to send messages for each archiving<br />
classification.<br />
For each archiving classification, a corresponding mail route must be created:<br />
• "archive_high_reroute" ➝ .archive_high_reroute<br />
• "archive_medium_reroute" ➝ .archive_medium_reroute<br />
• "archive_low_reroute" ➝ .archive_low_reroute<br />
Select Mail Delivery ➝ Routing ➝ Mail Routing to define mail routes.<br />
Enter the domain, such as ".archive_high_reroute", and enter the destination address of<br />
the archiving server and click Add.<br />
Mail routes are not required if archiving to an email address.<br />
Configuring Content Management Filters for Archiving<br />
To classify messages for archiving, <strong>ePrism</strong>’s content management features, such as PBMF,<br />
OCF, and Attachment Scanning, must be configured to search for text in a message or its<br />
attachment. The corresponding action will be the archive classification, such as "Archive High".<br />
Configuring Pattern Filters (PBMF) for use with Archiving<br />
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF).<br />
2. Click the Add button.<br />
3. Create a pattern filter looking for the required specific text. In this example, we are<br />
searching for an inbound message subject that starts with the word "Compliancy".<br />
4. Set the Action to the appropriate archive action, such as "Archive High".<br />
5. Click the Apply button to add the pattern filter.<br />
Configuring OCF for Archiving<br />
The Objectionable Content Filter can also be used for classifying and archiving messages.<br />
Custom dictionaries can be created for content specific to your organization. When the OCF<br />
feature finds a word from these dictionaries, an archive action can be applied.<br />
1. Select Mail Delivery ➝ Content Management ➝ Objectionable Content.<br />
2. Enable the OCF feature, and select your customized phrase file, such as "Archive" in this<br />
example.<br />
3. Set the Action to the appropriate archive action for this phrase file, such as "Archive Low".<br />
Configuring Policies for Archiving<br />
The Archiving feature can also be used by the Policy engine to provide customization when<br />
applying archiving actions to different domains or groups of users. When creating a policy, the<br />
Attachment Scanning feature provides actions for archiving when certain text is found in an<br />
attachment.<br />
The Attachment Scanning feature requires a phrase file to match attachment content against<br />
and a corresponding archiving action to perform.<br />
To configure a policy definition:<br />
1. Ensure Attachment Scanning is enabled globally via Mail Delivery ➝ Content<br />
Management ➝ Attachment Scanning.<br />
2. Select Mail Delivery ➝ Policy ➝ Policy Definition in the menu to define a policy.<br />
3. Select the Enable check box to enable Attachment Scanning for this policy.<br />
4. Select the Compliancy file to be used for matching text, such as "Archive" in this example.<br />
5. Set the Action to the appropriate archive action for this phrase file, such as "Archive<br />
Medium".<br />
Customizing Archive Headers using Policies<br />
For each Policy definition, the archive header can be customized for each archiving<br />
classification if it needs to be changed from the default settings.<br />
CHAPTER 7<br />
Intercept Anti-Spam<br />
This chapter describes how to configure the Intercept Anti-Spam features of the <strong>ePrism</strong> <strong>Email</strong><br />
<strong>Security</strong> <strong>Appliance</strong> and contains the following topics:<br />
• “Intercept Anti-Spam Feature Overview” on page 132<br />
• “Trusted and Untrusted Mail Sources” on page 134<br />
• “Configuring Intercept Anti-Spam” on page 136<br />
• “Intercept Components” on page 139<br />
• “Intercept Advanced Features” on page 177<br />
• “Trusted and Blocked Senders” on page 181<br />
• “Spam Quarantine” on page 187<br />
Intercept Anti-Spam Feature Overview<br />
<strong>ePrism</strong>’s Intercept Anti-Spam features build on its extensive mail control features and<br />
take a layered approach in which each anti-spam feature, when enabled, contributes to the final<br />
spam score of a message. Combining the information from all enabled Anti-Spam features gives a<br />
more informed decision on whether the message is spam or legitimate mail.<br />
Thresholds can be set to take appropriate action on a message based on its score and<br />
classification, such as Certainly Spam, Probably Spam, and Maybe Spam. A different action can<br />
be set for each threshold, such as "Redirect" to a spam quarantine for messages that are<br />
classified as Certainly Spam, or "Modify Subject Header" for messages that are classified as<br />
Maybe Spam.<br />
Administrators can use the advanced Intercept options to provide more granular control over<br />
each anti-spam Intercept component for their environment, however, the default Intercept<br />
configuration has been engineered to provide maximum protection against spam without<br />
additional configuration.<br />
<strong>ePrism</strong>’s Intercept Anti-Spam engine includes the following components:<br />
• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the<br />
client address or header parameters such as HELO or Envelope-From and Envelope-To.<br />
• Pattern Based Message Filtering (PBMF) — Filter messages based upon matches in any<br />
aspect of a mail message, including the envelope, header, body and any attachments.<br />
• Spam Dictionaries — Filters messages based on a dictionary of typical spam words and<br />
phrases that are matched against the message.<br />
• Mail Anomalies — Checks various aspects of the incoming message for issues such as<br />
unauthorized SMTP pipelining, missing headers, and mismatched identification fields.<br />
Checks for recent spam and viruses from a specific IP address can also be enabled which is<br />
used in conjunction with the Threat Prevention feature.<br />
• BorderWare <strong>Security</strong> Network (BSN) — The BSN helps to identify spam by reporting a<br />
collection of metrics about the sender of a mail message, including their overall reputation,<br />
whether the sender is a dial-up, and whether the sender appears to be virus-infected, based<br />
on information collected from <strong>ePrism</strong> systems and DNS Block Lists worldwide. This<br />
information can be used by the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> to reject the message, or<br />
used as part of the overall anti-spam decision.<br />
• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor<br />
reputation. Messages can also be rejected immediately regardless of the results of other<br />
Anti-Spam processing if the client is listed on a DNSBL. A configurable threshold allows<br />
administrators to specify how many DNSBLs must trigger to consider the sender as<br />
unreliable.<br />
• URL Block List — URL Block Lists contain a list of domains and IP addresses of URLs that<br />
have appeared previously in spam messages. This feature is used to determine if the<br />
message is spam by examining any URLs contained in the body of a message to see if they<br />
appear on a block list.<br />
• Bulk Analysis — Detects bulk mail spam by checking to see if the message was sent to a<br />
large numbers of users.<br />
• Token Analysis — Detects spam based on advanced content analysis using databases of<br />
known spam and valid mail.<br />
• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS<br />
records to identify and validate the source of a message to determine whether a message<br />
was spoofed.<br />
• DomainKeys Authentication — Performs a check of a sending host’s DomainKeys DNS<br />
records to identify and validate the source of a message to determine whether a message<br />
was spoofed.<br />
<strong>User</strong>-Based Options<br />
Other anti-spam options can be enabled to allow end users to create a list of Trusted and<br />
Blocked Senders, and also manage their own spam quarantine area:<br />
• Trusted and Blocked Senders List<br />
• <strong>User</strong> Spam Quarantine<br />
Trusted and Untrusted Mail Sources<br />
<strong>ePrism</strong> must be properly configured for interaction with local and remote mail servers. <strong>ePrism</strong><br />
only processes mail through the spam filters when a message originates from an "untrusted"<br />
source. Trusted sources will bypass the spam controls.<br />
There are two ways to control how sources of mail are identified and trusted:<br />
1. Trusted Subnet — All mail from a specific network interface is considered trusted.<br />
2. Specific Access Pattern — An IP address (or address block), server, or domain name is<br />
identified as trusted using a specific access pattern rule.<br />
Trusted Subnet<br />
By default, mail that arrives on a particular network interface from the same subnet is "trusted".<br />
Because trusted sources bypass the spam controls, disable this setting on any interface whose<br />
subnet contains hosts you do not control. To change this setting, perform the following steps:<br />
1. Select Basic Config ➝ Network on the menu.<br />
2. For the specified interface, disable Trusted Subnet.<br />
Trusting via Specific Access Patterns<br />
To trust a system with a specific access pattern:<br />
1. Select Mail Delivery ➝ Mail Access on the menu.<br />
2. For Specific Access Patterns, click Add Pattern.<br />
3. Enter the IP address or hostname of the system in the Pattern field.<br />
4. Select the Client Access check box.<br />
5. Select Trust in the If pattern matches field, and then click Apply to add the rule.<br />
Configuring Intercept Anti-Spam<br />
To enable and configure <strong>ePrism</strong>’s Intercept Anti-Spam features, select Mail Delivery ➝ Anti-<br />
Spam ➝ Intercept on the menu.<br />
Intercept Actions<br />
In the Intercept Actions section, administrators can assign actions for three levels of spam score<br />
thresholds. The categories are as follows:<br />
• Certainly Spam — Any message with a score over this threshold (Default: 99) is almost<br />
certainly spam. These messages warrant a strong action such as Reject Mail or Redirect To.<br />
• Probably Spam — Any message with a score over this threshold (Default: 90) is probably<br />
spam. This threshold indicates a message with a very high spam score, but not high enough<br />
to be Certainly Spam. These messages should be treated with a lighter action than Certainly<br />
Spam, such as Redirect To or Modify Subject Header, but should not be rejected.<br />
• Maybe Spam — Any message with a score over this threshold (Default: 60) might be spam<br />
but should be treated with caution to prevent false positives. This threshold indicates<br />
messages which could be spam, but could also be legitimate mail. It is recommended that a<br />
light action such as Modify Subject Header or Just Log be used.<br />
For each category you can set the following fields and actions:<br />
• Threshold — Set the threshold for this category to the specified spam score. It is<br />
recommended that administrators leave these values at their defaults.<br />
• Action — Specify one of the following actions:<br />
• Just log: An entry is made in the log, and no other action is taken.<br />
• Modify Subject Header: The text specified in the Action Data field will be inserted into<br />
the message subject line.<br />
• Add header: An "X-" mail header will be added as specified in the Action Data field.<br />
• Redirect to: The message will be delivered to the mail address or server specified in the<br />
Action Data field.<br />
• Discard mail: The message is accepted and then silently dropped; the sender is not notified.<br />
• Reject mail: The mail will not be accepted and the connecting mail server is forced to<br />
return it.<br />
• BCC: Send a blind carbon copy of the message to the mail address specified in the<br />
Action Data field.<br />
• Quarantine Mail: The message is sent to the administrative quarantine area.<br />
• Action data — Depending on the specified action:<br />
• Modify Subject Header: The specified text will be inserted into the subject line, such as<br />
[SPAM].<br />
• Redirect to: Send the message to a mailbox such as "spam@example.com". The<br />
message can also be redirected to a spam quarantine server such as<br />
"spam.example.com".<br />
• Add header: An "X-" message header will be added with the specified text, such as<br />
"X-Reject: spam". The header action data should start with "X-" and contain a colon<br />
followed by a space.<br />
If the text has no colon, it becomes the value of an "X-Reject" header: entering "spam"<br />
produces "X-Reject: spam". If the text contains a colon but does not start with "X-", such as<br />
"Reason:spam", "X-" is prepended and the full header will be "X-Reason:spam".<br />
Anti-Spam Header<br />
Anti-spam headers are added to all messages for diagnostic purposes and contain data on the<br />
spam processing applied to the message and its metrics. Enable this option to include the<br />
header with the message. The header output is similar to the following:<br />
X-BTI-AntiSpam: score:99,sta:99/022,dcc:passed,dnsbl:passed,<br />
sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,<br />
trusted:no,ts:no,bs:no,ubl:matched/1<br />
TABLE 1. Anti-Spam Header Description<br />
• score — Overall Intercept score<br />
• sta — Token Analysis score<br />
• dcc — Bulk Analysis check<br />
• dnsbl — DNS Block List check<br />
• sw — Spam Dictionaries<br />
• bsn — BorderWare <strong>Security</strong> Network reputation<br />
• spf — SPF results<br />
• dk — DomainKeys results<br />
• pbmf — Pattern Based Message Filters<br />
• ipr — Mail Anomalies checks<br />
• trusted — Trusted or non-trusted<br />
• ts — Trusted Senders List<br />
• bs — Blocked Senders List<br />
• ubl — URL Block List check<br />
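The following Python script, added here as an example and not part of <strong>ePrism</strong> or this guide, parses the X-BTI-AntiSpam header shown above, maps the score onto the Intercept Actions thresholds (Certainly, Probably and Maybe Spam, using the defaults of 99, 90 and 60) and applies the Add header action-data rule from the previous section. The sample header is the guide's own example; the rule that a score equal to a threshold counts as reaching it, and the default action chosen for each category, are assumptions.<br />

```python
"""Parse the X-BTI-AntiSpam diagnostic header and apply the Intercept
Actions thresholds. Added example, not ePrism code: the header layout is
copied from the guide's sample, the thresholds are the guide's defaults,
and treating a score equal to a threshold as reaching it is an assumption
(the guide says "over this threshold")."""

# Constructed sample header, copied from the guide's example output.
SAMPLE_HEADER = (
    "X-BTI-AntiSpam: score:99,sta:99/022,dcc:passed,dnsbl:passed,"
    "sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,"
    "trusted:no,ts:no,bs:no,ubl:matched/1"
)

# Default Intercept thresholds (highest first) with an assumed action each.
THRESHOLDS = [
    ("Certainly Spam", 99, "Reject mail"),
    ("Probably Spam", 90, "Redirect to"),
    ("Maybe Spam", 60, "Modify Subject Header"),
]


def parse_antispam_header(header):
    """Split 'X-BTI-AntiSpam: key:value,key:value,...' into a dict.

    Values such as 'sta:99/022' or 'bsn:95 passed' are kept verbatim;
    'score' is converted to an int.
    """
    name, _, body = header.partition(":")
    if name.strip() != "X-BTI-AntiSpam":
        raise ValueError("not an X-BTI-AntiSpam header")
    fields = {}
    for item in body.split(","):
        key, _, value = item.strip().partition(":")
        if key:
            fields[key] = value
    if "score" not in fields:
        raise ValueError("header has no score field")
    fields["score"] = int(fields["score"])
    return fields


def classify(score, thresholds=THRESHOLDS):
    """Return (category, action) for the highest threshold the score reaches."""
    for category, threshold, action in thresholds:
        if score >= threshold:  # assumption: equal to the threshold counts
            return category, action
    return "Not Spam", "Just log"


def decide(header):
    """Combine parsing and classification; trusted mail bypasses the checks."""
    fields = parse_antispam_header(header)
    if fields.get("trusted") == "yes":
        return "Trusted", "Deliver"  # trusted sources skip the spam controls
    return classify(fields["score"])


def normalize_header_action(data):
    """Apply the guide's rule for 'Add header' action data.

    'X-Reject: spam' is used as is; 'spam' becomes 'X-Reject: spam';
    'Reason:spam' (a colon, no 'X-') becomes 'X-Reason:spam'.
    """
    if ":" in data:
        return data if data.startswith("X-") else "X-" + data
    return "X-Reject: " + data


if __name__ == "__main__":
    print(parse_antispam_header(SAMPLE_HEADER))
    print(decide(SAMPLE_HEADER))
    for raw in ("spam", "Reason:spam", "X-Reject: spam"):
        print(repr(raw), "->", normalize_header_action(raw))
```

Running this over headers exported from the Mail Transport logs confirms that a message landed in the category its score implies; the trusted:yes short-circuit mirrors the guide's statement that trusted sources bypass the spam controls.<br />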
Intercept Components<br />
Each component of the Intercept Anti-Spam engine can be enabled or disabled depending on<br />
your environment. To configure advanced settings for each feature, select its link from the list.<br />
Select the Enable check box for a specific feature and then select the spam feature link to<br />
review or customize the default settings. When finished, click the Apply button to save the<br />
configuration.<br />
Each Intercept Anti-Spam feature is discussed in more detail in the following sections.<br />
Reject on Unknown Recipient<br />
This option rejects mail if the intended recipients do not exist locally or in an LDAP directory.<br />
This option is used in conjunction with LDAP <strong>User</strong>s and the LDAP Recipients feature.<br />
<strong>ePrism</strong> will determine if a user exists as follows:<br />
• Checks if the user is in the local database of imported LDAP <strong>User</strong>s<br />
• Performs a direct lookup on an LDAP user directory with the LDAP Recipients feature.<br />
If using an Active Directory server, it is recommended that the LDAP <strong>User</strong>s function be used.<br />
Configure LDAP <strong>User</strong>s and Groups and LDAP Recipients via the Basic Config ➝ Directory<br />
Services menu.<br />
See “Directory <strong>User</strong>s and Groups” on page 63 for more information on importing LDAP users for<br />
user lookups. See “LDAP Recipients” on page 71 for information on configuring the LDAP<br />
Recipients feature.<br />
You can override Reject on Unknown Recipient by using a Specific Access Pattern set to "Allow<br />
Relaying" or "Trust".<br />
Specific Access Patterns (SAP)<br />
Specific Access Patterns (SAP) are always enabled by default and can be used to either accept<br />
or reject mail during an SMTP connection. These rules override all others, allowing them to be<br />
used for special trusting and blocking cases to allow email where it would be otherwise blocked,<br />
or to block email when it would otherwise be allowed. Specific access patterns allow an<br />
administrator to respond to local filtering requirements such as the following:<br />
• Allowing other systems to relay mail through <strong>ePrism</strong><br />
• Rejecting all messages from specific systems<br />
• Allowing all messages from specific systems (effectively trusting the server)<br />
• Trust addresses that may be blocked by BSN, DNSBL, or the URL Block List.<br />
Configuring Specific Access Patterns<br />
Select Mail Delivery ➝ Mail Access on the menu.<br />
To define a Specific Access Pattern, click the Add Pattern button.<br />
• Pattern — Enter a mail address, IP address, hostname, or domain name.<br />
• Client Access — Specify a domain, server hostname, or IP address. This item is the most<br />
reliable and may be used to block spam as well as trust clients.<br />
Only the Client Access parameter can be relied upon for blocking, since spammers can easily forge<br />
all other message properties. The remaining parameters are useful mainly for trusting. Keep in<br />
mind that a Trust rule keyed on one of them can be triggered by anyone who supplies the matching<br />
value, so scope such rules as narrowly as possible.<br />
• HELO Access — Specify either a domain or server name.<br />
• Envelope-From Access — Specify a valid email address.<br />
• Envelope-To Access — Specify a valid email address.<br />
None of these three parameters is reliable on its own, as the connecting client controls each of them.<br />
• If Pattern Matches:<br />
• Reject: The connection will be dropped.<br />
• Allow relaying: Messages from this address will be relayed. These messages will be<br />
processed for spam.<br />
• Trust: Messages from this address will be relayed and not processed for spam.<br />
Matching Rules<br />
When you specify a Specific Access Pattern rule, it can take the following forms:<br />
• IP Address — <strong>ePrism</strong> will match the IP address such as, "192.168.1.10", or you can use<br />
a more general address form such as "192.168" that will match anything in that address<br />
space.<br />
For the Client Access parameter, <strong>ePrism</strong> also supports CIDR (Classless Inter-Domain Routing)<br />
format so that administrators can specify a pattern for a network such as "192.168.0.0/24".<br />
• Domain Name — <strong>ePrism</strong> will match the supplied domain name, such as "example.com",<br />
with any subdomain such as "mail.example.com", "sales.mail.example.com" and<br />
so on.<br />
• Address — <strong>ePrism</strong> will match an exact email address, such as "user@example.com", or<br />
a more general rule such as "@example.com".<br />
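As an added example (not code from <strong>ePrism</strong>), the following Python implements the three pattern forms above and evaluates a small rule set against a connection. The rule layout, the first-match-wins ordering, the constructed rules and connections, and the audit helper that flags Trust rules keyed on forgeable fields are assumptions made for the example.<br />

```python
"""Matching rules for Specific Access Patterns, as an added example (not
ePrism code). The three pattern forms follow the guide; the rule dictionary
layout and first-match-wins evaluation order are assumptions."""
import ipaddress

FORGEABLE = {"helo", "from", "to"}  # per the guide, only Client Access is reliable


def match_ip(pattern, client_ip):
    """Exact address, dotted prefix such as '192.168', or CIDR such as '192.168.0.0/24'."""
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    want = pattern.rstrip(".").split(".")
    have = client_ip.split(".")
    return have[: len(want)] == want


def match_domain(pattern, hostname):
    """'example.com' matches example.com and every subdomain of it."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    return host == pat or host.endswith("." + pat)


def match_address(pattern, address):
    """'user@example.com' is an exact match; '@example.com' matches any mailbox there."""
    addr = address.lower()
    pat = pattern.lower()
    if pat.startswith("@"):
        return addr.rpartition("@")[2] == pat[1:]
    return addr == pat


def _looks_like_ip(pattern):
    return all(part.isdigit() for part in pattern.split("/")[0].rstrip(".").split("."))


def rule_matches(rule, conn):
    """conn: dict with client_ip, optional client_name (reverse DNS), helo, mail_from, rcpt_to."""
    field, pattern = rule["field"], rule["pattern"]
    if field == "client":
        if _looks_like_ip(pattern):
            return match_ip(pattern, conn["client_ip"])
        return match_domain(pattern, conn.get("client_name", ""))
    if field == "helo":
        return match_domain(pattern, conn["helo"])
    if field == "from":
        return match_address(pattern, conn["mail_from"])
    if field == "to":
        return match_address(pattern, conn["rcpt_to"])
    raise ValueError("unknown field " + field)


def evaluate(rules, conn):
    """Return the action ('Reject', 'Allow relaying', 'Trust') of the first matching rule, else None."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["action"]
    return None


def audit_trust_rules(rules):
    """Flag Trust rules keyed on values the connecting client controls.

    Such a rule lets anyone who sends the matching HELO or envelope
    address bypass the spam checks entirely.
    """
    return [r for r in rules if r["action"] == "Trust" and r["field"] in FORGEABLE]


# Constructed rule set for demonstration (addresses are documentation ranges).
RULES = [
    {"field": "client", "pattern": "192.168.0.0/24", "action": "Trust"},
    {"field": "client", "pattern": "10.0", "action": "Allow relaying"},
    {"field": "from", "pattern": "@spam.example", "action": "Reject"},
    {"field": "from", "pattern": "ceo@example.com", "action": "Trust"},  # forgeable: flagged by the audit
]

if __name__ == "__main__":
    inside = {"client_ip": "192.168.0.25", "helo": "pc25", "mail_from": "a@example.com", "rcpt_to": "b@example.com"}
    print(evaluate(RULES, inside))
    print(audit_trust_rules(RULES))
```

The audit helper is the check a reviewer would run on an exported SAP list: any Trust rule that matches on HELO, Envelope-From or Envelope-To is a spam-filter bypass for whoever forges that value.<br />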
Pattern Based Message Filters<br />
Pattern Based Message Filtering is the primary tool used for augmenting anti-spam controls<br />
and trusting and blocking messages. An administrator can specify that mail is rejected or<br />
trusted according to the contents of the message header, including the sender, recipient,<br />
subject, attachment content, and message body text.<br />
See “Pattern Based Message Filtering (PBMF)” on page 112 for detailed information on<br />
configuring PBMFs.<br />
Spam Dictionaries<br />
<strong>ePrism</strong> provides a built-in Spam Dictionaries filter. When enabled, all inbound messages<br />
passing through the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> are scanned for spam words and phrases<br />
that appear in the dictionary. Messages with words or phrases in their subject or body that<br />
match the phrase list are more likely to be spam. <strong>ePrism</strong>’s Intercept Anti-Spam engine will use<br />
this information to help decide if the message is spam or legitimate mail.<br />
<strong>ePrism</strong> includes a basic pre-configured spam words list that can be used for Spam Dictionary<br />
filtering. St. Bernard’s default list includes very common spam words such as "prescription" and<br />
"viagra". The full default list can be viewed and saved. Administrators can use this list to build<br />
and upload their own custom spam word list.<br />
It is recommended that administrators review this default spam words list to ensure that none of the<br />
included words are part of their organization’s normal business. For example, the word "prescription"<br />
should be removed if the company is involved with the pharmaceutical industry.<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select Spam Dictionaries on the<br />
menu to configure the options for this feature.<br />
• Enable Spam Dictionaries — Select the check box to enable the Spam Dictionaries<br />
feature. Message content will be checked against the spam word lists and the final result will<br />
be used by the Intercept engine.<br />
• Phrase file — Select the phrase file used for anti-spam checks. This can be the "Default<br />
Spam Words" list provided by St. Bernard, or a custom list uploaded via Mail Delivery ➝<br />
Content Management ➝ Dictionaries. See the following section for more information on<br />
adding a custom dictionary.<br />
• Logging — Select the type of logging for messages that contain matched spam words and<br />
phrases. This logging information will appear in the Mail Transport logs. Choose from the<br />
following:<br />
• No logging: No logging will be performed.<br />
• First match only: Only the first matching word will be displayed.<br />
• All matches: All matched words will be displayed.<br />
Adding a Spam Dictionary<br />
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries on the menu to view the<br />
default Spam Words list.<br />
2. Select the Default Spam Words list. The Default Spam Words file contains a list of<br />
common words that are typically seen in spam messages.<br />
3. Click Download to save and view the text file of spam words. The list contains one word or<br />
phrase per line, such as the following:<br />
free pic<br />
free pics<br />
free picz<br />
meds<br />
medz<br />
Administrators can use this base list to create their own dictionary of spam words by editing<br />
the text file and adding one word or phrase per line. Default words that are not required can<br />
be deleted.<br />
The maximum length for a dictionary word or phrase is 35 characters.<br />
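The following Python, added as an example rather than taken from <strong>ePrism</strong>, loads a phrase file in the one-entry-per-line format above, enforces the 35-character limit, drops entries that clash with the organization's business, and scans a message for matches with output for each logging mode. The sample phrase file is constructed from the words shown; whole-word, case-insensitive matching and the log format are assumptions.<br />

```python
"""Load a Spam Dictionaries phrase file, check the 35-character limit, and
scan a message for matches. Added example, not ePrism code: the file format
and length limit follow the guide; whole-word, case-insensitive matching
and the log formatting are assumptions."""
import re

MAX_PHRASE_LEN = 35  # limit stated in the guide

# Constructed phrase file in the one-entry-per-line format of the default list.
SAMPLE_DICTIONARY = """\
free pic
free pics
free picz
meds
medz
prescription
"""


def load_dictionary(text, drop=()):
    """Return (phrases, rejected).

    phrases: unique, lower-cased entries in file order, minus any in `drop`
    (for example 'prescription' for a pharmaceutical company);
    rejected: entries longer than MAX_PHRASE_LEN, which the appliance would not accept.
    """
    drop = {d.strip().lower() for d in drop}
    phrases, rejected, seen = [], [], set()
    for raw in text.splitlines():
        phrase = raw.strip().lower()
        if not phrase or phrase in seen or phrase in drop:
            continue
        if len(phrase) > MAX_PHRASE_LEN:
            rejected.append(phrase)
            continue
        seen.add(phrase)
        phrases.append(phrase)
    return phrases, rejected


def scan_message(subject, body, phrases):
    """Return the phrases found in the subject or body, in dictionary order.

    Matching is case-insensitive on whole words, so 'free pic' does not
    fire on 'free pics' (that variant has its own entry).
    """
    text = (subject + "\n" + body).lower()
    hits = []
    for phrase in phrases:
        if re.search(r"(?<!\w)" + re.escape(phrase) + r"(?!\w)", text):
            hits.append(phrase)
    return hits


def format_log(hits, mode):
    """Render a Mail Transport log fragment for the guide's logging modes:
    'none', 'first' (first match only) or 'all'."""
    if mode == "none" or not hits:
        return ""
    if mode == "first":
        return "spamdict: matched " + hits[0]
    if mode == "all":
        return "spamdict: matched " + ", ".join(hits)
    raise ValueError("unknown logging mode " + mode)


if __name__ == "__main__":
    phrases, rejected = load_dictionary(SAMPLE_DICTIONARY, drop=["prescription"])
    hits = scan_message("Cheap MEDZ today", "Get free pics here!", phrases)
    print(format_log(hits, "all"))
```

Run load_dictionary over a custom list before uploading it: any entry it reports as rejected exceeds the 35-character limit and should be shortened or split.<br />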
To upload the new spam dictionary file:<br />
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.<br />
2. Click Add to add a new dictionary file.<br />
3. Click Browse to select the file to be uploaded. Click Continue.<br />
The file information screen displays the initial contents of the file. You can change both the<br />
name of the list and the type of dictionary.<br />
Set the Type of file to spam. This indicates that this dictionary file can be used with the Spam<br />
Dictionaries feature.<br />
Click Continue to finish uploading the file. The new dictionary will now appear in the list and<br />
can be selected when using Spam Dictionaries.<br />
Mail Anomalies<br />
The Mail Anomalies feature performs checks on incoming messages to help determine whether<br />
the message is coming from a known source of spam or is legitimate mail. Systems that send<br />
spam have certain characteristics that can give away the nature of the sending system. Many<br />
spammers deploy scripts and use spoofed or false information when sending mail. By checking<br />
incoming connections for patterns of these behaviours, <strong>ePrism</strong> can help to determine whether<br />
mail from an incoming system is legitimate or spam.<br />
The Mail Anomalies feature checks messages for a variety of information that may reveal<br />
discrepancies between the message’s sending host and the host listed in the message<br />
envelope and contents, and information about messages recently sent by the sending host.<br />
The following anomaly indicators can be enabled by the administrator. A message must fail four<br />
or more of the enabled checks to be classified as spam; when it does, the weight assigned to Mail<br />
Anomalies in the Intercept advanced settings is the score used for Intercept processing.<br />
DNS Information<br />
The following checks relate to issues with DNS record lookups for the sending host:<br />
• Missing client reverse DNS — Checks if the sending host has a PTR (address to name)<br />
record and the PTR record has a matching A (name to address) record.<br />
• Missing sender MX — Check if the sender mail address has a DNS MX record.<br />
This check is more restrictive than the check for Unknown sender domain. If Unknown<br />
sender domain fails then this check will also fail. It is recommended that only one of the two<br />
checks be used at the same time.<br />
• Unknown sender domain — Check if the sender mail address has a DNS A or MX record.<br />
This check is less restrictive than the check for Missing sender MX. If this check fails then<br />
Missing sender MX will also fail. It is recommended that only one of these two checks be<br />
used at the same time.<br />
• Invalid HELO/EHLO hostname — Checks if the HELO/EHLO address is a valid<br />
hostname.<br />
• Unknown HELO/EHLO domain — Checks if the HELO/EHLO address has a DNS A or<br />
MX record.<br />
Client Behaviour<br />
The following checks relate to issues with the connecting client’s SMTP connection and<br />
message information:<br />
• Unauthorized pipelining — Check if the client sends SMTP commands ahead of time,<br />
without first learning from the EHLO response that the mail server supports SMTP command<br />
pipelining. This check detects bulk mail software that improperly uses SMTP command<br />
pipelining to speed up deliveries.<br />
• HELO/EHLO doesn’t match client — Check if the HELO/EHLO address matches the<br />
sending host address.<br />
• Missing From header — Check if the From header is present.<br />
• Missing To header — Check if the To header is present.<br />
• Envelope sender doesn’t match From header — Check if the From header matches the<br />
envelope sender address.<br />
Recent Activity<br />
The following checks identify clients who have recently sent spam or viruses and will only work<br />
if Threat Prevention (configured via Mail Delivery ➝ Threat Prevention) is enabled.<br />
• Recent spam from client — Check if the sending host recently sent spam.<br />
• Recent virus from client — Check if the sending host recently sent a virus.<br />
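The following Python, an added example and not <strong>ePrism</strong> code, implements the DNS and client-behaviour checks listed above against a constructed DNS table and applies the four-or-more rule with only one of the two sender-domain checks enabled, as the guide recommends. The DNS records, the hostname syntax test, and the interpretation of "HELO/EHLO doesn't match client" (the HELO name must resolve to the client IP) are assumptions; the pipelining and Recent Activity checks need live connection state and are left out.<br />

```python
"""Evaluate the Mail Anomalies DNS and client-behaviour checks against a
constructed DNS table, then apply the four-or-more rule. Added example,
not ePrism code: the check list and the rule come from the guide; the DNS
data, the hostname syntax test, and the HELO-versus-client comparison are
assumptions. Pipelining and recent-activity checks are not modelled."""
import re
from email.utils import parseaddr

# Constructed DNS records standing in for live lookups (documentation ranges).
DNS = {
    "PTR": {"203.0.113.7": "mail.example.net"},
    "A": {"mail.example.net": ["203.0.113.7"], "example.net": ["203.0.113.20"]},
    "MX": {"example.net": ["mail.example.net"]},
}

# Syntactically valid fully qualified hostname (labels plus an alphabetic TLD).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

# The guide advises enabling only one of the two sender-domain checks.
DEFAULT_ENABLED = frozenset({
    "missing_client_reverse_dns", "unknown_sender_domain",
    "invalid_helo_hostname", "unknown_helo_domain", "helo_mismatch",
    "missing_from_header", "missing_to_header", "envelope_from_mismatch",
})


def has_a_or_mx(domain, dns=DNS):
    return bool(dns["A"].get(domain) or dns["MX"].get(domain))


def anomaly_checks(client_ip, helo, mail_from, headers, dns=DNS):
    """Return {check_name: failed} for one message.

    headers: dict of message header names to values (From, To, ...).
    """
    sender_domain = mail_from.rpartition("@")[2].lower()
    helo_name = helo.lower().rstrip(".")
    ptr = dns["PTR"].get(client_ip)
    from_addr = parseaddr(headers.get("From", ""))[1].lower()
    return {
        # PTR must exist and its A record must point back at the client
        "missing_client_reverse_dns": not (ptr and client_ip in dns["A"].get(ptr, [])),
        "missing_sender_mx": not dns["MX"].get(sender_domain),
        "unknown_sender_domain": not has_a_or_mx(sender_domain, dns),
        "invalid_helo_hostname": not HOSTNAME_RE.match(helo_name),
        "unknown_helo_domain": not has_a_or_mx(helo_name, dns),
        # assumption: HELO name must resolve to the connecting address
        "helo_mismatch": client_ip not in dns["A"].get(helo_name, []),
        "missing_from_header": "From" not in headers,
        "missing_to_header": "To" not in headers,
        "envelope_from_mismatch": from_addr != mail_from.lower(),
    }


def anomaly_score(results, weight, enabled=DEFAULT_ENABLED, min_failures=4):
    """Return the Mail Anomalies weight if four or more enabled checks failed, else 0."""
    failures = sum(1 for name, failed in results.items() if failed and name in enabled)
    return weight if failures >= min_failures else 0


if __name__ == "__main__":
    legit = anomaly_checks("203.0.113.7", "mail.example.net", "alice@example.net",
                           {"From": "Alice <alice@example.net>", "To": "bob@example.com"})
    bogus = anomaly_checks("198.51.100.9", "localhost", "promo@bogus.invalid",
                           {"From": "deals@other.invalid"})
    print(anomaly_score(legit, 60), anomaly_score(bogus, 60))
```

The third case in the test below fails exactly three enabled checks and therefore scores zero, which is the behaviour to expect from legitimate but sloppily configured senders; the four-failure threshold is what keeps a single misconfiguration from adding the full weight.<br />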
BorderWare <strong>Security</strong> Network<br />
The BorderWare <strong>Security</strong> Network (BSN) helps to identify spam by reporting behavior<br />
information for a collection of metrics about the sender of a mail message, including their overall<br />
reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected<br />
or sends large amounts of spam messages, based on information collected from customer<br />
<strong>ePrism</strong> systems and global DNS Block Lists.<br />
This information can be used by the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> to either reject the<br />
message immediately or contribute to the Intercept score if a message is detected from a<br />
source with a poor reputation or numerous virus infections.<br />
If this option is enabled, <strong>ePrism</strong> will ask for statistics from the BSN Domain service for the<br />
sender IP of each message received, excluding those from trusted and known networks. Using<br />
the information returned from BSN, <strong>ePrism</strong> can make a decision about whether a message is<br />
spam or legitimate mail. A reputation of "0" indicates the sender is extremely reliable and rarely<br />
sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and<br />
often sends spam or viruses. An IP address with no previous information from any source is<br />
assigned a value "50".<br />
BSN Statistics Sharing<br />
Statistics from your <strong>ePrism</strong> can also be shared with BSN by selecting the share statistics option.<br />
The following message count statistics and the upstream client IP are sent to the BSN network<br />
when Share Statistics is enabled on <strong>ePrism</strong>:<br />
• Total mail<br />
• Clean mail<br />
• Spam mail<br />
• Virus mail<br />
• Unknown recipient<br />
• Known recipients<br />
• Malformed mail<br />
BSN Domain service queries use the DNS protocol on UDP port 53. BSN statistics sharing uploads<br />
to the BSN network using HTTPS on port 443. These ports must be opened up on your network<br />
firewall if <strong>ePrism</strong> is located behind the firewall.<br />
Note the following considerations when using BSN:<br />
• If the BSN server is not available, the DNS request times out. This may affect performance<br />
and requires monitoring for timed-out connections. Remove any servers which you do not<br />
use to prevent time-outs.<br />
• If a message that you want to receive from a client is blocked by BSN, add a Specific Access<br />
Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be<br />
used to "Bypass" (skip anti-spam and content checks), "Trust" (to accept and train as valid<br />
mail) or "Accept" (just accept without training) the message, however, this may interfere with<br />
later <strong>ePrism</strong> processing and using SAPs is recommended.<br />
BSN Trusting for Relays<br />
Administrators can trust friendly local networks or addresses of known mail servers in their<br />
environment that relay mail via <strong>ePrism</strong>. These specific networks and servers can be added to<br />
the "relays" IP Address list in the Threat Prevention feature to prevent them from being blocked<br />
by Threat Prevention and BSN, as well as ensuring that reputation statistics for these<br />
addresses will not be reported to BSN.<br />
For example, it is possible that in <strong>ePrism</strong> environments with a backup MTA (Mail Transfer<br />
Agent) system, the backup system may be misclassified by BSN. If <strong>ePrism</strong> is offline, mail will<br />
be collected by the backup MTA as specified in the organization's MX records. When <strong>ePrism</strong><br />
comes back online, this mail (which may include spam, viruses, and other types of infected<br />
mail) from the backup MTA will be forwarded to <strong>ePrism</strong> for processing. If BSN is enabled, this<br />
backup system may receive a low reputation score by BSN.<br />
To add a system to the relays list:<br />
1. Click the internal hosts and friendly mail relays link on the BSN menu.<br />
2. The relays static IP/CIDR list screen will appear:<br />
3. Add the address of any internal relays and a description, and then click the Add button.<br />
Configuring BSN Checks<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then BorderWare <strong>Security</strong> Network on<br />
the menu.<br />
• Enable — When BSN is enabled, incoming messages will be checked against the spam<br />
information gathered by the BSN network.<br />
• BSN Domain — Enter the BSN domain to query. The default (ipdns.borderware.com)<br />
is the primary BSN domain, and should not be modified.<br />
• Share Statistics — Enable BSN information, such as spam and virus statistics for<br />
connecting client IP addresses, from this <strong>ePrism</strong> to be shared with the BSN network.<br />
Port 443 must be enabled outbound to allow statistics to be uploaded to the BSN server. There are<br />
no security risks associated with sharing statistics. <strong>ePrism</strong> does not relay any private or sensitive<br />
information to the BorderWare <strong>Security</strong> Network.<br />
• Check Relays — When this option is enabled, the configured number of Received headers<br />
will be checked with BSN. For example, an email message may have been relayed by four<br />
mail servers before it reached <strong>ePrism</strong>. Use this field to specify how many relay points,<br />
starting from the latest header to the earliest, should have their reputation checked via<br />
BSN. Acceptable values are between "0" and "ALL". Recommended values are "0" (off), "1"<br />
or "2". The default is "0" (off).<br />
Check Relays should be enabled if <strong>ePrism</strong> is installed behind another MTA or mail gateway. This<br />
ensures the relay before the intermediary MTA is checked.<br />
• Exclude Relays — This option specifies how many received headers to exclude from BSN<br />
checks, starting from the earliest header to the most recent. For example, if Check Relays is<br />
enabled, setting this value to 1 means that the first relay point will not be checked. Note that<br />
some ISPs include the originating dial-up IP as the first relay point which can lead to<br />
legitimate mail being classified as spam by BSN. Recommended values are "0" (off) or "1".<br />
The default is "0" (off).<br />
This setting will only be enabled if Check Relays is also enabled.<br />
As an example of using the Check Relays and Exclude Relays options, consider the following<br />
scenario:<br />
Server A -> Server B -> Server C -> Server D -> <strong>ePrism</strong><br />
With the mail relayed via four previous servers (A-D), the received headers of a message will<br />
appear in the following order:<br />
Received: D<br />
Received: C<br />
Received: B<br />
Received: A<br />
Setting the Check Relays option tells <strong>ePrism</strong> to start with server "D" and check the configured<br />
number of received headers. If Check Relays is set to "3", it will check "D", "C", and "B".<br />
Use the Exclude Relays option to tell <strong>ePrism</strong> to ignore the configured number of received<br />
headers starting at the end of the header list regardless of what the Check Relays option is set<br />
to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.<br />
BSN Connection Rejects<br />
By default, <strong>ePrism</strong> uses BSN feedback as part of the Intercept decision. To override this default<br />
behavior, <strong>ePrism</strong> can use BSN information for connection level rejects. When overriding the<br />
default behavior with BSN, <strong>ePrism</strong> provides the following options:<br />
• Reject on BSN Reputation — If enabled, the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> will reject<br />
messages from senders whose reputation is above the configured Reputation Threshold. A<br />
reputation of "0" indicates the sender is extremely reliable and rarely sends spam or<br />
viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends<br />
spam or viruses. An IP address with no previous information from any source is assigned a<br />
value of "50".<br />
BSN rejects can be overridden by creating a Specific Access Pattern to "Trust" the rejected<br />
address. BSN rejects cannot be overridden by a policy. Pattern Based Message Filtering<br />
can also be used to "Bypass" (to bypass all Anti-Spam and content checks), "Trust" (to<br />
accept and train as valid mail) or "Accept" (just accept without training) the message,<br />
however, this may interfere with later <strong>ePrism</strong> processing and using SAPs is recommended.<br />
• Reputation Threshold — Enter a reputation threshold over which a message will be<br />
rejected. Generally, a rejection threshold of "70" to "75" will reject at least 60% of spam<br />
messages. If desired, this threshold can be set to a less aggressive value of "90" which<br />
results in about 40% of spam messages being rejected via this feature.<br />
• Reject on Infection — If enabled, the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> will reject<br />
messages from senders whose infection score is above the configured Infection Threshold.<br />
• Infection Threshold — Indicates the criteria for rejecting messages based on whether the<br />
sending host is Currently infected (received in the last hour) or Recently infected (received in<br />
the last day). This setting is only valid when Reject on Infection is enabled.<br />
• Reject Connection From Dial-ups — If enabled, the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> will<br />
reject messages sent directly from dial-up connections.<br />
If a message is not rejected for violating a BSN threshold, the reputation score and<br />
information about whether the sender is a dial-up can still be incorporated into the overall Intercept<br />
Anti-Spam decision.<br />
• BSN Reject Message — This option allows the administrator to customize the reject<br />
message for BSN. Use "%s" to specify the IP address of the rejected sender, such as:<br />
go to http://intercept.borderware.com/lookup?ip=%s<br />
BSN rejection, infection, and dial-up log messages will include a URL similar to the following:<br />
BSN 450: blocked by Intercept: go to http://intercept.borderware.com/lookup?ip=[client_ip]<br />
where client_ip is the connecting system that was rejected. Clicking the URL will open<br />
up a web page displaying BSN reputation statistics on the specified IP address.<br />
DNS Block List<br />
DNS Block Lists (DNSBL) contain the addresses of known sources of spam and are<br />
maintained by both commercial and non-commercial organizations. The DNSBL mechanism is<br />
DNS-based resulting in a lookup on the specified DNSBL server for every server that attempts<br />
to connect to <strong>ePrism</strong>.<br />
The weight assigned to DNS Block Lists in the Intercept advanced settings will be the score<br />
(default is 80) used by Intercept processing when a DNSBL is triggered for a message. If a<br />
sender is matched on more than one DNS Block List, this will increase the weight score<br />
assigned by Intercept for each list it is matched on.<br />
Note the following considerations when using DNSBL:<br />
• If the DNSBL server is not available the DNS request will time out. This may affect<br />
performance and requires monitoring for timed-out connections. Remove any servers<br />
which you do not use to prevent time-outs.<br />
• If a message that you want to receive is blocked by a DNSBL, add a Specific Access<br />
Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be<br />
used to "Bypass" (to bypass all Anti-Spam and content checks), "Trust" (to accept and train<br />
as valid mail) or "Accept" (just accept without training) the message, however, this may<br />
interfere with later <strong>ePrism</strong> processing and using SAPs is recommended.<br />
Configuring DNSBL<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then select DNS Block List to configure<br />
the options for this feature:<br />
• Enable DNSBLs — Select this check box to enable DNSBL lookups.<br />
• Check Relays — The Check Relays setting deals with spammers who are relaying their<br />
messages, usually illegally, through an intermediate server. The information about the<br />
originating server is carried in the headers of the message. Use this field to specify how<br />
many relay points, starting from the latest headers to the earliest, should be checked<br />
against a DNS Block List. Acceptable values are between "0" and "ALL". It is recommended<br />
that this option be left at the default value of "0" (off), or set to "1" or "2".<br />
This option should be enabled if <strong>ePrism</strong> is behind another MTA or mail gateway. This ensures the<br />
relay before the intermediary MTA is checked.<br />
• Exclude Relays — This option defines how many received headers to exclude from DNSBL<br />
checks, starting from the earliest to the most recent. Some ISPs include the originating dial-up<br />
IP as the first relay point, which can result in legitimate mail being blocked by DNSBLs<br />
that block dial-ups. It is recommended to set this value to "1" or "0". Use "1" if any of the<br />
DNSBL servers utilized include dynamic IP addresses (such as dial-up connections). If the<br />
DNSBL service does not include dial-ups, set this to "0" to ensure mail originating from<br />
webmail systems is not rejected.<br />
As an example of using the Check Relays and Exclude Relays options, consider the<br />
following scenario:<br />
Server A -> Server B -> Server C -> Server D -> <strong>ePrism</strong><br />
With the mail relayed via four previous servers (A-D), the received headers of a message<br />
will appear in the following order:<br />
Received: D<br />
Received: C<br />
Received: B<br />
Received: A<br />
Setting the Check Relays option tells <strong>ePrism</strong> to start with server "D" and check the<br />
configured number of received headers. If Check Relays is set to "3", it will check "D", "C",<br />
and "B".<br />
Use the Exclude Relays option to tell <strong>ePrism</strong> to ignore the configured number of received<br />
headers starting at the end of the header list regardless of what the Check Relays option is<br />
set to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.<br />
• Reject on DNSBL — Enable the check box to reject mail from blocked clients regardless of<br />
other message processing.<br />
Reject on DNSBL will reject the message at SMTP connection time regardless of other Intercept<br />
processing. Caution should be used when enabling this feature. Note that this feature, if enabled,<br />
cannot be disabled by a Policy.<br />
• DNSBL Reject Threshold — The number of Block Lists to trigger before rejecting based on<br />
DNSBL. If this value is set to "2", the server must appear on at least two DNSBLs before<br />
being rejected.<br />
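The relay-selection rule that the Check Relays and Exclude Relays options describe (above, for BSN, and here, for DNSBL), followed by the block-list lookup and the DNSBL Reject Threshold count, as an added Python example. This is not code from the guide or from the ePrism product. The Received headers, the block-list zones and their listings are constructed so the example runs offline, and the reversed-octet query name is the common DNSBL convention rather than something the guide states.<br />

```python
import ipaddress
import re
from typing import Callable, Dict, List, Set, Union

CheckRelays = Union[int, str]   # a non-negative count, or the literal "ALL"

# Constructed Received headers for the scenario in the text, most recent
# first. The top header is the one the appliance itself adds for the
# connecting client (D); the bottom one names the originating server (A).
RECEIVED_HEADERS: List[str] = [
    "Received: from serverD.example.net ([203.0.113.4]) by eprism.example.com",
    "Received: from serverC.example.net ([203.0.113.3]) by serverD.example.net",
    "Received: from serverB.example.net ([203.0.113.2]) by serverC.example.net",
    "Received: from serverA.example.org ([198.51.100.1]) by serverB.example.net",
]
CLIENT_IP = "203.0.113.4"   # D, the host that opened the SMTP connection

# Constructed block-list zones and their listings, so the example runs
# offline instead of querying real DNSBL servers.
FAKE_LISTINGS: Dict[str, Set[str]] = {
    "bl1.example": {"203.0.113.3"},    # lists C
    "bl2.example": {"203.0.113.3"},    # also lists C
    "dul.example": {"198.51.100.1"},   # a dial-up list; lists the origin A
}
ZONES: List[str] = list(FAKE_LISTINGS)

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def select_relays(headers: List[str], check_relays: CheckRelays,
                  exclude_relays: int) -> List[str]:
    """Pick the Received headers whose relays get checked.

    Check Relays counts from the most recent header (D) towards the earliest,
    "ALL" meaning every header and 0 meaning none. Exclude Relays then drops
    that many headers from the earliest end (A), whatever Check Relays is.
    """
    wanted = len(headers) if check_relays == "ALL" else max(0, int(check_relays))
    keep_until = len(headers) - max(0, exclude_relays)
    limit = max(0, min(wanted, keep_until))   # never let a negative slice sneak in
    return headers[:limit]


def relay_ip(header: str) -> str:
    """Extract and validate the bracketed IPv4 literal from a Received header."""
    match = _IP_RE.search(header)
    if not match:
        raise ValueError(f"no IPv4 literal in header: {header!r}")
    return str(ipaddress.IPv4Address(match.group(1)))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name to look up for ip in a block list: octets reversed, then the zone
    (the usual DNSBL convention, e.g. 4.113.0.203.bl1.example)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name: str) -> bool:
    """Stand-in for a DNS A-record lookup against FAKE_LISTINGS: True when the
    name is listed. A real resolver would also catch timeouts here and treat
    them as "not listed", which is the slowdown the guide warns about for
    unreachable DNSBL servers."""
    for zone, listed in FAKE_LISTINGS.items():
        if name.endswith("." + zone):
            reversed_ip = name[: -(len(zone) + 1)]
            return ".".join(reversed(reversed_ip.split("."))) in listed
    return False


def count_listings(ip: str, zones: List[str],
                   resolve: Callable[[str], bool] = fake_resolve) -> int:
    """How many of the configured block lists list this address."""
    return sum(1 for zone in zones if resolve(dnsbl_query_name(ip, zone)))


def dnsbl_reject(client_ip: str, headers: List[str], check_relays: CheckRelays,
                 exclude_relays: int, zones: List[str], reject_threshold: int,
                 resolve: Callable[[str], bool] = fake_resolve) -> Dict[str, int]:
    """Return {ip: listings} for every checked address that reaches the DNSBL
    Reject Threshold; an empty result means no connection-time reject.

    The connecting client is always checked; Check Relays and Exclude Relays
    only decide which earlier relays join it.
    """
    threshold = max(1, reject_threshold)   # a threshold of 0 would reject everyone
    to_check = [client_ip]
    for header in select_relays(headers, check_relays, exclude_relays):
        ip = relay_ip(header)
        if ip not in to_check:
            to_check.append(ip)
    hits: Dict[str, int] = {}
    for ip in to_check:
        listings = count_listings(ip, zones, resolve)
        if listings >= threshold:
            hits[ip] = listings
    return hits


if __name__ == "__main__":
    # Check Relays "3", Exclude Relays "1", threshold "2": D, C and B are
    # examined, A is skipped, and C (on two lists) triggers the reject.
    print(dnsbl_reject(CLIENT_IP, RECEIVED_HEADERS, 3, 1, ZONES, 2))
```

With Check Relays set to "ALL" and Exclude Relays "0", the dial-up listing of server A also counts; raising Exclude Relays to "1" removes A again, which is the webmail and dial-up case the text describes.<br />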
DNSBL Domains<br />
Click Edit to modify the list of your DNSBL domain servers. Click Update when finished.<br />
The default DNSBL servers supplied will cover most cases and should not be changed without<br />
careful consideration.<br />
URL Block Lists<br />
URL Block Lists contain a list of domains and IP addresses of URLs that have appeared<br />
previously in spam, phishing, or other malicious messages. This feature is used to determine if<br />
the message is spam by examining any URLs contained in the body of a message to see if they<br />
appear on a block list.<br />
Similar to DNS Block Lists, the URL Block List will be queried to see if a URL exists on the<br />
configured block list server. If a match is found, this information will be used by the Intercept<br />
engine to decide whether a message is spam or legitimate mail.<br />
If the URL in a message is matched on a URL Block List, it will be assigned a score as per the<br />
URL Block List weighting configured in the Intercept advanced Component Weight setting<br />
(default is 90). If a URL is matched on more than one URL Block List, this will increase the<br />
weight of the score assigned by Intercept for each list it is matched on.<br />
To configure URL Block Lists:<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then select URL Block List on the menu.<br />
Select the Enable UBLs check box to enable URL Block List checks.<br />
UBL Domains<br />
URLs can be checked either by the SURBL (Spam URI Realtime Block Lists) method, which<br />
looks up the base domain or IP address of the URL, or by a DNSBL lookup, which resolves the<br />
full host name of the URL and queries a DNS Block List server for the resulting IP address.<br />
St. Bernard provides a default SURBL server that can be used for the URL Block List. Other<br />
SURBL or DNSBL lists can be added by the administrator, but caution must be taken when<br />
adding servers as some free services may introduce false positives.<br />
Click the Edit button to configure the SURBL and DNSBL server lists.<br />
UBL Whitelist<br />
Administrators can define a list of domains and IP addresses that will be trusted, even if<br />
messages from those addresses contain URLs that appear in a URL Block List.<br />
Enter a domain name or IP address to be trusted and then click the Add button.<br />
If a domain is entered (such as "example.com"), all subdomains of that domain will also be<br />
included (such as "www.example.com").<br />
A list of domain names and IP addresses can also be uploaded in one text file. The entries<br />
must appear one per line in the form:<br />
192.168.1.100<br />
192.168.10.200<br />
example.com<br />
The file (ubl_wl.csv) should be created in csv file format using Excel, Notepad or another<br />
Windows text editor. It is recommended that you download the file first by clicking Download<br />
File, editing it as required, and uploading it using the Upload File button.<br />
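Parsing a whitelist upload in the one-entry-per-line form shown above and matching URL hosts against it, including the subdomain rule ("example.com" also covers "www.example.com"), as an added Python example. This is not code from the guide or from the ePrism product; the file contents are constructed, and the rejection of malformed lines and the label-boundary matching are design choices of this example, not documented appliance behaviour.<br />

```python
import ipaddress
from typing import Set, Tuple
from urllib.parse import urlsplit

# Constructed contents of a ubl_wl.csv upload, one entry per line as the
# text describes. A blank line, mixed case and a trailing dot are included
# to show how they are handled.
UBL_WHITELIST_FILE = """\
192.168.1.100
192.168.10.200
example.com

Lists.Example.ORG.
"""


def parse_whitelist(text: str) -> Tuple[Set[str], Set[str]]:
    """Split the upload into trusted IP addresses and trusted domains.

    Domains are lower-cased and stripped of a trailing dot. A line that is
    neither an IP address nor a plausible host name raises, so a typo is
    caught at upload time rather than silently trusting nothing.
    """
    ips: Set[str] = set()
    domains: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass
        domain = entry.lower().rstrip(".")
        labels = domain.split(".")
        if not all(label and label.replace("-", "").isalnum() for label in labels):
            raise ValueError(f"line {lineno}: not an IP address or domain: {entry!r}")
        domains.add(domain)
    return ips, domains


def host_is_trusted(host: str, ips: Set[str], domains: Set[str]) -> bool:
    """IP hosts must match a trusted address exactly. Name hosts match a
    trusted domain exactly or as a subdomain on a label boundary, so
    "example.com" covers "www.example.com" but not "notexample.com" and not
    "example.com.evil.test"."""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in domains)


def url_is_whitelisted(url: str, ips: Set[str], domains: Set[str]) -> bool:
    """Apply host_is_trusted to the host part of a URL seen in a message body;
    credentials, ports and paths in the URL take no part in the match."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return bool(host) and host_is_trusted(host, ips, domains)


if __name__ == "__main__":
    trusted_ips, trusted_domains = parse_whitelist(UBL_WHITELIST_FILE)
    for candidate in ("http://www.example.com/offer", "http://notexample.com/",
                      "http://example.com.evil.test/", "http://192.168.1.100/x"):
        print(candidate, url_is_whitelisted(candidate, trusted_ips, trusted_domains))
```

The label-boundary check matters because a plain suffix comparison would let "notexample.com" ride on a trust entry for "example.com"; the `hostname` property also discards user-info and port, so a URL such as "http://user@lists.example.org:8080/" is matched on its real host.<br />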
Bulk Analysis<br />
Bulk Analysis utilizes a set of servers that maintain databases of message checksums, numeric<br />
values that uniquely identify a message. Mail users and ISPs all over the world<br />
submit checksums of all messages received. The database records how many times each message<br />
is submitted. If requested, the Bulk Analysis server can return a count of how many instances of<br />
a message have been received. <strong>ePrism</strong> uses this count to determine the disposition of a<br />
message.<br />
A Bulk Analysis server receives no mail, addresses, headers, or any similar information, but only<br />
the cryptographically secure checksums of such information. A Bulk Analysis server cannot<br />
determine the text or other information that corresponds to the checksums it receives. It only<br />
acts as a clearinghouse of counts of checksums computed by clients. Bulk Analysis thus<br />
provides a simple but very effective way to identify spam and control its disposition<br />
while updating its database with new spam message types.<br />
The weight assigned to Bulk Analysis in the Intercept advanced settings will be the score used<br />
by Intercept processing if the message is considered bulk.<br />
You must allow a connection on UDP port 6277 on your firewall or router to allow communications<br />
with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow<br />
down mail delivery.<br />
Bulk Analysis Considerations<br />
When implementing Bulk Analysis, consider the following:<br />
• Educate your user community about this tool and request them to submit mailing lists and<br />
other bulk mail sources that need to be trusted. This step is crucial if Bulk Analysis and<br />
Token Analysis are to work properly.<br />
• Set your Intercept spam dispositions so that users can recognize that a mail has been<br />
mistakenly identified as spam. This will allow users to report back false positives. The<br />
Modify Subject Header disposition is well suited for this task.<br />
Configuring Bulk Analysis<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Bulk Analysis<br />
to configure its options.<br />
Threshold Settings<br />
The threshold is used to determine what should happen to mail when it has been classified.<br />
• If bulk exceeds — Bulk Analysis returns a number showing how many times the message<br />
has been identified. This can be zero (unique and therefore not bulk) or another number,<br />
such as 1352, indicating that the message has been reported as bulk this many times.<br />
It may also return the value "many". This is a special Bulk Analysis value returned when<br />
Bulk Analysis has seen a certain message at such a volume and frequency that it<br />
is most certainly considered "bulk".<br />
For Bulk Analysis to be useful, you need to specify a threshold that will trigger an action. It<br />
is recommended that you enter either "many" or a value of 50 or 100.<br />
Body1, Fuz1, and Fuz2 are settings that specify which checksums will be calculated and<br />
sent in. It is recommended that you leave the default settings. These settings effectively<br />
counter the efforts of spammers to randomize message content and evade detection as<br />
bulk. Results of the various counts can be viewed in the transport logs.<br />
Click the Advanced button to reveal additional settings such as From, ID, and IP. The<br />
selected checksums must be supported by the Bulk Analysis server to work properly and it<br />
is recommended that you use the default settings.<br />
These additional settings should be used with caution, as they may increase the risk of false<br />
positives.<br />
• Bulk Analysis Warning Threshold — The threshold for the expected Bulk Analysis<br />
successful response rate, as a percentage of total number of Bulk Analysis queries<br />
performed. If the successful response rate falls below this value, an alarm will be generated.<br />
It is acceptable to have some value of loss depending on network connectivity. This feature<br />
is used to determine whether communication between <strong>ePrism</strong> and the Bulk Analysis<br />
network is occurring properly.<br />
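The count and threshold semantics described above, including the special "many" value and the Warning Threshold alarm, as an added Python example that is not code from the guide or from the ePrism product. The body checksum is a simple normalise-and-hash stand-in (an assumption: the guide names Body1, Fuz1 and Fuz2 but does not specify them), and the sample messages and query figures are constructed.<br />

```python
import hashlib
import re
from typing import Union

Count = Union[int, str]   # a non-negative integer, or the literal "many"


def body_checksum(body: str) -> str:
    """Illustrative stand-in for a Body1-style checksum (assumption: the real
    Body1/Fuz1/Fuz2 algorithms are not described in the guide). Whitespace is
    collapsed and case folded before hashing so trivial reformatting does not
    turn a bulk message into a "new" one. Only this digest is ever sent; the
    server never sees the text it was computed from."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def parse_count(value: str) -> Count:
    """Parse a server response: a decimal count or the word 'many'."""
    text = value.strip().lower()
    if text == "many":
        return "many"
    if text.isdigit():
        return int(text)
    raise ValueError(f"unexpected Bulk Analysis response: {value!r}")


def is_bulk(count: Count, threshold: Count) -> bool:
    """Apply the 'If bulk exceeds' threshold.

    A threshold of 'many' is met only by a 'many' response, never by a plain
    count however large; a numeric threshold is exceeded by 'many' or by any
    count strictly above it.
    """
    if threshold == "many":
        return count == "many"
    if count == "many":
        return True
    return int(count) > int(threshold)


def response_rate_alarm(queries: int, successes: int, warning_pct: float) -> bool:
    """True when the successful-response rate drops below the Bulk Analysis
    Warning Threshold (a percentage of all queries), which is the condition
    the guide says raises an alarm. No queries means nothing to judge."""
    if queries <= 0:
        return False
    return 100.0 * successes / queries < warning_pct


# Constructed sample: the same message once as sent and once re-wrapped.
SAMPLE_A = "Refinance today!\n  Low rates, act NOW."
SAMPLE_B = "refinance today! low rates, act now."


if __name__ == "__main__":
    print(body_checksum(SAMPLE_A) == body_checksum(SAMPLE_B))   # same digest
    print(is_bulk(parse_count("1352"), 100), is_bulk(parse_count("many"), "many"))
    print(response_rate_alarm(200, 150, 80))                    # 75% < 80%: alarm
```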
Bulk Analysis Servers<br />
Click Edit in the Bulk Analysis Servers section to configure your server settings, if required.<br />
The default Bulk Analysis server supplied will cover most cases and should not be changed without<br />
careful consideration.<br />
You must allow a connection on UDP port 6277 on your firewall or router to allow communications<br />
with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow<br />
down mail delivery.<br />
Bulk Analysis Trusted and Blocked Entry List<br />
Administrators can create exceptions to bulk classifications by using the Trusted and Blocked<br />
List. In many cases, it may be easier to specify such exceptions using Pattern Based Message<br />
Filters, in which case the mail bypasses all anti-spam settings. It is recommended that Pattern<br />
Based Message Filters be used for creating exceptions. The Bulk Analysis trusted and blocked<br />
entry list feature is useful for removing legitimate bulk mail, such as mailing lists, from<br />
consideration as bulk while letting it be scanned by Intercept for other spam characteristics.<br />
Click Edit to add entries to the Trusted and Blocked Entry lists. Click Apply to add the new entry.<br />
Token Analysis<br />
Token Analysis is a sophisticated method of identifying spam based on statistical analysis of<br />
mail content. Simple text matches can lead to false positives because a word or phrase can<br />
have many meanings depending on the context. Token Analysis provides a way to accurately<br />
measure how likely any particular message is to be spam without having to specify every word<br />
and phrase.<br />
Token Analysis achieves this by deriving, for each word or phrase, a measure of how much it<br />
contributes to the likelihood of a message being spam. This is based on the relative frequency of words and<br />
phrases in a large number of spam messages. From this analysis, it creates a table of<br />
"discriminators" (words associated with spam) and associated measures of how likely a<br />
message containing them is to be spam.<br />
When a new incoming message is received, Token Analysis analyzes the message, extracts<br />
the discriminators (words and phrases), finds their measures from the table, and aggregates<br />
these measures to produce a spam metric for the message. This spam metric is the score<br />
assigned by Token Analysis to be used in the Intercept Anti-Spam decision.<br />
Token Analysis has a built-in weighting mechanism that assigns a value between 0 and 100 to<br />
indicate whether a message is spam. A message with a low metric (closer to 0) is considered to<br />
be legitimate, while a message with a high metric (closer to 100) is considered to be spam.<br />
Token Analysis uses three sources of data to build its run-time database:<br />
• The initial tables supplied are based on analysis of known spam.<br />
• Tables derived from an analysis of local legitimate mail. This is referred to as "local<br />
learning" or "training".<br />
• Training provided by spam from PBMF Spam, Bulk Analysis, DNSBL, SPF, and<br />
DomainKeys Intercept components.<br />
How Token Analysis Works<br />
Consider the following simple message:<br />
---------------------------------------------------------------<br />
Subject: Get rich quick!!!!<br />
Click on http://getrichquick.com to earn millions!!!!!<br />
---------------------------------------------------------------<br />
Token Analysis will break the message down into the following tokens:<br />
[Get] [rich] [quick!!!!] [Click] [on] [http://getrichquick.com]<br />
[to] [earn] [millions!!!!!]<br />
Each token is looked up in the database and a spam metric is retrieved. The token "Click" has<br />
a high metric of 91, whereas the word "to" is neutral (indicating neither spam nor legitimate).<br />
These metrics are aggregated using statistical methods to give the overall score for the<br />
message of 98.<br />
Mail messages with a spam metric of 90 or greater are very likely to be spam. Lower values<br />
(50-60) indicate possible spam, while very low values (20-25) are unlikely to be spam. These spam<br />
metrics are the score assigned by Token Analysis as part of the final Intercept Anti-Spam<br />
decision.<br />
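The tokenize, look-up and aggregate steps just described, carried through on the "Get rich quick" message, as an added Python example. This is not code from the guide or from the ePrism product: the per-token metrics are constructed (the guide gives only "Click" = 91 and "to" = neutral), the combining rule is the classic naive-Bayes product, used here as a stand-in for the unspecified "statistical methods", and the neutral-word handling anticipates the Neutral Words option described later in this section. It also returns the tokens that pushed the score each way, the information the X-STA diagnostic headers later in this section report.<br />

```python
import math
from typing import Dict, FrozenSet, List

# Constructed per-token spam metrics (0-100) standing in for the Token
# Analysis discriminator table. The values are illustrative.
TOKEN_METRICS: Dict[str, int] = {
    "click": 91,
    "rich": 85,
    "earn": 80,
    "millions": 88,
    "getrichquick.com": 95,
    "quick": 70,
    "meeting": 10,
    "invoice": 20,
    "refinance": 75,
    "mortgage": 72,
}

# Constructed administrator neutral-word list (a mortgage company's choice).
NEUTRAL_WORDS: FrozenSet[str] = frozenset({"refinance", "mortgage"})

NEUTRAL_METRIC = 50          # no evidence either way; also used for unknown tokens
CLAMP = (0.01, 0.99)         # keep one token from forcing the result to 0 or 100
MAX_EVIDENCE_TOKENS = 15     # only the most telling tokens take part in the aggregate

# Constructed sample messages.
SPAM_MESSAGE = "Subject: Get rich quick!!!!\nClick on http://getrichquick.com to earn millions!!!!!"
LEGIT_MESSAGE = "Subject: Meeting notes\nPlease review the invoice before our meeting tomorrow."
MORTGAGE_MESSAGE = "Subject: Refinance your mortgage\nOur mortgage team will call to discuss your refinance."


def tokenize(message: str) -> List[str]:
    """Lower-case the text, split on whitespace, trim surrounding punctuation
    and reduce URLs to their host, so "http://getrichquick.com" becomes the
    token "getrichquick.com" and "millions!!!!!" becomes "millions"."""
    tokens = []
    for raw in message.lower().split():
        tok = raw.strip("!?,.:;\"'()[]<>")
        if "://" in tok:
            tok = tok.split("://", 1)[1].split("/", 1)[0]
        if tok:
            tokens.append(tok)
    return tokens


def token_metric(token: str, neutral_words: FrozenSet[str]) -> int:
    """Look a token up in the table; administrator-defined neutral words and
    never-seen tokens both score 50."""
    if token in neutral_words:
        return NEUTRAL_METRIC
    return TOKEN_METRICS.get(token, NEUTRAL_METRIC)


def analyze(message: str, neutral_words: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Return the 0-100 spam metric plus the tokens that pushed it each way.

    Aggregation is the naive-Bayes combination
    P = prod(p_i) / (prod(p_i) + prod(1 - p_i)) over the most extreme tokens,
    computed in log space so long messages do not underflow.
    """
    seen: Dict[str, int] = {}
    for tok in tokenize(message):
        seen.setdefault(tok, token_metric(tok, neutral_words))
    scored = [(tok, m) for tok, m in seen.items() if m != NEUTRAL_METRIC]
    if not scored:   # nothing but neutral tokens: no evidence, stay at 50
        return {"metric": NEUTRAL_METRIC, "spam_tokens": [], "notspam_tokens": []}
    scored.sort(key=lambda tm: abs(tm[1] - NEUTRAL_METRIC), reverse=True)
    evidence = scored[:MAX_EVIDENCE_TOKENS]
    lo, hi = CLAMP
    log_spam = log_ham = 0.0
    for _, m in evidence:
        p = min(hi, max(lo, m / 100.0))
        log_spam += math.log(p)
        log_ham += math.log(1.0 - p)
    prob = 1.0 / (1.0 + math.exp(log_ham - log_spam))
    return {
        "metric": int(round(100 * prob)),
        "spam_tokens": [t for t, m in evidence if m > NEUTRAL_METRIC][:3],
        "notspam_tokens": [t for t, m in evidence if m < NEUTRAL_METRIC][:3],
    }


if __name__ == "__main__":
    print(analyze(SPAM_MESSAGE))
    print(analyze(LEGIT_MESSAGE))
    print(analyze(MORTGAGE_MESSAGE)["metric"], analyze(MORTGAGE_MESSAGE, NEUTRAL_WORDS)["metric"])
```

Running the mortgage message with and without the neutral-word list shows the effect the Neutral Words section describes: the same text drops from a high metric to exactly 50 once "refinance" and "mortgage" no longer count as evidence.<br />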
Configuring Token Analysis<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Token Analysis<br />
to configure its properties.<br />
When enabled, Token Analysis will always run in training mode and analyze all local mail. Local<br />
mail is assumed to be not spam and the frequency of the words found in this mail may therefore<br />
be used to modify the values supplied by St. Bernard’s master list. For example, a mortgage<br />
company may use the word "refinance" quite frequently in its regular mail. The likelihood of this<br />
word suggesting spam would therefore be reduced.<br />
Token Analysis trains on a message as spam if one of the following features (if enabled) classifies<br />
the message as spam:<br />
• PBMF spam<br />
• Bulk Analysis<br />
• DNS Block Lists<br />
• URL Block Lists<br />
• BSN Reputation<br />
Token Analysis can train messages from the following sources as legitimate mail:<br />
• PBMF "Train" action<br />
• Trusted Subnet<br />
Token Analysis Modes<br />
• Training Only — Token Analysis will analyze local mail but will NOT classify incoming mail.<br />
• Scanning and Training — Token Analysis will analyze local mail AND will classify<br />
incoming mail.<br />
Rebuild Database<br />
Click the Rebuild Database button to rebuild the Token Analysis database. The run-time<br />
engine is built and rebuilt at two hour intervals using several sources such as the supplied<br />
spam data, updated data from St. Bernard, trained spam from other Intercept features, and<br />
local training. Since the database is not built for the first time until two hours after installation,<br />
you can use this option to immediately rebuild the Token Analysis database.<br />
Delete Training<br />
Click the Delete Training button to remove all training material. You should delete all training<br />
material if your <strong>ePrism</strong> system has been misconfigured and starts to treat "trusted" mail as<br />
"untrusted" or vice versa.<br />
Token Analysis Advanced Options<br />
Click the Advanced button to reveal additional Token Analysis options. These options are for<br />
advanced configuration only, and it is highly recommended that the default values be used.<br />
Modifications to the default values may decrease Token Analysis accuracy and should be used<br />
with care.<br />
Neutral Words<br />
Neutral words are words that may or may not indicate spam. For example, a mortgage<br />
company may want to build a neutral word list that includes "refinance" or "mortgage" because<br />
these words show up quite frequently in spam mail. Adding them to the neutral word list<br />
reduces the likelihood of these words suggesting spam to a neutral value.<br />
• Default Neutral Words — Select the check box to enable the neutral words list. This list<br />
helps prevent pollution of the Token Analysis database. It is recommended that you leave<br />
this option enabled.<br />
• Uploaded Neutral Words — Enables the use of the uploaded neutral words list.<br />
Upload a file using the Upload Neutral Words button. The file must be in text format and<br />
contain a list of neutral words with one word per line. Uploading a new list will replace the<br />
previous neutral words list.<br />
The system will automatically rebuild the Token Analysis database during the upload of a neutral<br />
words list. This process may take some time to complete.<br />
Token Analysis and Languages<br />
The Token Analysis spam database is based on English language spam. As a result, it may not<br />
be initially responsive to spam created in other languages. The ability to learn means that it can<br />
readily adapt to other languages. Ensure that Bulk Analysis is enabled because all mail<br />
identified as "bulk" by Bulk Analysis will be used by Token Analysis to train as spam. Assuming<br />
that some of these bulk messages are in the local language, Token Analysis will build a<br />
database that reflects that language.<br />
Token Analysis will train on local legitimate mail from the moment the system is started. This will<br />
help properly characterize the local language use by building up a database of good words to<br />
help prevent mail messages from being classified as spam.<br />
To train <strong>ePrism</strong> with known local language spam mail, it is recommended that you set up rules<br />
to use the "Certainly Spam" action in Pattern Based Message Filters (PBMF). Messages<br />
specified as "spam" will be forwarded to Token Analysis and will increase its database of local<br />
language words.<br />
Japanese, Chinese, and Korean Language<br />
Token Analysis can alter the processing behavior for Japanese, Chinese, and Korean language<br />
messages to ensure they are not automatically classified as spam. These include the following<br />
character sets:<br />
• Japanese major character sets — ISO-2022-JP, EUC-JP, Shift-JIS<br />
• Chinese major character sets — GB2312, HZ-GB-2312, BIG5, GB7589, GB7590,<br />
GB8565.2-88, GB12052, GB/T12345, GB/T13131, GB/T13132, GB/T13000.1, ISO-2022-<br />
CN, ISO-2022-CN-EXT<br />
• Korean major character sets — KS C 5601 (KS C 5601-1987), EUC-KR, ISO-2022-KR<br />
For each character set, select how Token Analysis will process the message:<br />
• Default — All content is processed by Token Analysis. If you receive legitimate mail in these<br />
languages, this may result in false positives.<br />
• No Token Analysis Scan — Token Analysis scanning will be turned off for all messages<br />
containing Japanese, Chinese, and Korean language characters.<br />
• Lenient Token Analysis Scan — Token Analysis scanning will be turned off for only the<br />
parts of the message containing Japanese, Chinese, and Korean language characters. The<br />
rest of the message will be processed normally. If there are 20 or fewer tokens in the<br />
message of non-Japanese, Chinese, and Korean characters, the Token Analysis scan will<br />
be skipped for that message.<br />
Image Analysis<br />
An Image Spam email message typically consists of random text or no text body and contains<br />
an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the<br />
spam message. These types of spam messages are difficult to detect because the message<br />
contains no helpful text or URL characteristics that can be scanned and analyzed.<br />
The Image Spam Analysis feature performs advanced analysis of image attachments to help<br />
determine if the message is spam or legitimate mail. Similar to <strong>ePrism</strong>'s other Anti-Spam<br />
features that detect spam characteristics in the text of a message, the Image Analysis feature<br />
extracts certain characteristics of the attached image to determine if these characteristics are<br />
similar to those seen in actual spam messages.<br />
To enable Image Analysis:<br />
1. Ensure the Enable Token Analysis option is enabled using "Scanning and Training" mode.<br />
2. Select the Enable Image Analysis check box in the Options section.<br />
3. Click the Apply button.<br />
Allow at least 24 hours for the Token Analysis scanner to scan and train incoming mail and<br />
update its database to see an improvement in spam catch rates.<br />
To accelerate this process:<br />
1. Select Management ➝ <strong>Security</strong> Connection on the menu, and then click the Connect<br />
Now button to retrieve the latest Token Analysis database updates.<br />
2. Select Mail Delivery ➝ Anti-Spam ➝ Intercept ➝ Token Analysis on the menu, and<br />
then click the Rebuild Database button to perform a manual rebuild of the Token Analysis<br />
database. (The database is rebuilt automatically every two hours.)<br />
Diagnostics<br />
The diagnostics section allows administrators to configure diagnostic options for Token<br />
Analysis to help with troubleshooting.<br />
• Enable X-STA Headers — This setting inserts X-STA (Token Analysis) headers into all<br />
messages. These are not visible to the user (although they can be filtered in most mail<br />
clients), but can be used to gather information on why mail is processed in a particular way.<br />
The following headers will be inserted:<br />
• X-STA-Metric: The "score" assigned by Token Analysis, such as 95, which would<br />
indicate a spam message.<br />
• X-STA-NotSpam: Indicates the words with the highest non-spam value found in the<br />
message.<br />
• X-STA-Spam: Indicates the words with the highest spam value found in the message.<br />
• Enable Monitoring — Select the check box to enable the monitoring of messages received<br />
by the specified email address.<br />
• Monitor email for — Enter an email address that you would like to monitor.<br />
• Copy to — Copy messages and the Token Analysis diagnostic to this email address.<br />
Token Analysis Training<br />
The following sections allow you to define advanced parameters for Token Analysis training,<br />
such as legitimate and spam mail training settings.<br />
Legitimate Mail Settings<br />
The following settings are advanced options for the handling of legitimate mail:<br />
• Valid Training Sources — Select Trusted/Local Mail to train all local trusted network mail<br />
for Token Analysis, or select No Training.<br />
If "No Training" is selected, the Heuristic 1 Intercept Decision strategy, which de-emphasizes<br />
Token Analysis, should be used. This prevents the false positives that would occur with the Heuristic 2<br />
strategy.<br />
• Local Limit — Enter the maximum number of messages from local users that can be used<br />
for Token Analysis training. When the limit is reached, older training messages are deleted<br />
as new messages arrive. Default is 20000.<br />
• Local Threshold — Set the threshold for messages from local users to be used for training.<br />
If the Token Analysis classification for the message is greater than or equal to the specified<br />
number, the message will be used for training.<br />
• Source Weighting % — For Token Analysis to be useful and efficient, the training must be<br />
based on well selected data. The initial database supplied represents well selected data,<br />
and is therefore highly weighted, compared to uploaded legitimate mail or legitimate mail<br />
from the trusted network.<br />
• Default: Enter a percentage for the weight of the default Token Analysis database of valid<br />
mail.<br />
Intercept Components<br />
• Uploaded: Enter the weight of locally uploaded valid mail. Legitimate mail can be<br />
uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text<br />
Unix mbox format. A minimum of ten messages should be uploaded to be effective.<br />
• Trusted-net: Enter the weight of mail from trusted networks that are automatically trained<br />
as valid mail.<br />
When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for<br />
Uploaded, and 20% for Trusted-net. Significant changes to the source weighting may decrease Token<br />
Analysis accuracy.<br />
Spam Training<br />
Select which features (if enabled) will be used for spam training:<br />
• BSN Reputation — Train using mail marked as spam by BSN Reputation.<br />
• BSN DUL — Train using mail marked as spam by BSN DUL.<br />
• Bulk Analysis — Train using mail marked as spam by Bulk Analysis.<br />
• DNSBL — Train using mail marked as spam by DNSBL.<br />
• Domain Keys — Train using mail marked as spam by DomainKeys.<br />
• PBMF — Train using mail marked as spam by PBMF.<br />
• SPF — Train using mail marked as spam by SPF.<br />
• URL Block List — Train using mail marked as spam by URL Block List.<br />
Spam Settings<br />
The following settings are advanced options for the handling of spam mail:<br />
• Spam Limit — Enter the maximum number of spam messages used for training.<br />
• Spam Training Threshold — Set the threshold for spam messages to be used for training.<br />
If the Token Analysis classification for the message is less than or equal to the specified<br />
number, the message will be used for training.<br />
• Source Weighting — For Token Analysis to be useful and efficient, the training must be<br />
based on well selected data. The initial database represents well selected data and is<br />
therefore highly weighted, compared to uploaded spam mail or bulk mail from Bulk<br />
Analysis.<br />
• Default: Enter a percentage for the weight of the default Token Analysis database of<br />
spam mail.<br />
• Uploaded: Enter the weight of locally uploaded spam mail. Spam mail can be uploaded<br />
by clicking the Upload Spam Mail button. The mail must be in plain-text Unix mbox<br />
format. A minimum of ten messages should be uploaded to be effective.<br />
• Detected: Enter the weight of mail from Bulk Analysis, DNSBL, URL Block Lists, PBMF or BSN<br />
that is automatically trained as spam.<br />
When uploading mail, it is recommended to set the weighting to 60% for Default, 20% for Uploaded,<br />
and 20% for Detected. Significant changes to the source weighting may decrease Token Analysis<br />
accuracy.<br />
Dictionary Spam Count<br />
Recent changes to the way that spammers compose their messages can reduce the<br />
effectiveness of the Token Analysis filter. By introducing large numbers of normal words into<br />
their spam messages, they can hide their content because the normal words outweigh the spam<br />
words and result in a low spam count. <strong>ePrism</strong> counters this in two ways (note that more<br />
aggressive settings may result in more false positives):<br />
1. All words in the <strong>ePrism</strong> dictionary are now assigned a base level of how likely they are to be<br />
spam. In a normal message, this increased level will not result in a false positive, since the<br />
overall count is low. In a spam message, the result is different; the normal words will not<br />
counteract the spam content, and the message is correctly identified as spam.<br />
2. Training on local mail now works to reduce this base level closer to zero. This further<br />
reduces the likelihood of a false positive.<br />
The Dictionary Count is set to 1 by default. This should be sufficient for most situations. It<br />
is recommended that you only change the default value if the following conditions occur:<br />
• If there are too many false positives and this is not alleviated by training, set the Dictionary<br />
Count to 0, which disables this feature.<br />
• If too much spam is passing, the Dictionary Count can be increased. Try increasing the<br />
value to 10. If this results in too many false positives, reduce it to 5.<br />
This setting should only be considered for modification if other measures (training, threshold<br />
changes, uploading spam and/or legitimate mail) have been tried and have not provided the desired<br />
result.<br />
Troubleshooting Token Analysis<br />
Token Analysis is a very effective anti-spam tool and provides the mail administrator with a<br />
variety of options to finely tune this feature for their particular environment. With these advanced<br />
controls, there is a greater chance of creating a configuration that results in excessive false<br />
positives (legitimate mail marked as spam) or false negatives (spam not marked as spam).<br />
The following are some considerations when troubleshooting issues with Token Analysis:<br />
For excessive false positives:<br />
• Ensure that the system has gone through a cycle of training.<br />
• Ensure that any mailing lists that the organization sends out are trusted (via PBMF) as<br />
"accept".<br />
• Check for tokens that may be words used by the organization for their regular business. For<br />
example, a financing company would want the words "mortgage" or "refinance" to be<br />
allowed as legitimate tokens.<br />
• Lower the component weighting in the Intercept advanced settings.<br />
For excessive false negatives:<br />
• If Bulk Analysis is enabled, ensure that it is working properly and it is using Token Analysis<br />
for training.<br />
• Check that any mailing lists received by the users are trusted (via PBMF) as "Bypass" or<br />
"Accept".<br />
Sender Policy Framework (SPF)<br />
Sender Policy Framework is a sender authentication technology that makes it much harder for<br />
spammers to impersonate a legitimate email user or domain as the sender, which is a common first<br />
step in phishing attacks. Unsuspecting users may reply to these seemingly legitimate addresses with<br />
personal and confidential information.<br />
SPF authenticates the source of an email by querying the sending domain’s DNS records. The SPF<br />
protocol allows domain administrators to list, in a DNS TXT record, the mail servers that are<br />
permitted to send mail for their domain. The receiving host compares the IP address of the<br />
connecting client with the SPF record published for the domain of the envelope sender (the SMTP<br />
MAIL FROM address); if the client is listed, the mail is confirmed as originating from a legitimate<br />
mail server for that domain, and mail from unlisted hosts can be treated as forged. Note that SPF<br />
checks the envelope sender, not the From: header displayed to the user, so on its own it does not<br />
stop a forged From: header.<br />
<strong>ePrism</strong>’s SPF actions only apply to incoming mail messages that have failed an SPF check (the<br />
email message does not match the corresponding published SPF record.) If a specific mail<br />
server does not have an existing SPF record then the message is processed normally. It is<br />
possible, however, that administrators may misconfigure their DNS SPF records resulting in<br />
false positives and legitimate hosts being blocked from sending you mail.<br />
The weight assigned to SPF in the Intercept advanced settings will be the score used by<br />
Intercept processing if the message fails an SPF check.<br />
SPF is an emerging anti-fraud and anti-phishing technology that is designed primarily as a<br />
mechanism to prevent forged emails rather than an anti-spam measure. It is dependent on<br />
network administrators publishing their legitimate email servers in their DNS records and<br />
ensuring these records are properly configured. St. Bernard encourages customers that use<br />
SPF in their DNS infrastructure to review their own SPF records to ensure they are accurate.<br />
SPF Records<br />
The SPF protocol allows you to describe your email servers in an SPF TXT record published at<br />
your domain name in DNS. A typical SPF DNS record is as follows:<br />
example.com IN TXT "v=spf1 mx -all"<br />
Administrators add this data as a TXT record for their domain (example.com). The first part<br />
is the name part of the record, such as "example.com", and the text in quotes is entered as<br />
your TXT record data.<br />
• "v=spf1" identifies the TXT record as an SPF string (version 1).<br />
• "mx" specifies that mail can come only from the hosts listed in your MX records.<br />
• "-all" specifies that no other servers are permitted to send from the specified domain; the<br />
leading "-" makes this a hard fail. ("~all" would instead be a soft fail, which is useful while<br />
testing a new record.)<br />
You can set TXT records for both domains and individual hosts. For more information on SPF<br />
and defining TXT records, see: http://spf.pobox.com/.<br />
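The following is an added example, not part of the ePrism guide or product, of how a receiver evaluates a record like the one above: a small Python SPF checker that resolves the mx, a, ip4, include and all mechanisms with their +, -, ~ and ? qualifiers against a constructed DNS table (the domain names, hosts and addresses are made up for the example). It shows the three outcomes the text distinguishes: a failed check, a domain with no record (processed normally) and a malformed record, which yields a permanent error rather than a fail. Macros, redirect=, exists, CIDR suffixes on a/mx and the DNS lookup limit are omitted.<br />

```python
"""Minimal SPF (v=spf1) evaluator run against a constructed DNS table."""
import ipaddress

# Constructed DNS answers standing in for live lookups (not real hosts).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.10"],
    ("mx2.example.com", "A"): ["198.51.100.11"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/28 ~all"],
    ("softfail.example", "TXT"): ["v=spf1 a ~all"],
    ("softfail.example", "A"): ["198.51.100.50"],
    ("broken.example", "TXT"): ["v=spf1 ip4:not-an-address -all"],
    # nospf.example publishes no TXT record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 record, None if absent; ValueError if several."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not recs:
        return None
    if len(recs) > 1:
        raise ValueError("multiple SPF records for " + domain)
    return recs[0]


def check_host(ip, domain, depth=0):
    """SPF check of client address `ip` for the MAIL FROM domain `domain`.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    if depth > 10:                       # runaway include chain
        return "permerror"
    try:
        record = spf_record(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"                    # no record: the mail is processed normally
    client = ipaddress.ip_address(ip)
    try:
        for term in record.split()[1:]:
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech == "ip4":
                matched = client in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = any(ipaddress.ip_address(a) == client
                              for a in lookup(arg or domain, "A"))
            elif mech == "mx":
                matched = any(ipaddress.ip_address(a) == client
                              for mx in lookup(arg or domain, "MX")
                              for a in lookup(mx, "A"))
            elif mech == "include":
                sub = check_host(ip, arg, depth + 1)
                if sub in ("none", "permerror"):
                    return "permerror"   # included domain has no usable record
                matched = sub == "pass"
            else:
                return "permerror"       # unsupported or unknown mechanism
            if matched:
                return QUALIFIERS[qualifier]
    except ValueError:                   # e.g. an unparsable ip4: argument
        return "permerror"
    return "neutral"                     # record exhausted without a match


def intercept_spf_score(result, weight=50):
    """Only a failed check contributes the configured SPF weight to Intercept."""
    return weight if result == "fail" else 0


if __name__ == "__main__":
    for ip, dom in [("198.51.100.10", "example.com"), ("203.0.113.99", "example.com"),
                    ("192.0.2.1", "nospf.example"), ("192.0.2.1", "broken.example")]:
        print(dom, ip, check_host(ip, dom), intercept_spf_score(check_host(ip, dom)))
```

A record that only soft-fails (~all), or one that the checker cannot parse, contributes nothing to the Intercept score in this model, which mirrors the guide's statement that the SPF weight applies only to messages that fail the check.<br />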
Configuring SPF<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select SPF on the menu to configure<br />
Sender Policy Framework settings.<br />
• Enable SPF — Select the check box to enable SPF verification.<br />
• Strip incoming SPF headers — This option removes any "Received-SPF" header from<br />
incoming messages. Spammers may attach their own forged SPF headers to create the<br />
impression that the email is from a legitimate source.<br />
• Add outgoing SPF header — This option adds an SPF header to the outgoing message.<br />
DomainKeys<br />
DomainKeys is another sender authentication technology used to prevent spammers from<br />
spoofing mail headers and launching phishing attacks. The DomainKeys protocol allows the<br />
administrators of a sending domain to add a digital signature to their outgoing messages; the<br />
receiving host validates that signature using a public key published in the sending domain’s<br />
DNS records.<br />
The domain owner generates a public and private key pair. The public key is published in their<br />
DNS records and the private key is used to sign outbound messages. By verifying the signature in<br />
the message headers with the public key, the receiving host can confirm that the message was<br />
signed by a holder of the domain’s private key (normally the domain’s legitimate mail server) and<br />
that the signed headers and body were not altered in transit. This makes it very difficult for<br />
spammers to forge mail from that domain. <strong>ePrism</strong> also supports the signing of outgoing<br />
messages with DomainKeys using the Policy engine.<br />
<strong>ePrism</strong>’s DomainKeys actions only apply to incoming mail messages that have failed a<br />
DomainKeys check (for example, the signature does not verify against the public key published<br />
in the sending domain’s DomainKeys record.) If the sending domain has no DomainKeys record at all,<br />
then the message is processed normally. It is possible, however, that administrators may<br />
misconfigure their DNS DomainKeys records, resulting in false positives and legitimate hosts<br />
being blocked from sending you mail. The weight assigned to DomainKeys in the Intercept<br />
advanced settings will be the score used by Intercept processing if the message fails a<br />
DomainKeys check.<br />
Configuring DomainKeys<br />
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select DomainKeys<br />
Authentication to configure DomainKeys settings.<br />
• Enable DomainKeys Authentication — Select the check box to enable DomainKeys<br />
authentication.<br />
• Strip incoming DK headers — Removes Authentication-Results: headers attached to<br />
incoming messages. This option protects against spammers who add a forged<br />
DomainKeys header to the message.<br />
• Add Authentication Header — Adds an Authentication-Results: header to incoming<br />
messages after they have been processed and verified by DomainKeys.<br />
• Temporary DNS Error — Consider the message as spam in the event a DNS error<br />
prevents a DomainKeys lookup for a sender’s key.<br />
The message will be considered spam if any of the following checks are true:<br />
• No Signature When Required — Consider the message as spam when there is no<br />
signature, even if the sender says they sign all messages.<br />
• No Signature When Not Required — Consider the message as spam when there is no<br />
signature and the sender says they may not sign all messages.<br />
• Invalid Signature — Consider the message as spam when the signature is invalid.<br />
• Key Revoked — Consider the message as spam when the key used to sign the message is<br />
no longer valid.<br />
• Invalid Message Syntax — Consider the message as spam when the signature cannot be<br />
checked because the message has invalid syntax.<br />
• No Key — Consider the message as spam when the sending domain did not provide a key<br />
for the selector specified in the message.<br />
• Bad Key — Consider the message as spam when the sending domain provides an<br />
unusable key.<br />
Sender Testing DomainKeys<br />
These checks can also be performed for messages from senders who are testing their<br />
DomainKeys implementation by inserting a test flag into their DomainKeys DNS records. It is<br />
recommended that you use the default settings which permit more lenient checks to be<br />
performed against these test messages.<br />
DomainKeys Log Messages<br />
The response codes for DomainKeys processing will appear in the Mail Transport logs as<br />
follows:<br />
0 - Pass<br />
1 - Neutral<br />
2 - Fail<br />
3 - Soft Fail<br />
4 - Temporary Error<br />
5 - Permanent Error<br />
The logs will also indicate which DomainKeys check caused the error:<br />
DomainKeys: from=user@example.com, result=permerror(bad key)<br />
DomainKeys Outbound Message Signing<br />
To enable signing of outgoing messages, the domain owner generates a public/private key<br />
pair. <strong>ePrism</strong> uses the private key to digitally sign each outgoing message and prepends the<br />
signature to the message as a DomainKey-Signature: header. The public key is then published in<br />
the domain’s DNS records. The receiving system can authenticate the message by querying the<br />
domain owner’s DNS records for the public key.<br />
<strong>ePrism</strong> supports the signing of outgoing messages with DomainKeys using the Policy engine.<br />
This allows administrators to allow signing for only certain domains which have been<br />
configured in DNS for use with DomainKeys.<br />
Select Mail Delivery ➝ DomainKeys Signing to configure global settings.<br />
When enabled, the use of DomainKeys message signing must be configured via Policies.<br />
Select Mail Delivery ➝ Policy ➝ Policy Definition to edit an existing policy or to add a new<br />
policy. The DomainKeys signing section appears at the bottom of the policy screen.<br />
• Enable — Select the check box to enable or disable signing of outbound messages in this<br />
policy.<br />
• Remove duplicate headers — Select the check box to remove duplicate headers, such as<br />
Subject: and To: fields, from the signature calculation. Any headers listed with the "h=" tag<br />
in the DomainKey-Signature: header will be checked for duplicates and the duplicate copies<br />
will be removed from the message headers. This option should only be enabled if you are<br />
experiencing rejected messages due to duplicate headers.<br />
• Canonicalization — This option specifies how white space characters are treated during<br />
signing. The default is "No Folding White Space" which ignores these characters during<br />
signing. This option is more lenient so that messages reformatted in transit, such as spaces<br />
or lines inserted into or removed from the message by intermediate systems between the<br />
signer and the receiver, are still valid. Selecting "Simple" keeps the signed message intact<br />
to include white space characters so that any lines that are reformatted in transit will fail<br />
validation.<br />
• List Headers — When signing, place a list of the headers included in the signature into the<br />
DomainKey-Signature: header (the "h=" tag). It is recommended that this option be enabled.<br />
When enabled, only the headers listed will be used in verifying the signature. If this option is<br />
disabled, all headers following the signature will be used in verifying the signature, so any<br />
headers added by intermediary systems after the message is signed will cause the signature to<br />
be invalid. Disabling the option increases security, but can create a large number of "invalid"<br />
signatures because of headers added by intermediary systems.<br />
• Selector Name — Set the Selector to use for DomainKeys signing.<br />
• Selector List — Click the Edit button to edit the DomainKeys Selector list.<br />
Selector List<br />
A DomainKeys selector is a tag that names the DNS record others use to look up the public key<br />
that verifies your DomainKeys signature. This tag can be comprised of any characters, such as<br />
upper and lower case letters, digits, dashes, underscores, and so on. Each selector has an<br />
associated public and private key that can be generated by <strong>ePrism</strong> or via external methods.<br />
The selector’s public key is stored in a DNS TXT record named with the selector, "_domainkey"<br />
and your domain, in the form:<br />
selector._domainkey.example.com<br />
Click the Add Selector button to add a new Selector to the list.<br />
• Name — Enter a descriptive name for this selector.<br />
• Selector — Enter the tag name for this selector.<br />
• Private and Public Key — Displays the Private and Public Keys. These can be generated<br />
automatically by choosing a key size and clicking the Generate Key Pair button.<br />
Alternately, these keys can be generated externally and pasted into the respective text<br />
boxes.<br />
• Key Size — Select the key size for the generated key pair. Larger keys result in a more<br />
secure implementation because they decrease the probability of the key being compromised.<br />
Select a minimum of 1024 bits; 2048-bit keys are now the usual recommendation, provided<br />
your DNS server can publish the longer TXT record.<br />
• Generate Key Pair — Click the button to allow <strong>ePrism</strong> to generate a private/public key pair.<br />
The resulting keys will be displayed in the respective information boxes above.<br />
• Granularity — The selector record can also ensure that only a specific sender (a person or<br />
entity) is allowed to use that particular selector. This is indicated by entering the portion of<br />
the sender's email address that appears to the left of the "@" symbol. For example,<br />
"techsupport" ensures that only messages from "techsupport@example.com"<br />
are allowed to use the configured selector.<br />
• Testing — Select the check box to indicate that this DomainKeys DNS record is being used<br />
for testing only. This allows the administrator to perform testing on the validity of their<br />
DomainKeys configuration. Receivers will generally be more lenient with verification errors<br />
if the sender is in testing mode.<br />
• Notes — An additional area for comments by the administrator. For example, an<br />
administrator might list reasons why a particular selector was revoked.<br />
DomainKeys DNS Record<br />
When the private/public key pair have been created, <strong>ePrism</strong> automatically generates a TXT<br />
record that can be used with your DNS server for DomainKeys signing. This record contains a<br />
copy of your public key that receiving sites will use to authenticate the digital signature in your<br />
outgoing messages.<br />
A domain using DomainKeys (such as "example.com") will have a new subdomain in their<br />
DNS configured as "_domainkey" prefixed to the domain, such as<br />
"_domainkey.example.com".<br />
A typical DomainKeys DNS record is as follows:<br />
_domainkey.example.com IN TXT "t=y; o=-; n=notes;<br />
r=test@example.com"<br />
Administrators will add this data as a TXT record to their DomainKeys domain<br />
(_domainkey.example.com). The first part is the name part of the record, and the text in<br />
quotes is entered as your TXT record data.The TXT data contains information on the<br />
DomainKeys policy, such as the following:<br />
• "o=-" means all emails from this domain are signed<br />
• "o=~" means some emails from this domain are signed<br />
• "t" means Test<br />
• "r" to enter the responsible email address<br />
• "n" to enter free form notes on the record<br />
Public key records are identified by a specific Selector (which allow a domain to have more than<br />
one public key in DNS) and stored in separate TXT records for that DomainKeys domain name.<br />
For example, the previously defined "_domainkey.example.com" domain will contain name<br />
entries for each selector, such as:<br />
selector1<br />
The corresponding TXT data consists of various options and the public key to be used, such as:<br />
g=; k=rsa; t=y; p=MEwwPQRJKoZ…<br />
The value after "p=" is the public key. There are also other fields available for granularity (g),<br />
test (t), and notes (n).<br />
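As an added example (not code from the ePrism guide or product), the Python below parses the two kinds of DomainKeys TXT record described here and applies the record-level checks listed under Configuring DomainKeys: a missing signature judged against the domain's o= policy, no key, bad key, key revoked (an empty p= value), the g= granularity restriction, and the leniency granted to a sender in test mode (t=y). It formats its verdict in the Mail Transport log style shown above and applies the Intercept weight only to a failed check. The DNS answers, selectors and the BASE64PUBLICKEY placeholder are constructed for the example; the cryptographic verification of the b= signature value against p= is not performed, so a "pass" here only means the key record is usable.<br />

```python
"""DomainKeys record parsing and record-level policy checks (added example)."""

RESULT_NAMES = {0: "pass", 1: "neutral", 2: "fail", 3: "softfail",
                4: "temperror", 5: "permerror"}

# Constructed DNS TXT answers; a real verifier queries DNS for these names.
DNS_TXT = {
    "_domainkey.example.com": "t=y; o=-; n=notes; r=test@example.com",
    "selector1._domainkey.example.com": "g=; k=rsa; t=y; p=BASE64PUBLICKEY",
    "_domainkey.optional.example": "o=~",
    "sales._domainkey.optional.example": "g=sales; k=rsa; p=BASE64PUBLICKEY",
    "old._domainkey.optional.example": "k=rsa; p=",                 # empty p=: key revoked
    "odd._domainkey.optional.example": "k=dsa; p=BASE64PUBLICKEY",  # unusable key type
}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; ValueError on a part without '='."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def selector_name(selector, domain):
    """DNS name of the TXT record holding a selector's public key."""
    return "%s._domainkey.%s" % (selector, domain)


def _key_check(sig_tags, local, domain):
    """Checks on the selector record named by the signature; returns (code, reason, key)."""
    selector = sig_tags.get("s")
    if not selector:
        return 5, "invalid message syntax", None
    key_txt = DNS_TXT.get(selector_name(selector, sig_tags.get("d", domain)))
    if key_txt is None:
        return 5, "no key", None
    try:
        key = parse_tags(key_txt)
    except ValueError:
        return 5, "bad key", None
    if key.get("k", "rsa") != "rsa":
        return 5, "bad key", key
    if not key.get("p"):
        return 2, "key revoked", key
    if key.get("g") and key["g"] != local:     # g= restricts the selector to one local part
        return 2, "granularity mismatch", key
    return 0, "key usable (b= not verified here)", key


def check(headers, sender, lenient_testing=True):
    """Return (code, reason) for a message's record-level DomainKeys checks."""
    local, _, domain = sender.partition("@")
    policy_txt = DNS_TXT.get("_domainkey." + domain)
    policy = parse_tags(policy_txt) if policy_txt else {}
    key = None
    sig = headers.get("DomainKey-Signature")
    if sig is None:
        if policy.get("o") == "-":
            code, reason = 2, "no signature when required"
        elif policy.get("o") == "~":
            code, reason = 1, "no signature when not required"
        else:
            code, reason = 1, "no signature and no policy"
    else:
        try:
            code, reason, key = _key_check(parse_tags(sig), local, domain)
        except ValueError:
            code, reason = 5, "invalid message syntax"
    # A sender in test mode (t=y on the policy or the key) gets lenient treatment.
    testing = policy.get("t") == "y" or (key or {}).get("t") == "y"
    if lenient_testing and testing and code in (2, 5):
        return 1, reason + " (sender testing)"
    return code, reason


def log_line(sender, code, reason):
    """Format the verdict the way the Mail Transport log shows it."""
    return "DomainKeys: from=%s, result=%s(%s)" % (sender, RESULT_NAMES[code], reason)


def intercept_score(code, weight=90):
    """Only a failed check contributes the configured DomainKeys weight."""
    return weight if code in (2, 5) else 0
```

Running check({}, "user@example.com") returns a neutral result because example.com's policy carries t=y; the same call with lenient_testing=False returns a fail, which is the behaviour the "No Signature When Required" setting produces once the sender leaves test mode.<br />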
Intercept Advanced Features<br />
Click the Advanced button to reveal advanced Intercept Anti-Spam features that can be<br />
enabled and configured by the administrator.<br />
Advanced Intercept Components<br />
The following additional Intercept Components appear when the Advanced button is selected.<br />
• Reject on unknown sender domain — Rejects mail when the domain part of the sender’s mail<br />
address has neither an A nor an MX record in DNS. This option applies to "untrusted" mail only.<br />
• Reject on missing sender MX — Rejects mail when the domain part of the sender’s mail<br />
address has no DNS MX record.<br />
• Reject on non FQDN sender — Rejects mail when the client MAIL FROM command is not<br />
in the form of an FQDN (Fully Qualified Domain Name) such as "mail.example.com".<br />
This option applies to "untrusted" mail only.<br />
• Reject on unauth pipelining — Rejects mail when SMTP commands are sent ahead of<br />
the message even though the SMTP server supports pipelining. This option blocks mail<br />
from bulk mail software that uses SMTP command pipelining improperly to speed up<br />
deliveries.<br />
• Reject on missing addresses — Rejects mail when no recipient (To:) or sender (From:) is<br />
specified in the message headers. This check looks at the To: and From: message headers,<br />
not at the corresponding envelope addresses (RCPT TO and MAIL FROM).<br />
• Reject on missing reverse DNS — Reject mail from a host when the host IP address has<br />
no PTR (address to name) record in the DNS, or when the PTR record does not have a<br />
matching A (name to address) record.<br />
Many servers on the Internet do not have valid Reverse DNS records. Setting this option may<br />
result in rejecting mail from legitimate sources. It is recommended that you do not enable this<br />
option.<br />
These options are similar to those available in Mail Anomalies, but these options will reject if a<br />
single match is found, while Mail Anomalies provides a score if a cross-section of four or more<br />
matches are found.<br />
Intercept Decision Strategy<br />
The Intercept Decision Strategy allows administrators to alter the way in which Intercept<br />
processes messages for spam.<br />
• Highest Score — The Highest Score method will use the maximum score derived from all<br />
the scans that were processed. For example, if Bulk Analysis, Mail Anomalies, and DNS<br />
Block List are enabled, and DNS Block List results in the highest contributing score for all<br />
the scans, then that score will be used.<br />
To achieve similar results to the Anti-Spam behaviour of previous versions of <strong>ePrism</strong>, set the<br />
decision strategy to Highest Score and set all component weights to 100.<br />
• Sum of Weights — The message is initially classified by taking the maximum score of the<br />
Token Analysis check. The weight of any other enabled components with a spam score is<br />
then added.<br />
The component weights should be adjusted to be lower than their default settings when using the<br />
Sum of Weights decision strategy.<br />
• Heuristic 1 — Components are divided into objective and subjective categories. Objective<br />
components are DNS Block List, URL Block List, Mail Anomalies, BSN Dial-up, Bulk<br />
Analysis, SPF, and DomainKeys. Subjective components are Spam Dictionaries, Token<br />
Analysis, and BSN reputation. The message is classified initially by combining the<br />
subjective scores and the classification is then adjusted by combining the objective scores.<br />
A baseline is established with a subjective filter. If Token Analysis scores a message at 60,<br />
a baseline of "Maybe Spam" is established. One additional objective filter that triggers will<br />
categorize the message as "Probably Spam". Two objective filters will increase the level to<br />
"Certainly Spam".<br />
• Heuristic 2 — This strategy is similar to the Heuristic 1 strategy except that the subjective<br />
component scores are weighted more heavily in the final decision than in Heuristic 1.<br />
• Statistical — Scans are processed independently and the resulting score represents the<br />
probability that a message is spam based on statistical computation of the results.<br />
• Bayesian — Scans are processed independently and the resulting score represents the<br />
probability that a message is spam based on Bayesian computation of the results.<br />
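The following is an added example, not ePrism code, that implements the Highest Score, Sum of Weights and Heuristic 1 strategies as described above over a constructed set of component results. Each component reports a 0-100 result (binary components such as DNS Block List report 100 when triggered; Token Analysis and BSN Reputation report their own score), which is scaled by its configured weight, except BSN Reputation, which the guide says carries no configurable weight. The weights, the baseline thresholds for "Maybe", "Probably" and "Certainly Spam", and the treatment of a message whose subjective baseline is below "Maybe Spam" in Heuristic 1 are assumptions the guide does not spell out.<br />

```python
"""Intercept decision strategies over constructed component results (added example)."""

OBJECTIVE = {"DNS Block List", "URL Block List", "Mail Anomalies", "BSN Dial-up",
             "Bulk Analysis", "SPF", "DomainKeys"}
SUBJECTIVE = {"Spam Dictionaries", "Token Analysis", "BSN Reputation"}
UNWEIGHTED = {"BSN Reputation"}   # contributes its own 0-100 score, no configurable weight

# Assumed weights, chosen within the ranges this section suggests.
WEIGHTS = {"Spam Dictionaries": 70, "Mail Anomalies": 60, "DNS Block List": 80,
           "BSN Dial-up": 70, "Bulk Analysis": 75, "Token Analysis": 100,
           "SPF": 50, "DomainKeys": 90, "URL Block List": 70}

# Constructed results for one message: 0-100 per component that ran.
SAMPLE = {"Token Analysis": 60, "DNS Block List": 100, "Bulk Analysis": 100, "SPF": 0}


def contribution(component, raw, weights):
    """Score a component contributes: its raw 0-100 result scaled by its weight."""
    if component in UNWEIGHTED:
        return raw
    return raw * weights.get(component, 0) / 100


def highest_score(results, weights=WEIGHTS):
    """Take the single largest weighted contribution."""
    return max((contribution(c, r, weights) for c, r in results.items()), default=0)


def sum_of_weights(results, weights=WEIGHTS):
    """Start from Token Analysis, add every other triggered component, cap at 100."""
    total = contribution("Token Analysis", results.get("Token Analysis", 0), weights)
    for component, raw in results.items():
        if component != "Token Analysis" and raw > 0:
            total += contribution(component, raw, weights)
    return min(total, 100)


LEVELS = ["Not Spam", "Maybe Spam", "Probably Spam", "Certainly Spam"]


def heuristic1(results, weights=WEIGHTS):
    """Subjective components set a baseline level; each triggered objective
    component raises it one step. The baseline thresholds are assumed."""
    baseline = max((contribution(c, r, weights) for c, r in results.items()
                    if c in SUBJECTIVE), default=0)
    level = 3 if baseline >= 90 else 2 if baseline >= 70 else 1 if baseline >= 50 else 0
    triggered = sum(1 for c, r in results.items() if c in OBJECTIVE and r > 0)
    return LEVELS[min(level + triggered, 3)]


def legacy_highest(results):
    """Previous-version behaviour: Highest Score with every weight set to 100."""
    return highest_score(results, {c: 100 for c in WEIGHTS})


if __name__ == "__main__":
    print("highest", highest_score(SAMPLE))
    print("sum", sum_of_weights(SAMPLE))
    print("heuristic1", heuristic1(SAMPLE))
```

With the sample results, Highest Score returns 80 (the DNS Block List weight), Sum of Weights saturates at 100, and Heuristic 1 starts from a "Maybe Spam" baseline (Token Analysis at 60) and is raised to "Certainly Spam" by the two triggered objective components. The same Sum of Weights saturation is why the guide advises lowering the component weights under that strategy.<br />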
Intercept Component Weights<br />
Administrators can customize the Intercept engine by configuring the weights for each Intercept<br />
component that will help determine the final spam score for a message. These values<br />
represent the scores that will be used if that component is triggered.<br />
For example, if a mail message triggers a DNS Block List, the spam score contribution for that<br />
message will be the defined weight, such as 80. If the message also triggers a classification by<br />
Bulk Analysis, the Bulk Analysis weight, such as 75, will be added also.<br />
The final result of these scores will be decided by your selected Decision Strategy, such as<br />
Highest Score or Sum of Weights. Valid weights for each component are from 0 to 100. Set the<br />
weight to "0" if you want that feature to have no bearing on the final spam score of a message.<br />
Set this value to "100" if you want this component to have a strong weight on the final spam<br />
score of a message.<br />
The default weights are recommended by St. Bernard, and any modifications to these<br />
percentages should be performed with careful consideration.<br />
• Spam Dictionaries — A value of 0 means that this indicator is a completely unreliable<br />
indicator of spam. A value of 100 means that this indicator is a completely reliable indicator<br />
of spam. A list of accurate spam words should be configured with a weight close to 100.<br />
More general word lists should be configured with lower weights.<br />
• Mail Anomalies — This value is used when a message fails four or more anomaly checks.<br />
A value of 0 means that this indicator is a completely unreliable indicator of spam. A value<br />
of 100 means that this indicator is a completely reliable indicator of spam.<br />
• DNS Block List — A value of 0 means that this indicator is a completely unreliable<br />
indicator of spam. A value of 100 means that this indicator is a completely reliable indicator<br />
of spam. The DNS Block List should generally have a weight between 60 and 80. The<br />
weight assigned will be higher if the sender is matched on more than one DNS Block List.<br />
• BorderWare <strong>Security</strong> Network Reputation — BSN contributes its own unique score<br />
between 0 and 100 and cannot be assigned a configurable weight.<br />
• BorderWare <strong>Security</strong> Network Dial-up — A value of 0 means that this indicator is a<br />
completely unreliable indicator of spam. A value of 100 means that this indicator is a<br />
completely reliable indicator of spam. BorderWare <strong>Security</strong> Network Dial-up should<br />
generally have a weight between 60 and 80.<br />
• Bulk Analysis — A value of 0 means that this indicator is a completely unreliable indicator<br />
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.<br />
Bulk Analysis should generally have a weight between 70 and 80.<br />
• Token Analysis — A value of 0 means that this indicator is a completely unreliable indicator<br />
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.<br />
The default value is 100, however, the weight should be lowered if false positives are<br />
occurring.<br />
• SPF — A value of 0 means that this indicator is a completely unreliable indicator of spam. A<br />
value of 100 means that this indicator is a completely reliable indicator of spam. SPF should<br />
generally have a weight of 50.<br />
• DomainKeys Authentication — A value of 0 means that this indicator is a completely<br />
unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable<br />
indicator of spam. DomainKeys should generally have a weight of 90.<br />
• URL Block List — A value of 0 means that this indicator is a completely unreliable indicator<br />
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.<br />
The URL Block List should generally have a weight between 60 and 80. The weight<br />
assigned will be higher if the sender is matched on more than one URL Block List.<br />
Click the Reset button to return the weights to the default values.<br />
Trusted and Blocked Senders<br />
<strong>ePrism</strong> allows end users to configure their own Trusted and Blocked Senders Lists.<br />
Trusted Senders List<br />
The Trusted Senders List allows users to create their own lists of senders who they want to<br />
receive mail from, to prevent those senders from being blocked by <strong>ePrism</strong>’s spam filters. <strong>User</strong>s can<br />
utilize the WebMail/<strong>ePrism</strong> Mail Client interface to create their own Trusted Senders List based<br />
on a sender’s email address. Trusted Senders can also be added directly via the Spam<br />
Quarantine summary email.<br />
If the message is rejected for reasons other than spam, such as viruses or attachment controls, the<br />
Trusted Senders List will have no effect.<br />
The Trusted Senders List overrides the following anti-spam actions:<br />
• Modify Subject Header<br />
• Add Header<br />
• Redirect<br />
The following rules also apply for the Trusted Senders List:<br />
• A Reject or Discard action will reject or drop the message regardless of the settings in the<br />
Trusted Senders List.<br />
• If the action is set to Just Log or BCC, the trusted message will pass through, but will still be<br />
logged or BCC’d by <strong>ePrism</strong>.<br />
• PBMF spam actions set to Medium or High priority cannot be trusted, allowing<br />
administrators to ensure that a strong security policy is enforced.<br />
• The Trusted Senders List cannot trust items rejected by the administrator during the SMTP<br />
connection such as BSN and DNSBL checks.<br />
Blocked Senders List<br />
The Blocked Senders List allows end users to specify a list of addresses from which they do not<br />
want to receive mail. These senders will be blocked from sending mail to that specific user via<br />
<strong>ePrism</strong>. If a sender is on the Blocked Senders List, the message can either be rejected with<br />
notification or discarded by <strong>ePrism</strong>.<br />
The Trusted Senders List is processed before the Blocked Senders List. If a Blocked Sender also<br />
appears in the Trusted Senders List, the email will be delivered.<br />
In the event there are multiple recipients for a message and only specific recipients have<br />
blocked the sender, the message will be delivered for those recipients that did not block the<br />
sender and the message will be rejected for those who have blocked the sender.<br />
Local <strong>ePrism</strong> users can log in and create their own list of Blocked Senders. <strong>User</strong>s do not need<br />
a local account on the system as logins can be authenticated via LDAP to an authentication<br />
server and the user's Trusted/Blocked Senders List is saved locally on <strong>ePrism</strong>.<br />
Intercept Anti-Spam
Enabling Trusted and Blocked Senders
The Trusted and Blocked Senders List must be enabled globally by the administrator to allow users to configure their own lists.
Enable the Trusted and Blocked Senders List globally as follows:
1. Select Mail Delivery ➝ Anti-Spam ➝ Trusted/Blocked Senders.
2. Select the Permit Trusted or Permit Blocked Senders lists check box to enable these features.
3. Enter the maximum number of list entries for each user. The default is "100". Valid values are from "1" to "1000000".
4. For Blocked Senders, select the action to perform when a sender on the Blocked Senders List attempts to send mail via ePrism.
• Reject — The message will be rejected with notification to the sender.
• Discard — The message will be discarded without notification to the sender.
5. Enter the internal mail server host domain. This is the domain part of the email address appended to local user names, such as "example.com".
Configuring WebMail Access
WebMail access must be enabled on a network interface in Basic Config ➝ Network to allow users to log in to ePrism via ePrism Mail Client/WebMail to manage their Trusted/Blocked Senders List.
In User Accounts ➝ Secure WebMail, you must also enable the Trusted/Blocked Senders controls for the end user when they log in to the ePrism Mail Client/WebMail interface.
Imported Trusted/Blocked Senders List
Trusted/Blocked Senders Lists can be manually or automatically updated from a global list located on an external web server. The list update can be scheduled to occur at regular intervals. The list can be updated immediately by clicking the Update imported list now button.
It is recommended that organizations use either the personal Trusted/Blocked Senders List or the imported list, and not both at the same time.
To configure the Imported Trusted/Blocked Senders List:
1. Select the Enable imported list check box.
2. Enter the List source URL where the Trusted/Blocked Senders List can be retrieved from, such as:
http://listserver.example.com/bwlist.csv
HTTPS is also supported for the List source URL.
3. Select the Automatic update check box to enable scheduled updates, and select the days and time to retrieve the list.
4. To perform a manual update, click the Update imported list now button.
For ePrism systems configured in a cluster, each cluster member must be configured to import this list independently.
Import List File
The Trusted/Blocked Senders List file must be in CSV format and contain comma or tab separated entries in the form:
[recipient],[sender],[block or trust]
For example:
user@example.com,spam@example1.com,block
user@example.com,hacker@example1.com,block
user@example.com,friend@example1.com,trust
user@example.com,friend2@example1.com,trust
The file (bwlist.csv) should be created in CSV file format using Excel, Notepad or another Windows text editor. It is recommended that you download the file first by clicking the Download File button, editing it as required, and uploading it using the Upload File button.
Adding Trusted/Blocked Senders
To create their own Trusted/Blocked Senders List, the end user can log in to their ePrism Mail Client/WebMail account, and select Trusted Senders or Blocked Senders from the menu.
Users do not need a local account on the system. Logins can be authenticated via RADIUS or LDAP to an authentication server such as Active Directory. The user’s Trusted Senders List is saved locally on the system. See “Remote Accounts and Directory Authentication” on page 202 for more detailed information on setting up user authentication.
The Trusted and Blocked Senders Lists are based on a sender’s email address. Enter an email address and click the Add button. Trusted Senders can also be added directly via the Spam Quarantine summary email.
Spam Quarantine
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user or to a single user. This allows users to view and manage their own quarantined spam by giving them the ability to view the message, release it to their inbox, or delete it.
Spam Quarantine summary notifications can be sent to users notifying them of existing mail in their quarantine. The email notification itself can contain links to take action on messages without having to log in to the quarantine.
To quarantine mail, the administrator must set the action for an Intercept spam level, such as "Certainly Spam", to Redirect To, and set the action data to the FQDN (Fully Qualified Domain Name) of the ePrism system (to host the quarantine on the current system) or another ePrism running the spam quarantine feature.
The Spam Quarantine must be enabled on the destination system if you choose to quarantine mail on a separate ePrism.
Local Spam Quarantine Account
To access quarantined mail, a local account must exist for each user. This account can be created locally, or you can use the LDAP Mirrored Users feature to import user accounts from an LDAP compatible directory (such as Active Directory) and mirror them on the local system. See “Directory Users and Groups” on page 63 for more information on importing and mirroring LDAP user accounts.
Configuring the Spam Quarantine
Select Mail Delivery ➝ Anti-Spam ➝ Spam Quarantine on the menu.
• Enable Spam Quarantine — Select the check box to enable the spam quarantine.
• Expiry Period — Select an expiry period for mail in each quarantine folder. Any mail quarantined for longer than the specified value will be deleted.
• Folder Size Limit — Set a value, in megabytes, to limit the amount of stored quarantined mail in each quarantine folder.
• Enable Summary Email — Select the check box to enable a summary email notification that alerts users to mail that has been placed in their quarantine folder.
Notifications can only be sent to accounts the ePrism is aware of, such as local accounts or LDAP mirrored user accounts.
• Limit # of message headers sent — Specify the maximum number of headers to be sent in the notification message. Set to "0" for all message headers to be sent.
• Remember # of past summary keys — Enter the number of days that users are allowed to access previously sent spam summaries. The default is 8.
When doing spam summaries every 12 hours, a value of 8 would result in only the last four days of spam summaries being accessible.
• Notification Domain — Enter the domain to which notifications are sent. This is typically the Fully Qualified Domain Name of the email server.
The Spam Quarantine only supports one domain.
• Notification Days — Select the specific days to send the summary.
• Notification Times — Select the time of day to send the summary notifications.
The Spam Summary processing will begin at this time, but the actual delivery of the summary notifications will not be performed until the processing (which may take several minutes) is complete.
• Spam Folder — Indicate the Spam Folder name. This must be an RFC821 compliant mailbox name. This folder will appear in a user’s mailbox when they have received quarantined spam.
• Mail Subject — Enter a subject for the notification email.
• Allow Trusting Senders — Inserts a link in the notification summary to allow the user to add the sender to their Trusted Senders List.
• Allow reading messages — Inserts a link in the notification summary to allow the user to read the original message.
• Allow releasing of email — Inserts a link in the notification summary to allow the user to release it to their inbox.
• Mail subject — Enter the subject of the spam summary notification message. ePrism system variables can be used in the subject. See “Customizing Notification and Annotation Messages” on page 371.
Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored user accounts.
Spam Summary Message
If enabled, a summary email notification can be sent to alert users to mail that has been placed in their quarantine folder. Additional options allow the end user to read the message, release the message from the quarantine to their inbox, or add the sender to their Trusted Senders List, via the links in the spam summary message.
Setting Spam Redirect Options
To quarantine spam mail to the Spam Quarantine, you must set the Intercept action to Redirect to and set the action data to the FQDN of the spam quarantine server.
To quarantine mail to the spam quarantine, use the following procedure:
1. Go to Mail Delivery ➝ Anti-Spam ➝ Intercept.
2. Set the Action for the spam level (such as "Certainly Spam") to Redirect to.
3. Set the Action data to the FQDN of the spam quarantine (either this ePrism, or another ePrism system running the quarantine), such as "spam.example.com".
Configuring Dedicated Spam Quarantine Server
To ensure that spam redirected from another ePrism is properly quarantined on a dedicated Spam Quarantine server, it is recommended that a pattern filter be created to ensure these messages are classified as "Certainly Spam" by the dedicated Quarantine server.
1. Log in to the ePrism set up as the dedicated Spam Quarantine server.
2. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) on the menu.
3. Click the Add button to add a new pattern filter.
4. Add a pattern to match the Client IP address of the ePrism system that will be redirecting mail to this quarantine server. Set the action as "Certainly Spam".
5. Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu.
6. For the "Certainly Spam" spam category, set the action to Redirect To and the action data to the address of the Quarantine Server.
Accessing Quarantined Spam
The quarantined spam folder can be viewed using the ePrism Mail Client/WebMail interface. Users can log in to their local or mirrored account on ePrism and view their own quarantine folder.
If you do not require or do not want the end users to log in locally to ePrism to retrieve these messages, they can simply use the linked actions contained in the spam quarantine summary notification to manage quarantined messages.
WebMail access must be enabled on a network interface in Basic Config ➝ Network to allow users to log in to ePrism locally or use the linked actions in the spam quarantine summary notification.
Users can also use IMAP to access the quarantine folders. You must enable IMAP globally and on your trusted network interfaces as required. This allows users to connect to the system via IMAP and move spam messages out of the quarantine into their own folders.
Accessing the Quarantine Folder via IMAP
To enable access to the quarantine folder via IMAP:
1. Select User Accounts ➝ POP3 and IMAP to enable IMAP globally.
2. Select Basic Config ➝ Network to enable IMAP on a specific network interface.
3. Connect from a client using IMAP to view the "spam_quarantine" folder.
To retrieve false positives (messages that are not spam) from the quarantine, configure the client email application with two separate accounts, one for the user's normal account and one for the spam quarantine. With this configuration you can drag and drop messages from the quarantine to your mail account.
Enabling WebMail and Spam Quarantine Access
In Basic Config ➝ Network, enable the WebMail check box for a specific network interface to allow users to log in to WebMail.
In User Accounts ➝ Secure WebMail, enable the Personal Quarantine Controls option to provide users with the spam quarantine controls in the ePrism Mail Client/WebMail interface.
Accessing the Quarantine folder using ePrism Mail Client/WebMail
To access the quarantine folder via ePrism Mail Client/WebMail:
1. Log in to your ePrism WebMail account.
2. Select Spam Quarantine on the left menu.
Click the Release link to release the message back into your inbox.
Click the Trusted Sender link to automatically add the sender to your Trusted Senders List.
Spam Quarantine in a Cluster
The User Spam Quarantine can be run in a clustered environment, but there are additional steps that need to be performed for this feature to work correctly.
• The Spam Quarantine should be enabled on the master Cluster Console only. The cluster will automatically synchronize the configuration with the other cluster members.
• You must set your Intercept options to use an action of Redirect To, and set the action data to a hostname that will be used specifically for the Cluster Console’s network interface. For example, set your redirect action to "redirect.example.com".
• On the Cluster Console, go to Mail Delivery ➝ Routing ➝ Mail Routing, and create a mail route for "redirect.example.com" to point to the IP address of the network interface on the Cluster Console that communicates with the other cluster members. This mail route will be automatically propagated to the other cluster member systems.
• On the Cluster Console, create a Specific Access Pattern rule set to an action of "Trust" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This will ensure messages being redirected from the member system will be trusted.
• If you are running Token Analysis, create a Pattern Based Message Filter rule on the Cluster Console set to the action of "Do Not Train" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This prevents the message from being trained when it is sent to the master Cluster Console for the spam quarantine.
CHAPTER 8
User Accounts and Remote Authentication
This chapter describes how to set up and administer local and remote user accounts and POP/IMAP access on your ePrism Email Security Appliance, and contains the following topics:
• “POP3 and IMAP Access” on page 196
• “Local User Mailboxes” on page 197
• “Mirror Accounts” on page 199
• “Strong Authentication” on page 200
• “Remote Accounts and Directory Authentication” on page 202
• “Relocated Users” on page 205
• “Vacation Notification” on page 206
• “Tiered Administration” on page 209
POP3 and IMAP Access
ePrism fully supports local user mailboxes. Mail is delivered to ePrism mailboxes after the same processing that applies to all other destinations. Users can use any POP or IMAP-based mail client (such as Outlook, Netscape, Eudora, and so on) to download their messages. Users can also be configured to access these mailboxes using the ePrism Mail Client.
It is recommended that you use the secure versions of POP and IMAP to ensure passwords are not transmitted in clear text.
Select User Accounts ➝ POP3 and IMAP on the menu to enable or disable POP and/or IMAP mailboxes.
To complete the procedure, you must also enable POP3 and IMAP access (and their secure versions) on your network interfaces via the Basic Config ➝ Network menu.
Local User Mailboxes
Select User Accounts ➝ Local Accounts on the menu to add new users and configure local user mail profile settings.
Click the Add a New User button to begin the new user configuration:
• User ID — Enter an RFC821 compliant mailbox name for the user.
• Forward email to — Enter an optional address to forward all mail to.
• Set and Confirm Password — Enter and confirm the user’s password. The user should change this password the first time they log in.
• Strong Authentication — Select a strong authentication method, if required. Strong authentication is explained in more detail in the next section.
• Disk Space Quota — Enter an optional user disk space quota in megabytes (MB). Enter a value of "0" for no quota.
• Accessible IMAP/WebMail Servers — Select the available IMAP and WebMail servers that this user can access.
Upload and Download User Lists
You can upload lists of users using comma or tab separated text files. You can specify the login ID, password, email address, and disk quota in megabytes. Use the following format:
[login],[password],[email address],[quota]
For example,
user1,ajg7rY,user1@example.com,0
The file (user.csv) should be created in CSV file format using Excel, Notepad or another Windows text editor. It is recommended that you download the user list file first by clicking File Download, editing it as required, and then uploading it using the File Upload button.
Mailbox Options
Click the Options button to set the maximum mailbox size (in bytes) for all local mailboxes. Set this value to 0 to disable the limit.
The value must not be smaller than the Maximum message size limit set in Mail Delivery ➝ Mail Access. If you set this value to 0, users will be able to send any size of message.
Mirror Accounts
LDAP user accounts can be imported from an LDAP directory server and mirrored on the local ePrism system. This allows you to create local accounts based on the LDAP account to allow these users to log in locally for the Spam Quarantine feature.
These mirror accounts are not local accounts that can accept mail; they are only used for the Spam Quarantine feature.
See “Directory Users and Groups” on page 63 for more detailed information on creating mirror accounts.
If you have imported LDAP user accounts via Basic Config ➝ Directory Services ➝ Users and Groups, a new option will appear in the Local Accounts menu called Mirror Accounts that displays all mirrored user accounts.
You can remove selected individual users’ mirror accounts or remove all of them by clicking the Remove All button.
When using the Remove All button, users are removed as a background process and if you have many pages of users, it may take several minutes for this operation to complete.
Strong Authentication
By default, user authentication is based on UserID and password. ePrism also supports strong authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware token devices provide an additional authentication key that must be entered in addition to the UserID and password.
You can select a strong authentication type in the Strong Authentication drop-down menu of the user’s profile.
CRYPTOCard
The CRYPTOCard option is supported by a local authentication server and requires no external system for authentication. When CRYPTOCard is selected, you will be prompted to program the card at that time using the token configuration wizard.
Only manually programmable CRYPTOCard RB-1 tokens are supported.
SafeWord
SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no external system for authentication. When SafeWord is selected, you will be prompted to program the card at that time using the token configuration wizard.
Only manually programmable SafeWord tokens are supported.
SecurID
To configure RSA SecurID, you must set up the system as a valid client on the ACE Server, and create an sdconf.rec (ACE Agent version 4.x) file and upload it to ePrism.
Although newer ACE servers are supported, the sdconf.rec file must be for version 4.x of the ACE Agent. Versions greater than 4.x generate a different format of this file.
Select User Accounts ➝ SecurID on the menu to configure SecurID.
Click the Browse button to find and load an sdconf.rec file. Click Upload when finished.
After enabling SecurID via User Accounts ➝ SecurID, it must also be enabled for a network interface in the Basic Config ➝ Network screen.
Ensure that ePrism’s domain name is listed in your DNS server. SecurID authentication may not work properly if a DNS record does not exist.
Remote Accounts and Directory Authentication
Directory authentication allows users to be authenticated without having a local ePrism account. When an unknown user logs in, ePrism will send the UserID and password to the specified LDAP or RADIUS server. If the user is authenticated, ePrism will log them in and provide access to the specified server or servers.
LDAP and RADIUS are widely used, and provide a convenient way of allowing access to internal mail servers or web mail servers such as Outlook Web Access. Users who log in locally to an Exchange server based on an Active Directory identity can use the same identity to use Outlook Web Access with ePrism’s Secure WebMail service.
If both LDAP and RADIUS services are defined, the system will try to authenticate via RADIUS first, and then LDAP if the RADIUS authentication fails.
Configuring Directory Authentication
Select User Accounts ➝ Remote Auth from the menu to configure LDAP and RADIUS authentication.
If you want to use LDAP for authentication, click the New button in the LDAP Sources section to define a new LDAP source.
• Directory Server — Select a configured LDAP directory server for authentication.
• Search Base — Enter the base distinguished name from which the search starts, such as cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search: Subtree, One Level, or Base.
  • Base: Searches the base object only.
  • One Level: Searches objects directly beneath the base object, but excludes the base object.
  • Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.
• Query Filter — Enter a specific query filter to search for a user in your LDAP directory hierarchy. For Active Directory implementations, use (ObjectClass=user).
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
• Account name attribute — Enter the account name result attribute that identifies a user’s login or account name, such as sAMAccountName for Active Directory implementations.
You will need to enter the appropriate Query Filter and Account name attribute for your particular LDAP infrastructure if you use another LDAP service such as OpenLDAP or iPlanet.
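How these four settings (Search Base, Scope, Query Filter, Account name attribute) combine into a single user lookup, and why the login name must be escaped before it is placed in the filter, is shown in this added example; it is not ePrism's implementation, and the in-memory directory, DNs and account names in it are constructed.

```python
# Added illustration of how the Remote Auth LDAP settings (Search Base, Scope,
# Query Filter, Account name attribute) combine into one user lookup, with the
# login name escaped per RFC 4515 so a crafted User ID cannot change the filter.
# Not ePrism's implementation; the in-memory directory below is constructed.

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(query_filter, account_attr, login):
    """AND the configured Query Filter with an equality match on the account
    name attribute, e.g. (&(ObjectClass=user)(sAMAccountName=jdoe))."""
    query_filter = query_filter.strip()
    if not (query_filter.startswith("(") and query_filter.endswith(")")):
        query_filter = f"({query_filter})"
    return f"(&{query_filter}({account_attr}={escape_filter_value(login)}))"


def _rdns(dn):
    # Naive split on commas; assumes no escaped commas in RDN values.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Apply the Base / One Level / Subtree rule described in the guide."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                       # not beneath the Search Base at all
    depth = len(entry) - len(base)         # 0 = the base object itself
    scope = scope.strip().lower()
    if scope == "base":
        return depth == 0
    if scope == "one level":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")


# Constructed stand-in for the directory server: DN -> attributes.
DIRECTORY = {
    "cn=jdoe,cn=users,dc=example,dc=com":
        {"objectclass": "user", "samaccountname": "jdoe"},
    "cn=asmith,ou=sales,cn=users,dc=example,dc=com":
        {"objectclass": "user", "samaccountname": "asmith"},
    "cn=printer1,cn=users,dc=example,dc=com":
        {"objectclass": "device", "samaccountname": "printer1"},
}


def find_account(directory, base_dn, scope, account_attr, login,
                 object_class="user"):
    """Return the DN of the single in-scope entry matching the Query Filter
    (ObjectClass=...) and the account name, or None.  The account name is
    compared as a literal, which is what the escaped filter guarantees on a
    real server; Active Directory compares sAMAccountName case-insensitively."""
    attr = account_attr.lower()
    matches = [dn for dn, attrs in directory.items()
               if in_scope(dn, base_dn, scope)
               and attrs.get("objectclass") == object_class
               and attrs.get(attr, "").lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None
```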
RADIUS Authentication
Click the New button in the RADIUS Servers section to configure a RADIUS server for authentication.
• Server — Enter the FQDN or IP address of the RADIUS server.
• Shared Secret — Enter the shared secret for the RADIUS server. A shared secret is a text string that acts as a password between a RADIUS server and client. Choose a secure shared secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters such as the "@" symbol.
When you add a RADIUS server, the administrator of the RADIUS server must also list this ePrism Email Security Appliance as a client using the same shared secret. All listed RADIUS servers must contain the same users and credentials.
• Timeout — Enter a timeout value to contact the RADIUS server.
• Retry — Enter the retry interval to contact the RADIUS server.
The server "This ePrism Email Security Appliance" will only be made accessible for mirror users. See “Directory Users and Groups” on page 63 for more information on setting up mirrored accounts.
The other servers listed in the Accessible Servers option are configured via User Accounts ➝ Secure WebMail. See “Secure WebMail” on page 212 for more detailed information on configuring this feature.
Relocated Users
Use the Relocated Users screen to return information to the sender of a message on how to reach users that no longer have an account on the ePrism system. A full domain can also be specified if the address has changed for a large number of users.
Select User Accounts ➝ Relocated Users on the menu to configure the relocation information.
Click the Add button to add a new relocated user.
Enter a user or domain name in the User field, such as user, user@example.com, or @example.com to specify an entire domain.
In the "User has moved to…" field, enter any appropriate contact information for the relocated user, such as their new email address, street address, or phone number.
Vacation Notification
When a user will be out of the office, they can enable Vacation Notification, which sends an automated email reply to incoming messages. The reply message is fully configurable, allowing a user to personalize the vacation notification message.
Vacation Notifications are processed after mail aliases and mappings. You must create notifications for a specific end user and not for an alias or mapping.
The process for configuring Vacation Notification includes the following steps:
1. The administrator enables Vacation Notification globally.
2. Individual settings can be configured as follows:
• The administrator configures Vacation Notification for the user via User Accounts.
• The user configures their own Vacation Notification via ePrism Mail Client/WebMail.
Select User Accounts ➝ Vacations from the menu to enable Vacation Notification globally.
• Enable Vacation Notification — Enable or disable the service globally for all users.
• Domain Part of Email Address — Enter the domain name to be appended to local user names. This value will be used for all local users.
• Interval Before Re-sending — The number of days after a previous notification was sent to send another reply if a new email arrives from the original sender.
Default Vacation Notification Profile
Enter the subject and contents for the default notification message. Users will be able to change the subject and message from their own user profile.
Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary notifications for non-local users.
Click on an email address to edit the user’s vacation notification settings.
From this screen, an administrator can configure the notification settings, including the address that incoming mail will receive a vacation response from.
<strong>User</strong> Vacation Notification Profile<br />
An administrator can configure vacation notifications for individual users via their user profile in<br />
the <strong>User</strong> Accounts menu. <strong>User</strong>s can configure their own Vacation Notification settings in their<br />
profile via <strong>ePrism</strong> Mail Client.<br />
To configure Vacation Notification:<br />
1. Login to <strong>ePrism</strong> Mail Client and select <strong>User</strong> Profile on the menu.<br />
2. Set the Vacation Start Date by selecting the required date on the left calendar.<br />
3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out<br />
automatically during this time.<br />
4. Modify the default subject and contents of the response message.<br />
5. Click Save <strong>User</strong> Profile.<br />
Vacation notifications are not sent in response to messages marked as "bulk", such as mailing list<br />
and system-generated messages, nor in response to messages identified as spam.<br />
Tiered Administration<br />
Tiered Administration allows an administrator to assign additional administrative access<br />
permissions on a per-user basis. For example, the administrator can designate another user as<br />
an alternate administrator by selecting the Full Admin option in their user profile.<br />
To enable administrator permissions, select a user profile from the <strong>User</strong> Accounts ➝ Local<br />
Accounts menu. Enable each administrative option as required for that user by selecting the<br />
corresponding check box.<br />
WebMail/<strong>ePrism</strong> Mail Client access must be enabled on the network interface that will be used by<br />
tiered administration users. This is set in the Basic Config ➝ Network screen.<br />
To distribute administrative functions, the administrator can configure more selective<br />
permissions to authorize a user only for certain tasks such as administering users and reports,<br />
configuring anti-spam filter patterns, or viewing the email database.<br />
• Full Admin — The user has administrative privileges equivalent to the admin user.<br />
• Administer Aliases — The user can add, edit, remove, upload and download aliases (not<br />
including LDAP aliases).<br />
• Administer Filter Patterns — The user can add, edit, remove, upload and download<br />
Pattern Based Message Filters and Specific Access Patterns.<br />
• Administer Mail Queue — The user can administer mail queues.<br />
• Administer Quarantine — The user can view, delete, and send quarantined files.<br />
• Administer Reports — The user can view, configure and generate reports, and view<br />
system activity.<br />
• Administer <strong>User</strong>s — The user can add, edit, and relocate user mailboxes (except the Full<br />
Admin users), including uploading and downloading user lists. <strong>User</strong> vacation notifications<br />
can also be configured.<br />
• Administer Vacations — The user can edit local users’ vacation notification settings and<br />
other global vacation parameters.<br />
• Mail History — The user can view the email history database.<br />
• View Activity — The user can view the Activity page and start and stop mail services.<br />
Individual emails can only be viewed if View <strong>Email</strong> Database is also enabled.<br />
• View System Logs — The user can view all logs.<br />
Granting full or partial admin access to individual user accounts allows administrative actions to<br />
be attributed in the logs, because each tiered administrator has an identifiable <strong>User</strong>ID that the<br />
system can track.<br />
A user with Full Admin privileges cannot modify the profile of the Admin user. They can, however,<br />
edit other users with Full Admin privileges.<br />
Logging In With Tiered Admin Privileges<br />
When tiered administrative privileges have been assigned to a user, they can access them via<br />
the <strong>ePrism</strong> Mail Client interface by logging in locally to <strong>ePrism</strong>.<br />
Select the type of feature you want to administer via the top-left drop-down menu.<br />
CHAPTER 9<br />
Secure WebMail and <strong>ePrism</strong> Mail Client<br />
This chapter describes how to set up Secure WebMail and the <strong>ePrism</strong> Mail Client on your<br />
<strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>, and contains the following topics:<br />
• “Secure WebMail” on page 212<br />
• “<strong>ePrism</strong> Mail Client” on page 216<br />
Secure WebMail<br />
The Secure WebMail feature provides a highly secure mechanism for accessing webmail<br />
services such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers.<br />
Webmail services provide an attractive, easy to use remote interface for users to access their<br />
mail server mailboxes remotely via a web browser.<br />
As these webmail services are accessible from the Internet, they present a number of security<br />
challenges. The Secure WebMail feature is designed to support the use of webmail services<br />
while protecting Webmail servers from Internet attacks. The connection is managed using a full<br />
application proxy. <strong>ePrism</strong> completely recreates all HTTP/HTTPS requests made by the external<br />
client to the internal webmail server.<br />
Configuring Secure WebMail and <strong>ePrism</strong> Mail Client<br />
Select Basic Config ➝ Network, and then select the WebMail check box to enable WebMail<br />
access on a network interface.<br />
Select <strong>User</strong> Accounts ➝ Secure WebMail to configure Secure WebMail and <strong>ePrism</strong> Mail<br />
Client options.<br />
Access Types<br />
The following options enable controls in the WebMail interface for features such as the Spam<br />
Quarantine, Trusted Senders, and administrative access.<br />
• Administrative Access — Enables access to administrative functions if the user has<br />
administrative privileges, such as via Tiered Administration.<br />
• Local Mail — Enables access to IMAP servers on the local network.<br />
• Proxy Mail — Enables proxy mail access to other IMAP servers.<br />
• Personal Quarantine Controls — Enables the Spam Quarantine controls. The Spam<br />
Quarantine must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Spam<br />
Quarantine.<br />
• Trusted/Blocked Senders List — Enables the Trusted and Blocked Senders List controls.<br />
These features must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Trusted/<br />
Blocked Senders.<br />
For organizations that only want to use local mailboxes for the Spam Quarantine controls or<br />
Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while<br />
enabling Personal Quarantine Controls and Trusted/Blocked Senders. Only those functions are<br />
then displayed to the end user when they log into their <strong>ePrism</strong> Mail Client/WebMail account.<br />
Personal Quarantine and Trusted/Blocked Senders can be disabled if you are only using the Spam<br />
Quarantine summary email for these features and users do not need to log in locally.<br />
At least one of these options must be enabled to allow WebMail access on a specified interface in<br />
Basic Config ➝ Network. If all of these access options are disabled, the WebMail access option<br />
on an interface will be disabled.<br />
Servers<br />
Webmail servers must be running one of the following: IMAP, Outlook Web Access (OWA), or<br />
Lotus iNotes.<br />
• Cached server passwords — This option, when enabled, will keep a copy of the user’s<br />
password until they explicitly log out. If a user switches servers, they will not need to re-enter<br />
their password.<br />
• Share cookies between servers — Enable this option to ensure that when a user moves<br />
from server to server or is redirected to another server, the user’s session cookies are also<br />
passed along.<br />
• Upload Maximum File Size — Enter the maximum file size allowed in megabytes.<br />
Click the Add Server button to add an internal server to be accessed.<br />
• Address — Enter the IP address, hostname, or URL of the server. Add users to this server<br />
by selecting the corresponding check box for that user.<br />
• Label — Enter an optional label to describe this server.<br />
• <strong>User</strong>s who may access this server — Select the users who will be able to access this<br />
server.<br />
• Automatic Server Login — Select this option to try the user’s WebMail ID/Login first before<br />
prompting for an ID and password. Leave this option disabled to force a login prompt for<br />
each new server. This option provides single login capability, allowing users to log in to<br />
<strong>ePrism</strong> and their WebMail server with only one login.<br />
This option should be disabled if the server is set to expire passwords after three failed attempts.<br />
• Use Most Recent — Select this option to try the most recently used credentials first when<br />
changing servers.<br />
This option only applies to users with more than one accessible WebMail server.<br />
• Force Compatibility — Select this option to ensure support for Outlook Web Access 2000<br />
and limited support for OWA 2003.<br />
• Make Invisible — Use this option to make the server invisible to users in the Secure<br />
WebMail server drop-down list.<br />
• Keep Alive — Specify the frequency to send keep-alive messages to the WebMail server<br />
to keep the client connection alive.<br />
<strong>ePrism</strong> Mail Client<br />
The <strong>ePrism</strong> Mail Client is the native webmail client for the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>.<br />
Using the <strong>ePrism</strong> Mail Client, you can access local mailboxes, IMAP Servers, administrative<br />
access, the Spam Quarantine, and the Trusted Senders List.<br />
From a web browser, enter the hostname or IP address of the <strong>ePrism</strong> system running the<br />
<strong>ePrism</strong> Mail Client. Log in with your local user ID and password. (The login can also be<br />
authenticated using LDAP or RADIUS.)<br />
When successfully logged in, the <strong>ePrism</strong> Mail Client interface will be displayed.<br />
Configuring <strong>ePrism</strong> Mail Client Options<br />
In the <strong>User</strong> Accounts ➝ Secure WebMail screen, you can configure popup options, the sent<br />
mailbox folder, and other <strong>ePrism</strong> Mail Client features in the <strong>ePrism</strong> Mail Client Options section.<br />
To see popup windows, your web browser must have popups enabled.<br />
• New Mail Popup — Enable a popup window for new mail notifications.<br />
• Minimize Popups — Minimize the use of new popup browser windows by using the main<br />
frame.<br />
• Enable Inline HTML-mail Viewing — Enables the viewing of HTML mail. For security<br />
reasons, any scripts and fetches for external objects are filtered out.<br />
• Save Sent Mail — Enables saving of sent mail in the user’s mailbox.<br />
• Sent Mail-box — The name of the sent mail folder if enabled.<br />
• Editable From — Enables a user to edit the From: field when composing mail.<br />
CHAPTER 10<br />
Policy Management<br />
This chapter describes how to use and configure Policy controls for users, groups, and<br />
domains, and contains the following topics:<br />
• “Policy Overview” on page 220<br />
• “Creating Policies” on page 223<br />
• “Domain Policies” on page 224<br />
• “Group Policies” on page 226<br />
• “<strong>User</strong> Policies” on page 231<br />
• “Managing Policies” on page 233<br />
• “Policy Diagnostics” on page 234<br />
Policy Overview<br />
<strong>ePrism</strong>’s Policy controls allow specific mail security features to be customized and applied to<br />
different email domains, user groups, or individual users.<br />
The features that can be used with Policy controls include the following:<br />
• Annotations<br />
• Anti-Virus<br />
• Archiving<br />
• Attachment Control<br />
• Attachment Content Scanning<br />
• Intercept Anti-Spam<br />
• Objectionable Content Filter<br />
Policy controls enable granular settings to be applied for each specific domain, group, or user.<br />
For example, Intercept Anti-Spam settings can be enabled for specific domains, while turned off<br />
for other domains. Each Anti-Spam action can be customized to configure one domain to reject<br />
spam messages, while another domain can be configured to modify the subject header of a<br />
spam message. Spam thresholds and Intercept component weights can also be customized for<br />
different domains, groups, and user addresses.<br />
Anti-Virus and Attachment Control actions for inbound and outbound mail can also be<br />
specifically defined for the requirements of each domain, group, or user. For example, you can<br />
enable inbound and outbound Anti-Virus and Attachment Control checks for some domains,<br />
while only checking inbound mail for other domains.<br />
Sender and Recipient Policy Determination<br />
When a message arrives, <strong>ePrism</strong> will determine a set of policy settings for each message<br />
recipient as follows:<br />
• If the message is trusted, and is addressed to a non-local recipient, then the sender’s policy<br />
settings will be used for that recipient.<br />
• If the message is untrusted, or is trusted but addressed to a local recipient, then the<br />
recipient’s policy settings will be used for that recipient.<br />
Policy Hierarchy<br />
Policy settings are processed after mail mappings and similar address rewriting have been applied. If<br />
the final recipient is a local user or a user in a domain that <strong>ePrism</strong> routes mail for, then it is<br />
considered a local recipient.<br />
There are four types of policies that can apply to a user: the Domain Policy, Group Policy, <strong>User</strong><br />
Policy, and Default Policy. Recipients can belong to multiple policies, for example, the recipient<br />
"user@example.com" may have a user-based policy for "user@example.com" and a policy<br />
based on the domain "example.com".<br />
The final policy for the recipient will be the merging of any existing policies for that user, with<br />
conflicting settings resolved in the following order of precedence:<br />
1. <strong>User</strong> policy (user@example.com)<br />
2. Group policy (Sales)<br />
3. Domain policy (example.com)<br />
4. Default policy<br />
For example, if <strong>User</strong> and Domain are defined and enabled and the Anti-Virus feature is defined<br />
and enabled in only the Domain policy but undefined in the other policies, Anti-Virus will be<br />
enabled. To override this Domain policy for a user, define the Anti-Virus feature as disabled in<br />
the <strong>User</strong> Policy.<br />
Multiple Group Policies<br />
In cases where a user belongs to multiple groups, the group order takes precedence. In the<br />
Group Policy configuration screen, administrators can order the list of groups into an order of<br />
priority.<br />
For example:<br />
• A user belongs to Group1 and Group2<br />
• Group 1 Policy is set to a higher priority than Group 2 Policy<br />
• Group 1 Policy has Token Analysis enabled and defined<br />
• Group 2 Policy has Token Analysis disabled and defined<br />
The final result is that the user’s email will be scanned by Token Analysis.<br />
Group policies are not merged as user and domain policies are. If a user belongs to<br />
more than one group, only the first group policy in the specified group ordering is applied.<br />
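As an added illustration (not <strong>ePrism</strong>’s own code), the following Python model implements the rules from the preceding three sections: the choice between the sender’s and the recipient’s policies, the <strong>User</strong> over Group over Domain over Default precedence with per-feature Define flags, and the first-group-only rule for users in several groups. It also records which level supplied each setting using the "X", "_" and empty marks that the Policy Diagnostics screen described later in this chapter displays. The policy names, addresses and group names are constructed for the example; how a matching policy that leaves a feature undefined is displayed is an assumption noted in the code.

```python
"""Model of ePrism policy resolution as the guide describes it.
Added example code, not ePrism's implementation."""

from dataclasses import dataclass, field

# Order of precedence when policies conflict, highest first.
POLICY_ORDER = ("User", "Group", "Domain", "Default")


@dataclass
class Policy:
    """One policy definition. features maps a feature name to
    (defined, enabled); a feature takes part in the merge only when its
    Define check box is set and the policy itself is enabled."""
    name: str
    enabled: bool = True
    features: dict = field(default_factory=dict)

    def setting(self, feature):
        defined, enabled = self.features.get(feature, (False, False))
        return enabled if (self.enabled and defined) else None


def policy_subject(sender, recipient, trusted, local_domains):
    """Sender and Recipient Policy Determination: trusted mail to a
    non-local recipient uses the sender's policies; untrusted mail, or
    trusted mail to a local recipient, uses the recipient's."""
    is_local = recipient.rsplit("@", 1)[-1].lower() in local_domains
    return sender if (trusted and not is_local) else recipient


def applicable_policies(address, user_policies, group_policies, group_order,
                        memberships, domain_policies, default_policy):
    """Collect the candidate policies for an address, keyed by level.
    Group policies are not merged: only the first group in the
    administrator's ordering that the user belongs to (and that has a
    policy assigned) counts."""
    domain = address.rsplit("@", 1)[-1].lower()
    group_policy = None
    for group in group_order:
        if group in memberships.get(address, ()) and group in group_policies:
            group_policy = group_policies[group]
            break
    return {"User": user_policies.get(address),
            "Group": group_policy,
            "Domain": domain_policies.get(domain),
            "Default": default_policy}


def resolve_feature(feature, candidates):
    """Walk the levels in precedence order. The first policy that defines
    the feature decides it and is marked "X"; defining policies further
    down are overridden and marked "_"; a level with no matching policy
    is left empty, as in the Policy Diagnostics table. A matching policy
    that does not define the feature is also left empty here (assumption:
    the guide does not describe that cell)."""
    result, marks = None, {}
    for level in POLICY_ORDER:
        policy = candidates.get(level)
        setting = policy.setting(feature) if policy else None
        if setting is None:
            marks[level] = ""
        elif result is None:
            result, marks[level] = setting, "X"
        else:
            marks[level] = "_"
    return result, marks


def demo():
    """The guide's two worked examples, built from constructed policies."""
    default = Policy("Default", features={"Anti-Virus": (True, False),
                                          "Token Analysis": (True, False)})
    domain_pol = Policy("example.com", features={"Anti-Virus": (True, True)})
    user_plain = Policy("User Policy")                     # Anti-Virus undefined
    user_override = Policy("User Policy", features={"Anti-Virus": (True, False)})
    groups = {"Group1": Policy("Group1", features={"Token Analysis": (True, True)}),
              "Group2": Policy("Group2", features={"Token Analysis": (True, False)})}
    members = {"user@example.com": {"Group1", "Group2"}}

    def resolve(feature, user_policies, group_order):
        cands = applicable_policies("user@example.com", user_policies, groups,
                                    group_order, members,
                                    {"example.com": domain_pol}, default)
        return resolve_feature(feature, cands)

    return {
        # Anti-Virus defined only in the Domain policy: enabled for the user.
        "av_from_domain": resolve("Anti-Virus", {"user@example.com": user_plain},
                                  ["Group1", "Group2"]),
        # Defining Anti-Virus as disabled in the User policy overrides it.
        "av_user_override": resolve("Anti-Virus", {"user@example.com": user_override},
                                    ["Group1", "Group2"]),
        # Group1 ordered first: Token Analysis enabled, Group2 never consulted.
        "ta_group1_first": resolve("Token Analysis", {}, ["Group1", "Group2"]),
        # Reverse the group order and Group2's disabled setting wins instead.
        "ta_group2_first": resolve("Token Analysis", {}, ["Group2", "Group1"]),
    }


if __name__ == "__main__":
    for case, (setting, marks) in demo().items():
        print(f"{case:18} -> {setting!s:5} {marks}")
```

Running the block prints one row per scenario; the marks dictionary is the row the Policy Diagnostics table would show for that feature.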
PBMF Priority<br />
When using PBMFs with policies, there may be situations with conflicting priorities for global<br />
PBMFs and policy PBMFs. When processing PBMFs, <strong>ePrism</strong> makes the following decisions:<br />
1. The priority of all actions is taken into consideration. If there is only one "High" priority<br />
action, that filter will be used.<br />
2. For PBMFs with the same priority, policies are resolved in the following order:<br />
• <strong>User</strong> Policy<br />
• Group Policy<br />
• Domain Policy<br />
• Default Policy/Global<br />
3. For the same priority and same policy, actions are resolved in the following order:<br />
• Bypass<br />
• Reject<br />
• Discard<br />
• Quarantine<br />
• Certainly Spam<br />
• Redirect<br />
• Trust<br />
• Relay<br />
• Accept<br />
• Just Log<br />
When creating Pattern Based Message Filters (PBMFs) in policies, certain message parts such<br />
as Envelope-to and Envelope-from, Client IP, and Host, are not available. These PBMFs can<br />
cause actions to trigger before the recipients are known, such as on a connecting client IP<br />
address, and therefore are not available for use in Policies.<br />
BCC and Do Not Train actions will not prevent lower priority actions from being triggered. For<br />
example, a BCC action at "High" priority in the global PBMF list and an Accept action at "Medium"<br />
priority in a policy will result in an Accept and the BCC option.<br />
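The decision procedure above, written out as an added Python example (not <strong>ePrism</strong>’s implementation). The priority, policy and action orders are the ones listed in this section; the "Low" priority level, the filter names and the match sets are assumptions constructed for the example.

```python
"""Model of the PBMF priority rules above. Added example, not ePrism code."""

from dataclasses import dataclass

# Rule 1: a higher-priority action wins outright. "High" and "Medium" appear
# in the guide; "Low" is assumed here as the remaining level.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Rule 2: at equal priority, the level that defined the filter decides.
# "Default" and "Global" share the lowest rank, as in the guide's list.
POLICY_RANK = {"User": 0, "Group": 1, "Domain": 2, "Default": 3, "Global": 3}

# Rule 3: at equal priority and level, the guide's action order decides.
ACTION_RANK = {name: rank for rank, name in enumerate((
    "Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
    "Redirect", "Trust", "Relay", "Accept", "Just Log"))}

# BCC and Do Not Train never suppress other actions; they are applied in
# addition to whichever disposition wins.
ADDITIVE_ACTIONS = frozenset({"BCC", "Do Not Train"})


@dataclass(frozen=True)
class PbmfMatch:
    """A filter that matched the message and where it was defined."""
    name: str
    action: str
    priority: str
    level: str      # User, Group, Domain, Default or Global


def resolve_pbmf(matches):
    """Return (winning disposition or None, additive matches in input order)."""
    for m in matches:
        if m.priority not in PRIORITY_RANK:
            raise ValueError(f"{m.name}: unknown priority {m.priority!r}")
        if m.level not in POLICY_RANK:
            raise ValueError(f"{m.name}: unknown policy level {m.level!r}")
        if m.action not in ACTION_RANK and m.action not in ADDITIVE_ACTIONS:
            raise ValueError(f"{m.name}: unknown action {m.action!r}")
    additive = [m for m in matches if m.action in ADDITIVE_ACTIONS]
    competing = [m for m in matches if m.action not in ADDITIVE_ACTIONS]
    if not competing:
        return None, additive
    winner = min(competing, key=lambda m: (PRIORITY_RANK[m.priority],
                                           POLICY_RANK[m.level],
                                           ACTION_RANK[m.action]))
    return winner, additive


def demo():
    """Constructed match sets; each returns (disposition, additive actions)."""
    def outcome(matches):
        winner, additive = resolve_pbmf(matches)
        return (winner.action if winner else None, [m.action for m in additive])

    return {
        # The guide's example: a High BCC in the global list plus a Medium
        # Accept in a policy gives Accept with the BCC applied as well.
        "bcc_and_accept": outcome([
            PbmfMatch("audit-copy", "BCC", "High", "Global"),
            PbmfMatch("partner-allow", "Accept", "Medium", "Domain")]),
        # Rule 1: the single High action wins regardless of level or action.
        "single_high": outcome([
            PbmfMatch("log-only", "Just Log", "High", "Global"),
            PbmfMatch("block-exe", "Reject", "Medium", "User")]),
        # Rule 2: equal priority, the User policy beats the Domain policy.
        "user_over_domain": outcome([
            PbmfMatch("domain-reject", "Reject", "Medium", "Domain"),
            PbmfMatch("user-quarantine", "Quarantine", "Medium", "User")]),
        # Rule 3: equal priority and level, Discard precedes Quarantine.
        "same_level": outcome([
            PbmfMatch("q", "Quarantine", "Medium", "Group"),
            PbmfMatch("d", "Discard", "Medium", "Group")]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

Keeping the additive actions out of the competition is what makes the guide’s BCC example come out as "Accept plus BCC" rather than the High-priority BCC silencing the Medium-priority Accept.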
Creating Policies<br />
The following sections describe how to enable and define policies. The general steps are as<br />
follows:<br />
1. Define global <strong>ePrism</strong> settings<br />
2. Enable the Default Policy<br />
3. Add and define new Domain, Group, and <strong>User</strong> Policies<br />
Define Global <strong>ePrism</strong> Settings<br />
Before creating specific domain, group, and user policies, it is recommended that administrators<br />
define the global <strong>ePrism</strong> settings for Anti-Virus, Attachment Control, Anti-Spam features, and so<br />
on; the more granular policies are then based on these global settings.<br />
These settings will be inherited by the Default policy which is the policy used by all users that<br />
do not belong to a specific policy.<br />
If you disable a feature globally, it cannot be enabled by a policy. The feature will be completely<br />
disabled, regardless of how a policy is configured.<br />
Enable the Default Policy<br />
Select Mail Delivery ➝ Policy ➝ Policy Definition to enable the default policy.<br />
The Default policy cannot be deleted. The policy name "Default" is a reserved word specifically to<br />
be used as the Default policy for users that are not defined to a specific policy.<br />
Domain Policies<br />
When global settings have been defined, more granular policy settings can be configured by<br />
creating policies for specific domains, groups, and users.<br />
Domain policies can be created to enable different policies for different domains in an<br />
organization. For example, administrators might require that different domains need separate<br />
annotations (such as a legal disclaimer) appended to their messages.<br />
Create a policy definition for this domain as follows:<br />
1. Select Mail Delivery ➝ Policy ➝ Policy Definition to configure customized policies.<br />
2. Click the Add Policy button.<br />
3. Enter a descriptive name for this domain policy, such as "example.com".<br />
4. Select the Enable check box to enable this policy.<br />
5. Go to the Annotations section of the policy.<br />
6. Select the Enable check box and the Define check box to enable annotations for this<br />
domain policy.<br />
7. Select the Define check box for the Annotation "Edit" field, and then click the Edit button to<br />
customize the annotation for this domain.<br />
8. Customize the annotation and click Apply, and then click Return to Policy.<br />
9. Click Apply to save the "example.com" domain policy.<br />
10. Select Mail Delivery ➝ Policy ➝ Domain Policy to add the "example.com" domain.<br />
11. Select the "example.com" policy in the Policy drop-down list.<br />
12. Enter the domain that this policy will apply to, such as:<br />
example.com<br />
Use a leading "." to indicate subdomains of the specified domain, such as:<br />
.example.com<br />
This will match:<br />
a.example.com, b.example.com, c.d.example.com<br />
but not "example.com".<br />
13. Click Add to add the domain to the Domain Policy list.<br />
Uploading and Downloading Domain Policy Lists<br />
A list of domains and corresponding policies can also be uploaded in one text file. The file must<br />
contain comma or tab separated entries in the form:<br />
[Domain],[policy name]<br />
For example:<br />
example.com,Domain1<br />
The file (domain_policy.csv) should be created in csv file format using Excel, Notepad or<br />
another Windows text editor. It is recommended that you download the domain file first by<br />
clicking Download File, editing it as required, and uploading it using the Upload File button.<br />
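The domain pattern rule from step 12 and the upload file format, as an added Python example (not <strong>ePrism</strong> code). It parses a constructed domain_policy.csv containing both comma- and tab-separated entries and looks up the policies whose pattern matches a recipient domain; the group_policy.csv and email_policy.csv files described later in this chapter have the same [key],[policy name] shape, so the same parser serves them. Case-insensitive comparison of domain names is an assumption the guide does not state.

```python
"""Domain Policy pattern matching and upload-file parsing, modelled on the
guide's description. Added example code, not part of ePrism."""


def domain_matches(pattern, domain):
    """A pattern with a leading "." matches any subdomain of that name but
    not the name itself; any other pattern must match the domain exactly.
    Comparison is case-insensitive (assumption: DNS names are
    case-insensitive; the guide does not say)."""
    pattern, domain = pattern.strip().lower(), domain.strip().lower()
    if pattern.startswith("."):
        return domain.endswith(pattern)   # "a.example.com" ends with ".example.com"
    return domain == pattern


def parse_policy_list(text, key_label="Domain"):
    """Parse an upload file of '[key],[policy name]' or tab-separated lines.
    Blank lines are skipped. Only the first separator on a line is used, so
    a policy name may contain spaces. Returns a list of (key, policy) tuples
    and raises ValueError for a malformed row."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sep = "\t" if "\t" in line else ","
        key, found, policy = line.partition(sep)
        key, policy = key.strip(), policy.strip()
        if not found or not key or not policy:
            raise ValueError(
                f"line {lineno}: expected '[{key_label}],[policy name]', got {raw!r}")
        entries.append((key, policy))
    return entries


def lookup_domain_policies(domain, entries):
    """Return the policy names of every entry whose pattern matches domain.
    The guide does not state a precedence between overlapping patterns, so
    all matches are returned in file order."""
    return [policy for pattern, policy in entries if domain_matches(pattern, domain)]


def demo():
    """A constructed domain_policy.csv with mixed separators, the lookups the
    guide's subdomain example implies, and one malformed file."""
    upload = ("example.com,Domain1\n"
              ".example.com,Subdomains\n"
              "partner.example\tPartnerPolicy\n"
              "\n")
    entries = parse_policy_list(upload)
    try:
        parse_policy_list("missing-policy-name\n")
        error = None
    except ValueError as exc:
        error = str(exc)
    return {
        "entries": entries,
        "example.com": lookup_domain_policies("example.com", entries),
        "c.d.example.com": lookup_domain_policies("c.d.example.com", entries),
        "partner.example": lookup_domain_policies("Partner.Example", entries),
        "other.example": lookup_domain_policies("other.example", entries),
        "error": error,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value}")
```

The same `parse_policy_list` call handles the group and user lists; only the key column differs, and a lookup for those is a plain equality check on the group name or address.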
Group Policies<br />
Policies can be customized for users who belong to a specific group. For example, a "Sales"<br />
group might have different attachment content scanning policies than users in the Development<br />
group. Group policies are also useful for providing different annotations or anti-spam features<br />
for each user group.<br />
Group membership information must be imported from an LDAP directory. Click the LDAP<br />
Import button which will take you to the Directory <strong>User</strong>s and Groups screen where LDAP users<br />
and group names can be imported. A Directory Server must be set up before you can import<br />
users and groups.<br />
See “Directory <strong>User</strong>s and Groups” on page 63 for more detailed information on setting up<br />
directory services for group imports.<br />
When you have set up your Directory <strong>User</strong>s and groups configuration, click Apply.<br />
Click the Import Now button to import users and their corresponding group<br />
memberships from an LDAP directory. When the import is completed, the group list will appear<br />
in your Group Policy screen. Scheduled imports can be set up by clicking the Import Settings<br />
button.<br />
Select the "New" group view to show the groups that you just imported and are currently<br />
unassigned. New imported groups will display "New" as their policy category, indicating that the<br />
group has just been imported and currently has no policy.<br />
These new groups can then either be assigned the "Default" policy, an existing configured<br />
policy, or be set as "Unassigned". Groups configured as "New" or "Unassigned" do not have an<br />
active policy.<br />
A reimport of groups will change all previously "New" groups to "Unassigned".<br />
Re-Ordering Groups<br />
Group policies are applied in the order listed if the user belongs to more than one group. For<br />
example, in the case of annotations, the annotation for a user belonging to multiple groups will<br />
be their first group listed in the group order.<br />
Groups can be reordered for priority by clicking the Re-Order Groups button.<br />
A list of "Assigned" groups (groups assigned to a policy) will be displayed. Select a group to be<br />
moved, and then click the Up or Down buttons to move the group up and down the list order.<br />
Groups can be moved immediately to the top or bottom of the list using the Top and Bottom<br />
buttons.<br />
When finished the re-ordering of groups, click the Apply button.<br />
Assigning Group Policies<br />
Policies can now be assigned to each group by selecting a specific policy from the drop-down<br />
box. In this example, we have created a Group Policy 1 policy that we will apply to specific<br />
groups.<br />
In this example, the Canada, India, and Japan groups have been configured to use the Group<br />
Policy 1 policy. When you are finished setting the policies for the required groups, ensure the<br />
groups that have been modified are selected, and then click the Apply link.<br />
Uploading Group Policy Lists<br />
A list of groups and corresponding policies can also be uploaded in one text file. The file must<br />
contain comma or tab separated entries in the form:<br />
[group],[policy name]<br />
For example:<br />
sales,salesgroup<br />
The file (group_policy.csv) should be created in csv file format using Excel, Notepad or<br />
another Windows text editor. It is recommended that you download the group file first by<br />
clicking Download File, editing it as required, and uploading it using the Upload File button.<br />
Orphaned Groups<br />
Orphaned LDAP groups are groups that have been deleted from the LDAP directory but still<br />
exist in <strong>ePrism</strong>’s local group list. Any policies configured for these orphaned groups will not be<br />
processed.<br />
Click the Delete Orphans button to remove these groups from <strong>ePrism</strong>’s group policy screen.<br />
Disabling Group Policy<br />
Group Policies can be disabled if they are not being used for Policies in your organization. This<br />
may help performance for organizations that have a large number of directory users and do not<br />
need to use Group Policy. Click the Disable Group Policy button to disable this feature.<br />
<strong>User</strong> Policies<br />
Policies can be customized for individual user addresses. The <strong>User</strong> policy takes precedence<br />
over Domain and Group policies, and is useful for creating individual exceptions to those<br />
policies.<br />
In the following example, a user policy will be created with customized anti-virus settings.<br />
Configure a user policy as follows:<br />
1. Select Mail Delivery ➝ Policy ➝ Policy Definition.<br />
2. Click the Add Policy button.<br />
3. Enter a descriptive name for this policy, such as "<strong>User</strong> Policy".<br />
4. Select the Enable check box to enable this policy.<br />
5. Go to the Anti-Virus section of the policy.<br />
6. Select Kaspersky Virus Scanning and ensure the Define check box is checked.<br />
7. Customize the actions and notifications for inbound and outbound virus scanning.<br />
8. When finished, click Apply to save this policy.<br />
9. Select Mail Delivery ➝ Policy ➝ <strong>User</strong> Policy to add a user address.<br />
10. Select the <strong>User</strong> Policy created in the previous steps in the Policy drop-down list.<br />
11. Enter the user address, such as "user@example.com" in the <strong>Email</strong> field.<br />
12. Click Add to add the user address to the <strong>User</strong> Policy list.<br />
Uploading and Downloading <strong>User</strong> Address Lists<br />
A list of users can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[email],[policy name]<br />
For example:<br />
user@example.com,<strong>User</strong> Policy<br />
The file (email_policy.csv) should be created in csv file format using Excel, Notepad or<br />
another Windows text editor. It is recommended that you download the user file first by clicking<br />
Download File, editing it as required, and uploading it using the Upload File button.<br />
Managing Policies<br />
When several domain, group, and user policies have been created and customized, they can<br />
be managed from the Mail Delivery ➝ Policy ➝ Policy Definition screen.<br />
The Enabled field indicates if a policy is on and active or disabled.<br />
Each individual policy can be edited by clicking on its corresponding name.<br />
To delete policies, select the corresponding check box of the policies you want to delete, then<br />
click the Remove button.<br />
Enable Verbose Logging<br />
The Enable Verbose Logging feature enables additional logging information in the Mail<br />
Transport log file for policies. Click the Enable Verbose Logging button to enable this feature.<br />
The mail log can be viewed via Status/Logs ➝ System Logs ➝ Mail Transport.<br />
The message displayed will contain information similar to the following:<br />
policy_recipient=,<br />
policy_user= (remote=F),<br />
domain_policy=, group_policy=,<br />
group_name=, user_policy=<br />
default_policy=<br />
Policy Diagnostics<br />
The Policy Diagnostics screen allows administrators to test their policy structure to ensure that<br />
the final result for a specific user is the desired result. There are several policies that can apply<br />
to a single user, including domain policies, user policies, group policies, and the default policy.<br />
By entering the user’s email address in the diagnostic screen, the final result of each policy<br />
feature will be displayed, including information on which policies were overridden by another<br />
policy with higher priority.<br />
Select Mail Delivery ➝ Policy ➝ Policy Diagnostic on the menu to configure and run policy<br />
diagnostics.<br />
• Sender — Enter a sender address for this test if you are testing an outbound message. This<br />
field can be left blank to indicate any sender for inbound mail.<br />
• Recipient — Enter the test recipient for the policy. The final result displayed during the<br />
diagnostics will be the final policy result for this specific user.<br />
• Direction — Select a direction for the message to determine policy results when the<br />
message is inbound or outbound.<br />
• Trusted — Select whether the message is considered to be from a trusted or untrusted<br />
source.<br />
Click Lookup to start the policy diagnostics.<br />
The Policy Diagnostic summary screen provides the administrator with a detailed analysis of<br />
how the various active policies combine to determine the final disposition of mail messages.<br />
The Policy Diagnostics table displays the <strong>ePrism</strong> features that can be configured on a per-policy<br />
basis.<br />
Each column displays the contributions to the disposition of the message by each policy (<strong>User</strong>,<br />
Group, Domain, and Default).<br />
For each feature, an "X" indicates the defined policy was used to determine the final result. Any<br />
policies that were overridden by the applied policy are indicated by an "_". An empty column<br />
indicates that a matching policy was not found by the policy resolution engine.<br />
At the end of each feature row, the final result of the policy is indicated such as "Disabled" for<br />
Kaspersky Anti-Virus.<br />
As policies are initialized with reasonable defaults and those values may match the overall<br />
default setting, it can appear that a particular policy has been overridden when in fact there is<br />
no apparent configuration responsible for this. For example, the default setting for attachment<br />
scanning is 'disabled'. If a user policy is defined, but attachment scanning is not part of that<br />
definition and nothing else overrides the default then it will appear that the contribution has<br />
come from the user policy.<br />
CHAPTER 11<br />
Threat Prevention<br />
This chapter describes how to configure <strong>ePrism</strong>’s Threat Prevention features to detect and<br />
automatically respond to security threats, and contains the following topics:<br />
• “Threat Prevention Overview” on page 238<br />
• “Configuring Threat Prevention” on page 239<br />
• “Creating Threat Prevention Rules” on page 241<br />
• “Static Address Lists” on page 251<br />
• “Dynamic Address Lists” on page 253<br />
• “F5 Blocking” on page 256<br />
• “Cisco Blocking” on page 261<br />
• “Threat Prevention Status” on page 264<br />
Threat Prevention Overview<br />
<strong>ePrism</strong> provides a threat prevention feature to detect and mitigate incoming threats. By default,<br />
<strong>ePrism</strong> can recognize the following threats:<br />
• Directory harvesting<br />
• Denial of Service attacks<br />
• Connections from blocked addresses<br />
• Connections originating from addresses that send spam<br />
• Connections originating from addresses that send viruses<br />
Historical information about connecting IP addresses and how they behave is retained, so that a<br />
configurable action, such as accept or reject, can be determined at connection time based on<br />
current and historical data.<br />
This information can also be pushed to a perimeter F5 or Cisco device that can be configured to<br />
rate limit, throttle or block a given IP address for a period of time before it reaches <strong>ePrism</strong>.<br />
How Threat Prevention Works<br />
The Threat Prevention feature performs the following tasks.<br />
• Determines the threat level of connecting IP addresses and retains historical statistics about<br />
that address<br />
• Acts on the connection’s IP address based on its connection history<br />
The Threat Prevention feature is contacted at several stages of mail delivery for a specific client<br />
IP address:<br />
1. At connection request time, the history for the IP address is provided to the rules script that<br />
determines if the connection should be allowed or rejected, and how to further classify the<br />
address into a specific data group.<br />
2. After early mail scanning, the number of known and unknown recipients and DNSBL results<br />
are added to the history of the connecting address.<br />
3. After full mail scanning, the results of Anti-Virus, Anti-Spam, and Malformed message<br />
scanning are recorded in the history of the address.<br />
4. Prior to connection, an F5 or Cisco device (if configured) may block an IP address before it<br />
reaches <strong>ePrism</strong> if <strong>ePrism</strong> is configured to push threat prevention information to the device.<br />
238
Configuring Threat Prevention<br />
A Connection Rules script is run each time a client tries to connect to <strong>ePrism</strong>. This configurable<br />
script determines whether to accept or reject a connection based on its threat prevention<br />
history. The script performs an evaluation of the connection and drives the reject and accept<br />
decision for the threat prevention feature. The script is also responsible for moving IP<br />
addresses into appropriate data groups.<br />
Select Mail Delivery ➝ Threat Prevention on the menu to configure <strong>ePrism</strong>’s threat<br />
prevention features.<br />
<strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> implements connection rule checking by using a scripting<br />
language to drive the decision making process. The script can reject or accept mail given<br />
various statistics available at the time of client connection. The listed default rules are<br />
processed in order.<br />
• Description — A description for the rule.<br />
• Condition — Condition statement to execute.<br />
• List — Defines which list to insert the IP address.<br />
• Action — Action to take if the condition is "True", such as Accept or Reject.<br />
• Reject Code — Reply code to send to the connecting client. For Reject, this is 450<br />
(temporary) or 550 (permanent). For Accept, the reply code is set to 220.<br />
• Move — Select the arrows to modify the ordering of the connection rules.<br />
239
Click the Add Rule button to add a new connection rule.<br />
These rules are fully configurable, and the system checks the script when it is saved to ensure<br />
there are no syntax or execution errors. When you are finished with your changes, click the<br />
Apply button. The results of the script test will be shown, including any syntax errors.<br />
Click the Advanced button to see the entire connection rules script based on the configured<br />
rules.<br />
See the following section “Creating Threat Prevention Rules” on page 241 which describes how to<br />
create these rules.<br />
Resetting to Defaults<br />
Press the Reset to Defaults button to replace all existing rules with the default set of rules.<br />
240
Creating Threat Prevention Rules<br />
The Threat Prevention feature runs a connection rules script each time a client tries to connect<br />
to <strong>ePrism</strong>. The script determines whether to accept or reject a connection based on its threat<br />
prevention history. The script is also responsible for moving IP addresses into appropriate<br />
dynamic lists, such as "infected" or "spammers".<br />
The full script itself is not editable, but it is updated with the condition statements and actions<br />
that are defined for each Threat Prevention rule. These rules are configurable, and the system<br />
will check the script when new rules are applied to ensure there are no syntax or execution<br />
errors.<br />
Basic Rule Structure<br />
The basic structure of a connection rule is as follows:<br />
• Rule Condition — A set of criteria that must be met for the rule to be triggered, such as<br />
"stats1h.virus > 10" (more than 10 virus-infected messages sent in the last hour). <strong>ePrism</strong><br />
collects over 15 different types of data that can be used to create a rule condition.<br />
• Action — Action to take when the rule condition is met, such as "Accept" or "Reject".<br />
• Reply code — The reply code to send back to the sending server, such as temporarily<br />
reject (450) or permanently reject (550).<br />
• Add to Dynamic List — Add the IP address to a configured dynamic list, if applicable. For<br />
example, a sender that triggers a spam rule can be placed in the "spammers" dynamic list.<br />
Default Connection Rules<br />
The default connection rules are active when the Threat Prevention feature is enabled. These<br />
rules include checks for typical conditions such as blocked clients, virus and junk mail senders,<br />
and denial of service (DoS) attempts. The default rules are also helpful in learning how to put<br />
together condition statements for customized connection rules.<br />
Any of the default rules can be customized to change any aspect of the rule to better suit the needs<br />
of your organization.<br />
241
Blacklisted clients<br />
This rule checks if the client is already blocked by <strong>ePrism</strong>. The condition statement "is_blacklist"<br />
simply checks if the client is listed in the blacklist static IP address list. If the check is true, the<br />
client will be rejected and added to the blacklisted dynamic IP address list.<br />
Directory harvesters<br />
This rule checks if the client has been involved with directory harvesting activities intended to<br />
discover valid email addresses from <strong>ePrism</strong>. The following condition statement is used to<br />
identify if a client is considered a directory harvester:<br />
stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 &&<br />
(!is_internal && !is_mynetworks )<br />
This statement indicates:<br />
• If the number of invalid recipients from the client in the last 30 minutes is greater than or<br />
equal to 50<br />
• and the number of good recipients from the client in the last 30 minutes is less than 3<br />
• and the client does not exist in the internal or mynetworks static lists (to trust the client)<br />
• then the connecting system is rejected and entered into the harvesters dynamic IP address<br />
list<br />
Big virus senders<br />
This rule checks if the client has recently sent a large number of viruses. The following condition<br />
statement is used to identify if a client is considered a source of viruses:<br />
stats1h.virus > 10 && stats1h.perc_virus_to_messages > 50 &&<br />
stats1h.perc_ham_to_messages < 25 && (!is_internal &&<br />
!is_mynetworks)<br />
This statement indicates:<br />
• If the number of viruses received from this client in the last hour is greater than 10<br />
• and the percentage of virus infected messages received from this client in the last hour is<br />
greater than 50<br />
• and the percentage of clean messages received from this client in the last hour is less than<br />
25<br />
• and the client does not exist in the internal or mynetworks static lists (to trust the client)<br />
• then the connecting system is rejected and entered into the infected dynamic IP address list<br />
DNSBL clients (on more than one list)<br />
This rule checks if the client is listed on more than one DNS Block List (DNSBL). A client that<br />
is on more than one DNSBL is a known open relay that may send out a large number of spam<br />
messages. The following condition statement is used to identify if a client is on more than one<br />
DNSBL:<br />
block_list > 1 && (!is_internal && !is_mynetworks)<br />
242
This statement indicates:<br />
• If the client exists on more than one DNSBL<br />
• and the client does not exist in the internal or mynetworks static lists (to trust the client)<br />
• then the connecting system is temporarily rejected and entered into the spammers dynamic<br />
list<br />
DNSBL clients<br />
This rule checks if the client exists on only one DNS Block List. In this case, there is the<br />
possibility that the client is on this DNSBL by mistake, and <strong>ePrism</strong> makes additional checks to<br />
examine its recent history of mail messages. The following condition statement is used to<br />
identify if a client is on one DNSBL and sends a large number of spam messages:<br />
block_list == 1 && stats30m.bad_mail > 10 && stats30m.ham < 2 &&<br />
(!is_internal && !is_mynetworks)<br />
This statement indicates:<br />
• If the client exists on only one DNSBL<br />
• and the number of spam and junk messages received from this client in the last 30 minutes<br />
is greater than 10<br />
• and the number of clean messages received from this client in the last 30 minutes is less<br />
than 2<br />
• and the client does not exist in the internal or mynetworks static lists (to trust the client)<br />
• then the connecting system is temporarily rejected and entered into the spammers dynamic<br />
IP address list<br />
Junk senders<br />
This rule checks if the client sends out a large amount of spam or junk mail in proportion to the<br />
number of legitimate messages. The following condition statement is used to identify if a client<br />
is sending a large amount of spam or junk messages compared to legitimate messages:<br />
stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 &&<br />
stats5m.messages > 10 && (!is_internal && !is_mynetworks)<br />
This statement indicates:<br />
• If the number of spam and junk messages received from this client in the last hour is<br />
greater than 20<br />
• and the percentage of clean messages compared to spam received from this client in the<br />
last hour is less than 25<br />
• and the number of messages sent from this client in the last five minutes is greater than 10<br />
• and the client does not exist in the internal or mynetworks static lists (to trust the client)<br />
• then the connecting system is temporarily rejected and entered into the tarpit dynamic IP<br />
address list<br />
243
Internal DoS<br />
This rule checks if the client is on an internal network and is using a lot of open connections that<br />
may result in a denial of service. The following condition statement is used to identify if an<br />
internal client is creating a large amount of open connections:<br />
open_connections > 50 && is_internal<br />
This statement indicates:<br />
• If the number of open connections from this client is greater than 50<br />
• and the client is listed in the internal static address list<br />
• then the connecting system is temporarily rejected<br />
External DoS<br />
This rule checks if an external client is using a lot of open connections that may result in a denial<br />
of service. The following condition statement is used to identify if an external client is creating a<br />
large amount of open connections:<br />
open_connections > 20 && !is_internal<br />
This statement indicates:<br />
• If the number of open connections from this client is greater than 20<br />
• and the client is not listed in the internal static address list<br />
• then the connecting system is temporarily rejected<br />
Excessive senders<br />
This rule checks if a client is sending too many messages that could result in a denial of service.<br />
The following condition statement is used to identify if a client is sending an abnormal amount of<br />
messages:<br />
!is_peers && !is_internal && stats1h.messages > 50000<br />
This statement indicates:<br />
• If the client is not listed in the peers and internal static address lists (to trust the client)<br />
• and the number of messages sent from this client in the last hour is greater than 50000<br />
• then the connecting system is temporarily rejected<br />
244
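As an added example (not part of the manual and not <strong>ePrism</strong>'s own script), the following Python models the nine default rules above and runs them in order over constructed per-client history. Conditions are written as Python callables over a flat variable dict instead of <strong>ePrism</strong>'s statement syntax; the window, statistic and list names follow the tables in "Building Condition Statements". Two details are assumptions: percentages are computed as integer ratios, and the first rule whose condition is true decides the reply (550 where the text says "rejected", 450 where it says "temporarily rejected").<br />

```python
"""Added example (not ePrism code): the nine default connection rules run in
order over constructed per-client history.  Conditions are Python callables
over a flat variable dict rather than ePrism's own statement syntax; the
integer percentages and first-match dispatch are assumptions."""

WINDOWS = ("stats1m", "stats5m", "stats15m", "stats30m", "stats1h", "stats24h")
COUNTS = ("messages", "virus", "malformed", "spam", "ham",
          "bad_recipients", "good_recipients", "connection_attempts")
STATIC_LIST_NAMES = ("internal", "mynetworks", "peers", "blacklist")


def build_context(ip, history, static_lists, open_connections=0, block_list=0):
    """Flatten raw counts per time window into the variable names of TABLES 1-4:
    statsNN.<statistic>, is_<list>, open_connections and block_list."""
    ctx = {"ip_address": ip, "open_connections": open_connections, "block_list": block_list}
    for name in STATIC_LIST_NAMES:
        ctx["is_" + name] = ip in static_lists.get(name, ())
    pct = lambda part, whole: 100 * part // whole if whole else 0
    for window in WINDOWS:
        c = {k: history.get(window, {}).get(k, 0) for k in COUNTS}
        c["bad_mail"] = c["virus"] + c["malformed"] + c["spam"]  # TABLE 3 definition
        for kind in ("ham", "virus", "spam", "malformed"):
            c[f"perc_{kind}_to_messages"] = pct(c[kind], c["messages"])
        c["perc_bad_to_messages"] = pct(c["bad_mail"], c["messages"])
        c["perc_ham_to_spam"] = pct(c["ham"], c["spam"])
        ctx.update({f"{window}.{k}": v for k, v in c.items()})
    return ctx


def untrusted(c):
    """The (!is_internal && !is_mynetworks) clause shared by most default rules."""
    return not c["is_internal"] and not c["is_mynetworks"]


# (description, condition, reject code, dynamic list) in the manual's order.
# 550 where the text says "rejected", 450 where it says "temporarily rejected".
DEFAULT_RULES = [
    ("Blacklisted clients", lambda c: c["is_blacklist"], 550, "blacklisted"),
    ("Directory harvesters", lambda c: c["stats30m.bad_recipients"] >= 50 and c["stats30m.good_recipients"] < 3 and untrusted(c), 550, "harvesters"),
    ("Big virus senders", lambda c: c["stats1h.virus"] > 10 and c["stats1h.perc_virus_to_messages"] > 50 and c["stats1h.perc_ham_to_messages"] < 25 and untrusted(c), 550, "infected"),
    ("DNSBL clients (on more than one list)", lambda c: c["block_list"] > 1 and untrusted(c), 450, "spammers"),
    ("DNSBL clients", lambda c: c["block_list"] == 1 and c["stats30m.bad_mail"] > 10 and c["stats30m.ham"] < 2 and untrusted(c), 450, "spammers"),
    ("Junk senders", lambda c: c["stats1h.bad_mail"] > 20 and c["stats1h.perc_ham_to_spam"] < 25 and c["stats5m.messages"] > 10 and untrusted(c), 450, "tarpit"),
    ("Internal DoS", lambda c: c["open_connections"] > 50 and c["is_internal"], 450, None),
    ("External DoS", lambda c: c["open_connections"] > 20 and not c["is_internal"], 450, None),
    ("Excessive senders", lambda c: not c["is_peers"] and not c["is_internal"] and c["stats1h.messages"] > 50000, 450, None),
]


def run_rules(ctx, rules=DEFAULT_RULES):
    """Rules are processed in order; the first true condition decides the reply
    and the dynamic list, otherwise the connection is accepted with 220."""
    for description, condition, code, dynamic_list in rules:
        if condition(ctx):
            return {"rule": description, "code": code, "list": dynamic_list}
    return {"rule": None, "code": 220, "list": None}


# Constructed sample clients on documentation address ranges (not real hosts).
STATIC = {"internal": {"192.168.1.10"}, "mynetworks": {"198.51.100.20"}}
JUNK = {"stats1h": {"messages": 40, "spam": 30, "ham": 5}, "stats5m": {"messages": 12}}
CLIENTS = {
    # 80 unknown recipients and one good one in 30 minutes: a harvester.
    "harvester": build_context("203.0.113.7", {"stats30m": {"messages": 1, "ham": 1, "bad_recipients": 80, "good_recipients": 1}}, STATIC),
    # On two DNSBLs and also a junk sender: the earlier DNSBL rule wins ("spammers", not "tarpit").
    "listed": build_context("203.0.113.9", JUNK, STATIC, block_list=2),
    # Same profile from a mynetworks host: trusted, so only the DoS and volume rules remain.
    "trusted": build_context("198.51.100.20", JUNK, STATIC, block_list=2),
    "internal_dos": build_context("192.168.1.10", {}, STATIC, open_connections=60),
}

if __name__ == "__main__":
    for name, ctx in CLIENTS.items():
        print(f"{name:13} {ctx['ip_address']:14} -> {run_rules(ctx)}")
```

Running the block shows why rule order matters: the client on two DNSBLs also meets the Junk senders condition, but lands in "spammers" with a 450 because the DNSBL rule is evaluated first, while the same traffic profile from a mynetworks address is accepted.<br />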
Creating Connection Rules<br />
To create customized connection rules for the Threat Prevention feature, select Mail Delivery<br />
➝ Threat Prevention on the menu, and then click the Add Rule button.<br />
The following options can be configured:<br />
• Description — Enter a descriptive summary of the rule.<br />
• Condition — Enter a condition statement to execute, such as:<br />
stats1h.bad_mail > 20 && (!is_internal && !is_mynetworks)<br />
This statement checks if the client has sent more than 20 bad (virus-infected, malformed, or<br />
spam) messages in the last hour, and is not on the internal or mynetworks IP address lists.<br />
See the following section "Building Condition Statements" for detailed information on creating<br />
these statements.<br />
• Action — Action to take if the condition is "True". Options are Accept Mail or Reject Mail.<br />
• Reject Code — Reply code to send to the connecting client. For Reject, this is 450<br />
(temporary) or 550 (permanent). For Accept, the reply code is set to 220.<br />
• Reject Message — A customized reject message to send to the connecting client. The<br />
%IP% variable can be used to indicate the IP address of the client.<br />
• Add to List — Select a Dynamic Address List to add the client IP address to if the condition<br />
is true. These lists can be viewed and configured via Mail Delivery ➝ Threat Prevention<br />
➝ Dynamic Lists.<br />
245
Building Condition Statements<br />
The Threat Prevention rules are based on condition statements that are used to create various<br />
criteria for the connecting clients and their historical behaviour.<br />
The following tables describe the variables, parameters, and Boolean operators available to<br />
create Threat Prevention rules.<br />
General Statistics<br />
The following are general statistics that can be used when creating connection rules. They<br />
include items such as the IP address of the connecting client and how many open connections a<br />
client is using.<br />
TABLE 1. General Statistics<br />
• ip_address — The IP address of the connecting client.<br />
• current_group — The name of the current Dynamic list the client IP address is in, if any.<br />
• open_connections — The current number of open connections from this client IP address.<br />
• block_list — If DNS Block lists are enabled, the number of lists the IP address matched.<br />
• rule_no — The connection rule number, for ordering purposes.<br />
For example, as part of your condition statement to prevent denial of service attacks, check that<br />
the client does not have a large amount of open connections:<br />
open_connections > 50<br />
IP Lists<br />
The following parameters indicate if the client IP address is listed in any of the pre-defined Static<br />
IP lists (defined via Mail Delivery ➝ Threat Prevention ➝ Static Lists on the menu.)<br />
This allows you to check if the client IP address is trusted because it is identified as an internal<br />
system, a network under your control, or a peer address. The client can also be blocked if it<br />
appears in the local blacklist.<br />
TABLE 2. IP Lists<br />
• is_internal — Checks if the client IP address is listed in the internal address list.<br />
• is_mynetworks — Checks if the client IP address is listed in the mynetworks address list.<br />
• is_peers — Checks if the client IP address is listed in the peers address list.<br />
• is_blacklist — Checks if the client IP address is listed in the blacklisted address list.<br />
246
For example, to check if the connecting client is in the blacklist static IP list, use the following<br />
condition statement:<br />
is_blacklist<br />
If the client is already listed in the blacklist IP list, the condition is true and the configured action<br />
executed.<br />
These lists can also be used to ensure clients are trusted because they are considered internal<br />
or under an organization's control. For example, to check for a large amount of open<br />
connections, and to ensure this client is not an internal client, use the following statement:<br />
open_connections > 50 && !is_internal<br />
This statement checks clients who have more than 50 open connections and do not belong to<br />
the internal static IP list.<br />
<strong>Email</strong> Statistics<br />
The following email statistics can be used to build condition statements in the connection rules<br />
based on the types of messages received. These statistics identify the number of messages<br />
based on their classification, such as virus-infected, malformed, spam, and clean. Several<br />
statistics also indicate the percentage of one type of message to another, such as the<br />
percentage of spam messages to total messages received.<br />
TABLE 3. <strong>Email</strong> Statistics<br />
• messages — Total number of messages from successful connections.<br />
• virus — Number of virus-infected messages.<br />
• malformed — Number of malformed messages.<br />
• spam — Number of spam messages (Intercept Certainly Spam or Probably Spam, PBMF spam).<br />
• ham — Number of messages that were clean (not spam, virus, or malformed).<br />
• connection_attempts — Number of connection attempts.<br />
• bad_mail — Number of virus-infected, malformed, and spam messages.<br />
• bad_recipients — Number of unknown recipients (or 0 if the "Reject on unknown recipient"<br />
feature is disabled).<br />
• good_recipients — Number of legitimate recipients.<br />
• perc_ham_to_messages — Percentage of clean messages to the total number of messages.<br />
• perc_virus_to_messages — Percentage of virus-infected messages to the total number of<br />
messages.<br />
• perc_spam_to_messages — Percentage of spam messages to the total number of messages.<br />
• perc_malformed_to_messages — Percentage of malformed messages to the total number of<br />
messages.<br />
• perc_bad_to_messages — Percentage of bad messages (virus, malformed, and spam) to the<br />
total number of messages.<br />
• perc_ham_to_spam — Percentage of clean messages to the total number of spam messages.<br />
247
These email statistics must be used in combination with a specific time period. This allows you<br />
to check for the number of certain types of email messages, such as "spam" messages, in a<br />
certain time period such as 24 hours.<br />
The following table describes various time periods that can be used in conjunction with the email<br />
statistics variables.<br />
TABLE 4. Statistics Time Periods<br />
• stats1m — Statistics for the last minute<br />
• stats5m — Statistics for the last 5 minutes<br />
• stats15m — Statistics for the last 15 minutes<br />
• stats30m — Statistics for the last 30 minutes<br />
• stats1h — Statistics for the last hour<br />
• stats24h — Statistics for the last 24 hours (1 day)<br />
Specify the time period and the email statistics parameter separated by a "." (period).<br />
For example, to check how many spam messages were received in the last 24 hours, use the<br />
following:<br />
stats24h.spam<br />
To check the percentage of the number of spam messages compared to the total amount of<br />
messages in the last hour, use the following:<br />
stats1h.perc_spam_to_messages<br />
248
Boolean Operators and Syntax<br />
The following are the Boolean operators that can be used when building condition statements.<br />
To combine operators, use the following syntax to ensure the order: (a && (b || c)). This<br />
indicates the result of "a" AND ("b" OR "c").<br />
TABLE 5. Boolean Operators<br />
• && — and<br />
• ! — not<br />
• || — or<br />
• > — Greater than<br />
• < — Less than<br />
• == — Equal to<br />
• >= — Greater than or equal to<br />
• <= — Less than or equal to<br />
For example:<br />
stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3<br />
This example checks the number of good and bad recipients in the last 30 minutes. If the bad<br />
recipients are greater than or equal to 50, and the good recipients are less than 3, then the<br />
condition is true.<br />
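The following Python is an added example, not the scripting engine <strong>ePrism</strong> uses: a small parser and evaluator for the condition statements described in this section, with the operator set and precedence of TABLE 5 and the "period.statistic" naming of TABLE 4. The check_script function mimics the check that runs when rules are applied, reporting conditions that do not parse or that name a variable the script does not have; the SAMPLE variables and the function names are mine.<br />

```python
import operator
import re

# Tokens of the condition language: integers, names (a "." joins a time period
# to a statistic, as in stats30m.bad_recipients) and the TABLE 5 operators.
_TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_][\w.]*)|(&&|\|\||>=|<=|==|[()<>!]))")
_CMP = {">": operator.gt, "<": operator.lt, "==": operator.eq,
        ">=": operator.ge, "<=": operator.le}


def tokenize(text):
    tokens, pos = [], 0
    while text[pos:].strip():
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad character {text[pos:].strip()[0]!r} at offset {pos}")
        num, name, op = m.groups()
        tokens.append(("num", int(num)) if num else ("name", name) if name else ("op", op))
        pos = m.end()
    return tokens + [("end", None)]  # sentinel: the parser never runs off the end


class Parser:
    """Recursive descent, loosest to tightest: ||, then &&, then ! and comparisons,
    so (a && (b || c)) groups exactly as the manual describes."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def take(self, expect=None):
        tok = self.toks[self.i]
        if expect and tok != expect:
            raise SyntaxError(f"expected {expect[1]!r}, got {tok[1]!r}")
        if tok[0] != "end":
            self.i += 1
        return tok
    def parse(self):
        node = self.binary("||")
        if self.toks[self.i][0] != "end":
            raise SyntaxError(f"unexpected {self.toks[self.i][1]!r}")
        return node
    def binary(self, op):
        operand = (lambda: self.binary("&&")) if op == "||" else self.unary
        node = operand()
        while self.toks[self.i] == ("op", op):
            self.take()
            node = ("or" if op == "||" else "and", node, operand())
        return node
    def unary(self):
        if self.toks[self.i] == ("op", "!"):
            self.take()
            return ("not", self.unary())
        left = self.atom()
        if self.toks[self.i][0] == "op" and self.toks[self.i][1] in _CMP:
            return ("cmp", self.take()[1], left, self.atom())
        return left
    def atom(self):
        kind, value = self.take()
        if kind in ("num", "name"):
            return (kind, value)
        if (kind, value) == ("op", "("):
            node = self.binary("||")
            self.take(("op", ")"))
            return node
        raise SyntaxError(f"unexpected {value!r}")


def evaluate(node, ctx):
    """Evaluate a parsed condition against one connection's variables."""
    kind = node[0]
    if kind == "num":
        return node[1]
    if kind == "name":
        if node[1] not in ctx:
            raise NameError(f"unknown variable {node[1]!r}")
        return ctx[node[1]]
    if kind == "not":
        return not evaluate(node[1], ctx)
    if kind == "cmp":
        return _CMP[node[1]](evaluate(node[2], ctx), evaluate(node[3], ctx))
    left = bool(evaluate(node[1], ctx))  # "and" / "or": right side only if needed
    return (left or bool(evaluate(node[2], ctx))) if kind == "or" else (left and bool(evaluate(node[2], ctx)))


def check_script(conditions, ctx):
    """The check Apply performs on the whole rule list: one error string per
    condition that does not parse or names a variable the script does not have."""
    errors = []
    for number, condition in enumerate(conditions, 1):
        try:
            evaluate(Parser(condition).parse(), ctx)
        except (SyntaxError, NameError) as exc:
            errors.append(f"rule {number}: {exc}")
    return errors


def matches(condition, ctx):
    return bool(evaluate(Parser(condition).parse(), ctx))


# Constructed variables for one connecting client (sample data, not real traffic).
SAMPLE = {"is_internal": False, "is_mynetworks": False, "block_list": 0,
          "open_connections": 3, "stats30m.bad_recipients": 72,
          "stats30m.good_recipients": 1, "stats1h.virus": 0}

if __name__ == "__main__":
    harvester = "stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 && (!is_internal && !is_mynetworks)"
    print(Parser(harvester).parse(), matches(harvester, SAMPLE), check_script([harvester, "open_connections > 3 &&"], SAMPLE))
```

The parser keeps the conventional precedence (! tightest, then comparisons, then &&, then ||), so a && b || c reads as (a && b) || c; when in doubt, parenthesize as the section above recommends.<br />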
Connection Rules Script Error Checking<br />
When you are finished with the changes and additions to the connection rules, click the Apply<br />
button. The results of the script test will be shown, including any syntax errors if they occur.<br />
249
If an error occurs, examine the rule you just applied and check the condition statement to<br />
ensure that it conforms to the proper syntax and that any variables or parameters are entered<br />
correctly.<br />
250
Static Address Lists<br />
Static IP/CIDR address lists are used to define specific groups of IP addresses that affect<br />
Threat Prevention processing. When a client connects, the connection rules script will look up<br />
the client’s IP address in the existing Static Address Lists and perform any defined actions for<br />
that list. This allows you to trust, block, or provide additional classification for a specific IP<br />
address or subnet.<br />
For example, if the address is listed in the blacklist, the connection rules script will reject the<br />
message. Addresses in the peers or mynetworks list can be exempted from some of the checks<br />
because they are known sources or internal networks of your organization.<br />
It is critical that administrators add any non-routable networks used locally to the internal<br />
address list and ensure any networks under an organization’s control or friendly networks are<br />
listed in the mynetworks and peers list respectively. This prevents any local addresses from<br />
being affected by Threat Prevention processing.<br />
Select Mail Delivery ➝ Threat Prevention ➝ Static Lists to define your static address lists.<br />
• blacklist — List of any IP addresses or networks from which you will never want to receive<br />
email.<br />
• internal — List of internal non-routable IP addresses from which you will always accept<br />
mail, such as the 192.168.0.0 network.<br />
• mynetworks — A list of networks and subnets that are under your organization’s control<br />
from which you will always accept mail.<br />
• peers — A list of special sites such as peer ISP networks from which you will typically<br />
always accept mail.<br />
The peers list is not used by the default connection rules. Administrators must modify the current<br />
rules or add a new connection rule to use this list.<br />
• relays — A list of mail servers that need to relay mail via <strong>ePrism</strong>. This prevents these<br />
servers from being blocked by content-based Threat Prevention rules and BSN, as well as<br />
being reported to BSN.<br />
Click the Add button to add a new IP list.<br />
251
Enter a name and description for this address list, and then enter one of the following address<br />
types:<br />
• Single IP address, such as 192.168.1.25.<br />
• Subnet in CIDR format (such as 192.168.0.1/24)<br />
• Class A, B, or C subnet with trailing octets removed (such as 192.168)<br />
Enter a comment that can be used to further describe the addresses in this list.<br />
When finished, click the Add button to add the new list.<br />
Uploading and Downloading Addresses<br />
A list of addresses can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[address],[description]<br />
For example:<br />
192.168.0.0/16,non-routable<br />
The file (ipcidr.csv) should be created in csv file format using Excel, Notepad or another<br />
Windows text editor. It is recommended that you download the file first by clicking Download<br />
File, editing it as required, and uploading it using the Upload File button.<br />
252
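Added example, not <strong>ePrism</strong> code: a parser for the [address],[description] upload format above that accepts the three address forms described for static lists (single IP, CIDR subnet, and a class A, B, or C prefix with trailing octets removed) and answers the is_&lt;list&gt; question a connection rule asks. The sample entries are constructed and the helper names are mine.<br />

```python
"""Added example (not ePrism code): parse the ipcidr.csv upload format and
answer the is_<list> question a connection rule asks.  Sample entries constructed."""
import ipaddress


def parse_entry(address):
    """Accept the three address forms the manual lists: a single IP, a CIDR
    subnet, or a class A/B/C prefix with trailing octets removed (192.168)."""
    text = address.strip()
    if "/" in text:  # CIDR; strict=False lets 192.168.0.1/24 stand for 192.168.0.0/24
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address, CIDR block or octet prefix: {address!r}")
    if len(octets) == 4:
        return ipaddress.ip_network(text)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def load_list(csv_text):
    """Read [address],[description] lines (comma or tab separated), reporting
    malformed lines with their line number so an upload error can be located."""
    entries = []
    for number, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip():
            continue
        address, _, description = line.replace("\t", ",").partition(",")
        try:
            entries.append((parse_entry(address), description.strip()))
        except ValueError as exc:
            raise ValueError(f"line {number}: {exc}") from None
    return entries


def is_listed(lists, name, ip):
    """The is_<name> check of a connection rule: does any entry contain ip?"""
    client = ipaddress.ip_address(ip)
    return any(client in network for network, _ in lists.get(name, []))


# Constructed sample upload for the "internal" static list.
INTERNAL_CSV = """192.168.0.0/16,non-routable
10,RFC 1918 class A
172.16.1.25\tmanagement host
"""
LISTS = {"internal": load_list(INTERNAL_CSV)}

if __name__ == "__main__":
    for ip in ("192.168.44.2", "10.9.8.7", "172.16.1.26", "203.0.113.5"):
        print(ip, "is_internal =", is_listed(LISTS, "internal", ip))
```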
Dynamic Address Lists<br />
The Threat Prevention feature can place IP addresses into Dynamic Address lists for a<br />
specified period of time and set the response to connection requests for clients falling into<br />
these groups. These dynamic lists can be configured to provide a specific action (such as 450<br />
temporary reject or 550 permanent reject) and a time period to execute that action.<br />
Dynamic lists differ from Static lists because their contents are always changing based on the<br />
latest threat prevention data. Static lists are used by the administrator to define trusted and<br />
blocked lists based on addresses specific to their organization. Dynamic lists build their data<br />
from the history of connecting addresses and assign specific rules and actions to these<br />
addresses based on that history.<br />
IP addresses are added to these lists by the Threat Prevention connection rules script if they<br />
match a specific behavior. For example, messages from an IP address that indicate harvesting<br />
of email addresses will be put into the harvesters list.<br />
When that same IP address tries to connect again after being added to the list, it will be<br />
rejected with a configured reject code for the list if it is configured with the reject action. For<br />
example, the harvesters list will reject with code "550 denied due to too many unknown<br />
recipients". No further statistics will be gathered on that IP address during this early reject<br />
period and further Threat Prevention rules will not be applied. An IP address can be released<br />
from a dynamic list after a configurable period of time. Dynamic lists can contain tens of<br />
thousands of IP addresses.<br />
Dynamic lists with an action of "Just Log" will pass the request on to the rules processing script.<br />
The rules script can then specify its own reject or accept action. If the rules script specifies an<br />
accept action, further statistics will be gathered as the mail is received and processed.<br />
Integration with F5 and Cisco Devices<br />
The dynamic lists defined on <strong>ePrism</strong> can also be pushed to an F5 or Cisco device. If this<br />
feature is configured, any IP addresses that are added to a Dynamic list by the connection rules<br />
script will be pushed to an F5 or Cisco device and added to a group list of the same name. This<br />
allows the F5 or Cisco device to process further connections from the IP address and to act<br />
accordingly without the connection reaching <strong>ePrism</strong>.<br />
253
Configuring Dynamic Lists<br />
Select Mail Delivery ➝ Threat Prevention ➝ Dynamic Lists to configure your threat<br />
prevention dynamic lists.<br />
There are five predefined dynamic lists:<br />
• blacklisted — Addresses that have been blocked.<br />
• harvesters — Addresses known to be involved in email address directory harvesting.<br />
• infected — Addresses known to send virus-infected messages.<br />
• spammers — Addresses known to send large amounts of spam.<br />
• tarpit — Group used to temporarily reject connections to slow down incoming connections<br />
from an address.<br />
Select a group to edit its properties, or click the Add button to add a new group.<br />
• Name — Enter a descriptive name for this list. If you are pushing data to an F5 or Cisco<br />
device, this list name must match the group name configured on the device.<br />
254
• Description — Enter a description of this list.<br />
• Action — Action to take if a connection IP is listed in this group. Choices are Reject Mail, or<br />
Just Log.<br />
• Reject Code — If the selected action is Reject Mail, reply to the connection request with<br />
this reject code. Choose between "450" (temporary) or "550" (permanent).<br />
• Reject Message — Enter the reason provided to the client for rejecting the connection.<br />
This message is only used if the action is set to Reject Mail.<br />
• Entry Duration — Enter the duration (in seconds) for an IP to remain in this list after it has<br />
been placed into this group by a connection rule. This duration period only applies to the<br />
groups on <strong>ePrism</strong> and is not pushed to an F5 or Cisco device.<br />
• Maximum Entries — If the entry is not rejected, only allow this many address entries at<br />
once in the list. This value can range from 0 to 100000. Set to "0" for unlimited.<br />
• Push to Cisco Devices — Select the check box to push data to all configured Cisco<br />
devices. The list name must be identical to the group name defined on the Cisco device.<br />
Only one dynamic list can be assigned to push information to a Cisco device.<br />
• Push to F5 Devices — Select the check box to push data to all configured F5 devices. The<br />
Group name must be identical to the group name defined on the F5 device.<br />
255
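Added example (not <strong>ePrism</strong>'s implementation): a model of a dynamic list with the properties above (Action, Reject Code, Reject Message, Entry Duration, Maximum Entries), the early connection check that runs before the rules script, and the incremental push of additions and expiries to a device group of the same name. Timestamps are passed in explicitly so the block runs offline; the "watch" list and all IP addresses are constructed, and the precedence of Reject over Just Log when a client is in both kinds of list is an assumption.<br />

```python
"""Added example (not ePrism code): the life cycle of a Threat Prevention dynamic
list as described above, driven by explicit timestamps so it runs offline."""


class DynamicList:
    def __init__(self, name, action, reject_code=None, reject_message="",
                 entry_duration=3600, max_entries=0):
        self.name, self.action = name, action  # action: "reject" or "log" (Just Log)
        self.reject_code, self.reject_message = reject_code, reject_message
        self.entry_duration, self.max_entries = entry_duration, max_entries
        self.entries = {}  # ip -> time at which the entry expires

    def expire(self, now):
        """Release entries whose Entry Duration has elapsed; return the released IPs."""
        expired = sorted(ip for ip, until in self.entries.items() if until <= now)
        for ip in expired:
            del self.entries[ip]
        return expired

    def add(self, ip, now):
        """Called when a rule with Add to List fires.  Refuses new entries once
        Maximum Entries is reached (0 means unlimited); re-adding refreshes."""
        self.expire(now)
        if self.max_entries and ip not in self.entries and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = now + self.entry_duration
        return True


def connection_check(lists, ip, now):
    """Early check before the rules script runs.  A Reject list answers at once
    (no further statistics are gathered); a Just Log list only records the hit
    and lets the rules script decide.  Reject wins over Just Log (assumption)."""
    logged = None
    for lst in lists:
        lst.expire(now)
        if ip not in lst.entries:
            continue
        if lst.action == "reject":
            return {"action": "reject", "code": lst.reject_code,
                    "message": lst.reject_message, "list": lst.name}
        logged = lst.name
    if logged:
        return {"action": "log", "list": logged}
    return {"action": "rules", "list": None}


def push_delta(lst, pushed, now):
    """One incremental push to an F5/Cisco group of the same name: IPs added
    since the last push, IPs expired since then, and the new pushed set."""
    lst.expire(now)
    current = set(lst.entries)
    return sorted(current - pushed), sorted(pushed - current), current


# Constructed sample: the predefined harvesters list and a Just Log list ("watch"
# is not one of the predefined lists; it is made up for this example).
HARVESTERS = DynamicList("harvesters", "reject", 550,
                         "denied due to too many unknown recipients", 3600)
WATCH = DynamicList("watch", "log", max_entries=2)

if __name__ == "__main__":
    HARVESTERS.add("203.0.113.7", now=1000)
    print(connection_check([HARVESTERS, WATCH], "203.0.113.7", now=1500))
    print(connection_check([HARVESTERS, WATCH], "203.0.113.7", now=4700))  # released
```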
F5 Blocking<br />
Administrators can push <strong>ePrism</strong>’s Threat Prevention information to an existing F5 device.<br />
The F5 device can then be configured to rate limit, throttle, or block a given IP address.<br />
The dynamic lists defined with <strong>ePrism</strong>’s Threat Prevention feature can be used to populate data<br />
groups on the F5 with the same name. For example, IP addresses already placed in a<br />
"spammers" group can be pushed to the same group name on the F5 device, allowing it to<br />
manage the response to these addresses. The F5 device will then be responsible for acting on<br />
those IP addresses. When an item is removed from a Threat Prevention dynamic list, it is<br />
automatically removed from the F5 data group.<br />
Note that the duration period of the IP addresses only applies to the Dynamic lists on <strong>ePrism</strong>.<br />
<strong>ePrism</strong> pushes updated list information to the F5 every 30 seconds to ensure the lists are<br />
current and accurate: any expired IP addresses are removed and any addresses added since the<br />
last update are added to the F5 device’s list. The Dynamic list is also fully synchronized with<br />
the F5 device every hour.<br />
Administrators must then configure iRules on the F5 device to act on the data groups as<br />
appropriate. The Threat Prevention feature will not automatically create iRules on the F5 device.<br />
The F5 device must be version 9.0.5 or greater.<br />
Select Mail Delivery ➝ Threat Prevention ➝ F5 Blocking to define your F5 devices.<br />
Click Add to add a new F5 device.<br />
• Name — Enter a descriptive name to refer to this specific F5 device.<br />
• URL — Enter the full URL for the F5 device, such as https://10.10.5.200.<br />
• <strong>User</strong> Name — Enter a valid user name to log into the F5 device.<br />
• Password — A corresponding password for the user name entered above.<br />
Click the Test button to test your connection and login parameters on the F5 device.<br />
Enabling Data Transfer to an F5 Device<br />
<strong>ePrism</strong>’s Threat Prevention feature can be configured to push items from its own defined<br />
dynamic lists to F5 data groups of the same name on one or more F5 devices.<br />
To enable data to be pushed to F5, ensure that each Dynamic list defined on <strong>ePrism</strong> in Mail<br />
Delivery ➝ Threat Prevention ➝ Dynamic Lists has the Push to F5 Devices check box<br />
enabled.<br />
Configuring F5 Data Groups<br />
A data group with the same name as each Dynamic list defined on <strong>ePrism</strong> must be created manually<br />
on every F5 device. The Threat Prevention feature does not create these groups.<br />
On the F5 device, create the groups as "external file" address data groups, not as in-memory<br />
address data groups. External file address groups can be updated frequently with many IP<br />
addresses without affecting F5 performance.<br />
To create groups on the F5 device:<br />
1. Log in to the F5 administration interface.<br />
2. Select Local Traffic ➝ iRules, and then click the Data Group list tab.<br />
3. Click Create, and then enter the same group name as the Dynamic list defined in <strong>ePrism</strong>’s<br />
Threat Prevention feature.<br />
4. Select External file (not Address); a further set of options appears.<br />
5. Enter the group name and select Address in the File Contents list.<br />
6. Click Finished.<br />
7. Repeat the steps for each data group required. This procedure must be repeated on each<br />
F5 device.<br />
8. Create an iRule for the data group.<br />
An iRule for the default set of data groups provided with Threat Prevention would be similar<br />
to the following. All of the checks sit inside the CLIENT_ACCEPTED event handler, and the<br />
slow_rateclass pool referenced by the tarpit check must exist on the BIG-IP:<br />
when CLIENT_ACCEPTED {<br />
    # Each data group below must exist on the BIG-IP with the same name as the<br />
    # ePrism dynamic list that populates it. Rejected clients get an SMTP 550<br />
    # and the connection is then dropped.<br />
    if { [matchclass [IP::remote_addr] equals $::harvesters] } {<br />
        TCP::respond "550 Message Rejected - Too many unknown recipients\r\n"<br />
        drop<br />
    }<br />
    if { [matchclass [IP::remote_addr] equals $::spammers] } {<br />
        TCP::respond "550 Message Rejected - Too much spam\r\n"<br />
        drop<br />
    }<br />
    if { [matchclass [IP::remote_addr] equals $::blacklisted] } {<br />
        TCP::respond "550 Message Rejected - client blacklisted\r\n"<br />
        drop<br />
    }<br />
    if { [matchclass [IP::remote_addr] equals $::infected] } {<br />
        TCP::respond "550 Message Rejected - Infected\r\n"<br />
        drop<br />
    }<br />
    # Tarpitted clients are not rejected; they are sent to a rate-limited pool<br />
    if { [matchclass [IP::remote_addr] equals $::tarpit] } {<br />
        pool slow_rateclass<br />
    }<br />
}<br />
9. Create any rate shaping classes, virtual hosts, pools, and so on, as necessary for normal<br />
configuration of an MTA. In the previous example, a pool called "slow_rateclass" is required<br />
that would be configured with rate shaping to allow a limited rate of traffic.<br />
10. Click the Test button in the Mail Delivery ➝ Threat Prevention ➝ F5 Blocking menu to<br />
verify that you have configured the F5 device correctly in the Threat Prevention feature.<br />
<strong>ePrism</strong> will attempt to list the contents of the F5 data group. If successful, the list of IP<br />
addresses which have been pushed to the F5 device will be displayed. The test feature will<br />
not interrupt mail delivery or communications with the F5 and can be used at any time.<br />
In BIG-IP version 9.0.5 you cannot view the contents of external file data groups from the F5 web<br />
interface. Use the Test button in <strong>ePrism</strong>’s Threat Prevention menu to view the contents of external<br />
file data groups instead.<br />
<strong>ePrism</strong> and F5 Integration Notes<br />
Note the following considerations when integrating <strong>ePrism</strong> and an F5 device:<br />
• The Threat Prevention feature pushes changes every 30 seconds and also performs a full<br />
synchronization with each F5 data group once an hour to ensure there are no discrepancies.<br />
• If a data group named for a pushed Dynamic list does not exist on the F5 device, Threat<br />
Prevention retries the synchronization indefinitely, once every second, and logs a warning for<br />
this condition in the mail logs once every 30 seconds. Creating the missing data group on the<br />
F5 device clears the condition.<br />
• If communications between <strong>ePrism</strong> and the F5 device are lost, the Threat Prevention<br />
feature retries the connection to the F5 up to ten times.<br />
• When using F5 integration with an <strong>ePrism</strong> cluster, only the master Cluster Console’s data<br />
groups are pushed to the F5 device.<br />
Cisco Blocking<br />
Administrators can push Threat Prevention information to an existing Cisco device. <strong>ePrism</strong> can<br />
update the Cisco device with the contents of one Dynamic Address List. The Cisco device can then<br />
block a listed IP address because the address is added to a named IP ACL (Access Control List).<br />
When an item is removed from <strong>ePrism</strong>’s Threat Prevention list, it is automatically removed from<br />
the Cisco IP access list.<br />
<strong>ePrism</strong> uses the named IP access list feature to carry the list to the Cisco device. Cisco IOS<br />
version 11.2 or later is required for <strong>ePrism</strong> and Cisco integration.<br />
Select Mail Delivery ➝ Threat Prevention ➝ Cisco Blocking to define your Cisco devices.<br />
Click the Add button to add a new Cisco device.<br />
• Name — Enter a descriptive name to refer to this specific Cisco device.<br />
• URL — Enter the full telnet URL for the Cisco device, such as telnet://192.168.1.175. Telnet<br />
carries the login and enable passwords in cleartext, so the path between <strong>ePrism</strong> and the Cisco<br />
device should be a trusted management network.<br />
• <strong>User</strong> Name — Enter a valid user name to log into the Cisco device.<br />
• <strong>User</strong> Password — The corresponding password for the user name entered above.<br />
• Administrative Password — Enter the administrative (enable) password for this device.<br />
Enabling Data Transfer to a Cisco Device<br />
<strong>ePrism</strong>’s Threat Prevention feature can be configured to push items from one defined Dynamic<br />
Address List to a named IP access list on a Cisco device. To enable data to be pushed to the Cisco<br />
device, select a Dynamic list defined on <strong>ePrism</strong> in Mail Delivery ➝ Threat Prevention ➝<br />
Dynamic Lists, and ensure the Push to Cisco Devices check box is enabled.<br />
When using Cisco integration with an <strong>ePrism</strong> cluster, only the master Cluster Console’s data groups<br />
are pushed to the Cisco device.<br />
The Cisco device can accept only one dynamic list. It is recommended that the blacklisted list be<br />
used to block clients at the Cisco device.<br />
Note that the duration period of the IP addresses applies only to the Dynamic lists on <strong>ePrism</strong>.<br />
<strong>ePrism</strong> pushes list changes to the Cisco device every 30 seconds to keep the access list current:<br />
expired IP addresses are removed and addresses added since the last update are appended. The<br />
Dynamic list is also fully synchronized with the Cisco device every hour.<br />
Set the Maximum Entries value of the pushed list to suit the capabilities of your Cisco device. A<br />
large value can overrun a smaller Cisco device that can hold only a limited number of access list<br />
entries.<br />
Cisco Device Configuration<br />
Configure the Cisco device as follows to integrate with <strong>ePrism</strong>’s Threat Prevention feature.<br />
For IOS version 12.1 and later, the named access list is created automatically on the Cisco device<br />
when <strong>ePrism</strong> first pushes the Dynamic list; however, the access list must still be applied to an<br />
interface with the ip access-group command before it filters any traffic.<br />
1. Log in to the Cisco device and enter privileged (enable) mode.<br />
2. Enter global configuration mode:<br />
Router# configure terminal<br />
3. Enter interface configuration mode for the interface that receives the inbound mail traffic:<br />
Router(config)# interface FastEthernet x/y (where x/y identifies the interface)<br />
4. Apply the access list named after the <strong>ePrism</strong> Dynamic Address List (for example, blacklisted) to<br />
inbound traffic on that interface, where list-name is the name of the pushed list:<br />
Router(config-if)# ip access-group list-name in<br />
5. Exit interface configuration mode:<br />
Router(config-if)# exit<br />
6. Repeat steps 3 to 5 for each Cisco interface as required.<br />
After the first push, confirm the list contents with show ip access-lists list-name. An IOS named<br />
access list ends with an implicit deny of everything it does not explicitly match, so verify that the<br />
list applied to the interface ends with a permit statement for other traffic; a list containing only<br />
deny entries blocks all inbound traffic on that interface.<br />
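The push cycle described above for both F5 and Cisco devices (changes every 30 seconds, a full synchronization every hour, expiry applied only on <strong>ePrism</strong>, the Maximum Entries cap) can be modelled as a small program. The following is an added example written for this guide, not <strong>ePrism</strong> code: it assumes a per-list expiry, an incremental delta push with a periodic full rebuild, and IOS named extended ACL syntax, and it makes the point that the rendered list must end with a permit statement. The DynamicList, push_cycle and render_cisco_acl names and the sample addresses are the example’s own.<br />

```python
"""Model of pushing a Threat Prevention dynamic list to a Cisco named ACL.

Added example, not ePrism code. Assumptions (not stated by the guide): entries
carry a per-list expiry, each push sends only the delta (new addresses added,
expired ones removed) and a periodic full sync rebuilds the device list; the
device is driven with IOS named extended ACL commands. Addresses are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DynamicList:
    name: str                 # must match the ACL (or data group) name on the device
    duration: int             # seconds an address stays listed; applies on ePrism only
    max_entries: int = 0      # 0 = unlimited, as on the Dynamic Lists screen
    entries: dict = field(default_factory=dict)   # ip -> expiry time

    def add(self, ip, now):
        """Add or refresh an address; returns False if the list is full."""
        ip = str(ipaddress.ip_address(ip))        # never pass garbage to a device
        self.expire(now)
        if ip not in self.entries and self.max_entries and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = now + self.duration
        return True

    def expire(self, now):
        """Drop entries whose duration has elapsed; returns the expired set."""
        expired = {ip for ip, t in self.entries.items() if t <= now}
        for ip in expired:
            del self.entries[ip]
        return expired

    def active(self):
        return set(self.entries)


def plan_delta(desired, on_device):
    """Incremental push: (addresses to add, addresses to remove) on the device."""
    return desired - on_device, on_device - desired


def _by_ip(addrs):
    return sorted(addrs, key=ipaddress.ip_address)


def render_cisco_acl(acl_name, desired, on_device, full_sync=False):
    """IOS commands that bring named ACL `acl_name` in line with `desired`.

    The list always ends with `permit ip any any`: a named ACL has an implicit
    deny at its end, so a list holding only deny entries would block every other
    inbound packet on the interface it is applied to.
    """
    cmds = []
    if full_sync:
        # Rebuild from scratch. While the ACL does not exist the interface permits
        # all traffic (fail-open), the safer direction for a mail blocklist.
        cmds += [f"no ip access-list extended {acl_name}",
                 f"ip access-list extended {acl_name}"]
        cmds += [f" deny ip host {ip} any" for ip in _by_ip(desired)]
        cmds.append(" permit ip any any")
    else:
        adds, removes = plan_delta(desired, on_device)
        if not adds and not removes:
            return cmds                        # nothing changed since the last push
        cmds.append(f"ip access-list extended {acl_name}")
        cmds += [f" no deny ip host {ip} any" for ip in _by_ip(removes)]
        if adds:
            # IOS appends new lines at the end of a named ACL, so the trailing
            # permit is removed first and re-added after the new deny lines.
            cmds.append(" no permit ip any any")
            cmds += [f" deny ip host {ip} any" for ip in _by_ip(adds)]
            cmds.append(" permit ip any any")
    cmds.append(" exit")
    return cmds


def push_cycle(dlist, on_device, now, full_sync=False):
    """One push (incremental every 30 s, full once an hour): (commands, new device state)."""
    dlist.expire(now)
    desired = dlist.active()
    return render_cisco_acl(dlist.name, desired, on_device, full_sync), desired


if __name__ == "__main__":
    blacklist = DynamicList("blacklisted", duration=3600, max_entries=1000)
    for ip in ("192.0.2.10", "198.51.100.7"):       # constructed sample addresses
        blacklist.add(ip, now=0)
    cmds, device = push_cycle(blacklist, set(), now=30)
    print("\n".join(cmds))
```

The incremental path briefly removes the trailing permit while new deny lines are appended, which fails closed on that interface for a moment; the hourly full rebuild instead deletes and recreates the list, which fails open. Whichever the device integration does, the check that matters is the one in step 4 above: the list applied to the interface must end with a permit.<br />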
Threat Prevention Status<br />
The Threat Prevention Status screen displays the current state of the threat prevention feature<br />
and provides information on the current number of items in each specified list, such as the<br />
number of addresses listed as "spammers".<br />
Select Status/Reporting ➝ Threat Prevention Status from the menu to view the current threat<br />
status.<br />
A summary of the entire threat prevention database is displayed, including the following:<br />
• Number of IPs in the Threat Prevention database<br />
• Number of open connections and open connections in a DNSBL<br />
• The number of items in each defined data group, such as "tarpit", "harvesters", "spammers",<br />
"infected", and "blacklisted".<br />
Administrators can search for the state of a specific IP address by entering it in the search field<br />
and clicking the right-arrow button.<br />
A new table will appear for that specific IP address displaying statistics on the number of<br />
messages from that IP address during a time period and the types of messages received.<br />
To reset the status data, click Reset Threat Prevention History.<br />
CHAPTER 12<br />
HALO (High Availability and<br />
Load Optimization)<br />
This chapter describes the high availability and load optimization features of the <strong>ePrism</strong> <strong>Email</strong><br />
<strong>Security</strong> <strong>Appliance</strong>, and contains the following topics:<br />
• “HALO Overview” on page 266<br />
• “Configuring Clustering” on page 268<br />
• “Cluster Management” on page 274<br />
• “Configuring the F5 Load Balancer” on page 278<br />
• “Queue Replication” on page 279<br />
HALO Overview<br />
HALO (High Availability and Load Optimization) is the clustering architecture that provides high<br />
availability for the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>. HALO enables two or more <strong>ePrism</strong> systems<br />
to act as a single logical unit for processing a mail stream while providing load balancing and<br />
high availability benefits.<br />
HALO is designed so that mail messages are not lost when an individual system fails. The<br />
clustering architecture is illustrated in the following diagram.<br />
Cluster Management<br />
The <strong>ePrism</strong> systems participating in the cluster will be grouped together by connecting a<br />
network interface to a separate network called the Cluster Network. The <strong>ePrism</strong> systems will<br />
communicate clustering information with each other via this network. Systems can also be<br />
added or removed from clusters without interruption to mail services. It is recommended that all<br />
systems in the cluster should be running on the same platform, and that the cluster network be<br />
separated from the main production network.<br />
One system is configured to be the Cluster Console which is the "master" system where all<br />
cluster administration and configuration will be performed. When an <strong>ePrism</strong> system is added to<br />
the cluster, its configuration will automatically be synchronized with the Cluster Console. Any<br />
changes to the configuration on the Cluster Console will also be replicated to every cluster<br />
member.<br />
The <strong>ePrism</strong> cluster will be treated as a logical unit for processing mail and system configuration.<br />
Load Balancing<br />
Although the <strong>ePrism</strong> cluster will be treated as one system, email is processed independently by<br />
each cluster member and requires the use of a load balancing system to distribute mail flow<br />
between the systems in the cluster.<br />
Load Balancing via DNS<br />
DNS round-robin can be used to distribute incoming SMTP connections across the systems in the<br />
cluster. Sending MTAs sort MX records by preference value (lowest first) and choose at random<br />
among records with the same value, so two records with equal preference share the load, as in the<br />
following example MX records:<br />
example.com IN MX 10 mail1.example.com<br />
example.com IN MX 10 mail2.example.com<br />
Priority can be given to a specific server by assigning it a lower preference value. With the<br />
following records, senders try mail1 first and fall back to mail2 only if mail1 does not accept the<br />
connection:<br />
example.com IN MX 5 mail1.example.com<br />
example.com IN MX 10 mail2.example.com<br />
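What the two record sets above mean to a sending MTA can be shown in code. The following is an added example, not part of this guide or of <strong>ePrism</strong>: it implements the sender-side MX ordering of RFC 5321 section 5.1 (sort by preference, randomise ties, try hosts in order until one accepts) over constructed records, so the effect of equal versus distinct preference values, and of one cluster member being down, can be seen directly. The order_mx and deliver names are the example’s own.<br />

```python
"""Sender-side MX selection, added as an example (not ePrism code).

Shows what the MX records above mean to a sending MTA: records are sorted by
preference (lowest value first), order among equal values is randomised, and
hosts are tried in that order until one accepts the connection (RFC 5321,
section 5.1). The records are constructed, not looked up in DNS.
"""
import random


def order_mx(records, seed=None):
    """Return MX hostnames in the order a sender would try them.

    `records` is a list of (preference, hostname) tuples in zone-file order.
    """
    rng = random.Random(seed)
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)       # equal preference: the sender picks at random
        ordered.extend(group)
    return ordered


def deliver(records, connect, seed=None):
    """Try each host in MX order; return the one that accepted, or None.

    `connect(host)` stands in for the SMTP connection attempt and returns True
    when the host accepts. Every host failing means the sender queues and retries.
    """
    for host in order_mx(records, seed):
        if connect(host):
            return host
    return None


if __name__ == "__main__":
    equal = [(10, "mail1.example.com"), (10, "mail2.example.com")]
    ranked = [(5, "mail1.example.com"), (10, "mail2.example.com")]
    print("equal preference, attempt order:", order_mx(equal))
    print("mail1 down, accepted by:", deliver(ranked, lambda h: h != "mail1.example.com"))
```

With equal preferences, a sender that happens to pick a failed member first still connects to the other one, but only after its own connection timeout; that delay on roughly half of all inbound sessions is what a load balancer that tracks member availability avoids.<br />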
Using a Load Balancer<br />
You can also use a hardware load balancing device, such as the F5 BIG-IP, Cisco, or other<br />
similar load balancer. The load balancer is configured to send the mail stream to systems in a<br />
cluster. If one of the systems fails, the load balancer will distribute the load between the<br />
remaining systems.<br />
The load balancer can be configured to distribute the mail stream connections intelligently<br />
across all systems in the cluster, using techniques such as round-robin, and distribution by<br />
system load and availability.<br />
Configuring Clustering<br />
The following sections describe how to install and configure a cluster. In these examples, a<br />
cluster of two systems is described. The procedure requires the following steps:<br />
1. Hardware and Licensing — Ensure all systems are of the same hardware and have the<br />
same software versions and are properly licensed. This includes the <strong>ePrism</strong> license, the<br />
Stateful Failover license, and any other options. Ensure the member cluster systems are<br />
new installations with no changes to the default configuration. When they are connected to<br />
the cluster, they will receive their configuration from the Cluster Console.<br />
2. Cluster Network Configuration — Configure a network interface on each system for<br />
clustering.<br />
Using an M1000 (which only has two network cards) in a clustering scenario requires that it be<br />
deployed internally using a single interface model so that the second network card can be used for<br />
clustering.<br />
3. Create the cluster — From the Cluster Console system, create the cluster.<br />
4. Add Cluster members — From the Cluster Console, add the cluster member systems.<br />
Step 1: Hardware and Licensing<br />
All cluster members, including the Cluster Console, should be the same level of hardware, and<br />
be running the same version of software and update patches.<br />
All cluster members must also have the same additional features (such as Kaspersky Anti-Virus)<br />
installed and licensed before they are added to the cluster. It is critical that the cluster member<br />
systems be new installations with no changes to the default configuration except for licensed<br />
options, networking, and HALO settings, because they receive their configuration from the Cluster<br />
Console. The admin passwords on all systems must also be identical.<br />
Step 2: Cluster Network Configuration<br />
The following instructions describe how to configure the network settings for two <strong>ePrism</strong><br />
systems in a cluster.<br />
1. Connect an unused network interface from each <strong>ePrism</strong> to a common network switch, or<br />
connect each interface with a crossover network cable. This will form the "cluster network",<br />
a control network where clustering information will be passed back and forth between the<br />
<strong>ePrism</strong> systems that form the cluster. For security reasons, this network should be isolated<br />
on its own and not be connected to the main network. For a cluster of two systems, a<br />
crossover network cable can be connected between the selected interfaces providing a<br />
secure connection without the need for a switch.<br />
2. On each <strong>ePrism</strong> system, go to the Basic Config ➝ Network screen.<br />
3. On the network interface that you want to use for clustering, ensure that an IP address has<br />
been configured, and that the Trusted Subnet and Admin Login check boxes are enabled.<br />
4. In the Clustering section of the Network settings screen, select the Enable Clustering<br />
check box and choose the network interface that is connected to the cluster control<br />
network.<br />
Ensure that the selected interface has been already configured with an IP address before enabling<br />
clustering.<br />
Step 3: Creating the Cluster<br />
The following instructions describe how to create the cluster and initialize the Cluster Console<br />
system.<br />
1. Select HALO ➝ Cluster Administration on the menu. Before continuing, ensure that this<br />
is the system that you want to be the Cluster Console system.<br />
2. Click the Configure button to start the cluster configuration process.<br />
3. The system will prompt you for information on setting up the cluster. First, you must enter<br />
the admin user and password for the system that will be configured as the Cluster Console.<br />
Click the Add or Update Member button to add the system as the Cluster Console, and<br />
then click Close to finish.<br />
4. The Cluster Management console is then displayed.<br />
Step 4: Adding Cluster Members<br />
The following instructions describe how to add other systems to the cluster.<br />
It is critical that any additions or deletions from the cluster configuration be performed with only a<br />
single administrator logged in. If any changes are performed during a cluster configuration change,<br />
there is a risk that initialization of a member will not process correctly.<br />
1. Add cluster members by clicking the Add/Remove button in the Cluster Management<br />
console.<br />
2. Enter the Cluster Member hostname or IP Address, an optional name for the system, and<br />
the Admin login ID and password.<br />
All cluster systems must have the same Admin user password.<br />
3. Click the Add or Update Member button to add the system.<br />
4. When systems are added to a cluster, the configuration of the Cluster Console system is<br />
replicated automatically to the new cluster member. This process will take some time to<br />
complete, and the Cluster Management screen will indicate that the cluster member is<br />
initializing.<br />
It is critical that no other configuration changes are made to the Cluster Member or Cluster Console<br />
while the member is initializing.<br />
When a system is added to the cluster, the configuration of the Cluster Console is replicated<br />
to the new node with the following exceptions:<br />
• Unique networking settings such as host name and IP address, and network interface<br />
specific settings<br />
• Local users and any WebMail related information<br />
• Any reporting related information<br />
• Centralized management information<br />
• Token analysis databases<br />
• Vacation notification related information is only partially replicated<br />
Local user accounts cannot be used on a Cluster Member.<br />
5. When the initialization of the member is complete, the Cluster Management console will<br />
appear, displaying both the Cluster Console and the new cluster member.<br />
Troubleshooting Cluster Initialization<br />
The following table describes common issues that occur when configuring a cluster.<br />
TABLE 1. Troubleshooting Cluster Initialization<br />
• Issue: Blank 'Address' field when setting up the cluster console.<br />
Solution: The interface has not been correctly initialized. Go to Basic Config ➝ Network and<br />
scroll down to the Clustering section. Select the Cluster Interface, click Update, and reboot.<br />
• Issue: Connection check fails.<br />
Solution: The interface on the Console may not be configured correctly; the target cluster<br />
member machine is not running or the interface on the target node is not configured correctly;<br />
or the hardware or software of the cluster sub-net may not be configured correctly. Check the<br />
cluster subnet between the Console and the target cluster member.<br />
• Issue: Very slow to display the initialization screen in the console window for a new cluster<br />
member.<br />
Solution: Try clicking the Refresh now button on the Console screen.<br />
Cluster Management<br />
The Cluster Management screen is accessed on the Cluster Console via HALO ➝ Cluster<br />
Administration, displaying mail processing statistics for each individual cluster member. All<br />
cluster management and configuration must be performed from the Cluster Console system.<br />
Any configuration changes made to the Cluster Console are automatically replicated to the<br />
cluster member servers.<br />
Cluster Commands<br />
The following commands can be performed for the entire cluster or for individual cluster member<br />
systems:<br />
• Queues — Select the appropriate button to Run, Stop, and Flush the mail queues.<br />
• Send — You can Enable or Disable the sending of mail from the cluster or specified system.<br />
• Receive — You can Enable or Disable the receiving of mail for the cluster or specified<br />
system.<br />
Activate/Deactivate Members<br />
When member systems are added to a cluster, they are assigned an active state to process<br />
mail for the cluster. If you need to take this system out of the cluster for maintenance purposes,<br />
the system can be temporarily deactivated from the cluster by using the Deactivate button. A<br />
deactivated cluster member is still monitored, and can process mail, but its configuration will not<br />
be synchronized with the Cluster Console. The state of the email queue is not changed when a<br />
cluster member is deactivated.<br />
The Cluster Console itself cannot be deactivated. To perform maintenance on the Cluster<br />
Console, you must deactivate all cluster members individually. This effectively deactivates the<br />
entire cluster. When your maintenance is completed, reactivate each cluster member.<br />
To reactivate a disabled cluster member, click the Activate button. Activating a cluster member<br />
will synchronize its configuration information by comparing the last time of replication and<br />
update the system with the configuration from the Cluster Console. A complete<br />
resynchronization will be required if the replication times do not exactly match.<br />
A cluster member will be deactivated automatically if the Cluster Console is unable to<br />
communicate with it, and an alarm will be issued when this occurs. <strong>Email</strong> processing is not<br />
affected by this deactivation.<br />
Start-Up Configuration<br />
Click the Configure button to select an action to perform when a cluster member system<br />
restarts.<br />
• Wait for Console — The cluster member, after a restart, will wait until it contacts the<br />
Cluster Console system and synchronize before processing mail. The system will try to<br />
contact the console for five minutes before starting without synchronization.<br />
• Start immediately — The cluster member will start immediately without contacting and<br />
synchronizing its configuration with the Cluster Console system.<br />
Cluster Activity<br />
When a cluster is activated, a new Cluster Activity option appears on the Activity menu, and<br />
provides an activity screen displaying the combined activity of all cluster members. To see the<br />
activity for just the current system, use the Activity option from the menu.<br />
Cluster Reporting<br />
<strong>ePrism</strong> reports can be generated for a single system or for all systems in a cluster. The email<br />
database can also be searched on a single system or on the entire cluster. The history and<br />
status of any message can be instantly retrieved regardless of which system processed the<br />
message. See “Viewing and Generating Reports” on page 284 for more information on cluster<br />
reporting.<br />
Configuring a New Cluster Console<br />
If you need to assign the Cluster Console role to another system in the cluster, you must log in<br />
to the cluster member you would like to use as the Cluster Console and reconfigure the cluster<br />
from the HALO ➝ Cluster Administration menu. This will essentially deactivate the entire<br />
cluster, and you must add the cluster members again to the cluster once the new Cluster<br />
Console is initialized.<br />
Backup and Restore<br />
You should configure the backup for a cluster member with a unique backup directory for each<br />
cluster system, including the Cluster Console. Separate backup directories are required to<br />
ensure that backups do not inadvertently overwrite the backup from another cluster system.<br />
Restoring from a backup is primarily intended for product recovery after a re-installation or<br />
software upgrade. Restoring clustered systems can potentially cause problems with cluster<br />
configuration and communication, and it is recommended that you use the following procedures<br />
when restoring a member of a cluster system.<br />
See “Backup and Restore” on page 314 for more detailed information on the backup and restore<br />
process.<br />
Restoring a Cluster Member<br />
Use the following procedure to perform a restore on a cluster member system (not the Cluster<br />
Console):<br />
1. From the Cluster Console, remove the member system from the cluster.<br />
2. Disconnect the member system from the cluster network via the network cable.<br />
3. Perform the restore procedure, but only restore Quarantined mail, SSL Certificates,<br />
Token Analysis, and Reporting Data (optional). The member will automatically<br />
synchronize the rest of its configuration with the Cluster Console when it is reintegrated with<br />
the cluster.<br />
4. When the system is restored, disable clustering on the cluster network interface in Basic<br />
Config ➝ Network. Click the Update button but do not reboot.<br />
5. Re-enable clustering on the network interface. Ensure that the specified interface is the one<br />
connected to the cluster network. Click the Update button but do not reboot.<br />
6. Connect the member system’s network cable to the cluster network.<br />
7. From the Cluster Console, add the system back into the cluster.<br />
Restoring the Cluster Console<br />
On each cluster member system, (not the Cluster Console) clear the cluster configuration as<br />
follows:<br />
1. Disable clustering on the cluster network interface of each cluster member in Basic Config<br />
➝ Network. Click the Update button but do not reboot. Re-enable clustering on the network<br />
interface. Ensure that the specified interface is the one connected to the cluster network.<br />
Click the Update button but do not reboot.<br />
2. Disconnect the Cluster Console from the cluster network via the network cable.<br />
3. On the Cluster Console, perform a full restore of all configuration items.<br />
4. When the restore is complete, go to the cluster configuration screen in HALO ➝ Cluster<br />
Administration, and remove all cluster members from the cluster.<br />
5. Reconnect the Cluster Console to the cluster network.<br />
6. Reconfigure the cluster and add the other systems as cluster members.<br />
Trusted Senders List and Spam Quarantine with a Cluster<br />
The Trusted Senders List and Spam Quarantine can be used in a clustering environment.<br />
Please note the following when using these features in a Cluster.<br />
• Trusted Senders List — This feature should only be enabled on the master Cluster<br />
Console system. The cluster will automatically synchronize the configuration with the other<br />
cluster members.<br />
• Spam Quarantine — This feature should only be enabled on the master Cluster Console<br />
system. The cluster will automatically synchronize the configuration with the other cluster<br />
members.<br />
You must set up your Intercept Redirect To actions with a hostname dedicated to the<br />
cluster interface on the Cluster Console system. See “Spam Quarantine” on page 187 for<br />
detailed information on setting up the Spam Quarantine in a clustered environment.<br />
Configuring the F5 Load Balancer<br />
As part of <strong>ePrism</strong>’s clustering solution, you can use an F5 BIG-IP load balancer to control traffic to<br />
your clustered systems. <strong>ePrism</strong> includes a configuration screen where you can configure the BIG-IP<br />
through its iControl administrative interface.<br />
This integration lets <strong>ePrism</strong> register the cluster member nodes directly with the F5 device and<br />
report message and traffic load to the load balancer, so that it can make informed failover decisions.<br />
See the F5 documentation for more information on configuring the load balancer. This load balancing<br />
integration only works with BIG-IP software up to version 9. It is recommended that the load balancing<br />
configuration be performed on the F5 device itself rather than from <strong>ePrism</strong>.<br />
Select HALO ➝ F5 Integration from the menu to configure the BIG-IP load balancer.<br />
Click the Config button to setup a new F5 configuration.<br />
• BIG-IP Enabled — Select the check box to enable management of the BIG-IP load balancer<br />
with iControl.<br />
• BIG-IP IP Address — Specify the IP address of the BIG-IP system used for iControl<br />
administrative access.<br />
• Login — Enter the login ID used to configure the load balancer.<br />
• Password — Enter the password for the login ID above.<br />
• Pool — Specify the name of the load balancing pool used for mail flow for the <strong>ePrism</strong><br />
cluster.<br />
Queue Replication<br />
The Queue Replication feature enables mail queue replication and stateful failover between<br />
two <strong>ePrism</strong> systems. In the event that the primary owner of a mail queue is unavailable, the<br />
mirror system can take ownership of the mirrored mail queue for delivery.<br />
Without queue replication, a system with received and queued messages that have not been<br />
delivered may result in lost mail if that system suddenly fails. In large environments, this could<br />
translate into hundreds or thousands of messages.<br />
Queue replication actively copies any queued mail to the mirror system, ensuring that if one<br />
system should fail or be taken offline, the mirror system can take ownership of the queued mail<br />
and deliver it. If the source system successfully delivers the message, the copy of the message<br />
on the mirror server is automatically removed.<br />
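The mirroring and hand-over described above, modelled as an added example (this is not ePrism code): two systems replicate to each other, delivery by the owner clears the mirror copy, the mirror refuses to take ownership while the owner is reachable, and a resync on the owner's return drops whatever the mirror already delivered. Queue IDs, message bodies and the scenario are constructed.

```python
"""Model of mirrored mail queues with stateful failover.

Added example, not ePrism code. Two systems, A and B, mirror each other's
queues: a message received on one side is copied to the peer's mirror queue,
successful delivery by the owner removes the mirror copy, and the mirror only
takes ownership (the "Deliver Mirrored Messages" action) while the owner is
down. When the owner returns, a resync drops anything the peer already
delivered so nothing goes out twice. Queue IDs and bodies are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class System:
    name: str
    alive: bool = True
    queue: dict = field(default_factory=dict)      # own queued mail: id -> body
    mirror: dict = field(default_factory=dict)     # copies held for the peer
    delivered: list = field(default_factory=list)  # ids this system delivered
    peer: Optional["System"] = None

    def receive(self, queue_id: str, body: str) -> None:
        """Queue locally and immediately replicate to the peer's mirror queue."""
        self.queue[queue_id] = body
        if self.peer is not None and self.peer.alive:
            self.peer.mirror[queue_id] = body

    def deliver_queue(self) -> list:
        """Deliver own queued mail; each success removes the peer's mirror copy."""
        done = []
        for queue_id in list(self.queue):
            del self.queue[queue_id]
            self.delivered.append(queue_id)
            if self.peer is not None and self.peer.alive:
                self.peer.mirror.pop(queue_id, None)
            done.append(queue_id)
        return done

    def deliver_mirrored(self) -> list:
        """Take ownership of mail mirrored for the peer and deliver it.

        Refused while the peer is alive: it may still deliver the same mail."""
        if self.peer is not None and self.peer.alive:
            raise RuntimeError(f"{self.peer.name} is still alive; refusing")
        done = list(self.mirror)
        self.delivered.extend(done)
        self.mirror.clear()
        return done

    def resync(self) -> None:
        """On return to service, drop anything the peer delivered meanwhile."""
        if self.peer is None:
            return
        for queue_id in self.peer.delivered:
            self.queue.pop(queue_id, None)
            self.mirror.pop(queue_id, None)


def failover_scenario() -> dict:
    """A delivers q1, then fails holding q2 and q3; B takes over; A returns."""
    a, b = System("A"), System("B")
    a.peer, b.peer = b, a

    a.receive("q1", "hello")
    a.deliver_queue()                # q1 delivered; B's mirror copy removed
    a.receive("q2", "invoice")
    a.receive("q3", "report")
    a.alive = False                  # A goes down with q2, q3 undelivered

    taken = b.deliver_mirrored()     # admin confirms A is down, presses Deliver

    a.alive = True                   # A comes back with q2, q3 still queued
    a.resync()                       # learns B delivered them; drops its copies
    redelivered = a.deliver_queue()  # nothing left to send

    return {
        "taken_over_by_b": taken,
        "redelivered_by_a": redelivered,
        "delivered_total": sorted(a.delivered + b.delivered),
    }


if __name__ == "__main__":
    print(failover_scenario())
```

The `deliver_mirrored` guard is the code form of the warning in the configuration section: pressing Deliver while the source is still alive is what produces duplicates, and the resync step is what lets a recovered source avoid resending mail the mirror already handled.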
In the following diagram, system A and system B are configured to be mirrors of each other’s<br />
mail queues.<br />
When a message is received by system A, it is queued locally and a copy of the message is<br />
also immediately sent over the failover connection to the mirror queue on system B.<br />
If system A fails, administrators can log in to system B and take ownership of the queued mail to<br />
deliver it. Messages are exchanged between the systems to ensure that the mirrored mail<br />
queues are properly synchronized, preventing duplicate messages from being delivered when<br />
a failed system has come back online.<br />
Licensing<br />
HALO Queue Replication must be licensed to use it beyond the evaluation period.<br />
See “License Management” on page 308 for more information on licensing optional<br />
components.<br />
279
HALO (High Availability and Load Optimization)<br />
Configuring Queue Replication<br />
Select HALO ➝ Queue Replication from the menu to configure this feature’s options.<br />
• Enable Queue Replication — Select the check box to enable queue replication on this<br />
system. Replication must be enabled on both the source and mirror hosts in the Basic<br />
Config ➝ Network screen.<br />
• Replication Timeout — Specify the time, in seconds, to contact the host system before<br />
timing out.<br />
• Replicate to Host — The mail queues are automatically updated when a message is first<br />
received, and the queues are also synchronized at regular intervals. Press this button to<br />
replicate the queue to the mirror host system immediately.<br />
• Mirrored Messages — This value indicates the current amount of queued mail that is<br />
mirrored on this <strong>ePrism</strong>.<br />
• Purge Mirrored Messages — Select this button to delete any mail messages in the local<br />
mirror queue. These are the files that are mirrored for another host server.<br />
• Deliver Mirrored Messages — Select this button to take ownership and process the mail<br />
that is mirrored for another source system. If the server is still alive, importing and<br />
processing the mirror queue may result in duplicate messages being delivered.<br />
Do not press this button unless you are certain that the source system is unable to deliver mail.<br />
• Review Mirrored Messages — Select this button to review any mail in the local mirror<br />
queue that is mirrored for another source server.<br />
280
Queue Replication Interface<br />
You must also enable queue replication on a network interface on both the host and client<br />
server.<br />
Select Basic Config ➝ Network from the menu, and then scroll down to the Queue<br />
Replication section.<br />
These options only appear in the Network settings screen after Queue Replication is enabled.<br />
• Enable Replication — Select the check box to enable queue replication on this system.<br />
• Replication Host — Specify the IP address of the system that will be backing up mail for<br />
this <strong>ePrism</strong>.<br />
• Replication Client — Specify the IP address of the system that will be backing up its mail<br />
queue to this <strong>ePrism</strong>.<br />
• Replication I/F — Select the network interface to use for queue replication. This network<br />
interface should be connected to a secure network. It is recommended that queue<br />
replication and clustering functions be run together on their own dedicated subnet.<br />
If you are backing up and restoring configuration information to a different system than the original<br />
and queue replication is enabled, you will have to reconfigure Queue Replication to ensure that it<br />
will work properly.<br />
Importing and Processing Mirrored Messages<br />
If you have two systems that are mirroring each other’s mail queues and one of those systems<br />
fails, you must go to the mirror server and import the mirrored mail to ensure that it is<br />
processed and delivered.<br />
Import the mirrored messages as follows:<br />
1. Ensure that the host server is unavailable. Before importing any mirrored mail, you must<br />
ensure that the host server is not processing mail. If you import and process the mirrored<br />
mail on the mirror server, this may result in duplicate messages if the host server starts<br />
functioning again.<br />
2. On the mirror server, select HALO ➝ Queue Replication from the menu.<br />
281
3. You may wish to view the currently mirrored mail by clicking the Review button.<br />
4. Click the Deliver button. This <strong>ePrism</strong> will take ownership of any queued mail mirrored from<br />
the source server, and process and deliver it.<br />
282
CHAPTER 13<br />
Reporting<br />
This chapter describes the reporting features of the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> and<br />
contains the following topics:<br />
• “Viewing and Generating Reports” on page 284<br />
• “Viewing the Mail History Database” on page 294<br />
• “Viewing the System History Database” on page 296<br />
• “Report Configuration” on page 299<br />
283
Viewing and Generating Reports<br />
<strong>ePrism</strong>’s reporting functionality provides a comprehensive range of informative reports for the<br />
<strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong>, including:<br />
• Traffic Summary<br />
• System Health<br />
• Top Mailbox Disk <strong>User</strong>s<br />
• WebMail Usage<br />
• POP and IMAP Access<br />
• Bulk Analysis and DNSBL Lookup Performance<br />
• Spam Statistics<br />
• Virus and Threat Outbreak Reports<br />
• Recipient Reports<br />
• Health Check reports<br />
The reports are derived from information written to the various system logs, which is then stored<br />
in the database. Reports are stored on the system for online viewing, and can also be emailed<br />
automatically to specified users. Reports can be generated on demand and at scheduled times.<br />
Reports can also be filtered to provide reporting on only mail domains, user groups, or specific<br />
hosts.<br />
Administrators can specify which data is to be included in each report, how it is to be displayed,<br />
the order of data, and the number of entries to report, such as "Top 10 Disk Space <strong>User</strong>s".<br />
Reports can be generated in four different formats: HTML, PDF, CSV (comma separated<br />
output) and Postscript format.<br />
284
Reporting Menu<br />
To generate and view reports, select Status/Reporting ➝ Reporting ➝ Reports.<br />
To view a previously generated report, click on the report name. To configure a report, click on<br />
the Configure button beside the corresponding report name. Click Generate to immediately<br />
generate the specified report.<br />
Viewing Reports<br />
To view a report, click on the report name, such as Full Report.<br />
285
Reports that have been previously generated are listed here. Click on an HTML report name,<br />
such as "rep1.html", to view the contents within the current browser window. Click on the<br />
Finished At time to view it in a popup window. Click on other formats to save the report to your<br />
workstation.<br />
The following illustrates the types of charts and graphs available from the full report.<br />
286
Configuring Reports<br />
Click the Configure button beside a specific report name to configure that report, or click Add<br />
New Report Type to start a new report.<br />
General Report Configuration Parameters<br />
• Report Title — Title to display at the top of the report.<br />
• <strong>Email</strong> To (HTML, CSV, PDF, PS) — Specify an email address, such as<br />
admin@example.com. Use a comma-separated list if you wish to distribute the report to<br />
multiple users, or assign an alias.<br />
• Paper Size — For PDF and PS formats, select the paper size, such as Letter, A4, or Legal.<br />
• Describe fields in report — Select this option to include a short description of each field in<br />
the report.<br />
• Hosts — If you are running a clustered system, select the specific host you want the report<br />
to apply to. When running reports in a clustered system, if you select "All" hosts in the<br />
report, it will generate a report for each host individually, and then merge the results into<br />
one report.<br />
• Filters — Select a filter, if any, to use with this report. Filters are created from the Status/<br />
Reporting ➝ Reporting ➝ Report Filters menu.<br />
287
Automatic Report Generation<br />
Configure and generate automatic reports from the Report Generation section of the<br />
configuration screen.<br />
• Enable Auto Generate — Select this check box to automatically generate reports.<br />
• Auto Generate Report at — Select the time to generate the report.<br />
• Auto Generate on Week Days… — Choose the days of the week to generate the report.<br />
• ...and/or Day(s) of Month — Choose specific days of the month to generate the report.<br />
• Timespan Covered — Select the timespan covered for this report.<br />
• Timespan Ends at… — Select the end of the timespan. It is recommended to set the<br />
timespan end time a few hours prior to report generation to allow all deferred mail to be<br />
finalized.<br />
• ...Timespan Offset (Days Ago) — Select the number of days to offset the timespan. This<br />
amount of time is subtracted before setting the timespan.<br />
Click the Generate Now button to generate a report on demand using the specified settings.<br />
This will also automatically email the report to the specified address.<br />
To generate a report daily at 2:00am for the previous day (up to 11:00pm):<br />
Auto Generate Report at: 02:00<br />
Auto Generate on Week Days: All<br />
Timespan covered: 1 day<br />
Timespan ends at: 23:00<br />
Timespan offset: 0 days<br />
To generate weekly reports on Sunday at 4:00am for the period ending Friday 11:00pm:<br />
Auto Generate Report at: 04:00<br />
Auto Generate on Week Days: Sunday<br />
Timespan covered: 1 week<br />
Timespan ends at: 23:00<br />
Timespan offset: 1 day ago<br />
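The two schedules above, worked through as an added example (not ePrism code) that computes the period a report covers from the generation time and the Timespan Covered, Timespan Ends at and Timespan Offset settings. The guide does not state the exact rule, so the example assumes that the end is the most recent occurrence of the "ends at" clock time that is not after generation, moved back by the offset; the dates used are constructed.

```python
"""Compute the period a scheduled report covers.

Added example, not ePrism code. Reproduces the two schedules in the guide from
the Report Generation settings. Assumption (the guide does not spell this
out): the timespan ends at the most recent "Timespan Ends at" clock time that
is not after the generation time, moved back by the offset in days; the
timespan is then counted backwards from that end.
"""
from datetime import datetime, time, timedelta


def report_window(generated_at: datetime, timespan: timedelta,
                  ends_at: time, offset_days: int = 0) -> tuple:
    """Return (start, end) of the period covered by a report generated at
    generated_at with the given Timespan Covered / Ends at / Offset values."""
    end = datetime.combine(generated_at.date(), ends_at)
    if end > generated_at:              # that clock time is still ahead today,
        end -= timedelta(days=1)        # so use yesterday's occurrence
    end -= timedelta(days=offset_days)  # "Timespan Offset (Days Ago)"
    return end - timespan, end


def daily_example() -> tuple:
    """Daily at 02:00, 1 day, ends at 23:00, offset 0 (constructed date)."""
    return report_window(datetime(2007, 5, 29, 2, 0), timedelta(days=1),
                         time(23, 0), 0)


def weekly_example() -> tuple:
    """Sunday 04:00, 1 week, ends at 23:00, offset 1 day (constructed date)."""
    return report_window(datetime(2007, 5, 27, 4, 0), timedelta(weeks=1),
                         time(23, 0), 1)


if __name__ == "__main__":
    for start, end in (daily_example(), weekly_example()):
        print(f"{start:%a %Y-%m-%d %H:%M} -> {end:%a %Y-%m-%d %H:%M}")
```

With the weekly settings the end lands on Friday 23:00 only because of the one-day offset; without it the period would end on Saturday 23:00, which is why the offset field exists alongside the end time.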
288
Report Fields<br />
The Fields section allows you to choose which fields or items of information to include in the<br />
report. The fields provided are static and the standard reports use fields pre-selected from this<br />
list to satisfy certain requirements. You can include or exclude fields to any one of the reports<br />
as required.<br />
Columns<br />
• Field ID — This is the <strong>ePrism</strong> name for this item.<br />
• Title in Report — Designate a title to appear in the report.<br />
• Order — The higher the value, the higher the field will appear in the report. Any number<br />
can be chosen to position the fields as needed.<br />
• Page Break — Choose between no, before, after, and both, to configure page breaks. This<br />
option only applies to PDF and PS format reports.<br />
• Limit — Set a limit for the number of items in a field. For example, enter "10" in the top<br />
viruses field to create a "Top Ten Virus List".<br />
Field Descriptions<br />
The following table describes the fields that appear in the report. Brief descriptions of each field<br />
can be included in the report by configuring it in the general report parameters.<br />
TABLE 1. Reporting Field Descriptions<br />
• System name — The system host name, such as server.example.com.<br />
• Date time — Date and time of report generation.<br />
• Version — <strong>ePrism</strong> software revision.<br />
• Timespan — Period covered by report.<br />
• Uptime — How long the <strong>ePrism</strong> system has been running since the last reboot.<br />
• Filter summary — A summary of the filters applied to this report.<br />
289
• Head comment — Freeform comment that you may enter.<br />
• Traffic blocking — A table showing the number of messages caught by each method over the preceding hour, day, week, month, and report timespan.<br />
• Blocking pie chart — A pie chart of the same data as the right hand column of Traffic Blocking (timespan).<br />
• Total traffic received — Graphs of the number of messages received per hour over the reporting period (timespan).<br />
• Total traffic sent — Graphs of the number of messages sent per hour over the reporting period (timespan).<br />
• Total received message size — Total message size of incoming messages per hour.<br />
• Total sent out message size — Total message size of outgoing messages per hour.<br />
• Trust traffic — A table showing the number of messages classified as "trusted" and "untrusted" and their disposition over the reporting period.<br />
• Processing time — The average time a message waits between initial handshake and disposition, including DNSBL/Bulk Analysis lookups if any. Messages that are deferred are not included.<br />
• Spam metrics — Graph of the number of messages per Token Analysis assigned spam metric (0 - 100).<br />
• Top virus — List of the top viruses found.<br />
• Recent virus list — List of the most recent viruses found.<br />
• Threat Outbreak Control Summary — The number of messages quarantined by Threat Outbreak Control and the number of those messages that were released, malformed, contained forbidden attachments, or were later found to contain viruses.<br />
• Threat Outbreak Virus List — The most commonly detected virus types detected by Threat Outbreak Control.<br />
• Top PBMFs — List of the top pattern based message filters. Note that this includes only global PBMFs.<br />
• Top forbidden attachments — List of the top forbidden attachments caught by attachment control.<br />
• Recent forbidden attachments — List of the most recent forbidden attachments caught by attachment control.<br />
• Top compliancy — List of the most common detected compliancy violations.<br />
• Top word match — List of spam word and OCF word matches.<br />
290
• Spam Summary — Lists the number of messages classified as certainly spam, probably spam, and maybe spam.<br />
• Intercept Component Weights — A composite list of the components of the Anti-Spam Intercept engine and the results of each component relating to the number of positive results that were designated by the system as Certainly Spam, Probably Spam, Maybe Spam, mixed spam, or not spam at all.<br />
• Disk usage — Shows disk usage by partition.<br />
• Disk load — Graph of average disk load (MB/s) over the reporting period.<br />
• CPU load — Graph of average CPU load (number of waiting processes) over the reporting period.<br />
• NIC load — Graph for each active network interface load (Bytes/hour) for the reporting period.<br />
• Swap usage — Swap file usage.<br />
• Paging — Paging usage.<br />
• Top mailbox sizes — Lists the top users based on the size of their mailboxes in MB.<br />
• Webmail — The number of WebMail logins and failed attempts per hour. This does not include "admin" logins.<br />
• POP — Graph showing the number of POP logins and login failures per hour over the reporting period.<br />
• IMAP — Graph showing the number of IMAP logins and login failures per hour over the reporting period.<br />
• Active mail queue — Graph showing number of queued messages (as sampled every 5 minutes) over the reporting period.<br />
• Deferred mail queue — Graph showing maximum number of messages (as sampled every 5 minutes) in the deferred queue over the reporting period.<br />
• Top senders — The top senders (judged by envelope from, not header from) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those senders which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
291
• Top sending hosts — The top sending host names (in FQDN format) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those sender FQDNs which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
• Top recipients — The top recipients during the report timespan, sorted by number of messages. The sum of the message sizes is also listed. If the title contains one or more comma characters, the list will be restricted to those recipients which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
• Bulk Analysis Servers — Graph showing the average round trip, in seconds, to the preferred Bulk Analysis server over the reporting period.<br />
• DNSBL Servers — Graph showing the round trip, in seconds, to the DNSBL servers over the reporting period. The value is averaged over all enabled DNSBL servers.<br />
• Policy summary — A summary of policy actions over certain time periods.<br />
• Recipient traffic blocking — Traffic blocked by recipients due to policies and their actions.<br />
• Connection summary — Lists the number of connections refused based on features such as Mail Anomalies, Threat Prevention, DNSBL, and BSN.<br />
• End comment — Comment text.<br />
• Extra comment — Extra comment text.<br />
Language Support<br />
Any text field in the report configuration can use Western (ISO-8859-1) text. For extended<br />
characters (such as accented letters), configure your browser for Western (ISO-8859-1) and set<br />
the character set encoding in Basic Config ➝ Web Server. You can then use your language<br />
specific keyboard or copy and paste ISO-8859 text into the report configuration fields.<br />
292
Creating Report Filters<br />
You can create custom filters to apply when generating reports. When a filter is selected in the<br />
report configuration editor, the applicable report fields are restricted to those values that include<br />
any string in the supplied list. You can filter by mail domain, user groups, and specific hosts.<br />
Filters for specific viruses, encryption, and attachments types can also be created.<br />
Field values can be separated by a space or by starting a new line. Leave a field blank for no<br />
filtering. Wildcard characters can be used for domains and email addresses, such as:<br />
*@example.com<br />
joe@*.example.com<br />
fred@*example*<br />
Select Status/Reporting ➝ Reporting ➝ Report Filters to create and edit report filters.<br />
You can filter on the following fields:<br />
• Sender domain or email address<br />
• Recipient domain or email address<br />
• Sending host name or IP<br />
• Encryption from Sender<br />
• Encryption to Recipient<br />
• Sender groups<br />
• Recipient groups<br />
• Virus<br />
• Forbidden Attachment<br />
When a filter is created, it will appear in a dropdown list in the report configuration settings. Select<br />
the filter to apply it to the report.<br />
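The filter values described above, and the comma-in-title rule of the Top senders field from Table 1, implemented as an added example (not ePrism code). It parses a space- or newline-separated value list, applies wildcard patterns such as `*@example.com` to constructed mail-history records, and then produces a limited Top senders list restricted by the text after the first comma in the title. Two points are assumptions rather than statements from the guide: a value without `*` matches as a substring ("include any string in the supplied list"), and a value containing `*` must match the whole sender, recipient or host.

```python
"""Report filters with wildcards, plus a "Top senders" field.

Added example, not ePrism code. Assumptions: a value without "*" matches as a
substring; a value with "*" must match the whole field. The records below are
constructed, not real log data.
"""
import re
from collections import Counter

# Constructed mail-history records: envelope sender, recipient, sending host.
MESSAGES = [
    {"sender": "joe@mail.example.com",  "recipient": "alice@corp.test", "host": "mail.example.com"},
    {"sender": "joe@mail.example.com",  "recipient": "bob@corp.test",   "host": "mail.example.com"},
    {"sender": "fred@example-news.net", "recipient": "alice@corp.test", "host": "news.example-news.net"},
    {"sender": "news@example.com",      "recipient": "carol@corp.test", "host": "mx.example.com"},
    {"sender": "news@example.com",      "recipient": "carol@corp.test", "host": "mx.example.com"},
    {"sender": "news@example.com",      "recipient": "dave@other.test", "host": "mx.example.com"},
    {"sender": "root@intranet.local",   "recipient": "dave@other.test", "host": "10.0.0.5"},
]


def parse_filter_values(text: str) -> list:
    """Values are separated by spaces or new lines; a blank field means no filtering."""
    return text.split()


def value_matches(value: str, pattern: str) -> bool:
    """'*' matches any run of characters; a plain string is a substring match."""
    if "*" not in pattern:
        return pattern.lower() in value.lower()
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def apply_filter(messages: list, report_filter: dict) -> list:
    """Keep records whose fields each match at least one value in that field's list.

    report_filter maps a field name ('sender', 'recipient', 'host') to its
    values; fields that are absent or have an empty list are not filtered."""
    kept = []
    for msg in messages:
        ok = True
        for field_name, patterns in report_filter.items():
            if patterns and not any(value_matches(msg[field_name], p) for p in patterns):
                ok = False
                break
        if ok:
            kept.append(msg)
    return kept


def top_senders(messages: list, title: str, limit: int) -> list:
    """Top senders by message count, judged by envelope sender.

    Text after the first comma in the title restricts the list to senders
    containing any of those strings; limit caps the number listed."""
    restrict = [s.strip() for s in title.split(",")[1:] if s.strip()]
    counts = Counter(
        m["sender"] for m in messages
        if not restrict or any(r.lower() in m["sender"].lower() for r in restrict)
    )
    return counts.most_common(limit)


if __name__ == "__main__":
    flt = {"sender": parse_filter_values("*@example.com\njoe@*.example.com")}
    print(len(apply_filter(MESSAGES, flt)), "messages match the sender filter")
    print(top_senders(MESSAGES, "Top senders", 2))
    print(top_senders(MESSAGES, "Top senders, intranet, fred@", 10))
```

Note that `*@example.com` does not match `joe@mail.example.com`, because the text before the `@` is what the wildcard absorbs; a subdomain sender needs a pattern such as `joe@*.example.com`, which is why the guide lists both forms.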
293
Viewing the Mail History Database<br />
Every message that passes through <strong>ePrism</strong> generates a database entry that records<br />
information about how it was processed, including a detailed journal identifying the results of the<br />
mail processing.<br />
Select Status/Reporting ➝ Reporting ➝ Mail History to view the email database.<br />
Columns<br />
• QueueID — Identifies the message in the database.<br />
• Time Received — Time when the message was received by <strong>ePrism</strong>.<br />
• Subject — Contents of the message subject header field.<br />
• Prior — If a message is forwarded because of alias expansion, bounced, vacation<br />
notification, and so on, a new message in the queue will be created. The QueueID number<br />
in the Prior column links to the original message.<br />
• Journal — Shows how the message was processed, including its disposition.<br />
• Auth — Shows SMTP authentication information, if enabled.<br />
Search<br />
Search for specific message details using the following search fields:<br />
• Search — Select the specific part of the message you want to search on, such as "sender"<br />
or "subject".<br />
• For — Enter a search string. Use a blank field to match any string.<br />
Advanced Search<br />
Select the Advanced button to perform an advanced search of the email database.<br />
294
• Search — Select the specific part of the message you want to search on, such as "sender"<br />
or "subject". Use the "and" fields to select an additional message part and search string.<br />
• Date — You can select a time frame to search for received, disposed, or deferred mail.<br />
• Status — Select a message status to search for, such as "malformed", or "virus".<br />
• Hosts — In a clustered system, you can specify a specific host to perform the search on.<br />
• Max — Enter the maximum number of results (up to 10,000) returned in the search.<br />
• Regex — Select this option to define a search using a regular expression.<br />
After performing a search, you can enter more criteria and use the Refine button to search only<br />
within the previous results.<br />
Displaying Message Details<br />
Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any,<br />
are listed in the Message Disposition section.<br />
295
Viewing the System History Database<br />
Select Status/Reporting ➝ Reporting ➝ System History to view the system database.<br />
The system database is a record of system events, such as login failures and disk space usage.<br />
Search<br />
Enter any text to search for an event. You can specify the type of message to narrow the<br />
search. Leave the text area blank to list by event type.<br />
Columns<br />
• Event# — Identifies the event in the database.<br />
• End Time — Time when the event is complete.<br />
• Type — The type of event.<br />
• Device, <strong>User</strong> — The device or user in the event.<br />
• Text — Associated text for the event.<br />
• #1, #2, #3 — Parameters of the event. These are specific to each event type.<br />
Event Types<br />
The following table describes the event types that can appear in the system database.<br />
TABLE 2. System Database Event Types<br />
Each entry lists the event type with its abbreviation, a description, and the event parameters (#1, #2, #3) where the table gives them.<br />
• Admin Actions (adm) — Shows administrative functions that have been performed.<br />
• AV Updates (avup) — The time of the last update, its success or failure, and the name of the new pattern file.<br />
• CPU Load (cpuld) — The load average for the past 1, 5, and 15 minutes. Parameters: number of processes waiting for CPU. A very busy system may have 50 or more.<br />
296
• DCC Preferred (dccpref) — The round trip time to preferred Bulk Analysis server. Parameters: name of preferred server.<br />
• Disk I/O (diskio) — MB per second transfer, KB per transfer, transfers per second for a disk.<br />
• Disk Usage (du) — Amount of used and total available disk space for each disk slice.<br />
• IMAP I/O (impio) — This shows each IMAP based transfer of email messages.<br />
• IMAP Logins (implin) — This shows each successful IMAP authentication. If the connection used SSL, the string "ssl" follows in a separate column. Note: IMAP transfers smaller than 50 bytes are not recorded. Parameters: <strong>User</strong>ID and IP address.<br />
• IMAP Failures (impfail) — Shows the number of IMAP login failures. Parameters: <strong>User</strong>ID and IP address.<br />
• Logins (login) — A single web based login. Parameters: <strong>User</strong>ID and IP address.<br />
• Logouts (logout) — A single web based logout (not including timed-out sessions). Parameters: <strong>User</strong>ID and IP address.<br />
• Login failures (lifail) — Login failure. Parameters: <strong>User</strong>ID and IP address.<br />
• Network I/O (nic) — Amount of data in and out of network card.<br />
• Paging (page) — This shows the swap paging activity (pages in/out) over 5 seconds.<br />
• POP I/O (popio) — This shows each POP based transfer of email messages. Parameters: number of emails and bytes transferred in POP session.<br />
• POP Logins (poplin) — This shows each successful POP authentication. If the connection used SSL, the string "ssl" follows the IP address. Parameters: <strong>User</strong>ID and IP address.<br />
297
• POP Failures (popfail) — This shows each POP authentication failure. If the connection used SSL, the string "ssl" follows the IP address. Parameters: <strong>User</strong>ID and IP address.<br />
• Queue Sizes (que) — Number of messages in active and deferred queues. Parameters: active queue size in bytes, deferred queue size in bytes.<br />
• DNSBL Response (rbldns) — Average round trip time to DNSBL server with minimum and maximum values. Parameters: DNSBL server.<br />
• Swap usage (swap) — This shows the swap usage, and total swap space available. Parameters: used and available swap space in megabytes.<br />
298
Report Configuration<br />
Select Status/Reporting ➝ Reporting ➝ Configure to configure the maximum time email<br />
summaries, system event summaries, and reports are kept on the system, including the<br />
maximum number that are retained.<br />
<strong>Email</strong> summaries, system events, and reports are included in backups. Each email summary is<br />
about 1,000 bytes in size. For performance reasons, such as backup/restores and searches, it<br />
is recommended to set the email message limits no longer than is required, such as 250,000<br />
messages for an M1000, 500,000 messages for an M3000 and so on.<br />
The email message history is trimmed to the expiry date and number limit, whichever is<br />
smaller. System events occupy less than 2 MB per day, and a setting of 3 months is<br />
reasonable.<br />
The system purges old data every day after 12:00am, and also within a few minutes of saving<br />
the settings in this menu. The data is rolled out depending on the date/time and number<br />
constraints, whichever is less.<br />
Reports will not be generated while the data is being purged.<br />
299
Disabling Reporting<br />
The reporting database is populated with information that is obtained by interpreting the system<br />
log files. You have the option of disabling reporting which results in no new information being<br />
saved in the reporting database. Note that all log files are still saved but the reporting engine will<br />
not analyze and interpret them for reports.<br />
Disabling reporting is not recommended, and should only be used if the system is extremely<br />
overloaded, or if you are testing performance levels.<br />
Click the Advanced button on the Status/Reporting ➝ Reporting ➝ Configure screen to<br />
reveal an option for disabling the reporting function.<br />
Software upgrades or system restores will re-enable reporting, if disabled.<br />
300
CHAPTER 14<br />
System Management<br />
This chapter describes the tools used to administer the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> and<br />
contains the following topics:<br />
• “System Status and Utilities” on page 302<br />
• “Mail Queue Management” on page 305<br />
• “Quarantine Management” on page 306<br />
• “License Management” on page 308<br />
• “Software Updates” on page 311<br />
• “<strong>Security</strong> Connection” on page 312<br />
• “Reboot and Shutdown” on page 313<br />
• “Backup and Restore” on page 314<br />
• “Centralized Management” on page 321<br />
• “Problem Reporting” on page 326<br />
• “Health Check” on page 327<br />
301
System Status and Utilities<br />
The Status/Reporting ➝ Status & Utility screen provides the following information:<br />
• A snapshot of the system status, including information on uptime, load average, amount of<br />
swap space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus<br />
pattern file status.<br />
• Controls to start and stop the mail systems and flush the mail queues.<br />
• Diagnostic tools such as a Hostname Lookup function, SMTP Probe, Ping, and Traceroute<br />
utilities that are useful for resolving mail and networking problems.<br />
• System hardware configuration information.<br />
System Status<br />
From the System Status screen, you can view a number of system statistics such as the total<br />
system Uptime, load average, the amount of used swap and disk partition space, RAID status,<br />
NTP server status, and Anti-Virus pattern update status.<br />
302
Utility Functions<br />
The Utility Functions allow you to control the following system services:<br />
• Stop/Start Mail Services — You can stop or start all mail services by clicking on the Stop/<br />
Start Mail System Control option.<br />
• Disable/Enable Sending and Receiving — Alternately, you can also enable or disable<br />
only the Receiving or Sending of mail by clicking the appropriate button. This is useful if you<br />
only want to stop the processing of mail in one direction. For example, you may want to turn<br />
off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to<br />
receive incoming mail.<br />
• Flush Mail Queue — The Flush button is used to reprocess any queued mail in the<br />
system. Only click this button once. If the mail queue does not process, you may be having<br />
other types of delivery problems, and reprocessing the mail queue will only add additional<br />
load to the system.<br />
Diagnostics<br />
The Diagnostics section contains networking and SMTP utilities to help troubleshoot network<br />
and mail delivery issues.<br />
See “Network and Mail Diagnostics” on page 355 for more detailed information on using these<br />
diagnostic tools for troubleshooting.<br />
• Hostname Lookup — Allows you to verify host name resolution by looking up a host on a<br />
DNS name server.<br />
• SMTP Probe — Allows you to send a test email to a remote SMTP server.<br />
• Ping — Ensures network connectivity via ICMP ping.<br />
• Traceroute — Ensures routing connectivity by tracing the routes of network data from<br />
source to destination server.<br />
303
Current Admin and WebMail <strong>User</strong>s<br />
The Current Admin and WebMail <strong>User</strong>s section allows you to see who is logged in via the web<br />
admin interface or through a WebMail session.<br />
If you are using Clustering, an admin login may show up several times on the list because of<br />
additional RPC calls related to clustering communications. In these cases you will see the Remote<br />
IP address as the other <strong>ePrism</strong> systems.<br />
Configuration Information<br />
The Configuration Information section shows you important system information such as the<br />
current version of the system software, the time it was installed, and licensing and hardware<br />
information.<br />
Mail Queue Management<br />
The Status/Reporting ➝ Mail Queue screen contains information on mail waiting to be<br />
delivered. You can search for a specific mail message using the search function. Messages<br />
that appear to be undeliverable can be removed by selecting them and then clicking the<br />
Remove link.<br />
Any mail messages in the mail queue can be processed out of the queue by clicking the Flush<br />
Mail Queue button. Only click this button once. If the mail queue does not process, you may be<br />
having other types of delivery problems and reprocessing the mail queue will only add<br />
additional load to the system.<br />
Display Options<br />
The Remove All button is used specifically with the search function. You must enter a search<br />
pattern to use with this button. To delete all mail messages in the queue, enter "@" in the search<br />
field, and then click Remove All.<br />
The following options can be appended to the URL of the Mail Queue screen:<br />
• ?limit=n — Sets the total number of items that will be listed to the specified number. The<br />
default is 2000.<br />
• ?ipp=n — Sets the number of items per page.<br />
• ?order=asc — Sorts items by oldest date first to the most recent.<br />
If the query URL already contains a "?" argument, you must use the "&" instead to add options to<br />
the query.<br />
To set the total number of items to be displayed to 100, use the following URL:<br />
https://server.example.com/ADMIN/mailqueue.spl?limit=100<br />
Use the "&" symbol instead if an "?" option already exists:<br />
https://server.example.com/ADMIN/<br />
mailqueue.spl?action=submit&limit=100<br />
Quarantine Management<br />
Select Status/Reporting ➝ Quarantine to manage the Quarantine folder. This folder contains<br />
messages that have been blocked because of a virus, malformed message, compliance<br />
violation, or an illegal attachment. You can view the details of a message by clicking on its ID<br />
number, or delete the message from quarantine by clicking the Delete button.<br />
Quarantined messages can also be released from the quarantine and delivered to their original<br />
destination by clicking the Release button.<br />
Use the search field to look for specific messages within the quarantine. For example, you could<br />
search for the name of a specific virus so that any quarantined messages infected with that<br />
specific virus will be displayed.<br />
Display Options<br />
The Delete All and Release All buttons are used specifically with the search function. You must<br />
enter a specific search pattern before using these controls. It is recommended that you use the<br />
Expiry Options button to clear the quarantine area of all messages beyond a certain date.<br />
The following options can be appended to the URL of the Quarantined Mail screen:<br />
• ?limit=n — Sets the total number of items that will be listed to the specified number. The<br />
default is 2000.<br />
• ?ipp=n — Sets the number of items per page.<br />
• ?order=asc — Sorts items by oldest date first to the most recent.<br />
If the query URL already contains a "?" argument, you must use the "&" instead to add options to<br />
the query.<br />
To set the total number of items to be displayed to 100, use the following URL:<br />
https://server.example.com/ADMIN/quarantine.spl?limit=100<br />
Use the "&" symbol instead if an "?" option already exists:<br />
https://server.example.com/ADMIN/<br />
quarantine.spl?action=submit&limit=100<br />
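The Mail Queue and Quarantined Mail screens accept the same display options, and both require "&" rather than "?" when the URL already carries a query string. The helper below, added here as an example and not part of the <strong>ePrism</strong> software or this guide, builds such URLs with Python's standard urllib so that the "?" versus "&" rule is handled by the parser rather than by string concatenation; it also replaces an existing copy of an option instead of appending a duplicate, and rejects values the guide does not list (only limit, ipp and order=asc are documented). The server name and the action=submit parameter are taken from the examples above; the validation limits are assumptions.<br />

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Display options documented for mailqueue.spl and quarantine.spl.
ALLOWED_OPTIONS = {"limit", "ipp", "order"}


def with_display_options(url: str, **options) -> str:
    """Return `url` with the given display options added to its query string.

    Uses "&" automatically when the URL already has a "?" query (for example
    ?action=submit) and replaces any existing value of the same option.
    """
    unknown = set(options) - ALLOWED_OPTIONS
    if unknown:
        raise ValueError(f"unsupported display option(s): {sorted(unknown)}")

    parts = urlsplit(url)
    # Existing parameters, minus any we are about to set again.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in options]

    for name, value in options.items():
        if name == "order":
            # The guide documents only ascending (oldest first) order.
            if value != "asc":
                raise ValueError("order accepts only 'asc'")
        else:
            # limit / ipp must be positive integers (assumed validation).
            value = int(value)
            if value <= 0:
                raise ValueError(f"{name} must be a positive integer")
        query.append((name, str(value)))

    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    base = "https://server.example.com/ADMIN/mailqueue.spl"
    print(with_display_options(base, limit=100))
    print(with_display_options(base + "?action=submit", limit=100, ipp=50))
```

Because parse_qsl and urlencode handle the separators, the same function works for both screens; passing limit=100 to a URL that already contains limit=2000 yields a single limit=100 parameter rather than two conflicting ones.<br />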
Quarantine Expiry Options<br />
Click the Expiry Options button to configure the quarantine expiry settings. An expiry term can<br />
be set so that quarantined messages will be deleted after a certain period of time. You can use<br />
this feature to flush all messages from the quarantine area on a regular basis.<br />
• Expire only on disk full — The Quarantine will expire messages based on the disk space<br />
percentage configured by the administrator. The default is 90% which expires messages<br />
from the quarantine when the disk is 90% full. Valid values are between 10% and 90%.<br />
• Expire per settings — The Quarantine will expire messages based on the administrator's<br />
configured settings.<br />
• Days — Enter how many days to keep a quarantined message before deleting it.<br />
• Disk usage (percentage) — Enter a percentage of disk usage that can be used by the<br />
quarantine area. If the quarantine area grows beyond this size, messages will be expired.<br />
The disk partition used by the quarantine is the /var partition.<br />
Click Update to enable the settings for new quarantined messages. Click Update and Expire<br />
Now to apply the settings to all messages in the quarantine area.<br />
To delete all messages in the quarantine, set the Days value to "0", and then click Update and<br />
Expire Now.<br />
License Management<br />
The <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> initially starts in evaluation mode which can be used for 30<br />
days. After that time, <strong>ePrism</strong> stops accepting new mail. Incoming mail will receive an SMTP<br />
failure message explaining that no mail is being accepted because the evaluation period has<br />
elapsed. Existing mail in the queue will still be delivered, and mail in mailboxes will still be<br />
accessible to POP3/IMAP and <strong>ePrism</strong> Mail Client users.<br />
Use the information in your License Pack to license and activate <strong>ePrism</strong>. Activating <strong>ePrism</strong> also<br />
activates your support contract which is valid for 12 months from purchase.<br />
Your Support Contract entitles you to all software upgrades and patches, as well as a return-to-factory<br />
warranty on the hardware. Failure to activate your system may delay the delivery of support<br />
services.<br />
<strong>ePrism</strong> can be licensed both automatically via the Internet and manually. For automatic<br />
licensing, <strong>ePrism</strong> requires an Internet connection.<br />
Automatic License Activation<br />
License <strong>ePrism</strong> automatically as follows:<br />
1. Ensure that the system can access the Internet so it can connect to the St. Bernard License<br />
server.<br />
2. Select Management ➝ License Management on the menu.<br />
3. Click the Automatic Activation button. A new web browser window will open up and<br />
display the St. Bernard licensing activation screen.<br />
4. Enter the serial number found in the Psn field from the License Pack. (This is not the<br />
hardware serial number of the system.)<br />
5. Enter the hardware serial number located on the <strong>ePrism</strong> in the Hsn field.<br />
6. Click Continue to activate the license.<br />
Manual License Activation<br />
To manually activate a license:<br />
1. From a workstation connected to the Internet, go to activate.stbernard.com to obtain<br />
an Activation Key.<br />
2. Select the product or option you want to license, and then enter the appropriate license<br />
information.<br />
3. You will receive an Activation Key that will be used in the following steps.<br />
4. On <strong>ePrism</strong>, select Management ➝ License Management on the menu.<br />
5. Click the Manual Activation button.<br />
6. Enter the Serial number and Activation Key, and then click Next.<br />
Optional Product Licenses<br />
The following products must be licensed separately. If these options are enabled, they will run in<br />
evaluation mode for 30 days. Use the same licensing procedure described previously to add<br />
these optional licenses.<br />
• Kaspersky Anti-Virus<br />
• HALO Stateful Failover Option<br />
• Attachment Content Scanning<br />
Software Updates<br />
It is important to keep your <strong>ePrism</strong> software updated with the latest patches and upgrades.<br />
A key aspect of good security is responding quickly to new attacks and exposures by updating<br />
the system software when updates are available.<br />
Updates are supplied in special files provided by St. Bernard. These updates can be delivered<br />
or retrieved using a variety of methods, including email, FTP, or from St. Bernard’s support<br />
servers. The <strong>Security</strong> Connection, if enabled, will download any patches automatically. <strong>Security</strong><br />
Connection is discussed in more detail in the next section.<br />
St. Bernard recommends that you backup the current system before performing an update. See<br />
“Backup and Restore” on page 314 for detailed information on the backup and restore procedure.<br />
Select Management ➝ Software Updates on the menu to load and apply software updates.<br />
The Software Updates screen shows updates that are Available Updates (loaded onto<br />
<strong>ePrism</strong>, but not applied) and Installed Updates (applied and active.) You can install an available<br />
update, or uninstall a previously installed update.<br />
When these software update files are downloaded to your local system, they can be installed<br />
by clicking Browse, navigating to the downloaded file, and then clicking Upload.<br />
After applying any updates, you must restart the system.<br />
<strong>Security</strong> Connection<br />
The <strong>Security</strong> Connection is a service running on <strong>ePrism</strong> that polls St. Bernard’s support servers<br />
for new updates, security alerts, and other important information. When new information and<br />
updates are received, an email notification can be sent to the administrator. It is recommended<br />
that you enable this service.<br />
For security purposes, all <strong>Security</strong> Connection files are encrypted and carry an MD5-based digital<br />
signature that is verified after the file is decrypted. (Note that MD5 is no longer considered<br />
collision resistant.)<br />
• Enabled — Select to enable <strong>Security</strong> Connection.<br />
• Frequency — Specify how often to run the <strong>Security</strong> Connection service. Choices are daily,<br />
weekly, and monthly.<br />
• Auto Download — Enable this option to allow software updates to be downloaded<br />
automatically. The updates will not be automatically installed. They must be installed via<br />
Management ➝ Software Updates.<br />
• Display Alerts — Enable this option to display any alert messages on the system console.<br />
• Send <strong>Email</strong> — Enable this option to send an email notification to the address specified<br />
below.<br />
• Notification Mail Address — Specify an email address to receive messages from <strong>Security</strong><br />
Connection.<br />
• Support Contract — You must enter a valid Support Contract number. This information is<br />
supplied with your license key at the time of purchase.<br />
Click Update to save your <strong>Security</strong> Connection configuration.<br />
Click the Connect Now button to run <strong>Security</strong> Connection immediately.<br />
Reboot and Shutdown<br />
The <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> can be safely rebooted or shut down from this menu.<br />
Before shutting down, remove any media from the floppy and CD-ROM drives.<br />
Click Reboot now to shutdown the system and reboot.<br />
Click Shutdown now to shutdown the system completely.<br />
See “Restoring <strong>ePrism</strong> to Factory Default Settings” on page 367 for detailed information on<br />
restarting <strong>ePrism</strong> and restoring it to factory default settings.<br />
Backup and Restore<br />
<strong>ePrism</strong> can backup all data, including the database, quarantined items, mail queues, user mail<br />
directories, uploaded user lists, SSL certificates, reports, and system configuration data.<br />
The <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> supports three backup methods:<br />
• Local tape drive (if available)<br />
• FTP server<br />
• Local disk (using browser download to a workstation)<br />
The restore feature can restore any backup items individually. The <strong>ePrism</strong> system should be<br />
backed up before performing any type of software upgrade or update.<br />
Restoring a clustered system requires a different procedure than outlined in the next section. See<br />
the Cluster Management section starting on page 197 for more information on backing up and<br />
restoring clustered systems.<br />
Restore Considerations<br />
The backup and restore function is primarily intended for product recovery after a re-installation<br />
or upgrade, and it is strongly recommended that all data be restored during a system recovery<br />
rather than individually. As the size of the reporting database can be quite large, you should<br />
restore the reporting database separately after the restoration of the basic system.<br />
You must always restore the system data first before restoring the reporting database.<br />
Starting a Backup<br />
You can perform backups on demand, or you can schedule a tape or FTP backup once per day<br />
via the Management ➝ Backup & Restore ➝ Daily Backup menu.<br />
Select Management ➝ Backup & Restore on the menu to start a backup.<br />
Select the required type of backup and click the Next >> button.<br />
Local Disk (Direct Backup) Options<br />
The following options are for backing up to the local disk:<br />
• Encrypt backup — Select this option to store the backup file in encrypted form.<br />
• Backup system configuration — Select this option to backup all system configuration<br />
data, including mailboxes, Token Analysis data, licenses and keys. This option must be<br />
enabled if you need to restore system functionality.<br />
• Backup reporting data — Select this option to include reports, email history, and system<br />
event data in the backup.<br />
Backing up reporting data can drastically increase the size of the backup file, resulting in a much<br />
longer backup time. Use scheduled FTP backups to prevent your browser from timing out when<br />
this type of backup is taking place.<br />
When you have set your options, click Next >> to continue.<br />
Verify that your options are correct, and then click Create backup now to start the backup.<br />
The system will prompt you for a location to download the file (backup.gz). The backup file is<br />
saved in a gzip compressed archive.<br />
FTP Backup Options<br />
The following options are for backing up to an FTP server:<br />
• Encrypt backup — Select this option to store the backup file in encrypted form. Because the<br />
archive contains system configuration, licenses and keys, and because FTP transmits both the login<br />
credentials and the file in cleartext, this option should be enabled for FTP backups.<br />
• Backup system configuration — Select this option to backup all system configuration<br />
data, including mailboxes, Token Analysis data, licenses and keys. This option must be<br />
enabled if you need to restore system functionality.<br />
• Backup reporting data — Select this option to include reports, email history, and system<br />
event data in the backup.<br />
• FTP server — Enter the host name or IP address of the destination FTP server.<br />
• <strong>User</strong>name — Enter the username for the FTP server.<br />
• Password — Enter the password for the FTP server.<br />
• Directory — Enter the directory on the FTP server for the backup files.<br />
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.<br />
When you have set your options, click Next >> to continue.<br />
Verify that your options are correct, and then click Create backup now to start the backup.<br />
You can also click Create scheduled backup which will take you to the Daily Backup menu to<br />
create a scheduled FTP backup.<br />
Daily Scheduled Backup<br />
You can schedule an automatic FTP or tape backup to be performed every day at a specified<br />
time.<br />
Select Management ➝ Backup & Restore ➝ Daily Backup on the menu to configure<br />
automatic daily backups.<br />
• Tape Backup — Select the check box to enable daily tape backups (if available.)<br />
• FTP Backup — Select the check box to enable daily FTP backups. You must configure the<br />
FTP backup settings separately using the Management ➝ Backup & Restore screen.<br />
• Start Time — Set the start time for the backup in 24-hour format using the syntax HH:MM,<br />
such as 02:00 for 2:00AM.<br />
Mail History, System Event History, and Reports cannot be backed up if the daily backup runs<br />
between 12AM and 12:30AM. This is the time period when the reporting database is processing its<br />
rollout information.<br />
FTP Backup Naming Conventions<br />
The naming convention for FTP backups is time stamped as follows:<br />
MX-DATAx.YYMMDDHHMM<br />
Example:<br />
MX-DATA0.0505152245<br />
This indicates that the backup file is from May 15th, 2005 at 10:45PM. When purging old backup<br />
files during routine maintenance, ensure that you examine the timestamps before deleting them.<br />
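The two scheduling rules above (the HH:MM 24-hour start time, and the 12:00AM to 12:30AM window during which reporting data is skipped) and the MX-DATAx.YYMMDDHHMM naming convention are easy to get wrong by hand when purging old backups from the FTP server. The following Python helper is an added example, not a tool shipped with <strong>ePrism</strong> or described by this guide: it validates a Daily Backup start time and flags the blackout window, parses backup file names into real timestamps, and selects only files older than a retention period for deletion, leaving untouched any file whose name does not match the convention. The file names and dates are constructed for the example, the retention period is an assumption, and the window is treated as inclusive at both ends.<br />

```python
import re
from datetime import datetime, time, timedelta
from typing import Iterable, List, Tuple

# MX-DATAx.YYMMDDHHMM, e.g. MX-DATA0.0505152245 (15 May 2005, 22:45).
BACKUP_NAME = re.compile(r"^MX-DATA(?P<slot>\d+)\.(?P<stamp>\d{10})$")

# Window in which Mail History, System Event History and Reports are not
# backed up (reporting database roll-over). Treated as inclusive (assumption).
BLACKOUT_START = time(0, 0)
BLACKOUT_END = time(0, 30)


def parse_backup_name(name: str) -> Tuple[int, datetime]:
    """Return (slot x, timestamp) for an MX-DATAx.YYMMDDHHMM file name."""
    m = BACKUP_NAME.match(name)
    if not m:
        raise ValueError(f"not an ePrism FTP backup name: {name!r}")
    stamp = datetime.strptime(m.group("stamp"), "%y%m%d%H%M")
    return int(m.group("slot")), stamp


def backups_to_purge(names: Iterable[str], now: datetime, keep_days: int) -> List[str]:
    """Select backup files older than `keep_days`, oldest first.

    Files that do not follow the naming convention are never returned:
    a file you cannot date is a file you should not delete automatically.
    """
    cutoff = now - timedelta(days=keep_days)
    expired = []
    for name in names:
        try:
            _, stamp = parse_backup_name(name)
        except ValueError:
            continue
        if stamp < cutoff:
            expired.append((stamp, name))
    return [name for _, name in sorted(expired)]


def check_daily_start_time(hhmm: str) -> Tuple[time, bool]:
    """Validate a Daily Backup start time (24-hour HH:MM).

    Returns the parsed time and True when it falls inside the window in
    which reporting data cannot be included in the backup.
    """
    try:
        t = datetime.strptime(hhmm, "%H:%M").time()
    except ValueError:
        raise ValueError(f"start time must be HH:MM in 24-hour format, got {hhmm!r}")
    return t, BLACKOUT_START <= t <= BLACKOUT_END


if __name__ == "__main__":
    # Constructed directory listing from a backup FTP server.
    listing = ["MX-DATA0.0505152245", "MX-DATA1.0505012245",
               "MX-DATA0.0504302245", "README.txt"]
    now = datetime(2005, 5, 16, 9, 0)
    print("purge:", backups_to_purge(listing, now, keep_days=7))
    print("02:00 ->", check_daily_start_time("02:00"))
    print("00:15 ->", check_daily_start_time("00:15"))
```

Run against a real listing, the purge list is the set of names to remove; anything that is not an MX-DATA file, or whose timestamp is inside the retention period, is left on the server. A start time that reports True should be moved outside the window if reporting data must be part of the daily backup.<br />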
Restoring from Backup<br />
Select the required type of restore and click the Next >> button.<br />
Restore from Local Disk Options<br />
Enter the local filename that contains your server’s backup data, or click Browse to select the<br />
file from the local drive directory listing. Click Next >> to upload and restore the backup file.<br />
FTP Restore Options<br />
Enter the following information to restore from an FTP server:<br />
• FTP server — Enter the host name or IP address of the FTP server where the backup file is<br />
stored.<br />
• <strong>User</strong>name — Enter the username for the FTP server.<br />
• Password — Enter the password for the FTP server.<br />
• Directory — Enter the directory on the FTP server for the backup files.<br />
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.<br />
Click Next >> to connect with the FTP server and restore the backup file.<br />
Restore Options<br />
When the backup file has been successfully retrieved, you can choose which aspects of the<br />
system you want to restore. When finished selecting the restore items, click Restore Now.<br />
If you are restoring reporting data separately, it must be performed after the restoration of the main<br />
system information.<br />
You can view the current status of the restore process in the Status section of the Management<br />
➝ Backup & Restore menu.<br />
When the restore is complete, you should review and edit your network configuration in the<br />
Basic Config ➝ Network screen as required, and click Apply to reboot. This ensures that all<br />
restored network settings have been applied.<br />
If you modified the networking information during the system installation process and then<br />
performed a restore, your new networking information may be overwritten by the restored data.<br />
Ensure that your network settings are correct before updating and rebooting the system.<br />
Backup and Restore Errors<br />
The following table describes the types of errors that can occur when restoring a backup file:<br />
TABLE 1. Backup and Restore Error Codes (error code — description)<br />
• 0 — No error<br />
• 1 — Form data missing<br />
• 2 — MIME data missing boundary<br />
• 3 — Invalid form data<br />
• 4 — Unsupported encoding method<br />
• 5 — Unsupported header in MIME data<br />
• 6 — File open error<br />
• 7 — Filename not specified<br />
• 8 — Error writing file<br />
• 9 — Data is incomplete<br />
Centralized Management<br />
The Centralized Management feature allows you to administer multiple <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong><br />
<strong>Appliance</strong>s from a single management console. Centralized Management allows you to<br />
perform many routine administrative tasks across all <strong>ePrism</strong> systems configured in the same<br />
management group.<br />
Centralized Management is used to monitor and administer multiple <strong>ePrism</strong> systems, including<br />
the ability to copy configuration items such as mail routes, aliases and mappings, RADIUS and<br />
LDAP settings, and so on, to other systems in the management group.<br />
All management group communications are authenticated and transmitted using HTTPS.<br />
You can perform the following functions from the Centralized Management console:<br />
• Start and Stop mail services<br />
• Monitor mail queues<br />
• View statistics of incoming and outgoing mail<br />
• Copy configuration settings to other <strong>ePrism</strong> systems<br />
• Perform backups<br />
Centralized Management and Clustering<br />
Centralized Management is very different from <strong>ePrism</strong>’s HALO Clustering features.<br />
Centralized Management is intended for managing multiple <strong>ePrism</strong> systems with different<br />
configurations, while Clustering is used to monitor and manage multiple systems with identical<br />
configurations for redundancy and load balancing purposes.<br />
See “HALO (High Availability and Load Optimization)” on page 265 for more detailed<br />
information on cluster management.<br />
Configuring Centralized Management<br />
Use the following procedure to initialize and configure Centralized Management.<br />
1. Select Basic Config ➝ Network from the menu.<br />
2. Ensure that Admin Login access is enabled for the specific network interface that will be<br />
communicating with the management group.<br />
3. Select Management ➝ Centralized Management to configure Centralized Management.<br />
The initialization screen will appear indicating that there are no management groups<br />
configured.<br />
4. To create a management group, click Configure. You will need to enter the login and<br />
password of the admin user.<br />
5. Add new members to the management group by clicking the Members button.<br />
6. Enter the group member’s hostname or IP address, an optional name, and the Admin<br />
user’s login and password. Click Add or Update Member. The console stores these credentials<br />
for every member, so it must be protected at least as carefully as the systems it administers.<br />
Once added, click the Close button.<br />
The group member will now appear in the main management console screen.<br />
If the address of a member server changes, the original entry must be removed before adding a<br />
new entry with the new address.<br />
Changing the Centralized Management Console<br />
To change the address of the console you are using, click Edit, enter your new settings, and<br />
then click Add or Update Member. You cannot delete the console you are using from the<br />
management group.<br />
Using the Management Console<br />
From the Centralized Management Console, you can perform a variety of administrative<br />
functions.<br />
Group Commands<br />
The following commands are applied to the entire management group:<br />
• Centralized Management Command — From the drop-down box you can select a specific<br />
function to execute across all members of the management group. The options include<br />
Refresh, Stop All Queues, Run (Start) All Queues, and Backup.<br />
• Select Auto Refresh — Select the time, in seconds, for automatic refresh of settings and<br />
statistics for group members. Select Disable if you do not require Auto Refresh.<br />
Member System Commands<br />
The following commands are only applied to the specified group member:<br />
• Start and Stop Services — You can start and stop services for each management group<br />
member. The current status is also displayed.<br />
• Connect — Connect directly to the specified member and open its administration screen.<br />
• Backup — Backup the member server via FTP. Each group member must have its FTP<br />
backup configured individually before this function will work from the console.<br />
• Copy Configuration — Copy the selected settings from the management console to the<br />
selected member. Each member can be configured individually to receive only certain<br />
settings by selecting the check box of each configuration item.<br />
Click Save to save your selected settings on the management console screen.<br />
Copy Configuration<br />
To copy configuration items from the Centralized Management Console to the group members,<br />
select which items to copy, and then click the Copy button. Click Save to save your settings.<br />
The following configuration settings can be replicated:<br />
• Attachment Control — All items, including Attachment Types, are added to the selected<br />
group member.<br />
• Mail Aliases — All mail aliases will be added to the selected group member.<br />
• Virtual Mappings — All virtual mappings will be added to the selected group member.<br />
• Mail Mapping — All mail mappings will be added to the selected group member.<br />
• Mail Routing — All mail routes will be added to the selected group member.<br />
• Mail Access/Filtering — Message size and patterns settings will be added to the selected<br />
group member.<br />
• Relocated <strong>User</strong>s — The list of relocated users on a group member will be replaced by<br />
those from the management console.<br />
• Pattern Based Filtering — All anti-spam Pattern Based Filtering settings except the<br />
default settings will be added to the selected group member.<br />
• RADIUS/LDAP — All RADIUS and LDAP configuration settings will be added to the<br />
selected group member.<br />
The mail queue will be temporarily stopped during the replication process.<br />
Problem Reporting<br />
Problem reporting allows you to send important configuration and logging information to St.<br />
Bernard Technical Support for help with troubleshooting system issues. This feature should be<br />
used in conjunction with an existing support request with technical support.<br />
Select Status/Reporting ➝ Problem Reporting to configure your troubleshooting<br />
configuration information.<br />
• Send To — Enter an email address to send the reports. The default is St. Bernard Technical<br />
Support, but you can also put in your own email address so that you can view them before<br />
sending them to St. Bernard.<br />
• Mail Log — Sends the latest daily mail server log.<br />
• Mail Configuration — Sends your current mail configuration file.<br />
• Mail Queue Stats — Sends a snapshot of the latest current mail queue statistics.<br />
• System Messages — Sends the latest daily system message log.<br />
• System Configuration — Sends an XML version of the system configuration.<br />
Click Apply to save the information in the form, and click Send Now to send the information to<br />
the configured email address.<br />
Health Check<br />
The Health Check service is a cost-option for the <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> that allows<br />
St. Bernard to perform a comprehensive review of your current configuration. St. Bernard’s<br />
Professional Services consultants will provide a comprehensive report identifying the health of<br />
system processes, database inconsistencies and overall performance. Detailed<br />
recommendations for optimizing spam capture effectiveness and performance are then<br />
provided in a Diagnosis Report.<br />
The Diagnosis Report returned to you includes:<br />
• Summary of system review and activities (General Configuration, Network Settings and<br />
Topology, Anti-Spam, Content Filtering, Attachment Control, Anti-Virus, Software Updates)<br />
• Recommendations for each area of concern<br />
• Identification of known software issues<br />
• Details on upcoming releases and patches<br />
• License Key — Enter your license key for the Health Check service.<br />
• System Report — Select the type of system report to generate:<br />
• Health Check now: Send a health check report immediately.<br />
• Health Check + Report now: Send a health check and a full system report immediately.<br />
• Health Check + Report at 3am: Send a health check and full system report at 3am. This<br />
allows the health check and report generation to occur during times of lower activity.<br />
• EMail — This is the St. Bernard email address where system health reports will be sent and<br />
cannot be changed.<br />
Click Submit to start the Health Check service. You will receive confirmation that the health<br />
check has been sent, and notification that a report will follow.<br />
CHAPTER 15<br />
Monitoring System Activity<br />
This chapter describes how to monitor <strong>ePrism</strong>’s system activity and message processing, and<br />
contains the following topics:<br />
• “Activity Screen” on page 330<br />
• “System Log Files” on page 332<br />
• “Offloading Log Files” on page 335<br />
• “SNMP (Simple Network Management Protocol)” on page 337<br />
• “Alarms” on page 340<br />
Activity Screen<br />
The Activity screen provides a variety of system information and utilities all on one screen,<br />
including:<br />
• Mail service stop and start<br />
• Mail queue statistics<br />
• Queue Activity<br />
• System uptime and CPU load<br />
• Message status and final actions<br />
The following describes the queue statistics columns:<br />
• Arrived — The total number of messages processed by <strong>ePrism</strong> (messages accepted).<br />
These include messages that were spam, viruses, attachment control, and so on.<br />
• Sent — The total number of messages sent by <strong>ePrism</strong>, including mailer daemon mail,<br />
quarantine notifications, mail delivery delay notifications, local mail, alarms, reports, and so<br />
on. If a message has multiple recipients, each delivered recipient will be added to the total.<br />
• Spam — The total number of messages considered spam by the Intercept engine.<br />
• Reject — The total number of messages rejected because of client hostname/address<br />
restrictions, SAP rejects, DNSBLs, and PBMFs with a reject action.<br />
• Virus — The total number of messages that contained a virus.<br />
• Clean — The total number of messages that were accepted for delivery inbound and<br />
outbound by <strong>ePrism</strong> and passed all security and spam filters.<br />
Show Recipients/Senders<br />
Click the Show Recipients button to show all recipients for a message if there are multiple<br />
recipients. If there is only one recipient for a message, the message will display the same way<br />
in Show Senders and Show Recipients view.<br />
If there are multiple recipients for a message, the Show Senders view will display a "+" sign in<br />
front of the message. Use this button to expand the message to see all the recipients. This is<br />
useful for seeing the actions and dispositions of a message for each recipient if they belong to<br />
different scanning policies.<br />
Cluster Activity<br />
In a clustered system, an additional Cluster Activity screen is displayed that shows the<br />
combined activity for all clustered systems.<br />
System Log Files<br />
Select Status/Reporting ➝ System Logs on the menu to access the system log files.<br />
Click View in the Current Log column to view the most recent log file.<br />
Click View in the Time Index column to see a list of all log files available on the system in<br />
chronological order including the current log file, old log files (rolled out) and archived (zipped).<br />
The Mail Transport log is the most important log to monitor because it contains a record of all<br />
mail processed by <strong>ePrism</strong>. See “Examining Log Files” on page 346 for more information on<br />
interpreting the mail transport logs.<br />
Other logs include:<br />
• Authentication — Contains messages from POP, IMAP, and WebMail logins.<br />
• HTTP Access — A log of access to the web server.<br />
• HTTPS Access — A log of SSL web server access.<br />
• HTTP Errors — Contains error messages from the web server.<br />
• HTTPS Engine — Contains messages for the web server encryption engine.<br />
• Messages — Contains system messages, including file uploads.<br />
• Kernel — A log of kernel generated messages.<br />
You may see errors in the kernel logs regarding partition slices. If your system is installed<br />
with a manufacturer’s diagnostics partition, this is the cause of the error and does not indicate<br />
a critical condition.<br />
• Reporting SQL (when enabled) — This option only appears when SQL logging is enabled<br />
in Status/Reporting ➝ Reporting ➝ Configure. The logs can be downloaded in SQL<br />
format from this screen.<br />
Viewing and Searching Log Files<br />
Search for a particular search string by entering a value in the Search field and then clicking the<br />
arrow button.<br />
The following features can be used to help refine log searches:<br />
• For logical "and" and "or" searches, use the keywords "and", "or", and "not".<br />
• Use \and or \or to search for the actual words such as "and" and "or".<br />
• Use a preceding / to search using Unix-style regular expressions.<br />
You can also download the log to a text file by using the Download button. You can then import<br />
this file into a log analysis application for offline processing.<br />
Advanced Search<br />
Click the Advanced Search link to perform advanced searches for all the log files for a specific<br />
log type.<br />
• Logs to Search — Select the log to perform the advanced search in.<br />
• Search Archived — Select the check box to search all current and archived log files.<br />
• Search All Dates — Select the check box to search the entire time span. The Date/Time fields<br />
below will be greyed out if this option is selected.<br />
• Date/Time from — Enter a beginning date and time to search from.<br />
• Date/Time to — Enter the end date and time to search to.<br />
• Pattern — Enter a pattern to search for in the logs.<br />
Click the Search button when you are ready to begin the advanced log search.<br />
Configuring a Syslog Host<br />
All of <strong>ePrism</strong>’s log files can be forwarded to a syslog server, which is a host that collects and<br />
stores log files from many sources.<br />
The syslog files can then be analyzed by a separate logging and reporting program.<br />
You can define a syslog host in the Basic Config ➝ Network screen.<br />
Offloading Log Files<br />
In environments with large mail throughput requirements, <strong>ePrism</strong>’s log files, such as mail<br />
transport log information, may grow very quickly. When a certain amount of log files have been<br />
generated, <strong>ePrism</strong> can automatically compress older files to save disk space.<br />
For backup purposes and offline reporting, <strong>ePrism</strong> can copy log and reporting files to another<br />
system at regular intervals using the FTP or SCP file copy utilities. This allows administrators to<br />
back up the log files to a separate host for analysis and storage. When enabled, the offload<br />
occurs each time a log file is rolled over and for the time period specified in the offload date<br />
and time.<br />
The Offload (Reporting) section is used for organizations requiring a separate reporting server<br />
where logs will be forwarded to for reporting purposes.<br />
Select Status/Reporting ➝ Server Logs ➝ Rollout & Offload on the menu to configure your<br />
rollout and offload settings.<br />
Rollout (Keep Uncompressed)<br />
Configure the number of local uncompressed files to keep on <strong>ePrism</strong> in the Keep<br />
uncompressed field. When log files are rolled over, <strong>ePrism</strong> will keep this amount of files<br />
uncompressed on the hard drive. When this value is reached, the files will then be compressed<br />
to save disk space (oldest first). Leave this field blank to leave all log files uncompressed.<br />
Offload (Backup)<br />
• Offload — Select the check box to enable offloading of rollout log files.<br />
• Copy application — Select the program (FTP or SCP) to use for copying rollout files. The<br />
corresponding service must be enabled on the destination host.<br />
• Port — TCP port to be used by the copy application. If this field is left blank, default port<br />
values will be used.<br />
• Host — Enter the host to copy rollout data to using the specified method.<br />
• Folder — Select a folder to copy the rollout data to.<br />
• Construct Filename — Select an identifier for the file name, such as a sequential number<br />
(maillog.1) or a timestamp (maillog.200501010000).<br />
• <strong>User</strong> — <strong>User</strong>name to use to log in to the destination host.<br />
• Password — Corresponding password for the specified username.<br />
• Compress — Select the check box to enable gzip compression of the rollout files.<br />
Click the Update button when finished.<br />
Click the Offload now button to begin offloading files immediately.<br />
Click the Offload Again button to reset the record of offloaded files. This forces an<br />
offload of all files (even those offloaded before). You must click Offload Now, or wait for<br />
the next scheduled offload (when a log file has rolled over, or every hour), to start the offloading<br />
process after clicking Offload Again.<br />
SNMP (Simple Network Management Protocol)<br />
Simple Network Management Protocol (SNMP) is the standard protocol for network<br />
management. When enabled on <strong>ePrism</strong>, this feature allows standard SNMP monitoring tools to<br />
connect to the SNMP agent running on <strong>ePrism</strong> and extract real-time system information.<br />
The information available from the SNMP agent is organized into objects which are described<br />
by the MIB (Management Information Base) files. The information available includes disk,<br />
memory, and CPU statistics, mail queue information, and statistics on the number of spam or<br />
virus-infected emails. An SNMP trap can be sent when the system reboots.<br />
See “SNMP MIBS” on page 383 for detailed information on the objects available in <strong>ePrism</strong>’s<br />
MIB files.<br />
The SNMP agent service is installed and running by default, but it must be enabled specifically<br />
for each interface in the Basic Config ➝ Network screen. It is strongly advised that the agent<br />
only be configured for the internal (trusted) network.<br />
Configuring SNMP<br />
Select Basic Config ➝ SNMP Configuration on the menu to configure SNMP.<br />
• Send Trap on Reboot — Enable the check box to send a trap message to your SNMP trap<br />
host whenever the system reboots.<br />
• System Contact — (Required) Enter the email address of the contact person for this<br />
system.<br />
• System Location — (Required) Enter the location of the system.<br />
• Read-Only Community — By default, <strong>ePrism</strong> does not allow read/write access to the<br />
SNMP agent. For read access, you must set up a read-only community string on both the<br />
agent, and your SNMP management application for authentication. It is recommended that<br />
you change the default community string "public" to a more secure value.<br />
The community string is case sensitive.<br />
Permitted Clients<br />
To allow access to <strong>ePrism</strong>’s SNMP agent, you must specifically add the client system to the list<br />
of SNMP Permitted Clients. The clients can be specified using a host name, IP address, or<br />
network address (192.168.138.0/24). Typically, you will enter the address of your SNMP<br />
management station. Click Add to add the permitted client.<br />
Trap Hosts<br />
A trap host is an SNMP management station that will be receiving system traps from <strong>ePrism</strong>.<br />
<strong>ePrism</strong> will send an SNMP trap when the system is rebooted.<br />
Enter a list of hosts that will receive trap messages. The hosts can be specified using a host<br />
name or IP address. Click Add to add the trap host.<br />
MIB Files<br />
The SNMP MIB files can be downloaded by clicking the Download MIBs button. These files<br />
must be imported into your SNMP management program. The MIB file contains a list of objects<br />
representing the information that can be extracted from the system’s SNMP agent.<br />
See “SNMP MIBS” on page 383 for detailed information on the contents of the St. Bernard<br />
<strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong> MIB files.<br />
Alarms<br />
<strong>ePrism</strong> implements a variety of system alarms to notify the administrator of exceptional system<br />
conditions. Alarms are currently generated from the HALO, LDAP, and Backup subsystems. For<br />
example, you can receive an alarm notification if the daily FTP backup fails, or if communication<br />
is lost with a cluster member. Errors with LDAP user imports will also trigger an alarm.<br />
You can select the type of alarm notifications to receive, such as Critical, Serious, and Warning<br />
events.<br />
These notifications can be sent via:<br />
• <strong>Email</strong><br />
• Console Alert<br />
• Activity Screen Alert<br />
The following example shows an alarm appearing on the Activity screen. You must click<br />
Acknowledge to remove the alarm notification.<br />
Configuring Alarms<br />
Select Basic Config ➝ Alarms on the menu to configure your alarms and notifications.<br />
• Send Escalation Mail — Select the types of alarms that will trigger an email to be sent to<br />
the Escalation Mail Address specified below.<br />
• Send Alarm Mail — Select the types of alarms that will trigger an email to be sent to the<br />
Alarm Mail Address specified below.<br />
You must have a valid email specified in the <strong>Email</strong> Addresses section for the alarm email to be<br />
sent.<br />
• Alert to Console — Select the types of alarms that will display an alert on the system<br />
console screen.<br />
• Alert to Activity Page — Select the types of alarms that will display an alert on the main<br />
activity screen.<br />
• Escalation Mail Address — Enter an email address to send escalation messages to.<br />
• Alarm Mail Address — Enter an email address to send alarm messages to.<br />
It is recommended that you use SNMP for monitoring of system resources such as disk space and<br />
memory usage. See “SNMP (Simple Network Management Protocol)” on page 337 for more<br />
information.<br />
Alarms List<br />
The following table describes the types of alarms that can be triggered.<br />
TABLE 1. Alarms List<br />
Severity — Alarm<br />
Critical — LDAP Lookup: LDAP lookup failed during delivery<br />
Critical — LDAP Lookup: LDAP lookup: Unable to bind to server<br />
Critical — LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server<br />
Critical — Queue Replication: Cannot connect to mirror<br />
Serious — Clustering: Cluster Error connecting to host [member address]<br />
Serious — Clustering: Cluster Error writing to host [member address]<br />
Serious — Clustering: Cluster Error closing socket for host [member address]<br />
Serious — Clustering: Cluster Error Connection to database<br />
Serious — Clustering: Cluster Error query failed: [query error message]<br />
Serious — Clustering: Cluster replication Error opening configuration file [file error]<br />
Serious — Clustering: Error loading cluster configuration file<br />
Serious — Clustering: Cluster Error loading command at [location in configuration file]<br />
Serious — LDAP Import: LDAP import, Import of groups failed<br />
Serious — LDAP Import: LDAP import, Import of users failed<br />
Serious — LDAP Import: LDAP failed to download users, groups<br />
Serious — dccstat: Excessive DCC failures<br />
Serious — FTP Backup: FTP Backup Failed [error message]<br />
CHAPTER 16<br />
Troubleshooting Mail Delivery<br />
This chapter describes procedures for troubleshooting mail delivery problems and contains the<br />
following topics:<br />
• “Troubleshooting Mail Delivery” on page 344<br />
• “Troubleshooting Tools” on page 345<br />
• “Examining Log Files” on page 346<br />
• “Network and Mail Diagnostics” on page 355<br />
• “Troubleshooting Content Issues” on page 360<br />
Troubleshooting Mail Delivery<br />
When experiencing mail delivery problems, the first step is to determine whether the problem affects<br />
only incoming mail, only outgoing mail, or both. For example, if you are receiving mail but not sending<br />
outgoing mail, your Internet connection is certainly working properly, or you would not be<br />
receiving mail. In this scenario, the firewall may be blocking your outbound<br />
SMTP connections, or some other problem is preventing mail delivery.<br />
Problems affecting both inbound and outbound delivery include the following scenarios:<br />
• Network infrastructure and Communications — The most common scenario in which<br />
you are not receiving or sending mail is if your Internet connection is down. This can include<br />
upstream communications with your ISP, your connection to the Internet, or your external<br />
router. You should also check your internal network infrastructure to ensure you can contact<br />
<strong>ePrism</strong> from your router or firewall.<br />
• DNS — If your DNS is not working or is configured incorrectly, mail will not be forwarded to your<br />
<strong>ePrism</strong> or you will not be able to look up external mail sites. Check the DNS service itself to<br />
see if it is running, and check your DNS records for any misconfiguration of your mail<br />
services. Ensure that your MX records are set up properly to point to the <strong>ePrism</strong> system.<br />
• Firewall — If you are having issues with your Firewall or if it is misconfigured, it may<br />
inadvertently block mail access to and from <strong>ePrism</strong>. For example, SMTP port 25 must be<br />
opened between the Internet and <strong>ePrism</strong> and internally to allow inbound and outbound mail<br />
connections.<br />
• Internal Mail Systems — You may be receiving incoming mail to the <strong>ePrism</strong>, but mail is not<br />
being forwarded to the appropriate internal mail servers. Also, outgoing mail from the<br />
internal servers may not be forwarded to <strong>ePrism</strong> for delivery. In these scenarios, examine<br />
your internal mail server to ensure it is working properly. Check communications between<br />
the two systems to ensure there are no network, DNS, or routing issues. Also check that<br />
your internal servers are configured to send outgoing mail to <strong>ePrism</strong>.<br />
• External Mail Systems — If you have a large amount of mail to a particular destination, and<br />
that mail server is currently down, these messages will queue up in the deferred mail queue<br />
to be retried after a period of time. You can view the Mail Transport logs to see the relevant<br />
messages that may indicate why you cannot connect to that particular mail server. The<br />
server could be down, too busy, or not currently accepting connections.<br />
Troubleshooting Tools<br />
The following sections describe the built-in tools that can be used on the <strong>ePrism</strong> system to help<br />
troubleshoot mail delivery problems.<br />
Monitoring the Activity Screen<br />
On <strong>ePrism</strong>’s main Activity screen, you will be able to quickly examine if there are any issues<br />
with mail delivery.<br />
Examine the following items:<br />
• Check the mail queue activity to view the number of Queued, Deferred, and Total<br />
messages in the mail queue. This is a quick indicator of how mail is being processed. Click<br />
the Refresh button frequently to ensure that the mail queues are not building up too high.<br />
• In the Mail Received Recently portion of the activity screen, check the timestamps of your<br />
most recent incoming and outgoing mail. If no mail has been processed in a certain period<br />
of time, this may indicate that the inbound, outbound, or both mail directions are not<br />
working.<br />
• Check the statistics for your mail queues. You may notice mail system latency if you are<br />
receiving a lot of virus, spam, or message rejects.<br />
Examining Log Files<br />
Examine the system log files in the Status/Reporting ➝ System Logs screen.<br />
The Mail Transport log is the most important, as it provides a detailed description of each<br />
message that passes through the system.<br />
The log entries for a single message begin with an smtpd "connect" message and end with<br />
the "disconnect" message. To ensure that you are looking at the entries for a specific message,<br />
check the message ID (such as 3A30A3F269 in the previous example) for each log entry to<br />
confirm they belong to the same message.<br />
A summary of the actions for this message is included in the log, for example:<br />
Only the first recipient is logged in the overall message summary when more than one recipient is<br />
found within a message.<br />
Interpreting Text Log Files<br />
Log files can be downloaded as a text file to allow you to analyze the logs offline. When<br />
interpreting Mail Transport log files from the text version, the final message summary appears<br />
as a special analysis string. The analysis string is a sequence of fixed-width codes generated by the<br />
logging engine, from which the message summary in the log is built.<br />
For example, the following analysis string is interpreted as described in the table below:<br />
analysis=T086FFT001FFT000F000FFF000000TF--5000000000055-F1F-FF00000000F000FFF000000000000F1FFT001T001<br />
The following table describes each character in the analysis string:<br />
TABLE 1. Analysis Code Descriptions<br />
Analysis Code — Description — Possible Values<br />
T — Token Analysis scanned? (True) — T - True, F - False<br />
086 — Token Analysis Metric (86) — 3 digit numeric value<br />
F — Bulk Analysis Scanned? (False) — T - True, F - False<br />
F — Bulk Analysis result? (False) — T - True, F - False<br />
T — DNSBL Scanned? (True) — T - True, F - False<br />
001 — Number of DNSBL Rejects — 3 digit numeric value<br />
F — n/a — n/a<br />
F — n/a — n/a<br />
T — Kaspersky AV Scanned? (True) — T - True, F - False<br />
000 — Number of Viruses — 3 digit numeric value<br />
F — n/a — n/a<br />
000 — Viruses detected (0) — 3 digit numeric value<br />
F — Malformed Message Scanned? (False) — T - True, F - False<br />
F — Malformed message? (False) — T - True, F - False<br />
F — Attachment Control scanned? (True) — T - True, F - False<br />
000 — Inbound Attachments blocked (0) — 3 digit numeric value<br />
000 — Outbound Attachments blocked (0) — 3 digit numeric value<br />
T — PBMF Scanned? (True) — T - True, F - False<br />
F — PBMF triggered? (False) — T - True, F - False<br />
- — PBMF Action (no match) — D - Reject, A - Accept, V - Valid, S - Spam, T - Trust, R - Relay, B - BCC, I - Do Not Train, a - Archive Copy, y - Bypass, "-" - None<br />
- — PBMF Rule Type (no match) — S - System, G - Group, P - Personal, "-" - None<br />
5 — PBMF Priority (5 - high) — 0 - low, 3 - medium, 5 - high<br />
0000000 — PBMF Filter number — This is the number of the filter in your list of PBMFs.<br />
000 — PBMF Options — See Table 2 "PBMF Options Description"<br />
5 — PBMF "no train" rule rank (5) — 1 digit numeric value<br />
5 — PBMF "BCC" rule rank (5) — 1 digit numeric value<br />
- — PBMF Configurable Action — Configurable action associated with the PBMF (1-6 or a-e). "-" means no configurable action.<br />
F — SPF scanned? — T - True, F - False<br />
1 — SPF result — Pass = 0, None = 1, Fail = 2,3, Error = 4, Neutral = 5, Unknown = 6, Unknown SPF Mechanism = 7<br />
F — n/a — n/a<br />
- — n/a — n/a<br />
T — OCF Scanned (True) — T - True, F - False<br />
F — OCF Result — T - True, F - False<br />
0000 — Mail Anomalies checks performed bitmap (none) — 4 digit numeric value. This field is only decodable via the <strong>ePrism</strong> logs display.<br />
0000 — Mail Anomalies checks failed bitmap (none) — 4 digit numeric value. This field is only decodable via the <strong>ePrism</strong> logs display.<br />
F — Attachment Content Scanned (false) — T - True, F - False<br />
000 — Attachment Content Scanning matches (0) — 3 digit numeric value<br />
F — Spam Dictionary scanned (false) — T - True, F - False<br />
F — Spam Dictionary matched (false) — T - True, F - False<br />
F — BSN scanned (False) — T - True, F - False<br />
00000000 — BSN result bitmap (none) — 8 digit numeric value. This field is only decodable via the <strong>ePrism</strong> logs display.<br />
0 — BSN relays checks — 1 digit numeric value<br />
000 — BSN Reputation score — 3 digit numeric value<br />
F — DomainKeys scanned (false) — T - True, F - False<br />
1 — DomainKeys result (permanent error) — 0 - Pass, 1 - Neutral, 2 - Fail, 3 - Soft Fail, 4 - Temporary Error, 5 - Permanent Error<br />
F — DomainKeys spam (False) — T - True, F - False<br />
F — DomainKeys Signed? (False) — T - True, F - False<br />
T — URL Block List Scanned? — T - True, F - False<br />
001 — URL Block Lists matched — 3 digit numeric value<br />
T — Threat Outbreak Scanned? — T - True, F - False<br />
001 — Number of possible viruses — 3 digit numeric value<br />
The following table describes the analysis codes for PBMF Options:<br />
TABLE 2. PBMF Options Code Description<br />
Code Description<br />
000 None<br />
001 Do Not Train<br />
002 Notify Admin<br />
003 Notify Admin + Do Not Train<br />
004 Notify Sender<br />
005 Notify Sender + Do Not Train<br />
006 Notify Sender + Notify Admin<br />
007 Notify Sender + Notify Admin + Do Not Train<br />
008 Notify Recipient<br />
009 Notify Recipient + Do Not Train<br />
010 Notify Recipient + Notify Admin<br />
011 Notify Recipient + Notify Admin + Do Not Train<br />
012 Notify Recipient + Notify Sender<br />
013 Notify Recipient + Notify Sender + Do Not Train<br />
014 Notify Recipient + Notify Sender + Notify Admin<br />
015 Notify Recipient + Notify Sender + Notify Admin + Do Not Train<br />
016 BCC<br />
017 BCC + Do Not Train<br />
018 BCC + Notify Admin<br />
019 BCC + Notify Admin + Do Not Train<br />
020 BCC + Notify Sender<br />
021 BCC + Notify Sender + Do Not Train<br />
022 BCC + Notify Sender + Notify Admin<br />
023 BCC + Notify Sender + Notify Admin + Do Not Train<br />
024 BCC + Notify Recipient<br />
025 BCC + Notify Recipient + Do Not Train<br />
026 BCC + Notify Recipient + Notify Admin<br />
027 BCC + Notify Recipient + Notify Admin + Do Not Train<br />
028 BCC + Notify Recipient + Notify Sender<br />
029 BCC + Notify Recipient + Notify Sender + Do Not Train<br />
030 BCC + Notify Recipient + Notify Sender + Notify Admin<br />
031 BCC + Notify Recipient + Notify Sender + Notify Admin + Do Not Train<br />
032 Do Not Quarantine<br />
033 Do Not Quarantine + Do Not Train<br />
034 Do Not Quarantine + Notify Admin<br />
035 Do Not Quarantine + Notify Admin + Do Not Train<br />
036 Do Not Quarantine + Notify Sender<br />
037 Do Not Quarantine + Notify Sender + Do Not Train<br />
038 Do Not Quarantine + Notify Sender + Notify Admin<br />
039 Do Not Quarantine + Notify Sender + Notify Admin + Do Not Train<br />
040 Do Not Quarantine + Notify Recipient<br />
041 Do Not Quarantine + Notify Recipient + Do Not Train<br />
042 Do Not Quarantine + Notify Recipient + Notify Admin<br />
043 Do Not Quarantine + Notify Recipient + Notify Admin + Do Not Train<br />
044 Do Not Quarantine + Notify Recipient + Notify Sender<br />
045 Do Not Quarantine + Notify Recipient + Notify Sender + Do Not Train<br />
046 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin<br />
047 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin + Do Not Train<br />
048 Do Not Quarantine + BCC<br />
049 Do Not Quarantine + BCC + Do Not Train<br />
050 Do Not Quarantine + BCC + Notify Admin<br />
051 Do Not Quarantine + BCC + Notify Admin + Do Not Train<br />
052 Do Not Quarantine + BCC + Notify Sender<br />
053 Do Not Quarantine + BCC + Notify Sender + Do Not Train<br />
054 Do Not Quarantine + BCC + Notify Sender + Notify Admin<br />
055 Do Not Quarantine + BCC + Notify Sender + Notify Admin + Do Not Train<br />
056 Do Not Quarantine + BCC + Notify Recipient<br />
057 Do Not Quarantine + BCC + Notify Recipient + Do Not Train<br />
058 Do Not Quarantine + BCC + Notify Recipient + Notify Admin<br />
059 Do Not Quarantine + BCC + Notify Recipient + Notify Admin + Do Not Train<br />
060 Do Not Quarantine + BCC + Notify Recipient + Notify Sender<br />
061 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Do Not Train<br />
062 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin<br />
063 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin + Do Not Train<br />
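The fixed-width analysis string can be decoded offline by walking the field widths listed in Table 1. The following decoder is an added example, not code from the guide or from ePrism; its field names are mine, and it goes beyond Table 2 by decoding the PBMF Options code as a bitmask, which reproduces all 64 listed combinations from the six base values (001 Do Not Train, 002 Notify Admin, 004 Notify Sender, 008 Notify Recipient, 016 BCC, 032 Do Not Quarantine).

```python
"""Decoder for the "analysis=" string in ePrism mail transport logs.

Added example, not code from the guide or from ePrism: the field widths and
meanings are transcribed from the guide's Analysis Code Descriptions table,
and the field names used here are my own.
"""

TF = {"T": True, "F": False}

# PBMF Options (Table 2) decoded as a bitmask: the 64 listed codes are
# exactly the sums of these six values, e.g. 005 = Notify Sender + Do Not Train.
PBMF_OPTION_BITS = [(32, "Do Not Quarantine"), (16, "BCC"), (8, "Notify Recipient"),
                    (4, "Notify Sender"), (2, "Notify Admin"), (1, "Do Not Train")]

PBMF_ACTIONS = {"D": "Reject", "A": "Accept", "V": "Valid", "S": "Spam", "T": "Trust",
                "R": "Relay", "B": "BCC", "I": "Do Not Train", "a": "Archive Copy",
                "y": "Bypass", "-": "None"}
PBMF_RULE_TYPES = {"S": "System", "G": "Group", "P": "Personal", "-": "None"}
PBMF_PRIORITY = {"0": "low", "3": "medium", "5": "high"}
SPF_RESULTS = {"0": "Pass", "1": "None", "2": "Fail", "3": "Fail", "4": "Error",
               "5": "Neutral", "6": "Unknown", "7": "Unknown SPF Mechanism"}
DK_RESULTS = {"0": "Pass", "1": "Neutral", "2": "Fail", "3": "Soft Fail",
              "4": "Temporary Error", "5": "Permanent Error"}


def pbmf_options(code):
    """Decode a 3-digit PBMF Options code (000-063) into its option names."""
    value = int(code)
    if not 0 <= value <= 63:
        raise ValueError("PBMF Options code out of range: %r" % code)
    return [name for bit, name in PBMF_OPTION_BITS if value & bit] or ["None"]


def describe_pbmf_options(code):
    """Render a PBMF Options code the way Table 2 spells it out."""
    return " + ".join(pbmf_options(code))


# (field name, width, decoder) in string order; a None name is a reserved n/a slot.
FIELDS = [
    ("token_scanned", 1, TF.get), ("token_metric", 3, int),
    ("bulk_scanned", 1, TF.get), ("bulk_result", 1, TF.get),
    ("dnsbl_scanned", 1, TF.get), ("dnsbl_rejects", 3, int),
    (None, 1, None), (None, 1, None),
    ("av_scanned", 1, TF.get), ("virus_count", 3, int),
    (None, 1, None), ("viruses_detected", 3, int),
    ("malformed_scanned", 1, TF.get), ("malformed", 1, TF.get),
    ("attachment_control_scanned", 1, TF.get),
    ("inbound_attachments_blocked", 3, int), ("outbound_attachments_blocked", 3, int),
    ("pbmf_scanned", 1, TF.get), ("pbmf_triggered", 1, TF.get),
    ("pbmf_action", 1, PBMF_ACTIONS.get), ("pbmf_rule_type", 1, PBMF_RULE_TYPES.get),
    ("pbmf_priority", 1, PBMF_PRIORITY.get), ("pbmf_filter_number", 7, int),
    ("pbmf_options", 3, pbmf_options),
    ("pbmf_no_train_rank", 1, int), ("pbmf_bcc_rank", 1, int),
    ("pbmf_configurable_action", 1, str),
    ("spf_scanned", 1, TF.get), ("spf_result", 1, SPF_RESULTS.get),
    (None, 1, None), (None, 1, None),
    ("ocf_scanned", 1, TF.get), ("ocf_result", 1, TF.get),
    ("anomaly_checks_bitmap", 4, str), ("anomaly_failed_bitmap", 4, str),
    ("attachment_content_scanned", 1, TF.get), ("attachment_content_matches", 3, int),
    ("spam_dictionary_scanned", 1, TF.get), ("spam_dictionary_matched", 1, TF.get),
    ("bsn_scanned", 1, TF.get), ("bsn_result_bitmap", 8, str),
    ("bsn_relay_checks", 1, int), ("bsn_reputation_score", 3, int),
    ("domainkeys_scanned", 1, TF.get), ("domainkeys_result", 1, DK_RESULTS.get),
    ("domainkeys_spam", 1, TF.get), ("domainkeys_signed", 1, TF.get),
    ("urlbl_scanned", 1, TF.get), ("urlbl_matches", 3, int),
    ("threat_outbreak_scanned", 1, TF.get), ("possible_viruses", 3, int),
]
EXPECTED_LEN = sum(width for _, width, _ in FIELDS)  # 92 characters


def decode_analysis(s):
    """Split an analysis string (with or without the 'analysis=' prefix) into named fields.

    Fixed-width fields mean a string of the wrong length would silently
    shift every later field, so the length is checked first.
    """
    s = s.strip()
    if s.startswith("analysis="):
        s = s[len("analysis="):]
    if len(s) != EXPECTED_LEN:
        raise ValueError("analysis string is %d chars, expected %d" % (len(s), EXPECTED_LEN))
    out, pos = {}, 0
    for name, width, decode in FIELDS:
        raw, pos = s[pos:pos + width], pos + width
        if name is not None:
            out[name] = decode(raw)
    return out


# The string from the guide's own example, joined onto one line.
GUIDE_EXAMPLE = ("analysis=T086FFT001FFT000F000FFF000000TF--5000000000055-F1F-"
                 "FF00000000F000FFF000000000000F1FFT001T001")

if __name__ == "__main__":
    for name, value in decode_analysis(GUIDE_EXAMPLE).items():
        print("%-30s %s" % (name, value))
```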
Action String<br />
The action string displays a code that shows what the final action is for a message. Each action<br />
is represented as True (T) or False (F). For example, in the following string, the eleventh action<br />
code is set to "True", which is Quarantine. If multiple actions were taken, other action codes will<br />
also be set to "True".<br />
FFFFFFFFFFTFFFFFFFFFFF<br />
TABLE 3. Action String<br />
Order Action<br />
1 Has Policy<br />
2 No Action<br />
3 Reject<br />
4 Accept<br />
5 Valid<br />
6 Spam<br />
7 Trust<br />
8 Relay<br />
9 Modify subject<br />
10 Add header<br />
11 Quarantine<br />
12 Discard<br />
13 Just log<br />
14 Bounce<br />
15 Redirect<br />
16 BCC<br />
17 PBMF BCC<br />
18 Bypass<br />
19 Do not train<br />
20 Temporary reject<br />
21 Archive copy<br />
Policy Codes<br />
When policies are in use, the following codes describe the final disposition of a message and<br />
the action taken on it by a policy.<br />
The action codes and actions appear in the "policy=" string in the mail transport logs. For<br />
example:<br />
Jul 17 17:13:35 jimbo postfix/cleanup[8119]: 319D313E14: policy=Qv,just_log=--, recip=rplant@engineering.example.com,as_score=0,policy_ids=1:0:0:0<br />
In this case, "policy=Qv" means "Quarantine, possible virus".<br />
TABLE 4. Policy Final Code<br />
Code — Description<br />
- — None<br />
W — PBMF<br />
w — Trusted Senders List<br />
K — Blocked Senders List<br />
V — Anti-Virus<br />
C — Attachment Control<br />
M — Malformed<br />
F — OCF<br />
X — Crash (insufficient data)<br />
O — Relay<br />
v — Threat Outbreak Control<br />
TABLE 5. Policy Final Action<br />
Code — Description<br />
- — No Action<br />
D — Reject<br />
A — Accept<br />
V — Valid<br />
S — Spam<br />
T — Trust<br />
R — Relay<br />
H — Modify subject header<br />
h — Add header<br />
Q — Quarantine<br />
d — Discard<br />
L — Just log<br />
B — Bounce<br />
r — Redirect<br />
C — BCC<br />
c — PBMF BCC<br />
y — Bypass<br />
I — Do not train<br />
z — Temporary reject<br />
E — Release (Threat Outbreak)<br />
n — Just Notify (Threat Outbreak)<br />
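The action string and the "policy=" field can be decoded the same way for offline log analysis. The following is an added example, not code from the guide or from ePrism: the action order comes from Table 3 and the letter codes from Tables 4 and 5, while reading the two "policy=" characters as final action followed by final code is an assumption based on the guide's "policy=Qv" example, and the log-line layout assumed is that of the cleanup line quoted above.

```python
"""Decoders for the action string and the "policy=" field in ePrism mail transport logs.

Added example, not code from the guide or from ePrism. The action order is
Table 3, the policy codes are Tables 4 and 5. That the two "policy=" characters
are the final action followed by the final code is an assumption based on the
guide's "policy=Qv" example (Quarantine, Threat Outbreak Control).
"""
import re

ACTIONS = [  # Table 3: position in the action string -> action
    "Has Policy", "No Action", "Reject", "Accept", "Valid", "Spam", "Trust",
    "Relay", "Modify subject", "Add header", "Quarantine", "Discard", "Just log",
    "Bounce", "Redirect", "BCC", "PBMF BCC", "Bypass", "Do not train",
    "Temporary reject", "Archive copy",
]

FINAL_CODES = {  # Table 4: which subsystem decided the disposition
    "-": "None", "W": "PBMF", "w": "Trusted Senders List", "K": "Blocked Senders List",
    "V": "Anti-Virus", "C": "Attachment Control", "M": "Malformed", "F": "OCF",
    "X": "Crash (insufficient data)", "O": "Relay", "v": "Threat Outbreak Control",
}

FINAL_ACTIONS = {  # Table 5: what was done with the message
    "-": "No Action", "D": "Reject", "A": "Accept", "V": "Valid", "S": "Spam",
    "T": "Trust", "R": "Relay", "H": "Modify subject header", "h": "Add header",
    "Q": "Quarantine", "d": "Discard", "L": "Just log", "B": "Bounce", "r": "Redirect",
    "C": "BCC", "c": "PBMF BCC", "y": "Bypass", "I": "Do not train",
    "z": "Temporary reject", "E": "Release (Threat Outbreak)",
    "n": "Just Notify (Threat Outbreak)",
}


def decode_action_string(s):
    """Return the names of all positions set to T, in table order.

    Positions past the 21 documented actions are reported as "unnamed action N"
    instead of being dropped (the guide's own example string is 22 characters).
    """
    s = s.strip()
    unexpected = set(s) - {"T", "F"}
    if unexpected:
        raise ValueError("unexpected characters in action string: %s" % sorted(unexpected))
    return [ACTIONS[i] if i < len(ACTIONS) else "unnamed action %d" % (i + 1)
            for i, flag in enumerate(s) if flag == "T"]


def decode_policy(code):
    """Decode a two-character policy= value into (final action, final code)."""
    if len(code) != 2:
        raise ValueError("policy value must be two characters: %r" % code)
    action, reason = code
    return (FINAL_ACTIONS.get(action, "unknown action %r" % action),
            FINAL_CODES.get(reason, "unknown code %r" % reason))


# Matches the postfix/cleanup line that carries the policy summary.
CLEANUP_LINE = re.compile(r"postfix/cleanup\[\d+\]: (?P<queue_id>[0-9A-F]+): (?P<fields>.*)$")


def parse_policy_line(line):
    """Parse a cleanup log line into its queue id and decoded policy fields, or None."""
    m = CLEANUP_LINE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value
    if "policy" not in fields:
        return None
    action, reason = decode_policy(fields["policy"])
    score = fields.get("as_score", "")
    return {
        "queue_id": m.group("queue_id"),
        "final_action": action,
        "final_code": reason,
        "just_log": fields.get("just_log"),
        "recipient": fields.get("recip"),
        "as_score": int(score) if score.lstrip("-").isdigit() else None,
        "policy_ids": fields.get("policy_ids", "").split(":"),
    }


# The guide's example cleanup line, joined onto one line.
GUIDE_LOG_LINE = ("Jul 17 17:13:35 jimbo postfix/cleanup[8119]: 319D313E14: policy=Qv,"
                  "just_log=--, recip=rplant@engineering.example.com,as_score=0,policy_ids=1:0:0:0")

if __name__ == "__main__":
    print(decode_action_string("FFFFFFFFFFTFFFFFFFFFFF"))
    print(parse_policy_line(GUIDE_LOG_LINE))
```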
Network and Mail Diagnostics<br />
In the Status/Reporting ➝ Status & Utility screen there are mail tools and networking<br />
diagnostic tools such as Hostname Lookups, SMTP Probe, Ping, and Traceroute, to help you<br />
troubleshoot possible networking problems and connectivity issues with other mail servers.<br />
Flush Mail Queue<br />
From the Status/Reporting ➝ Status & Utility screen, and also the main Activity screen, there<br />
is a button that can be used to flush and reprocess all queued mail. You should only use this<br />
utility if you have a high amount of deferred mail that you would like to try and deliver. In<br />
environments with a high amount of deferred mail, this process can take a very long time.<br />
If the deferred mail queue continues to grow, there are other problems that are preventing the<br />
delivery of mail and the Flush button should not be used again.<br />
This button should only be clicked once because it will reprocess all queued mail.<br />
Hostname Lookup<br />
The Hostname Lookup utility is used to perform DNS host lookups. This ensures that<br />
hostnames are being properly resolved by the DNS server.<br />
Enter the FQDN (Fully Qualified Domain Name) of the host you would like to look up on a name<br />
server, such as server.example.com. In the Query Type field, select the type of DNS<br />
record, such as a typical "A" host record, or "MX" for a mail server lookup.<br />
Click the Lookup button when ready to test. The name server should provide you with the IP<br />
address for the name you entered. If the result displayed shows "Unknown host", then the<br />
name you entered is not listed in the DNS records.<br />
If the name server cannot be contacted, check your DNS configuration in Basic Config ➝<br />
Network. Use the ping and traceroute utilities in the Status & Utility screen to confirm that<br />
you have network connectivity, both to the network in general and to the DNS server.<br />
SMTP Probe<br />
The SMTP (Simple Mail Transport Protocol) Probe is used to test email connectivity with a<br />
remote SMTP server. This allows you to verify that the SMTP server is responding to<br />
connection requests and returning a valid response.<br />
In the SMTP Probe screen, you must enter the destination SMTP server, the envelope header<br />
fields for the sender and recipient (MAIL FROM and RCPT TO), the HELO identifier, and the<br />
message data.<br />
Click the Send Message button to send the test message to the destination SMTP server.<br />
The server should come back with a response.<br />
• SMTP Server — Enter the domain name or IP address of the destination SMTP server that<br />
you want to test.<br />
• Envelope-from (MAIL FROM) — The MAIL FROM part of the email message identifies the<br />
sender. Enter an email address indicating the sender of the message.<br />
• Envelope-to (RCPT TO) — The RCPT TO part of the email message identifies the<br />
recipient of the email. Enter an email address indicating the intended recipient of the<br />
message.<br />
• HELO — The HELO parameter is used to identify the SMTP Client to the SMTP Server.<br />
You can enter any value here, but the sending domain name of the server is usually<br />
specified.<br />
• Message to Send (DATA Command) — This contains the actual test message data. You<br />
can enter an optional subject to ensure a blank subject field is not sent.<br />
The response field will show the result of the SMTP diagnostic probe, including the response<br />
for each SMTP command sent:<br />
Sending mail...<br />
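The exchange the probe drives, as an added Python example that is not part of the original guide or the product: it walks a server through HELO, MAIL FROM, RCPT TO and DATA, records each reply code, and stops at the first 4xx/5xx so the refused command is visible in the result. The host names, addresses and server transcripts are constructed.<br />

```python
"""SMTP probe over a single connection: HELO, MAIL FROM, RCPT TO, DATA,
recording the server's reply to each command. Added example, not ePrism code."""
import io
import socket
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    ok: bool = False
    steps: list = field(default_factory=list)  # (command, reply code, reply text)


def read_reply(rfile):
    """Read one SMTP reply; multi-line replies use '250-' continuation lines."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(lines)


def smtp_probe(rfile, wfile, helo, mail_from, rcpt_to, data):
    """Drive the exchange over binary file objects; stop at the first 4xx/5xx
    so the result shows exactly which command the remote server refused."""
    result = ProbeResult()

    def send(cmd):
        wfile.write(cmd.encode("utf-8") + b"\r\n")
        wfile.flush()

    code, text = read_reply(rfile)            # greeting, 220 expected
    result.steps.append(("<greeting>", code, text))
    if code != 220:
        return result
    for cmd, expected in ((f"HELO {helo}", 250), (f"MAIL FROM:<{mail_from}>", 250),
                          (f"RCPT TO:<{rcpt_to}>", 250), ("DATA", 354)):
        send(cmd)
        code, text = read_reply(rfile)
        result.steps.append((cmd, code, text))
        if code != expected:
            send("QUIT")
            return result
    # Body lines starting with "." are dot-stuffed; "<CRLF>.<CRLF>" ends DATA.
    for line in data.splitlines():
        send("." + line if line.startswith(".") else line)
    send(".")
    code, text = read_reply(rfile)
    result.steps.append(("<end of DATA>", code, text))
    result.ok = code == 250
    send("QUIT")
    return result


def probe_host(host, port=25, timeout=30, **kw):
    """Probe a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return smtp_probe(rfile, wfile, **kw)


def probe_scripted(server_replies, **kw):
    """Replay a constructed server transcript so the probe can run offline."""
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    result = smtp_probe(rfile, wfile, **kw)
    return result, wfile.getvalue().decode()


# Constructed transcripts: an accepting server and one rejecting the recipient.
ACCEPTING = (b"220 mx.example.com ESMTP\r\n250-mx.example.com\r\n250 PIPELINING\r\n"
             b"250 2.1.0 Ok\r\n250 2.1.5 Ok\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
             b"250 2.0.0 Ok: queued\r\n221 Bye\r\n")
REJECTING = (b"220 mx.example.com ESMTP\r\n250 mx.example.com\r\n250 2.1.0 Ok\r\n"
             b"550 5.1.1 <postmaster@example.com>: Recipient address rejected\r\n"
             b"221 Bye\r\n")
# Constructed probe parameters (the fields of the SMTP Probe screen).
PROBE = dict(helo="eprism.example.com", mail_from="probe@example.com",
             rcpt_to="postmaster@example.com", data="Subject: probe\n\n.dot test\nhello")
```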
Ping Utility<br />
Traceroute Utility<br />
Traceroute is used to see the routing steps between two hosts. If you are losing connectivity<br />
somewhere in between <strong>ePrism</strong> and a receiving host, you can use traceroute to see where<br />
exactly the packet is losing its connection.<br />
The traceroute utility will show each network "hop" as it passes through each router to its<br />
destination. If you are experiencing routing issues, you will be able to see in the trace where<br />
exactly the communication is failing.<br />
Click the Traceroute button on the Status & Utility screen to trace the route to the specified<br />
host.<br />
Enter the IP address or hostname of the system you want to trace the route to, and then click<br />
the Traceroute button. Use Reset to reset the display.<br />
Troubleshooting Content Issues<br />
If the mail has been delivered to <strong>ePrism</strong> successfully, it will undergo security processing before<br />
delivery to its final destination. Many of the security tools used by <strong>ePrism</strong>, such as Intercept anti-spam,<br />
content filtering, anti-virus scanning, attachment control, and so on, can cause a<br />
message to be rejected, discarded, or quarantined, without the message being delivered to<br />
the recipient’s mailbox.<br />
If these tools are misconfigured, legitimate messages may be incorrectly rejected<br />
or quarantined. If you find that certain mail messages are being blocked when they should not<br />
be, check the following:<br />
• Is there a Specific Access Pattern or Pattern Based Message Filter rule that applies to the<br />
message?<br />
• Is the attachment type or content filtered via Attachment Control or Attachment scanning?<br />
• Are any of the Intercept Anti-Spam features blocking the message?<br />
• Do words from the Objectionable Content Filter (OCF) or Spam Dictionaries appear in the<br />
message?<br />
• Is the message over the maximum size limit?<br />
• Does the user belong to a policy that may block the message?<br />
Mail History Database<br />
Every message that passes through <strong>ePrism</strong> generates a database entry that records<br />
information about how it was processed, filtered, quarantined, and so on. To see how the<br />
message was handled by <strong>ePrism</strong>, you can check the Mail History Database to see the<br />
disposition of the message.<br />
Using this information, you can find out which security process is blocking the message, and<br />
then check the configuration and rules to ensure that they are set properly.<br />
Select Status/Reporting ➝ Reporting ➝ Mail History to view processed messages. Examine<br />
the Journal column for full information on how a message was processed and its final<br />
disposition.<br />
Displaying Message Details<br />
Click on a QueueID number to view the details of a message. Dispositions and the final<br />
Intercept score, if any, are listed below the details table in the Message Disposition section.<br />
APPENDIX A<br />
Using the <strong>ePrism</strong> System Console<br />
The <strong>ePrism</strong> system console provides a limited subset of administrative tasks and is only<br />
recommended for use during initial installation and network troubleshooting.<br />
Routine administration should be performed via the web browser administration interface.<br />
When accessing the system console, you will be prompted for the <strong>User</strong>ID and Password for<br />
the administrative user. When accessing the console for the first time after installation, the<br />
default settings are admin for the <strong>User</strong>ID, and admin for the Password. The password can be<br />
changed from the browser administration interface.<br />
Activity Screen<br />
The console Activity screen provides you with basic activity and statistics information for this<br />
<strong>ePrism</strong> system.<br />
Admin Menu<br />
Press any key to log into the console using the admin login.<br />
The Admin menu contains the following functions:<br />
• Exit — Exits the console.<br />
• Hardware Information — Displays the processor type, available memory, and network<br />
interface information.<br />
• Configure Interfaces — Modify the host and domain name, IP address, Gateway, DNS and<br />
NTP servers for all network interfaces.<br />
• <strong>Security</strong> Connection — Enables automatic updates from St. Bernard.<br />
• Shutdown — Shutdown <strong>ePrism</strong>.<br />
• Reboot — Shutdown and restart <strong>ePrism</strong>.<br />
• Switch to Text Mode — Switch from graphical mode to text mode.<br />
Diagnostics Menu<br />
The Diagnostics menu contains the following functions:<br />
• Activity Display — Displays CPU usage, network traffic and mail message activity.<br />
• Ping — Allows you to test network connectivity to other systems via the ping utility. An IP<br />
address or host name can be used.<br />
• Traceroute — Displays the routing steps between your <strong>ePrism</strong> system and a destination<br />
host.<br />
• Reset Network Interface — Resets network interfaces. This function is useful for correcting<br />
connection issues.<br />
• Display Disk Usage — Displays the amount of used and available disk space.<br />
• Display System Processes — Displays information on processes running on the system.<br />
Repair Menu<br />
The Repair menu contains the following functions:<br />
• Reset SSL Certificates — Sets certificate information back to the factory defaults. Any<br />
uploaded certificates or private keys will be lost.<br />
• Delete Strong Authentication for Admin — Removes strong authentication for the admin<br />
user login to allow you to use the console password.<br />
Misc Menu<br />
The Miscellaneous menu contains the following functions:<br />
• Set Time and Date — Sets the time and date for the system.<br />
• Set Time Zone — Sets your local time zone settings.<br />
• Configure UPS — Configure the link to an Uninterruptible Power Supply (UPS) for<br />
automatic shutdown in the event of a power failure.<br />
• Configure Web Admin — Modify the ports used to access the <strong>ePrism</strong> web browser<br />
administration interface.<br />
• Configure Serial Console — Configure a serial port for using the console over a serial<br />
connection. You must set your terminal program to the following values to use <strong>ePrism</strong>’s<br />
serial console:<br />
VT100 Emulation<br />
Baud Rate: 9600<br />
Data Bits: 8<br />
Parity: None<br />
Stop Bits: 1<br />
Flow Control: Hardware<br />
• Color Settings — Sets the colors for the console.<br />
APPENDIX B<br />
Restoring <strong>ePrism</strong> to Factory Default Settings<br />
<strong>ePrism</strong> can be returned to its factory defaults at any time. You may need to re-initialize the<br />
system if unrecoverable disk errors are found, or if you wish to perform a full restore.<br />
This procedure should only be used after consultation with St. Bernard technical support. You will<br />
lose ALL your configuration data and stored mail if you have not performed a backup.<br />
Re-initialize the system as follows:<br />
1. Select Management ➝ Reboot and Shutdown on the menu.<br />
2. Click the Reboot button, and the system will reboot.<br />
3. When the system restarts, go to the system console and press F1 "Restore" to restore<br />
the system to factory defaults.<br />
Press "r" to reinstall if you upgraded to 6.0 from a previous version and are using an older boot<br />
menu.<br />
4. Press Enter to select graphics mode when prompted.<br />
5. An informational screen will appear. Select OK to continue.<br />
6. Select a keyboard type.<br />
7. Select Auto (to auto partition your drives) or Custom and press Enter. Select OK to<br />
confirm.<br />
8. Select OK at the information screen: "You can install from CDROM…".<br />
9. Use the arrow keys to select Hard Drive from the options and press Enter.<br />
10. When the procedure is complete, an information message will appear: "St. Bernard’s<br />
software has now been loaded….".<br />
11. Select OK and the system will restart.<br />
The system will now be restarted with the factory default configuration. Proceed with the<br />
installation and configuration of the system. See the <strong>ePrism</strong> Installation <strong>Guide</strong> for detailed<br />
information on the install procedure.<br />
APPENDIX C<br />
Message Processing Order<br />
The following list describes the full order in which incoming messages are processed by<br />
<strong>ePrism</strong>:<br />
SMTP Connection Checks<br />
• Reject on Threat Prevention<br />
• Reject on unauth SMTP pipelining<br />
• Reject on expired <strong>ePrism</strong> license<br />
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF) HELO<br />
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF)<br />
Envelope-To<br />
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF)<br />
Envelope-From<br />
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF) Client<br />
IP<br />
• Reject on DNS Block List (DNSBL)<br />
• Reject on BorderWare <strong>Security</strong> Network (BSN) reputation<br />
• Reject on BorderWare <strong>Security</strong> Network (BSN) infected<br />
• Reject on BorderWare <strong>Security</strong> Network (BSN) dial-up<br />
At this point, local and trusted networks skip any remaining "Reject" checks.<br />
• Reject on unknown sender domain<br />
• Reject on missing reverse DNS<br />
• Reject on missing sender MX<br />
• Reject on non-FQDN sender<br />
• Reject on unknown recipient<br />
• Reject on missing addresses<br />
• Reject if number of recipients exceeds maximum<br />
• Reject if message size exceeds maximum<br />
Message Checks<br />
• Very Malformed<br />
• Anti-Virus<br />
• Pattern Based Message Filter (PBMF) Bypass (This action skips remaining checks)<br />
• Malformed messages<br />
• Attachment Control<br />
• Threat Outbreak Control<br />
• Message Affirmation<br />
• Objectionable Content Filter (OCF)<br />
• Pattern Based Message Filter (PBMF) (High priority)<br />
• Pattern Based Message Filter (PBMF) (Medium priority)<br />
• Trusted Senders List (Skips remaining checks)<br />
• Blocked Senders List<br />
• Pattern Based Message Filter (PBMF) (Low priority)<br />
• Attachment Content Scanning<br />
• SAP (Trusted and Allow)<br />
• Trusted Network (Skips remaining checks)<br />
• Intercept Anti-Spam Processing:<br />
• SPF<br />
• DomainKeys<br />
• Bulk Analysis<br />
• DNSBL<br />
• Message Anomalies<br />
• Spam Words<br />
• BSN Reputation<br />
• BSN Dial-up<br />
• Token Analysis<br />
• URL Block lists<br />
Message Mappings and Routing<br />
• Mail Mappings<br />
• Virtual Mappings<br />
• Relocated <strong>User</strong>s<br />
• Mail Aliases<br />
• Mail Routing<br />
• Mail Delivery to its final destination<br />
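Why this order matters when troubleshooting a blocked message, as an added Python illustration that is not ePrism's own code: a small pipeline runs checks in the Appendix C order, honours the entries that skip remaining checks, and records a journal of what ran. The check logic and the CONFIG values are constructed stand-ins for the appliance's configured rules.<br />

```python
"""Ordered check pipeline modelled on the processing order in Appendix C.
Added illustration, not ePrism code. Each check returns None (not applicable),
SKIP (end the current phase, like "skips remaining checks"), or an
(action, reason) pair that stops processing. The journal records what ran,
much as the Mail History Journal column does."""
import re

SKIP = "skip-remaining"

# Constructed policy values standing in for the appliance's configured rules.
CONFIG = {
    "max_size": 10 * 1024 * 1024,
    "blocked_extensions": {".exe", ".scr", ".pif"},
    "trusted_senders": {"partner@example.net"},
    "bypass_tag": "[PBMF-BYPASS]",             # constructed PBMF bypass rule
    "av_marker": b"CONSTRUCTED-VIRUS-MARKER",  # stands in for an AV signature hit
    "spam_words": {"viagra", "lottery", "winner"},
    "spam_threshold": 2,
}


# --- SMTP connection ("Reject") checks -------------------------------------
def trusted_network_skip(m):
    # Local and trusted networks skip any remaining "Reject" checks.
    if m.get("trusted_network"):
        return SKIP


def reject_missing_reverse_dns(m):
    if not m.get("client_ptr"):
        return ("reject", "missing reverse DNS")


def reject_non_fqdn_sender(m):
    if "." not in m["mail_from"].rpartition("@")[2]:
        return ("reject", "non-FQDN sender")


def reject_size(m):
    if m["size"] > CONFIG["max_size"]:
        return ("reject", "message size exceeds maximum")


# --- Message checks --------------------------------------------------------
def anti_virus(m):
    for name, content in m["attachments"]:
        if CONFIG["av_marker"] in content:
            return ("reject", f"virus in {name}")


def pbmf_bypass(m):
    if m["subject"].startswith(CONFIG["bypass_tag"]):
        return SKIP


def attachment_control(m):
    for name, _ in m["attachments"]:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in CONFIG["blocked_extensions"]:
            return ("quarantine", f"attachment type {ext}")


def trusted_senders(m):
    if m["mail_from"].lower() in CONFIG["trusted_senders"]:
        return SKIP


def spam_words(m):
    words = re.findall(r"[a-z]+", (m["subject"] + " " + m["body"]).lower())
    hits = sum(1 for w in words if w in CONFIG["spam_words"])
    if hits >= CONFIG["spam_threshold"]:
        return ("quarantine", f"{hits} spam words")


# Relative order as in Appendix C: anti-virus precedes the PBMF bypass,
# attachment control precedes the Trusted Senders List, and that list
# precedes Intercept spam scoring.
PIPELINE = [
    ("SMTP connection checks", [trusted_network_skip, reject_missing_reverse_dns,
                                reject_non_fqdn_sender, reject_size]),
    ("Message checks", [anti_virus, pbmf_bypass, attachment_control,
                        trusted_senders, spam_words]),
]


def process(m):
    """Return (final action, journal) for one message dict."""
    journal = []
    for phase, checks in PIPELINE:
        for check in checks:
            verdict = check(m)
            if verdict is None:
                continue
            if verdict == SKIP:
                journal.append(f"{phase}: {check.__name__} skipped remaining checks")
                break
            action, reason = verdict
            journal.append(f"{phase}: {check.__name__} -> {action} ({reason})")
            return action, journal
    journal.append("Mappings and routing: delivered")
    return "delivered", journal


def sample(**overrides):
    """Constructed baseline message that passes every check."""
    m = {"client_ptr": "mx.example.net", "trusted_network": False,
         "mail_from": "user@example.net", "subject": "hello",
         "body": "see attached", "size": 2048, "attachments": []}
    m.update(overrides)
    return m
```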
APPENDIX D<br />
Customizing Notification and Annotation Messages<br />
You can use variables to customize the content of notifications and annotations. <strong>ePrism</strong> will<br />
substitute your local settings for the variables at the time the message is sent. The following<br />
variables are available:<br />
Not all variables will work with all notification features.<br />
TABLE 1. <strong>ePrism</strong> System Variables<br />
Variable | Description | Example<br />
%PROGRAM% or %PRODUCT% | Product name | St. Bernard <strong>ePrism</strong> <strong>Email</strong> <strong>Security</strong> <strong>Appliance</strong><br />
%HOSTNAME% | Hostname entered on the Network Settings screen. | mail.example.com<br />
%POSTMASTER_MAIL_ADDR% | <strong>Email</strong> address of the admin user. | admin@example.com<br />
%DISPN% | Disposition or Action for a message. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. | quarantined<br />
%DELAY_WARN_TIME% | Time before Delay Warning. Only applicable in Mail Delivery ➝ Delivery Settings in the Delivery Delay Warning section. | 4 hours<br />
%MAX_QUEUE_TIME% | Maximum Time in Mail Queue. Only applicable in Mail Delivery ➝ Delivery Settings in the Delivery Delay Warning section. | 5 days<br />
%S_YOU% (%SENDER%) | "you" Mail address of sender. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. | sender@example.com<br />
%R_YOU% (%RECIPIENT%) | "you" Mail address of recipient. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. | recipient@example.com<br />
%SPAM_FOLDER% | The name of the spam folder for the user spam quarantine. Only applicable to the <strong>User</strong> Spam Quarantine feature. | spam_quarantine<br />
%SPAM_EXPIRY% | The number of days before quarantined spam is expired. Only applicable to the <strong>User</strong> Spam Quarantine feature. | 30<br />
%SPAM_MESSAGES% | The information for a spam message (Date,From,Subject). Only applicable to the <strong>User</strong> Spam Quarantine. | 05/27/04, joe@example.com, File for you<br />
%WEBMAIL_URL% | The URL of the configured WebMail server. Only applicable to the <strong>User</strong> Spam Quarantine and other features that use WebMail. | http://eprism.example.com/<br />
%NUMSPAM% | Number of spam messages in the spam folder. This information is sent in a spam summary digest and is only applicable to the <strong>User</strong> Spam Quarantine. | 20<br />
%NUMSPAMSTAT% | Number of spam messages and bytes used in the spam folder. This information is sent in a spam summary digest and is only applicable to the <strong>User</strong> Spam Quarantine. | 20,10000<br />
None of these variables can be used with the SMTP Banner and SMTP Content Reject message.<br />
APPENDIX E<br />
Performance Tuning<br />
There are several factors that can affect the performance of your <strong>ePrism</strong> system:<br />
• Network bandwidth<br />
• Number of allowed SMTP connections<br />
• Usage of background processes such as Reporting and <strong>ePrism</strong> Mail Client<br />
• Internet unpredictability: Mail can often arrive in bursts of activity, with only a few<br />
messages arriving one minute, and several hundred the next. In the event of a network<br />
outage, such as a failed router, the amount of queued mail that arrives after the router is<br />
back online can be very large.<br />
• Internet performance: SMTP clients can be very slow at connecting, and the connection<br />
may be disconnected before it is complete.<br />
• The time to process a message is also affected by the size of the email and its<br />
attachments.<br />
• Amount of system resources (Processing power, RAM, and disk space)<br />
These factors must be carefully considered when tuning a system for optimal performance. If<br />
an <strong>ePrism</strong> system is optimized for throughput to handle high mail loads, other aspects of the<br />
system may suffer from increased latency issues, such as reporting, WebMail/<strong>ePrism</strong> Mail<br />
Client access, and the possibility of dropped connections by clients who cannot connect to a<br />
busy system. Similarly, allocating too many resources to resolve latency issues will affect mail<br />
throughput performance.<br />
Modifying certain parameters may affect the performance of other aspects of the system, and it is<br />
recommended that you only change these settings to resolve specific performance issues with<br />
guidance from St. Bernard Technical Support. Do NOT experiment with these settings.<br />
Setting Default Performance Settings<br />
When <strong>ePrism</strong> is installed and initialized, you must select the default profile for your system, such<br />
as an "M1000 with mail scanning only", or an "M1000 with WebMail".<br />
You may need to change your settings if you enable or disable the use of WebMail after your<br />
initial installation.<br />
Select Basic Config ➝ Performance on the menu to configure your Performance tuning<br />
settings.<br />
Advanced Settings<br />
Click the Advanced button if you need to adjust any of the individual parameters to create a<br />
custom setting.<br />
Maximum Number of Processes<br />
This parameter specifies the maximum number of concurrent processes that implement mail<br />
services. This setting limits the number of connections accepted by smtpd, and the number of<br />
outgoing SMTP connections. If this number is set too large, you may run out of swap space.<br />
TABLE 1. Maximum Number of Processes<br />
System | Recommended Value | Description<br />
M1000 | 50 (default) | This is the default setting and should not be modified. Set this parameter to 40 if using WebMail.<br />
M2000 | 200 | This is the default setting and should not be modified. Set this parameter to 150 if using WebMail.<br />
M3000 | 300 | This is the default setting and should not be modified. Set this parameter to 200 if using WebMail.<br />
M4000 | 400 | This is the default setting and should not be modified. Set this parameter to 300 if using WebMail.<br />
Maximum Number of Parallel Deliveries<br />
This parameter specifies the maximum number of outgoing SMTP connections to the same<br />
destination. This setting helps limit the number of outgoing connections. The value must be less<br />
than the maximum number of processes, or performance will be degraded.<br />
TABLE 2. Maximum Number of Parallel Deliveries<br />
System | Recommended Value | Description<br />
M1000 | 4 (default) | This is the default setting and should not be modified.<br />
M2000 | 10 | You should only increase this value if you are having problems delivering enough mail to the internal server.<br />
M3000/4000 | 10 |<br />
Maximum Number of Mail Scanners<br />
This parameter specifies the maximum number of mail scanners that can run simultaneously.<br />
This setting limits the overall mail processing and memory footprint. Setting this value too high<br />
or too low may result in reduced performance. Valid settings are from 2 - 20.<br />
TABLE 3. Maximum Number of Mail Scanners<br />
System | Recommended Value | Description<br />
M1000 | 2 (default) | This is the default setting and should not be modified.<br />
M2000 | 6 | Increase this value to a maximum of 8 only if performance is an issue.<br />
M3000/4000 | 6 | Increase this value to a maximum of 10 only if performance is an issue.<br />
Raise Priority of Heavy Weight Processes<br />
Increasing the priority of heavyweight processes can increase performance and <strong>ePrism</strong> Mail<br />
Client response times, but it can reduce the processing resources for other mail processes if it<br />
is set too high. Valid settings are from a default priority of 0 to a maximum priority of 20.<br />
TABLE 4. Raise Priority of Heavy Weight Processes<br />
System | Recommended Value | Description<br />
M1000 | 0 (default) | This is the default setting and should not be modified.<br />
M2000 | 5 | Only change this from the default value if WebMail is not being used, and you need to devote more resources to message handling.<br />
M3000/4000 | 10 | Set this value to 5 if using WebMail and/or performance is not an issue.<br />
Number of Heavy Weight Processes<br />
This parameter specifies the maximum number of heavy weight mail scanning processes that<br />
can be run simultaneously.<br />
Valid settings are from 1 (Default) - 6 (maximum processes).<br />
Setting a value greater than 2 will not improve performance, and changing this value from the<br />
default setting is not recommended.<br />
Number of DB Proxies<br />
This parameter specifies the maximum number of database proxies that can be used by the<br />
mail scanning processes. This value is relative to the Maximum Number of Processes setting,<br />
and should be increased in conjunction with the number of maximum processes.<br />
Valid settings are from 2 (Default) - 12 (maximum processes), however, setting this value above<br />
8 will result in diminishing performance returns.<br />
TABLE 5. Number of DB Proxies<br />
System | Recommended Value | Description<br />
M1000 | 2 (default) | This is the default setting and should not be modified.<br />
M2000 | 4 | If increasing number of processes above 50, then set to 6.<br />
M3000/4000 | 8 | If increasing number of processes above 150, then set to 10.<br />
SMTP Connect Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, for an SMTP client to complete<br />
a TCP connection before the connection is dropped. This value defines how long <strong>ePrism</strong> will<br />
wait for a response before timing out. The default is 0, but there is an overall system timeout of<br />
5 minutes for SMTP connections. Increasing this value may help with sites which have a slow<br />
Internet connection.<br />
SMTP HELO Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, allowed for receiving the SMTP greeting<br />
banner before the connection is dropped. The default is 300 seconds, which means that <strong>ePrism</strong><br />
will wait 5 minutes to receive the initial SMTP HELO message before timing out. Using a lower<br />
timeout value may increase performance by freeing up more connections. Increasing this value<br />
may help with sites which have a slow Internet connection.<br />
SMTPD Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, to send an SMTP server<br />
response and to receive an SMTP client request before dropping the connection. The default is<br />
300 seconds. When <strong>ePrism</strong> connects to another mail server to deliver mail, it will drop the<br />
connection if it takes more than 5 minutes to receive a response. A lower value may increase<br />
performance by freeing up connections. Increasing this value may help with sites which have a<br />
slow Internet connection.<br />
SMTPD Minimum Receive Rate<br />
The minimum rate, in bytes per second, at which a client must send data. The limit will be<br />
enforced after the SMTPD minimum receive rate interval has elapsed. Set this to a higher value<br />
when excessively slow clients are tying up system resources. A value of 0 indicates no<br />
minimum rate. Default is 0.<br />
SMTPD Receive Rate Interval<br />
The time interval, in seconds, which must elapse before the SMTPD minimum receive rate<br />
restriction is enforced for a newly connected client. Set this to a higher value to give clients<br />
longer to establish an acceptable data flow rate. A value of 0 means that the limit is enforced<br />
immediately. Default is 0.<br />
SMTP Tarpit Time<br />
The amount of time, in seconds, to wait before replying to an SMTP client with a 4xx or 5xx<br />
error message (for example, when message content is rejected). The default is 5 seconds. A lower<br />
value may increase performance by freeing up connections. A higher value may deter senders<br />
from sending invalid content such as spam and viruses.<br />
Service Throttle Time<br />
The amount of time, in seconds, to wait before re-starting a Postfix service that exits<br />
unexpectedly. The default is 60 seconds, and must be 1 second at minimum.<br />
Size of Temporary Files Filesystem<br />
Specify the size of the /tmp filesystem at system startup. This setting affects the maximum<br />
size of attachments that may be scanned, and should only be used if you are having problems<br />
with scanning large files. If you increase this setting beyond the amount of physical RAM,<br />
system performance will be degraded due to excessive swapping. You must monitor your<br />
system performance if this setting is used.<br />
Size of Shared Memory block allocated to Database<br />
Specify the size of the shared memory block to make available to the database. Increasing this<br />
value increases the speed of database operations at the cost of having less memory available<br />
for other purposes. Increase this value if you are increasing the number of messages that will<br />
be stored in the email database.<br />
If you change the size of the temp file system or shared memory block, the system will need to be<br />
restarted before these settings take effect.<br />
APPENDIX F<br />
SNMP MIBS<br />
The following sections describe the statistics available from the system’s SNMP MIBS. The<br />
MIB files can be downloaded from Basic Config ➝ SNMP Configuration and clicking the<br />
Download MIBS button.<br />
The MIB files are based on SNMP version 2 and are backwards compatible with version 1.<br />
MIB Files Summary<br />
The following sections contain a summary of the MIB file entries. The raw MIB files are listed at<br />
the end of this appendix.<br />
Memory Usage and Reporting<br />
TABLE 1. Memory Usage and Reporting<br />
Object | Description<br />
memTotalSwap | Total Swap Size configured for the host<br />
memAvailSwap | Available Swap Space on the host<br />
memTotalReal | Total Real/Physical Memory Size on the host<br />
memAvailReal | Available Real/Physical Memory Space on the host<br />
memTotalSwapTXT | Total virtual memory used by text<br />
memAvailSwapTXT | Active virtual memory used by text<br />
memTotalRealTXT | Total Real/Physical Memory Size used by text<br />
memAvailRealTXT | Active Real/Physical Memory Space used by text<br />
memTotalFree | Total Available Memory on the host<br />
memMinimumSwap | Minimum amount of free swap required to be free<br />
memShared | Total Shared Memory<br />
memBuffer | Total Buffered Memory<br />
memCached | Total Cached Memory<br />
memSwapError | Error flag indicating very little swap space left<br />
memSwapErrorMsg | Error message describing the Error Flag condition<br />
Disk Information<br />
TABLE 2. Disk Information<br />
Object | Description<br />
dskIndex | Integer reference number (row number) for the disk MIB.<br />
dskPath | Path where the disk is mounted.<br />
dskDevice | Path of the device for the partition<br />
dskMinimum | Minimum space required on the disk (in kBytes) before errors are triggered.<br />
dskMinPercent | Percentage of minimum space required on the disk before errors are triggered.<br />
dskTotal | Total size of the disk/partition (kBytes)<br />
dskAvail | Available space on the disk<br />
dskUsed | Used space on the disk<br />
dskPercent | Percentage of space used on disk<br />
dskPercentNode | Percentage of inodes used on disk<br />
dskErrorFlag | Error flag signaling that the disk or partition is under the minimum required space configured for it.<br />
dskErrorMsg | A text description providing a warning and the space left on the disk.<br />
System Statistics<br />
TABLE 3. System Statistics<br />
Object | Description<br />
ssIndex | Reference Index for each observed system statistic<br />
ssErrorName | The list of system statistic names being counted<br />
ssSwapIn | Amount of memory swapped in from disk (KB/s)<br />
ssSwapOut | Amount of memory swapped to disk (KB/s)<br />
The SNMP agent only implements the following statistics that are supported by the kernel. Not<br />
all of the following objects will be available.<br />
TABLE 4. System Statistics If Supported by Kernel<br />
Object | Description<br />
ssCpuRawUser | User CPU time<br />
ssCpuRawNice | Nice CPU time<br />
ssCpuRawSystem | System CPU time<br />
ssCpuRawIdle | Idle CPU time<br />
ssCpuRawWait | IOwait CPU time<br />
ssCpuRawKernel | Kernel CPU time<br />
ssCpuRawInterrupt | Interrupt level CPU time<br />
ssIORawSent | Number of requests sent to a block device<br />
ssIORawReceived | Number of requests received from a block device<br />
ssRawInterrupts | Number of interrupts processed<br />
ssRawContexts | Number of context switches<br />
Alarm Objects<br />
TABLE 5. Alarm Objects<br />
Object | Description<br />
alTriggerAlarm | The flag to trigger an alarm<br />
alLastChange | The time value when the alarm condition occurs<br />
alName | A textual string containing the name of the alarm<br />
alRemoteIpAddr | Source IP address<br />
alDestPort | Destination port number<br />
alAlarm | The alarm trap<br />
Mail System Objects<br />
Current Mail Data<br />
TABLE 6. Current Mail Data<br />
queuedMessages: The number of queued mail messages.<br />
deferredMessages: The number of deferred mail messages.<br />
totalMessages: The total number of mail messages.<br />
Historical Mail Data<br />
TABLE 7. Historical Mail Data<br />
mailIndex: The value of this object uniquely identifies each mail stats entry.<br />
mailInterval: Time interval pertaining to the data in this sequence.<br />
mailRcvd: Number of received messages for this interval.<br />
mailSent: Number of sent messages for this interval.<br />
mailSpam: Number of spam messages for this interval.<br />
mailReject: Number of rejected messages for this interval.<br />
mailVirus: Number of messages identified as containing a virus for this interval.<br />
mailClean: Number of clean messages for this interval.<br />
Traps<br />
The system will send an SNMP trap when the system shuts down and when it restarts.<br />
MIB Files<br />
BORDERWARE-FW-MIB DEFINITIONS ::= BEGIN<br />
IMPORTS<br />
MODULE-COMPLIANCE, OBJECT-GROUP<br />
FROM SNMPv2-CONF<br />
OBJECT-TYPE, NOTIFICATION-TYPE,<br />
MODULE-IDENTITY, OBJECT-IDENTITY,<br />
Integer32, enterprises, IpAddress<br />
FROM SNMPv2-SMI<br />
TEXTUAL-CONVENTION, DisplayString, DateAndTime<br />
FROM SNMPv2-TC<br />
bwProducts<br />
FROM BORDERWARE-MIB;<br />
bwFirewall MODULE-IDENTITY<br />
LAST-UPDATED "200404110000Z"<br />
ORGANIZATION "Borderware Technology Inc."<br />
CONTACT-INFO<br />
"mibs@borderware.com "<br />
DESCRIPTION<br />
"The private Borderware SNMP extensions."<br />
REVISION "200404110000Z"<br />
DESCRIPTION<br />
"Draft. "<br />
::= { bwProducts 1 }<br />
-- Current mib entries -----------------------------------------<br />
bwFirewallConformance OBJECT IDENTIFIER ::= { bwFirewall 3 }<br />
-- OID values assigned in the bwFirewall branch ----------------<br />
bwAlarm<br />
OBJECT-IDENTITY<br />
STATUS current<br />
DESCRIPTION<br />
"The entry for alarm objects."<br />
::= { bwFirewall 100 }<br />
alTriggerAlarm OBJECT-TYPE<br />
SYNTAX Integer32 (0..1)<br />
MAX-ACCESS read-write<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"The flag to trigger an alarm."<br />
::= { bwAlarm 1 }<br />
alLastChange OBJECT-TYPE<br />
SYNTAX<br />
DateAndTime<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"The time value when the alarm condition occurs."<br />
::= { bwAlarm 4 }<br />
-- Removed interface name from implementation<br />
-- alInterface OBJECT-TYPE<br />
-- SYNTAX DisplayString (SIZE (0..255))<br />
-- MAX-ACCESS read-only<br />
-- STATUS current<br />
-- DESCRIPTION<br />
-- "A textual string containing name of the<br />
-- interface."<br />
-- ::= { bwAlarm 7 }<br />
alName OBJECT-TYPE<br />
SYNTAX DisplayString (SIZE (0..255))<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"A textual string containing name of the alarm."<br />
::= { bwAlarm 9 }<br />
alRemoteIpAddr OBJECT-TYPE<br />
SYNTAX<br />
IpAddress<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"A source IP address."<br />
::= { bwAlarm 10 }<br />
alDestPort<br />
OBJECT-TYPE<br />
SYNTAX Integer32 (0..65535)<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"Destination port number."<br />
::= { bwAlarm 15 }<br />
-- definition of trap triggered by the alarm condition.<br />
alAlarm NOTIFICATION-TYPE<br />
OBJECTS {<br />
alLastChange,<br />
alName,<br />
alRemoteIpAddr,<br />
alDestPort<br />
}<br />
STATUS current<br />
DESCRIPTION<br />
"A trap."<br />
::= { bwAlarm 50 }<br />
-- Conformance information --------------------------------------------<br />
bwFirewallCompliances OBJECT IDENTIFIER ::= { bwFirewallConformance 1 }<br />
bwFirewallGroups OBJECT IDENTIFIER ::= { bwFirewallConformance 2 }<br />
-- Compliance statements ----------------------------------------------<br />
bwFirewallCompliance MODULE-COMPLIANCE<br />
STATUS<br />
current<br />
DESCRIPTION "The compliance statement for SNMP entities which<br />
implement the BORDERWARE-FW-MIB. "<br />
MODULE<br />
-- this module<br />
MANDATORY-GROUPS { bwAlarmGroup }<br />
::= { bwFirewallCompliances 1 }<br />
bwAlarmGroup OBJECT-GROUP<br />
OBJECTS {<br />
alTriggerAlarm,<br />
alLastChange,<br />
alName,<br />
alRemoteIpAddr,<br />
alDestPort<br />
}<br />
STATUS<br />
current<br />
DESCRIPTION "A collection of objects providing for remote<br />
monitoring. "<br />
::= { bwFirewallGroups 1 }<br />
END<br />
BORDERWARE-MIB DEFINITIONS ::= BEGIN<br />
IMPORTS<br />
MODULE-COMPLIANCE, OBJECT-GROUP<br />
FROM SNMPv2-CONF<br />
OBJECT-TYPE, NOTIFICATION-TYPE,<br />
MODULE-IDENTITY, OBJECT-IDENTITY,<br />
Counter32, Integer32, Opaque, enterprises, IpAddress<br />
FROM SNMPv2-SMI<br />
TEXTUAL-CONVENTION, DisplayString, DateAndTime<br />
FROM SNMPv2-TC;<br />
borderware MODULE-IDENTITY<br />
LAST-UPDATED "200211070000Z"<br />
ORGANIZATION "Borderware Technology Inc."<br />
CONTACT-INFO<br />
"mibs@borderware.com "<br />
DESCRIPTION<br />
"The private Borderware SNMP extensions."<br />
REVISION "200211070000Z"<br />
DESCRIPTION<br />
"Draft."<br />
::= { enterprises 8673 }<br />
-- Current mib entries -----------------------------------------<br />
bwProducts OBJECT IDENTIFIER ::= { borderware 1 }<br />
bwProductId OBJECT IDENTIFIER ::= { bwProducts 2 }<br />
-- ObjectId<br />
bwFirewallServer7 OBJECT IDENTIFIER ::= { bwProductId 1 }<br />
-- Current core mib table entries:<br />
-- memory OBJECT IDENTIFIER ::= { ucdavis 4 }<br />
-- diskTable OBJECT IDENTIFIER ::= { ucdavis 9 }<br />
-- systemStats OBJECT IDENTIFIER ::= { ucdavis 11 }<br />
--<br />
-- Define the Float Textual Convention<br />
-- This definition was written by David Perkins.<br />
--<br />
Float ::= TEXTUAL-CONVENTION<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"A single precision floating-point number. The semantics<br />
and encoding are identical for type 'single' defined in<br />
IEEE Standard for Binary Floating-Point,<br />
ANSI/IEEE Std 754-1985.<br />
The value is restricted to the BER serialization of<br />
the following ASN.1 type:<br />
FLOATTYPE ::= [120] IMPLICIT FloatType<br />
(note: the value 120 is the sum of '30'h and '48'h)<br />
The BER serialization of the length for values of<br />
this type must use the definite length, short<br />
encoding form.<br />
For example, the BER serialization of value 123<br />
of type FLOATTYPE is '9f780442f60000'h. (The tag<br />
is '9f78'h; the length is '04'h; and the value is<br />
'42f60000'h.) The BER serialization of value<br />
'9f780442f60000'h of data type Opaque is<br />
'44079f780442f60000'h. (The tag is '44'h; the length<br />
is '07'h; and the value is '9f780442f60000'h."<br />
SYNTAX Opaque (SIZE (7))<br />
--<br />
-- Memory usage/watch reporting.<br />
--<br />
bwSysMemory OBJECT IDENTIFIER ::= { borderware 4 }<br />
memIndex OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Bogus Index. This should always return the integer 0."<br />
::= { bwSysMemory 1 }<br />
memErrorName OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Bogus Name. This should always return the string 'swap'."<br />
::= { bwSysMemory 2 }<br />
memTotalSwap OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Swap Size configured for the host."<br />
::= { bwSysMemory 3 }<br />
memAvailSwap OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Available Swap Space on the host."<br />
::= { bwSysMemory 4 }<br />
memTotalReal OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Real/Physical Memory Size on the host."<br />
::= { bwSysMemory 5 }<br />
memAvailReal OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Available Real/Physical Memory Space on the host."<br />
::= { bwSysMemory 6 }<br />
memTotalSwapTXT OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total virtual memory used by text."<br />
::= { bwSysMemory 7 }<br />
memAvailSwapTXT OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Active virtual memory used by text."<br />
::= { bwSysMemory 8 }<br />
memTotalRealTXT OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Real/Physical Memory Size used by text."<br />
::= { bwSysMemory 9 }<br />
memAvailRealTXT OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Active Real/Physical Memory Space used by text."<br />
::= { bwSysMemory 10 }<br />
memTotalFree OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Available Memory on the host"<br />
::= { bwSysMemory 11 }<br />
memMinimumSwap OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Minimum amount of free swap required to be free<br />
or else memErrorSwap is set to 1 and an error string is<br />
returned memSwapErrorMsg."<br />
::= { bwSysMemory 12 }<br />
memShared OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Shared Memory"<br />
::= { bwSysMemory 13 }<br />
memBuffer OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Buffered Memory"<br />
::= { bwSysMemory 14 }<br />
memCached OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total Cached Memory"<br />
::= { bwSysMemory 15 }<br />
memSwapError OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Error flag. 1 indicates very little swap space left"<br />
::= { bwSysMemory 100 }<br />
memSwapErrorMsg OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Error message describing the Error Flag condition"<br />
::= { bwSysMemory 101 }<br />
dskTable OBJECT-TYPE<br />
SYNTAX SEQUENCE OF DskEntry<br />
MAX-ACCESS not-accessible<br />
STATUS current<br />
DESCRIPTION<br />
"Disk watching information. Partitions to be watched<br />
are configured by the snmpd.conf file of the agent."<br />
::= { borderware 9 }<br />
dskEntry OBJECT-TYPE<br />
SYNTAX DskEntry<br />
MAX-ACCESS not-accessible<br />
STATUS current<br />
DESCRIPTION<br />
"An entry containing a disk and its statistics."<br />
INDEX { dskIndex }<br />
::= { dskTable 1 }<br />
DskEntry ::= SEQUENCE {<br />
dskIndex Integer32,<br />
dskPath DisplayString,<br />
dskDevice DisplayString,<br />
dskMinimum Integer32,<br />
dskMinPercent Integer32,<br />
dskTotal Integer32,<br />
dskAvail Integer32,<br />
dskUsed Integer32,<br />
dskPercent Integer32,<br />
dskPercentNode Integer32,<br />
dskErrorFlag Integer32,<br />
dskErrorMsg DisplayString<br />
}<br />
dskIndex OBJECT-TYPE<br />
SYNTAX Integer32 (0..65535)<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Integer reference number (row number) for the disk mib."<br />
::= { dskEntry 1 }<br />
dskPath OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Path where the disk is mounted."<br />
::= { dskEntry 2 }<br />
dskDevice OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Path of the device for the partition"<br />
::= { dskEntry 3 }<br />
dskMinimum OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Minimum space required on the disk (in kBytes) before the<br />
errors are triggered. Either this or dskMinPercent is<br />
configured via the agent's snmpd.conf file."<br />
::= { dskEntry 4 }<br />
dskMinPercent OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Percentage of minimum space required on the disk before the<br />
errors are triggered. Either this or dskMinimum is<br />
configured via the agent's snmpd.conf file."<br />
::= { dskEntry 5 }<br />
dskTotal OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Total size of the disk/partition (kBytes)"<br />
::= { dskEntry 6 }<br />
dskAvail OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Available space on the disk"<br />
::= { dskEntry 7 }<br />
dskUsed OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Used space on the disk"<br />
::= { dskEntry 8 }<br />
dskPercent OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Percentage of space used on disk"<br />
::= { dskEntry 9 }<br />
dskPercentNode OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Percentage of inodes used on disk"<br />
::= { dskEntry 10 }<br />
dskErrorFlag OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Error flag signaling that the disk or partition is under<br />
the minimum required space configured for it."<br />
::= { dskEntry 100 }<br />
dskErrorMsg OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"A text description providing a warning and the space left<br />
on the disk."<br />
::= { dskEntry 101 }<br />
systemStats OBJECT IDENTIFIER ::= { borderware 11 }<br />
ssIndex OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Reference Index for each observed systemStat (1)."<br />
::= { systemStats 1 }<br />
ssErrorName OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"The list of systemStats names (vmstat) we're Counting."<br />
::= { systemStats 2 }<br />
ssSwapIn OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Amount of memory swapped in from disk (kB/s)."<br />
::= { systemStats 3 }<br />
ssSwapOut OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Amount of memory swapped to disk (kB/s)."<br />
::= { systemStats 4 }<br />
ssIOSent OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"Blocks sent to a block device (blocks/s). Deprecated, replaced by<br />
the ssIORawSent object"<br />
::= { systemStats 5 }<br />
ssIOReceive OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"Blocks received from a block device (blocks/s). Deprecated, replaced by<br />
the ssIORawReceived object"<br />
::= { systemStats 6 }<br />
ssSysInterrupts OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"The number of interrupts per second, including the clock.<br />
Deprecated, replaced by ssRawInterrupts"<br />
::= { systemStats 7 }<br />
ssSysContext OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"The number of context switches per second.<br />
Deprecated, replaced by ssRawContexts"<br />
::= { systemStats 8 }<br />
ssCpuUser OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"percentages of user CPU time. Deprecated, replaced by the ssCpuRawUser<br />
object"<br />
::= { systemStats 9 }<br />
ssCpuSystem OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"percentages of system CPU time. Deprecated, replaced by the<br />
ssCpuRawSystem object"<br />
::= { systemStats 10 }<br />
ssCpuIdle OBJECT-TYPE<br />
SYNTAX Integer32<br />
MAX-ACCESS read-only<br />
STATUS deprecated<br />
DESCRIPTION<br />
"percentages of idle CPU time. Deprecated, replaced by the<br />
ssCpuRawIdle object"<br />
::= { systemStats 11 }<br />
-- The agent only implements those of the following counters that the<br />
-- kernel supports! Don't expect all to be present.<br />
ssCpuRawUser OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"user CPU time."<br />
::= { systemStats 50 }<br />
ssCpuRawNice OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"nice CPU time."<br />
::= { systemStats 51 }<br />
ssCpuRawSystem OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"system CPU time."<br />
::= { systemStats 52 }<br />
ssCpuRawIdle OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"idle CPU time."<br />
::= { systemStats 53 }<br />
ssCpuRawWait OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"iowait CPU time. This is primarily a SysV thingie"<br />
::= { systemStats 54 }<br />
ssCpuRawKernel OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"kernel CPU time."<br />
::= { systemStats 55 }<br />
ssCpuRawInterrupt OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"interrupt level CPU time. This is primarily a BSD thingie"<br />
::= { systemStats 56 }<br />
ssIORawSent OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"Number of requests sent to a block device"<br />
::= { systemStats 57 }<br />
ssIORawReceived OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"Number of requests received from a block device"<br />
::= { systemStats 58 }<br />
ssRawInterrupts OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"Number of interrupts processed"<br />
::= { systemStats 59 }<br />
ssRawContexts OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"Number of context switches"<br />
::= { systemStats 60 }<br />
END<br />
BORDERWARE-SMG-MIB DEFINITIONS ::= BEGIN<br />
IMPORTS<br />
MODULE-COMPLIANCE, OBJECT-GROUP<br />
FROM SNMPv2-CONF<br />
OBJECT-TYPE, OBJECT-IDENTITY, MODULE-IDENTITY,<br />
Counter32, Integer32<br />
FROM SNMPv2-SMI<br />
DisplayString<br />
FROM SNMPv2-TC<br />
borderware, bwProducts, bwProductId<br />
FROM BORDERWARE-MIB;<br />
bwMailFirewall MODULE-IDENTITY<br />
LAST-UPDATED "200405260000Z"<br />
ORGANIZATION "Borderware Technology Inc."<br />
CONTACT-INFO<br />
"mibs@borderware.com "<br />
DESCRIPTION<br />
"The private Borderware Mail Firewall SNMP extensions."<br />
REVISION "200405260000Z"<br />
DESCRIPTION<br />
"Draft. "<br />
::= { bwProducts 11 }<br />
bwMailFirewall4 OBJECT IDENTIFIER ::= { bwProductId 11 }<br />
bwMailFirewallConformance OBJECT IDENTIFIER ::= { bwMailFirewall 3 }<br />
-- Conformance information --------------------------------------------<br />
bwMailFirewallCompliances OBJECT IDENTIFIER ::= { bwMailFirewallConformance 1 }<br />
bwMailFirewallGroups OBJECT IDENTIFIER ::= { bwMailFirewallConformance 2 }<br />
-- Compliance statements ----------------------------------------------<br />
bwMailFirewallCompliance MODULE-COMPLIANCE<br />
STATUS<br />
current<br />
DESCRIPTION "The compliance statement for SNMP entities which<br />
implement the BORDERWARE-SMG-MIB. "<br />
MODULE<br />
-- this module<br />
MANDATORY-GROUPS { bwMessagesGroup }<br />
::= { bwMailFirewallCompliances 1 }<br />
-- Group declarations --------------------------------------------------<br />
bwMessagesGroup OBJECT-GROUP<br />
OBJECTS {<br />
queuedMessages,<br />
deferredMessages,<br />
totalMessages<br />
}<br />
STATUS<br />
current<br />
DESCRIPTION "A collection of objects providing for remote<br />
monitoring of current condition of mail handler. "<br />
::= { bwMailFirewallGroups 1 }<br />
bwMailStatsGroup OBJECT-GROUP<br />
OBJECTS {<br />
mailInterval,<br />
mailRcvd,<br />
mailSent,<br />
mailSpam,<br />
mailReject,<br />
mailVirus,<br />
mailClean<br />
}<br />
STATUS<br />
current<br />
DESCRIPTION "A collection of objects providing for remote<br />
monitoring of historical condition of mail handler. "<br />
::= { bwMailFirewallGroups 2 }<br />
-- Table definitions -----------------------------------------------------<br />
mailTable OBJECT-GROUP<br />
OBJECTS {<br />
bwMailStatsGroup,<br />
bwMessagesGroup<br />
}<br />
STATUS current<br />
DESCRIPTION<br />
"Complete mail activity summary."<br />
::= { bwMailFirewall 10 }<br />
mailEntry OBJECT-TYPE<br />
SYNTAX SEQUENCE OF MailEntry<br />
MAX-ACCESS not-accessible<br />
STATUS current<br />
DESCRIPTION<br />
"An entry containing mail statistics."<br />
INDEX { mailInterval }<br />
::= { mailTable 1 }<br />
MailEntry ::= SEQUENCE {<br />
mailInterval DisplayString,<br />
mailRcvd Counter32,<br />
mailSent Counter32,<br />
mailSpam Counter32,<br />
mailReject Counter32,<br />
mailVirus Counter32,<br />
mailClean Counter32<br />
}<br />
mailStatus<br />
OBJECT-IDENTITY<br />
STATUS current<br />
DESCRIPTION<br />
"The entry for current stats on MTA"<br />
::= { mailTable 2 }<br />
-- The current data ----------------------------------------------------<br />
queuedMessages OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"The number of queued mail messages."<br />
::= { mailStatus 1 }<br />
deferredMessages OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"The number of deferred mail messages."<br />
::= { mailStatus 2 }<br />
totalMessages OBJECT-TYPE<br />
SYNTAX<br />
Counter32<br />
MAX-ACCESS read-only<br />
STATUS<br />
current<br />
DESCRIPTION<br />
"The total number of mail messages."<br />
::= { mailStatus 3 }<br />
-- The historical data -------------------------------------------------<br />
mailInterval OBJECT-TYPE<br />
SYNTAX DisplayString<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Time interval pertaining to the data in this sequence."<br />
::= { mailEntry 1 }<br />
mailRcvd OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of received messages for this interval."<br />
::= { mailEntry 2 }<br />
mailSent OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of sent messages for this interval."<br />
::= { mailEntry 3 }<br />
mailSpam OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of spam messages for this interval."<br />
::= { mailEntry 4 }<br />
mailReject OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of rejected messages for this interval"<br />
::= { mailEntry 5 }<br />
mailVirus OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of messages identified as containing a<br />
virus for this interval."<br />
::= { mailEntry 6 }<br />
mailClean OBJECT-TYPE<br />
SYNTAX Counter32<br />
MAX-ACCESS read-only<br />
STATUS current<br />
DESCRIPTION<br />
"Number of clean messages for this interval."<br />
::= { mailEntry 7 }<br />
END<br />
MIB OID Values<br />
The following describes the SNMP MIB OID values:<br />
.1.3.6.1.4.1.8673 -><br />
.1.1.100.1.0 = bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0 = INTEGER: 0<br />
.1.1.100.4.0 = bwProducts.bwFirewall.bwAlarm.alLastChange.0 = STRING: 0-1-1,0:0:0.0<br />
.1.1.100.9.0 = bwProducts.bwFirewall.bwAlarm.alName.0 = STRING: None<br />
.1.1.100.10.0 = bwProducts.bwFirewall.bwAlarm.alRemoteIpAddr.0 = IpAddress: 0.0.0.0<br />
.1.1.100.15.0 = bwProducts.bwFirewall.bwAlarm.alDestPort.0 = INTEGER: 0<br />
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 = STRING: Hour<br />
.1.11.10.1.1.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.2 = STRING: Day<br />
.1.11.10.1.1.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.3 = STRING: Week<br />
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 = Counter32: 5<br />
.1.11.10.1.2.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.2 = Counter32: 12<br />
.1.11.10.1.2.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.3 = Counter32: 42<br />
.1.11.10.1.3.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.1 = Counter32: 7<br />
.1.11.10.1.3.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.2 = Counter32: 19<br />
.1.11.10.1.3.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.3 = Counter32: 50<br />
.1.11.10.1.4.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.1 = Counter32: 0<br />
.1.11.10.1.4.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.2 = Counter32: 0<br />
.1.11.10.1.4.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.3 = Counter32: 0<br />
.1.11.10.1.5.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.1 = Counter32: 0<br />
.1.11.10.1.5.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.2 = Counter32: 0<br />
.1.11.10.1.5.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.3 = Counter32: 5<br />
.1.11.10.1.6.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.1 = Counter32: 0<br />
.1.11.10.1.6.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.2 = Counter32: 0<br />
.1.11.10.1.6.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.3 = Counter32: 0<br />
.1.11.10.1.7.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.1 = Counter32: 0<br />
.1.11.10.1.7.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.2 = Counter32: 3<br />
.1.11.10.1.7.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.3 = Counter32: 4<br />
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 0<br />
.1.11.10.2.2 = bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 0<br />
.1.11.10.2.3 = bwProducts.bwMailFirewall.mailTable.mailStatus.totalMessages = Counter32: 0<br />
.4.1.0 = bwSysMemory.memIndex.0 = INTEGER: 0<br />
.4.2.0 = bwSysMemory.memErrorName.0 = STRING: swap<br />
.4.3.0 = bwSysMemory.memTotalSwap.0 = INTEGER: 262016<br />
.4.4.0 = bwSysMemory.memAvailSwap.0 = INTEGER: 260928<br />
.4.5.0 = bwSysMemory.memTotalReal.0 = INTEGER: 104264<br />
.4.6.0 = bwSysMemory.memAvailReal.0 = INTEGER: 46684<br />
.4.11.0 = bwSysMemory.memTotalFree.0 = INTEGER: 46696<br />
.4.12.0 = bwSysMemory.memMinimumSwap.0 = INTEGER: 16000<br />
.4.13.0 = bwSysMemory.memShared.0 = INTEGER: 29000<br />
.4.14.0 = bwSysMemory.memBuffer.0 = INTEGER: 22640<br />
.4.15.0 = bwSysMemory.memCached.0 = INTEGER: 12<br />
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 0<br />
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING:<br />
.9.1.1.1 = dskTable.dskEntry.dskIndex.1 = INTEGER: 1<br />
.9.1.1.2 = dskTable.dskEntry.dskIndex.2 = INTEGER: 2<br />
.9.1.1.3 = dskTable.dskEntry.dskIndex.3 = INTEGER: 3<br />
.9.1.1.4 = dskTable.dskEntry.dskIndex.4 = INTEGER: 4<br />
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail<br />
.9.1.2.2 = dskTable.dskEntry.dskPath.2 = STRING: /server/ftp/log<br />
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var<br />
.9.1.2.4 = dskTable.dskEntry.dskPath.4 = STRING: /backup<br />
.9.1.3.1 = dskTable.dskEntry.dskDevice.1 = STRING: /dev/ad0s2e<br />
.9.1.3.2 = dskTable.dskEntry.dskDevice.2 = STRING: /dev/ad0s2d<br />
.9.1.3.3 = dskTable.dskEntry.dskDevice.3 = STRING: /dev/ad0s2f<br />
.9.1.3.4 = dskTable.dskEntry.dskDevice.4 = STRING: /dev/ad0s2g<br />
.9.1.4.1 = dskTable.dskEntry.dskMinimum.1 = INTEGER: -1<br />
.9.1.4.2 = dskTable.dskEntry.dskMinimum.2 = INTEGER: -1<br />
.9.1.4.3 = dskTable.dskEntry.dskMinimum.3 = INTEGER: -1<br />
.9.1.4.4 = dskTable.dskEntry.dskMinimum.4 = INTEGER: -1<br />
.9.1.5.1 = dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10<br />
.9.1.5.2 = dskTable.dskEntry.dskMinPercent.2 = INTEGER: 10<br />
.9.1.5.3 = dskTable.dskEntry.dskMinPercent.3 = INTEGER: 10<br />
.9.1.5.4 = dskTable.dskEntry.dskMinPercent.4 = INTEGER: 10<br />
.9.1.6.1 = dskTable.dskEntry.dskTotal.1 = INTEGER: 2834414<br />
.9.1.6.2 = dskTable.dskEntry.dskTotal.2 = INTEGER: 2834414<br />
.9.1.6.3 = dskTable.dskEntry.dskTotal.3 = INTEGER: 2834414<br />
.9.1.6.4 = dskTable.dskEntry.dskTotal.4 = INTEGER: 2834414<br />
.9.1.7.1 = dskTable.dskEntry.dskAvail.1 = INTEGER: 2607590<br />
.9.1.7.2 = dskTable.dskEntry.dskAvail.2 = INTEGER: 2576054<br />
.9.1.7.3 = dskTable.dskEntry.dskAvail.3 = INTEGER: 2499830<br />
.9.1.7.4 = dskTable.dskEntry.dskAvail.4 = INTEGER: 2607660<br />
.9.1.8.1 = dskTable.dskEntry.dskUsed.1 = INTEGER: 72<br />
.9.1.8.2 = dskTable.dskEntry.dskUsed.2 = INTEGER: 31608<br />
.9.1.8.3 = dskTable.dskEntry.dskUsed.3 = INTEGER: 107832<br />
.9.1.8.4 = dskTable.dskEntry.dskUsed.4 = INTEGER: 2<br />
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0<br />
.9.1.9.2 = dskTable.dskEntry.dskPercent.2 = INTEGER: 1<br />
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 4<br />
.9.1.9.4 = dskTable.dskEntry.dskPercent.4 = INTEGER: 0<br />
.9.1.100.1 = dskTable.dskEntry.dskErrorFlag.1 = INTEGER: 0<br />
.9.1.100.2 = dskTable.dskEntry.dskErrorFlag.2 = INTEGER: 0<br />
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 0<br />
.9.1.100.4 = dskTable.dskEntry.dskErrorFlag.4 = INTEGER: 0<br />
.9.1.101.1 = dskTable.dskEntry.dskErrorMsg.1 = STRING:<br />
.9.1.101.2 = dskTable.dskEntry.dskErrorMsg.2 = STRING:<br />
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:<br />
.9.1.101.4 = dskTable.dskEntry.dskErrorMsg.4 = STRING:<br />
.11.1.0 = systemStats.ssIndex.0 = INTEGER: 1<br />
.11.2.0 = systemStats.ssErrorName.0 = STRING: systemStats<br />
.11.3.0 = systemStats.ssSwapIn.0 = INTEGER: 0<br />
.11.4.0 = systemStats.ssSwapOut.0 = INTEGER: 0<br />
.11.7.0 = systemStats.ssSysInterrupts.0 = INTEGER: 233<br />
.11.8.0 = systemStats.ssSysContext.0 = INTEGER: 49<br />
.11.9.0 = systemStats.ssCpu<strong>User</strong>.0 = INTEGER: 1<br />
.11.10.0 = systemStats.ssCpuSystem.0 = INTEGER: 7<br />
414
MIB OID Values<br />
.11.11.0 = systemStats.ssCpuIdle.0 = INTEGER: 91<br />
.11.50.0 = systemStats.ssCpuRaw<strong>User</strong>.0 = Counter32: 483<br />
.11.51.0 = systemStats.ssCpuRawNice.0 = Counter32: 0<br />
.11.52.0 = systemStats.ssCpuRawSystem.0 = Counter32: 2859<br />
.11.53.0 = systemStats.ssCpuRawIdle.0 = Counter32: 20860<br />
.11.55.0 = systemStats.ssCpuRawKernel.0 = Counter32: 2752<br />
.11.56.0 = systemStats.ssCpuRawInterrupt.0 = Counter32: 107<br />
.11.59.0 = systemStats.ssRawInterrupts.0 = Counter32: 47574<br />
.11.60.0 = systemStats.ssRawContexts.0 = Counter32: 10795<br />
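The dump above is the raw form an administrator sees when walking the appliance's disk table over SNMP. The following Python is an added example, not code from EdgeWave or the ePrism product: it parses rows in the `<oid suffix> = <name>.<index> = <TYPE>: <value>` format shown in this appendix into a per-disk table and flags any disk whose dskErrorFlag is set or whose dskPercent crosses a threshold. The sample rows, the 90% threshold and the error-message text are constructed for the example and are not values from the page.<br />

```python
"""Parse dskTable rows from an snmpwalk-style dump and flag disks needing attention."""
import re
from collections import defaultdict

# Row format as printed in the appendix:
#   <oid suffix> = <module>.<entry>.<object>.<index> = <TYPE>: <value>
ROW_RE = re.compile(
    r"^\s*(?P<suffix>[\d.]+)\s*=\s*"
    r"(?P<name>[A-Za-z][\w.]*?)\.(?P<index>\d+)\s*=\s*"
    r"(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$"
)

# Constructed sample in the appendix's format (not a capture from a real
# appliance). Disk 3 is deliberately near-full with its error flag set so the
# check has something to report; the message text is invented.
SAMPLE_DUMP = """\
.9.1.6.1 = dskTable.dskEntry.dskTotal.1 = INTEGER: 2834414
.9.1.6.2 = dskTable.dskEntry.dskTotal.2 = INTEGER: 2834414
.9.1.6.3 = dskTable.dskEntry.dskTotal.3 = INTEGER: 2834414
.9.1.7.1 = dskTable.dskEntry.dskAvail.1 = INTEGER: 2607590
.9.1.7.2 = dskTable.dskEntry.dskAvail.2 = INTEGER: 2576054
.9.1.7.3 = dskTable.dskEntry.dskAvail.3 = INTEGER: 120000
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0
.9.1.9.2 = dskTable.dskEntry.dskPercent.2 = INTEGER: 1
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 95
.9.1.100.1 = dskTable.dskEntry.dskErrorFlag.1 = INTEGER: 0
.9.1.100.2 = dskTable.dskEntry.dskErrorFlag.2 = INTEGER: 0
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 1
.9.1.101.1 = dskTable.dskEntry.dskErrorMsg.1 = STRING:
.9.1.101.2 = dskTable.dskEntry.dskErrorMsg.2 = STRING:
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING: example error text (constructed)
"""


def parse_dump(text):
    """Return {index: {object_name: value}} for every row that matches the format.

    INTEGER/Counter32/Gauge32 values become int; STRING values stay str (possibly
    empty, as dskErrorMsg is when no error is pending). Rows that do not match are
    skipped rather than raising, so a partial walk still yields the rows received.
    """
    table = defaultdict(dict)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        obj = m.group("name").rsplit(".", 1)[-1]  # e.g. "dskPercent"
        idx = int(m.group("index"))
        raw = m.group("value").strip()
        if m.group("type") in ("INTEGER", "Counter32", "Gauge32"):
            table[idx][obj] = int(raw)
        else:
            table[idx][obj] = raw
    return dict(table)


def disk_alerts(table, percent_threshold=90):
    """Return a list of (disk index, reason) for disks that need attention.

    The 90% default is an assumed operational threshold, not a product setting.
    """
    alerts = []
    for idx in sorted(table):
        row = table[idx]
        if row.get("dskErrorFlag", 0) != 0:
            msg = row.get("dskErrorMsg") or "(no message)"
            alerts.append((idx, "dskErrorFlag set: " + msg))
        if row.get("dskPercent", 0) >= percent_threshold:
            alerts.append((idx, f"dskPercent {row['dskPercent']} >= {percent_threshold}"))
    return alerts


if __name__ == "__main__":
    for idx, reason in disk_alerts(parse_dump(SAMPLE_DUMP)):
        print(f"disk {idx}: {reason}")
```

Feeding it the output of a real walk (`snmpwalk` against the dskTable branch) instead of the constructed sample is the only change needed; the regex is tolerant of the leading OID suffix being abbreviated, as it is in this appendix, or printed in full.<br />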
APPENDIX G<br />
Third Party Copyrights and<br />
Licenses<br />
Apache<br />
Apache License<br />
Version 2.0, January 2004<br />
http://www.apache.org/licenses/<br />
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION<br />
1. Definitions.<br />
"License" shall mean the terms and conditions for use, reproduction, and<br />
distribution as defined by Sections 1 through 9 of this document.<br />
"Licensor" shall mean the copyright owner or entity authorized by the<br />
copyright owner that is granting the License.<br />
"Legal Entity" shall mean the union of the acting entity and all other<br />
entities that control, are controlled by, or are under common control with<br />
that entity. For the purposes of this definition, "control" means (i) the<br />
power, direct or indirect, to cause the direction or management of such<br />
entity, whether by contract or otherwise, or (ii) ownership of fifty percent<br />
(50%) or more of the outstanding shares, or (iii) beneficial ownership of such<br />
entity.<br />
"You" (or "Your") shall mean an individual or Legal Entity exercising<br />
permissions granted by this License.<br />
"Source" form shall mean the preferred form for making modifications,<br />
including but not limited to software source code, documentation source, and<br />
configuration files.<br />
"Object" form shall mean any form resulting from mechanical transformation or<br />
translation of a Source form, including but not limited to compiled object<br />
code, generated documentation, and conversions to other media types.<br />
"Work" shall mean the work of authorship, whether in Source or Object form,<br />
made available under the License, as indicated by a copyright notice that is<br />
included in or attached to the work (an example is provided in the Appendix<br />
below).<br />
"Derivative Works" shall mean any work, whether in Source or Object form, that<br />
is based on (or derived from) the Work and for which the editorial revisions,<br />
annotations, elaborations, or other modifications represent, as a whole, an<br />
original work of authorship. For the purposes of this License, Derivative Works<br />
shall not include works that remain separable from, or merely link (or bind by<br />
name) to the interfaces of, the Work and Derivative Works thereof.<br />
"Contribution" shall mean any work of authorship, including the original<br />
version of the Work and any modifications or additions to that Work or<br />
Derivative Works thereof, that is intentionally submitted to Licensor for<br />
inclusion in the Work by the copyright owner or by an individual or Legal<br />
Entity authorized to submit on behalf of the copyright owner. For the purposes<br />
of this definition, "submitted" means any form of electronic, verbal, or<br />
written communication sent to the Licensor or its representatives, including<br />
but not limited to communication on electronic mailing lists, source code<br />
control systems, and issue tracking systems that are managed by, or on behalf<br />
of, the Licensor for the purpose of discussing and improving the Work, but<br />
excluding communication that is conspicuously marked or otherwise designated in<br />
writing by the copyright owner as "Not a Contribution."<br />
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf<br />
of whom a Contribution has been received by Licensor and subsequently<br />
incorporated within the Work.<br />
2. Grant of Copyright License. Subject to the terms and conditions of this<br />
License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,<br />
no-charge, royalty-free, irrevocable copyright license to<br />
reproduce, prepare Derivative Works of, publicly display, publicly perform,<br />
sublicense, and distribute the Work and such Derivative Works in Source or<br />
Object form.<br />
3. Grant of Patent License. Subject to the terms and conditions of this<br />
License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,<br />
no-charge, royalty-free, irrevocable (except as stated in this<br />
section) patent license to make, have made, use, offer to sell, sell, import,<br />
and otherwise transfer the Work, where such license applies only to those<br />
patent claims licensable by such Contributor that are necessarily infringed by<br />
their Contribution(s) alone or by combination of their Contribution(s) with the<br />
Work to which such Contribution(s) was submitted. If You institute patent<br />
litigation against any entity (including a cross-claim or counterclaim in a<br />
lawsuit) alleging that the Work or a Contribution incorporated within the Work<br />
constitutes direct or contributory patent infringement, then any patent<br />
licenses granted to You under this License for that Work shall terminate as of<br />
the date such litigation is filed.<br />
4. Redistribution. You may reproduce and distribute copies of the Work or<br />
Derivative Works thereof in any medium, with or without modifications, and in<br />
Source or Object form, provided that You meet the following conditions:<br />
(a) You must give any other recipients of the Work or Derivative Works a copy<br />
of this License; and (b) You must cause any modified files to carry prominent<br />
notices stating that You changed the files; and (c) You must retain, in the<br />
Source form of any Derivative Works that You distribute, all copyright,<br />
patent, trademark, and attribution notices from the Source form of the Work,<br />
excluding those notices that do not pertain to any part of the Derivative<br />
Works; and (d) If the Work includes a "NOTICE" text file as part of its<br />
distribution, then any Derivative Works that You distribute must include a<br />
readable copy of the attribution notices contained within such NOTICE file,<br />
excluding those notices that do not pertain to any part of the Derivative<br />
Works, in at least one of the following places: within a NOTICE text file<br />
distributed as part of the Derivative Works; within the Source form or<br />
documentation, if provided along with the Derivative Works; or, within a<br />
display generated by the Derivative Works, if and wherever such third-party<br />
notices normally appear. The contents of the NOTICE file are for informational<br />
purposes only and do not modify the License. You may add Your own attribution<br />
notices within Derivative Works that You distribute, alongside or as an<br />
addendum to the NOTICE text from the Work, provided that such additional<br />
attribution notices cannot be construed as modifying the License.<br />
You may add Your own copyright statement to Your modifications and may provide<br />
additional or different license terms and conditions for use, reproduction, or<br />
distribution of Your modifications, or for any such Derivative Works as a<br />
whole, provided Your use, reproduction, and distribution of the Work otherwise<br />
complies with the conditions stated in this License.<br />
5. Submission of Contributions. Unless You explicitly state otherwise, any<br />
Contribution intentionally submitted for inclusion in the Work by You to the<br />
Licensor shall be under the terms and conditions of this License, without any<br />
additional terms or conditions.<br />
Notwithstanding the above, nothing herein shall supersede or modify the terms<br />
of any separate license agreement you may have executed with Licensor<br />
regarding such Contributions.<br />
6. Trademarks. This License does not grant permission to use the trade names,<br />
trademarks, service marks, or product names of the Licensor, except as<br />
required for reasonable and customary use in describing the origin of the Work<br />
and reproducing the content of the NOTICE file.<br />
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in<br />
writing, Licensor provides the Work (and each Contributor provides its<br />
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY<br />
KIND, either express or implied, including, without limitation, any warranties<br />
or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A<br />
PARTICULAR PURPOSE. You are solely responsible for determining the<br />
appropriateness of using or redistributing the Work and assume any risks<br />
associated with Your exercise of permissions under this License.<br />
8. Limitation of Liability. In no event and under no legal theory, whether in<br />
tort (including negligence), contract, or otherwise, unless required by<br />
applicable law (such as deliberate and grossly negligent acts) or agreed to in<br />
writing, shall any Contributor be liable to You for damages, including any<br />
direct, indirect, special, incidental, or consequential damages of any<br />
character arising as a result of this License or out of the use or inability to<br />
use the Work (including but not limited to damages for loss of goodwill, work<br />
stoppage, computer failure or malfunction, or any and all other commercial<br />
damages or losses), even if such Contributor has been advised of the<br />
possibility of such damages.<br />
9. Accepting Warranty or Additional Liability. While redistributing the Work or<br />
Derivative Works thereof, You may choose to offer, and charge a fee for,<br />
acceptance of support, warranty, indemnity, or other liability obligations and/<br />
or rights consistent with this License. However, in accepting such obligations,<br />
You may act only on Your own behalf and on Your sole responsibility, not on<br />
behalf of any other Contributor, and only if You agree to indemnify, defend,<br />
and hold each Contributor harmless for any liability incurred by, or claims<br />
asserted against, such Contributor by reason of your accepting any such<br />
warranty or additional liability.<br />
END OF TERMS AND CONDITIONS<br />
Curl, Libcurl<br />
COPYRIGHT AND PERMISSION NOTICE<br />
Copyright (c) 1996 - 2004, Daniel Stenberg, .<br />
All rights reserved.<br />
Permission to use, copy, modify, and distribute this software for any purpose<br />
with or without fee is hereby granted, provided that the above copyright notice<br />
and this permission notice appear in all copies.<br />
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR<br />
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,<br />
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN<br />
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,<br />
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR<br />
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE<br />
OR OTHER DEALINGS IN THE SOFTWARE.<br />
Except as contained in this notice, the name of a copyright holder shall not be<br />
used in advertising or otherwise to promote the sale, use or other dealings in<br />
this Software without prior written authorization of the copyright holder.<br />
Cyrus-SASL<br />
CMU libsasl<br />
Tim Martin<br />
Rob Earhart<br />
Copyright (c) 2000 Carnegie Mellon University. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation and/<br />
or other materials provided with the distribution.<br />
3. The name "Carnegie Mellon University" must not be used to endorse or<br />
promote products derived from this software without prior written permission.<br />
For permission or any other legal details, please contact Office of Technology<br />
Transfer Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213-<br />
3890 (412) 268-4387, fax: (412) 268-7395 tech-transfer@andrew.cmu.edu<br />
4. Redistributions of any form whatsoever must retain the following<br />
acknowledgment: "This product includes software developed by Computing<br />
Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."<br />
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS<br />
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN<br />
NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT<br />
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,<br />
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER<br />
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE<br />
OF THIS SOFTWARE.<br />
DCC<br />
Distributed Checksum Clearinghouse<br />
Copyright (c) 2004 by Rhyolite Software<br />
Permission to use, copy, modify, and distribute this software for any purpose<br />
with or without fee is hereby granted, provided that the above copyright notice<br />
and this permission notice appear in all copies.<br />
THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE DISCLAIMS ALL WARRANTIES<br />
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE BE LIABLE FOR<br />
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES<br />
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF<br />
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION<br />
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.<br />
Copyright (c) 1987, 1993, 1994<br />
The Regents of the University of California. All rights reserved.<br />
File<br />
Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995.<br />
Software written by Ian F. Darwin and others; maintained 1994-1999 Christos<br />
Zoulas.<br />
This software is not subject to any export provision of the United States<br />
Department of Commerce, and may be exported to any country or planet.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice<br />
immediately at the beginning of the file, without modification, this list of<br />
conditions, and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation and/<br />
or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must<br />
display the following acknowledgement:<br />
This product includes software developed by Ian F. Darwin and others.<br />
4. The name of the author may not be used to endorse or promote products<br />
derived from this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY<br />
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY<br />
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON<br />
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
FreeBSD<br />
Copyright 1994-2004 The FreeBSD Project. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or<br />
other materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO<br />
EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<br />
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY<br />
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
The views and conclusions contained in the software and documentation are<br />
those of the authors and should not be interpreted as representing official<br />
policies, either expressed or implied, of the FreeBSD Project.<br />
FreeType<br />
The FreeType Project LICENSE<br />
2000-Feb-08<br />
Copyright 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg<br />
Introduction<br />
============<br />
The FreeType Project is distributed in several archive packages; some of<br />
them may contain, in addition to the FreeType font engine, various tools and<br />
contributions which rely on, or relate to, the FreeType Project.<br />
This license applies to all files found in such packages, and which do not<br />
fall under their own explicit license. The license affects thus the<br />
FreeType font engine, the test programs, documentation and makefiles, at<br />
the very least.<br />
This license was inspired by the BSD, Artistic, and IJG (Independent<br />
JPEG Group) licenses, which all encourage inclusion and use of free<br />
software in commercial and freeware products alike. As a consequence, its<br />
main points are that:<br />
* We don't promise that this software works. However, we will be interested in<br />
any kind of bug reports. (`as is' distribution)<br />
* You can use this software for whatever you want, in parts or full form,<br />
without having to pay us. (`royalty-free' usage)<br />
* You may not pretend that you wrote this software. If you use it, or only<br />
parts of it, in a program, you must acknowledge somewhere in your<br />
documentation that you have used the FreeType code. (`credits')<br />
We specifically permit and encourage the inclusion of this software,<br />
with or without modifications, in commercial products. We disclaim all<br />
warranties covering The FreeType Project and assume no liability related<br />
to The FreeType Project.<br />
Legal Terms<br />
===========<br />
Definitions<br />
--------------<br />
Throughout this license, the terms `package', `FreeType Project', and<br />
`FreeType archive' refer to the set of files originally distributed by<br />
the authors (David Turner, Robert Wilhelm, and Werner Lemberg) as the<br />
`FreeType Project', be they named as alpha, beta or final release.<br />
'You' refers to the licensee, or person using the project, where `using' is a<br />
generic term including compiling the project's source code as well as linking<br />
it to form a `program' or `executable'. This program is referred to as `a<br />
program using the FreeType engine'.<br />
This license applies to all files distributed in the original FreeType<br />
Project, including all source code, binaries and documentation,<br />
unless otherwise stated in the file in its original, unmodified form<br />
as distributed in the original archive.<br />
If you are unsure whether or not a particular file is covered by this<br />
license, you must contact us to verify this.<br />
The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert<br />
Wilhelm, and Werner Lemberg. All rights reserved except as specified below.<br />
1. No Warranty<br />
--------------<br />
THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY KIND,<br />
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL<br />
ANY OF THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY<br />
THE USE OR THE INABILITY TO USE, OF THE FREETYPE PROJECT.<br />
2. Redistribution<br />
-----------------<br />
This license grants a worldwide, royalty-free, perpetual and irrevocable<br />
right and license to use, execute, perform, compile, display, copy,<br />
create derivative works of, distribute and sublicense the FreeType<br />
Project (in both source and object code forms) and derivative works<br />
thereof for any purpose; and to authorize others to exercise some or all<br />
of the rights granted herein, subject to the following conditions:<br />
* Redistribution of source code must retain this license file<br />
(`LICENSE.TXT') unaltered; any additions, deletions or changes to the<br />
original files must be clearly indicated in accompanying<br />
documentation. The copyright notices of the unaltered, original<br />
files must be preserved in all copies of source files.<br />
* Redistribution in binary form must provide a disclaimer that states that<br />
the software is based in part of the work of the FreeType Team, in the<br />
distribution documentation. We also encourage you to put an URL to the<br />
FreeType web page in your documentation, though this isn't mandatory.<br />
These conditions apply to any software derived from or based on the FreeType<br />
Project, not just the unmodified files. If you use our work, you must<br />
acknowledge us. However, no fee need be paid to us.<br />
3. Advertising<br />
--------------<br />
Neither the FreeType authors and contributors nor you shall use the name of<br />
the other for commercial, advertising, or promotional purposes without<br />
specific prior written permission.<br />
We suggest, but do not require, that you use one or more of the following<br />
phrases to refer to this software in your documentation or advertising<br />
materials: `FreeType Project', `FreeType Engine', `FreeType library', or<br />
`FreeType Distribution'.<br />
As you have not signed this license, you are not required to accept it.<br />
However, as the FreeType Project is copyrighted material, only this<br />
license, or another one contracted with the authors, grants you the right<br />
to use, distribute, and modify it. Therefore, by using, distributing, or<br />
modifying the FreeType Project, you indicate that you understand and accept<br />
all the terms of this license.<br />
4. Contacts<br />
-----------<br />
There are two mailing lists related to FreeType:<br />
* freetype@freetype.org<br />
Discusses general use and applications of FreeType, as well as future and<br />
wanted additions to the library and distribution. If you are looking for<br />
support, start in this list if you haven't found anything to help you in the<br />
documentation.<br />
* devel@freetype.org<br />
Discusses bugs, as well as engine internals, design issues, specific<br />
licenses, porting, etc.<br />
* http://www.freetype.org<br />
Holds the current FreeType web page, which will allow you to download our<br />
latest development version and read online documentation.<br />
You can also contact us individually at:<br />
David Turner<br />
Robert Wilhelm<br />
Werner Lemberg<br />
GD Graphics Library<br />
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003,<br />
2004 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the<br />
National Institutes of Health.<br />
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 by<br />
Boutell.Com, Inc.<br />
Portions relating to GD2 format copyright 1999, 2000, 2001, 2002, 2003, 2004<br />
Philip Warner.<br />
Portions relating to PNG copyright 1999, 2000, 2001, 2002, 2003, 2004 Greg<br />
Roelofs.<br />
Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002, 2003, 2004 John<br />
Ellson (ellson@graphviz.org).<br />
Portions relating to gdft.c copyright 2001, 2002, 2003, 2004 John Ellson<br />
(ellson@graphviz.org).<br />
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002,<br />
2003, 2004, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999,<br />
2000, 2001, 2002, 2003, 2004 Thomas G. Lane. This software is based in part on<br />
the work of the Independent JPEG Group. See the file README-JPEG.TXT for more<br />
information.<br />
Portions relating to GIF compression copyright 1989 by Jef Poskanzer and David<br />
Rowley, with modifications for thread safety by Thomas Boutell.<br />
Portions relating to GIF decompression copyright 1990, 1991, 1993 by David<br />
Koblas, with modifications for thread safety by Thomas Boutell.<br />
Portions relating to WBMP copyright 2000, 2001, 2002, 2003, 2004 Maurice<br />
Szmurlo and Johan Van den Brande.<br />
Portions relating to GIF animations copyright 2004 Jaakko Hyvätti<br />
(jaakko.hyvatti@iki.fi)<br />
Permission has been granted to copy, distribute and modify gd in any context<br />
without fee, including a commercial application, provided that this notice is<br />
present in user-accessible supporting documentation.<br />
This does not affect your ownership of the derived work itself, and the intent<br />
is to assure proper credit for the authors of gd, not to interfere with your<br />
productive use of gd. If you have questions, ask. "Derived works" includes all<br />
programs that utilize the library. Credit must be given in user-accessible<br />
documentation.<br />
This software is provided "AS IS." The copyright holders disclaim all<br />
warranties, either express or implied, including but not limited to implied<br />
warranties of merchantability and fitness for a particular purpose, with<br />
respect to this code and accompanying documentation.<br />
Although their code does not appear in the current release, the authors also<br />
wish to thank Hutchison Avenue Software Corporation for their prior<br />
contributions.<br />
Info-ZIP<br />
Copyright (c) 1990-2003 Info-ZIP. All rights reserved.<br />
For the purposes of this copyright and license, "Info-ZIP" is defined as the<br />
following set of individuals:<br />
Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup<br />
Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, Greg<br />
Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny<br />
Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi,<br />
Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury,<br />
Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich Wales,<br />
Mike White<br />
This software is provided "as is," without warranty of any kind, express or<br />
implied. In no event shall Info-ZIP or its contributors be held liable for<br />
any direct, indirect, incidental, special or consequential damages arising out<br />
of the use of or inability to use this software.<br />
Permission is granted to anyone to use this software for any purpose,<br />
including commercial applications, and to alter it and redistribute it freely,<br />
subject to the following restrictions:<br />
1. Redistributions of source code must retain the above copyright notice,<br />
definition, disclaimer, and this list of conditions.<br />
2. Redistributions in binary form (compiled executables) must reproduce<br />
the above copyright notice, definition, disclaimer, and this list of<br />
conditions in documentation and/or other materials provided with the<br />
distribution. The sole exception to this condition is redistribution of a<br />
standard UnZipSFX binary (including SFXWiz) as part of a self-extracting<br />
archive; that is permitted without inclusion of this license, as long as the<br />
normal SFX banner has not been removed from the binary or disabled.<br />
3. Altered versions--including, but not limited to, ports to new operating<br />
systems, existing ports with new graphical interfaces, and dynamic, shared, or<br />
static library versions--must be plainly marked as such and must not be<br />
misrepresented as being the original source. Such altered versions also must<br />
not be misrepresented as being Info-ZIP releases--including, but not limited<br />
to, labeling of the altered versions with the names "Info-ZIP" (or any<br />
variation thereof, including, but not limited to, different capitalizations),<br />
"Pocket UnZip," "WiZ" or "MacZip" without the explicit permission of Info-ZIP.<br />
Such altered versions are further prohibited from misrepresentative use of the<br />
Zip-Bugs or Info-ZIP email addresses or of the Info-ZIP URL(s).<br />
4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip,"<br />
"UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own<br />
source and binary releases.<br />
JPEG<br />
The authors make NO WARRANTY or representation, either express or implied, with<br />
respect to this software, its quality, accuracy, merchantability, or fitness<br />
for a particular purpose. This software is provided "AS IS", and you, its<br />
user, assume the entire risk as to its quality and accuracy.<br />
This software is copyright (C) 1991-1998, Thomas G. Lane.<br />
All Rights Reserved except as specified below.<br />
Permission is hereby granted to use, copy, modify, and distribute this software<br />
(or portions thereof) for any purpose, without fee, subject to these<br />
conditions:<br />
(1) If any part of the source code for this software is distributed, then this<br />
README file must be included, with this copyright and no-warranty notice<br />
unaltered; and any additions, deletions, or changes to the original files must<br />
be clearly indicated in accompanying documentation.<br />
(2) If only executable code is distributed, then the accompanying documentation<br />
must state that "this software is based in part on the work of the Independent<br />
JPEG Group".<br />
(3) Permission for use of this software is granted only if the user accepts<br />
full responsibility for any undesirable consequences; the authors accept NO<br />
LIABILITY for damages of any kind.<br />
These conditions apply to any software derived from or based on the IJG code,<br />
not just to the unmodified library. If you use our work, you ought to<br />
acknowledge us.<br />
Permission is NOT granted for the use of any IJG author's name or company name<br />
in advertising or publicity relating to this software or products derived from<br />
it. This software may be referred to only as "the Independent JPEG Group's<br />
software".<br />
We specifically permit and encourage the use of this software as the basis of<br />
commercial products, provided that all warranty or liability claims are<br />
assumed by the product vendor.<br />
Libspf<br />
The libspf Software License, Version 1.0<br />
Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice,<br />
this list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation<br />
and/or other materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.<br />
IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
ModSSL<br />
Copyright (c) 1998-2004 Ralf S. Engelschall. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation and/<br />
or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must<br />
display the following acknowledgment: "This product includes software<br />
developed by Ralf S. Engelschall for use in the mod_ssl<br />
project (http://www.modssl.org/)."<br />
Third Party Copyrights and Licenses<br />
4. The names "mod_ssl" must not be used to endorse or promote products derived<br />
from this software without prior written permission. For written permission,<br />
please contact rse@engelschall.com.<br />
5. Products derived from this software may not be called "mod_ssl" nor may<br />
"mod_ssl" appear in their names without prior written permission of Ralf S.<br />
Engelschall.<br />
6. Redistributions of any form whatsoever must retain the following<br />
acknowledgment:<br />
"This product includes software developed by Ralf S. Engelschall<br />
for use in the mod_ssl project (http://www.modssl.org/)."<br />
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO<br />
EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<br />
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE<br />
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
Mpack<br />
(C) Copyright 1993,1994 by Carnegie Mellon University<br />
All Rights Reserved.<br />
Permission to use, copy, modify, distribute, and sell this software and its<br />
documentation for any purpose is hereby granted without fee, provided that the<br />
above copyright notice appear in all copies and that both that copyright notice<br />
and this permission notice appear in supporting documentation, and that the<br />
name of Carnegie Mellon University not be used in advertising or publicity<br />
pertaining to distribution of the software without specific, written prior<br />
permission. Carnegie Mellon University makes no representations about the<br />
suitability of this software for any purpose. It is provided "as is" without<br />
express or implied warranty.<br />
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS<br />
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN<br />
NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT<br />
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,<br />
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS<br />
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS<br />
SOFTWARE.<br />
Portions of this software are derived from code written by Bell Communications<br />
Research, Inc. (Bellcore) and by RSA Data <strong>Security</strong>, Inc. and bear similar<br />
copyrights and disclaimers of warranty.<br />
NTP<br />
Copyright (c) David L. Mills 1992-2004<br />
Permission to use, copy, modify, and distribute this software and its<br />
documentation for any purpose and without fee is hereby granted, provided that<br />
the above copyright notice appears in all copies and that both the copyright<br />
notice and this permission notice appear in supporting documentation, and that<br />
the name University of Delaware not be used in advertising or publicity<br />
pertaining to distribution of the software without specific, written prior<br />
permission. The University of Delaware makes no representations about the<br />
suitability of this software for any purpose. It is provided "as is" without<br />
express or implied warranty.<br />
OpenLDAP<br />
The OpenLDAP Public License<br />
Version 2.8, 17 August 2003<br />
Redistribution and use of this software and associated documentation<br />
("Software"), with or without modification, are permitted provided that the<br />
following conditions are met:<br />
1. Redistributions in source form must retain copyright statements and<br />
notices,<br />
2. Redistributions in binary form must reproduce applicable copyright<br />
statements and notices, this list of conditions, and the following disclaimer<br />
in the documentation and/or other materials provided with the distribution,<br />
and<br />
3. Redistributions must contain a verbatim copy of this document.<br />
The OpenLDAP Foundation may revise this license from time to time. Each<br />
revision is distinguished by a version number. You may use this Software<br />
under terms of this license revision or under the terms of any subsequent<br />
revision of the license.<br />
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS<br />
IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,<br />
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE<br />
ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS,<br />
OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<br />
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY<br />
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
The names of the authors and copyright holders must not be used in advertising<br />
or otherwise to promote the sale, use or other dealing in this Software<br />
without specific, written prior permission. Title to copyright in this<br />
Software shall at all times remain with copyright holders.<br />
OpenLDAP is a registered trademark of the OpenLDAP Foundation.<br />
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA.<br />
All Rights Reserved. Permission to copy and distribute verbatim copies of this<br />
document is granted.<br />
OpenSSH<br />
The licences which components of this software fall under are as follows.<br />
First, we will summarize and say that all components are under a BSD licence,<br />
or a licence more free than that.<br />
OpenSSH contains no GPL code.<br />
1) Copyright (c) 1995 Tatu Ylonen , Espoo, Finland All rights reserved<br />
As far as I am concerned, the code I have written for this software can be used<br />
freely for any purpose. Any derived versions of this software must be clearly<br />
marked as such, and if the derived work is incompatible with the protocol<br />
description in the RFC file, it must be called by a name other than "ssh" or<br />
"Secure Shell".<br />
However, I am not implying to give any licenses to any patents or copyrights<br />
held by third parties, and the software includes parts that are not under my<br />
direct control. As far as I know, all included source code is used in<br />
accordance with the relevant license agreements and can be used freely for any<br />
purpose (the GNU license being the most restrictive); see below for details.<br />
Note that any information and cryptographic algorithms used in this software<br />
are publicly available on the Internet and at any major bookstore, scientific<br />
library, and patent office worldwide. More information can be found e.g. at<br />
"http://www.cs.hut.fi/crypto".<br />
The legal status of this program is some combination of all these permissions<br />
and restrictions. Use only at your own responsibility. You will be responsible<br />
for any legal consequences yourself; I am not making any claims whether<br />
possessing or using this is legal or not in your country, and I am not taking<br />
any responsibility on your behalf.<br />
NO WARRANTY<br />
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY<br />
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN<br />
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE<br />
THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND<br />
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND<br />
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU<br />
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.<br />
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY<br />
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE<br />
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY<br />
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE<br />
OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR<br />
DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR<br />
A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH<br />
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
2) The 32-bit CRC compensation attack detector in deattack.c was<br />
contributed by CORE SDI S.A. under a BSD-style license.<br />
Cryptographic attack detector for ssh - source code<br />
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights<br />
reserved. Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that this copyright notice is retained.<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE<br />
DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING<br />
FROM THE USE OR MISUSE OF THIS SOFTWARE.<br />
Ariel Futoransky <br />
3) ssh-keyscan was contributed by David Mazieres under a BSD-style license.<br />
Copyright 1995, 1996 by David Mazieres .<br />
Modification and redistribution in source and binary forms is permitted<br />
provided that due credit is given to the author and the OpenBSD project by<br />
leaving this copyright notice intact.<br />
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo<br />
Barreto is in the public domain and distributed with the following license:<br />
@version 3.0 (December 2000)<br />
Optimised ANSI C code for the Rijndael cipher (now AES)<br />
@author Vincent Rijmen <br />
@author Antoon Bosselaers <br />
@author Paulo Barreto <br />
This code is hereby placed in the public domain.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO<br />
EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT<br />
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
5) One component of the ssh source code is under a 3-clause BSD license, held<br />
by the University of California, since we pulled these parts from original<br />
Berkeley code.<br />
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of<br />
California. All rights reserved. Redistribution and use in source and binary<br />
forms, with or without modification, are permitted provided that the following<br />
conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice,<br />
this list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation<br />
and/or other materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may<br />
be used to endorse or promote products derived from this software without<br />
specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY<br />
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY<br />
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON<br />
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
6) Remaining components of the software are provided under a standard 2-term<br />
BSD licence with the following names as copyright holders:<br />
Markus Friedl<br />
Theo de Raadt<br />
Niels Provos<br />
Dug Song<br />
Aaron Campbell<br />
Damien Miller<br />
Kevin Steves<br />
Daniel Kouril<br />
Wesley Griffin<br />
Per Allansson<br />
Nils Nordman<br />
Simon Wilkinson<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation and/<br />
or other materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO<br />
EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,<br />
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR<br />
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER<br />
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
OpenSSL<br />
Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice,<br />
this list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright<br />
notice, this list of conditions and the following disclaimer in the<br />
documentation and/or other materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must<br />
display the following acknowledgment:<br />
"This product includes software developed by the OpenSSL Project for use in<br />
the OpenSSL Toolkit. (http://www.openssl.org/)"<br />
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to<br />
endorse or promote products derived from this software without prior written<br />
permission. For written permission, please contact openssl-core@openssl.org.<br />
5. Products derived from this software may not be called "OpenSSL" nor may<br />
"OpenSSL" appear in their names without prior written permission of the<br />
OpenSSL Project.<br />
6. Redistributions of any form whatsoever must retain the following<br />
acknowledgment:<br />
"This product includes software developed by the OpenSSL Project for use in<br />
the OpenSSL Toolkit (http://www.openssl.org/)"<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED<br />
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES<br />
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO<br />
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,<br />
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<br />
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br />
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY<br />
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes<br />
cryptographic software written by Eric Young (eay@cryptsoft.com). This product<br />
includes software written by Tim Hudson (tjh@cryptsoft.com).<br />
PAM<br />
Redistribution and use in source and binary forms of Linux-PAM, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain any existing copyright notice,<br />
and this entire permission notice in its entirety, including the disclaimer of<br />
warranties.<br />
2. Redistributions in binary form must reproduce all prior and current<br />
copyright notices, this list of conditions, and the following disclaimer in the<br />
documentation and/or other materials provided with the distribution.<br />
3. The name of any author may not be used to endorse or promote products<br />
derived from this software without their specific prior written permission.<br />
ALTERNATIVELY, this product may be distributed under the terms of the GNU<br />
General Public License, in which case the provisions of the GNU GPL are<br />
required INSTEAD OF the above restrictions. (This clause is necessary due to a<br />
potential conflict between the GNU GPL and the restrictions contained in a BSD-style<br />
copyright.)<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND<br />
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE<br />
AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,<br />
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING<br />
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY<br />
OF SUCH DAMAGE.<br />
PHP<br />
The PHP License, version 3.0<br />
Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, is permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation and/<br />
or other materials provided with the distribution.<br />
3. The name "PHP" must not be used to endorse or promote products derived from<br />
this software without prior written permission. For written permission, please<br />
contact group@php.net.<br />
4. Products derived from this software may not be called "PHP", nor may "PHP"<br />
appear in their name, without prior written permission from group@php.net.<br />
You may indicate that your software works in conjunction with PHP by saying<br />
"Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"<br />
5. The PHP Group may publish revised and/or new versions of the license from<br />
time to time. Each version will be given a distinguishing version number. Once<br />
covered code has been published under a particular version of the license, you<br />
may always continue to use it under the terms of that version. You may also<br />
choose to use such covered code under the terms of any subsequent version of<br />
the license published by the PHP Group. No one other than the PHP Group has the<br />
right to modify the terms applicable to covered code created under this<br />
License.<br />
6. Redistributions of any form whatsoever must retain the following<br />
acknowledgment:<br />
"This product includes PHP, freely available from ".<br />
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY<br />
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS<br />
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
PostgreSQL<br />
Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group<br />
Portions Copyright (c) 1994, The Regents of the University of California<br />
Permission to use, copy, modify, and distribute this software and its<br />
documentation for any purpose, without fee, and without a written agreement is<br />
hereby granted, provided that the above copyright notice and this paragraph and<br />
the following two paragraphs appear in all copies.<br />
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR<br />
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING<br />
LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,<br />
EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF<br />
SUCH DAMAGE.<br />
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,<br />
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND<br />
THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE,<br />
SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.<br />
A<br />
Access Control via Mail Mappings 56<br />
Action String 352<br />
Active Directory 18<br />
Activity screen 330, 345<br />
Add Authentication Header 171<br />
Adding a Spam Dictionary 143<br />
Admin Login 40<br />
Admin <strong>User</strong> 32<br />
Advanced SMTP Settings 51<br />
Alarms 340<br />
Alarms List 342<br />
Analysis Code Descriptions 347<br />
Annotations 50<br />
Anti-Spam Header 137<br />
Anti-Virus 82<br />
Archiving 19, 125<br />
Mail Routes 127<br />
Attachment Content Scanning 102, 106<br />
Attachment Control 23, 102, 103<br />
Attachment Types 103<br />
Authentication 17<br />
Authentication log 332<br />
Automatic License Activation 308<br />
B<br />
Backup<br />
Errors 320<br />
FTP 316<br />
Local Disk 315<br />
Naming Conventions 318<br />
BCC (Blind Carbon Copy) 49<br />
Blocked Senders List 16, 181<br />
BSN (BorderWare <strong>Security</strong> Network) 132, 148<br />
BSN Whitelisting 149<br />
Check Relays 150<br />
Exclude Relay 150<br />
Reject Message 152<br />
Reject on BSN Reputation 151<br />
Reject on Infection 151<br />
Statistics Sharing 148<br />
Bulk Analysis 16, 132, 158<br />
Servers 160<br />
C<br />
Cached server passwords 214<br />
Canonicalization 173<br />
Centralized Management 321<br />
Console 324<br />
Copy Configuration 325<br />
Certificate 97<br />
Certificate Authority (CA) 98<br />
Chinese character set 164<br />
Cisco blocking 261<br />
Clustering 41, 266<br />
Activity 275, 331<br />
Adding Cluster Members 271<br />
Administration 274<br />
Backup and Restore 276<br />
Configuration 268<br />
Console 266<br />
Interface 41<br />
Network Configuration 268<br />
Reporting 275<br />
Troubleshooting Cluster Initialization 273<br />
Compliancy 108, 123<br />
Configuration Information 304<br />
Configuring Spam Controls 136<br />
Connection Rules 245<br />
Content Reject Message 51<br />
Content Scanning 102, 106<br />
Copy Configuration 325<br />
CRYPTOCard 17, 32, 200<br />
Current Admin and WebMail <strong>User</strong>s 304<br />
Customization 36<br />
Customizing Notification and Annotation Messages 371<br />
D<br />
Daily Backup 317<br />
Default Connection Rules 241<br />
Default Logo 36<br />
Default Mail Relay 49<br />
Default policy 223<br />
Default Spam Words 143<br />
Delete Strong Authentication for Admin 364<br />
Delivery Settings 48<br />
Delivery Warning 50<br />
Diagnostics 303<br />
Dictionaries 123<br />
Dictionary Spam Count 168<br />
Directory Authentication 202<br />
Directory Groups 63<br />
Directory Servers 61<br />
Directory Services 61<br />
Directory <strong>User</strong>s 63<br />
Disabling Group Policy 230<br />
Disabling Reporting 300<br />
Disk Space Quota 197<br />
DMZ (Demilitarized Zone) 20<br />
DNS 39<br />
Favor Fastest 39<br />
Strict Ordering 39<br />
DNS Block List (DNSBL) 15, 132, 153<br />
Check Relays 153<br />
Domains 155<br />
Exclude Relays 154<br />
Reject Threshold 154<br />
Rejects 154<br />
Domain policies 224<br />
DomainKeys 16, 133, 171<br />
Add Authentication Header 171<br />
Canonicalization 173<br />
DNS Record 175<br />
Granularity 175<br />
Log Messages 172<br />
Outbound message signing 173<br />
Selector 174<br />
Selector List 174<br />
Temporary DNS Error 171<br />
Testing 172, 175<br />
Dynamic Lists 253<br />
E<br />
Enable NULL Character Detect 121<br />
Enable Sending and Receiving 303<br />
Encryption 94<br />
Envelope sender doesn’t match From header 147<br />
<strong>ePrism</strong> Mail Client 216<br />
Escalation Mail 341<br />
ESMTP (Extended SMTP) 51<br />
External message encryption 90<br />
F<br />
F5 Blocking 256<br />
F5 Cluster Configuration 278<br />
Factory Default Settings 367<br />
Flush Mail Queue 303, 355<br />
G<br />
Gateway 38<br />
Group policies 226<br />
Group Policy<br />
Disabling 230<br />
Orphaned Groups 230<br />
H<br />
HALO (High Availability and Load Optimization) 17, 266<br />
Health Check service 327<br />
HELO 51, 113, 115, 141<br />
HELO/EHLO doesn’t match client 147<br />
Hostname Lookup 303, 355<br />
I<br />
Image Spam Analysis 165<br />
IMAP 17, 196<br />
Inbound Attachment Control 102<br />
Intercept 15, 132<br />
Advanced Features 177<br />
Component Weights 179<br />
Decision Strategy 178<br />
Internationalization 19<br />
Invalid HELO/EHLO hostname 147<br />
iPlanet 18<br />
J<br />
Japanese character set 164<br />
K<br />
KeepOpen 46<br />
Kernel Log 332<br />
Korean character set 164<br />
L<br />
Large MTU 39<br />
LDAP (Lightweight Directory Access Protocol) 18, 60<br />
LDAP Aliases 54, 65, 67<br />
LDAP Recipients 71, 139<br />
LDAP Routing 76<br />
LDAP SMTP Authenticated relay 73<br />
LDAP SMTP Authentication 81<br />
LDAP <strong>User</strong>s 139<br />
LDAP Virtual Mappings 58, 69<br />
License Management 308<br />
Load Balancing 18<br />
Using DNS 267<br />
Local Accounts 197<br />
Log Files 332, 346<br />
Log TLS info into Received header 95<br />
Login page title 36<br />
M<br />
Mail Access 80<br />
Mail Aliases 25, 53<br />
Mail Anomalies 15, 132, 146<br />
Mail History 294, 360<br />
Mail Mappings 24, 55<br />
Mail Queue Management 305<br />
Mail Routing 25, 46<br />
Mail Transport log 347<br />
MAILER-DAEMON 48<br />
Malformed messages 15, 102, 121<br />
Manual License Activation 309<br />
Masquerade Addresses 49<br />
Maximum mailbox size 198<br />
Maximum message size 23, 80<br />
Maximum Number of Mail Scanners 379<br />
Maximum Number of Parallel Deliveries 378<br />
Maximum Number of Processes 378<br />
Maximum number of recipients 23<br />
Maximum original message text in bounces 48<br />
Maximum recipients per message 80<br />
Maximum recipients reject code 80<br />
Maximum time in mail queue 48<br />
Maximum time in queue for bounces 48<br />
Maximum Unknown Recipients 81<br />
Maximum Unknown recipients per message 81<br />
Maximum Unknown recipients reject code 81<br />
Message Body 113<br />
Message Disposition 295, 361<br />
Message Envelope 113<br />
Message Processing Order 369<br />
440
Messages Log 332<br />
MIB (Management Information Base) 337, 339<br />
OID Values 411<br />
MIME (Multipurpose Internet Mail Extensions) 14<br />
Mirror Accounts 65, 199<br />
Missing client reverse DNS 146<br />
Missing From header 147<br />
Missing sender MX 146<br />
Missing To header 147<br />
MTU 39<br />
Multiple Recipient Reject Mode 52<br />
N<br />
Network Interfaces 39<br />
Network Settings 38<br />
Neutral Words 163<br />
NTP (Network Time Protocol) 39<br />
Number of Database Proxies 380<br />
Number of Heavy Weight Processes 379<br />
O<br />
OCF (Objectionable Content Filter) 23, 102, 110<br />
OpenLDAP 18<br />
Optional Product Licenses 310<br />
Outbound Attachment Control 102<br />
P<br />
Pattern Based Message Filtering (PBMF) 15, 80, 102, 108, 132, 141<br />
Action 119<br />
BCC Action 119<br />
Preferences 119<br />
Priority 118<br />
Performance Tuning 375<br />
Personal Quarantine Controls 213<br />
Ping 303, 358, 364<br />
Policy 18, 220<br />
Diagnostics 234<br />
hierarchy 220<br />
Verbose Logging 233<br />
POP3 17, 196<br />
Problem Reporting 326<br />
Q<br />
Quarantine expiry options 307<br />
Quarantine Management 306<br />
Queue replication 18, 279<br />
Interface 281<br />
R<br />
RADIUS 204<br />
Raise Priority of Heavy Weight Processes 379<br />
Raw Mail Body 116<br />
Reboot 313, 364<br />
Received Header 52<br />
Reject Connection From Dial-ups 151<br />
Reject on BSN 22<br />
Reject on BSN Reputation 151<br />
Reject on DNSBL 22, 154<br />
Reject on expired license 22<br />
Reject on Infection 151<br />
Reject on missing addresses 23, 177<br />
Reject on missing reverse DNS 23, 177<br />
Reject on missing sender MX 23, 177<br />
Reject on non FQDN sender 23, 177<br />
Reject on Threat Prevention 22<br />
Reject on unauth pipelining 22, 177<br />
Reject on unknown recipient 23, 139<br />
Reject on unknown sender domain 23, 177<br />
Relaying mail 47<br />
Relocated Users 24, 205<br />
Remote Authentication 202<br />
Re-Ordering Groups 228<br />
Replication Client 281<br />
Replication Host 281<br />
Reporting SQL Log 332<br />
Reports 284<br />
Automatic Report Generation 288<br />
Configuration 299<br />
Disabling 300<br />
Fields 289<br />
Filters 293<br />
Generating 285<br />
Viewing 285<br />
Require TLS for SMTP AUTH 95<br />
Reset Network Interface 364<br />
Reset SSL Certificates 364<br />
Respond to Ping 40<br />
Restore<br />
Errors 320<br />
FTP 319<br />
Local Disk 318<br />
Restoring a Cluster Member 276<br />
Restoring from Backup 318<br />
Restoring the Cluster Console 276<br />
RFC 1323 40<br />
RFC 1644 40<br />
Rollout and Offload 335<br />
S<br />
SafeWord 17, 32, 200<br />
Searching Log Files 333<br />
Secure WebMail 16, 212<br />
SecurID 17, 32, 201<br />
Security Connection 19, 312, 364<br />
Selector List 174<br />
Send EHLO 52<br />
Sender Policy Framework (SPF) 16, 133, 169<br />
SPF Records 169<br />
Serial Console 365<br />
Service Throttle Time 381<br />
Show Recipients 331<br />
441
Shutdown 313, 364<br />
Size of Shared Memory block 381<br />
Size of Temporary Files Filesystem 381<br />
SMTP 17<br />
SMTP Authenticated Relay 81<br />
SMTP Banner 81<br />
SMTP Connect Timeout 380<br />
SMTP HELO Timeout 380<br />
SMTP Notification 52<br />
SMTP Pipelining 51<br />
SMTP Probe 303, 357<br />
SMTP Security 94<br />
SMTP Tarpit Time 381<br />
SMTPD Minimum Receive Rate 381<br />
SMTPD Receive Rate Interval 381<br />
SMTPD Timeout 380<br />
SNMP (Simple Network Management Protocol) 19, 40, 337<br />
Community string 338<br />
MIBS 383<br />
Permitted Clients 338<br />
Trap Hosts 339<br />
Software Updates 311<br />
Spam Dictionaries 15, 132, 142<br />
Spam Quarantine 16, 133, 187, 277<br />
in a Cluster 192<br />
Spam Summary Message 189<br />
Specific Access Patterns (SAP) 15, 22, 80, 132, 140<br />
SSL (Secure Socket Layer) 94<br />
SSL Certificates 97<br />
Static Lists 251<br />
Static Routes 45<br />
Status & Utility 302<br />
Stop and Start Mail Services 303<br />
Strip incoming DK headers 171<br />
Strip Received Headers 49<br />
Strong Authentication 32, 197, 200<br />
Support Access 41<br />
Supported web browsers 28<br />
SURBL (Spam URI Realtime Block Lists) 16<br />
Syslog 334<br />
Syslog Host 38<br />
System Console 31, 363<br />
System event types 296<br />
System History 296<br />
System Logs 332, 346<br />
Advanced Search 333<br />
System Status 302<br />
T<br />
TCP extensions 40<br />
Temporary DNS Error 171<br />
Threat Outbreak Control 85<br />
Threat Prevention 16, 238<br />
Cisco blocking 261<br />
Creating Connection Rules 245<br />
Default Connection Rules 241<br />
Dynamic Lists 253<br />
F5 Blocking 256<br />
Static Lists 251<br />
Status 264<br />
Tiered Administration 33, 209<br />
Time before delay warning 48<br />
Time to retain undeliverable notice mail 48<br />
TLS (Transport Layer Security) 17, 94<br />
Reporting 96<br />
Token Analysis 16, 132, 161<br />
Advanced Options 163<br />
Delete Training 163<br />
Token 117<br />
Training 166<br />
Troubleshooting 168<br />
Traceroute 303, 359, 364<br />
Troubleshooting Content Issues 360<br />
Troubleshooting Mail Delivery 344<br />
Troubleshooting Tools 345<br />
Trusted and Untrusted Mail 134<br />
Trusted Senders List 16, 133, 181, 213, 277<br />
Trusted Subnet 40, 134<br />
U<br />
Unauthorized pipelining 147<br />
Unknown HELO/EHLO domain 147<br />
Unknown sender domain 147<br />
UPS 364<br />
URL Block List 16, 132, 156<br />
User policy 231<br />
V<br />
Vacation Notification 206<br />
Very Malformed Mail 50<br />
Virtual Interfaces 42<br />
Virtual Mappings 24, 57<br />
Virus pattern files 84<br />
W<br />
Web Server Options 35<br />
X<br />
X-STA Header 165<br />
442