ePrism Email Security Appliance User Guide - EdgeWave

ePrism Email Security Appliance
User Guide
Software Version: 6.5.2
Last Revision: 5/25/07

Preface 7
CHAPTER 1 ePrism Overview 11
What’s New in ePrism 6.5 12
ePrism Overview 14
ePrism Deployment 20
How Messages are Processed by ePrism 22
CHAPTER 2 Administering ePrism 27
Connecting to ePrism 28
Configuring the Admin User 32
Web Server Options 35
Customizing the ePrism Interface 36
CHAPTER 3 Configuring Mail Delivery Settings 37
Network Settings 38
Virtual Interfaces 42
Static Routes 45
Mail Routing 46
Mail Delivery Settings 48
Mail Aliases 53
Mail Mappings 55
Virtual Mappings 57
CHAPTER 4 Directory Services 59
Directory Service Overview 60
Directory Servers 61
Directory Users and Groups 63
LDAP Aliases 67
LDAP Mappings 69
LDAP Recipients 71
LDAP Relay 73
LDAP Routing 76
CHAPTER 5 Mail Security and Encryption 79
SMTP Mail Access 80
Anti-Virus 82
Threat Outbreak Control 85
External Email Message Encryption 90
Encrypting Mail Delivery Sessions 94
SSL Certificates 97
3

CHAPTER 6 Message Content Scanning 101
Content Scanning Overview 102
Attachment Control 103
Attachment Content Scanning 106
Objectionable Content Filter 110
Pattern Based Message Filtering (PBMF) 112
Malformed Mail 121
Dictionaries 123
Message Archiving 125
CHAPTER 7 Intercept Anti-Spam 131
Intercept Anti-Spam Feature Overview 132
Trusted and Untrusted Mail Sources 134
Configuring Intercept Anti-Spam 136
Intercept Components 139
Intercept Advanced Features 177
Trusted and Blocked Senders 181
Spam Quarantine 187
CHAPTER 8 User Accounts and Remote Authentication 195
POP3 and IMAP Access 196
Local User Mailboxes 197
Mirror Accounts 199
Strong Authentication 200
Remote Accounts and Directory Authentication 202
Relocated Users 205
Vacation Notification 206
Tiered Administration 209
CHAPTER 9 Secure WebMail and ePrism Mail Client 211
Secure WebMail 212
ePrism Mail Client 216
CHAPTER 10 Policy Management 219
Policy Overview 220
Creating Policies 223
Domain Policies 224
Group Policies 226
User Policies 231
Managing Policies 233
Policy Diagnostics 234
4

CHAPTER 11 Threat Prevention 237
Threat Prevention Overview 238
Configuring Threat Prevention 239
Creating Threat Prevention Rules 241
Static Address Lists 251
Dynamic Address Lists 253
F5 Blocking 256
Cisco Blocking 261
Threat Prevention Status 264
CHAPTER 12 HALO (High Availability and Load Optimization) 265
CHAPTER 13 Reporting 283
HALO Overview 266
Configuring Clustering 268
Cluster Management 274
Configuring the F5 Load Balancer 278
Queue Replication 279
Viewing and Generating Reports 284
Viewing the Mail History Database 294
Viewing the System History Database 296
Report Configuration 299
CHAPTER 14 System Management 301
System Status and Utilities 302
Mail Queue Management 305
Quarantine Management 306
License Management 308
Software Updates 311
Security Connection 312
Reboot and Shutdown 313
Backup and Restore 314
Centralized Management 321
Problem Reporting 326
Health Check 327
CHAPTER 15 Monitoring System Activity 329
Activity Screen 330
System Log Files 332
Offloading Log Files 335
SNMP (Simple Network Management Protocol) 337
Alarms 340
5

CHAPTER 16 Troubleshooting Mail Delivery 343
Troubleshooting Mail Delivery 344
Troubleshooting Tools 345
Examining Log Files 346
Network and Mail Diagnostics 355
Troubleshooting Content Issues 360
APPENDIX A Using the ePrism System Console 363
APPENDIX B Restoring ePrism to Factory Default Settings 367
APPENDIX C Message Processing Order 369
APPENDIX D Customizing Notification and Annotation Messages 371
APPENDIX E Performance Tuning 375
APPENDIX F SNMP MIBS 383
Setting Default Performance Settings 376
Advanced Settings 377
MIB Files Summary 383
MIB Files 387
MIB OID Values 411
APPENDIX G Third Party Copyrights and Licenses 417
6

Preface
Preface
This User Guide provides detailed information on how to configure and manage your ePrism
Email Security Appliance, and contains the following topics:
• Chapter 1 — “ePrism Overview” on page 11
• Chapter 2 — “Administering ePrism” on page 27
• Chapter 3 — “Configuring Mail Delivery Settings” on page 37
• Chapter 4 — “Directory Services” on page 59
• Chapter 5 — “Mail Security and Encryption” on page 79
• Chapter 6 — “Message Content Scanning” on page 101
• Chapter 7 — “Intercept Anti-Spam” on page 131
• Chapter 8 — “User Accounts and Remote Authentication” on page 195
• Chapter 9 — “Secure WebMail and ePrism Mail Client” on page 211
• Chapter 10 — “Policy Management” on page 219
• Chapter 11 — “Threat Prevention” on page 237
• Chapter 12 — “HALO (High Availability and Load Optimization)” on page 265
• Chapter 13— “Reporting” on page 283
• Chapter 14 — “System Management” on page 301
• Chapter 15 — “Monitoring System Activity” on page 329
• Chapter 16 — “Troubleshooting Mail Delivery” on page 343
The following sections contain supplemental information for the ePrism Email Security
Appliance:
• Appendix A — “Using the ePrism System Console” on page 363
• Appendix B — “Restoring ePrism to Factory Default Settings” on page 367
• Appendix C — “Message Processing Order” on page 369
• Appendix D — “Customizing Notification and Annotation Messages” on page 371
• Appendix E — “Performance Tuning” on page 375
• Appendix F — “SNMP MIBS” on page 383
• Appendix G — “Third Party Copyrights and Licenses” on page 417
7

Related Documentation
If Release Notes are included with your product package, please read them for the latest
information on installing and managing ePrism.
The following documents are included as part of the ePrism documentation set:
TABLE 1. ePrism Documentation
Document
Release Notes
Installation
Guide
User Guide
Intercept Anti-
Spam Quick
Start Guide
Description
Provides up to date information on the product, including new
features, improvements, bug fixes, and any known issues. If
instructions in the Release Notes differ from the Installation Guide
or User Guide, use the instructions in the Release Notes.
Provides detailed information on how to install and provide the initial
configuration for the ePrism Email Security Appliance.
Provides detailed information on how to configure, administer, and
troubleshoot the ePrism Email Security Appliance.
Describes the basic configuration details and recommended
strategies for ePrism’s Intercept Anti-Spam features.
Conventions
The following typographical conventions are used in this guide:
TABLE 2. Typographical Conventions
Typeface
or Symbol Description Example
italic Screen name or data field names Activity Screen, or SMTP Port
bold
courier
font
Bold
courier
Button names, Menu items, and
Screen names
Text displayed on the screen and File
and Directory Names
Text entered by the user
Information that describes important
features or instructions
Select Basic Config ➝ Network
on the menu and click the Apply
button
backup/backup.gzip
Enter: example.com
Please see the following section
for more details
Information that alerts you to potential
problems and issues
Use caution when enabling this
feature
8

Preface
Contacting Technical Support
St. Bernard Software telephone support is available Monday-Friday
07:00am to 4:00pm (Pacific Standard Time)
08:30 to 17:30 (UTC) North America, South America, Pacific Rim (PST)
15015 Avenue of Science
San Diego, CA 92128
Main: 858.676.2277
FAX: 858.676.2299
Technical Support: 858.676.5050
Technical Support Email: ePrism-support@stbernard.com
Europe, Asia, Africa (UTC)
Unit 4, Riverside Way
Watchmoor Park, Camberley
Surrey, UK
GU15 3YQ
Main: 44.1276.401.640
FAX: 44.1276.684.479
Technical Support: 44.1276.401.642
Technical Support Email: support@uk.stbernard.com
Copyright Information
© 2003-2007 St. Bernard Software, Inc. All rights reserved.
St. Bernard Software is trademark of St. Bernard Software Inc. All other trademarks or
registered trademarks are hereby acknowledged.
Information in this document is subject to change without notice.
9

CHAPTER 1
ePrism Overview
This chapter provides an overview of the architecture and features of the ePrism Email
Security Appliance, and contains the following topics:
• “What’s New in ePrism 6.5” on page 12
• “ePrism Overview” on page 14
• “ePrism Deployment” on page 20
• “How Messages are Processed by ePrism” on page 22
11

ePrism Overview
What’s New in ePrism 6.5
The ePrism Email Security Appliance version 6.5 adds several new features while considerably
improving the functionality of existing features.
Blocked Senders List
The Blocked Senders List allows end users to specify a list of addresses from which they do not
want to receive mail. These senders will be blocked from sending mail to that specific user via
ePrism. If a sender is on the Blocked Senders List, the message can either be rejected with
notification or discarded by ePrism.
Blocked Senders are configured via Mail Delivery ➝ Anti-Spam ➝ Trusted/Blocked Senders
on the menu.
Virtual Interfaces
Virtual Interfaces are used by ePrism to define additional interfaces and IP addresses to send
and receive mail for specific domains. These Virtual Interfaces are associated with the existing
physical network interfaces on ePrism. ePrism will send all outbound email for a specific domain
using its specified IP address in the Virtual Interfaces configuration. ePrism selects the Virtual
Interface to use for outgoing mail by matching the sender's domain to the domains associated
with the configured Virtual Interfaces.
Virtual Interfaces are configured via Basic Config ➝ Virtual Interfaces on the menu.
Image Spam Analysis
An Image Spam email message typically consists of random text or no text body and contains
an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the
spam message. These types of spam messages are difficult to detect because the message
contains no helpful text or URL characteristics that can be scanned and analyzed.
The Image Spam Analysis feature that performs advanced analysis of image attachments to
help determine if the message is spam or legitimate mail. Similar to ePrism's other Anti-Spam
features that detect spam characteristics in the text of a message, the Image Spam Detection
feature extracts certain characteristics of the attached image to determine if these
characteristics are similar to those seen in actual spam messages.
The Image Spam Detection feature uses the Token Analysis feature to analyze image spam
messages. Token Analysis must be enabled for Image Spam detection to work.
Enable the Image Analysis option via Mail Delivery ➝ Anti-Spam ➝ Intercept ➝ Token
Analysis ➝ Advanced on the menu.
12

What’s New in ePrism 6.5
Intercept Anti-Spam Improvements
The following improvements have been made to ePrism's Intercept Anti-Spam feature:
• The Intercept Anti-Spam engine has been enhanced to increase Intercept's effectiveness
against the latest types of image spam and other spam messages.
• The Intercept training engine and database have been updated to improve the efficiency
and effectiveness of training for spam and legitimate mail.
• Intercept's use of the BorderWare Security Network (BSN) and DNS/URL Block Lists has
been improved to provide more effective reputation and block list contribution to the overall
Intercept spam score decision for a message.
• Bulk Analysis has been modified to reduce the probability of false positives in the Intercept
spam decision. To revert to the previous behaviour and increase the emphasis on Bulk
Analysis results, set the Bulk Analysis weight to 90 in the advanced Intercept settings,
accessed via Mail Delivery ➝ Anti-Spam ➝ Intercept and clicking the Advanced button.
LDAP Paging Support
When querying an LDAP server, the amount of information returned may contain thousands of
entries and sub-entries. Paging allows LDAP information to be retrieved in more manageable
sections to control the rate of data being returned. Previously, ePrism could not retrieve more
entries than the administrative limit configured by Microsoft Active Directory®, requiring the
limit to be increased on the Active Directory server. Active Directory LDAP paging is now
supported by ePrism and removes the requirement to manually set a higher maximum page
size in Active Directory for use with ePrism LDAP user imports.
13

ePrism Overview
ePrism Overview
ePrism is a dedicated Mail Firewall designed for deployment between internal mail servers and
the Internet. ePrism supports the standard mail protocols for processing email messages while
offering a secure method for their processing and delivery. ePrism has been designed
specifically to resist operating system attacks and protect mail servers from direct SMTP and
HTTP connections.
ePrism Deployment
ePrism is generally configured to accept all mail for a domain or sub-domain, store and process
mail according to specified security policies, and deliver the mail to one or more internal mail
servers for collection by users. ePrism is ideally suited for deployment in parallel with an existing
firewall, on a DMZ, or on an internal network.
See “ePrism Deployment” on page 20 for more detailed information on deploying ePrism.
Mail Delivery Security
ePrism has a sophisticated mail delivery system with several security features and benefits to
ensure that the identifying information about your company’s email infrastructure remains
private.
• For a company with multiple domain names, ePrism can accept, process and deliver mail to
private email servers.
• For a company with multiple private email servers, the ePrism can route mail based on the
domain or subdomain to separate groups of email users.
• Security features such as mail mappings and address masquerading allow the ability to hide
references to internal host names.
Content Scanning and Filtering
ePrism implements attachment controls, attachment content scanning, and content filtering
based on pattern and text matching. These controls prevent the following issues:
• Breaches of confidentiality
• Legal liability from offensive content
• Personal abuse of company resources
• Compliance policies
Attachment controls are based on the following characteristics:
• File Extension Suffix — The suffix of the file is checked to determine the attachment type,
such as .exe, or .jpg.
• MIME Content Type — MIME (Multipurpose Internet Mail Extensions) can be used to
identify the content type of the message.
• Content Analysis — The file is analyzed from the beginning to look for characteristics that
can identify the file type. This analysis ensures that the attachment controls are not
circumvented by simply renaming a file.
14

ePrism Overview
• Deep Content Scanning — Attachments such as PDFs or Microsoft Word documents can
be analyzed for words or phrases that match a pattern filter or compliance dictionary.
Virus Scanning
The ePrism Email Security Appliance features optional virus scanning based on Kaspersky
Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and
malicious programs. ePrism’s high performance virus scanning provides a vital layer of
protection against viruses for your entire organization. Automatic pattern file updates ensure
that the latest viruses are detected.
Threat Outbreak Control
The Threat Outbreak Control feature provides customers with zero-day protection against early
virus outbreaks. For most virus attacks, the time from the moment the virus is released to the
time a pattern file is available to protect against the virus can be several hours. During this
period, mail recipients are vulnerable to potential threats. ePrism's Threat Outbreak Controls
can detect and take action against early virus outbreaks to contain the virus threat.
Malformed Message Protection
Similar to malformed data packets used to subvert networks, malformed messages allow
viruses and other attacks to avoid detection, crash systems, and lock up mail servers. ePrism
ensures that only correctly formatted messages are allowed into your mail systems. Message
integrity checking protects your mail servers and clients and improves the effectiveness of
existing virus scanning implementations.
Intercept Anti-Spam
The ePrism Email Security Appliance provides a complete and robust set of anti-spam features
specifically designed to protect against the full spectrum of current and evolving spam threats.
ePrism’s Intercept Anti-Spam engine can combine the results of several Anti-Spam features to
provide a better informed decision on whether a message is spam or legitimate mail. These
features include:
• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the
client address or header parameters such as HELO or Envelope-From and Envelope-To.
• Pattern Based Message Filtering (PBMF) — Filter messages based upon matches in the
envelope/header/body of a message.
• Spam Dictionaries — Filters messages based on a dictionary of typical spam words and
phrases that are matched against a message.
• Mail Anomalies — Checks various aspects of the incoming message for issues such as
unauthorized SMTP pipelining, missing headers, and mismatched identification fields.
Checks for recent spam and viruses from a specific IP address can also be enabled which
is used in conjunction with the Threat Prevention feature.
• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor
reputation. Messages can also be rejected immediately regardless of the results of other
Anti-Spam processing if the client is listed on a DNSBL. A configurable threshold allows
administrators to specify how many DNSBLs must trigger to consider the sender as
unreliable.
15

ePrism Overview
• URL Block List — Detects spam by examining the URLs in a message and querying a
SURBL (Spam URI Realtime Block Lists) server to determine if this URL has been used in
spam messages.
• Bulk Analysis — Detect bulk mail spam by checking mail sent to a large numbers of users.
• Token Analysis — Detects spam based on advanced content analysis using databases of
known spam and valid mail. This feature is also specially engineered to effectively detect
Image spam.
• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS
records to identify the source of a message.
• DomainKeys Authentication — Performs a check of a sending host’s DomainKeys DNS
records to identify the source of a message.
Threat Prevention
ePrism’s Threat Prevention capabilities that allow organizations to detect and block incoming
threats in real-time. Threat types can be monitored and recorded to track client IP behaviour and
reputation. By examining mail flow patterns, ePrism detects whether a sending host is behaving
maliciously by sending out viruses, spam, or attempting denial-of-service (DoS) attacks. By
instantly recognizing these types of mail patterns, ePrism can be an effective solution against
immediate attacks. ePrism’s Threat Prevention feature can block or throttle inbound mail
connections before the content is processed to lessen the impact of a large number of inbound
messages.
Trusted and Blocked Senders List
These features allow users to create their own personal Trusted and Blocked Senders Lists
based on a sender’s email address. The Trusted email addresses will be exempt from ePrism’s
spam controls allowing users to trust legitimate senders, while email addresses on the Blocked
Senders List will be prevented from sending mail to that user via ePrism.
Spam Quarantine
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual
user. Users will be able to connect to ePrism either directly or through a summary email to view
and manage their own quarantined spam. Messages can be deleted, or moved to the user’s
local mail folders. Automatic notification emails can be sent to end users notifying them of the
existence of messages in their personal quarantine area.
Secure WebMail
ePrism’s Secure WebMail provides remote access support to internal mail servers. With Secure
WebMail, users can access their mailboxes using email web clients such as Outlook® Web
Access, Lotus iNotes, or ePrism’s own web mail client. ePrism addresses the security issues
currently preventing deployment of web mail services by providing the following protection:
• Strong authentication (including integration with Active Directory)
• Encrypted sessions
• Advanced session control to prevent information leaks on workstations
16

ePrism Overview
Authentication
ePrism supports the following authentication methods for administrators, WebMail users,
Trusted Senders List, and Spam Quarantine purposes:
• User ID and Password
• RADIUS and LDAP
• RSA SecurID® tokens
• SafeWord and CRYPTOCard tokens
Mail Delivery Encryption
All mail delivered to and from ePrism can be encrypted using TLS (Transport Layer Security).
This includes connections to remote systems, local internal mail systems, or internal mail
clients. Encrypted messages are delivered with complete confidentiality both locally and
remotely.
Encryption can be used for the following:
• Secure mail delivery on the Internet to prevent anyone from viewing email while in transit.
• Secure mail delivery across a LAN to prevent malicious users from viewing email other than
their own.
• Create policies for secure mail delivery to branch offices, remote users and business
partners.
• ePrism supports TLS/SSL encryption for all user and administrative sessions.
• TLS/SSL is used to encrypt SMTP sessions effectively preventing eavesdropping and
interception.
Local User Mailboxes
ePrism can host user mailboxes and act as a fully functioning mail server for small offices.
ePrism fully supports POP3 and IMAP (including their secure versions) and SMTP protocols for
retrieving and sending mail.
HALO (High Availability and Load Optimization)
ePrism is the first email firewall to provide enterprises with a fail-safe clustering architecture for
high availability. HALO ensures email is never lost due to individual system failure through its
unique security, cluster management, load balancing and optimization, and "stateful failover"
queue replication capabilities. All systems can be clustered together to increase additional
capacity, throughput, or provide load balancing and optional high availability.
Cluster Management
The cluster management feature allows administrators to manage ePrism clusters and to
synchronize configuration settings across all systems in the cluster. Combined reports and
email database searches may be derived from clustered systems. Specific features include:
• Configuration Replication — This function allows systems to be added to clusters and to
assume the configuration of a defined "master" Cluster Console system.
17

ePrism Overview
• Cluster Synchronization — Systems within a cluster can be synchronized to the defined
"master" system. Any changes to the configuration of the Cluster Console master are
reflected in the configuration of all systems in the cluster.
• Cluster Reporting — ePrism reports can be generated for a single system or for all
systems in a cluster. The email database can be searched by system or by cluster. The
history and status of any message can be instantly retrieved regardless of which system
processed the message.
Load Balancing and Optimization
A basic requirement of high availability is to have an automated or semi-automated mechanism
for switching the mail stream between available systems in the cluster, depending on their
individual availability or health.
Utilizing DNS round-robin techniques or dedicated load balancing hardware, email can be
directed to ePrism systems in a cluster depending on their availability and current load.
Queue Replication
To prevent the loss of email messages during a system failure, ePrism has created a unique
solution with "stateful failover" queue replication technology that replicates queues and
intelligently synchronizes messages to a defined mirror system within a cluster. If a system in a
cluster should fail and there exists undelivered mail in its queue, a mirror system can take
ownership of that queue’s messages and successfully process and deliver them. This ensures
that no email messages are ever lost.
Policy Controls
Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment
control to be customized and applied based on the group membership, domain membership, or
email address of the recipient. User groups can be imported from an LDAP-based directory, and
then policies can be created to apply customized settings to these groups.
For example, you can set up an Attachment Control Policy to allow your Development group to
accept and send executable files (.exe), while configuring your attachment control settings for
all your other departments to block this file type to prevent the spread of viruses among the
general users.
Directory Service Support
ePrism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as
Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:
• LDAP lookup prior to internal delivery — ePrism can check for the existence of an
internal user via LDAP before delivering a message. This feature allows you to reject mail to
unknown addresses in relay domains, reducing the number of attempted deliveries of spam
messages for non-existent local addresses. This check can be performed directly to an
LDAP server or to a cached directory stored locally on ePrism.
• Group/User Imports — An LDAP lookup will determine the group membership of a user
when applying policy-based controls. LDAP users can also be imported and mirrored on
ePrism to be used for services such as the Spam Quarantine.
• Authentication — LDAP can be used for authenticating IMAP access, user mailbox, and
WebMail logins.
18

ePrism Overview
Manageability
• SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP
Relay.
• Mail Routing — LDAP can be used to lookup Mail Routes for a domain to deliver mail to its
destination server.
ePrism provides a complete range of monitoring and diagnostics tools to monitor the system
and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional
security, while comprehensive logs record all mail activity.
• Web Browser-based Management — The web browser management interface displays a
live view of system activity and traffic flows. The management interface can be configured
to display this information for one or many systems, including systems in a local cluster or
systems that are being centrally managed.
• Reporting and Auditing — The reporting and audit features deliver a comprehensive set
of statistics that may be generated at any time or scheduled for automatic delivery. ePrism
includes a wide range of predefined reports, including information on system health, mail
processing, spam, virus filtering statistics, and user mail volumes. Administrators can easily
create customized reports.
• Enterprise integration with SNMP — Using SNMP (Simple Network Management
Protocol), ePrism can generate both information and traps to be used by SNMP monitoring
tools. This extends the administrator’s view of ePrism and allows an instant view of
significant system events, including traffic flows and system failures.
• Alarms — ePrism can generate system alarms that can automatically notify the
administrator via email and console alerts of a system condition that requires attention.
• Archiving — Archiving support allows organizations to define additional mail handling
controls for inbound and outbound mail. These features are especially important for
organizations that must archive certain types of mail for regulatory compliance or for
corporate security policies.
Security Connection
The Security Connection provides an automated software update service. By enabling the
Security Connection, you are automatically notified of any new patches and updates for the
ePrism software. St. Bernard continuously monitors for new vulnerabilities and issues new
updates to defend against them, ensuring that you have them as soon as they are available.
Internationalization
ePrism supports internationalization for annotations, notification messages, and mail database
views. For example, a message is sent to someone who is on vacation and the message used
character set ISO-2022-JP (Japanese), the vacation notification sent back will be in the same
character set. The mail history database can also be viewed using international character sets.
19

ePrism Overview
ePrism Deployment
ePrism is designed to be situated between mail servers and the Internet so that there are no
direct SMTP (Simple Mail Transport Protocol) connections between external and internal
servers.
ePrism is typically installed in one of three locations:
• In parallel with the firewall
• On your DMZ (Demilitarized Zone)
• Behind the existing firewall on the Internal network
SMTP TCP port 25 traffic is redirected from either the external interface of the firewall or from
the external router to ePrism. When the mail is accepted and processed, ePrism initiates an
SMTP connection to the internal mail server to deliver the mail.
ePrism in Parallel with the Firewall
The preferred deployment strategy for ePrism is to be situated in parallel with an existing
network Firewall. ePrism’s inherent firewall security architecture eliminates the risk associated
with deploying an appliance on the perimeter of a network. This parallel deployment eliminates
any mail traffic on the firewall and decreases its overall load.
20

ePrism Deployment
ePrism on the DMZ
Deploying ePrism on the DMZ is an equally secure method of deployment configuration. This
type of deployment prevents any direct connection from the Internet to the internal servers, but
does not ease the existing load on the firewall.
ePrism on the Internal Network
ePrism can also be deployed on the Internal Network. Although this configuration allows a
direct connection from the Internet into the internal network, it is a perfectly legitimate
configuration when dictated by existing network resources.
21

ePrism Overview
How Messages are Processed by ePrism
The following sections describe the sequence in which the various ePrism security features are
applied to any inbound and outbound mail messages and how these settings affect their
delivery.
Trusted Mail
ePrism only processes mail through the spam filters when a message originates from an
"untrusted" source. Trusted sources bypass the spam controls. By default, mail that arrives on a
particular network interface from the same subnet is "trusted".
There are two ways to control how sources of mail are identified and trusted:
1. The network interface the mail arrives on
2. A specified IP address (or address block), or server or domain name
See “Trusted and Untrusted Mail Sources” on page 134 for information on configuring trusted
and untrusted sources.
Inbound and Outbound Scanning
For features that scan both inbound and outbound mail, the following rules apply:
• Mail from trusted source to local recipient — Inbound
• Mail from trusted source to non-local recipient — Outbound
• Mail from untrusted source to local recipient — Inbound
• Mail from untrusted source to non-local recipient — Inbound
SMTP Connection
An SMTP connection request is made from another system. ePrism accepts the connection
request unless one of the following checks (if enabled) is triggered:
• Reject on Threat Prevention — Rejects mail when the client is rejected by the Threat
Prevention feature.
• Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP
commands ahead of time without knowing that the mail server actually supports SMTP
command pipelining. This stops messages from bulk mail software that use SMTP
command pipelining improperly to speed up deliveries.
• Reject on expired ePrism license — Rejects mail if the ePrism license has expired.
• Specific Access Pattern and Pattern Based Message Filter (Reject) — Rejects mail
based on SAP and PBMF for the HELO, Envelope-TO, Envelope-From, and Client IP fields.
• Reject on DNS Block list — Rejects mail if the sender is on a DNSBL and ePrism is set to
reject on DNSBL.
• Reject on BSN (Reputation, Infected, Dial-up) — Rejects mail based on statistics
provided by the St. Bernard Security Network.
At this point, trusted or local networks skip any further "Reject" checks.
22

How Messages are Processed by ePrism
• Reject on unknown sender domain — Rejects mail when the sender mail address has no
DNS A or MX record.
• Reject on missing reverse DNS — Rejects mail from hosts where the host IP address has
no PTR (address to name) record in the DNS, or when the PTR record does not have a
matching A (name to address) record. This setting is rarely used because many servers on
the Internet do not have valid reverse DNS records, and enabling it may result in rejecting
mail from legitimate sources.
• Reject on missing sender MX — Rejects mail when the sender’s mail address is missing
a DNS MX record.
• Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM
command is not in fully-qualified domain form (FQDN).
• Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. The
system will perform an LDAP lookup on the recipient’s address to ensure they exist before
delivering the message.
Mail Header and Message Properties
The connection is now accepted. The message will be accepted for processing unless one of
the following occurs:
• Reject on missing addresses — Rejects mail when no recipients in the To: field, or no
senders in the From: field were specified in the message headers.
• Maximum number of recipients — Rejects mail if the number of recipients exceeds the
specified maximum (default is 1000).
• Maximum message size — Rejects mail if the message size exceeds the maximum.
Malformed Content, Virus Checking, and Attachment Control
Messages are scanned for malformed and very malformed messages, viruses, and specific
attachments. If there is a problem, ePrism can be configured with a variety of actions, such as
sending the message to the administrative Quarantine folder.
Threat Outbreak Control
Messages are scanned by Threat Outbreak control to look for virus-like behaviour. These
messages can be quarantined until updated Anti-Virus pattern files are available to rescan
them.
OCF (Objectionable Content Filter)
Messages are scanned for objectionable content using a pre-defined list of words, and a
configurable action is taken.
Pattern Based Message Filters and Specific Access Patterns
The messages are scanned to see if they match any existing Pattern Based Message Filters
(PBMF), or Specific Access Patterns (SAP) set to "Trust" or "Allow Relaying".
23

ePrism Overview
Trusted and Blocked Senders List
If a sender is on a user’s Trusted Sender’s List, the message will skip all remaining checks. If
the sender is on a user’s Blocked Sender’s List, the message will be rejected or discarded
depending on the configuration.
Attachment Content Scanning
Encryption
Deep scanning is performed on attachments for blocked words and phrases.
If enabled, outbound messages are encrypted before being delivered.
Anti-Spam Processing
If the message arrives from an "untrusted" source, it will be processed for spam by the Intercept
Anti-Spam engine. All Intercept features that are enabled will contribute to the final spam score
of a message.
Mail Mappings
The message is now accepted for processing and the following occurs:
• If the recipient address is not for a domain or sub-domain for which ePrism is configured to
accept mail (either as an inbound mail route or a virtual domain) then the message is
rejected.
• If the recipient address is mapped in the Mail Mappings table, then the "To" field in the
message header will be modified as required.
Virtual Mappings
The message is now examined for a match in the Virtual Mapping table. If such a mapping is
found, the envelope-header recipient field will be modified as required. LDAP virtual mappings
will then be processed. Virtual mappings are useful for the following:
• Acting as a wildcard mail mapping, such as any user for example.com goes to
mail.example.com. You can create exceptions to this rule in the mail mappings for
particular users.
• ISPs who need to accept mail for several domains and the envelope-header recipient field
needs to be rewritten for further delivery.
• To deliver to internal servers, use Mail Delivery ➝ Routing ➝ Mail Routing.
In all cases, mappings rely on successful DNS lookups for an MX record.
Relocated Users
When mail is sent to an address that is listed in the relocated user table, the message is
bounced back with a message informing the sender of the relocated user’s new contact
information.
24

How Messages are Processed by ePrism
Mail Aliases
When mail needs to be delivered locally, the local delivery agent runs each local recipient name
through the aliases database. An alias results in the creation of a new mail message to be
created for the named address or addresses. This mail message is then entered back into the
system to be mapped, routed, and so on. This process also occurs with local user accounts for
whom a "forwarder address" has been configured. Local user accounts will be treated like
aliases in this case.
Local aliases are typically used to implement distribution lists or to direct mail for standard
aliases such as mail to the "postmaster" account. LDAP aliases are then processed. LDAP
functionality can be used to search for mail aliases on directory services such as Active
Directory.
Mail Routing
During the mail routing process, there is no modification made to the mail header or the
envelope. A mail route specifies two things:
• Which domains ePrism will accept mail for (other than itself).
• Which hosts the mail should be delivered to.
The message is now delivered to its destination.
See “Message Processing Order” on page 369 for a summary of the message processing
order.
25

CHAPTER 2
Administering ePrism
This chapter describes how to administer and configure basic settings for the ePrism Email
Security Gateway, and contains the following topics:
• “Connecting to ePrism” on page 28
• “Configuring the Admin User” on page 32
• “Web Server Options” on page 35
• “Customizing the ePrism Interface” on page 36
27

Administering ePrism
Connecting to ePrism
To administer ePrism using the web browser administrative interface, launch a web browser on
your computer and enter the IP address or hostname for ePrism as the URL in the location bar.
Your system must be listed in your DNS server to be able to connect via the hostname.
Supported web browsers:
• Microsoft Internet Explorer 6 and greater
• Firefox 1.0 and greater
• Mozilla 1.0 and greater
• Netscape 6.0 and greater
• Safari 1.0 and greater
The login screen will then appear. Enter your admin ID and password.
When logged in, the main ePrism Email Security Gateway Activity screen and main menu will
appear.
28

Connecting to ePrism
Navigating the Main Menu
The main menu consists of the following main categories:
Activity
The Activity screen provides you with a variety of information on mail processing activity, such
as the number of messages in the mail queue, the number of different types of messages
received and sent, and current message activity. If you are running a HALO cluster, you will
also have a Cluster Activity option that will show you the activity statistics for the entire
cluster.
Basic Config
The Basic Config menu allows you to configure some of the basic settings for ePrism including:
• Admin Account
• Alarms
• Customization
• Directory Services (LDAP)
• Network
• Performance
• Static Routes
• SNMP Configuration
• Web Server Configuration
• Virtual Interfaces
Mail Delivery
The Mail Delivery menu allows you to configure the features that affect mail delivery, including
all mail security and anti-spam settings. It includes the following features:
• Anti-Spam (Intercept)
• Anti-Virus
• Outbreak Control
• Content Management
• Mail Access
• Threat Prevention
• Policy
• SMTP Security
• Encryption
• Archiving
• Delivery Settings
• Routing
• DomainKeys Signing
29

Administering ePrism
User Accounts
The User Accounts menu allows you to create local accounts on the ePrism and enable POP
and IMAP access. Management of mirrored user accounts created by LDAP, Remote
Authentication, and Secure WebMail are also configured here. It includes the following features:
• Local Accounts
• Mirrored Accounts (Only displayed if mirrored accounts exist)
• Relocated Users
• Vacations
• POP3 and IMAP
• Secure WebMail
• Remote Authentication
• SecureID Configuration
HALO
The HALO (High Availability and Load Optimization) menu is used to configure and manage
clustered ePrism systems, and includes the following features:
• Cluster Administration
• Queue Replication
• F5 Integration
Status/Reporting
The Status/Reporting menu allows you to view the current status of system services, manage
your mail queue and the quarantine area, and review reports and logs. The menu includes the
following features:
• Status & Utility
• Mail Queue
• Quarantine
• Reporting
• System Logs
• Problem Reporting
• Health Check
• Threat Prevention Status
Management
The Management menu contains options for various ePrism system administration tasks such
as backup and restore, license management, and software updates. The menu includes the
following features:
• Backup & Restore
• Centralized Management
• License Management
• Reboot & Shutdown
• Software Updates
• Security Connection
• SSL Certificates
30

Connecting to ePrism
ePrism System Console
You can access the ePrism system console by connecting a monitor and keyboard to ePrism.
The system console provides a limited subset of administrative tasks and is only recommended
for use during initial installation and network troubleshooting. Routine administration should be
performed via the web browser administration interface. When accessing the system console,
you will be prompted for the UserID and Password for the administrative user.
See “Using the ePrism System Console” on page 363 for more detailed information on using
the system console.
31

Administering ePrism
Configuring the Admin User
The primary admin account is created during the ePrism installation. Select Basic Config ➝
Admin Account from the menu to modify the password or strong authentication methods for
the admin user.
It is recommended that you create additional admin users and use those accounts to manage ePrism
instead of the primary admin account. The primary admin account password should then be written down
and stored in a safe and secure place.
Login Lockout
If login credentials for an admin user are not properly entered after five times in a row, the
account will be locked out for 30 minutes. This lockout can be reset by rebooting ePrism.
Strong Authentication
You can also configure strong authentication for the admin user. These methods of
authentication require a hardware token that provides a response to the login challenge.
You can choose between the following types of secure authentication tokens:
• CRYPTOCard
• SafeWord
• SecurID
Once selected, a configuration wizard will guide you through the steps to configure the token for
the specified authentication method.
See “Strong Authentication” on page 200 for more information on strong authentication
methods.
32

Configuring the Admin User
Adding Additional Administrative Users
There is only one primary admin user account, but additional administrative users can be
added using Tiered Administration. This allows you to configure another user with Full Admin
rights, or with granular permissions that only give admin rights to certain ePrism options. For
example, you may want to add a user who can administer reports or vacation notifications, but
not have any other administrative access.
Granting full or partial admin access to one or more user accounts allows actions performed by
administrators to be logged because they have an identifiable UserID that can be tracked by
the system.
A user with Full Admin privileges cannot modify the profile of the default Admin user. They can,
however, edit others users with Full Admin privileges.
Add an administrative user as follows:
1. From the Basic Config ➝ Admin Account screen, click the Add Admin User button.
2. Enter a User ID, an optional email address to forward mail to, and a password. You can
also set strong authentication methods, if required.
3. At the bottom of the Add a New User screen is a section for Administrator Privileges.
4. Select the required administrative access for the user:
• Full Admin — The user has administrative privileges equivalent to the admin user.
• Administer Aliases — The user can add, edit, remove, upload and download aliases
(not including LDAP aliases.)
33

Administering ePrism
• Administer Filter Patterns — The user can add, edit, remove, upload and download
Pattern Based Message Filters and Specific Access Patterns.
• Administer Mail Queue — The user can administer mail queues.
• Administer Quarantine — The user can view, delete, and release quarantined files.
• Administer Reports — The user can view, configure and generate reports, and view
system activity.
• Administer Users — The user can add, edit, and relocate user mailboxes (except the
Full Admin users), including uploading and downloading user lists. User vacation
notifications can also be configured.
• Administer Vacations — The user can edit local user’s vacation notification settings and
other global vacation parameters.
• Mail History — The user can view the email database history.
• View Activity — The user can view the Activity page and start and stop mail services.
Individual emails can only be viewed if Mail History is also enabled.
• View System Logs — The user can view all system logs files.
See “Tiered Administration” on page 209 for more information on configuring admin access.
Admin Login and WebMail access must be enabled on the network interface that will be used by
tiered administration users. This is set in the Basic Config ➝ Network screen.
34

Web Server Options
Web Server Options
The Web Server Options screen defines the settings used for connecting to ePrism via the web
browser administrative interface. By default, ePrism’s web server uses port 80 for HTTP
requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it
is recommended that you leave the default SSL encryption enabled to force a connecting web
browser to use HTTPS.
Select Basic Config ➝ Web Server on the menu to configure your web server settings.
• Admin HTTP Port — Indicates the default port 80 for HTTP requests.
• Admin HTTPS Port — Indicates the default port 443 for HTTPS requests.
• Require SSL encryption — Requires SSL encryption for all user and administrator web
sessions.
• Allow low-grade encryption — Allow the use of low-grade encryption, such as DES
ciphers with a key length of 64 bits, for encrypted user and administrator web sessions.
• Enable SSL version 2 — Enables SSL version 2 protocol. Note that SSL version 2
contains known security issues.
• Enable SSL version 3 — Enable SSL version 3 protocol. This is the default setting.
• Enable TLS version 1 — Enable TLS version 1 protocol. This is the default setting.
• Character set encoding — Select the type of character encoding used for HTML data.
35

Administering ePrism
Customizing the ePrism Interface
The ePrism interface logos can be easily customized by uploading your own organization’s
custom logos to replace the ePrism logo on the main login screen, the administration screen
logo, and the ePrism Mail Client logo. Administrators can also customize the login page title of
the administrative session screen.
Customize a logo as follows:
1. Select Basic Config ➝ Customization on the menu to customize the ePrism logos.
2. Click Browse to choose a file, and then click Next to upload the file.
Revert to the default ePrism graphic by selecting the Default Logo button.
Most graphic formats are supported, but it is recommended that you use graphics suitable
for web page viewing such as GIF and JPEG. The maximum file size is 32k.
TABLE 1. Recommended Image Sizes
Logo Type
Main Screen Logo
Admin Screen Small Logo
ePrism Mail Client Logo
Size in Pixels
285 x 85 pixels
191 x 57 pixels
94 x 28 pixels
36

CHAPTER 3
Configuring Mail Delivery
Settings
This chapter describes how to configure network and mail delivery settings for the ePrism
Email Security Gateway, and contains the following topics:
• “Network Settings” on page 38
• “Virtual Interfaces” on page 42
• “Static Routes” on page 45
• “Mail Routing” on page 46
• “Mail Delivery Settings” on page 48
• “Mail Aliases” on page 53
• “Mail Mappings” on page 55
• “Virtual Mappings” on page 57
37

Configuring Mail Delivery Settings
Network Settings
The basic networking information to get ePrism up and running on the network is configured
during installation time. To perform more advanced network configuration and to configure other
network interfaces, you must use the Basic Config ➝ Network settings screen.
From the network settings screen you can modify the following items:
• Hostname and Domain information
• Default Gateway
• Syslog Host
• DNS and NTP servers
• Network Interface IP Address and feature access settings
• Clustering and Queue Replication interface configuration
• Support Access settings
If you make any modifications to your network settings, you must reboot ePrism. The system will
prompt you to restart after clicking the Apply button.
Configuring Network Settings
Select Basic Config ➝ Network on the menu to configure ePrism's network settings.
• Hostname — Enter the hostname (not the Fully Qualified Domain Name) of the ePrism
Email Security Gateway, such as the hostname eprism in eprism.example.com.
• Domain — Enter the domain name, such as example.com.
• Gateway — Enter the IP address of the default route for ePrism. This is typically the
external router connected to the Internet, or the network Firewall’s interface if ePrism is
located on the DMZ.
• Syslog Host — ePrism can log to a specific syslog host. A syslog host collects and stores
log files from many sources. Enter the IP address of the syslog server that will receive all
logs from ePrism.
38

Network Settings
• Name Server — At least one DNS name server must be configured for hostname
resolution, and it is recommended that secondary name servers be specified in the event
the first DNS server is unavailable.
DNS servers can be queried either in strict order as specified in the configuration, or by the
fastest response. If "Strict Ordering" is selected, the DNS servers will be queried in the
order they are configured. If the first DNS server is unavailable, the next server in the list
will be queried. For "Favor Fastest" mode, ePrism uses DNS caching to determine which of
the configured DNS servers is sending the fastest response. This is the default mode which
will provide the best performance in most cases.
• NTP Server — NTP is critical for accurate timekeeping for the ePrism Email Security
Gateway. Entering a valid NTP server will ensure that the server time is synchronized. It is
recommended that secondary NTP servers be specified in the event the primary NTP
server is unavailable.
Network Interfaces
Enter the required settings for each network interface. You can enter information for up to four
interfaces.
Some of the following options will not be displayed unless the related feature is enabled.
• IP Address — Enter an IP address for this interface, such as 192.168.1.104.
• Netmask — Enter the netmask for this interface, such as 255.255.255.0.
• Media — Select the type of network card. Use Auto select for automatic configuration.
• Large MTU — Sets the MTU (Maximum Transfer Unit) to 1500 bytes. This may improve
performance connecting to servers on the local network. The default is 576 bytes.
For most organizations, the default option of 576 bytes is adequate. This option should only be
changed if needed and with the involvement of a Technical Support representative.
39

Configuring Mail Delivery Settings
• Respond to Ping — Allows ICMP ping requests to this interface. This will allow you to
perform network connectivity tests to this interface, but will cause this interface to be more
susceptible to denial of service ping attacks.
• Trusted Subnet — If selected, all hosts on this subnet are considered trusted for relaying
and anti-spam processing.
• Admin Login — Allows access to this interface for administrative purposes.
• WebMail — Allows access to WebMail via this interface.
• IMAPS Server — Allows secure access to ePrism’s internal IMAP server via this interface.
• IMAP Server — Allows access to ePrism’s internal IMAP server via this interface.
• POP3S Server — Allows secure access to ePrism’s internal POP3 server via this interface.
• POP3 Server — Allows access to ePrism’s internal POP3 server via this interface.
POP and IMAP settings are only displayed if enabled in User Accounts ➝ POP3 and IMAP.
• SNMP Agent — Allows access to the SNMP agent via this interface.
Advanced Parameters
The following advanced networking parameters are TCP extensions that improve the
performance and reliability of communications.
• Enable RFC 1323 — Enable TCP extensions to improve performance and to provide
reliable operations of high-speed paths. This is enabled by default, and should only be
disabled if you experiencing networking problems with certain hosts.
• Enable RFC 1644 — Enable an experimental TCP extension for efficient transaction
oriented (request/response) service. This is disabled by default.
• Path MTU Discovery (RFC 1191) — Disable Path MTU (Maximum Transfer Unit) if
required to resolve delivery problems when interconnecting between specific firewalls and
SMTP proxies. Path MTU is enabled by default.
40

Network Settings
Clustering
The Clustering section is used to enable clustering on a specific network interface. See “HALO
(High Availability and Load Optimization)” on page 265 for more information on configuring
clustering.
• Enable Clustering — Select the check box to enable clustering on this ePrism system.
• Cluster Interface — Select the interface to enable clustering on.
Support Access
Enable Support Access, if required, which allows St. Bernard Technical Support to connect to
this system from the specified IP address. This setting does not need to be enabled during
normal usage, and should only be enabled if requested by St. Bernard Technical Support.
This option only appears if you have installed the Support Access patch in Management ➝
Software Updates.
For security reasons, Support Access communications use SSH (Secure Shell) to establish a
secure connection via PKI (Public Key Infrastructure) encryption on a non-standard network
port. Support Access will only allow a connection to be made from the St. Bernard network.
41

Configuring Mail Delivery Settings
Virtual Interfaces
Virtual Interfaces are used by ePrism to define additional interfaces and IP addresses to send
and receive mail for specific domains. These Virtual Interfaces are associated with the existing
physical network interfaces on ePrism.
ePrism will send all outbound email for a specific domain using its specified IP address in the
Virtual Interfaces configuration. ePrism selects the Virtual Interface to use for outgoing mail by
matching the sender's domain to the domains associated with the configured Virtual Interfaces.
If no Virtual Interface domains match the domain of the sender, or if using the Virtual Interface
results in a non-routable network connection, the ePrism will send the mail via its normal
outbound interface.
ePrism will also accept inbound email arriving via this Virtual Interface's IP address. When a
mail server connects to SMTP port 25 on a Virtual Interface, the customized banner for that
interface will be communicated. If no banner has been specified, the default ePrism banner will
be used (configured via Mail Delivery ➝ Mail Access).
Only TCP port 25 can be used for sending and receiving mail on a Virtual Interface. Virtual
Interfaces can be pinged if ping is enabled on the corresponding physical network interface. Due to
their nature, Virtual Interfaces cannot be pinged from the Status and Utility screen on ePrism.
Domains using Virtual Interfaces can be used with ePrism's Domain-based Policies to provide
flexibility in creating security and content policies for specific domains.
Network Routing of Virtual Interfaces
Virtual Interfaces are routed as follows:
• via a physical interface that shares the same subnet as the Virtual Interface
• via the physical interface that can reach a host specified through a static route
• via the current default route (through the physical interface that connects to the default
router)
For an ePrism with the following characteristics:
• Interface 1: 192.168.1.10/24
• Interface 2: 172.16.1.10/16
• Default Gateway/Router: 172.16.1.1
Adding a Virtual Interface of 192.168.1.20 will route via Interface 1.
Adding a Virtual Interface of 172.16.1.20 will route via Interface 2.
Adding a Virtual Interface of 10.10.1.20 will route via Interface 2 through the default gateway.
If the Virtual Interface has no corresponding physical interface displayed, there is no valid route
through any physical interface and the Virtual Interface will be disabled.
42

Virtual Interfaces
Configuring Virtual Interfaces
To configure Virtual Interfaces, select Basic Config ➝ Virtual Interfaces on the menu.
Administrators must upload a Virtual Interface list in CSV format that contains comma or tab
separated entries in the form:
[domain],[IP Address],[Banner message]
For example:
example1.com,10.2.45.10,example1.com ESMTP
ePrism supports up to 175 Virtual Interfaces. This feature does not currently support IDN
(Internationalized Domain Names).
The file (vip.csv) should be created in CSV file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the file first by clicking the
Download File button, editing it as required, and uploading it using the Upload File button.
A standards-compliant banner should, at minimum, contain the domain name and the keyword
ESMTP, such as "example.com ESMTP". Extra informational text after the ESMTP keyword is
optional, such as "example.com ESMTP Authorized Users Only".
Mail Routing
Each domain that will be used with Virtual Interfaces must have a mail route defined via Mail
Delivery ➝ Routing ➝ Mail Routing to route mail to a destination mail server.
Virtual mappings can also be used for mail routing.
43

Configuring Mail Delivery Settings
DNS MX records must be published for any Virtual Interfaces. Local network devices such as
the default external router must also be properly configured to route traffic to and from the
Virtual Interfaces.
Virtual Interfaces and Trusts
Email arriving via a Virtual Interface is considered "Untrusted" by ePrism for Anti-Spam and
security processing. To configure a client as "Trusted", use a Specific Access Pattern or Pattern
Based Message Filter (PBMF) to trust the client connecting on that Virtual Interface.
To trust a client using a Specific Access Pattern:
1. Select Mail Delivery ➝ Mail Access on the menu.
2. Click the Add Pattern button.
3. Enter the IP address of the client in the Pattern field.
4. Select the Client Access check box.
5. Select "Trust" in the If pattern matches field.
6. Click the Apply button.
44

Static Routes
Static Routes
Static routes are required if the mail servers to which mail must be relayed are located on
another network, such as behind an internal router, firewall, or accessed via a VPN.
Select Basic Config ➝ Static Routes to configure your static routes.
To add a new static route, enter the network address, netmask and gateway for the route, and
then click New Route.
45

Configuring Mail Delivery Settings
Mail Routing
ePrism, by default, accepts mail addressed directly to it and delivers it to local ePrism
mailboxes. You can configure additional domains for ePrism to accept and route mail for using
the Mail Routing menu.
Select Mail Delivery ➝ Routing ➝ Mail Routing from the menu to set up mail routes.
• Sub — Select this check box to accept and relay mail for subdomains of the specified
domain.
• Domain — Enter the domain for which mail is to be accepted, such as example.com.
• Route-to — Enter the address for the server to which mail will be delivered. When using a
FQDN, the corresponding DNS record will be looked up.
• Port — Enter the port number of the SMTP server if it is different from the default port
number of 25. The port number must be between 1 and 65536.
• MX — (Optional) Select the MX check box if you need to look up the mail routes in DNS
before delivery. If this is not enabled, MX records will be ignored. Generally, you do not
need to select this item unless you are using multiple mail server DNS entries for load
balancing/failover purposes. By checking the MX record, DNS will be able to send the
request to the next mail server in the list.
• KeepOpen — (Optional) Select the KeepOpen check box to ensure that each mail message
to the domain will not be removed from the active queue until delivery is attempted, even if
the preceding mail failed or was deferred. This setting ensures that local mail servers
receive higher priority.
The KeepOpen option should only be used for domains that are usually very reliable. If the domain
is unavailable, it may cause system performance problems due to excessive error conditions and
deferred mail.
A list of domains can also be uploaded in one text file. The file must contain comma or tab
separated entries in the form:
[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]
For example:
example.com,10.10.1.1,25,on,off,off
46

Mail Routing
The file (domains.csv) should be created in csv file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the domain file first by clicking
Download File, editing it as required, and uploading it using the Upload File button.
LDAP Routing
Click the LDAP Routing button to define mail routes using an LDAP directory server. This is
the preferred method for mail routing for organizations with a large amount of domains.
See “LDAP Routing” on page 76 for more detailed information on using LDAP for mail routing.
Adding Rules for Relays
To allow internal mail systems to relay mail outbound via ePrism, a Specific Access Pattern
must be set up for the system.
1. Select Mail Delivery ➝ Mail Access on the menu.
2. Click the Add Pattern button.
3. Enter the IP address of the system, and select Client Access.
4. Set the if pattern matches field to "Trust".
47

Configuring Mail Delivery Settings
Mail Delivery Settings
The Mail Delivery settings screen allows you to configure parameters related to accepting,
relaying and delivery mail messages.
Select Mail Delivery ➝ Delivery Settings on the menu to configure the following parameters:
Delivery Settings
• Maximum time in mail queue — Enter the number of days for a message to stay in the
queue before being returned to the sender as "undeliverable".
• Maximum time in queue for bounces — Enter the number of days a system-generated
bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable.
Default is 5 days. Set this value to 0 to attempt delivery of bounce messages only once.
• Maximum original message text in bounces — Enter the maximum amount (in bytes) of
original message text that is sent in a non-delivery notification. Range is 10 to 1000000000.
If this field is left blank, the default is set to 5000 bytes.
• Time before delay warning — Number of hours before issuing the sender a notification
that mail is delayed.
• Time to retain undeliverable notice mail — The number of hours to keep undelivered
notice mail addressed to external mail server’s MAILER-DAEMON. These messages are
typically notifications sent to mail servers with invalid return addresses and can be safely
purged. Leave this value blank for no special processing.
48

Mail Delivery Settings
• Deliver mail to local users — Disable this option to prevent mail delivery to local accounts
configured on this ePrism. The postmaster (admin) account will not be affected by this
setting.
Gateway Features
• Masquerade Addresses — Masquerades internal hostnames by rewriting headers to only
include the address of the ePrism.
• Strip Received Headers — Strip all Received headers from outgoing messages.
Default Mail Relay
• Relay To — (Optional) Enter an optional hostname or IP address of a mail server (not this
ePrism system) to relay mail to for all email with unspecified destinations. A recipient’s
email domain will be checked against the Mail Routing table, and if the destination is not
specified the email will be sent to the Default Mail Relay server for delivery. This option is
usually used when the ePrism cannot deliver email directly to remote mail servers.
If you are setting up this mail server as a dedicated webmail system, and all mail originating
from this system should be forwarded to another mail server for delivery, then specify the
destination mail server here.
Do NOT enter the name of your ePrism system as this will cause a relay loop.
BCC All Mail
• Ignore MX record — Enable this option to prevent an MX record lookup for this host to
force relay settings.
• Enable Client Authentication — Enable client SMTP authentication for relaying mail to
another mail server. This option is only used in conjunction with the default mail relay
feature. This allows ePrism to authenticate to a server that it is using to relay mail. With this
configuration, connections to the default mail relay are authenticated, while connections to
other mail routes are not.
• User ID — Enter a User ID to login to the relay mail server.
• Password — Enter and confirm a password for the specified User ID.
ePrism offers an archiving feature for organizations that require storage of all email that passes
through their corporate mail servers. This option sends a blind carbon copy (BCC) of each
message that passes through ePrism to the specified address. This address can be local or on
any other system. Once copied, the mail can be effectively managed and archived from this
account. You must also specify an address that will receive error messages if there are
problems delivering the BCC mail.
49

Configuring Mail Delivery Settings
Very Malformed Mail
Specify the action to be performed when a very malformed message is detected by the system.
A very malformed message may cause scanning engine latency.
Possible actions:
• Just log — Log the event and take no further action.
• Quarantine mail — The message is placed into quarantine.
• Temporarily Reject Mail — Returns an error to the sending server and doesn't accept the
mail. The mail delivery can be attempted again after a period of time.
• Reject mail — The message is rejected with notification to the sending system.
• Discard mail — The message is discarded without notification to the sending system.
Select the Notify check box to allow notifications using the malformed notification settings
(configured via Mail Delivery ➝ Content Management ➝ Malformed Mail) when the action
specified above is performed (except for Just log.)
Mail that is very malformed has not been virus scanned, or filtered for attachments and spam.
Annotations and Delivery Warnings
Administrators can enable and customize Annotations that are appended to all emails and
customize Delivery Failure and Delivery Delay warning messages.
Some mail clients will display notifications and annotations as attachments to a message rather
than in the message body.
Separate annotations can be enabled for different users, domains, and groups using Policies. See
“Policy Management” on page 219 for information on creating policies and configuring separate
annotations.
50

Mail Delivery Settings
The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system
settings that are automatically substituted at the time the message is sent. See “Customizing
Notification and Annotation Messages” on page 371 for a full list of variables that can be
included.
Advanced Delivery Options
Click the Advanced button on the Mail Delivery ➝ Delivery Settings screen to reveal
advanced options for Advanced SMTP Settings, SMTP notifications, and the Received Header.
Advanced SMTP Settings
The following advanced SMTP settings can be configured:
• SMTP Pipelining — Select the check box to disable SMTP Pipelining when delivering mail.
Some mail servers may experience problems with SMTP command pipelining and you may
have to disable this feature if required.
• ESMTP — Select the check box to disable ESMTP (Extended SMTP) when delivering mail.
Some mail servers may not support ESMTP and you may have to disable this option if
experiencing problems.
Caution: Disabling ESMTP will disable TLS encryption on outgoing connections.
• HELO required — Enable this option to require clients to initiate their SMTP session with a
standard HELO/EHLO sequence. It is recommended that you leave this feature
enabled. It should only be disabled when experiencing problems with sending hosts that do
not use a standard HELO message.
• Content Reject Message — This is the text part of the SMTP 552 error message reported
to clients when message content is rejected because the maximum message size has been
exceeded.
51

Configuring Mail Delivery Settings
• Multiple Recipient Reject Mode — Indicates the reject handling of messages with multiple
recipients. This option only applies to features with reject actions such as Malformed and
Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus,
and Intercept Anti-Spam features, including those used within a policy.
The options are as follows:
• All: Reject the message if all recipients reject the message. If some but not all of the
recipients reject the message, the message will be discarded without notification to the
sender for those recipients that rejected the message.
• Any: Reject the message if any recipient rejects the message.
• Never: The message will never be rejected, regardless of any configured reject actions.
For recipients that rejected the message, the message will be discarded without
notification to the sender.
• Send EHLO — Always send EHLO when communicating with another server, even if
their banner does not include ESMTP. Disable EHLO if you are experiencing
communications problems with specific SMTP servers.
Disabling EHLO will disable TLS/SSL encryption.
SMTP Notification
Administrators can select the type of notifications that are sent to the postmaster account.
Serious problems such as Resource or Software issues are selected by default for notification.
• Resource — Mail not delivered due to resource problems, such as queue file write errors.
• Software — Mail not delivered due to software problems.
• Bounce — Send postmaster copies of undeliverable mail. If mail is undeliverable, a single
bounce message is sent to the postmaster with a copy of the message that was not
delivered. For privacy reasons, the postmaster copy is truncated after the original message
headers. If a single bounce message is undeliverable, the postmaster receives a double
bounce message with a copy of the entire single bounce message.
• Delay — Inform the postmaster of delayed mail. In this case, the postmaster receives
message headers only.
• Policy — Inform the postmaster of client requests that were rejected because of (UCE)
policy restrictions. The postmaster will receive a transcript of the entire SMTP session.
• Protocol — Inform the postmaster of protocol errors (client or server), or attempts by a
client to execute unimplemented commands. The postmaster will receive a transcript of the
entire SMTP session.
• Double Bounce — Send double bounced messages to the postmaster.
Received Header
The Received Header is the mail server information displayed in the Received: mail header of a
message. The default can be modified to a more generic identifier to prevent attackers from
knowing the mail server details.
52

Mail Aliases
Mail Aliases
When mail is to be delivered locally, the delivery agent runs each local recipient name through
the aliases database. If an alias exists, a new mail message will be created for the named
address or addresses. This mail message will be returned to the delivery process to be
mapped, routed, and so on. This process also occurs for local user accounts with a specified
"forwarder address". Local user accounts are treated as aliases in this case.
Local aliases are typically used to implement distribution lists, or to direct mail for standard
aliases such as postmaster to real user mailboxes.
For example, the alias postmaster could resolve to the local mailboxes
admin1@example.com, and admin2@example.com. For distribution lists, an alias called
sales@example.com can be created that points to all members of the sales organization of a
company.
Configuring Mail Aliases
Click Mail Delivery ➝ Routing ➝ Mail Aliases on the menu to configure aliases. Click on an
entry to edit a current alias.
Adding a Mail Alias
Click the Add Alias button to add a new alias.
53

Configuring Mail Delivery Settings
The specified alias name must be a valid local mailbox on this ePrism system. Enter the
corresponding mail address for the alias. Click the Add More Addresses button to enter
multiple addresses for this alias.
Uploading Alias Lists
A list of aliases can also be uploaded in one text file. The file must contain comma or tab
separated entries in the form:
[alias],[mail_address]
For example:
sales,fred@example.com
info,mary@example.com
The file (alias.csv) should be created in csv file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the mail alias file first by clicking
Download File, editing it as required, and uploading it using the Upload File button.
LDAP Aliases
Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you
to search LDAP-enabled directories such as Active Directory for mail aliases.
See “LDAP Aliases” on page 67 for more information on LDAP Aliases.
54

Mail Mappings
Mail Mappings
Mail Mappings are used to map an external address to an internal address and vice versa. This
is useful for hiding internal mail server addresses from external users. For mail originating
externally, the mail mapping translates the address in the To: and CC: mail header field into a
corresponding internal address to be delivered to a specific internal mailbox.
For example, mail addressed to joe@example.com can be redirected to the internal mail
address joe@chicago.example.com. This enables the message to be delivered to the
user’s preferred mailbox.
Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender:
header modified by a mail mapping so it appears to have come from the preferred external form
of the mail address, joe@example.com.
Configuring Mail Mappings
Click Mail Delivery ➝ Routing ➝ Mail Mapping on the menu to configure mail address
mappings. Click on an entry to edit a current mapping.
Adding a New Mapping
Click the Add button to add a new mapping.
55

Configuring Mail Delivery Settings
• External mail address — Enter the external mail address that you want to be converted to
the specified internal email address for incoming mail. The specified internal address will be
converted to this external address for outgoing mail.
• Internal mail address — Enter the internal mail address that you want external addresses
to be mapped to for incoming mail. The internal address will be converted to the specified
external address for outgoing mail.
• Extra internal addresses — Enter any additional internal mappings which will be included
in the outgoing mail conversion. Click the Add button for each entry.
When you have completed entering your addresses, click Apply to create the mail mapping.
Uploading Mapping Lists
A list of mappings can also be uploaded in one text file. The file must contain comma or tab
separated entries in the form:
[type ("sender" or "recipient")],[map_in],[map_out],[value ("on"
or "off")]
For example:
sender,joe@chicago.example.com,joe@example.com,on
The file (mailmapping.csv) should be created in csv file format using Excel, Notepad or
another Windows text editor. It is recommended that you download the mail mapping file first by
clicking Download File, editing it as required, and uploading it using the Upload File button.
Access Control via Mail Mappings
ePrism can block all incoming and outgoing mail messages that do not match a configured mail
mapping. This ensures that all incoming and outgoing mail matches a legitimate user as the
destination or source of a message.
Click the Preferences button to enable Mail Mapping Access Control.
If this feature is enabled, all incoming and outgoing mail will be blocked unless the user has a
mapping listed in the mail mappings table.
56

Virtual Mappings
Virtual Mappings
Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This
process is performed without modifying the To: and From: headers in the mail, as virtual
mappings modify the envelope-recipient address.
For example, ePrism can be configured to accept mail for the domain @example.com and
deliver it to @sales.example.com. This allows ePrism to distribute mail to multiple internal
servers based on the Recipient: address of the incoming mail.
Virtual Mappings are useful for acting as a wildcard mail mapping, such as mail for
example.com is sent to mail.example.com. You can create exceptions to this rule in the
Mail Mappings for particular users. Virtual mappings are also useful for ISPs who need to
accept mail for several domains, and situations where the envelope-recipient header needs to
be rewritten for further delivery.
You should review the use of Mail Routes before setting anything in Virtual Mappings, as they may
be more appropriate for delivering mail to internal mail servers.
Configuring Virtual Mappings
Click on Mail Delivery ➝ Routing ➝ Virtual Mapping on the menu to configure mappings.
Click on an entry to edit a current mapping.
Virtual Mappings and Reject On Unknown Recipient/LDAP Checks
When using Virtual Mappings, the Reject on Unknown Recipient and LDAP Recipient lookups
will not be performed for these mapped addresses. This prevents these email addresses from
being rejected by ePrism because the virtual mappings do not exist in an LDAP directory.
57

Configuring Mail Delivery Settings
Adding a Virtual Mapping
Click the Add Virtual Mapping button to add a new mapping.
Enter the domain or address to which incoming mail is directed in the Input box, such as
@example.com. Then enter the domain or address to which mail should be redirected to, such
as @sales.example.com in the Output box.
Uploading Virtual Mapping Lists
A list of virtual mappings can also be uploaded in one text file. The file must contain comma or
tab separated entries in the form:
[map_in],[map_out]
For example:
user@example.com,user
user@example.com,user@sales.example.com
@example.com,@sales.example.com
The file (virtmap.csv) should be created in csv file format using Excel, Notepad or other
Windows text editor. It is recommended that you download the virtual mapping file first by
clicking Download File, editing it as required, and uploading it using the Upload File button.
The domain being virtually mapped or redirected must be defined via an "internal" DNS MX record
to connect to this ePrism Email Security Gateway.
LDAP Virtual Mappings
Click the LDAP Virtual Mappings button to configure and search for virtual mappings using
LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual
mappings. See “LDAP Mappings” on page 69 for more information on configuring LDAP virtual
mappings.
58

CHAPTER 4
Directory Services
This chapter describes how to integrate your existing LDAP directory services with ePrism and
contains the following topics:
• “Directory Service Overview” on page 60
• “Directory Servers” on page 61
• “Directory Users and Groups” on page 63
• “LDAP Aliases” on page 67
• “LDAP Mappings” on page 69
• “LDAP Recipients” on page 71
• “LDAP Relay” on page 73
• “LDAP Routing” on page 76
59

Directory Services
Directory Service Overview
ePrism can utilize LDAP (Lightweight Directory Access Protocol) services for accessing
directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information.
LDAP can be used with ePrism for mail routing, group lookups for policies, user lookups for mail
delivery, alias and virtual mappings, and authentication.
LDAP was designed to provide a standard for efficient access to directory services using simple
data queries. Most major directory services such as Active Directory support LDAP, but each
differs in their interpretation and naming convention syntax. Other types of supported LDAP
services include OpenLDAP and iPlanet.
Naming Conventions
The method for which data is arranged in the directory service hierarchy is a unique
Distinguished Name. The following is an example of a Distinguished Name in Active Directory:
cn=jsmith,dc=example,dc=com
In this example, "cn" represents the Common Name, and "dc" is the Domain Component. The
user, jsmith, is in the users container. The domain component is analogous to the FQDN
domain name, in this case, example.com.
For all LDAP Directory features, you must ensure you enter values specific to your LDAP
environment and schema.
60

Directory Servers
Directory Servers
The first step in configuring Directory Services on ePrism is to define and configure your
Directory Servers.
Select Basic Config ➝ Directory Services ➝ Servers on the menu to configure your LDAP
servers that will be used for ePrism’s LDAP functions such as user and group membership
lookups, authentication, and mail routing.
Click Add to configure a new LDAP server, or click Edit to modify an existing server:
• Server URI — Enter the server URI (Uniform Resource Identifier) address, such as
ldap://10.10.4.5.
Use "ldaps:" if you are using SSL with the LDAP directory.
• Label — An optional label or alias for the LDAP server.
61

Directory Services
• Type — Select the type of LDAP server, such as Active Directory, or choose Others for
OpenLDAP or iPlanet.
• Bind — Select this check box to bind to the LDAP server with the specified Bind DN and
password.
• Bind DN — Enter the DN (Distinguished Name) for the user to bind to the LDAP server,
such as cn=Administrator,cn=users,dc=example,dc=com for Active Directory
implementations. Ensure that you enter a bind DN specific to your environment.
In Active Directory, if you are using a user account other than Administrator to bind to the LDAP
server, the name must be specified as the full name not the account name, such as "John Smith"
instead of "jsmith".
• Bind Password — Enter the bind password for the LDAP server.
• Search Base — Specify a default starting point for lookups, such as
dc=example,dc=com.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
• Dereference Aliases — Specifies how alias dereferencing is performed during a search:
• Never: Aliases are never dereferenced.
• Searching: Aliases are dereferenced in subordinates of the base object, but not in
locating the base object of the search.
• Finding: Aliases are only dereferenced when locating the base object of the search.
• Always: Aliases are dereferenced when searching and locating the base object of the
search.
• Paged — Select the check box to enable paging support for an Active Directory server.
When querying an LDAP server, the amount of information returned may contain thousands
of entries and sub-entries. Paging allows LDAP information to be retrieved in more
manageable sections to control the rate of data being returned.
• Page Size — Enter the amount of entries in a Page Size for this Active Directory server. If
this field is left blank, the default value of 1000 will be used. The Page Size must match the
size configured in the Active Directory server's LDAP query policy (default is 1000).
Click the Test button to test your LDAP settings and send a test query to the LDAP server.
When finished, click the Apply button to add the LDAP server.
62

Directory Users and Groups
Directory Users and Groups
The Directory Users and Groups screen is used to import user account data from LDAP-based
directory servers. This information is used to provide LDAP lookups for valid email addresses
for the Reject on Unknown Recipient anti-spam option, and import group membership
information for policies.
Local mirror accounts can also be created to allow directory-based users to view and manage
quarantined mail for the Spam Quarantine feature.
Select Basic Config ➝ Directory Services ➝ Users and Groups to import users from a
directory.
Click the Add button to add a new directory user import configuration.
• Directory Server — Select a directory server to perform the search.
• Search Base — Enter the starting base point to start the search from, such as
dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
63

Directory Services
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Query Filter — Enter the appropriate query filter, such as
(|(objectCategory=group)(objectCategory=person)) for Active Directory LDAP
implementations.
If you use Exchange public folders for email, include the following in your query filter:
(objectCategory=publicFolder)
For example,
(|(|(objectCategory=group)(objectCategory=person))(objectCategory=p
ublicFolder))
For iPlanet and OpenLDAP, use:(objectClass=person)
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Result Attributes
This section specifies the fields to return during the LDAP query. LDAP queries can return a lot
of information that is not required and the Result Attributes are used to filter only the data
needed.
• Email attribute — The name of the attribute that identifies the user’s email address. For
Active Directory, iPlanet, and OpenLDAP, use mail.
• Email alias attribute — The name of the attribute that identifies the user’s alternate email
addresses. In Active Directory, the default is proxyAddresses. For iPlanet, use Email.
For OpenLDAP, leave this attribute blank.
• Member Of attribute — The name of the attribute that identifies the group(s) that the user
belongs to. This information is used for Policy controls. In Active Directory, the default is
memberOf (this is case sensitive). For iPlanet, use Member. For OpenLDAP, leave this
blank.
• Account Name attribute — This is the name of the attribute that identifies a user’s account
name for login. In Active Directory, the default is sAMAccountName. For iPlanet, use uid.
For OpenLDAP, use cn.
Click the Test button to test your LDAP settings. Click Apply when finished.
64

Directory Users and Groups
Import Settings
ePrism can automatically import LDAP user data on a scheduled basis. This allows ePrism to
stay synchronized with the LDAP directory.
To import LDAP users and groups, click the Import Settings button in the Basic Config ➝
Directory Services ➝ Directory Users and Groups screen.
• Import User Data — Select the check box to enable automatic import of LDAP user data.
Enabling automatic import ensures that your imported LDAP data remains current with the
information on the LDAP directory server.
• Frequency — Select the frequency of LDAP imports. You can choose between Hourly,
Every 3 Hours, Daily, Weekly, and Monthly.
• Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to
schedule an import at 11pm for the period specified in the Frequency field.
Click Apply to save the settings. Click Import Now to immediately begin the import of users.
View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.
Mirror LDAP Accounts as Local Users
To provide local account access for the Spam Quarantine feature, you can mirror the LDAP
accounts which creates a local account on ePrism for each user imported. This provides a
simple method for allowing directory-based users to view and manage quarantined messages if
you have enabled the Spam Quarantine feature.
These local mirror accounts cannot be used as local mail accounts. They can only be used for the
Spam Quarantine. See “Spam Quarantine” on page 187 for more information on configuring the
user-based Spam Quarantine.
To create mirrored LDAP users:
1. Select the Mirror accounts option.
65

Directory Services
2. Choose an Expiry period for the mirrored accounts. If the user no longer exists in the
LDAP directory for the specified period of time, the local mirrored account will be deleted.
Note that this only applies to a local mirrored account, not accounts used for the Reject on
Unknown Recipients feature.
3. Click Apply to save the settings. Click Import Now to immediately begin the import of users
and create mirrored accounts.
View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.
Mirrored accounts can be viewed via User Accounts ➝ Mirrored Accounts on the menu.
66

LDAP Aliases
LDAP Aliases
LDAP Aliases are used to search LDAP-enabled directories for mail aliases of a user. If an
alias exists, a new mail message will be created for the named address or addresses. This mail
message will be returned to the delivery process to be mapped, routed, and processed.
LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active
Directory LDAP implementations.
See “Mail Aliases” on page 53 for more information on Mail Aliases.
Select Basic Config ➝ Directory Services ➝ LDAP Aliases to configure LDAP Aliases.
Click the Add button to add a new LDAP alias search.
• Directory Server — Select a directory server to perform the search.
• Search Base — Enter the starting base point to start the search from, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
67

Directory Services
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Alias Attribute — Enter the Alias Attribute that defines the alias mail addresses for a user,
such as (proxyAddresses=smtp:%s@*) for Active Directory implementations.
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active
Directory implementations.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Use the Test button to perform a test of the LDAP alias configuration. Click Apply to save the
settings.
68

LDAP Mappings
LDAP Mappings
LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.
Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This
process is performed without modifying the To: and From: headers in the mail, as virtual
mappings modify the envelope-recipient address.
LDAP Virtual Mappings have been tested with Active Directory only, and the examples shown are
for Active Directory LDAP implementations.
See “Virtual Mappings” on page 57 for more information on Virtual Mappings.
Select Basic Config ➝ Directory Services ➝ LDAP Mapping to configure LDAP Virtual
Mappings.
Click the Add button to add a new LDAP Virtual Mapping search.
• Directory Server — Select a directory server to perform the search.
• Search Base — Enter the starting base point to start the search from, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
69

Directory Services
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Incoming Address — Enter the Incoming Address attribute that defines the virtual mapping
for a user, such as (proxyAddresses=smtp:%s) for Active Directory implementations.
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active
Directory implementations.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Use the Test button to perform a test of the LDAP virtual mapping configuration. Click Apply to
save the settings.
70

LDAP Recipients
LDAP Recipients
The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient
feature configured in Mail Delivery ➝ Anti-Spam ➝ Intercept. You must have Reject on
Unknown Recipient enabled for this feature to work.
When a mail message is received by ePrism, this feature searches an LDAP directory for the
existence of a recipient’s email address. If that user address does not exist in the LDAP
directory, the mail is rejected.
This feature differs from the LDAP Users lookup option which searches for a user using the
imported locally-cached LDAP users database. The LDAP Recipients feature performs a direct
lookup on a configured LDAP directory server for each address.
If using an Active Directory server, it is recommended that the LDAP Users function be used.
If both LDAP Users and LDAP Recipients are enabled with Reject on Unknown Recipient, the
system will lookup the local and mirrored LDAP Users first, and then use the direct query to an
LDAP server.
Select Basic Config ➝ Directory Services ➝ LDAP Recipients on the menu to configure
your LDAP recipient lookups.
Click Add to add a new LDAP Recipients search.
71

Directory Services
• Directory Server — Select a directory server to perform the search.
The directory server Bind password cannot contain a "$" character.
• Search Base — Enter the starting base point to start the search from, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Query Filter — Enter the Query Filter for the LDAP Recipients lookup, such as
(&(objectClass=person)(mail=%s)) for Active Directory implementations.
For OpenLDAP and iPlanet, use (&(objectClass=person)(uid=%s)).
• Result Attribute — Enter the attribute that returns the user’s email address, such as mail
for Active Directory implementations. For OpenLDAP, and iPlanet, you can also use mail.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Use the Test button to perform a test of the LDAP recipients configuration. Click Apply to save
the settings.
72

LDAP Relay
LDAP Relay
The LDAP SMTP Authenticated relay feature allows authenticated clients to use this ePrism as
an external mail relay for sending mail. For example, you may have remote users that need to
send mail via this ePrism system.
These client systems must use a login and password to authenticate to the system before
being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP
relay authentication to authenticate the user to an LDAP directory server.
Configuring LDAP Authenticated SMTP Relay
1. Select Mail Delivery ➝ Mail Access on the menu.
2. Enable the Permit SMTP Authenticated Relay and the LDAP Authenticated Relay
check boxes.
3. Select Basic Config ➝ Directory Services ➝ LDAP Relay on the menu.
73

Directory Services
There are two different ways to provide LDAP support for SMTP authentication: Using Bind, or
querying the LDAP server directly.
The Bind method will only work with Active Directory and iPlanet implementations. The Query Direct
method will only work with OpenLDAP.
• Bind — The Bind method will use the User ID and password to authenticate on a successful
bind. The Query Filter must specify the User ID with a %s variable, such as
(sAMAccountName=%s) for Active Directory. The Result Attribute must be a User ID such
as sAMAccountName. Enter corresponding values specific to your LDAP environment.
For iPlanet, use uid=%s for Query Filter, and mail for Result Attribute.
• Query Directly — The Query Direct method will query the LDAP server directly to
authenticate a user ID and password. The Query Filter must specify the user ID, and the
Result Attribute must specify the password.
For OpenLDAP, use uid=%s for Query Filter, and userPassword for Result Attribute.
For either method, the relay will be refused if the LDAP server direct query or bind attempt fails
for any reason, such as an invalid user name or password, bad query, or if the LDAP server is
not responding.
The directory server Bind password cannot contain a "$" character.
Select a method, and then click Add to add an entry.
You can only use one method, Bind or Query Direct, for all defined LDAP servers. You cannot use
both at the same time.
74

LDAP Relay
• Directory Server — Select a directory server to perform the search.
• Search Base — The Search Base is derived from the Search Base setting in Basic Config
➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base
string with information specific to your LDAP hierarchy, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Query Filter — Enter the Query Filter for the LDAP lookup, such as
(sAMAccountName=%s) for Active Directory implementations.
• Result Attribute — Enter the attribute that returns the user’s account, such as
sAMAccountName for Active Directory implementations.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Use the Test button to perform a test of the LDAP relay configuration. Click Apply to save the
settings.
75

Directory Services
LDAP Routing
LDAP mail routing allows a mail route for a recipient to be queried on a specified LDAP server.
The destination mail server for that domain will be returned and the message will then be routed
to that server. This is the preferred method for mail routing for organizations with a large amount
of domains. Any locally defined mail routes in Mail Delivery ➝ Routing ➝ Mail Routing will be
resolved before LDAP routing.
LDAP routing has been tested only with iPlanet implementations but the examples provided should
work with OpenLDAP depending on your LDAP schema.
Select Basic Config ➝ Directory Services ➝ LDAP Routing to configure your LDAP routing
settings.
Click Add to add a new LDAP route search.
• Directory Server — Select a directory server to perform the search.
• Search Base — The Search Base is derived from the Search Base setting in Basic Config
➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base
string with information specific to your LDAP hierarchy, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
• Base: Searches the base object only.
76

LDAP Routing
• One Level: Searches objects beneath the base object, but excludes the base object.
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Query Filter — Enter the Query Filter that will search for the Mail Domain of a recipient,
such as (&(cn=Transport Map)(uid=%s)) for iPlanet implementations.
• Result Attribute — Enter the attribute that returns the domain’s mail host, such as
mailHost for iPlanet implementations.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
Use the Test button to perform a test of the LDAP routing configuration. Click Apply to save
the settings.
77

CHAPTER 5
Mail Security and Encryption
This chapter describes how to configure the mail security features of your ePrism Email
Security Appliance and contains the following topics:
• “SMTP Mail Access” on page 80
• “Anti-Virus” on page 82
• “Threat Outbreak Control” on page 85
• “External Email Message Encryption” on page 90
• “Encrypting Mail Delivery Sessions” on page 94
• “SSL Certificates” on page 97
79

Mail Security and Encryption
SMTP Mail Access
The Mail Access screen allows you to configure features that provide security when ePrism is
accepting mail during an SMTP connection.
Select Mail Delivery ➝ Mail Access to configure your SMTP mail access settings.
• Specific Access Patterns — This feature can be used to search for patterns in a message
for filtering during the SMTP connection. See “Specific Access Patterns (SAP)” on page 140
for detailed information on configuring these filters.
• Pattern Based Message Filtering — Enable this option to use Pattern Based Message
Filtering to reject or accept mail based upon matches in the message envelope, header, or
body. See “Pattern Based Message Filtering (PBMF)” on page 112 for detailed information
on configuring Pattern Based Message Filters.
• Maximum recipients per message — Set the maximum number of recipients accepted per
message. A very large amount of recipients means the message is more likely to be spam
or bulk mail. The default is set to 1000.
• Maximum recipients reject code — Allows administrators to define other errors to return
instead of the default "452 Error: too many recipients" error, such as permanently rejecting
the connection "554".
• Maximum message size — Set the maximum message size that will be accepted by
ePrism.
When attachments are sent with most email messages, the message size grows considerably due
to the encoding methods used. The maximum message size should be set accordingly to
accommodate attachments.
80

SMTP Mail Access
Maximum Unknown Recipients
• Maximum Unknown recipients per message — This value determines how many
unknown recipients are allowed in the message before it will be rejected by ePrism. A high
number of unknown recipients indicates the message is likely spam, or a denial of service
attempt.
• Maximum Unknown recipients reject code — This value indicates the SMTP reject code
to use when the maximum unknown recipients value is exceeded. This should be set to
either 421 (temporary reject) or 554 (permanent reject).
SMTP Authenticated Relay
This feature allows authenticated clients to use ePrism as an external mail relay for sending
mail. For example, you may have remote users that need to send mail via this ePrism system.
Client systems must use a login and password to authenticate to the system before being
allowed to relay mail. These accounts can be local or they can be authenticated via LDAP.
Select Mail Delivery ➝ Mail Access on the menu to enable SMTP Authenticated Relay.
LDAP SMTP Authentication
SMTP authentication can also be performed via an LDAP directory server. Select the check
box to enable LDAP Authenticated Relay, and select the link to configure. This feature can also
be configured via Basic Config ➝ Directory Services ➝ LDAP Relay.
See “LDAP Relay” on page 73 for detailed information on configuring LDAP Authenticated
Relay.
SMTP Banner
The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This
banner contains identifying information for your mail server which can be used as information to
launch attacks against ePrism. This option allows you to customize the SMTP banner and also
remove ePrism’s hostname by using the Domain only option.
81

Mail Security and Encryption
Anti-Virus
ePrism provides an optional virus scanning service. When enabled, all messages (inbound and
outbound) passing through the ePrism Email Security Appliance can be scanned for viruses.
ePrism integrates the Kaspersky Anti-Virus engine which is one of the highest rated virus
scanning technologies in the world. Virus scanning is tightly integrated with the mail engine for
maximum efficiency.
Viruses can be selectively blocked depending on whether they are found in inbound or
outbound messages, and attachments are recursively disassembled to ensure that viruses
cannot be concealed. When a virus-infected message is received, it can be rejected, deleted,
quarantined, or the event can be simply logged. Quarantined messages may be viewed,
forwarded, downloaded, or deleted. Quarantined messages can also be automatically deleted
based on age.
By default, any email attachments that cannot be opened and examined by the mail scanner
because of password-protection are quarantined. This feature prevents password-protected zip
files that contain viruses or worms from being passed through the system.
Virus pattern files are automatically downloaded at regular intervals to ensure that they are
always up to date. Notification messages can be sent to the sender, recipient, and mail
administrator when an infected message is received.
Licensing Anti-Virus
Kaspersky Anti-Virus is a cost option. To enable virus scanning after the 30-day evaluation
period, you must purchase and install a license for each system. See “License Management” on
page 308 for more information on adding licenses.
82

Anti-Virus
Configuring Anti-Virus Scanning
Select Mail Delivery ➝ Anti-Virus from the menu to configure virus scanning for both inbound
and outbound directions.
• Enable Kaspersky virus scanning — Enable or disable virus scanning by selecting the
check box.
Treat as a Virus
• Attachments resembling a known virus — Some types of attachments may resemble a
known virus pattern and could contain malicious code. It is strongly recommended that you
treat attachments with code that resembles a known virus as if they contained a virus.
• Attachments containing unknown viral code — The anti-virus scanner can detect code
that resembles the patterns of a virus. It is strongly recommended that you treat
attachments containing suspected viral code as if they contained viruses.
• Corrupt attachments — Corrupted attachments may not be able to be processed by the
anti-virus scanner and could contain viruses. It is strongly recommended that you treat
corrupt attachments as if they contained viruses.
• Password-protected attachments — Attachments protected by a password cannot be
opened by the anti-virus scanner and could contain viruses. It is strongly recommended
that you treat attachments that cannot be opened as if they contained viruses.
• Attachments causing scan errors — Attachments that are causing errors while being
scanned by the anti-virus scanner may contain viruses. It is strongly recommended that you
treat attachments that cause scanning errors as if they contained viruses.
• Action — Configure the action to be performed for both inbound and outbound mail.
Possible actions include:
• Just log: Log the event and take no further action.
83

Mail Security and Encryption
• Reject mail: The message is rejected with notification to the sending system.
• Quarantine mail: The message is placed into the administrative quarantine area.
• Discard mail: The message is discarded without notification to the sending system.
• Notification — A notification email can be sent to the recipients and sender of a message,
and also the mail system administrator. Select the required check box for both inbound and
outbound mail. In the Inbound Notification and Outbound Notification text boxes, customize
the content for the response message.
Updating Pattern Files
Virus pattern files must be continuously updated to ensure that you are protected from new virus
threats. The frequency of virus pattern file updates can be configured from the Virus Pattern
Files section.
• Update interval (mins) — Select the time interval to configure how often to check for
pattern file updates. Options include 15, 30, and 60 minutes.
• Proxy — If you access the Internet through a proxy server, you must enter its hostname and
port number, such as proxy.example.com:80, for updates to succeed.
• Manual Update — Pattern files can be updated manually by clicking the Get Pattern Now
button.
• Status — Displays the date and time of the last update.
84

Threat Outbreak Control
Threat Outbreak Control
The Threat Outbreak Control feature provides customers with zero-day protection against early
virus outbreaks. For most virus attacks, the time from the moment the virus is released to the
time a pattern file is available to protect against the virus can be several hours. During this
period, mail recipients are vulnerable to potential threats.
ePrism’s Threat Outbreak Controls can detect and take action against early virus outbreaks to
contain the virus threat. If a message is classified as containing a possible virus, the message
can be quarantined, deleted, or the event can be logged. When an updated anti-virus pattern
file is received, any quarantined files will be re-scanned automatically. If a virus is detected with
the new pattern file, the configured anti-virus action is performed on the message. If the hold
period for a message in the quarantine expires and it has not been positively identified as a
virus during that time, the configured "release" action will be performed.
ePrism will examine incoming "untrusted" messages and look for the following characteristics
when deciding if the message indicates an early virus threat:
• The message is bulk (addressed to a large number of recipients) and contains an
executable or common office document attachment (such as .doc). To detect the
message as "Bulk", the Intercept Bulk Analysis feature must be enabled.
• The message originates from an IP address that has recently sent viruses and contains an
executable or common office document attachment. To detect if the client has recently sent
viruses, the Mail Anomalies feature and the Recent virus from Client option must be
enabled.
• The message originates from an IP address with a poor St. Bernard Security Network
(BSN) reputation and contains an executable or common document attachment. To detect
addresses with a poor reputation, the BSN feature must be enabled.
• The anti-virus scanner detects attachments that resemble a known virus or contain
unknown viral code.
• The message was malformed, or was blocked by attachment control and the action was set
to "Discard" or "Reject".
The following table lists the types of executable files and common office document formats that
are scanned by Threat Outbreak Control:
TABLE 1. Executable Files and Common Office Documents
Executable
.bat
.chm
.cmd
.com
.dll
.drv
.exe
Common Office
Documents
.doc
.dot
.ppt
.wk1
.wks
.wp
.xls
85

Mail Security and Encryption
TABLE 1. Executable Files and Common Office Documents
Executable
.js
.jse
.nlm
.ovl
.pif
.scr
.shs
.sys
.vbe
.vbs
.vxd
Common Office
Documents
Configuring Threat Outbreak Control
Select Mail Delivery ➝ Outbreak Control on the menu to configure the Threat Outbreak
Control feature.
Detection
The following options take effect when Threat Outbreak Control is enabled:
• Action — Select the action to perform if a message is detected as having a possible virus:
• Just Log: The message will be delivered and an entry added to the mail logs.
• Reject mail: The message will be rejected with notification to the sender.
86

Threat Outbreak Control
• Quarantine mail: The message will be placed into the administrative quarantine area.
These messages can be viewed and managed via Status/Reporting ➝ Quarantine on
the menu.
• Discard mail: The message will be discarded without notification to the sender.
• Hold Period — Enter the time period (in hours) for which to hold the message in the
administrative quarantine area. The default hold period is 8 hours. In most cases, the Anti-
Virus pattern files will be updated within 2-4 hours of a new virus being discovered. It is
recommended that enough time is configured to allow the opportunity for the files to be
rescanned with updated anti-virus pattern files as they become available.
If the Quarantine expiry period is set to a value less than the "Hold Period", the expiry period takes
precedence and the held message will be expired.
• Notification — Select the users who will receive a notification if a message is detected as
having a possible virus. Options include the "Recipients", the "Sender", and the
"Administrator".
• Notification Message — Enter the text for the automated notification message.
Anti-Virus Action
During the hold period, if a quarantined message is rescanned and determined to have a virus,
the configured Anti-Virus action will be performed, as set in Mail Delivery ➝ Anti-Virus. If the
hold period expires and the message has been determined not to be infected with a virus, the
"Release" action will be performed.
Release
The following options take effect for a quarantined message when its configured "Hold Period"
has elapsed:
• Action — Select the action to perform if the "Hold Period" has elapsed for a quarantined
message:
87

Mail Security and Encryption
• Just Notify: A message will be sent to notify the specified users that the "Hold Period" for
a quarantined message has elapsed without it being classified as a virus. The message
will remain in the quarantine until released manually by the administrator.
• Release mail: The message will be automatically released from the quarantine and
delivered to the original recipients. Notifications can also be enabled to notify users when
the message is released.
If the message was discarded or rejected by Attachment Control or Malformed Mail and was then
quarantined by Threat Outbreak Control, the message will be discarded on release. The final action
will be Threat Outbreak Control and "Quarantine" because of a possible virus.
• Notification — Select the users who will receive a notification if a message is released from
the quarantine. Options include the "Recipients", the "Sender", and the "Administrator".
• Notification Message — Enter the text for the automated notification message.
Threat Outbreak Reports and Logs
Threat Outbreak Control activity is displayed in ePrism’s reports, including the following
information:
• A summary of Threat Outbreak actions and the types of messages blocked, including
information on the number of messages quarantined and released and the number of
malformed, virus-infected messages, and messages that contained a forbidden attachment.
• A list of the top viruses caught and the time and date when they were detected by Threat
Outbreak Control and when they were detected by the Anti-Virus scanner.
88

Threat Outbreak Control
The Top Virus List section also contains a column called Outbreak Control Number indicating
the number of viruses caught by Threat Outbreak Control.
In the Status/Reporting ➝ Reporting ➝ Mail History section, the disposition of messages
caught by Threat Outbreak Control can be searched for based on the message status of
"possible virus".
89

Mail Security and Encryption
External Email Message Encryption
ePrism provides integration with external encryption servers to provide email encryption and
decryption functionality. Email encryption allows individual messages to be encrypted by a
separate encryption server before being delivered to its destination by ePrism. Incoming
encrypted messages can also be sent to the encryption server to be decrypted before ePrism
accepts the message and delivers it to the intended recipient. This integration allows
organizations to ensure that encrypted messages are still processed by ePrism for security
issues, as well as being scanned for content and policy rules.
Email encryption provides organizations with the ability to protect the privacy and confidentiality
of their messages and also conform to any regulatory compliance policies that must ensure that
certain types of data are encrypted before being sent out across the Internet.
Encryption and decryption can be performed for selected email messages via filter rules on the
ePrism. A message filter can be created for specific email sending addresses, IP addresses and
host names of specific SMTP servers, or for specific words located in the subject of a message
such as "Encrypt".
As mail is forwarded back and forth between ePrism and the Encryption server, all mail statistics will
include this additional delivery and mail counts will be higher as a result.
Configuring ePrism Message Encryption and Decryption
ePrism can be set up to integrate with an existing encryption server using the following general
steps:
1. Configure the Encryption server to integrate with ePrism.
2. Create Mail Routes to the Encryption server on ePrism.
3. Enable Encryption and Decryption on ePrism.
4. Create Encryption rules on ePrism to identify messages to be encrypted.
The Encryption server must be on the same network as ePrism. Ensure they are communicating
properly and can see each other on the network by using a utility such as ping.
Configuring the Encryption Server
The existing Encryption server must be set up to relay all mail to the ePrism Email Security
Appliance. Please see the documentation provided by your Encryption server vendor.
In general, outbound and inbound proxies or mail routes must be configured on the Encryption
server to ensure messages are accepted from and passed back to ePrism after being encrypted
or decrypted.
90

External Email Message Encryption
Define Mail Routes for Encryption and Decryption
Mail routes to the Encryption server must be defined for both encrypting and decrypting
messages. To ensure ePrism knows where to route messages for encryption, create a mail
route for the domains .encrypt_reroute and .decrypt_reroute to the address of the
Encryption server.
1. Select Mail Delivery ➝ Routing ➝ Mail Routing to define mail routes.
2. Enter .encrypt_reroute as the Domain, and in the Route-to field, enter the address of
the Encryption server such as 192.168.1.175.
3. Similarly, create a route for .decrypt_reroute as the Domain, and in the Route-to field,
enter the address of the Encryption server such as 192.168.1.175.
The port and IP address may be different depending on the Encryption server configuration.
91

Mail Security and Encryption
Enabling Encryption and Decryption on ePrism
1. Select Mail Delivery ➝ Encryption to configure your encryption settings.
2. Select the Active check box to enable the Encryption and Decryption action as required.
3. Select an Action to perform on a message that is to be encrypted or decrypted.
Select the Redirect to action to send this message to the Encryption server for encryption or
decryption using the mail route specified in the Action Data field.
4. To reroute the message to the Encryption server using the Redirect to action, the Action
Data must be set to the appropriate mail route for encryption and decryption.
Enter encrypt_reroute or decrypt_reroute as the action data. These mail routes
must be defined in Mail Delivery ➝ Routing ➝ Mail Routing to point to the Encryption
server.
5. Select optional notifications to the Recipients, Sender, or Administrator, when a message
has been sent for encryption.
92

External Email Message Encryption
Defining Filter Rules for Encryption
A filter rule must be used to identify what types of messages are to be encrypted. For example,
your organization may use a tag in the subject header such as "Encrypt" which can used to
identify an outgoing message that must be encrypted. Specific email addresses and IP
addresses can also be defined to ensure certain users or servers have their email encrypted.
Encryption rules can be created using either Pattern Based Message Filters (PBMF) or by
using definable dictionaries with the Objectionable Content Filtering and Attachment Scanning
features. The latter features allow dictionaries with specific keywords and phrases to be used to
trigger the encryption rules. See “Message Content Scanning” on page 101 for detailed
instructions on configuring these features.
The filter rule will examine outbound mail messages for specific patterns to redirect mail for
encryption. This could be anything from a user’s email address to a phrase. When setting up
the filter rule, the only criterion is that the filter action is set to Encrypt or Decrypt.
To set up an encryption rule using Pattern Based Message Filters:
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMFs) to set up filters
for encryption purposes.
2. Create a simple rule that checks all outbound mail for the word "Encrypt" in the subject,
and set the action to Encrypt.
The "Encrypt" and "Decrypt" PBMF action will only appear when Encryption and Decryption are
enabled in Mail Delivery ➝ Encryption.
3. A separate filter rule must be created to allow messages arriving from the Encryption
server to be relayed. This action allows ePrism to accept messages back from the
Encryption server that have been encrypted and relay these messages to external
networks.
Create a rule to match the Client IP field to the address of the Encryption server, such as
192.168.1.175, and set the action to Relay.
The filter rule that allows messages to be relayed back must be of a higher priority than any
Encryption rule that is created.
Similarly, you must create a PBMF rule to examine incoming messages that need to be
decrypted before being delivered to the recipient.
93

Mail Security and Encryption
Encrypting Mail Delivery Sessions
ePrism offers a simple mechanism for encrypting mail delivery using SSL (Secure Socket Layer)
and TLS (Transport Layer Security) encryption.
A flexible policy can be implemented to allow other servers and clients to establish encrypted
sessions with ePrism to send and receive mail.
The following types of traffic can be encrypted:
• Server to Server — Used to create an email VPN (Virtual Private Network) and protect
company email over the Internet.
• Client to Server — Many email clients, such as Outlook, support TLS for sending and
receiving mail. This allows email messages to be sent with complete confidentiality from
desktop to desktop, but without the difficulties of implementing other encryption schemes.
Encryption can be enforced between particular systems, such as setting up an email VPN
between two ePrism Email Security Appliances at remote sites. Encryption can also be set as
optional so that users who are concerned about the confidentiality of their messages on the
internal network can specify encryption in their mail client when it communicates with ePrism.
ePrism supports the use of certificates to initiate the negotiation of encryption keys.
ePrism can generate its own site certificates, and can also import Certificate Authority (CA)
signed certificates.
See “SSL Certificates” on page 97 for more information on importing certificates.
Configuring Mail Delivery Encryption
Select Mail Delivery ➝ SMTP Security from the menu to enable email delivery encryption.
94

Encrypting Mail Delivery Sessions
Incoming TLS Mail
• Accept TLS — Enable this option to accept SSL/TLS for incoming mail connections.
• Require TLS for SMTP AUTH — This value is used to require SSL/TLS when accepting
mail for authenticated relay. See “SMTP Authenticated Relay” on page 81 for more detailed
information.
• Log TLS info into Received header — Enabled this option to log TLS information
(including protocol, cipher used, client and issuer common name) into the Received:
message header.
Note: These headers may be modified by intermediate servers and only information
recorded at the final destination is reliable.
Default TLS Policy
• Offer TLS — Enable this option to offer remote mail servers the option of using SSL/TLS
when sending mail.
• Enforce TLS — Enabling this option will require the validation of a CA-signed certificate
when delivering mail to a remote mail server. Failure to do so will result in mail delivery
failure.
Specific Site Policy
This option supports the specification of exceptions to the default settings for TLS/SSL. For
example, you may need to exempt a mail server from using TLS/SSL because of lack of TLS
support.
To exempt a system, specify the IP Address or FQDN (Fully Qualified Domain Name) of the
remote mail server in the Add/Update Site field. Select Don’t Use TLS from the drop-down box
and click the Update button. The exempted mail server will be listed under the Specific Site
Policy.
TLS options include the following:
• Don’t Use TLS — TLS Mail Delivery is never used with the specified system.
• May Use TLS — Use TLS if the specified system supports it.
• Enforce TLS — Deliver to the specified system only if a TLS connection with a valid CAsigned
certificate can be established.
• Loose TLS — Similar to Enforce TLS but will accept a mismatch between the specified
server name and the Common Name in the certificate.
95

Mail Security and Encryption
TLS and Reporting
Report filters can be configured to display any messages that have been encrypted with SSL/
TLS. Select Status/Reporting ➝ Reporting ➝ Report Filters, and select "SSL" in both the
Encryption from Sender and Encryption to Recipient filters. The filters can be enabled when
generating a report to display only SSL/TLS based messages.
The Mail History can also be filtered for SSL/TLS messages via Status/Reporting ➝
Reporting ➝ Mail History by selecting the "ssl" field in the drop-down search menu.
96

SSL Certificates
SSL Certificates
A valid SSL certificate is required to support the encryption services available on ePrism.
The SSL encrypted channel from the server to the web browser (such as when using a URL
that begins with HTTPS), requires a valid digital certificate. You can use self-signed certificates
generated by ePrism, or import certificates purchased from commercial vendors such as
Verisign.
A certificate binds a domain name to an IP address by means of the cryptographic signature of
a trusted party. The web browser can warn you of invalid certificates that undermine secure,
encrypted communications with a server.
The disadvantage of self-signed certificates is that web browsers will display warnings that the
"company" (in this case, the ePrism Email Security Appliance) issuing the certificate is
untrusted. When you purchase a commercial certificate, the browser will recognize the
company that signed the certificate and will not generate these warning messages.
A web server digital certificate can only contain one domain name, such as
server.example.com, and a limitation in the SSL protocol only allows one certificate per IP
address. Some web browsers will display a warning message when trying to connect to any
domain on the server that has a different domain name than the server specified in the single
certificate. Digital certificates eventually expire and are no longer valid after a certain period of
time and need to be renewed before the expiry date.
Install a commercial certificate on the ePrism Email Security Appliance as follows:
1. Select Management ➝ SSL Certificates on the menu.
2. Create a new certificate using the Generate a 'self-signed' certificate button.
3. Click Apply to reboot the system to install the new certificate.
97

Mail Security and Encryption
4. After the reboot, the current certificate and certificate request that was signed by the onboard
Certificate Authority will be displayed. To obtain a commercial certificate, send this
certificate request information to the commercial Certificate Authority (CA) of your choice
(such as Verisign, Entrust, and so on) for signing.
Ensure that the certificate is an Apache type of certificate for a mail server.
SSL Certificate
5. When received from the CA, install the commercial certificate using the Load site
certificate button.
Enter the PEM encoded certificate information from the signed SSL certificate returned by the
CA by copying and pasting the appropriate text into the specified field.
Private Key
Select the Use this Private Key for SSL Certificate check box to use the supplied private key.
Copy and paste the PEM encoded private key into the required field. Do not enable this option
and leave the field blank if the certificate was generated by a request from this ePrism system.
Generating a new self-signed certificate after you have installed a commercial certificate will
overwrite the private key associated with the installed commercial certificate, making it invalid.
98

SSL Certificates
Intermediate Certificate
Some commercial certificates require you to upload an intermediate certificate in addition to the
commercial certificate and the private key. Enter this information into the Intermediate
Certificate section.
99

CHAPTER 6
Message Content Scanning
This chapter describes how to configure the Attachment and Content scanning features of
your ePrism Email Security Appliance, and contains the following topics:
• “Content Scanning Overview” on page 102
• “Attachment Control” on page 103
• “Attachment Content Scanning” on page 106
• “Objectionable Content Filter” on page 110
• “Pattern Based Message Filtering (PBMF)” on page 112
• “Malformed Mail” on page 121
• “Dictionaries” on page 123
• “Message Archiving” on page 125
101

Message Content Scanning
Content Scanning Overview
ePrism’s extensive content management capabilities allow administrators to scan email
messages and attachments to ensure that inappropriate and offense material or sensitive
documents are prevented from being transmitted inbound or outbound.
ePrism’s advanced attachment content scanning performs deep scanning of email attachments,
such as PDF and document files, for patterns of text and phrases defined in a phrase file.
These content filtering and scanning features can also be used by the policy engine to allow
organizations to create different content scanning policies for different sets of domains, groups,
and users.
Select Mail Delivery ➝ Content Management on the menu to configure the content control
and scanning features.
• Inbound Attachment Control — Filters inbound messages based on the type of
attachment.
• Outbound Attachment Control — Filters outbound messages based on the type of
attachment.
• Attachment Content Scanning — Performs deep content scanning on an attachment and
filters the message based on a list of key words.
Note: The advanced content scanning feature is a licensed feature.
• Objectionable Content Filtering (OCF) — The Objectionable Content Filter defines a list of
key words that will cause a message to be blocked if any of those words appear in the
message.
• Pattern Based Message Filtering (PBMF) — Reject or accept mail based on matches in
the message envelope, header, and body.
• Malformed Mail — Scans for malformed messages in incoming mail to protect against
Denial of Service (DoS) attacks.
102

Attachment Control
Attachment Control
Attachment filtering can be used to control a wide range of problems originating from both
inbound and outbound attachments, including the following:
• Viruses — Attachments carrying viruses can be blocked.
• Offensive Content — ePrism blocks the transfer of images which reduces the possibility
that an offensive picture will be transmitted to or from your company mail system.
• Confidentiality — Prevents unauthorized documents from being transmitted through the
ePrism Email Security Appliance.
• Loss of Productivity — Prevents your systems from being abused by employees.
Configuring Attachment Control
Select Mail Delivery ➝ Content Management ➝ Attachment Control to configure
attachment filtering for inbound and outbound messages.
• Default action — This value sets the default action for attachment control for items not
specifically listed in the Attachment Types list. The default is Pass, which allows all
attachments. Any file types defined in the Attachment Types list will override the default
setting.
• Attachment Control — Enable the feature for inbound and outbound mail.
• Attachment Types — Click Edit to configure the controls for each type of attachment.
• Action — Select an action to perform. Options include:
• Just log: Log the event and take no further action.
103

Message Content Scanning
• Reject mail: The message is rejected with notification to the sending system.
• Quarantine mail: The message is placed into the administrative quarantine area.
• Discard mail: The message is discarded without notification to the sending system.
• Notification — Notifications for inbound and outbound messages can be enabled for all
recipients, the sender, and the administrator. Administrators can customize the content for
the Inbound and Outbound notification.
Editing Attachment Types
Click the Edit button to edit your attachment types. You can add file extensions (.mp3), or
MIME content types (image/png). For each attachment type, choose whether you want to
BLOCK or Pass the attachment.
Select the Scan check box to perform content scanning for attachments with the specified
extension.
Click the Add Extension button to add a file extension or MIME type to the list.
104

Attachment Control
• Extension — Enter a specific attachment type extension or MIME type, such as ".mp3" or
"image/png".
• Scan — Select this option to perform content scanning for attachments with the specified
extension.
The system can scan files within an archive file (such as.zip) for forbidden attachments.
The attachment will still be checked for viruses (if anti-virus scanning is enabled) if the
Scan option is deselected.
If an archive file, such as.zip, contains a file type that is blocked, the archive file will be
blocked, even if it is set to Pass. Disable the Scan option if you do not want to scan the
content of the archive file.
Anti-Virus scanning must be enabled to allow archive files to be decompressed and checked for
forbidden attachments.
105

Message Content Scanning
Attachment Content Scanning
ePrism’s Attachment Content Scanning features performs deep scanning of attachments, such
as PDF and Microsoft document files, for patterns of text and phrases. This allows organizations
to use filter rules and policy settings to scan attachments for specific content that could be
considered offensive, private and confidential, or against existing compliance rules.
There are two methods for content scanning of message attachments:
• Text and phrases are searched for in a document using a Pattern-Based Message Filter
(PBMF) and an appropriate PBMF action performed if there is a match.
• ePrism will search the extracted message text for words contained in uploaded compliance
files defined via a policy and perform the configured action if there is a match.
Attachment Content Scanning is a licensed feature and requires a license key to work after an initial
30 day evaluation period.
Unopenable Attachments
The following cases of unopenable documents will result in an attachment being flagged as a
compliance violation if the "Treat unopenable documents as compliancy violations" setting is
enabled.
• Files that are larger than 1 GB
• File types that are not recognized by the scanner
• Files that take longer than one minute to scan
• Malformed or virus-infected attachments
Configuring Attachment Content Scanning
Select Mail Delivery ➝ Content Management ➝ Attachment Scanning to configure your
attachment content scanning options.
• Enable — Select the check box to enable attachment content scanning.
• Treat unopenable documents as compliancy violations — Attachments that are
protected by a password or encrypted may contain text that is a compliance violation.
Enable this feature to treat unopenable documents as though they were not compliant.
Files over 1 GB in size will not be scanned and are classified as non-compliant.
106

Attachment Content Scanning
• Phrase length — This field specifies the length of phrases used for pattern-matching
checks. This number of words will be passed to the scanning engine to check if it matches
any phrases in your compliance file.
Long phrases will result in greater processing times. It is recommended that phrases be four words
or less. The phrase length of the compliance dictionary selected for Attachment Content Scanning
should not be greater than the phrase length selected in this field.
• File Types — Select the types of files to be scanned:
• All Supported Formats: Scans all file formats supported by the content scanner.
• Common Document Formats: Scans only common word processing, spreadsheet,
database, presentation, text, and archive formats.
• Standard Document Formats: Scans only common document formats (word
processing, spreadsheet, database, presentation, text, and archive files), including less
common formats such as graphics and desktop publishing formats.
• Punctuation treatment — Select how the scanning engine should treat punctuation.
• Significant: The punctuation will be considered as part of the word or phrase it appears
in.
• Treat as space: The punctuation will be treated as a space. For example, the phrase
"This, is classified" will be treated as "This is classified". This is the default setting.
• Ignore: The punctuation will be completely ignored.
• Case sensitivity — Select how the scanning engine will treat case sensitivity. If Sensitive
is chosen, capitalization of letters will be taken into effect. For example, the word
"Classified" must appear in the phrase compliance file with the capitalized first letter.
• Notifications — Notifications for inbound and outbound messages can be enabled for all
recipients, the sender, and the administrator. Enter the content for the notification
message.
See “Customizing Notification and Annotation Messages” on page 371 for information on
variables such as %SENDER% and %RECIPIENT%.
The compliance status of messages can be searched in the mail history database via Status/
Reporting ➝ Reporting ➝ Mail History ➝ Advanced on the menu.
107

Message Content Scanning
Using Pattern Based Message Filters for Attachment Scanning
One of the methods that can be used to search for compliance text within a file is to create a
Pattern Based Message Filter (PBMF).
Create a pattern filter as follows:
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) to define a filter
for attachment scanning.
2. Click Add.
3. In the Apply To field, select whether you want to check Inbound, Outbound, or All Mail.
4. In the Message Part field, select Attachment Content.
Selecting Attachment Content will scan the entire email message, including the header, body and
any attachment for matching content.
5. In the Pattern field, enter a pattern to match against.
6. Select the Action to perform on a message that contains the pattern text, such as Reject.
7. Click Apply to add the filter.
Attachment Scanning via Policy Compliancy File
Attachment scanning can also be performed via Policies with a compliance file uploaded and
enabled. The compliance file will contain a list of words and phrases that can be matched
against text contained in scanned attachment files.
In the specified policy, accessed via Mail Delivery ➝ Policy, enable Attachment Scanning, and
select the corresponding phrase file to be used with that policy.
Custom phrase files are uploaded via Mail Delivery ➝ Content Management ➝ Dictionaries.
108

Attachment Content Scanning
The phrase length of the compliance dictionary selected for Attachment Content Scanning should
not be greater than the phrase length selected in the Attachment Content Scanning configuration.
See “Dictionaries” on page 123 for more detailed information on uploading custom dictionary
files.
109

Message Content Scanning
Objectionable Content Filter
The Objectionable Content Filter defines a list of key words that will cause a message to be
blocked if any of those words appear in the message. The Objectionable Content Filter provides
enhanced content filtering functionality and flexibility, allowing users to restrict content of any
form including objectionable words or phrases and offensive content.
The predefined lists provided are configurable and can be updated and customized to meet the
specific needs of any organization. Rules can also be applied to both inbound and outbound
messages preventing unwanted content from entering an organization and prohibiting the
release of sensitive content outside an organization.
OCF words can be extracted from messages that disguise the words with certain techniques.
For example, OCF will detect the word "spam", even if it is disguised as "sp@m" or "s_p_a_m"
using the advanced token recognition component of ePrism’s Token Analysis feature.
OCF has a maximum of 35 characters for a word. OCF does not detect plurals of words. Both plural
and singular word forms need to defined in the dictionaries.
Select Mail Delivery ➝ Content Management ➝ Objectionable Content on the menu to
configure the objectionable content filter.
• Enable OCF — Select the check box to enable OCF.
• Logging — Set the type of logging to perform for OCF processing. This information will
appear in the Mail Transport log.
• No Logging — No OCF logging will be performed.
• First match only — Log the first word that was matched by the filter.
• All matches — Log all words that were matched by the filter.
110

Objectionable Content Filter
• Phrase Files — Select the type of phrase file to use with OCF. The Weak OCF phrase file
contains a small list of common objectionable words and phrases. Moderate and Strong
OCF include a larger list amounts of words and phrases that are considered offensive.
Organizations can create their own OCF phrase files via the Mail Delivery ➝ Content
Management ➝ Dictionaries feature. This may include words and phrases specific to an
organization that need to be blocked.
The OCF dictionaries contain content that is of a vulgar nature. The pre-defined dictionaries should
be viewed with caution as they contain words and phrases that may be offensive.
Notifications
• Action — Set actions for both inbound and outbound messages. The following actions can
be set:
• Just log — Log the event and take no further action.
• Reject mail — The message is rejected with notification to the sending system.
• Quarantine mail — The message is placed into quarantine.
• Discard mail — The message is discarded without notification to the sending system.
• Encrypt — Redirects the message to the Encryption server specified in the Mail
Delivery ➝ Encryption menu.
• Decrypt — Redirects the message to the Decryption server specified in the Mail
Delivery ➝ Encryption menu.
Notifications for inbound and outbound messages can be enabled for all recipients, the sender,
and the administrator. The content for the Inbound and Outbound notification can be
customized.
See “Customizing Notification and Annotation Messages” on page 371 for a full list of system
variables that can be used in the notification.
111

Message Content Scanning
Pattern Based Message Filtering (PBMF)
Pattern Based Message Filtering is the primary tool for creating filter rules on the ePrism.
PBMFs are used for:
• Trusting and blocking messages containing certain text or characteristics
• Creating content filter rules for managing email messages.
An administrator can create filter rules for any aspect of an email message including the
message header, sender, recipient, subject, attachment content, and message body text. For
example, administrators can create a simple text filter that specifies to check messages for the
word "FREE" in the subject. This filter rule is helpful in correcting disadvantages in the other
spam filters.
Specific Access Patterns should be used to trust specific servers to bypass BSN, DNSBL, and other
checks because PBMFs may bypass or interfere with certain content filters such as Content
Scanning and OCF that occur later in ePrism’s processing order.
Email Message Structure
The following is an example of a typical mail message:
112

Pattern Based Message Filtering (PBMF)
Message Envelope
The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, are
parameters not visible to the user. They are the "handshake" part of the SMTP protocol. You
will need to look for these in the transport logs or have other knowledge of them.
Message Header
The message header includes the following fields:
• Received from — Indicates the final path that the message followed to get to its
destination. It arrived from "mail.example.com", which delivered it to
"server.example.com" to be put in the mailbox of "user@server.example.com."
• Received by — This indicates a previous "hop" that the message followed. In this case, the
message came via "mail.example.com" which accepted the message addressed to
"user@example.com".
• Delivered-To — The user to be delivered to, in this case "user@example.com".
• Received from — This marks the origin of the message. Note that it is not necessarily the
same as the actual system that originated the message.
• Subject — This is a free form field and displayed by a typical mail client.
• To — This is a free form field and displayed by a typical mail client. It may be different from
the destination address in the Received headers or from the actual recipient.
• From — This is a free form field and is displayed by a typical mail client. It may be different
from the From address in the Received headers. It is typically faked by spammers.
• Message-ID — This is added by the mail server and is often faked by spammers.
Other header fields include Reply-to, Sender and so on. These fields can be forged by
spammers because they do not affect how the mail is delivered.
Message Body
Following the header is the text or content of the message. This content can be formatted or
encoded in many different ways, but in this example, it is displayed as plain text.
Message Attachment
Many emails contain attachments to the main message. ePrism has the ability to decode
attachments to match text found within an attachment using a filter rule.
113

Message Content Scanning
Default Pattern Based Message Filters
Several default Pattern Based Message Filters (PBMF) have been preconfigured to ensure that
mail is not trained in the following situations:
• Outbound Mail To: Contains "@stbernard.com"
• All Mail Subject: Contains "[SPAM]"
• All Mail Subject: Contains "[MAYBE SPAM]"
• All Mail Subject: Contains "Spam summary for"
• All Mail Subject: Contains "Delayed Mail"
• All Mail Subject: Contains "Delivery Status Notification"
• All Mail Subject: Contains "Delivery Failure Notification"
• All Mail Subject: Contains "Undelivered Mail Returned to Sender"
• All Mail Subject: Contains "AutoReply"
• All Mail Subject: Contains "Returned Mail:"
• All Mail From: Contains "postmaster@" + domain
• All Mail From: Contains "MAILER-DAEMON@" + domain
These rules help prevent misconfiguration of the Token Analysis database by ensuring that
forwarded spam messages, delivery notifications, automatic replies, and system messages are
not trained.
Spam messages should never be forwarded within an organization as this will also misconfigure the
Token Analysis training database.
The default St. Bernard PBMF rules can be edited or removed by the administrator via Mail
Delivery ➝ Content Management ➝ Pattern Filters (PBMF) on the menu. All St. Bernard
rules can be deleted using the Remove Default PBMFs button in the PBMF edit view.
Additional "postmaster" and "MAILER-DAEMON" PBMFs need to be created for organizations
supporting multiple domains.
114

Pattern Based Message Filtering (PBMF)
Configuring Pattern Based Message Filtering
Select Mail Delivery ➝ Content Management, and then select Pattern Filters (PBMF) on the
menu.
The pre-defined PBMF rules are provided as examples on how rules are to be created and can be
deleted if not needed without any repercussions.
Click the Add button to add a new pattern to the filter list.
Select the direction of mail for the PBMF rule in the Apply To field, such as All Mail, Inbound,
or Outbound, depending on your requirements.
• All Mail — Mail destined for any domain.
• Inbound mail — Any mail that is destined to a domain that the ePrism is configured to
accept mail for. This will be any domain listed in the Mail Routing table in Mail Delivery ➝
Routing ➝ Mail Routing.
• Outbound mail — Mail destined to any domain that the ePrism is not configured to accept
mail (every domain other than those configured in Mail Routing.)
"Trusted" mail has no bearing on the Inbound/Outbound relationship.
Select the Message Part you want to filter on. ePrism allows you to filter on the following
parameters:
Message Envelope Parameters
These parameters will not be visible to the user. They are the "handshake" part of the SMTP
protocol. You will need to look for these in the transport logs or have other knowledge of them.
• — This parameter allows for a match on any part of the message
envelope which includes the HELO, Client IP and Client Host.
• HELO — This field is easily faked, and is not recommended for use in spam control. It may
be useful in trusting a source of mail. Example: mail.example.com.
115

Message Content Scanning
• Client IP — This field will be accurately reported and may be reliably used for both blocking
and trusting. It is the IP address of the system initiating the SMTP connection. Example:
192.168.1.200.
• Client Host — This field will be accurately reported and may be reliably used for both
blocking and trusting. Example: mail.example.com.
The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be
visible if your client supports reading the message source. They can also be found in the
transport logs. Other header fields may be visible as supported by the mail client.
• Envelope Addr — This matches on either the Envelope To or Envelope From. These fields
are easily faked, and are not recommended for use in spam control. They may be useful in
trusting a source of mail. Example: fred@example.com.
• Envelope To — This field is easily faked, and is not recommended for use in spam control.
It may be useful in trusting a source of mail. Example: fred@example.com.
• Envelope From — This field is easily faked, and is not recommended for use in spam
control. It may be useful in trusting a source of mail. Example: fred@example.com.
Message Header Parameters
Spammers will typically enter false information into these fields, except for the Subject field, and
they are usually not useful in controlling spam. These fields may be useful in trusting certain
users or legitimate source of email.
• — This parameter allows for a match on any part of the message header.
• — This parameter matches the To: or CC: fields.
• CC:
• From:
• Message-ID:
• Received:
• Reply-to:
• Sender:
• Subject:
• To:
There are other header fields that are commonly used, such as List-ID, as well as those added
by local mail systems and clients. You must use Regular Expressions (described below) to
specify these.
Message Body Parameters
• — This parameter allows for a match on any part of the encoded
message body. This encoded content includes Base64, MIME, and HTML. Since messages
are not decoded, a simple text match may not work. Use for text
matching on the decoded content.
• — This parameter allows for a match on the visible decoded message
body.
116

Pattern Based Message Filtering (PBMF)
STA (Token Analysis) Token
Bulk Analysis tokens can also be selected for pattern based message filters. This allows you to
match patterns for common spam words that could be hidden or disguised with fake or invisible
HTML text comments, which would not be caught by a normal pattern filter. For example,
Token Analysis extracts the token "viagra" from the text "viagra" and
"v.i.a.g.r.a.".
Attachment Scanning
Pattern based message filters can be defined to match the content of an entire mail message,
including attachments. This type of PBMF is used with the Attachment Content Scanning
feature. See “Attachment Content Scanning” on page 106 for more information on scanning
attachments.
Match Option
Matching looks for the specified text in each line. You can specify one of the following:
• Contains — Looks for the text to be contained in a line or field. This allows for spaces or
other characters that may make an exact match fail.
• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so
on, between the text and the non-printed end-of-line character.)
• Matches — The entire line or field must match the text.
• Starts with — Looks for the text at the start of the line or field (no characters between the
text and the start of line.)
• Reg Exp — Enter a regular expression to match the text.
Pattern
Enter a text pattern (case insensitive) to search for in the message.
You may also use Regular Expressions which allow you to specify match rules in a more
flexible and granular way. They are based on the standard POSIX specification for Regular
Expressions.
For example, to search for a "blank" message field, use the following regular expression:
^subject:[[:blank:]]*$
Although the Regular Expression feature is supported, St. Bernard cannot help with devising or
debugging Regular Expressions because they have an infinite variety and can be very complex.
Using Regular Expressions is not recommended unless you have advanced knowledge of their
use.
117

Message Content Scanning
Priority
Select a priority for the filter (High, Medium, Low). The entire message is read before making
the decision. If a message matches multiple filters, the filter with the highest priority will be used.
If more than one matched filter has the highest priority, the filter with the strongest action will be
used, in order, from highest priority to lowest (Bypass, Reject, Discard, Quarantine, Certainly
Spam, Archive, Redirect, Trust, Relay, Accept, Just log).
Discard, Quarantine, and Redirect are actions available when creating a custom PBMF action in the
PBMF preferences screen.
If more than one matched rule has the highest priority and highest action, then the filter with the
highest rule number will be used.
Action
When a rule has been triggered, the specified action is performed:
• Bypass — Allow this message to bypass all Intercept anti-spam and Content Management
(Attachment Control, Malformed Message and OCF) processing. This action will override
other PBMF actions for the same priority.
This action does not bypass Anti-Virus scanning.
• Trust — This mail is considered trusted and from a legitimate source. This message will not
be processed for spam.
• Reject — Mail is received, then rejected before the close of an SMTP session. Message is
trained for spam if "Train" is also selected.
• Relay — Relay is enabled for this mail and the message is considered trusted for anti-spam
scanning purposes. Message will be trained as legitimate mail if "Train" is also selected.
• Accept — Mail is accepted and delivered as per normal operation. Message is trained as
legitimate mail if "Train" is also selected.
• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for
"Certainly Spam" is applied.
• Just Log — Take no action, but log the occurrence. "Just Log" can be used to override
other lower priority PBMFs to test the effect of PBMFs without an action taking place.
• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This
option only appears if you have a BCC email address set up in the Preferences section.
• Do Not Train — Do not use the message for Token Analysis training purposes.
• Configurable Actions — There are several configurable actions that can be defined by the
administrator by clicking the Preferences button. When defined, these actions will appear in
this list.
• Encrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝
Encryption menu.
• Decrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝
Encryption menu.
• Archive (High, Medium, Low) — Redirects the message to an archiving server specified in
the Mail Delivery ➝ Archiving menu.
The "Relay" or "Trust" action can only be used with an Envelope message part because attempted
relays must be rejected immediately after the envelope transaction.
118

Pattern Based Message Filtering (PBMF)
Upload and Download of PBMF Rules
You can create a list of PBMF rules and upload them together in one file. The file must contain
comma or tab separated entries in the form:
[Section],[type],[pattern],[action],[sequence(priority)],[rulen
umber],[direction],[Options]
For example:
to:,contains,friend@example.com,reject,medium,1,both,on
The Options field is used for the "Do-Not-Train" option. The value can be "on" or blank. If the
field is blank, a "Reject" action will be considered "Reject+Train".
The file (pbmf.csv) should be created in csv file format using Excel, Notepad or other
Windows text editor. It is recommended that you download the PBMF file first by clicking
Download File, edit it as required, and upload it using the Upload File button.
PBMF Preferences
Select the Preferences button to define configurable PBMF actions and customize
notifications.
PBMF BCC Action
This is used in conjunction with the BCC PBMF action to define an email address to send a
blind carbon copy of the message to.
PBMF Action
Administrators can define up to six customized actions that can be used for PBMF filters. When
an action has been defined and activated, it will appear in the list of actions when creating a
PBMF rule.
• Active — Select the check box to activate this action.
• Action Name — Enter a descriptive name for this customized action.
• Action — The action can be one of the following:
• Reject: The mail will not be accepted and the connecting mail server is forced to return it.
119

Message Content Scanning
• Discard: The mail will be dropped with no notification.
• Quarantine: The mail will be put into the administrative quarantine area. The quarantine
can be accessed via Status/Reporting ➝ Quarantine on the menu.
• Certainly Spam: Mail is received, trained as spam, and then the Intercept action for
"Certainly Spam" is applied.
• Redirect to: The message will be delivered to the mail address specified in the Action
Data field.
• Accept: Mail is accepted and delivered as per normal operation.
• BCC: The message will be copied to the mail address specified in the Action Data field.
• Do Not Train: Select the check box to ensure that when this action is triggered, the
message will not be trained for spam.
• Action data — For the "Redirect To" action, send the message to a mailbox such as
"spam@example.com". You can also specify a domain such as "spam.example.com".
For BCC, enter an email address to send a blind carbon copy of the message to.
• Notification — Notifications can be enabled for all recipients, the sender, and the
administrator. The content of the notification message can be customized.
120

Malformed Mail
Malformed Mail
Many viruses and denial of service attacks (DoS) try to elude virus scanners by concealing
themselves in malformed messages. The scan engines cannot detect the attachment and pass
the complete message through to an internal server. Some mail clients try to rebuild malformed
messages and may rebuild or activate a virus-infected attachment. Other types of malformed
messages are designed to attack mail servers directly. Most often these types of messages are
used in denial-of-service (DoS) attacks.
ePrism analyzes each message with extensive integrity checks. Malformed messages are
quarantined if they cannot be processed.
Select Mail Delivery ➝ Content Management ➝ Malformed Mail on the menu to enable and
configure malformed email scanning.
• Enable malformed scanning — Select this option to enable scanning for malformed
emails.
• Enable NULL Character Detect — Select this option to enable null character detection.
Any messages containing null characters (a byte value of 0) in the raw mail body will be
considered a malformed message.
The null character detection feature may cause incompatibility with certain mail servers and it is
recommended that this feature be disabled if issues occur.
• Action — Select an action to be performed. Options include:
• Just log: Log the event and take no further action.
• Reject mail: The message is rejected with notification to the sending system.
121

Message Content Scanning
• Quarantine mail: The message is placed into the administrative quarantine area.
• Discard mail: The message is discarded without notification to the sending system.
• Notifications — Notifications for inbound and outbound messages can be enabled for all
recipients, the sender, and the administrator. Enter the content for the notification message.
See “Customizing Notification and Annotation Messages” on page 371 for information on
variables such as %SENDER% and %RECIPIENT%.
122

Dictionaries
Dictionaries
The Dictionaries feature contains default and custom word and phrase dictionaries that can be
used with Objectionable Content Filtering, Spam Dictionaries, and compliancy-based
Attachment Content Scanning.
Each file is a simple word or phrase text file (Unix format) with one word or phrase per line,
such as:
Compliance
Classified
Top Secret
The maximum word length is 35 characters. Both plural and singular word forms need to defined in
the dictionaries. In Policies, the phrase length of the compliance dictionary selected should not be
greater than the phrase length configured in the content scanning configuration.
For example, to define a new dictionary to be used for policy compliance:
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.
2. Click Add to add a new dictionary file.
3. Click Browse to select the file to be uploaded. Click Continue.
123

Message Content Scanning
The file information screen displays the initial contents of the file.
Choose the name of the file, and select the type of file you are uploading. This will indicate
which feature to use with this file.
• Any — This file can be used for any feature
• Compliancy — This file can be used for compliance policy attachment scanning.
• OCF — This file can be used with Objectionable Content Filtering.
• Spam — This file can be used with the Spam Dictionaries Intercept Anti-Spam feature.
Click Continue to finish uploading the file.
The new dictionary will now appear in the list and can be selected when using a dictionarybased
feature such as policy compliance.
124

Message Archiving
Message Archiving
ePrism offers message archiving support allowing organizations to define additional mail
handling controls for inbound and outbound mail. These features are especially important for
organizations that must archive certain types of mail for regulatory compliance or other
corporate security policies. ePrism allows mail to be categorized and selectively archived for
different levels of importance. By providing the ability to classify and archive messages at
different levels, mail of high importance or compliance classification can be archived while
allowing different actions for mail of lower importance. These features also prevent the waste of
unnecessary resources by ignoring spam messages and other types of unwanted mail when
archiving messages.
ePrism can integrate with third-party archiving servers and archive email messages by creating
pattern filters to classify messages and route them to the appropriate archiving server or an
archive email address, while still delivering the email to its original recipients. Mail headers
added to an archived message by ePrism allow administrators to customize their archiving
services for efficient retrieval of archived messages.
Mail archiving can be used with Pattern Based Message Filters, the Objectionable Content
Filter, and Attachment Content scanning, including the use of these features via Policies. When
a message is received by ePrism, these features will search for text within a message and its
attachments. When this text is found, an action can be taken classifying the message for
archiving into one of three categories, "Archive High", "Archive Medium", and "Archive Low".
The Archiving feature then applies the archiving action for each category. For example,
messages categorized as "Archive High" can have an action of "Archive copy to", with the
action data identifying the archiving email address or mail route to archive mail to.
Configuring Message Archiving on ePrism
The ePrism Email Security Appliance can be configured to integrate with third party archiving
servers to archive messages using the following steps:
1. Define an archive email address or a mail route to the archiving server
2. Create Content Management filters to identify messages to be archived
Select Mail Delivery ➝ Archiving on the menu to configure global archiving settings.
Configuration fields for three classifications of archiving will appear for High, Medium, and Low
Importance archiving actions:
125

Message Content Scanning
• Active — Select the check box to activate this archiving action.
• Action Name — Select a name to be displayed as the archiving action for the PBMF, OCF,
and Attachment Scanning features.
• Action — Select the "Archive copy to" action to send the message to an archive server.
• Action data — The action data can contain either an email address or the name of the mail
route for the destination archiving server.
For archiving to an email address, enter an address such as "archive@example.com".
This will be a mailbox that will contain all archived messages. Your archiving server will be
able to pull its data for ePrism’s archived messages from this mailbox.
Mail routes can also be defined in this field to route mail to the archiving server. The action
data will contain the name of the route for each classification, such as
"archive_high_reroute", "archive_medium_reroute", or "archive_low_reroute".
A corresponding mail route will need to be created on ePrism via Mail Delivery ➝ Routing
➝ Mail Routing. See the following section, “Defining Mail Routes for Archiving” on
page 127, for more information on creating mail routes. Mail routes are not required if
archiving to an email address.
• Add header — Select the check box to add an archive header to the message when it is
sent to the destination archive server. This allows the archiving server to store that message
according to its classification in the header and allow for more efficient retrieval of the
message in the future.
• Header data — Enter the mail header data that will be added to the message header, such
as "X-Archive: high".
• Notification — Select optional notifications to the Recipients, Sender, or Administrator
when a message has been archived.
126

Message Archiving
Defining Mail Routes for Archiving
When using the mail routing method for archiving message, mail routes to the Archiving server
must be defined to ensure ePrism knows where to send messages for the appropriate archiving
classification of the message.
For each Archiving classification, a corresponding mail route must created:
• "archive_high_reroute" ➝ .archive_high_reroute
• "archive_medium_reroute" ➝ .archive_medium_reroute
• "archive_low_reroute" ➝ .archive_low_reroute
Select Mail Delivery ➝ Routing ➝ Mail Routing to define mail routes.
Enter the domain, such as ".archive_high_reroute", and enter the destination address of
the archiving server and click Add.
Mail routes are not required if archiving to an email address.
127

Message Content Scanning
Configuring Content Management Filters for Archiving
To classify messages for archiving, ePrism’s content management features, such as PBMF,
OCF, and Attachment Scanning, must be configured to search for text in a message or its
attachment. The corresponding action will be the archive classification, such as "Archive High".
Configuring Pattern Filters (PBMF) for use with Archiving
1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF).
2. Click the Add button.
3. Create a pattern filter looking for the required specific text. In this example, we are
searching for an inbound message subject that starts with the word "Compliancy".
4. Set the Action to the appropriate archive action, such as "Archive High".
5. Click the Apply button to add the pattern filter.
Configuring OCF for Archiving
The Objectionable Content Filter can also be used for classifying and archiving messages.
Custom dictionaries can be created for content specific to your organization. When the OCF
feature finds a word from these dictionaries, an archive action can be applied.
1. Select Mail Delivery ➝ Content Management ➝ Objectionable Content.
2. Enable the OCF feature, and select your customized phrase file, such as "Archive" in this
example.
3. Set the Action to the appropriate archive action for this phrase file, such as "Archive Low".
128

Message Archiving
Configuring Policies for Archiving
The Archiving feature can also be used by the Policy engine to provide customization when
applying archiving actions to different domains or groups of users. When creating a policy, the
Attachment Scanning feature provides actions for archiving when certain text is found in an
attachment.
The Attachment Scanning feature requires a phrase file to match attachment content against
and a corresponding archiving action to perform.
To configure a policy definition:
1. Ensure Attachment Scanning is enabled globally via Mail Delivery ➝ Content
Management ➝ Attachment Scanning.
2. Select Mail Delivery ➝ Policy ➝ Policy Definition in the menu to define a policy.
3. Select the Enable check box to enable Attachment Scanning for this policy.
4. Select the Compliancy file to be used for matching text, such as "Archive" in this example.
5. Set the Action to the appropriate archive action for this phrase file, such as "Archive
Medium".
Customizing Archive Headers using Policies
For each Policy definition, the archive header can be customized for each archiving
classification if it needs to be changed from the default settings.
129

CHAPTER 7
Intercept Anti-Spam
This chapter describes how to configure the Intercept Anti-Spam features of the ePrism Email
Security Appliance and contains the following topics:
• “Intercept Anti-Spam Feature Overview” on page 132
• “Trusted and Untrusted Mail Sources” on page 134
• “Configuring Intercept Anti-Spam” on page 136
• “Intercept Components” on page 139
• “Intercept Advanced Features” on page 177
• “Trusted and Blocked Senders” on page 181
• “Spam Quarantine” on page 187
131

Intercept Anti-Spam
Intercept Anti-Spam Feature Overview
ePrism’s Intercept Anti-Spam features have been developed to take advantage of its extensive
mail control features and provides a solutions-based approach where each anti-spam feature,
when enabled, provides input to the final spam score of a message. Information retrieved by all
of the enabled Anti-Spam features results in a more informed decision on whether the message
is in fact spam or legitimate mail.
Thresholds can be set to take appropriate action on a message based on its score and
classification, such as Certainly Spam, Probably Spam, and Maybe Spam. A different action can
be set for each threshold, such as "Redirect" to a spam quarantine for messages that are
classified as Certainly Spam, or "Modify Subject Header" for messages that are classified as
Maybe Spam.
Administrators can use the advanced Intercept options to provide more granular control over
each anti-spam Intercept component for their environment, however, the default Intercept
configuration has been engineered to provide maximum protection against spam without
additional configuration.
ePrism’s Intercept Anti-Spam engine includes the following components:
• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the
client address or header parameters such as HELO or Envelope-From and Envelope-To.
• Pattern Based Message Filtering (PBMF) — Filter messages based upon matches in any
aspect of a mail message, including the envelope, header, body and any attachments.
• Spam Dictionaries — Filters messages based on a dictionary of typical spam words and
phrases that are matched against the message.
• Mail Anomalies — Checks various aspects of the incoming message for issues such as
unauthorized SMTP pipelining, missing headers, and mismatched identification fields.
Checks for recent spam and viruses from a specific IP address can also be enabled which is
used in conjunction with the Threat Prevention feature.
• BorderWare Security Network (BSN) — The BSN helps to identify spam by reporting a
collection of metrics about the sender of a mail message, including their overall reputation,
whether the sender is a dial-up, and whether the sender appears to be virus-infected, based
on information collected from ePrism systems and DNS Block Lists worldwide. This
information can be used by the ePrism Email Security Appliance to reject the message, or
used as part of the overall anti-spam decision.
• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor
reputation. Messages can also be rejected immediately regardless of the results of other
Anti-Spam processing if the client is listed on a DNSBL. A configurable threshold allows
administrators to specify how many DNSBLs must trigger to consider the sender as
unreliable.
• URL Block List — URL Block Lists contain a list of domains and IP addresses of URLs that
have appeared previously in spam messages. This feature is used to determine if the
message is spam by examining any URLs contained in the body of a message to see if they
appear on a block list.
• Bulk Analysis — Detects bulk mail spam by checking to see if the message was sent to a
large numbers of users.
• Token Analysis — Detects spam based on advanced content analysis using databases of
known spam and valid mail.
132

Intercept Anti-Spam Feature Overview
• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS
records to identify and validate the source of a message to determine whether a message
was spoofed.
• DomainKeys Authentication — Performs a check of a sending host’s DomainKeys DNS
records to identify and validate the source of a message to determine whether a message
was spoofed.
User-Based Options
Other anti-spam options can be enabled to allow end users to create a list of Trusted and
Blocked Senders, and also manage their own spam quarantine area:
• Trusted and Blocked Senders List
• User Spam Quarantine
133

Intercept Anti-Spam
Trusted and Untrusted Mail Sources
ePrism must be properly configured for interaction with local and remote mail servers. ePrism
only processes mail through the spam filters when a message originates from an "untrusted"
source. Trusted sources will bypass the spam controls.
There are two ways to control how sources of mail are identified and trusted:
1. Trusted Subnet — All mail from a specific network interface is considered trusted.
2. Specific Access Pattern — An IP address (or address block), server, or domain name is
identified as trusted using a specific access pattern rule.
Trusted Subnet
By default, mail that arrives on a particular network interface from the same subnet is "trusted".
To change this setting, perform the following steps:
1. Select Basic Config ➝ Network on the menu.
2. For the specified interface, disable Trusted Subnet.
Trusting via Specific Access Patterns
To trust a system with a specific access pattern:
1. Select Mail Delivery ➝ Mail Access on the menu.
2. For Specific Access Patterns, click Add Pattern.
3. Enter the IP address or hostname of the system in the Pattern field.
4. Select the Client Access check box.
5. Select Trust in the If pattern matches field, and then click Apply to add the rule.
134

Trusted and Untrusted Mail Sources
135

Intercept Anti-Spam
Configuring Intercept Anti-Spam
To enable and configure ePrism’s Intercept Anti-Spam features, select Mail Delivery ➝ Anti-
Spam ➝ Intercept on the menu.
Intercept Actions
In the Intercept Actions section, administrators can assign actions for three levels of spam score
thresholds. The categories are as follows:
• Certainly Spam — Any message with a score over this threshold (Default: 99) is almost
guaranteed to be certainly spam. These types of messages require a strong action such as
Reject Mail or Redirect To.
• Probably Spam — Any message with a score over this threshold (Default: 90) is probably
spam. This threshold indicates a message with a very high spam score, but not high enough
to be Certainly Spam. These messages should be treated with a lighter action than Certainly
Spam, such as Redirect To or Modify Subject Header, but should not be rejected.
• Maybe Spam — Any message with a score over this threshold (Default: 60) might be spam
but should be treated with caution to prevent false positives. This threshold indicates
messages which could be spam, but could also be legitimate mail. It is recommended that a
light action such as Modify Subject Header or Just Log be used.
For each category you can set the following fields and actions:
• Threshold — Set the threshold for this category to the specified spam score. It is
recommended that administrators leave these value at their defaults.
• Action — Specify one of the following actions:
• Just log: An entry is made in the log, and no other action is taken.
136

Configuring Intercept Anti-Spam
• Modify Subject Header: The text specified in the Action Data field will be inserted into
the message subject line.
• Add header: An "X-" mail header will be added as specified in the Action Data field.
• Redirect to: The message will be delivered to the mail address or server specified in the
Action Data field.
• Discard mail: The message is rejected without notification to the sender.
• Reject mail: The mail will not be accepted and the connecting mail server is forced to
return it.
• BCC: Send a blind carbon copy of the message to the mail address specified in the
Action Data field.
• Quarantine Mail: The message is sent to the administrative quarantine area.
• Action data — Depending on the specified action:
• Modify Subject Header: The specified text will be inserted into the subject line, such as
[SPAM].
• Redirect to: Send the message to a mailbox such as "spam@example.com". The
message can also be redirected to a spam quarantine server such as
"spam.example.com".
• Add header: An "X-" message header will be added with the specified text as, such as
"X-Reject: spam". The header action data must start with "X-" and must contain a colon
followed by a space.
If this is not specified, the phrase "X-Reject" will be prepended to the header. For example,
if "spam" is entered, the full header will be "X-Reject: spam". If a header is entered with a
colon, such as "Reason:spam", the full header will be "X-Reason:spam".
Anti-Spam Header
Anti-spam headers are added to all messages for diagnostic purposes and contain data on the
spam processing applied to the message and its metrics. Enable this option to include the
header with the message. The header output is similar to the following:
X-BTI-AntiSpam: score:99,sta:99/022,dcc:passed,dnsbl:passed,
sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,
trusted:no,ts:no,bs:no,ubl:matched/1
TABLE 1. Anti-Spam Header Description
Item
score
sta
dcc
dnsbl
sw
bsn
Description
Overall Intercept score
Token Analysis score
Bulk Analysis check
DNS Block List check
Spam Dictionaries
BorderWare Security Network
reputation
137

Intercept Anti-Spam
TABLE 1. Anti-Spam Header Description
Item
spf
dk
pbmf
ipr
trusted
ts
bs
ubl
Description
SPF results
DomainKeys results
Pattern Based Message Filters
Mail Anomalies checks
Trusted or non-trusted
Trusted Senders List
Blocked Senders List
URL Block List check
138

Intercept Components
Intercept Components
Each component of the Intercept Anti-Spam engine can be enabled or disabled depending on
your environment. To configure advanced settings for each feature, select its link from the list.
Select the Enable check box for a specific feature and then select the spam feature link to
review or customize the default settings. When finished, click the Apply button to save the
configuration.
Each Intercept Anti-Spam feature is discussed in more detail in the following sections.
Reject on Unknown Recipient
This option rejects mail if the intended recipients do not exist locally or in an LDAP directory.
This option is used in conjunction with LDAP Users and the LDAP Recipients feature.
ePrism will determine if a user exists as follows:
• Checks if the user is in the local database of imported LDAP Users
• Performs a direct lookup on an LDAP user directory with the LDAP Recipients feature.
If using an Active Directory server, it is recommended that the LDAP Users function be used.
Configure LDAP Users and Groups and LDAP Recipients via the Basic Config ➝ Directory
Services menu.
139

Intercept Anti-Spam
See “Directory Users and Groups” on page 63 for more information on importing LDAP users for
user lookups. See “LDAP Recipients” on page 71 for information on configuring the LDAP
Recipients feature.
You can override Reject on Unknown Recipient by using a Specific Access Pattern set to "Allow
Relaying" or "Trust".
Specific Access Patterns (SAP)
Specific Access Patterns (SAP) are always enabled by default and can be used to either accept
or reject mail during an SMTP connection. These rules override all others, allowing them to be
used for special trusting and blocking cases to allow email where it would be otherwise blocked,
or to block email when it would otherwise be allowed. Specific access patterns allow an
administrator to respond to local filtering requirements such as the following:
• Allowing other systems to relay mail through ePrism
• Rejecting all messages from specific systems
• Allowing all messages from specific systems (effectively trusting the server)
• Trust addresses that may be blocked by BSN, DNSBL, or the URL Block List.
Configuring Specific Access Patterns
Select Mail Delivery ➝ Mail Access on the menu.
To define a Specific Access Pattern, click the Add Pattern button.
• Pattern — Enter a mail address, IP address, hostname, or domain name.
• Client Access — Specify a domain, server hostname, or IP address. This item is the most
reliable and may be used to block spam as well as trust clients.
140

Intercept Components
Only the Client Access parameter can be relied upon since spammers can easily forge all other
message properties. These parameters, however, are useful for trusting.
• HELO Access — Specify either a domain or server name.
• Envelope-From Access — Specify a valid email address.
• Envelope-To Access — Specify a valid email address.
None of the previous three options are reliable as spammers can easily fake this property.
• If Pattern Matches:
• Reject: The connection will be dropped.
• Allow relaying: Messages from this address will be relayed. These messages will be
processed for spam.
• Trust: Messages from this address will be relayed and not processed for spam.
Matching Rules
When you specify a Specific Access Pattern rule, it can take the following forms:
• IP Address — ePrism will match the IP address such as, "192.168.1.10", or you can use
a more general address form such as "192.168" that will match anything in that address
space.
For the Client Access parameter, ePrism also supports CIDR (Classless Inter-Domain Routing)
format so that administrators can specify a pattern for a network such as "192.168.0.0/24".
• Domain Name — ePrism will match the supplied domain name, such as "example.com",
with any subdomain such as "mail.example.com", "sales.mail.example.com" and
so on.
• Address — ePrism will match an exact email address, such as "user@example.com", or
a more general rule such as "@example.com".
Pattern Based Message Filters.
Pattern Based Message Filtering is the primary tool used for augmenting anti-spam controls
and trusting and blocking messages. An administrator can specify that mail is rejected or
trusted according to the contents of the message header, including the sender, recipient,
subject, attachment content, and message body text.
See “Pattern Based Message Filtering (PBMF)” on page 112 for detailed information on
configuring PBMFs.
141

Intercept Anti-Spam
Spam Dictionaries
ePrism provides a built-in Spam Dictionaries filter. When enabled, all inbound messages
passing through the ePrism Email Security Appliance are scanned for spam words and phrases
that appear in the dictionary. Messages with words or phrases in their subject or body that
match the phrase list are more likely to be spam. ePrism’s Intercept Anti-Spam engine will use
this information to help decide if the message is spam or legitimate mail.
ePrism includes a basic pre-configured spam words list that can be used for Spam Dictionary
filtering. St. Bernard’s default list includes very common spam words such as "prescription" and
"viagra". The full default list can be viewed and saved. Administrators can use this list to build
and upload their own custom spam word list.
It is recommended that administrators review this default spam words list to ensure any included
words are not part of their organizations functions. For example, the word "prescription" should be
removed if the company is involved with the pharmaceutical industry.
Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select Spam Dictionaries on the
menu to configure the options for this feature.
• Enable Spam Dictionaries — Select the check box to enable the Spam Dictionaries
feature. Message content will be checked against the spam word lists and the final result will
be used by the Intercept engine.
• Phrase file — Select the phrase file used for anti-spam checks. This can be the "Default
Spam Words" list provided by St. Bernard, or a custom list uploaded via Mail Delivery ➝
Content Management ➝ Dictionaries. See the following section for more information on
adding a custom dictionary.
• Logging — Select the type of logging for messages that contain matched spam words and
phrases. This logging information will appear in the Mail Transport logs. Choose from the
following:
• No logging: No logging will be performed.
• First match only: Only the first matching word will be displayed.
• All matches: All matched words will be displayed.
142

Intercept Components
Adding a Spam Dictionary
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries on the menu to view the
default Spam Words list.
2. Select the Default Spam Words list. The Default Spam Words file contains a list of
common words that are typically seen in spam messages.
3. Click Download to save and view the text file of spam words. The list contains one word or
phrase per line, such as the following:
free pic
free pics
free picz
meds
medz
Administrators can use this base list to create their own dictionary of spam words by editing
the text file and adding one word or phrase per line. Default words that are not required can
be deleted.
The maximum length for a dictionary word or phrase is 35 characters.
143

Intercept Anti-Spam
To upload the new spam dictionary file:
1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.
2. Click Add to add a new dictionary file.
3. Click Browse to select the file to be uploaded. Click Continue.
144

Intercept Components
The file information screen displays the initial contents of the file. You can change both the
name of the list and the type of dictionary.
Set the Type of file to spam. This indicates that this dictionary file can be used with the Spam
Dictionaries feature.
Click Continue to finish uploading the file. The new dictionary will now appear in the list and
can be selected when using Spam Dictionaries.
145

Intercept Anti-Spam
Mail Anomalies
The Mail Anomalies feature performs checks on incoming messages to help determine whether
the message is coming from a known source of spam or is legitimate mail. Systems that send
spam have certain characteristics that can give away the nature of the sending system. Many
spammers deploy scripts and use spoofed or false information when sending mail. By checking
incoming connections for patterns of these behaviours, ePrism can help to determine whether
mail from an incoming system is legitimate or spam.
The Mail Anomalies feature checks messages for a variety of information that may reveal
discrepancies between the message’s sending host and the host listed in the message
envelope and contents, and information about messages recently sent by the sending host. A
message must fail four or more checks to be classified as spam.
The following anomalies indicators can be enabled by the administrator. If a message fails four
or more checks, the weight assigned to Mail Anomalies in the Intercept advanced settings will
be the score used for Intercept processing.
DNS Information
The following checks relate to issues with DNS record lookups for the sending host:
• Missing client reverse DNS — Checks if the sending host has a PTR (address to name)
record and the PTR record has a matching A (name to address) record.
• Missing sender MX — Check if the sender mail address has a DNS MX record.
This check is more restrictive than the check for Unknown sender domain. If Unknown
sender domain fails then this check will also fail. It is recommended that only one of the two
checks be used at the same time.
146

Intercept Components
• Unknown sender domain — Check if the sender mail address has a DNS A or MX record.
This check is less restrictive than the check for Missing sender MX. If this check fails then
Missing sender MX will also fail. It is recommended that only one of these two checks be
used at the same time.
• Invalid HELO/EHLO hostname — Checks if the HELO/EHLO address is a valid
hostname.
• Unknown HELO/EHLO domain — Checks if the HELO/EHLO address has a DNS A or
MX record.
Client Behaviour
The following checks relate to issues with the connecting client’s SMTP connection and
message information:
• Unauthorized pipelining — Check if the client sends SMTP commands ahead of time
without knowing that the mail server actually supports SMTP command pipelining. This
check detects bulk mail software that improperly uses SMTP command pipelining to speed
up deliveries.
• HELO/EHLO doesn’t match client — Check if the HELO/EHLO address matches the
sending host address.
• Missing From header — Check if the From header is present.
• Missing To header — Check if the To header is present.
• Envelope sender doesn’t match From header — Check if the From header matches the
envelope sender address.
Recent Activity
The following checks identify clients who have recently sent spam or viruses and will only work
if Threat Prevention (configured via Mail Delivery ➝ Threat Prevention) is enabled.
• Recent spam from client — Check if the sending host recently sent spam.
• Recent virus from client — Check if the sending host recently sent a virus.
147

Intercept Anti-Spam
BorderWare Security Network
The BorderWare Security Network (BSN) helps to identify spam by reporting behavior
information for a collection of metrics about the sender of a mail message, including their overall
reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected
or sends large amounts of spam messages, based on information collected from customer
ePrism systems and global DNS Block Lists.
This information can be used by the ePrism Email Security Appliance to either reject the
message immediately or contribute to the Intercept score if a message is detected from a
source with a poor reputation or numerous virus infections.
If this option is enabled, ePrism will ask for statistics from the BSN Domain service for the
sender IP of each message received, excluding those from trusted and known networks. Using
the information returned from BSN, ePrism can make a decision about whether a message is
spam or legitimate mail. A reputation of "0" indicates the sender is extremely reliable and rarely
sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and
often sends spam or viruses. An IP address with no previous information from any source is
assigned a value "50".
BSN Statistics Sharing
Statistics from your ePrism can also be shared with BSN by selecting the share statistics option.
The following message count statistics and the upstream client IP are sent to the BSN network
when Share Statistics is enabled on ePrism:
• Total mail
• Clean mail
• Spam mail
• Virus mail
• Unknown recipient
• Known recipients
• Malformed mail
BSN Domain service queries use the DNS protocol on UDP port 53. BSN statistics sharing uploads
to the BSN network using HTTPS on port 443. These ports must be opened up on your network
firewall if ePrism is located behind the firewall.
Note the following considerations when using BSN:
• If the BSN server is not available, the DNS request times out. This may affect performance
and requires monitoring for timed-out connections. Remove any servers which you do not
use to prevent time-outs.
• If a message that you want to receive from a client is blocked by BSN, add a Specific Access
Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be
used to "Bypass" (skip anti-spam and content checks), "Trust" (to accept and train as valid
mail) or "Accept" (just accept without training) the message, however, this may interfere with
later ePrism processing and using SAPs is recommended.
148

Intercept Components
BSN Trusting for Relays
Administrators can trust friendly local networks or addresses of known mail servers in their
environment that relay mail via ePrism. These specific networks and servers can be added to
the "relays" IP Address list in the Threat Prevention feature to prevent them from being blocked
by Threat Prevention and BSN, as well as ensuring that reputation statistics for these
addresses will not be reported to BSN.
For example, it is possible that in ePrism environments with a backup MTA (Mail Transfer
Agent) system, the backup system may be misclassified by BSN. If ePrism is offline, mail will
be collected by the backup MTA as specified in the organization's MX records. When ePrism
comes back online, this mail (which may include spam, viruses, and other types of infected
mail) from the backup MTA will be forwarded to ePrism for processing. If BSN is enabled, this
backup system may receive a low reputation score by BSN.
To add a system to the relays list:
1. Click the internal hosts and friendly mail relays link on the BSN menu.
2. The relays static IP/CIDR list screen will appear:
3. Add the address of any internal relays and a description, and then click the Add button.
149

Intercept Anti-Spam
Configuring BSN Checks
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then BorderWare Security Network on
the menu.
• Enable — When BSN is enabled, incoming messages will be checked against the spam
information gathered by the BSN network.
• BSN Domain — Enter the BSN domain to query. The default (ipdns.borderware.com)
is the primary BSN domain, and should not be modified.
• Share Statistics — Enable BSN information, such as spam and virus statistics for
connecting client IP addresses, from this ePrism to be shared with the BSN network.
Port 443 must be enabled outbound to allow statistics to be uploaded to the BSN server. There are
no security risks associated with sharing statistics. ePrism does not relay any private or sensitive
information to the BorderWare Security Network.
• Check Relays — When this option is enabled, the configured amount of received headers
will be checked with BSN. For example, an email message may have been relayed by four
mail servers before it reached ePrism. Use this field to specify how many relay points,
starting from the latest headers to the earliest, should have their reputation checked via
BSN. Acceptable values are between "0" and "ALL". Recommended values are "0" (off), "1"
or "2". The default is "0" (off).
Check Relays should be enabled if ePrism is installed behind another MTA or mail gateway. This
ensures the relay before the intermediary MTA is checked.
• Exclude Relays — This option specifies how many received headers to exclude from BSN
checks, starting from the earliest header to the most recent. For example, if Check Relays is
enabled, setting this value to 1 means that the first relay point will not be checked. Note that
some ISPs include the originating dial-up IP as the first relay point which can lead to
legitimate mail being classified as spam by BSN. Recommended values are "0" (off) or "1".
The default is "0" (off).
This setting will only be enabled if Check Relays is also enabled.
As an example of using the Check Relays and Exclude Relays options, consider the following
scenario:
Server A -> Server B -> Server C -> Server D -> ePrism
With the mail relayed via four previous servers (A-D), the received headers of a message will
appear in the following order:
150

Intercept Components
Received: D
Received: C
Received: B
Received: A
Setting the Check Relays option tells ePrism to start with server "D" and check the configured
number of received headers. If Check Relays is set to "3", it will check "D", "C", and "B".
Use the Exclude Relays option to tell ePrism to ignore the configured number of received
headers starting at the end of the header list regardless of what the Check Relays option is set
to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.
BSN Connection Rejects
By default, ePrism uses BSN feedback as part of the Intercept decision. To override this default
behavior, ePrism can use BSN information for connection level rejects. When overriding the
default behavior with BSN, ePrism provides the following options:
• Reject on BSN Reputation — If enabled, the ePrism Email Security Appliance will reject
messages from senders whose reputation is above the configured Reputation Threshold. A
reputation of "0" indicates the sender is extremely reliable and rarely sends spam or
viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends
spam or viruses. An IP address with no previous information from any source is assigned a
value "50".
BSN rejects can be overridden by creating a Specific Access Pattern to "Trust" the rejected
address. BSN rejects cannot be overridden by a policy. Pattern Based Message Filtering
can also be used to "Bypass" (to bypass all Anti-Spam and content checks), "Trust" (to
accept and train as valid mail) or "Accept" (just accept without training) the message,
however, this may interfere with later ePrism processing and using SAPs is recommended.
• Reputation Threshold — Enter a reputation threshold over which a message will be
rejected. Generally, a rejection threshold of "70" to "75" will reject at least 60% of spam
messages. If desired, this threshold can be set to a less aggressive value of "90" which
results in about 40% of spam messages being rejected via this feature.
• Reject on Infection — If enabled, the ePrism Email Security Appliance will reject
messages from senders whose infection score is above the configured Infection Threshold.
• Infection Threshold — Indicates the criteria for rejecting messages based on whether the
sending host is Currently infected (received in last hour), or Recently infected (received in
last day). This is setting is only valid when Reject on Infection is enabled.
• Reject Connection From Dial-ups — If enabled, the ePrism Email Security Appliance will
reject messages sent directly from dial-up connections.
151

Intercept Anti-Spam
If a message is not rejected because it violates a BSN threshold, the reputation score and
information about whether the sender is a dial-up can be incorporated into the overall Intercept Anti-
Spam decision.
• BSN Reject Message — This option allows the administrator to customize the reject
message for BSN. Use "%s" to specify the IP address of the rejected sender, such as:
go to http://intercept.borderware.com/lookup?ip=%s
BSN rejection, infection, and dial-up log messages will include a URL similar to the following:
BSN 450: blocked by Intercept: go to http://
intercept.borderware.com/ lookup?ip=[client_ip]
where the client_IP is the connecting system that was rejected. Clicking the URL will open
up a web page displaying BSN reputation statistics on the specified IP address.
152

Intercept Components
DNS Block List
DNS Block Lists (DNSBL) contain the addresses of known sources of spam and are
maintained by both commercial and non-commercial organizations. The DNSBL mechanism is
DNS-based resulting in a lookup on the specified DNSBL server for every server that attempts
to connect to ePrism.
The weight assigned to DNS Block Lists in the Intercept advanced settings will be the score
(default is 80) used by Intercept processing when a DNSBL is triggered for a message. If a
sender is matched on more than one DNS Block List, this will increase the weight score
assigned by Intercept for each list it is matched on.
Note the following considerations when using DNSBL:
• If the DNSBL server is not available the DNS request will time out. This may affect
performance and requires monitoring for timed-out connections. Remove any servers
which you do not use to prevent time-outs.
• If a message that you want to receive is blocked by a DNSBL, add a Specific Access
Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be
used to "Bypass" (to bypass all Anti-Spam and content checks), "Trust" (to accept and train
as valid mail) or "Accept" (just accept without training) the message, however, this may
interfere with later ePrism processing and using SAPs is recommended.
Configuring DNSBL
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then select DNS Block List to configure
the options for this feature:
• Enable DNSBLs — Select this check box to enable DNSBL lookups.
• Check Relays — The Check Relays setting deals with spammers who are relaying their
messages, usually illegally, through an intermediate server. The information about the
originating server is carried in the headers of the message. Use this field to specify how
many relay points, starting from the latest headers to the earliest, should be checked
against a DNS Block List. Acceptable values are between "0" and "ALL". It is recommended
that this option be left at the default value of "0" (off), or set to "1" or "2".
153

Intercept Anti-Spam
This option should be enabled if ePrism is behind another MTA or mail gateway. This ensures the
relay before the intermediary MTA is checked.
• Exclude Relays — This option defines how many received headers to exclude from DNSBL
checks, starting from the earliest to the most recent. Some ISPs include the originating dialup
IP as the first relay point which can result in legitimate mail being blocked by DNSBLs
that block dial-ups. It is recommended to set this value to "1" or "0". Use "1" if any of the
DNSBL servers utilized include dynamic IP addresses (such as a dial-up connection). If the
DNSBL service does not include dial-ups, set this to "0" to ensure mail originating from
webmail systems are not rejected.
As an example of using the Check Relays and Exclude Relays options, consider the
following scenario:
Server A -> Server B -> Server C -> Server D -> ePrism
With the mail relayed via four previous servers (A-D), the received headers of a message
will appear in the following order:
Received: D
Received: C
Received: B
Received: A
Setting the Check Relays option tells ePrism to start with server "D" and check the
configured number of received headers. If Check Relays is set to "3", it will check "D", "C",
and "B".
Use the Exclude Relays option to tell ePrism to ignore the configured number of received
headers starting at the end of the header list regardless of what the Check Relays option is
set to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.
• Reject on DNSBL — Enable the check box to reject mail from blocked clients regardless of
other message processing.
Reject on DNSBL will reject the message at SMTP connection time regardless of other Intercept
processing. Caution should be used when enabling this feature. Note that this feature, if enabled,
cannot be disabled by a Policy.
• DNSBL Reject Threshold — The number of Block Lists to trigger before rejecting based on
DNSBL. If this value is set to "2", the server must appear on at least two DNSBLs before
being rejected.
154

Intercept Components
DNSBL Domains
Click Edit to modify the list of your DNSBL domain serves. Click Update when finished.
The default DNSBL servers supplied will cover most cases and should not be changed without
careful consideration.
155

Intercept Anti-Spam
URL Block Lists
URL Block Lists contain a list of domains and IP addresses of URLs that have appeared
previously in spam, phishing, or other malicious messages. This feature is used to determine if
the message is spam by examining any URLs contained in the body of a message to see if they
appear on a block list.
Similar to DNS Block Lists, the URL Block List will be queried to see if a URL exists on the
configured block list server. If a match is found, this information will be used by the Intercept
engine to decide whether a message is spam or legitimate mail.
If the URL in a message is matched on a URL Block List, it will be assigned a score as per the
URL Block List weighting configured in the Intercept advanced Component Weight setting
(default is 90.) If a URL is matched on more than one URL Block List, this will increase the
weight of the score assigned by Intercept for each list it is matched on.
To configure URL Block Lists:
Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then select URL Block List on the menu.
Select the Enable UBLs check box to enable URL Block List checks.
UBL Domains
URLs can be checked either by a SURBL (Spam URI Realtime Block Lists) method that
performs lookups for a domain using the base domain or IP addresses of the URL, or a DNSBL
lookup that can query a DNS Block List server to lookup the full domain using the resolved host
IP address for the URLs in a message.
St. Bernard provides a default SURBL server that can be used for the URL Block List. Other
SURBL or DNSBL lists can be added by the administrator, but caution must be taken when
adding servers as some free services may introduce false positives.
Click the Edit button to configure the SURBL and DNSBL server lists.
156

Intercept Components
UBL Whitelist
Administrators can define a list of domains and IP addresses that will be trusted, even if
messages from those addresses contain URLs that appear in a URL Block List.
Enter a domain name or IP address to be trusted and then click the Add button.
If a domain is entered (such as "example.com"), all subdomains of that domain will also be
included (such as "www.example.com").
A list of domain names and IP addresses can also be uploaded in one text file. The entries
must appear one per line in the form:
192.168.1.100
192.168.10.200
example.com
The file (ubl_wl.csv) should be created in csv file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the file first by clicking Download
File, editing it as required, and uploading it using the Upload File button.
157

Intercept Anti-Spam
Bulk Analysis
Bulk Analysis utilizes a set of servers that maintain databases of message checksums derived
from numeric values that uniquely identify a message. Mail users and ISPs all over the world
submit checksums of all messages received. The database records how many of each message
is submitted. If requested, the Bulk Analysis server can return a count of how many instances of
a message have been received. ePrism uses this count to determine the disposition of a
message.
A Bulk Analysis server receives no mail, address, headers, or any similar information, but only
the cryptographically secure checksums of such information. A Bulk Analysis server cannot
determine the text or other information that corresponds to the checksums it receives. It only
acts as a clearinghouse of counts of checksums computed by clients. This Bulk Analysis
provides a simple but very effective way to successfully identify spam and control its disposition
while updating its database with new spam message types.
The weight assigned to Bulk Analysis in the Intercept advanced settings will be the score used
by Intercept processing if the message is considered bulk.
You must allow a connection on UDP port 6277 on your firewall or router to allow communications
with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow
down mail delivery.
Bulk Analysis Considerations
When implementing Bulk Analysis, consider the following:
• Educate your user community about this tool and request them to submit mailing lists and
other bulk mail sources that need to be trusted. This step is crucial if Bulk Analysis and
Token Analysis are to work properly.
• Set your Intercept spam dispositions so that users can recognize that a mail has been
mistakenly identified as spam. This will allow users to report back false positives. The
Modify Subject Header disposition is well suited for this task.
158

Intercept Components
Configuring Bulk Analysis
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Bulk Analysis
to configure its options.
Threshold Settings
The threshold is used to determine what should happen to mail when it has been classified.
• If bulk exceeds — Bulk Analysis returns a number showing how many times the message
has been identified. This can be zero (unique and therefore not bulk) or another number,
such as 1352, indicating that the message has been reported as bulk this many times.
It may also return the value "many". This is a special Bulk Analysis value returned when
Bulk Analysis has seen a certain message in such volumes and in such a frequency that it
is most certainly considered "bulk".
For Bulk Analysis to be useful, you need to specify a threshold that will trigger an action. It
is recommended that you enter either "many" or a value of 50 or 100.
Body1, Fuz1, and Fuz2 are settings that specify which checksums will be calculated and
sent in. It is recommended that you leave the default settings. These settings effectively
counter the efforts of spammers to randomize message content and evade detection as
bulk. Results of the various counts can be viewed in the transport logs.
Click the Advanced button to reveal additional settings such as From, ID, and IP. The
selected checksums must be supported by the Bulk Analysis server to work properly and it
is recommended that you use the default settings.
These additional settings should be used with caution, as they may increase the risk of false
positives.
159

Intercept Anti-Spam
• Bulk Analysis Warning Threshold — The threshold for the expected Bulk Analysis
successful response rate, as a percentage of total number of Bulk Analysis queries
performed. If the successful response rate falls below this value, an alarm will be generated.
It is acceptable to have some value of loss depending on network connectivity. This feature
is used to determine whether communication between ePrism and the Bulk Analysis
network is occurring properly.
Bulk Analysis Servers
Click Edit in the Bulk Analysis Servers section to configure your server settings, if required.
he default Bulk Analysis server supplied will cover most cases and should not be changed without
careful consideration.
You must allow a connection on UDP port 6277 on your firewall or router to allow communications
with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow
down mail delivery.
Bulk Analysis Trusted and Blocked Entry List
Administrators can create exceptions to bulk classifications by using the Trusted and Blocked
List. In many cases, it may be easier to specify such exceptions using Pattern Based Message
Filters, in which case the mail bypasses all anti-spam settings. It is recommended that Pattern
Based Message Filters be used for creating exceptions. The Bulk Analysis trusted and blocked
entry list feature is useful for removing legitimate bulk mail, such as mailing lists, from
consideration as bulk while letting it be scanned by Intercept for other spam characteristics.
Click Edit to add entries to the Trusted and Block Entry lists. Click Apply to add the new entry.
160

Intercept Components
Token Analysis
Token Analysis is a sophisticated method of identifying spam based on statistical analysis of
mail content. Simple text matches can lead to false positives because a word or phrase can
have many meanings depending on the context. Token Analysis provides a way to accurately
measure how likely any particular message is to be spam without having to specify every word
and phrase.
Token Analysis achieves this by deriving a measure of a word or phrase contributing to the
likelihood of a message being spam. This is based on the relative frequency of words and
phrases in a large number of spam messages. From this analysis, it creates a table of
"discriminators" (words associated with spam) and associated measures of how likely a
message is spam.
When a new incoming message is received, Token Analysis analyzes the message, extracts
the discriminators (words and phrases), finds their measures from the table, and aggregates
these measures to produce a spam metric for the message. This spam metric is the score
assigned by Token Analysis to be used in the Intercept Anti-Spam decision.
Token Analysis has a built-in weighting mechanism that assigns a value between 0 and 100 to
indicate whether a message is spam. A message with a low metric (closer to 0) is considered to
be legitimate, while a message with a high metric (closer to 100) is considered to be spam.
Token Analysis uses three sources of data to build its run-time database:
• The initial tables supplied are based on analysis of known spam.
• Tables derived from an analysis of local legitimate mail. This is referred to as "local
learning" or "training".
• Training provided by spam from PBMF Spam, Bulk Analysis, DNSBL, SPF, and
DomainKeys Intercept components.
How Token Analysis Works
Consider the following simple message:
---------------------------------------------------------------
Subject: Get rich quick!!!!
Click on http://getrichquick.com to earn millions!!!!!
---------------------------------------------------------------
Token Analysis will break the message down into the following tokens:
[Get] [rich] [quick!!!] [Click] [on] [http:// getrichquick.com]
[to] [earn] [millions!!!!!]
Each token is looked up in the database and a spam metric is retrieved. The token "Click" has
a high metric of 91, whereas the word "to" is neutral (indicating neither spam nor legitimate.)
These metrics are aggregated using statistical methods to give the overall score for the
message of 98.
161

Intercept Anti-Spam
Mail messages with a spam metric of 90 or greater are very likely to be spam. Lower values (50-
60) indicate possible spam, while very low values (20-25) are unlikely to be spam. These spam
metrics are the score assigned by Token Analysis as part of the final Intercept Anti-Spam
decision.
Configuring Token Analysis
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Token Analysis
to configure its properties.
When enabled, Token Analysis will always run in training mode and analyze all local mail. Local
mail is assumed to be not spam and the frequency of the words found in this mail may therefore
be used to modify the values supplied by St. Bernard’s master list. For example, a mortgage
company may use the word "refinance" quite frequently in its regular mail. The likelihood of this
word suggesting spam would therefore be reduced.
Token Analysis trains messages for spam if one of the following features (if enabled) classifies a
message as spam:
• PBMF spam
• Bulk Analysis
• DNS Block Lists
• URL Block Lists
• BSN Reputation
Token Analysis can train messages from the following sources as legitimate mail:
• PBMF "Train" action
• Trusted Subnet
162

Intercept Components
Token Analysis Modes
• Training Only — Token Analysis will analyze local mail but will NOT classify incoming mail.
• Scanning and Training — Token Analysis will analyze local mail AND will classify
incoming mail.
Rebuild Database
Click the Rebuild Database button to rebuild the Token Analysis database. The run-time
engine is built and rebuilt at two hour intervals using several sources such as the supplied
spam data, updated data from St. Bernard, trained spam from other Intercept features, and
local training. Since the database is not built for the first time until two hours after installation,
you can use this option to immediately rebuild the Token Analysis database.
Delete Training
Click the Delete Training button to remove all training material. You should delete all training
material if your ePrism system has been misconfigured and starts to treat "trusted" mail as
"untrusted" or vice versa.
Token Analysis Advanced Options
Click the Advanced button to reveal additional Token Analysis options. These options are for
advanced configuration only, and it is highly recommended that the default values be used.
Modifications to the default values may decrease Token Analysis accuracy and should be used
with care.
Neutral Words
Neutral words are words that may or may not indicate spam. For example, a mortgage
company may want to build a neutral word list that includes "refinance" or "mortgage" because
these words show up quite frequently in spam mail. By adding them to the neutral word list, the
likelihood of this word suggesting spam would therefore be reduced to a neutral value.
• Default Neutral Words — Select the check box to enable the neutral words list. This list
helps prevent pollution of the Token Analysis database. It is recommended that you leave
this option enabled.
• Uploaded Neutral Words — Enables the use of the uploaded neutral words list.
163

Intercept Anti-Spam
Upload a file using the Upload Neutral Words button. The file must be in text format and
contain a list of neutral words with one word per line. Uploading a new list will replace the
previous neutral words list.
The system will automatically rebuild the Token Analysis database during the upload of a neutral
words list. This process may take some time to complete.
Token Analysis and Languages
The Token Analysis spam database is based on English language spam. As a result, it may not
be initially responsive to spam created in other languages. The ability to learn means that it can
readily adapt to other languages. Ensure that Bulk Analysis is enabled because all mail
identified as "bulk" by Bulk Analysis will be used by Token Analysis to train as spam. Assuming
that some of these bulk messages are in the local language, Token Analysis will build a
database that reflects that language.
Token Analysis will train on local legitimate mail from the moment the system is started. This will
help properly characterize the local language use by building up a database of good words to
help prevent mail messages from being classified as spam.
To train ePrism with known local language spam mail, it is recommended that you set up rules
to use the "Certainly Spam" action in Pattern Based Message Filters (PBMF). Messages
specified as "spam" will be forwarded to Token Analysis and will increase its database of local
language words.
Japanese, Chinese, and Korean Language
Token Analysis can alter the processing behavior for Japanese, Chinese, and Korean language
messages to ensure they are not automatically classified as spam. These include the following
character sets:
• Japanese major character sets — ISO-2022-JP, EUC-JP, Shift-JIS
• Chinese major character sets — GB2312, HZ-GB-2312, BIG5, GB7589, GB7590,
GB8565.2-88, GB12052, GB/T12345, GB/T13131, GB/T13132, GB/T13000.1, ISO-2022-
CN, ISO-2022-CN-EXT
• Korean major character sets — KS C 5601 (KS C 5601-1987), EUC-KR, ISO-2022-KR
For each character set, select how Token Analysis will process the message:
• Default — All content is processed by Token Analysis. If you receive legitimate mail in these
languages, this may result in false positives.
• No Token Analysis Scan — Token Analysis scanning will be turned off for all messages
containing Japanese, Chinese, and Korean language characters.
• Lenient Token Analysis Scan — Token Analysis scanning will be turned off for only the
parts of the message containing Japanese, Chinese, and Korean language characters. The
rest of the message will be processed normally. If there are 20 or fewer tokens in the
message of non-Japanese, Chinese, and Korean characters, the Token Analysis scan will
be skipped for that message.
164

Intercept Components
Image Analysis
An Image Spam email message typically consists of random text or no text body and contains
an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the
spam message. These types of spam messages are difficult to detect because the message
contains no helpful text or URL characteristics that can be scanned and analyzed.
The Image Spam Analysis feature performs advanced analysis of image attachments to help
determine if the message is spam or legitimate mail. Similar to ePrism's other Anti-Spam
features that detect spam characteristics in the text of a message, the Image Analysis feature
extracts certain characteristics of the attached image to determine if these characteristics are
similar to those seen in actual spam messages.
1. Ensure the Enable Token Analysis option is enabled using "Scanning and Training" mode.
2. Select the Enable Image Analysis check box in the Options section.
3. Click the Apply button.
Allow at least 24 hours for the Token Analysis scanner to scan and train incoming mail and
update its database to see an improvement in spam catch rates.
To accelerate this process:
1. Select Management ➝ Security Connection on the menu, and then click the Connect
Now button to retrieve the latest Token Analysis database updates.
2. Select Mail Delivery ➝ Anti-Spam ➝ Intercept ➝ Token Analysis on the menu, and
then click the Rebuild Database button to perform a manual rebuild of the Token Analysis
database. (The database is rebuilt automatically every two hours.)
Diagnostics
The diagnostics section allows administrators to configure diagnostic options for Token
Analysis to help with troubleshooting.
• Enable X-STA Headers — This setting inserts X-STA (Token Analysis) headers into all
messages. These are not visible to the user (although they can be filtered in most mail
clients), but can be used to gather information on why mail is processed in a particular way.
The following headers will be inserted:
• X-STA-Metric: The "score" assigned by Token Analysis, such as 95, which would
indicate a spam message.
• X-STA-NotSpam: Indicates the words with the highest non-spam value found in the
message.
• X-STA-Spam: Indicates the words with the highest spam value found in the message.
• Enable Monitoring — Select the check box to enable the monitoring of messages received
by the specified email address.
• Monitor email for — Enter an email address that you would like to monitor.
• Copy to — Copy messages and the Token Analysis diagnostic to this email address.
165

Intercept Anti-Spam
Token Analysis Training
The following sections allow you to define advanced parameters for Token Analysis training,
such as legitimate and spam mail training settings.
Legitimate Mail Settings
The following settings are advanced options for the handling of legitimate mail:
• Valid Training Sources — Select Trusted/Local Mail to train all local trusted network mail
for Token Analysis, or select No Training.
If "No Training" is selected, the Heuristic 1 Intercept Decision strategy should be used that deemphasizes
Token Analysis. This prevents false positives from occurring when using the Heuristic 2
strategy.
• Local Limit — Enter the maximum number of messages from local users that can be used
for Token Analysis training. When the limit is reached, older training messages are deleted
as new messages arrive. Default is 20000.
• Local Threshold — Set the threshold for messages from local users to be used for training.
If the Token Analysis classification for the message is greater than or equal to the specified
number, the message will be used for training.
• Source Weighting % — For Token Analysis to be useful and efficient, the training must be
based on well selected data. The initial database supplied represents well selected data,
and is therefore highly weighted, compared to uploaded legitimate mail or legitimate mail
from the trusted network.
• Default: Enter a percentage for the weight of the default Token Analysis database of valid
mail.
166

Intercept Components
• Uploaded: Enter the weight of locally uploaded valid mail. Legitimate mail can be
uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text
Unix mbox format. A minimum of ten messages should be uploaded to be effective.
• Trusted-net: Enter the weight of mail from trusted networks that are automatically trained
as valid mail.
When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for
Upload, and 20% for Trusted. Significant changes to the source weighting may decrease Token
Analysis accuracy.
Spam Training
Select which features (if enabled) that will be used for spam training:
• BSN Reputation — Train using mail marked as spam by BSN Reputation.
• BSN DUL — Train using mail marked as spam by BSN DUL.
• Bulk Analysis — Train using mail marked as spam by Bulk Analysis.
• DNSBL — Train using mail marked as spam by DNSBL.
• Domain Keys — Train using mail marked as spam by DomainKeys.
• PBMF — Train using mail marked as spam by PBMF.
• SPF — Train using mail marked as spam by SPF.
• URL Block List — Train using mail marked as spam by URL Block List.
Spam Settings
The following settings are advanced options for the handling of spam mail:
• Spam Limit — Enter the maximum number of spam messages used for training.
• Spam Training Threshold — Set the threshold for spam messages to be used for training.
If the Token Analysis classification for the message is less than or equal to the specified
number, the message will be used for training.
• Source Weighting — For Token Analysis to be useful and efficient, the training must be
based on well selected data. The initial database represents well selected data and is
therefore highly weighted, compared to uploaded spam mail or bulk mail from Bulk
Analysis.
• Default: Enter a percentage for the weight of the default Token Analysis database of
spam mail.
• Uploaded: Enter the weight of locally uploaded spam mail. Spam mail can be uploaded
by clicking the Upload Spam Mail button. The mail must be in plain-text Unix mbox
format. A minimum of ten messages should be uploaded to be effective.
• Detected: Weight of mail from Bulk Analysis, DNSBL, UBL Block Lists, PBMF or BSN
automatically trained as spam.
When uploading mail, it is recommended to set the weighting to 60% for Default, 20% for Upload,
and 20% for Bulk. Significant changes to the source weighting may decrease Token Analysis
accuracy.
167

Intercept Anti-Spam
Dictionary Spam Count
Recent changes to the way that spammers compose their messages can reduce the
effectiveness of the Token Analysis filter. By introducing large numbers of normal words into
their spam messages, they can hide their content because the normal words outweigh the spam
words and result in a low spam count. More aggressive settings may result in more false
positives. ePrism counters this in two ways:
1. All words in the ePrism dictionary are now assigned a base level of how likely they are to be
spam. In a normal message, this increased level will not result in a false positive, since the
overall count is low. In a spam message, the result is different; the normal words will not
counteract the spam content, and the message is correctly identified as spam.
2. Training on local mail now works to reduce this base level closer to zero. This further
reduces the likelihood of a false positive.
The Dictionary Count is set to one "1" by default. This should be sufficient for most situations. It
is recommended that you only change the default value if the following conditions occur:
• If there are too many false positives and this is not alleviated by training, then the Dictionary
Count should be set to zero "0", disabling this feature.
• If too much spam is passing then the Dictionary Count can be increased. Try increasing the
value to "10". If this results in too many false positives, reduce it to "5".
This setting should only be considered for modification if other measures (training, threshold
changes, uploading spam and/or legitimate mail) have been tried and have not provided the desired
result.
Troubleshooting Token Analysis
Token Analysis is a very effective anti-spam tool and provides the mail administrator with a
variety of options to finely tune this feature for their particular environment. With these advanced
controls, there is a greater chance of creating a configuration that may result in excessive false
positives (mail marked as spam when they are legitimate) or false negatives (mail not marked
as spam when they are spam.)
The following are some considerations when troubleshooting issues with Token Analysis:
For excessive false positives:
• Ensure that the system has gone through a cycle of training.
• Ensure that any mailing lists that the organization sends out are trusted (via PBMF) as
"accept".
• Check for tokens that may be words used by the organization for their regular business. For
example, a financing company would want the words "mortgage" or "refinance" to be
allowed as legitimate tokens.
• Lower the component weighting in the Intercept advanced settings.
For excessive false negatives:
• If Bulk Analysis is enabled, ensure that it is working properly and it is using Token Analysis
for training.
• Check that any mailing lists received by the users are trusted (via PBMF) as "Bypass" or
"Accept".
168

Intercept Components
Sender Policy Framework (SPF)
Sender Policy Framework is a sender authentication technology that prevents spammers from
spoofing mail headers and impersonating a legitimate email user or domain to prevent phishing
attacks. Unsuspecting users may reply to these seemingly legitimate addresses with personal
and confidential information.
SPF provides a means for authenticating the source of an email by querying the sending
domain’s DNS records. The SPF protocol allows server administrators to describe their email
servers in their DNS records. By comparing the headers of the email with the SPF value, the
receiving host can verify that the email is originating from the legitimate mail server for that
domain. This prevents spammers from sending forged emails.
ePrism’s SPF actions only apply to incoming mail messages that have failed an SPF check (the
email message does not match the corresponding published SPF record.) If a specific mail
server does not have an existing SPF record then the message is processed normally. It is
possible, however, that administrators may misconfigure their DNS SPF records resulting in
false positives and legitimate hosts being blocked from sending you mail.
The weight assigned to SPF in the Intercept advanced settings will be the score used by
Intercept processing if the message fails an SPF check.
SPF is an emerging anti-fraud and anti-phishing technology that is designed primarily as a
mechanism to prevent forged emails rather than an anti-spam measure. It is dependent on
network administrators publishing their legitimate email servers in their DNS records and
ensuring these records are properly configured. St. Bernard encourages customers that use
SPF in their DNS infrastructure to review their own SPF records to ensure they are accurate.
SPF Records
The SPF protocol allows you to describe your email servers in an SPF TXT record that is
attached to the domain's DNS record. A typical SPF DNS record is as follows:
example.com IN TXT "v=spf1 mx -all"
Administrators will add this data as a TXT record to their domain (example.com). The first part
is the name part of the record, such as "example.com", and the text in quotes is entered as
your TXT record data.
• "v=sp1" identifies the TXT record as an SPF string.
• "mx" specifies that mail can come from only the mail servers defined in your MX records.
• "all" specifies that no other servers are able to send from the specified domain.
You can set TXT records for both domains and individual hosts. For more information on SPF
and defining TXT records, see: http://spf.pobox.com/.
169

Intercept Anti-Spam
Configuring SPF
Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select SPF on the menu to configure
Sender Policy Framework settings.
• Enable SPF — Select the check box to enable SPF verification.
• Strip incoming SPF headers — This option removes any "Received-SPF" header from
incoming messages. Spammers may attach their own forged SPF headers to create the
impression that the email is from a legitimate source
• Add outgoing SPF header — This option adds an SPF header to the outgoing message.
170

Intercept Components
DomainKeys
DomainKeys is another sender authentication technology used to prevent spammers from
spoofing mail headers and launching phishing attacks. The sender of an email message is
authenticated by querying the sending domain’s DNS records. The DomainKeys protocol
allows server administrators to add a digital signature to their outgoing messages that can be
validated via DNS.
The domain owner generates a public and private key pair to use for signing all outgoing
messages. The public key is published in their DNS records and the private key is used to sign
outbound messages. By verifying the signature in the headers of the email using the public key,
the receiving host can verify that the email is originating from the legitimate mail server for that
domain. This prevents spammers from sending forged emails. ePrism also supports the signing
of outgoing messages with DomainKeys using the Policy engine.
ePrism’s DomainKeys actions only apply to incoming mail messages that have failed a
DomainKeys check (such as the email message does not match the corresponding published
DomainKeys record.) If a specific mail server does not have an existing DomainKeys record
then the message is processed normally. It is possible, however, that administrators may
misconfigure their DNS DomainKeys records, resulting in false positives and legitimate hosts
being blocked from sending you mail. The weight assigned to DomainKeys in the Intercept
advanced settings will be the score used by Intercept processing if the message fails a
DomainKeys check.
Configuring DomainKeys
Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select DomainKeys
Authentication to configure DomainKeys settings.
• Enable DomainKeys Authentication — Select the check box to enable DomainKeys
authentication.
• Strip incoming DK headers — Removes Authentication-Results: headers attached to
incoming messages. This option protects against spammers who add a forged
DomainKeys header to the message.
• Add Authentication Header — Adds an Authentication-Results: header to incoming
messages after they have been processed and verified by DomainKeys.
• Temporary DNS Error — Consider the message as spam in the event a DNS error
prevents a DomainKeys lookup for a sender’s key.
171

Intercept Anti-Spam
The message will be considered spam if any of the following checks are true:
• No Signature When Required — Consider the message as spam when there is no
signature, even if the sender says they sign all messages.
• No Signature When Not Required — Consider the message as spam when there is no
signature and the sender says they may not sign all messages.
• Invalid Signature — Consider the message as spam when the signature is invalid.
• Key Revoked — Consider the message as spam when the key used to sign the message is
no longer valid.
• Invalid Message Syntax — Consider the message as spam when the signature cannot be
checked because the message has invalid syntax.
• No Key — Consider the message as spam when the sending domain did not provide a key
for the selector specified in the message.
• Bad Key — Consider the message as spam when the sending domain provides an
unusable key.
Sender Testing DomainKeys
These checks can also be performed for messages from senders who are testing their
DomainKeys implementation by inserting a test flag into their DomainKeys DNS records. It is
recommended that you use the default settings which permit more lenient checks to be
performed against these test messages.
DomainKeys Log Messages
The response codes for DomainKeys processing will appear in the Mail Transport logs as
follows:
0 - Pass
1 - Neutral
2 - Fail
3 - Soft Fail
4 - Temporary Error
5 - Permanent Error
The logs will also indicate which DomainKeys check caused the error:
DomainKeys: from=user@example.com, result=permerror(bad key)
172

Intercept Components
DomainKeys Outbound Message Signing
To enable signing of outgoing messages, the domain owner generates a public/private key
pair. The private key is used by ePrism to digitally sign the message (prepended as a header)
using this key. The public key is then published in the domain’s DNS records. The receiving
system can authenticate the message by querying the domain owner’s DNS records for the
public key.
ePrism supports the signing of outgoing messages with DomainKeys using the Policy engine.
This allows administrators to allow signing for only certain domains which have been
configured in DNS for use with DomainKeys.
Select Mail Delivery ➝ DomainKeys Signing to configure global settings.
When enabled, the use of DomainKeys message signing must be configured via Policies.
Select Mail Delivery ➝ Policy ➝ Policy Definition to edit an existing policy or to add a new
policy. The DomainKeys signing section appears at the bottom of the policy screen.
• Enable — Select the check box to enable or disable signing of outbound messages in this
policy.
• Remove duplicate headers — Select the check box to remove duplicate headers, such as
Subject and To: fields, from the signature calculation. Any headers listed with the "h=" tag
in the DomainKeys header will be filtered for duplication and the corresponding headers will
be removed from the message envelope. This option should only be enabled if
experiencing issues with rejected messages due to duplicate headers.
• Canonicalization — This option specifies how white space characters are treated during
signing. The default is "No Folding White Space" which ignores these characters during
signing. This option is more lenient so that messages reformatted in transit, such as spaces
or lines inserted into or removed from the message by intermediate systems between the
signer and the receiver, are still valid. Selecting "Simple" keeps the signed message intact
to include white space characters so that any lines that are reformatted in transit will fail
validation.
173

Intercept Anti-Spam
• List Headers — When signing, place a list of the headers included into the DomainKey-
Signature: header. It is recommended that this option be enabled. When enabled, only
those headers listed will be used in verifying the signature. If this is option is disabled, then
all headers following the signature will be used in verifying the signature. Any headers
added by intermediary systems after the message is signed will cause the signature to be
invalid. Disabling the option increases security, but can create a large number of "invalid"
signatures because of headers added by intermediary systems.
• Selector Name — Set the Selector to use for DomainKeys signing.
• Selector List — Click the Edit button to edit the DomainKeys Selector list.
Selector List
A DomainKeys selector is a tag for a DNS record that is used by others to verify your
DomainKeys signature. This tag can be comprised of any characters, such as upper and lower
case letters, digits, dashes, underscores, and so on. Each selector has an associated public
and private key that can be generated by ePrism or via external methods. The selector is stored
in a DNS TXT record with the tag:
._domainkey.
Click the Add Selector button to add a new Selector to the list.
• Name — Enter a descriptive name for this selector.
• Selector — Enter the tag name for this selector.
• Private and Public Key — Displays the Private and Public Keys. These can be generated
automatically by choosing a key size and clicking the Generate Key Pair button.
Alternately, these keys can be generated externally and pasted into the respective text
boxes.
174

Intercept Components
• Key Size — Select the key size for the generated key pair. Larger keys result in a more
secure implementation because it decreases the probability of the keys being
compromised. It is recommended that a minimum of 1024 be selected.
• Generate Key Pair — Click the button to allow ePrism to generate a private/public key pair.
The resulting keys will be displayed in the respective information boxes above.
• Granularity — The selector record can also ensure that only a specific sender (a person or
entity) is allowed to use that particular selector. This is indicated by entering the portion of
the sender's email address that will appear to the left of the "@" symbol. For example,
"techsupport" will ensure those only messages from "techsupport@example.com"
are allowed to use the configured selector.
• Testing — Select the check box to indicate that this DomainKeys DNS record is being used
for testing only. This allows the administrator to perform testing on the validity of their
DomainKeys configuration. Receivers will generally be more lenient with verification errors
if the sender is in testing mode.
• Notes — An additional area for comments by the administrator. For example, an
administrator might list reasons why a particular selector was revoked.
DomainKeys DNS Record
When the private/public key pair have been created, ePrism automatically generates a TXT
record that can be used with your DNS server for DomainKeys signing. This record contains a
copy of your public key that receiving sites will use to authenticate the digital signature in your
outgoing messages.
A domain using DomainKeys (such as "example.com") will have a new subdomain in their
DNS configured as "_domainkey" prefixed to the domain, such as
"_domainkey.example.com".
A typical DomainKeys DNS record is as follows:
_domainkey.example.com IN TXT "t=y; o=-; n=notes;
r=test@example.com"
Administrators will add this data as a TXT record to their DomainKeys domain
(_domainkey.example.com). The first part is the name part of the record, and the text in
quotes is entered as your TXT record data.The TXT data contains information on the
DomainKeys policy, such as the following:
• "o=-" means all emails from this domain are signed
• "o=~" means some emails from this domain are signed
• "t" means Test
• "r" to enter the responsible email address
175

Intercept Anti-Spam
• "n" to enter free form notes on the record
Public key records are identified by a specific Selector (which allow a domain to have more than
one public key in DNS) and stored in separate TXT records for that DomainKeys domain name.
For example, the previously defined "_domainkey.example.com" domain will contain name
entries for each selector, such as:
selector1
The corresponding TXT data consists of various options and the public key to be used, such as:
g=; k=rsa; t=y; p=MEwwPQRJKoZ&ldots;
The value after "p=" is the public key. There are also other fields available for granularity (g),
test (t), and notes (n).
176

Intercept Advanced Features
Intercept Advanced Features
Click the Advanced button to reveal advanced Intercept Anti-Spam features that can be
enabled and configured by the administrator.
Advanced Intercept Components
The following additional Intercept Components appear when the Advanced button is selected.
• Reject on unknown sender domain — Rejects mail when the sender’s mail address does
not appear in the DNS as an A or MX record. This option applies to "untrusted" mail only.
• Reject on missing sender MX — Rejects mail when the sender’s mail address has no
DNS MX record.
• Reject on non FQDN sender — Rejects mail when the client MAIL FROM command is not
in the form of an FQDN (Fully Qualified Domain Name) such as "mail.example.com".
This option applies to "untrusted" mail only.
• Reject on unauth pipelining — Rejects mail when SMTP commands are sent ahead of
the message even though the SMTP server supports pipelining. This option blocks mail
from bulk mail software that uses SMTP command pipelining improperly to speed up
deliveries.
• Reject on missing addresses — Reject mail when no recipients (To:) or sender (From:)
were specified in the message headers. These fields are the optional To: and From: fields,
not the corresponding Envelope fields.
• Reject on missing reverse DNS — Reject mail from a host when the host IP address has
no PTR (address to name) record in the DNS, or when the PTR record does not have a
matching A (name to address) record.
Many servers on the Internet do not have valid Reverse DNS records. Setting this option may
result in rejecting mail from legitimate sources. It is recommended that you do not enable this
option.
These options are similar to those available in Mail Anomalies, but these options will reject if a
single match is found, while Mail Anomalies provides a score if a cross-section of four or more
matches are found.
177

Intercept Anti-Spam
Intercept Decision Strategy
The Intercept Decision Strategy allows administrators to alter the way in which Intercept
processes messages for spam.
• Highest Score — The Highest Score method will use the maximum score derived from all
the scans that were processed. For example, if Bulk Analysis, Mail Anomalies, and DNS
Block List are enabled, and DNS Block List results in the highest contributing score for all
the scans, then that score will be used.
To achieve similar results to the Anti-Spam behaviour of previous versions of ePrism, set the
decision strategy to Highest Score and set all component weights to 100.
• Sum of Weights — The message is initially classified by taking the maximum score of the
Token Analysis check. The weight of any other enabled components with a spam score is
then added.
The component weights should be adjusted to be lower than their default settings when using the
Sum of Weights decision strategy.
• Heuristic 1 — Components are divided into objective and subjective categories. Objective
components are DNS Block List, URL Block List, Mail Anomalies, BSN Dial-up, Bulk
Analysis, SPF, and DomainKeys. Subjective components are Spam Dictionaries, Token
Analysis, and BSN reputation. The message is classified initially by combining the
subjective scores and the classification is then adjusted by combining the objective scores.
A baseline is established with a subjective filter. If Token Analysis scores a message at 60,
a baseline of "Maybe Spam" is established. One additional objective filter that triggers will
categorize the message as "Probably Spam". Two objective filters will increase the level to
"Certainly Spam".
• Heuristic 2 — This strategy is similar to the Heuristic 1 strategy except that the subjective
component scores are weighted more heavily in the final decision than in Heuristic1.
• Statistical — Scans are processed independently and the resulting score represents the
probability that a message is spam based on statistical computation of the results.
• Bayesian — Scans are processed independently and the resulting score represents the
probability that a message is spam based on Bayesian computation of the results.
178

Intercept Advanced Features
Intercept Component Weights
Administrators can customize the Intercept engine by configuring the weights for each Intercept
component that will help determine the final spam score for a message. These values
represent the scores that will be used if that component is triggered.
For example, if a mail message triggers a DNS Block List, the spam score contribution for that
message will be the defined weight, such as 80. If the message also triggers a classification by
Bulk Analysis, the Bulk Analysis weight, such as 75, will be added also.
The final result of these scores will be decided by your selected Decision Strategy, such as
Highest Score or Sum of Weights. Valid weights for each component are from 0 to 100. Set the
weight to "0" if you want that feature to have no bearing on the final spam score of a message.
Set this value to "100" if you want this component to have a strong weight on the final spam
score of a message.
The default accuracies are recommended by St. Bernard, and any modifications to these
percentages should be performed with careful consideration.
• Spam Dictionaries — A value of 0 means that this indicator is a completely unreliable
indicator of spam. A value of 100 means that this indicator is a completely reliable indicator
of spam. A list of accurate spam words should be configured with a weight close to 100.
More general word lists should be configured with lower weights.
• Mail Anomalies — This value is used when a message fails four or more anomaly checks.
A value of 0 means that this indicator is a completely unreliable indicator of spam. A value
of 100 means that this indicator is a completely reliable indicator of spam.
• DNS Block List — A value of 0 means that this indicator is a completely unreliable
indicator of spam. A value of 100 means that this indicator is a completely reliable indicator
of spam. The DNS Block List should generally have a weight between 60 and 80. The
weight assigned will be higher if the sender is matched on more than one DNS Block List.
• BorderWare Security Network Reputation — BSN contributes its own unique score
between 0 and 100 and cannot be assigned a configurable weight.
179

Intercept Anti-Spam
• BorderWare Security Network Dial-up — A value of 0 means that this indicator is a
completely unreliable indicator of spam. A value of 100 means that this indicator is a
completely reliable indicator of spam. BorderWare Security Network Dial-up should
generally have a weight between 60 and 80.
• Bulk Analysis — A value of 0 means that this indicator is a completely unreliable indicator
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.
Bulk Analysis should generally have a weight between 70 and 80.
• Token Analysis — A value of 0 means that this indicator is a completely unreliable indicator
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.
The default value is 100, however, the weight should be lowered if false positives are
occurring.
• SPF — A value of 0 means that this indicator is a completely unreliable indicator of spam. A
value of 100 means that this indicator is a completely reliable indicator of spam. SPF should
generally have a weight of 50.
• DomainKeys Authentication — A value of 0 means that this indicator is a completely
unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable
indicator of spam. DomainKeys should generally have a weight of 90.
• URL Block List — A value of 0 means that this indicator is a completely unreliable indicator
of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.
The URL Block List should generally have a weight between 60 and 80. The weight
assigned will be higher if the sender is matched on more than one URL Block List.
Click the Reset button to return the weights to the default values.
180

Trusted and Blocked Senders
Trusted and Blocked Senders
ePrism allows end users to configure their own Trusted and Blocked Senders Lists.
Trusted Senders List
The Trusted Senders List allows users to create their own lists of senders who they want to
receive mail from to prevent them from being blocked by ePrism’s spam filters. Users can
utilize the WebMail/ePrism Mail Client interface to create their own Trusted Sender’s List based
on a sender’s email address. Trusted Senders can also be added directly via the Spam
Quarantine summary email.
If the message is rejected for reasons other than spam, such as viruses or attachment controls, the
Trusted Senders List will have no effect.
The Trusted Senders List overrides the following anti-spam actions:
• Modify Subject Header
• Add Header
• Redirect
The following rules also apply for the Trusted Senders List:
• A Reject or Discard action will reject or drop the message regardless of the settings in the
Trusted Senders List.
• If the action is set to Just Log or BCC, the trusted message will pass through, but will still be
logged or BCC’d by ePrism.
• PBMF spam actions set to Medium or High priority cannot be trusted, allowing
administrators to ensure that a strong security policy is enforced.
• The Trusted Senders List cannot trust items rejected by the administrator during the SMTP
connection such as BSN and DNSBL checks.
Blocked Senders List
The Blocked Senders List allows end users to specify a list of addresses from which they do not
want to receive mail. These senders will be blocked from sending mail to that specific user via
ePrism. If a sender is on the Blocked Senders List, the message can either be rejected with
notification or discarded by ePrism.
The Trusted Senders List is processed before the Blocked Senders List. If a Blocked Sender also
appears in the Trusted Senders List, the email will be delivered.
In the event there are multiple recipients for a message and only specific recipients have
blocked the sender, the message will be delivered for those recipients that did not block the
sender and the message will be rejected for those who have blocked the sender.
Local ePrism users can log in and create their own list of Blocked Senders. Users do not need
a local account on the system as logins can be authenticated via LDAP to an authentication
server and the user's Trusted/Blocked Senders List is saved locally on ePrism.
181

Intercept Anti-Spam
Enabling Trusted and Blocked Senders
The Trusted and Blocked Senders List must be enabled globally by the administrator to allow
users to configure their own lists.
Enable the Trusted and Blocked Senders List globally as follows:
1. Select Mail Delivery ➝ Anti-Spam ➝ Trusted/Blocked Senders.
2. Select the Permit Trusted or Permit Blocked Senders lists check box to enable these
features.
3. Enter the maximum number of list entries for each user. The default is "100". Valid values
are from "1" to "1000000".
4. For Blocked Senders, select the action to perform when a user on the Blocked Senders List
attempts to send mail via ePrism.
• Reject — The message will be rejected with notification to the sender.
• Discard — The message will be discarded without notification to the sender.
5. Enter the internal mail server host domain. This is the domain part of the email address
appended to local user names, such as "example.com".
182

Trusted and Blocked Senders
Configuring WebMail Access
WebMail access must enabled on a network interface in Basic Config ➝ Network to allow
users to login to ePrism via ePrism Mail Client/WebMail to manage their Trusted/Blocked
Senders List.
In User Accounts ➝ Secure WebMail, you must also enable the Trusted/Blocked Senders
controls for the end user when they login to the ePrism Mail Client/WebMail interface.
183

Intercept Anti-Spam
Imported Trusted/Blocked Senders List
Trusted/Blocked Senders Lists can be manually or automatically updated from a global list
located on an external web server. The list update can be scheduled to occur at regular
intervals. The list can be updated immediately by clicking the Update imported list now button.
It is recommended that organizations use either the personal Trusted/Blocked Senders List or
the imported list, and not both at the same time.
To configure the Imported Trusted/Blocked Senders List:
1. Select the Enable imported list check box.
2. Enter the List source URL where the Trusted/Blocked Senders List can be retrieved from,
such as:
http://listserver.example.com/bwlist.csv
HTTPS is also supported for the List source URL.
3. Select the Automatic update check box to enable scheduled updates, and select the days
and time to retrieve the list.
4. To perform a manual update, click the Update imported list now button.
For ePrism systems configured in a cluster, each cluster member must be configured to import this
list independently.
184

Trusted and Blocked Senders
Import List File
The Trusted/Blocked Senders List file must be in CSV format and contain comma or tab
separated entries in the form:
[recipient],[sender],[block or trust]
For example:
user@example.com,spam@example1.com,block
user@example.com,hacker@example1.com,block
user@example.com,friend@example1.com,trust
user@example.com,friend2@example1.com,trust
The file (bwlist.csv) should be created in CSV file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the file first by clicking the
Download File button, editing it as required, and uploading it using the Upload File button.
Adding Trusted/Blocked Senders
To create their own Trusted/Blocked Senders List, the end user can login to their ePrism
ePrism Mail Client/WebMail account, and select Trusted Senders or Blocked Senders from
the menu.
Users do not need a local account on the system. Logins can be authenticated via RADIUS or
LDAP to an authentication server such as Active Directory. The user’s Trusted Senders List is
saved locally on the system. See “Remote Accounts and Directory Authentication” on page 202 for
more detailed information on setting up user authentication.
The Trusted and Blocked Senders Lists are based on a sender’s email address. Enter an email
address and click the Add button. Trusted Senders can also be added directly via the Spam
Quarantine summary email.
185

Intercept Anti-Spam
186

Spam Quarantine
Spam Quarantine
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual
user or to a single user. This allows users to view and manage their own quarantined spam by
giving them the ability to view, release the message to their inbox, or delete the message.
Spam Quarantine summary notifications can be sent to users notifying them of existing mail in
their quarantine. The email notification itself can contain links to take action on messages
without having to login to the quarantine.
To quarantine mail, the administrator must set the action for an Intercept spam level, such as
"Certainly Spam", to Redirect To, and set the action data to the FQDN (Fully qualified domain
name) of the ePrism system (to host the quarantine on the current system) or another ePrism
running the spam quarantine feature.
The Spam Quarantine must be enabled on the destination system if you choose to quarantine mail
on a separate ePrism.
Local Spam Quarantine Account
To access quarantined mail, a local account must exist for each user. This account can be
created locally, or you can use the LDAP Mirrored Users feature to import user accounts from
an LDAP compatible directory (such as Active Directory) and mirror them on the local system.
See “Directory Users and Groups” on page 63 for more information on importing and mirroring
LDAP user accounts.
Configuring the Spam Quarantine
Select Mail Delivery ➝ Anti-Spam ➝ Spam Quarantine on the menu.
187

Intercept Anti-Spam
• Enable Spam Quarantine — Select the check box to enable the spam quarantine.
• Expiry Period — Select an expiry period for mail in each quarantine folder. Any mail
quarantined for longer than the specified value will be deleted.
• Folder Size Limit — Set a value, in megabytes, to limit the amount of stored quarantined
mail in each quarantine folder.
• Enable Summary Email — Select the check box to enable a summary email notification
that alerts users to mail that has been placed in their quarantine folder.
Notifications can only be sent to accounts the ePrism is aware of such as local accounts or LDAP
mirrored user accounts.
• Limit # of message headers sent — Specify the maximum number of headers to be sent in
the notification message. Set to "0" for all message headers to be sent.
• Remember # of past summary keys — Enter the amount of days that users are allowed to
access previously sent spam summaries. The default is 8.
When doing spam summaries every 12 hours, a value of 8 would result in only the last four days of
spam summaries being accessible.
• Notification Domain — Enter the domain for which notifications are sent to. This is typically
the Fully Qualified Domain Name of the email server.
The Spam Quarantine only supports one domain.
• Notification Days — Select the specific days to send the summary.
• Notification Times — Select the time of day to send the summary notifications.
The Spam Summary processing will begin at this time, but the actually delivery of the summary
notifications will not be performed until the processing (which may take several minutes) is
complete.
• Spam Folder — Indicate the Spam Folder name. This must be an RFC821 compliant mail
box name. This folder will appear in a user’s mailbox when they have received quarantined
spam.
• Mail Subject — Enter a subject for the notification email.
• Allow Trusting Senders — Inserts a link in the notification summary to allow the user to
add the sender to their Trusted Senders List.
• Allow reading messages — Inserts a link in the notification summary to allow the user to
read the original message.
• Allow releasing of email — Inserts a link in the notification summary to allow the user to
release it to their inbox.
• Mail subject — Enter the subject of spam summary notification message. ePrism system
variables can be used in the subject. See “Customizing Notification and Annotation
Messages” on page 371.
Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored user accounts.
188

Spam Quarantine
Spam Summary Message
If enabled, a summary email notification can be sent to alert users to mail that has been placed
in their quarantine folder. Additional options allow the end user to read the message, release
the message from the quarantine to their inbox, or add the sender to their Trusted Senders list,
via the links in the spam summary message.
Setting Spam Redirect Options
To quarantine spam mail to the Spam Quarantine, you must set the Intercept action to Redirect
to and set the action data to the FQDN of the spam quarantine server.
To quarantine mail to the spam quarantine, use the following procedure:
1. Go to Mail Delivery ➝ Anti-Spam ➝ Intercept.
2. Set the Action for the spam level (such as "Certainly Spam") to Redirect to.
3. Set the Action data to the FQDN of the spam quarantine (either this ePrism, or another
ePrism system running the quarantine) such as "spam.example.com".
189

Intercept Anti-Spam
Configuring Dedicated Spam Quarantine Server
To ensure that spam redirected from another ePrism is properly quarantined on a dedicated
Spam Quarantine server, it is recommended that a pattern filter be created to ensure these
messages are classified as "Certainly Spam" by the dedicated Quarantine server.
1. Login to the ePrism set up as the dedicated Spam Quarantine server.
2. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) on the menu.
3. Click the Add button to add a new pattern filter.
4. Add a pattern to match the Client IP address of the ePrism system that will be redirecting
mail to this quarantine server. Set the action as "Certainly Spam".
5. Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu.
6. For the "Certainly Spam" spam category, set the action to Redirect To and the action data
to the address of the Quarantine Server.
Accessing Quarantined Spam
The quarantined spam folder can be viewed using the ePrism Mail Client/WebMail interface.
Users can log in to their local or mirrored account on ePrism and view their own quarantine
folder.
If you do not require or do not want the end users to log in locally to ePrism to retrieve these
messages, they can simply use the linked actions contained in the spam quarantine summary
notification to manage quarantined messages.
WebMail access must be enabled on a network interface in Basic Config ➝ Network to allow
users to log into ePrism locally or use the linked actions in the spam quarantine summary
notification.
Users can also use IMAP to access the quarantine folders. You must enable IMAP globally and
on your trusted network interfaces as required. This allows users to connect to the system via
IMAP and move spam messages out of the quarantine into their own folders.
190

Spam Quarantine
Accessing the Quarantine Folder via IMAP
To enable access to the quarantine folder via IMAP:
1. Select User Accounts ➝ POP3 and IMAP to enable IMAP globally.
2. Select Basic Config ➝ Network to enable IMAP on a specific network interface.
3. Connect from a client using IMAP to view the "spam_quarantine" folder.
To retrieve false positives (messages that are not spam) from the quarantine, configure the
client email application with two separate accounts, one for their normal account, and one for
the spam quarantine. With this configuration you can drag and drop message from the
quarantine to your mail account.
Enabling WebMail and Spam Quarantine Access
In Basic Config ➝ Network, enable the WebMail check box for a specific network interface to
allow users to login to WebMail.
In User Accounts ➝ Secure WebMail, enable the Personal Quarantine Controls option to
provide users with the spam quarantine controls in the ePrism Mail Client/WebMail interface.
191

Intercept Anti-Spam
Accessing the Quarantine folder using ePrism Mail Client/WebMail
To access the quarantine folder via ePrism Mail Client/WebMail:
1. Log into your ePrism WebMail account.
2. Select Spam Quarantine on the left menu.
Click the Release link to release the message back into your inbox.
Click the Trusted Sender link to automatically add the sender to your Trusted Sender List.
Spam Quarantine in a Cluster
The User Spam Quarantine can be run in a clustered environment, but there are additional
steps that need to be performed for this feature to work correctly.
• The Spam Quarantine should be enabled on the master Cluster Console only. The cluster
will automatically synchronize the configuration with the other cluster members.
• You must set your Intercept options to use an action of Redirect To, and set the action data
to a hostname that will be used specifically for the Cluster Console’s network interface. For
example, set your redirect action to "redirect.example.com".
• On the Cluster Console, go to Mail Delivery ➝ Routing ➝ Mail Routing, and create a mail
route for "redirect.example.com" to point to the IP address of the network interface on
the Cluster Console that communicates with the other cluster members. This mail route will
be automatically propagated to the other cluster member systems.
192

Spam Quarantine
• On the Cluster Console, create a Specific Access Pattern rule set to an action of "Trust"
for the Client IP of the network interface of the cluster members that communicate with the
Cluster Console. This will ensure messages being redirected from the member system will
be trusted.
• If you are running Token Analysis, create a Pattern Based Message Filter rule on the
Cluster Console set to the action of "Do Not Train" for the Client IP of the network interface
of the cluster members that communicate with the Cluster Console. This prevents the
message from being trained when it is sent to the master Cluster Console for the spam
quarantine.
193

CHAPTER 8
User Accounts and Remote
Authentication
This chapter describes how to setup and administer local and remote user accounts and
POP/IMAP access on your ePrism Email Security Appliance, and contains the following topics:
• “POP3 and IMAP Access” on page 196
• “Local User Mailboxes” on page 197
• “Mirror Accounts” on page 199
• “Strong Authentication” on page 200
• “Remote Accounts and Directory Authentication” on page 202
• “Relocated Users” on page 205
• “Vacation Notification” on page 206
• “Tiered Administration” on page 209
195

User Accounts and Remote Authentication
POP3 and IMAP Access
ePrism fully supports local user mailboxes. Mail is delivered to ePrism mailboxes after the same
processing that applies to all other destinations. Users can use any POP or IMAP-based mail
client (such as Outlook, Netscape, Eudora, and so on) to download their messages. Users can
also be configured to access these mailboxes using the ePrism Mail Client.
It is recommended that you use the secure versions of POP and IMAP to ensure passwords are not
transmitted in clear text.
Select User Accounts ➝ POP3 and IMAP on the menu to enable or disable POP and/or IMAP
mailboxes.
To complete the procedure, you must also enable POP3 and IMAP access (and their secure
versions) on your network interfaces via the Basic Config ➝ Network menu.
196

Local User Mailboxes
Local User Mailboxes
Select User Accounts ➝ Local Accounts on the menu to add new users and configure local
user mail profile settings.
Click the Add a New User button to begin the new user configuration:
• User ID — Enter an RFC821 compliant mail box name for the user.
• Forward email to — Enter an optional address to forward all mail to.
• Set and Confirm Password — Enter and confirm the user’s password. The user should
change this password the first time they log in.
• Strong Authentication — Select a strong authentication method, if required. Strong
authentication is explained in more detail in the next section.
• Disk Space Quota — Enter an optional user disk space quota in megabytes (MB). Enter a
value of "0" for no quota.
• Accessible IMAP/WebMail Servers — Select the available IMAP and WebMail servers
that this user can access.
197

User Accounts and Remote Authentication
Upload and Download User Lists
You can upload lists of users using comma or tab separated text files. You can specify the login
ID, password, email address, and disk quota in megabytes. Use the following format:
[login],[password],[email address],[quota]
For example,
user1,ajg7rY,user1@example.com,0
The file (user.csv) should be created in csv file format using Excel, Notepad or other Windows
text editor. It is recommended that you download the user list file first by clicking File
Download, editing it as required, and then uploading it using the File Upload button.
Mailbox Options
Click the Options button to set the maximum mailbox size (in bytes) for all local mailboxes. Set
this value to 0 to disable the limit.
The value must not be smaller than the Maximum message size limit set in Mail Delivery ➝ Mail
Access. If you set this value to 0, users will be able to send any size of message.
198

Mirror Accounts
Mirror Accounts
LDAP user accounts can be imported from an LDAP directory server and mirrored on the local
ePrism system. This allows you to create local accounts based on the LDAP account to allow
these users to login locally for the Spam Quarantine feature.
These mirror accounts are not local accounts that can accept mail, they are only used for the Spam
Quarantine feature.
See “Directory Users and Groups” on page 63 for more detailed information on creating mirror
accounts.
If you have imported LDAP user accounts via Basic Config ➝ Directory Services ➝ Users
and Groups, a new option will appear in the Local Accounts menu called Mirror Accounts
that displays all mirrored user accounts.
You can remove selected individual user’s mirror accounts or remove all of them by clicking the
Remove All button.
When using the Remove All button, users are removed as a background process and if you have
many pages of users, it may take several minutes for this operation to complete.
199

User Accounts and Remote Authentication
Strong Authentication
By default, user authentication is based on UserID and password. ePrism also supports strong
authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware
token devices provide an additional authentication key that must be entered in addition to the
UserID and password.
You can select a strong authentication type in the Strong Authentication drop-down menu of the
user’s profile.
CRYPTOCard
The CRYPTOCard option is supported by a local authentication server and requires no external
system for authentication. When CRYPTOCard is selected, you will be prompted to program the
card at that time using the token configuration wizard.
Only manually programmable CryptoCard RB-1 tokens are supported.
SafeWord
SafeWord Platinum and Gold tokens are supported by a local authentication server, and require
no external system for authentication. When SafeWord is selected, you will be prompted to
program the card at that time using the token configuration wizard.
Only manually programmable SafeWord tokens are supported.
200

Strong Authentication
SecurID
To configure RSA SecurID, you must set up the system as a valid client on the ACE Server,
and create an sdconf.rec (ACE Agent version 4.x) file and upload it to ePrism.
Although newer ACE servers are supported, the sdconf.rec file must be for version 4.x of the ACE
Agent. Versions greater than 4.x generate a different format of this file.
Select User Accounts ➝ SecurID on the menu to configure SecurID.
Click the Browse button to find and load a sdconf.rec file. Click Upload when finished.
After enabled SecureID via User Accounts ➝ SecurID, it must also be enabled for a network
interface in the Basic Config ➝ Network screen.
Ensure that ePrism’s domain name is listed in your DNS server. SecurID authentication may not
work properly if a DNS record does not exist.
201

User Accounts and Remote Authentication
Remote Accounts and Directory Authentication
Directory authentication allows users to be authenticated without having a local ePrism account.
When an unknown user logs in, ePrism will send the UserID and password to the specified
LDAP or RADIUS server. If the user is authenticated, ePrism will log them in and provide access
to the specified server or servers.
LDAP and RADIUS are widely used, and provide a convenient way of allowing access to
internal mail servers or web mail servers such as Outlook Web Access. Users who login locally
to an Exchange server based on an Active Directory identity can use the same identity to use
Outlook Web Access with ePrism’s Secure WebMail service.
If both LDAP and RADIUS services are defined, the system will try to authenticate via RADIUS first,
and then LDAP if the RADIUS authentication fails.
Configuring Directory Authentication
Select User Accounts ➝ Remote Auth from the menu to configure LDAP and RADIUS
authentication.
If you want to use LDAP for authentication, click the New button in the LDAP Sources section to
define a new LDAP source.
202

Remote Accounts and Directory Authentication
• Directory Server — Select a configured LDAP directory server for authentication.
• Search Base — Enter the starting base point to start the search from, such as
cn=users,dc=example,dc=com.
• Scope — Enter the scope of the search such as Subtree, One Level, or Base.
• Base: Searches the base object only.
• One Level: Searches objects beneath the base object, but excludes the base object.
• Subtree: Searches the entire subtree of which the base distinguished name is the
topmost object, including that base object.
• Query Filter — Enter a specific query filter to search for a user in your LDAP directory
hierarchy. For Active Directory implementations, use (ObjectClass=user).
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
• Account name attribute — Enter the account name result attribute that identifies a user’s
login or account name, such as sAMAccountName for Active Directory implementations.
You will need to enter the appropriate Query Filter and Account name attribute for your particular
LDAP infrastructure if you use another LDAP service such as OpenLDAP and iPlanet.
203

User Accounts and Remote Authentication
RADIUS Authentication
Click the New button in the Radius Servers to configure a RADIUS server for authentication.
• Server — Enter the FQDN or IP address of the RADIUS server.
• Shared Secret — Enter the shared secret for the RADIUS server. A shared secret is a text
string that acts as a password between a RADIUS server and client. Choose a secure
shared secret of at least 8 characters in length, and include a mixture of upper and
lowercase alphabetic characters, numbers, and special characters such as the "@" symbol.
When you add a RADIUS server, the administrator of the RADIUS server must also list this ePrism
Email Security Appliance as a client using the same shared secret. All listed RADIUS servers must
contain the same users and credentials.
• Timeout — Enter a timeout value to contact the RADIUS server.
• Retry — Enter the retry interval to contact the RADIUS server.
The server "This ePrism Email Security Appliance" will only be made accessible for mirror
users. See “Directory Users and Groups” on page 63 for more information on settings up
mirrored accounts.
The other servers listed in the Accessible Servers option are configured via User Accounts ➝
Secure WebMail. See “Secure WebMail” on page 212 for more detailed information on
configuring this feature.
204

Relocated Users
Relocated Users
Use the Relocated Users screen to return information to the sender of a message on how to
reach users that no longer have an account on the ePrism system. A full domain can also be
specified if the address has changed for a large number of users.
Select User Accounts ➝ Relocated Users on the menu to configure the relocation
information.
Click the Add button to add a new relocated user.
Enter a user or domain name in the User field, such as user, user@example.com, or
@example.com to specify an entire domain.
In the "User has moved to…" field, enter any appropriate contact information for the relocated
user, such as their new email address, street address, or phone number.
205

User Accounts and Remote Authentication
Vacation Notification
When a user will be out of the office, they can enable Vacation Notification which sends an
automated email reply to incoming messages. The reply message is fully configurable, allowing
a user to personalize the vacation notification message.
Vacation Notifications are processed after mail aliases and mappings. You must create notifications
for a specific end user and not for an alias or mapping.
The process for configuring Vacation Notification includes the following steps:
1. The administrator enables Vacation Notification globally.
2. Individual settings can be configured as follows:
• The administrator configures Vacation Notification for the user via User Accounts.
• The user configures their own Vacation Notification via ePrism Mail Client/WebMail.
Select User Accounts ➝ Vacations from the menu to enable Vacation Notification globally.
• Enable Vacation Notification — Enable or disable the service globally for all users.
• Domain Part of Email Address — Enter the domain name to be appended to local user
names. This value will be used for all local users.
• Interval Before Re-sending — The number of days after a previous notification was sent to
send another reply if a new email arrives from the original sender.
206

Vacation Notification
Default Vacation Notification Profile
Enter the subject and contents for the default notification message. Users will be able to
change the subject and message from their own user profile.
Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary
notifications for non-local users.
Click on an email address to edit the user’s vacation notification settings.
From this screen, an administrator can configure the notification settings, including the address
that incoming mail will receive a vacation response from.
207

User Accounts and Remote Authentication
User Vacation Notification Profile
An administrator can configure vacation notifications for individual users via their user profile in
the User Accounts menu. Users can configure their own Vacation Notification settings in their
profile via ePrism Mail Client.
To configure Vacation Notification:
1. Login to ePrism Mail Client and select User Profile on the menu.
2. Set the Vacation Start Date by selecting the required date on the left calendar.
3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out
automatically during this time.
4. Modify the default subject and contents of the response message.
5. Click Save User Profile.
Vacation notifications are not sent to emails marked as "bulk" such as mailing lists and system
generated messages. Notifications are also not sent to messages identified as spam.
208

Tiered Administration
Tiered Administration
Tiered Administration allows an administrator to assign additional administrative access
permissions on a per-user basis. For example, the administrator can designate another user as
an alternate administrator by selecting the Full Admin option in their user profile.
To enable administrator permissions, select a user profile from the User Accounts ➝ Local
Accounts menu. Enable each administrative option as required for that user by selecting the
corresponding check box.
WebMail/ePrism Mail Client access must be enabled on the network interface that will be used by
tiered administration users. This is set in the Basic Config ➝ Network screen.
To distribute administrative functions, the administrator can configure more selective
permissions to authorize a user only for certain tasks such as administering users and reports,
configuring anti-spam filter patterns, or viewing the email database.
• Full Admin — The user has administrative privileges equivalent to the admin user.
• Administer Aliases — The user can add, edit, remove, upload and download aliases (not
including LDAP aliases.)
• Administer Filter Patterns — The user can add, edit, remove, upload and download
Pattern Based Message Filters and Specific Access Patterns.
• Administer Mail Queue — The user can administer mail queues.
• Administer Quarantine — The user can view, delete, and send quarantined files.
• Administer Reports — The user can view, configure and generate reports, and view
system activity.
• Administer Users — The user can add, edit, and relocate user mailboxes (except the Full
Admin users), including uploading and downloading user lists. User vacation notifications
can also be configured.
• Administer Vacations — The user can edit local user’s vacation notification settings and
other global vacation parameters.
• Mail History — The user can view the email history database.
• View Activity — The user can view the Activity page and start and stop mail services.
Individual emails can only be viewed if View Email Database is also enabled.
• View System Logs — The user can view all logs.
209

User Accounts and Remote Authentication
Granting full or partial admin access to one or more user accounts allows actions taken by
administrators to be logged because they have an identifiable UserID that can be tracked by the
system.
A user with Full Admin privileges cannot modify the profile of the Admin user. They can, however,
edit other users with Full Admin privileges.
Logging In With Tiered Admin Privileges
When tiered administrative privileges have been assigned to a user, they can access them via
the ePrism Mail Client interface by logging in locally to ePrism.
Select the type of feature you want to administer via the top-left drop down menu.
210

CHAPTER 9
Secure WebMail and
ePrism Mail Client
This chapter describes how to setup Secure WebMail and the ePrism Mail Client on your
ePrism Email Security Appliance, and contains the following topics:
• “Secure WebMail” on page 212
• “ePrism Mail Client” on page 216
211

Secure WebMail and ePrism Mail Client
Secure WebMail
The Secure WebMail feature provides a highly secure mechanism for accessing webmail
services such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers.
Webmail services provide an attractive, easy to use remote interface for users to access their
mail server mailboxes remotely via a web browser.
As these webmail services are accessible from the Internet, they present a number of security
challenges. The Secure WebMail feature is designed to support the use of webmail services
while protecting Webmail servers from Internet attacks. The connection is managed using a full
application proxy. ePrism completely recreates all HTTP/HTTPS requests made by the external
client to the internal webmail server.
Configuring Secure WebMail and ePrism Mail Client
Select Basic Config ➝ Network, and then select the WebMail check box to enable WebMail
access on a network interface.
Select User Accounts ➝ Secure WebMail to configure Secure WebMail and ePrism Mail
Client options.
212

Secure WebMail
Access Types
The following options enable controls in the WebMail interface for features such as the Spam
Quarantine, Trusted Senders, and administrative access.
• Administrative Access — Enables access to administrative functions if the user has
administrative privileges, such as via Tiered Administration.
• Local Mail — Enables access to IMAP servers on the local network.
• Proxy Mail — Enable proxy mail access to other IMAP servers.
• Personal Quarantine Controls — Enables the Spam Quarantine controls. The Spam
Quarantine must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Spam
Quarantine.
• Trusted/Blocked Senders List — Enables the Trusted and Blocked Senders List controls.
These features must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Trusted/
Blocked Senders.
For organizations that only want to use local mailboxes for the Spam Quarantine controls or
Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while
enabling Personal Quarantine Controls and Trusted/Blocked Senders. This displays only those
functions to the end user when they log into the ePrism Mail Client/WebMail account. Personal
Quarantine and Trusted/Blocked Senders can be disabled if you are only using the Spam
Quarantine summary email for these features and users do not need to login locally.
At least one of these options must be enabled to allow WebMail access on a specified interface in
Basic Config ➝ Network. If all of these access options are disabled, the WebMail access option
on an interface will be disabled.
213

Secure WebMail and ePrism Mail Client
Servers
Webmail servers must be running one of the following: IMAP, Outlook Web Access (OWA), or
Lotus iNotes.
• Cached server passwords — This option, when enabled, will keep a copy of the user’s
password until they explicitly log out. If a user switches servers, they will not need to reenter
their password.
• Share cookies between servers — Enable this option to ensure that when a user moves
from server to server or is redirected to another server, the user’s session cookies are also
passed along.
• Upload Maximum File Size — Enter the maximum file size allowed in megabytes.
Click the Add Server button to add an internal server to be accessed.
• Address — Enter the IP address, hostname, or URL of the server. Add users to this server
by selecting the corresponding check box for that user.
• Label — Enter an optional label to describe this server.
• Users who may access this server — Select the users who will be able to access this
server.
• Automatic Server Login — Select this option to try the user’s WebMail ID/Login first before
prompting for an ID and password. Leave this option disabled to force a login prompt for
each new server. This option enables single login capabilities to allow users to login to
ePrism and their WebMail server with only one login.
214

Secure WebMail
This option should be disabled if the server is set to expire passwords after three failed attempts.
• Use Most Recent — Select this option to try the most recently used credentials first when
changing servers.
This option only applies to users with more than one accessible WebMail server.
• Force Compatibility — Select this option to ensure support for Outlook Web Access 2000
and limited support for OWA 2003.
• Make Invisible — Use this option to make the server invisible to users in the Secure
WebMail server drop-down list.
• Keep Alive — Specify the frequency to send keep-alive messages to the WebMail server
to keep the client connection alive.
215

Secure WebMail and ePrism Mail Client
ePrism Mail Client
The ePrism Mail Client is the native webmail client for the ePrism Email Security Appliance.
Using the ePrism Mail Client, you can access local mailboxes, IMAP Servers, administrative
access, the Spam Quarantine, and the Trusted Senders List.
From a web browser, enter the hostname or IP address of the ePrism system running the
ePrism Mail Client. Login with your local user ID and password. (The login can also be
authenticated using LDAP or RADIUS.)
When successfully logged in, the ePrism Mail Client interface will be displayed.
Configuring ePrism Mail Client Options
In the User Accounts ➝ Secure Webmail screen, you can configure popup options, the sent
mailbox folder, and other ePrism Mail Client features in the ePrism Mail Client Options section.
To see popup windows, your web browser must have popups enabled.
• New Mail Popup — Enable a popup window for new mail notifications.
• Minimize Popups — Minimize the use of new popup browser windows by using the main
frame.
216

ePrism Mail Client
• Enable Inline HTML-mail Viewing — Enables the viewing of HTML mail. For security
reasons, any scripts and fetches for external objects are filtered out.
• Save Sent Mail — Enables saving of sent mail in the user’s mailbox.
• Sent Mail-box — The name of the sent mail folder if enabled.
• Editable From — Enables a user to edit the From: field when composing mail.
217

CHAPTER 10
Policy Management
This chapter describes how to use and configure Policy controls for users, groups, and
domains, and contains the following topics:
• “Policy Overview” on page 220
• “Creating Policies” on page 223
• “Domain Policies” on page 224
• “Group Policies” on page 226
• “User Policies” on page 231
• “Managing Policies” on page 233
• “Policy Diagnostics” on page 234
219

Policy Management
Policy Overview
ePrism’s Policy controls allow specific mail security features to be customized and applied to
different email domains, user groups, or individual users.
The features that can be used with Policy controls include the following:
• Annotations
• Anti-Virus
• Archiving
• Attachment Control
• Attachment Content Scanning
• Intercept Anti-Spam
• Objectionable Content Filter
Policy controls enable granular settings to be applied for each specific domain, group, or user.
For example, Intercept Anti-Spam settings can be enabled for specific domains, while turned off
for other domains. Each Anti-Spam action can be customized to configure one domain to reject
spam messages, while another domain can be configured to modify the subject header of a
spam message. Spam thresholds and Intercept component weights can also be customized for
different domains, groups, and user addresses.
Anti-Virus and Attachment Control actions for inbound and outbound mail can also be
specifically defined for the requirements of each domain, group, or user. For example, you can
enable inbound and outbound Anti-Virus and Attachment Control checks for some domains,
while only checking inbound mail for other domains.
Sender and Recipient Policy Determination
When a message arrives, ePrism will determine a set of policy settings for each message
recipient as follows:
• If the message is trusted, and is addressed to a non-local recipient, then the sender’s policy
settings will be used for that recipient.
• If the message is untrusted, or is trusted but addressed to a local recipient, then the
recipient’s policy settings will be used for that recipient.
Policy Hierarchy
Policy settings are processed after any mail mappings etc. If the final recipient is a local user or a
user in a domain that ePrism routes mail for, then it is considered a local recipient.
There are four types of policies that can apply to a user: the Domain Policy, Group Policy, User
Policy, and Default Policy. Recipients can belong to multiple policies, for example, the recipient
"user@example.com" may have a user-based policy for "user@example.com" and a policy
based on the domain "example.com".
The final policy for the recipient will be the merging of any existing policies for that user, with
conflicting settings resolved in the following order of precedence:
1. User policy (user@example.com)
220

Policy Overview
2. Group policy (Sales)
3. Domain policy (example.com)
4. Default policy
For example, if User and Domain are defined and enabled and the Anti-Virus feature is defined
and enabled in only the Domain policy but undefined in the other policies, Anti-Virus will be
enabled. To override this Domain policy for a user, define the Anti-Virus feature as disabled in
the User Policy.
Multiple Group Policies
In cases where a user belongs to multiple groups, the group order takes precedence. In the
Group Policy configuration screen, administrators can order the list of groups into an order of
priority.
For example:
• A user belongs to Group1 and Group2
• Group 1 Policy is set to a higher priority then Group 2 Policy
• Group 1 Policy has Token Analysis enabled and defined
• Group 2 Policy has Token Analysis disabled and defined
The final result is that the user’s email will be scanned by Token Analysis.
Groups policies are not merged as they are with user and domain policies. If a user belongs to
more than one group, only the first group policy in the specified group ordering is applied.
PBMF Priority
When using PBMFs with policies, there may be situations with conflicting priorities for global
PBMFs and policy PBMFs. When processing PBMFs, ePrism makes the following decisions:
1. The priority of all actions are taken into consideration. If there is only one "High" priority
action, that filter will be used.
2. For PBMFs with the same priority, policies are resolved in the following order:
• User Policy
• Group Policy
• Domain Policy
• Default Policy/Global
3. For the same priority and same policy, actions are resolved in the following order:
• Bypass
• Reject
• Discard
• Quarantine
• Certainly Spam
• Redirect
• Trust
• Relay
• Accept
221

Policy Management
• Just Log
When creating Pattern Based Message Filters (PBMFs) in policies, certain message parts such
as Envelope-to and Envelope-from, Client IP, and Host, are not available. These PBMFs can
cause actions to trigger before the recipients are known, such as on a connecting client IP
address, and therefore are not available for use in Policies.
BCC and Do Not Train actions will not prevent lower priority actions from being triggered. For
example, a BCC action at "High" priority in the global PBMF list and an Accept action at "Medium"
priority in a policy will result in an Accept and the BCC option.
222

Creating Policies
Creating Policies
The following sections describe how to enable and define policies. The general steps are as
follows:
1. Define global ePrism settings
2. Enable the Default Policy
3. Add and define new Domain, Group, and User Policies
Define Global ePrism Settings
Before creating your specific domain and user policies, it is recommended that administrators
define globally their default ePrism settings for Anti-Virus, Attachment Control, Anti-Spam
features, and so on, before defining more granular policies based on these global settings.
These settings will be inherited by the Default policy which is the policy used by all users that
do not belong to a specific policy.
If you disable a feature globally, it cannot be enabled by a policy. The feature will be completely
disabled, regardless of how a policy is configured.
Enable the Default Policy
Select Mail Delivery ➝ Policy ➝ Policy Definition to enable the default policy.
The Default policy cannot be deleted. The policy name "Default" is a reserved word specifically to
be used as the Default policy for users that are not defined to a specific policy.
223

Policy Management
Domain Policies
When global settings have been defined, more granular policy settings can be configured by
creating policies for specific domains, groups, and users.
Domain policies can be created to enable different policies for different domains in an
organization. For example, administrators might require that different domains need separate
annotations (such as a legal disclaimer) appended to their messages.
Create a policy definition for this domain as follows:
1. Select Mail Delivery ➝ Policy ➝ Policy Definition to configure customized policies.
2. Click the Add Policy button.
3. Enter a descriptive name for this domain policy, such as "example.com".
4. Select the Enable check box to enable this policy.
5. Go to the Annotations section of the policy.
6. Select the Enable check box and the Define check box to enable annotations for this
domain policy.
7. Select the Define check box for the Annotation "Edit" field, and then click the Edit button to
customize the annotation for this domain.
8. Customize the annotation and click Apply, and then click Return to Policy.
224

Domain Policies
9. Click Apply to save the "example.com" domain policy.
10. Select Mail Delivery ➝ Policy ➝ Domain Policy to add the "example.com" domain.
11. Select the "example.com" policy in the Policy drop-down list.
12. Enter the domain that this policy will apply to, such as:
example.com
Use a leading "." to indicate subdomains of the specified domain, such as:
.example.com
This will match:
a.example.com, b.example.com, c.d.example.com
but not "example.com".
13. Click Add to add the domain to the Domain Policy list.
Uploading and Downloading Domain Policy Lists
A list of domains and corresponding policies can also be uploaded in one text file. The file must
contain comma or tab separated entries in the form:
[Domain],[policy name]
For example:
example.com,Domain1
The file (domain_policy.csv) should be created in csv file format using Excel, Notepad or
another Windows text editor. It is recommended that you download the domain file first by
clicking Download File, editing it as required, and uploading it using the Upload File button.
225

Policy Management
Group Policies
Policies can be customized for user’s who belong to specific group. For example, a "Sales"
group might have different attachment content scanning policies than users in the Development
group. Group policies are also useful for providing different annotations or anti-spam features
for each user group.
Group membership information must be imported from an LDAP directory. Click the LDAP
Import button which will take you to the Directory Users and Groups screen where LDAP users
and group names can be imported. A Directory Server must be set up before you can import
users and groups.
See “Directory Users and Groups” on page 63 for more detailed information on setting up
directory services for group imports.
When you have set up your Directory Users and groups configuration, click Apply.
Click the Import Now button which will import users and their corresponding group
memberships from an LDAP directory. When the import is completed, the group list will appear
226

Group Policies
in your Group Policy screen. Schedules imports can set up by clicking the Import Settings
button.
Select the "New" group view to show the groups that you just imported and are currently
unassigned. New imported groups will display "New" as their policy category, indicating that the
group has just been imported and currently has no policy.
These new groups can then either be assigned the "Default" policy, an existing configured
policy, or be set as "Unassigned". Groups configured as "New" or "Unassigned" do not have an
active policy.
A reimport of groups will change all previously "New" groups to "Unassigned".
227

Policy Management
Re-Ordering Groups
Group policies are applied in the order listed if the user belongs to more than one group. For
example, in the case of annotations, the annotation for a user belonging to multiple groups will
be their first group listed in the group order.
Groups can be reordered for priority by clicking the Re-Order Groups button.
A list of "Assigned" groups (groups assigned to a policy) will be displayed. Select a group to be
moved, and then click the Up or Down buttons to move the group up and down the list order.
Groups can be moved immediately to the top or bottom of the list using the Top and Bottom
buttons.
When finished the re-ordering of groups, click the Apply button.
228

Group Policies
Assigning Group Policies
Policies can now be assigned to each group by selecting a specific policy from the drop-down
box. In this example, we have created a Group Policy 1 policy that we will apply to specific
groups.
In this example, the Canada, India, and Japan groups have been configured to use the Group
Policy 1 policy. When you are finished setting the policies for the required groups, ensure the
groups that have been modified are selected, and then click the Apply link.
Uploading Group Policy Lists
A list of groups and corresponding policies can also be uploaded in one text file. The file must
contain comma or tab separated entries in the form:
[group],[policy name]
For example:
sales,salesgroup
The file (group_policy.csv) should be created in csv file format using Excel, Notepad or
another Windows text editor. It is recommended that you download the group file first by
clicking Download File, editing it as required, and uploading it using the Upload File button.
229

Policy Management
Orphaned Groups
Orphaned LDAP groups are groups that have been deleted from the LDAP directory but still
exist in ePrism’s local group list. Any policies configured for these orphaned groups will not be
processed.
Click the Delete Orphans button to remove these groups from ePrism’s group policy screen.
Disabling Group Policy
Group Policies can be disabled if they are not being used for Policies in your organization. This
may help performance for organization’s that have a large number of directory users and do not
need to use Group Policy. Click the Disable Group Policy button to disable this feature.
230

User Policies
User Policies
Policies can be customized for individual user addresses. The User policy will take precedence
over Domain and Group policies, and are useful for creating individual exceptions to these
policies.
In the following example, a user policy will be created with customized anti-virus settings.
Configure a user policy as follows:
1. Select Mail Delivery ➝ Policy ➝ Policy Definition.
2. Click the Add Policy button.
3. Enter a descriptive name for this policy, such as "User Policy".
4. Select the Enable check box to enable this policy.
5. Go to the Anti-Virus section of the policy.
6. Select Kaspersky Virus Scanning and ensure the Define check box is checked.
7. Customize the actions and notifications for inbound and outbound virus scanning.
8. When finished, click Apply to save this policy.
9. Select Mail Delivery ➝ Policy ➝ User Policy to add a user address.
231

Policy Management
10. Select the User Policy created in the previous steps in the Policy drop-down list.
11. Enter the user address, such as "user@example.com" in the Email field.
12. Click Add to add the user address to the User Policy list.
Uploading and Downloading User Address Lists
A list of users can also be uploaded in one text file. The file must contain comma or tab
separated entries in the form:
[email],[policy name]
For example:
user@example.com,User Policy
The file (email_policy.csv) should be created in csv file format using Excel, Notepad or
another Windows text editor. It is recommended that you download the user file first by clicking
Download File, editing it as required, and uploading it using the Upload File button.
232

Managing Policies
Managing Policies
When several domain, group, and user policies have been created and customized, they can
be managed from the Mail Delivery ➝ Policy ➝ Policy Definition screen.
The Enabled field indicates if a policy is on and active or disabled.
Each individual policy can be edited by clicking on its corresponding name.
To delete policies, select the corresponding check box of the policies you want to delete, then
click the Remove button.
Enable Verbose Logging
The Enable Verbose Logging feature enables additional logging information in the Mail
Transport log file for policies. Click the Enable Verbose Logging button to enable this feature.
The mail log can be viewed via Status/Logs ➝ System Logs ➝ Mail Transport.
The message displayed will contain information similar to the following:
policy_recipient=,
policy_user= (remote=F),
domain_policy=, group_policy=,
group_name=, user_policy=
default_policy=
233

Policy Management
Policy Diagnostics
The Policy Diagnostics screen allows administrators to test their policy structure to ensure that
the final result for a specific user is the desired result. There are several policies that can apply
to a single user, including domain policies, user policies, group policies, and the default policy.
By entering the user’s email address in the diagnostic screen, the final result of each policy
feature will be displayed, including information on which policies were overridden by another
policy with higher priority.
Select Mail Delivery ➝ Policy ➝ Policy Diagnostic on the menu to configure and run policy
diagnostics.
• Sender — Enter a sender address for this test if you are testing an outbound message. This
field can be left blank to indicate any sender for inbound mail.
• Recipient — Enter the test recipient for the policy. The final result displayed during the
diagnostics will be the final policy result for this specific user.
• Direction — Select a direction for the message to determine policy results when the
message is inbound or outbound.
• Trusted — Select whether the message is considered to be from a trusted or untrusted
source.
Click Lookup to start the policy diagnostics.
234

Policy Diagnostics
The Policy Diagnostic summary screen provides the administrator with a detailed analysis of
how the various active policies combine to determine the final disposition of mail messages.
The Policy Diagnostics table displays the ePrism features that can be configured on a perpolicy
basis.
Each column displays the contributions to the disposition of the message by each policy (User,
Group, Domain, and Default).
For each feature, an "X" indicates the defined policy was used to determine the final result. Any
policies that were overridden by the applied policy are indicated by an "_". An empty column
indicates that a matching policy was not found by the policy resolution engine.
At the end of each feature row, the final result of the policy is indicated such as "Disabled" for
Kaspersky Anti-Virus.
As policies are initialized with reasonable defaults and those values may match the overall
default setting, it can appear that a particular policy has been overridden when in fact there is
no apparent configuration responsible for this. For example, the default setting for attachment
scanning is 'disabled'. If a user policy is defined, but attachment scanning is not part of that
definition and nothing else overrides the default then it will appear that the contribution has
come from the user policy.
235

CHAPTER 11
Threat Prevention
This chapter describes how to configure ePrism’s Threat Prevention features to detect and
automatically respond to security threats, and contains the following topics:
• “Threat Prevention Overview” on page 238
• “Configuring Threat Prevention” on page 239
• “Creating Threat Prevention Rules” on page 241
• “Static Address Lists” on page 251
• “Dynamic Address Lists” on page 253
• “F5 Blocking” on page 256
• “Cisco Blocking” on page 261
• “Threat Prevention Status” on page 264
237

Threat Prevention
Threat Prevention Overview
ePrism provides a threat prevention feature to detect and mitigate incoming threats. By default,
ePrism can recognize the following threats:
• Directory harvesting
• Denial of Service attacks
• Connections from blocked addresses
• Connections originating from addresses that send spam
• Connections originating from addresses that send viruses
Historical information about connecting IP addresses and how they behave are retained,
allowing a configurable set of actions including accept or reject that will be determined at
connection time based on current and historical data.
This information can also be pushed to a perimeter F5 or Cisco device that can be configured to
rate limit, throttle or block a given IP address for a period of time before it reaches ePrism.
How Threat Prevention Works
The Threat Prevention feature performs the following tasks.
• Determines the threat level of connecting IP addresses and retains historical statistics about
that address
• Acts on the connection’s IP address based on its connection history
The Threat Prevention feature is contacted at several stages of mail delivery for a specific client
IP address:
1. At connection request time, the history for the IP address is provided to the rules script that
determines if the connection should be allowed or rejected, and how to further classify the
address into a specific data group.
2. After early mail scanning, the number of known and unknown recipients and DNSBL results
are added to the history of the connecting address.
3. After full mail scanning, the results of Anti-Virus, Anti-Spam, and Malformed message
scanning are recorded in the history of the address.
4. Prior to connection, an F5 or Cisco device (if configured) may block an IP address before it
reaches ePrism if ePrism is configured to push threat prevention information to the device.
238

Configuring Threat Prevention
Configuring Threat Prevention
A Connection Rules script is run each time a client tries to connect to ePrism. This configurable
script determines whether to accept or reject a connection based on its threat prevention
history. The script performs an evaluation of the connection and drives the reject and accept
decision for the threat prevention feature. The script is also responsible for moving IP
addresses into appropriate data groups.
Select Mail Delivery ➝ Threat Prevention on the menu to configure ePrism’s threat
prevention features.
ePrism Email Security Appliance implements connection rule checking by using a scripting
language to drive the decision making process. The script can reject or accept mail given
various statistics available at the time of client connection. The listed default rules are
processed in order.
• Description — A description for the rule.
• Condition — Condition statement to execute.
• List — Defines which list to insert the IP address.
• Action — Action to take if the condition is "True", such as Accept or Reject.
• Reject Code — Reply code to send to the connecting client. For Reject, this is 450
(temporary) or 550 (permanent). For Accept, the reply code is set to 220.
• Move — Select the arrows to modify the ordering of the connection rules.
239

Threat Prevention
Click the Add Rule button to add a new connection rule.
This rules are fully configurable, and the system will check the script when saved to ensure
there are no syntax or execution errors. When you are finished with your changes, click the
Apply button. The results of the script test will be shown, including existing syntax errors.
Click the Advanced button to see the entire connection rules script based on the configured
rules.
Resetting to Defaults
See the following section “Creating Threat Prevention Rules” on page 241 which describes how to
create these rules.
Press the Reset to Defaults button to replace all existing rules with the default set of rules.
240

Creating Threat Prevention Rules
Creating Threat Prevention Rules
The Threat Prevention feature runs a connection rules script each time a client tries to connect
to ePrism. The script determines whether to accept or reject a connection based on its threat
prevention history. The script is also responsible for moving IP addresses into appropriate
dynamic lists, such as "infected" or "spammers".
The full script itself is not editable, but it is updated with the condition statements and actions
that are defined for each Threat Prevention rule. These rules are configurable, and the system
will check the script when new rules are applied to ensure there are no syntax or execution
errors.
Basic Rule Structure
The basic structure of a connection rule is as follows:
• Rule Condition — A set of criteria that must be met for the rule to be triggered, such as
"stats1h.virus > 10" (10 or greater virus-infected messages sent in the last hour). ePrism
collects over 15 different types of data that can be used to create a rule condition.
• Action — Action to take when the rule condition is met, such as "Accept" or "Reject".
• Reply code — The reply code to send back to the sending server, such as temporarily
reject (450) or permanently reject (550).
• Add to Dynamic List — Add the IP address to a configured dynamic list, if applicable. For
example, a sender that triggers a spam rule can be placed in the "spammers" dynamic list.
Default Connection Rules
The default connection rules are active when the Threat Prevention feature is enabled. These
rules include checks for typical conditions such as blocked clients, virus and junk mail senders,
and denial of service (DoS) attempts. The default rules are also helpful in learning how to put
together condition statements for customized connection rules.
Any of the default rules can be customized to change any aspect of the rule to better suit the needs
of your organization.
241

Threat Prevention
Blacklisted clients
This rule checks if the client is already blocked by ePrism. The condition statement "is_blacklist"
simply checks if the client is listed in the blacklist static IP address list. If the check is true, the
client will be rejected and added to the blacklisted dynamic IP address list.
Directory harvesters
This rule checks if the client has been involved with directory harvesting activities intended to
discover valid email addresses from ePrism. The following condition statement is used to
identify if a client is considered a directory harvester:
stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 &&
(!is_internal && !is_mynetworks )
This statement indicates:
• If the number of invalid recipients from the client in the last 30 minutes is greater than or
equal to 50
• and the number of good recipients from the client in the last 30 minutes is less than 3
• and the client does not exist in the internal or mynetworks static lists (to trust the client)
• then the connecting system is rejected and entered into the harvesters dynamic IP address
list
Big virus senders
This rule checks if the client has recently sent a large number of viruses. The following condition
statement is used to identify if a client is considered a source of viruses:
stats1h.virus > 10 && stats1h.perc_virus_to_messages > 50 &&
stats1h.perc_ham_to_messages < 25 && (!is_internal &&
!is_mynetworks)
This statement indicates:
• If the number of viruses received from this client in the last hour is greater than 10
• and the percentage of virus infected messages received from this client in the last hour is
greater than 50
• and the percentage of clean messages received from this client in the last hour is less than
25
• and the client does not exist in the internal or mynetworks static lists (to trust the client)
• then the connecting system is rejected and entered into the infected dynamic IP address list
DNSBL clients (on more than one list)
This rule checks if the client has been listed on more than one DNS Block List of blocked clients.
If the client is on more than one DNSBL, it is a known open-relay that may send out a large
number of spam messages. The following condition statement is used to identify if a client is on
more than one DNSBL:
block_list > 1 && (!is_internal && !is_mynetworks)
242

Creating Threat Prevention Rules
This statement indicates:
• If the client exists on more than one DNSBL
• and the client does not exist in the internal or mynetworks static lists (to trust the client)
• then the connecting system is temporarily rejected and entered into the spammers dynamic
list
DNSBL clients
This rule checks if the client exists on only one DNS Block List. In this case, there is the
possibility that the client is on this DNSBL by mistake, and ePrism makes additional checks to
examine its recent history of mail messages. The following condition statement is used to
identify if a client is on one DNSBL and sends a large number of spam messages:
block_list == 1 && stats30m.bad_mail > 10 && stats30m.ham < 2 &&
(!is_internal && !is_mynetworks)
This statement indicates:
• If the client exists on only one DNSBL
• and the number of spam and junk messages received from this client in the last 30 minutes
is greater than 10
• and the number of clean messages received from this client in the last 30 minutes is less
than 2
• and the client does not exist in the internal or mynetworks static lists (to trust the client)
• then the connecting system is temporarily rejected and entered into the spammers dynamic
IP address list
Junk senders
This rule checks if the client sends out a large amount of spam or junk mail in proportion to the
number of legitimate messages. The following condition statement is used to identify if a client
is sending a large amount of spam or junk messages compared to legitimate messages:
stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 &&
stats5m.messages > 10 && (!is_internal && !is_mynetworks)
This statement indicates:
• If the number of spam and junk messages received from this client in the last hour is
greater than 20
• and the percentage of clean messages compared to spam received from this client in the
last hour is less than 25
• and the number of messages sent from this client in the last five minutes is greater than 10
• and the client does not exist in the internal or mynetworks static lists (to trust the client)
• then the connecting system is temporarily rejected and entered into the tarpit dynamic IP
address list
243

Threat Prevention
Internal DoS
This rule checks if the client is on an internal network and is using a lot of open connections that
may result in a denial of service. The following condition statement is used to identify if an
internal client is creating a large amount of open connections:
open_connections > 50 && is_internal
This statement indicates:
• If the number of open connections from this client is greater than 50
• and the client is listed in the internal static address list
• then the connecting system is temporarily rejected
External DoS
This rule checks if an external client is using a lot of open connections that may result in a denial
of service. The following condition statement is used to identify if an external client is creating a
large amount of open connections:
open_connections > 20 && !is_internal
This statement indicates:
• If the number of open connections from this client is greater than 20
• and the client is not listed in the internal static address list
• then the connecting system is temporarily rejected
Excessive senders
This rule checks if a client is sending too many messages that could result in a denial of service.
The following condition statement is used to identify if a client is sending an abnormal amount of
messages:
!is_peers && !is_internal && stats1h.messages > 50000
This statement indicates:
• If the client is not listed in the peers and internal static address lists (to trust the client)
• and the number of messages sent from this client in the last hour is greater than 50000
• then the connecting system is temporarily rejected
244

Creating Threat Prevention Rules
Creating Connection Rules
To create customized connection rules for the Threat Prevention feature, select Mail Delivery
➝ Threat Prevention on the menu, and then click the Add Rule button.
The following options can be configured:
• Description — Enter a descriptive summary of the rule.
• Condition — Enter a condition statement to execute, such as:
stats1h.bad_mail > 20 && (!is_internal && !is_mynetworks)
This statement checks if the client has sent more than 20 virus-infected or spam messages
in the last hour, and is not on the internal or mynetworks IP address lists.
See the following section "Building Condition Statements" for detailed information on creating
these statements.
• Action — Action to take if the condition is "True". Options are Accept Mail or Reject Mail.
• Reject Code — Reply code to send to the connecting client. For Reject, this is 450
(temporary) or 550 (permanent). For Accept, the reply code is set to 220.
• Reject Message — A customized reject message to send to the connecting client. The
%IP% variable can be used to indicate the IP address of the client.
• Add to List — Select a Dynamic Address List to add the client IP address to if the condition
is true. These lists can be viewed and configured via Mail Delivery ➝ Threat Prevention
➝ Dynamic Lists.
245

Threat Prevention
Building Condition Statements
The Threat Prevention rules are based on condition statements that are used to create various
criteria for the connecting clients and their historical behaviour.
The following tables describe the variables, parameters, and Boolean operators available to
create Threat Prevention rules.
General Statistics
The following are general statistics that can be used when creating connection rules. They
include items such as the IP address of the connecting client and how many open connections a
client is using.
TABLE 1. General Statistics
Statistic
ip_address
current_group
open_connections
block_list
rule_no
Description
The IP address of the connecting client.
The name of the current Dynamic list the client
IP addresses is in, if any.
The current number of open connections to
this IP address.
If DNS Block lists are enabled, this indicates
the number of lists the IP address matched.
Indicates the connection rule number for
ordering purposes.
For example, as part of your condition statement to prevent denial of service attacks, check that
the client does not have a large amount of open connections:
IP Lists
open_connections > 50
The following parameters indicate if the client IP address is listed in any of the pre-defined Static
IP lists (defined via Mail Delivery ➝ Threat Prevention ➝ Static Lists on the menu.)
This allows you to check if the client IP address is trusted because it is identified as an internal
system, a network under your control, or a peer address. The client can also be blocked if it
appears in the local blacklist.
TABLE 2. IP Lists
Static IP List
is_internal
is_mynetworks
Description
Checks if the client IP address is listed in the internal
address list.
Checks if the client IP address is listed in the
mynetworks address list.
246

Creating Threat Prevention Rules
TABLE 2. IP Lists
Static IP List
is_peers
is_blacklist
Description
Checks if the client IP address is listed in the peers
address list.
Checks if the client IP address is listed in the blacklisted
address list.
For example, to check if the connecting client is in the blacklist static IP list, use the following
condition statement:
is_blacklist
If the client is already listed in the blacklist IP list, the condition is true and the configured action
executed.
These lists can also be used to ensure clients are trusted because they are considered internal
or under an organization's control. For example, to check for a large amount of open
connections, and to ensure this client is not an internal client, use the following statement:
open_connections > 50 && !is_internal
This statement checks clients who have more than 50 open connections and do not belong to
the internal static IP list.
Email Statistics
The following email statistics can be used to build condition statements in the connection rules
based on the types of messages received. These statistics identify the number of messages
based on their classification, such as virus-infected, malformed, spam, and clean. Several
statistics also indicate the percentage of one type of message to another, such as the
percentage of spam messages to total messages received.
TABLE 3. Email Statistics
Email Statistic
messages
virus
malformed
spam
ham
connection_attempts
bad_mail
bad_recipients
Description
Total number of messages from successful connections.
Number of virus-infected messages.
Number of malformed messages.
Number of spam messages (Intercept Certainly Spam
or Probably Spam, PBMF spam).
Number of messages that were clean (not spam, virus,
or malformed).
Number of attempted connection attempts.
Number of viruses, malformed, and spam messages.
Number of unknown recipients (or 0 if the "Reject on
unknown recipient" feature is disabled).
247

Threat Prevention
TABLE 3. Email Statistics
Email Statistic
good_recipients
perc_ham_to_messages
perc_virus_to_messages
perc_spam_to_messages
perc_malformed_to_messag
es
perc_bad_to_messages
perc_ham_to_spam
Description
Number of legitimate recipients.
Percentage of clean messages to the total amount of
messages.
Percentage of virus-infected messages to the total
amount of messages.
Percentage of spam messages to the total amount of
messages.
Percentage of malformed messages to the total
amount of messages.
Percentage of bad messages (virus, malformed, and
spam) to the total amount of messages.
Percentage of clean messages to the total amount of
spam messages.
These email statistics must be used in combination with a specific time period. This allows you
to check for the number of certain types of email messages, such as "spam" messages, in a
certain time period such as 24 hours.
The following table describes various time periods that can be used in conjunction with the email
statistics variables.
TABLE 4. Statistics Time Periods
Time Period
Description
stats1m
Statistics for the last minute
stats5m
Statistics for the last 5 minutes
stats15m
Statistics for the last 15 minutes
stats30m
Statistics for the last 30 minutes
stats1h
Statistics for the last hour
stats24h Statistics for the last 24 hours (1
day)
Specify the time period and the email statistics parameter separated by a "." (period).
For example, to check how many spam messages were received in the last 24 hours, use the
following:
stats24h.spam
To check the percentage of the number of spam messages compared to the total amount of
messages in the last hour, use the following:
stats1h.perc_spam_to_messages
248

Creating Threat Prevention Rules
Boolean Operators and Syntax
The following are the Boolean operators that can be used when building condition statements.
To combine operators, use the following syntax to ensure the order: (a && (b || c)). This
indicates the result of "a" AND ("b" OR "c").
TABLE 5. Boolean Operators
Boolean Operator
&&
Description
and
! not
|| or
> Greater than
< Less than
== Equal to
>= Greater than or equal
to
= 50 && stats30m.good_recipients < 3
This example checks the number of good and bad recipients in the last 30 minutes. If the bad
recipients are greater than or equal to 50, and the good recipients are less than 3, then the
condition is true.
Connection Rules Script Error Checking
When you are finished with the changes and additions to the connection rules, click the Apply
button. The results of the script test will be shown, including any syntax errors if they occur.
249

Threat Prevention
If an error occurs, examine the rule you just applied and check the condition statement to
ensure that it conforms to the proper syntax and that any variables or parameters are entered
correctly.
250

Static Address Lists
Static Address Lists
Static IP/CIDR address lists are used to define specific groups of IP addresses that affect
Threat Prevention processing. When a client connects, the connection rules script will look up
the client’s IP address in the existing Static Address Lists and perform any defined actions for
that list. This allows you to trust, block, or provide additional classification for a specific IP
address or subnet.
For example, if the address is listed in the blacklist, the connection rules script will reject the
message. Addresses in the peers or mynetworks list can be exempted from some of the checks
because they are known sources or internal networks of your organization.
It is critical that administrators add any non-routable networks used locally to the internal
address list and ensure any networks under an organization’s control or friendly networks are
listed in the mynetworks and peers list respectively. This prevents any local addresses from
being affected by Threat Prevention processing.
Select Mail Delivery ➝ Threat Prevention ➝ Static Lists to define your static address lists.
• blacklist — List of any IP addresses or networks from which you will never want to receive
email.
• internal — List of internal non-routable IP addresses from which you will always accept
mail, such as the 192.168.0.0 network.
• mynetworks — A list of networks and subnets that are under your organization’s control
from which you will always accept mail.
• peers — A list of special sites such as peer ISP networks from which you will typically
always accept mail.
The peers list is not used by the default connection rules. Administrators must modify the current
rules or add a new connection rule to use this list.
• relays — A list of mail servers that need to relay mail via ePrism. This prevents these
servers from being blocked by content-based Threat Prevention rules and BSN, as well as
being reported to BSN.
Click the Add button to add a new IP list.
251

Threat Prevention
Enter a name and description for this address list, and then enter one of the following address
types:
• Single IP address, such as 192.168.1.25.
• Subnet in CIDR format (such as 192.168.0.1/24)
• Class A, B, or C subnet with trailing octets removed (such as 192.168)
Enter a comment that can be used to further describe the addresses in this list.
When finished, click the Add button to add the new list.
Uploading and Downloading Addresses
A list of addresses can also be uploaded in one text file. The file must contain comma or tab
separated entries in the form:
[address],[description]
For example:
192.168.0.0/16,non-routable
The file (ipcidr.csv) should be created in csv file format using Excel, Notepad or another
Windows text editor. It is recommended that you download the file first by clicking Download
File, editing it as required, and uploading it using the Upload File button.
252

Dynamic Address Lists
Dynamic Address Lists
The Threat Prevention feature can place IP addresses into Dynamic Address lists for a
specified period of time and set the response to connection requests for clients falling into
these groups. These dynamic lists can be configured to provide a specific action (such as 450
temporary reject or 550 permanent reject) and a time period to execute that action.
Dynamic lists differ from Static lists because their contents are always changing based on the
latest threat prevention data. Static lists are used by the administrator to define trusted and
blocked lists based on addresses specific to their organization. Dynamic lists build their data
from the history of connecting addresses and assign specific rules and actions to these
addresses based on that history.
IP addresses are added to these lists by the Threat Prevention connection rules script if they
match a specific behavior. For example, messages from an IP address that indicate harvesting
of email addresses will be put into the harvesters list.
When that same IP address tries to connect again after being added to the list, it will be
rejected with a configured reject code for the list if it is configured with the reject action. For
example, the harvesters list will reject with code "550 denied due to too many unknown
recipients". No further statistics will be gathered on that IP address during this early reject
period and further Threat Prevention rules will not be applied. An IP address can be released
from a dynamic list after a configurable period of time. Dynamic lists can contain tens of
thousands of IP addresses.
Dynamic lists with an action of "Just Log" will pass the request on to the rules processing script.
The rules script can then specify its own reject or accept action. If the rules script specifies an
accept action, further statistics will be gathered as the mail is received and processed.
Integration with F5 and Cisco Devices
The dynamic lists defined on ePrism can also be pushed to an F5 or Cisco device. If this
feature is configured, any IP addresses that are added to a Dynamic list by the connection rules
script will be pushed to an F5 or Cisco device and added to a group list of the same name. This
allows the F5 or Cisco device to process further connections from the IP address and to act
accordingly without the connection reaching ePrism.
253

Threat Prevention
Configuring Dynamic Lists
Select Mail Delivery ➝ Threat Prevention ➝ Dynamic Lists to configure your threat
prevention dynamic lists.
There are five predefined dynamic lists:
• blacklisted — Addresses that have been blocked.
• harvesters — Addresses known to be involved in email address directory harvesting.
• infected — Addresses known to send virus-infected messages.
• spammers — Addresses known to send large amounts of spam.
• tarpit — Group used to temporarily reject connections to slow down incoming connections
from an address.
Select a group to edit its properties, or click the Add button to add a new group.
• Name — Enter a descriptive name for this list. If you are pushing data to an F5 or Cisco
device, this list name must match the group name configured on the device.
254

Dynamic Address Lists
• Description — Enter a description of this list.
• Action — Action to take if a connection IP is listed in this group. Choices are Reject Mail, or
Just Log.
• Reject Code — If the selected action is Reject Mail, reply to the connection request with
this reject code. Choose between "450" (temporary) or "550" (permanent).
• Reject Message — Enter the reason provided to the client for rejecting the connection.
This message is only used if the action is set to Reject Mail.
• Entry Duration — Enter the duration (in seconds) for an IP to remain in this list after it has
been placed into this group by a connection rule. This duration period only applies to the
groups on ePrism and is not pushed to an F5 or Cisco device.
• Maximum Entries — If the entry is not rejected, only allow this many address entries at
once in the list. This value can range from 0 to 100000. Set to "0" for unlimited.
• Push to Cisco Devices — Select the check box to push data to all configured Cisco
devices. The list name must be identical to the group name defined on the Cisco device.
Only one dynamic list can be assigned to push information to a Cisco device.
• Push to F5 Devices — Select the check box to push data to all configured F5 devices. The
Group name must be identical to the group name defined on the F5 device.
255

Threat Prevention
F5 Blocking
Administrators can push ePrism’s Threat Prevention information to an existing F5 device.
The F5 device can then be configured to rate limit, throttle, or block a given IP address.
The dynamic lists defined with ePrism’s Threat Prevention feature can be used to populate data
groups on the F5 with the same name. For examples, IP addresses already defined into a
"spammers" group can be pushed to the same group name on the F5 device allowing it to
manage the response to these addresses. The F5 device will then be responsible for acting on
those IP addresses. When an item is removed from a Threat Prevention dynamic list, it is
automatically removed from the F5 data group.
Note that the duration period of the IP addresses only applies to the Dynamic lists on ePrism.
The ePrism constantly pushes updated list information to the F5 every 30 seconds to ensure the
lists are current and accurate. Any expired IP addresses will be removed and new addresses
since the last update will be added to the F5 device’s list. The Dynamic list is also fully
synchronized with the F5 device every hour.
Administrators must then configure iRules on the F5 device to act on the data groups as
appropriate. The Threat Prevention feature will not automatically create iRules on the F5 device.
The F5 device must be version 9.0.5 or greater.
Select Mail Delivery ➝ Threat Prevention ➝ F5 Blocking to define your F5 devices.
Click Add to add a new F5 device.
256

F5 Blocking
• Name — Enter a descriptive name to refer to this specific F5 device.
• URL — Enter the full URL for the F5 device, such as https://10.10.5.200.
• User Name — Enter a valid user name to log into the F5 device.
• Password — A corresponding password for the user name entered above.
Click the Test button to test your connection and login parameters on the F5 device.
Enabling Data Transfer to an F5 Device
ePrism’s Threat Prevention feature can be configured to push items from its own defined
dynamic lists to F5 data groups of the same name on one or more F5 devices.
To enable data to be pushed to F5, ensure that each Dynamic list defined on ePrism in Mail
Delivery ➝ Threat Prevention ➝ Dynamic Lists has the Push to F5 Devices check box
enabled.
257

Threat Prevention
Configuring F5 Data Groups
The Dynamic list names defined on ePrism must be manually created on the F5 devices. These
groups are not automatically created via the Threat Prevention feature.
On the F5 device, you must create the groups using "external file" address data groups, not address
groups. External file address groups can be updated frequently with many IP addresses without
affecting F5 performance.
To create groups on the F5 device:
1. Log in to the F5 administration interface.
2. Select Local Traffic ➝ iRules, and then click the Data Group list tab.
3. Click Create, and then enter the same group name as the data group defined in ePrism’s
Threat Prevention feature.
4. Select External file (not Address), and a subset of options will appear.
5. Enter the group name and select Address in the File Contents list.
6. Click Finished.
7. Repeat the steps for each data group required. This procedure must be repeated on each
F5 device.
258

F5 Blocking
8. Create an iRule for the data group.
An iRule for the default set of data groups provided with Threat Prevention would be similar
to the following:
when CLIENT_ACCEPTED {
if {[matchclass [IP::remote_addr] equals $::harvesters] } {
TCP::respond "550 Message Rejected - Too many unknown
recipients\r\n"
drop
}
if {[matchclass [IP::remote_addr] equals $::spammers] } {
TCP::respond "550 Message Rejected - Too much spam\r\n"
drop
}
if {[matchclass [IP::remote_addr] equals $::blacklisted] } {
TCP::respond "550 Message Rejected - client
blacklisted\r\n"
drop
}
}
if {[matchclass [IP::remote_addr] equals $::infected] } {
TCP::respond "550 Message Rejected - Infected\r\n"
drop
}
if {[matchclass [IP::remote_addr] equals $::tarpit] } {
pool slow_rateclass
}
259

Threat Prevention
9. Create any rate shaping classes, virtual hosts, pools, and so on, as necessary for normal
configuration of an MTA. In the previous example, a pool called "slow_rateclass" is required
that would be configured with rate shaping to allow a limited rate of traffic.
10. Click the Test button in the Mail Delivery ➝ Threat Prevention ➝ F5 Blocking menu to
verify that you have configured the F5 device correctly in the Threat Prevention feature.
ePrism will attempt to list the contents of the F5 data group. If successful, the list of IP
addresses which have been pushed to the F5 device will be displayed. The test feature will
not interrupt mail delivery or communications with the F5 and can be used at any time.
In version 9.0.5 of F5, you cannot view the contents of external file data groups from the F5 web
interface. Use the Test button in ePrism’s Threat Prevention menu to view the contents of external
file data groups.
ePrism and F5 Integration Notes
Note the following considerations when integrating ePrism and an F5 device:
• The Threat Prevention feature updates continuously but also synchronizes with each F5
Data Group once an hour to ensure there are no discrepancies.
• If the F5 device does not contain a data group, Threat Prevention will attempt to synchronize
with it indefinitely, once every second. It will report the warning once every 30 seconds in
the mail logs for this condition.
• If there is a loss of communications between ePrism and the F5 device, the Threat
Prevention feature will retry the connection to the F5 up to ten times.
• When using F5 integration with an ePrism cluster, only the master Cluster Console’s data
groups will get pushed to the F5 device.
260

Cisco Blocking
Cisco Blocking
Administrators can push Threat Prevention information to an existing Cisco device. ePrism can
update the Cisco device with information from one Dynamic Address List. The Cisco device
can then be configured to block a given IP address by adding it to an appropriate IP named
ACL (Access Control List). When an item is removed from ePrism’s Threat Prevention list, it is
automatically removed from the Cisco IP access list.
ePrism utilizes the IP named access control list feature to forward information to the Cisco device.
Cisco IOS version 11.2 or later is required for ePrism and Cisco integration.
Select Mail Delivery ➝ Threat Prevention ➝ Cisco Blocking to define your Cisco devices.
Click the Add button to add a new Cisco device.
• Name — Enter a descriptive name to refer to this specific Cisco device.
• URL — Enter the full telnet URL for the Cisco device, such as telnet://
192.168.1.175.
• User Name — Enter a valid user name to log into the Cisco device.
• User Password — A corresponding password for the user name entered above.
• Administrative Password — Enter the administrative (enable) password for this device.
261

Threat Prevention
Enabling Data Transfer to a Cisco Device
ePrism’s Threat Prevention feature can be configured to push items from a defined Dynamic
Address List to an IP access list on a Cisco device. To enable data to be pushed to the Cisco
device, select a Dynamic list defined on ePrism in Mail Delivery ➝ Threat Prevention ➝
Dynamic Lists, and ensure the Push to Cisco Devices check box enabled.
When using Cisco integration with an ePrism cluster, only the master Cluster Console’s data groups
will get pushed to the Cisco device.
The Cisco device can only accept one dynamic list. It is recommended that the blacklisted list be
used to block clients at the Cisco device.
Note that the duration period of the IP addresses only applies to the Dynamic lists on ePrism.
The ePrism constantly pushes updated list information to the Cisco device every 30 seconds to
ensure the lists are current and accurate. Any expired IP addresses will be removed and new
addresses since the last update will be added to the Cisco device’s list. The Dynamic list is also
fully synchronized with the Cisco device every hour.
Ensure that the Maximum Entries value is customized to the capabilities of your Cisco device. Large
values may overrun a smaller load Cisco device that can only handle a certain amount of access list
entries.
262

Cisco Blocking
Cisco Device Configuration
Configure the Cisco device as follows to integrate with ePrism’s Threat Prevention feature:
For IOS version 12.1 and later, ePrism lists are automatically created on the Cisco device when
group information is pushed, however, the IP access group must still be assigned to a specific
interface.
1. Log in to the Cisco device with the enable privilege.
2. Change to configure mode:
#configure terminal
3. Change to interface mode:
# interface FastEthernet x/y (where x and y are ethernet
device)
4. Attach the IP access group to the ePrism Dynamic Address list:
# ip access-group in
5. Exit from the config-if mode:
# exit
6. Perform the same steps for each Cisco interface as required.
263

Threat Prevention
Threat Prevention Status
The Threat Prevention Status screen displays the current state of the threat prevention feature
and provides information on the current number of items in each specified list, such as the
number of addresses listed as "spammers".
Select Status/Reporting ➝ Threat Prevention Status from the menu to view the current threat
status.
A summary of the entire threat prevention database is displayed, including the following:
• Number of IPs in the Threat Prevention database
• Number of open connections and open connections in a DNSBL
• The number of items in each defined data group, such as "tarpit", "harvesters", "spammers",
"infected", and "blacklisted".
Administrators can search for the state of a specific IP address by entering it in the search field
and clicking the right-arrow button.
A new table will appear for that specific IP address displaying statistics on the number of
messages from that IP address during a time period and the types of messages received.
To reset the status data, click Reset Threat Prevention History.
264

CHAPTER 12
HALO (High Availability and
Load Optimization)
This chapter describes the high availability and load optimization features of the ePrism Email
Security Appliance, and contains the following topics:
• “HALO Overview” on page 266
• “Configuring Clustering” on page 268
• “Cluster Management” on page 274
• “Configuring the F5 Load Balancer” on page 278
• “Queue Replication” on page 279
265

HALO (High Availability and Load Optimization)
HALO Overview
HALO (High Availability Load Optimization), is the fail-safe clustering architecture for high
availability for the ePrism Email Security Appliance. HALO enables two or more ePrism systems
to act as a single logical unit for processing a mail stream while providing load balancing and
high availability benefits.
HALO ensures that mail messages are never lost due to security vulnerabilities or individual
system failures. The clustering architecture is illustrated in the following diagram.
Cluster Management
The ePrism systems participating in the cluster will be grouped together by connecting a
network interface to a separate network called the Cluster Network. The ePrism systems will
communicate clustering information with each other via this network. Systems can also be
added or removed from clusters without interruption to mail services. It is recommended that all
systems in the cluster should be running on the same platform, and that the cluster network be
separated from the main production network.
One system is configured to be the Cluster Console which is the "master" system where all
cluster administration and configuration will be performed. When an ePrism system is added to
the cluster, its configuration will automatically be synchronized with the Cluster Console. Any
changes to the configuration on the Cluster Console will also be replicated to every cluster
member.
The ePrism cluster will be treated as a logical unit for processing mail and system configuration.
266

HALO Overview
Load Balancing
Although the ePrism cluster will be treated as one system, email is processed independently by
each cluster member and requires the use of a load balancing system to distribute mail flow
between the systems in the cluster.
Load Balancing via DNS
A DNS round-robin technique can be used to distribute incoming SMTP connections via DNS
to the systems in the cluster, as shown in the following example MX records:
example.com IN MX 10 mail1.example.com
example.com IN MX 10 mail2.example.com
Priority can be given to specific servers by configuring different priority values, as follows:
example.com IN MX 5 mail1.example.com
example.com IN MX 10 mail2.example.com
Using a Load Balancer
You can also use a hardware load balancing device, such as the F5 BIG-IP, Cisco, or other
similar load balancer. The load balancer is configured to send the mail stream to systems in a
cluster. If one of the systems fails, the load balancer will distribute the load between the
remaining systems.
The load balancer can be configured to distribute the mail stream connections intelligently
across all systems in the cluster, using techniques such as round-robin, and distribution by
system load and availability.
267

HALO (High Availability and Load Optimization)
Configuring Clustering
The following sections describe how to install and configure a cluster. In these examples, a
cluster of two systems is described. The procedure requires the following steps:
1. Hardware and Licensing — Ensure all systems are of the same hardware and have the
same software versions and are properly licensed. This includes the ePrism license, the
Stateful Failover license, and any other options. Ensure the member cluster systems are
new installations with no changes to the default configuration. When they are connected to
the cluster, they will receive their configuration from the Cluster Console.
2. Cluster Network Configuration — Configure a network interface on each system for
clustering.
Using an M1000 (which only has two network cards) in a clustering scenario requires that it be
deployed internally using a single interface model so that the second network card can be used for
clustering.
3. Create the cluster — From the Cluster Console system, create the cluster.
4. Add Cluster members — From the Cluster Console, add the cluster member systems.
Step 1: Hardware and Licensing
All cluster members, including the Cluster Console, should be the same level of hardware, and
be running the same version of software and update patches.
All cluster members must also have all the same additional features (such as Kaspersky Anti-
Virus) installed and licensed before integration into the cluster. Member systems should be new
installations with no changes to the default configuration except for additional licensed options.
It is critical that the cluster member systems be new installations with no changes to the default
configuration except for licensed options, networking, and HALO settings. The admin passwords
must also be identical.
Step 2: Cluster Network Configuration
The following instructions describe how to configure the network settings for two ePrism
systems in a cluster.
1. Connect an unused network interface from each ePrism to a common network switch, or
connect each interface with a crossover network cable. This will form the "cluster network",
a control network where clustering information will be passed back and forth between the
ePrism systems that form the cluster. For security reasons, this network should be isolated
on its own and not be connected to the main network. For a cluster of two systems, a
crossover network cable can be connected between the selected interfaces providing a
secure connection without the need for a switch.
2. On each ePrism system, go to the Basic Config ➝ Network screen.
3. On the network interface that you want to use for clustering, ensure that an IP address has
been configured, and that the Trusted Subnet and Admin Login check boxes are enabled.
268

Configuring Clustering
4. In the Clustering section of the Network settings screen, select the Enable Clustering
check box and choose the network interface that is connected to the cluster control
network.
Ensure that the selected interface has been already configured with an IP address before enabling
clustering.
269

HALO (High Availability and Load Optimization)
Step 3: Creating the Cluster
The following instructions describe how to create the cluster and initialize the Cluster Console
system.
1. Select HALO ➝ Cluster Administration on the menu. Before continuing, ensure that this
is the system that you want to be the Cluster Console system.
2. Click the Configure button to start the cluster configuration process.
3. The system will prompt you for information on setting up the cluster. First, you must enter
the admin user and password for the system that will be configured as the Cluster Console.
Click the Add or Update Member button to add the system as the Cluster Console, and
then click Close to finish.
4. The Cluster Management console is then displayed.
270

Configuring Clustering
Step 4: Adding Cluster Members
The following instructions describe how to add other systems to the cluster.
It is critical that any additions or deletions from the cluster configuration be performed with only a
single administrator logged in. If any changes are performed during a cluster configuration change,
there is a risk that initialization of a member will not process correctly.
1. Add cluster members by clicking the Add/Remove button in the Cluster Management
console.
2. Enter the Cluster Member hostname or IP Address, an optional name for the system, and
the Admin login ID and password.
All cluster systems must have the same Admin user password.
3. Click the Add or Update Member button to add the system.
4. When systems are added to a cluster, the configuration of the Cluster Console system is
replicated automatically to the new cluster member. This process will take some time to
complete, and the Cluster Management screen will indicate that the cluster member is
initializing.
271

HALO (High Availability and Load Optimization)
It is critical that no other configuration changes are made to the Cluster Member or Cluster Console
while the member is initializing.
When a system is added to the cluster, the configuration of the Cluster Console is replicated
to the new node with the following exceptions:
• Unique networking settings such as host name and IP address, and network interface
specific settings
• Local users and any WebMail related information
• Any reporting related information
• Centralized management information
• Token analysis databases
• Vacation notification related information is only partially replicated
Local user accounts cannot be used on a Cluster Member.
5. When the initialization of the member is complete, the Cluster Management console will
appear, displaying both the Cluster Console and the new cluster member.
272

Configuring Clustering
Troubleshooting Cluster Initialization
The following table describes common issues that occur when configuring a cluster.
TABLE 1. Troubleshooting Cluster Initialization
Issue
Blank 'Address' field when setting
up the cluster console
Connection check fails
Very slow to display the initialization
screen in the console
window for a new cluster member
Solution
The interface has not been correctly initialized.
Go to Basic Config ➝ Network and scroll down to the
Clustering section. Select the Cluster Interface, click
Update, and reboot.
The interface on the Console may not be configured correctly.
The target cluster member machine is not running or the
interface on the target node is not configured correctly.
The hardware or software of the cluster sub-net may not
be configured correctly.
Check the cluster subnet between the Console and the
target cluster member.
Try clicking the Refresh now button on the Console
screen.
273

HALO (High Availability and Load Optimization)
Cluster Management
The Cluster Management screen is accessed on the Cluster Console via HALO ➝ Cluster
Administration, displaying mail processing statistics for each individual cluster member. All
cluster management and configuration must be performed from the Cluster Console system.
Any configuration changes made to the Cluster Console are automatically replicated to the
cluster member servers.
Cluster Commands
The following commands can be performed for the entire cluster or for individual cluster member
systems:
• Queues — Select the appropriate button to Run, Stop, and Flush the mail queues.
• Send — You can Enable or Disable the sending of mail from the cluster or specified system.
• Receive — You can Enable or Disable the receiving of mail for the cluster or specified
system.
Activate/Deactivate Members
When member systems are added to a cluster, they are assigned an active state to process
mail for the cluster. If you need to take this system out of the cluster for maintenance purposes,
the system can be temporarily deactivated from the cluster by using the Deactivate button. A
deactivated cluster member is still monitored, and can process mail, but its configuration will not
be synchronized with the Cluster Console. The state of the email queue is not changed when a
cluster member is deactivated.
The Cluster Console itself cannot be deactivated. To perform maintenance on the Cluster
Console, you must deactivate all cluster members individually. This effectively deactivates the
entire cluster. When your maintenance is completed, reactivate each cluster member.
274

Cluster Management
To reactivate a disabled cluster member, click the Activate button. Activating a cluster member
will synchronize its configuration information by comparing the last time of replication and
update the system with the configuration from the Cluster Console. A complete
resynchronization will be required if the replication times do not exactly match.
A cluster member will be deactivated automatically if the Cluster Console is unable to
communicate with it, and an alarm will be issued when this occurs. Email processing is not
affected by this deactivation.
Start-Up Configuration
Click the Configure button to select an action to perform when a cluster member system
restarts.
• Wait for Console — The cluster member, after a restart, will wait until it contacts the
Cluster Console system and synchronize before processing mail. The system will try to
contact the console for five minutes before starting without synchronization.
• Start immediately — The cluster member will start immediately without contacting and
synchronizing its configuration with the Cluster Console system.
Cluster Activity
When a cluster is activated, a new Cluster Activity option appears on the Activity menu, and
provides an activity screen displaying the combined activity of all cluster members. To see the
activity for just the current system, use the Activity option from the menu.
Cluster Reporting
ePrism reports can be generated for a single system or for all systems in a cluster. The email
database can also be searched on a single system or on the entire cluster. The history and
status of any message can be instantly retrieved regardless of which system processed the
message. See “Viewing and Generating Reports” on page 284 for more information on cluster
reporting.
275

HALO (High Availability and Load Optimization)
Configuring a New Cluster Console
If you need to assign the Cluster Console role to another system in the cluster, you must log in
to the cluster member you would like to use as the Cluster Console and reconfigure the cluster
from the HALO ➝ Cluster Administration menu. This will essentially deactivate the entire
cluster, and you must add the cluster members again to the cluster once the new Cluster
Console is initialized.
Backup and Restore
You should configure the backup for a cluster member with a unique backup directory for each
cluster system, including the Cluster Console. Separate backup directories are required to
ensure that backups do not inadvertently overwrite the backup from another cluster system.
Restoring from a backup is primarily intended for product recovery after a re-installation or
software upgrade. Restoring clustered systems can potentially cause problems with cluster
configuration and communication, and it is recommended that you use the following procedures
when restoring a member of a cluster system.
See “Backup and Restore” on page 314 for more detailed information on the backup and restore
process.
Restoring a Cluster Member
Use the following procedure to perform a restore on a cluster member system (not the Cluster
Console):
1. From the Cluster Console, remove the member system from the cluster.
2. Disconnect the member system from the cluster network via the network cable.
3. Perform the restore procedure, but only restore Quarantined mail, SSL Certificates,
Token Analysis, and Reporting Data (optional). The member will automatically
synchronize the rest of its configuration with the Cluster Console when it is reintegrated with
the cluster.
4. When the system is restored, disable clustering on the cluster network interface in Basic
Config ➝ Network. Click the Update button but do not reboot.
5. Re-enable clustering on the network interface. Ensure that the specified interface is the one
connected to the cluster network. Click the Update button but do not reboot.
6. Connect the member system’s network cable to the cluster network.
7. From the Cluster Console, add the system back into the cluster.
Restoring the Cluster Console
On each cluster member system, (not the Cluster Console) clear the cluster configuration as
follows:
1. Disable clustering on the cluster network interface of each cluster member in Basic Config
➝ Network. Click the Update button but do not reboot. Re-enable clustering on the network
interface. Ensure that the specified interface is the one connected to the cluster network.
Click the Update button but do not reboot.
2. Disconnect the Cluster Console from the cluster network via the network cable.
276

Cluster Management
3. On the Cluster Console, perform a full restore of all configuration items.
4. When the restore is complete, go to the cluster configuration screen in HALO ➝ Cluster
Administration, and remove all cluster members from the cluster.
5. Reconnect the Cluster Console to the cluster network.
6. Reconfigure the cluster and add the other systems as cluster members.
Trusted Senders List and Spam Quarantine with a Cluster
The Trusted Senders List and Spam Quarantine can be used in a clustering environment.
Please note the following when using these features in a Cluster.
• Trusted Senders List — This feature should only be enabled on the master Cluster
Console system. The cluster will automatically synchronize the configuration with the other
cluster members.
• Spam Quarantine — This feature should only be enabled on the master Cluster Console
system. The cluster will automatically synchronize the configuration with the other cluster
members.
You must set up your Intercept Redirect To actions with a hostname dedicated to the
cluster interface on the Cluster Console system. See “Spam Quarantine” on page 187 for
detailed information on setting up the Spam Quarantine in a clustered environment.
277

HALO (High Availability and Load Optimization)
Configuring the F5 Load Balancer
As part of ePrism’s clustering solution, you can use the F5 BIG-IP F5 iControl load balancer to
control traffic to your clustered systems. ePrism includes a configuration screen where you can
configure the F5 load balancer via the iControl administrative connection.
This integration allows you to configure and communicate the ePrism cluster system nodes
directly to the F5 device. Information on message and traffic load can be communicated directly
with the load balancer resulting in intelligent failover decisions.
See the F5 documentation for more information on configuring the load balancer. Load balancing
integration only works with version of F5 up to version 9. It is recommended that the load balancing
integration be performed on the F5 device itself rather than on ePrism.
Select HALO ➝ F5 Integration from the menu to configure the BIG-IP load balancer.
Click the Config button to setup a new F5 configuration.
• BIG-IP Enabled — Select the check box to enable management of the BIG-IP load balancer
with iControl.
• BIG-IP IP Address — Specify the IP address of the BIG-IP system used for iControl
administrative access.
• Login — Enter the login ID used to configure the load balancer.
• Password — Enter the password for the login ID above.
• Pool — Specify the name of the load balancing pool used for mail flow for the ePrism
cluster.
278

Queue Replication
Queue Replication
The Queue Replication feature enables mail queue replication and stateful failover between
two ePrism systems. In the event that the primary owner of a mail queue is unavailable, the
mirror system can take ownership of the mirrored mail queue for delivery.
Without queue replication, a system with received and queued messages that have not been
delivered may result in lost mail if that system suddenly fails. In large environments, this could
translate into hundreds or thousands of messages.
Queue replication actively copies any queued mail to the mirror system, ensuring that if one
system should fail or be taken offline, the mirror system can take ownership of the queued mail
and deliver it. If the source system successfully delivers the message, the copy of the message
on the mirror server is automatically removed.
In the following diagram, system A and system B are configured to be mirrors of each other’s
mail queues.
Licensing
When a message is received by system A, it is queued locally and a copy of the message is
also immediately sent over the failover connection to the mirror queue on system B.
If system A fails, administrators can login to system B and take ownership of the queued mail to
deliver it. Messages are exchanged between the systems to ensure that the mirrored mail
queues are properly synchronized, preventing duplicate messages from being delivered when
a failed system has come back online.
HALO Queue Replication must be licensed to use it beyond the evaluation period.
See “License Management” on page 308 for more information on licensing optional
components.
279

HALO (High Availability and Load Optimization)
Configuring Queue Replication
Select HALO ➝ Queue Replication from the menu to configure this feature’s options.
• Enable Queue Replication — Select the check box to enable queue replication on this
system. Replication must be enabled on both the source and mirror hosts in the Basic
Config ➝ Network screen.
• Replication Timeout —Specify the time, in seconds, to contact the host system before
timing out.
• Replicate to Host — The mail queues are automatically updated when a message is first
received, and the queues are also synchronized at regular intervals. Press this button to
replicate the queue to the mirror host system immediately.
• Mirrored Messages — This value indicates the current amount of queued mail that is
mirrored on this ePrism.
• Purge Mirrored Messages — Select this button to delete any mail messages in the local
mirror queue. These are the files that are mirrored for another host server.
• Deliver Mirrored Messages — Select this button to take ownership and process the mail
that is mirrored for another source system. If the server is still alive, importing and
processing the mirror queue may result in duplicate messages being delivered.
Do not press this button unless you are certain that the source system is unable to deliver mail.
• Review Mirrored Messages — Select this button to review any mail in the local mirror
queue that is mirrored for another source server.
280

Queue Replication
Queue Replication Interface
You must also enable queue replication on a network interface on both the host and client
server.
Select Basic Config ➝ Network from the menu, and then scroll down to the Queue
Replication section.
These options only appear in the Network settings screen after Queue Replication is enabled.
• Enable Replication — Select the check box to enable queue replication on this system.
• Replication Host — Specify the IP address of the system that will be backing up mail for
this ePrism.
• Replication Client — Specify the IP address of the system that will be backing up its mail
queue to this ePrism.
• Replication I/F — Select the network interface to use for queue replication. This network
interface should be connected to a secure network. It is recommended that queue
replication and clustering functions be run together on their own dedicated subnet.
If you are backing up and restoring configuration information to a different system than the original
and queue replication is enabled, you will have to reconfigure Queue Replication to ensure that it
will work properly.
Importing and Processing Mirrored Messages
If you have two systems that are mirroring each other’s mail queues and one of those systems
fails, you must go to the mirror server and import the mirrored mail to ensure that it is
processing and delivered.
Import the mirrored messages as follows:
1. Ensure that the host server is unavailable. Before importing any mirrored mail, you must
ensure that the host server is not processing mail. If you import and process the mirrored
mail on the mirror server, this may result in duplicate messages if the host server starts
functioning again.
2. On the mirror server, select HALO ➝ Queue Replication from the menu.
281

HALO (High Availability and Load Optimization)
3. You may wish to view the current mirrored my mail by clicking the Review button.
4. Click the Deliver button. This ePrism will take ownership of any queued mail mirrored from
the source server, and process and deliver it.
282

CHAPTER 13
Reporting
This chapter describes the reporting features of the ePrism Email Security Appliance and
contains the following topics:
• “Viewing and Generating Reports” on page 284
• “Viewing the Mail History Database” on page 294
• “Viewing the System History Database” on page 296
• “Report Configuration” on page 299
283

Reporting
Viewing and Generating Reports
ePrism’s reporting functionality provides a comprehensive range of informative reports for the
ePrism Email Security Appliance, including:
• Traffic Summary
• System Health
• Top Mailbox Disk Users
• WebMail Usage
• POP and IMAP Access
• Bulk Analysis and DNSBL Lookup Performance
• Spam Statistics
• Virus and Threat Outbreak Reports
• Recipient Reports
• Health Check reports
The reports are derived from information written to the various systems logs which is then stored
in the database. Reports are stored on the system for online viewing, and can also be emailed
automatically to specified users. Reports can be generated on demand and at scheduled times.
Reports can also be filtered to provide reporting on only mail domains, user groups, or specific
hosts.
Administrators can specify which data is to be included in each report, how it is to be displayed,
the order of data, and the number of entries to report, such as "Top 10 Disk Space Users".
Reports can be generated in four different formats: HTML, PDF, CSV (comma separated
output) and Postscript format.
284

Viewing and Generating Reports
Reporting Menu
To generate and view reports, select Status/Reporting ➝ Reporting ➝ Reports.
To view a previously generated report, click on the report name. To configure a report, click on
the Configure button beside the corresponding report name. Click Generate to immediately
generate the specified report.
Viewing Reports
To view a report, click on the report name, such as Full Report.
285

Reporting
Reports that have been previously generated are listed here. Click on an HTML report name,
such as "rep1.html", to view the contents within the current browser window. Click on the
Finished At time to view it in a popup window. Click on other formats to save the report to your
workstation.
The following illustrates the types of charts and graphs available from the full report.
286

Viewing and Generating Reports
Configuring Reports
Click the Configure button beside a specific report name to configure that report, or click Add
New Report Type to start a new report.
General Report Configuration Parameters
• Report Title — Title to display at the top of the report.
• Email To (HTML, CSV, PDF, PS) — Specify an email address, such as
admin@example.com. Use a comma-separated list if you wish to distribute the report to
multiple users, or assign an alias.
• Paper Size — For PDF and PS formats, select the paper size, such as Letter, A4, or Legal.
• Describe fields in report — Select this option to include a short description of each field in
the report.
• Hosts — If you are running a clustered system, select the specific host you want the report
to apply to. When running reports in a clustered system, if you select "All" hosts in the
report, it will generate a report for each host individually, and then merge the results into
one report.
• Filters — Select a filter, if any, to use with this report. Filters are created from the Status/
Reporting ➝ Reporting ➝ Report Filters menu.
287

Reporting
Automatic Report Generation
Configure and generate automatic reports from the Report Generation section of the
configuration screen.
• Enable Auto Generate — Select this check box to automatically generate reports.
• Auto Generate Report at — Select the time to generate the report.
• Auto Generate on Week Days… — Choose the days of the week to generate the report.
• ...and/or Day(s) of Month — Choose specific days of the month to generate the report.
• Timespan Covered — Select the timespan covered for this report.
• Timespan Ends at… — Select the end of the timespan. It is recommended to set the
timespan end time a few hours prior to report generation to allow all deferred mail to be
finalized.
• ...Timespan Offset (Days Ago) — Select the number of days to offset the timespan. This
amount of time is subtracted before setting the timespan.
Click the Generate Now button to generate a report on demand using the specified settings.
This will also automatically email the report to the specified address.
To generate a report daily at 2.00am for the previous day (up to 11:00pm):
Auto Generate Report at: 02:00
Auto Generate on Week Days: All
Timespan covered: 1 day
Timespan ends at: 23:00
Timespan offset: 0 days
To generate weekly reports on Sunday at 4:00am for the period ending Friday 11:00pm:
Auto Generate Report at: 04:00
Auto Generate on Week Days: Sunday
Timespan covered: 1 week
Timespan ends at: 23:00
Timespan offset: 1 day ago
288

Viewing and Generating Reports
Report Fields
The Fields section allows you to choose which fields or items of information to include in the
report. The fields provided are static and the standard reports use fields pre-selected from this
list to satisfy certain requirements. You can include or exclude fields to any one of the reports
as required.
Columns
• Field ID — This is the ePrism name for this item.
• Title in Report — Designate a title to appear in the report.
• Order — The higher the value, the higher the field will appear in the report. Any number
can be chosen to position the fields as needed.
• Page Break — Choose between no, before, after, and both, to configure page breaks. This
option only applies to PDF and PS format reports.
• Limit — Set a limit for the number of items in a field. For example, enter "10" in the top
viruses field to create a "Top Ten Virus List".
Field Descriptions
The following table describes the fields that appear in the report. Brief descriptions of each field
can be included in the report by configuring it in the general report parameters.
TABLE 1. Reporting Field Descriptions
Field
System name
Date time
Version
Timespan
Uptime
Filter summary
Description
The system host name, such as
server.example.com.
Date and time of report generation.
ePrism software revision.
Period covered by report.
How long the ePrism system has been running
since the last reboot.
A summary of the filters applied to this report.
289

Reporting
TABLE 1. Reporting Field Descriptions
Field
Head comment
Traffic blocking
Blocking pie chart
Total traffic Received
Total traffic sent
Total received message size
Total sent out message size
Trust traffic
Processing time
Spam metrics
Top virus
Recent virus list
Threat Outbreak Control
Summary
Threat Outbreak Virus List
Top PBMFs
Top forbidden attachments
Recent forbidden
attachments
Top compliancy
Top word match
Description
Freeform comment that you may enter.
A table showing the number of messages caught
by each method over the preceding hour, day,
week, month, and report timespan.
A pie chart of the same data as the right hand
column of Traffic Blocking (timespan).
Graphs of the number of messages received per
hour over the reporting period (timespan).
Graphs of the number of messages sent per
hour over the reporting period (timespan).
Total message size of incoming messages per
hour.
Total message size of outgoing messages per
hour.
A table showing the number of messages
classified as "trusted" and "untrusted" and their
disposition over the reporting period.
The average time a message waits between
initial handshake and disposition, including
DNSBL/Bulk Analysis lookups if any. Messages
that are deferred are not included.
Graph of the number of messages per Token
Analysis assigned spam metric (0 - 100).
List of the top viruses found.
List of the most recent viruses found.
The number of messages quarantined by Threat
Outbreak Control and the number of those
messages that were released, malformed,
contained forbidden attachments, or were later
found to contain viruses.
The most commonly detected virus types
detected by Threat Outbreak Control.
List of the top pattern based message filters.
Note that this includes only global PBMFs.
List of the top forbidden attachments caught by
attachment control.
List of the most recent forbidden attachments
caught by attachment control.
List of the most common detected compliancy
violations.
List of spam word and OCF word matches.
290

Viewing and Generating Reports
TABLE 1. Reporting Field Descriptions
Field
Spam Summary
Intercept Component
Weights
Disk usage
Disk load
CPU load
NIC load
Swap usage
Paging
Top mailbox sizes
Webmail
POP
IMAP
Active mail queue
Deferred mail queue
Top senders
Description
Lists the number of messages classified as
certainly spam, probably spam, and maybe
spam
A composite list of the components of the Anti-
Spam Intercept engine and the results of each
component relating to the number of positive
results that were designated by the system as
Certainly Spam, Probably Spam, Maybe Spam,
mixed spam, or not spam at all.
Shows disk usage by partition.
Graph of average disk load (MB/s) over the
reporting period.
Graph of average CPU load (number of waiting
processes) over the reporting period.
Graph for each active network interface load
(Bytes/hour) for the reporting period.
Swap file usage.
Paging usage.
Lists the top users based on the size of their
mailboxes in MB.
The number of WebMail logins and failed
attempts per hour. This does not include "admin"
logins.
Graph showing the number of POP logins and
login failures per hour over the reporting period.
Graph showing the number of IMAP logins and
login failures per hour over the reporting period.
Graph showing number of queued messages (as
sampled every 5 minutes) over the reporting
period.
Graph showing maximum number of messages
(as sampled every 5 minutes) in the deferred
queue over the reporting period.
The top sender (judged by envelope from, not
header from) during the report timespan, sorted
by number of messages. If the title contains one
or more comma characters, the list will be
restricted to those senders which include any
string after the first comma. The limit parameter
in the report configuration sets the maximum
number listed.
291

Reporting
TABLE 1. Reporting Field Descriptions
Field
Top sending hosts
Top recipients
Bulk Analysis Servers
DNSBL Servers
Policy summary
Recipient traffic blocking
Connection summary
End comment
Extra comment
Description
The top sending host names (in FQDN format)
during the report timespan, sorted by number of
messages. If the title contains one or more
comma characters, the list will be restricted to
those sender FQDNs which include any string
after the first comma. The limit parameter in the
report configuration sets the maximum number
listed.
The top recipients during the report timespan,
sorted by number of messages. The sum of the
message sizes is also listed. If the title contains
one or more comma characters, the list will be
restricted to those recipients which include any
string after the first comma. The limit parameter
in the report configuration sets the maximum
number listed.
Graph showing the average round trip, in
seconds, to the preferred Bulk Analysis server
over the reporting period.
Graph showing the round trip, in seconds, to the
DNSBL servers over the reporting period. The
value is averaged over all enabled DNSBL
servers.
A summary of policy actions over certain time
periods.
Traffic blocked by recipients due to policies and
their actions.
Lists the number of connections refused based
on features such as Mail Anomalies, Threat
Prevention, DNSBL, and BSN.
Comment text.
Extra comment text.
Language Support
Any text field in the report configuration can use Western (ISO-8859-1) text. For extended
characters (such as accented letters), configure your browser for Western (ISO-8859-1) and set
the character set encoding in Basic Config ➝ Web Server. You can then use your language
specific keyboard or copy and paste ISO-8859 text into the report configuration fields.
292

Viewing and Generating Reports
Creating Report Filters
You can create custom filters to apply when generating reports. When a filter is selected in the
report configuration editor, the applicable report fields are restricted to those values that include
any string in the supplied list. You can filter by mail domain, user groups, and specific hosts.
Filters for specific viruses, encryption, and attachments types can also be created.
Field values can be separated by a space or by starting a new line. Leave a field blank for no
filtering. Wildcard characters can be used for domains and email addresses, such as:
*@example.com
joe@*.example.com
fred@*example*
Select Status/Reporting ➝ Reporting ➝ Report Filters to create and edit report filters.
You can filter on the following fields:
• Sender domain or email address
• Recipient domain or email address
• Sending host name or IP
• Encryption from Sender
• Encryption to Recipient
• Sender groups
• Recipient groups
• Virus
• Forbidden Attachment
When a filter is created, it will appear in a dropdown list in the report configuration settings. Select
the filter to apply it to the report.
293

Reporting
Viewing the Mail History Database
Every message that passes through ePrism generates a database entry that records
information about how it was processed, including a detailed journal identifying the results of the
mail processing.
Select Status/Reporting ➝ Reporting ➝ Mail History to view the email database.
Columns
• QueueID — Identifies the message in the database.
• Time Received — Time when the message was received by ePrism.
• Subject — Contents of the message subject header field.
• Prior — If a message is forwarded because of alias expansion, bounced, vacation
notification, and so on, a new message in the queue will be created. The QueueID number
in the Prior column links to the original message.
• Journal — Shows how the message was processed, including its disposition.
• Auth — Shows SMTP authentication information, if enabled.
Search
Search for specific message details using the following search fields:
• Search — Select the specific part of the message you want to search on, such as "sender"
or "subject".
• For — Enter a search string. Use a blank field to match any string.
Advanced Search
Select the Advanced button to perform an advanced search of the email database.
294

Viewing the Mail History Database
• Search — Select the specific part of the message you want to search on, such as "sender"
or "subject". Use the "and" fields to select an additional message part and search string.
• Date — You can select a time frame to search for received, disposed, or deferred mail.
• Status — Select a message status to search for, such as "malformed", or "virus".
• Hosts — In a clustered system, you can specify a specific host to perform the search on.
• Max — Enter the maximum number of results (up to 10,000) returned in the search.
• Regex — Select this option to define a search using a regular expression.
After performing a search, you can enter more criteria and use the Refine button to search only
within the previous results.
Displaying Message Details
Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any,
are listed in the Message Disposition section.
295

Reporting
Viewing the System History Database
Select Status/Reporting ➝ Reporting ➝ System History to view the system database.
The system database is a record of system events, such as login failures and disk space usage.
Search
Enter any text to search for an event. You can specify the type of message to narrow the
search. Leave the text area blank to list by event type.
Columns
• Event# — Identifies the event in the database.
• End Time — Time when the event is complete.
• Type — The type of event.
• Device, User — The device or user in the event.
• Text — Associated text for the event.
• #1, #2, #3 — Parameters of the event. These are specific to each event type.
Event Types
The following table describes the event types that can appear in the system database.
TABLE 2. System Database Event Types
Event Type Abbreviation Description Parameters
Admin Actions adm Shows administrative
functions that have been
performed
AV Updates avup The time of the last update,
its success or failure, and the
name of the new pattern file
CPU Load cpuld The load average for the past
1, 5, and 15 minutes
Number of
processes waiting
for CPU. A very
busy system may
have 50 or more
296

Viewing the System History Database
TABLE 2. System Database Event Types
Event Type Abbreviation Description Parameters
DCC Preferred dccpref The round trip time to
preferred Bulk Analysis
server
Disk I/O diskio MB per second transfer, KB
per transfer, transfers per
second for a disk
Disk Usage du Amount of used and total
available disk space for each
disk slice
IMAP I/O impio This shows each IMAP based
transfer of email messages
IMAP Logins implin This shows each successful
IMAP authentication. If the
connection used SSL, the
string "ssl" follows in a
separate column. Note: IMAP
transfers smaller than 50
bytes are not recorded
IMAP Failures impfail Shows the number of IMAP
login failures.
Name of preferred
server
UserID and IP
address
UserID and IP
address
Logins login A single web based login UserID and IP
address
Logouts logout A single web based logout
(not including timed-out
sessions)
UserID and IP
address
Login failures lifail Login failure UserID and IP
address
Network I/O nic Amount of data in and out of
network card
Paging page This shows the swap paging
activity (pages in/out) over 5
seconds
POP I/O popio This shows each POP based
transfer of email messages
POP Logins poplin This shows each successful
POP authentication. If the
connection used SSL, the
string "ssl" follows the IP
address
Number of emails
and bytes
transferred in POP
session
UserID and IP
address
297

Reporting
TABLE 2. System Database Event Types
Event Type Abbreviation Description Parameters
POP Failures popfail This shows each POP
authentication failure. If the
connection used SSL, the
string "ssl" follows the IP
address
Queue Sizes que Number of messages in
active and deferred queues
DNSBL Response rbldns Average round time to
DNSBL server with minimum
and maximum values
Swap usage swap This shows the swap usage,
and total swap space
available
UserID and IP
address
Active queue size
in bytes, deferred
queue size in
bytes
DNSBL server
Used and
available swap
space in
megabytes
298

Report Configuration
Report Configuration
Select Status/Reporting ➝ Reporting ➝ Configure to configure the maximum time email
summaries, system event summaries, and reports are kept on the system, including the
maximum number that are retained.
Email summaries, system events, and reports are included in backups. Each email summary is
about 1,000 bytes in size. For performance reasons, such as backup/restores and searches, it
is recommended to set the email message limits no longer than is required, such as 250,000
messages for an M1000, 500,000 messages for an M3000 and so on.
The email message history is trimmed to the expiry date and number limit, whichever is
smaller. System events occupy less than 2 MB per day, and a setting of 3 months is
reasonable.
The system purges old data every day after 12:00am, and also within a few minutes of saving
the settings in this menu. The data is rolled out depending on the date/time and number
constraints, whichever is less.
Reports will not be generated while the data is being purged.
299

Reporting
Disabling Reporting
The reporting database is populated with information that is obtained by interpreting the system
log files. You have the option of disabling reporting which results in no new information being
saved in the reporting database. Note that all log files are still saved but the reporting engine will
not analyze and interpret them for reports.
Disabling reporting is not recommended, and should only be used if the system is extremely
overloaded, or if you are testing performance levels.
Click the Advanced button on the Status/Reporting ➝ Reporting ➝ Configure screen to
reveal an option for disabling the reporting function.
Software upgrades or system restores will re-enable reporting, if disabled.
300

CHAPTER 14
System Management
This chapter describes the tools used to administer the ePrism Email Security Appliance and
contains the following topics:
• “System Status and Utilities” on page 302
• “Mail Queue Management” on page 305
• “Quarantine Management” on page 306
• “License Management” on page 308
• “Software Updates” on page 311
• “Security Connection” on page 312
• “Reboot and Shutdown” on page 313
• “Backup and Restore” on page 314
• “Centralized Management” on page 321
• “Problem Reporting” on page 326
• “Health Check” on page 327
301

System Management
System Status and Utilities
The Status/Reporting ➝ Status & Utility screen provides the following information:
• A snapshot of the system status, including information on uptime, load average, amount of
swap space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus
pattern file status.
• Controls to start and stop the mail systems and flush the mail queues.
• Diagnostic tools such as a Hostname Lookup function, SMTP Probe, Ping, and Traceroute
utilities that are useful for resolving mail and networking problems.
• System hardware configuration information.
System Status
From the System Status screen, you can view a number of system statistics such as the total
system Uptime, load average, the amount of used swap and disk partition space, RAID status,
NTP server status, and Anti-Virus pattern update status.
302

System Status and Utilities
Utility Functions
The Utility Functions allow you to control the following system services:
• Stop/Start Mail Services — You can stop or start all mail services by clicking on the Stop/
Start Mail System Control option.
• Disable/Enable Sending and Receiving — Alternately, you can also enable or disable
only the Receiving or Sending of mail by clicking the appropriate button. This is useful if you
only want to stop the processing of mail in one direction. For example, you may want to turn
off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to
receive incoming mail.
• Flush Mail Queue — The Flush button is used to reprocess any queued mail in the
system. Only click this button once. If the mail queue does not process, you may be having
other types of delivery problems, and reprocessing the mail queue will only add additional
load to the system.
Diagnostics
The Diagnostics section contains networking and SMTP utilities to help troubleshoot network
and mail delivery issues.
See “Network and Mail Diagnostics” on page 355 for more detailed information on using these
diagnostic tools for troubleshooting.
• Hostname Lookup — Allows you to verify host name resolution by looking up a host on a
DNS name server.
• SMTP Probe — Allows you to send a test email to a remote SMTP server.
• Ping — Ensures network connectivity via ICMP ping
• Traceroute — Ensures routing connectivity by tracing the routes of network data from
source to destination server.
303

System Management
Current Admin and WebMail Users
The Current Admin and WebMail Users section allows you to see who is logged in via the web
admin interface or through a WebMail session.
If you are using Clustering, an admin login may show up several times on the list because of
additional RPC calls related to clustering communications. In these cases you will see the Remote
IP address as the other ePrism systems.
Configuration Information
The Configuration Information section shows you important system information such as the
current version of the system software, the time it was installed, and licensing and hardware
information.
304

Mail Queue Management
Mail Queue Management
The Status/Reporting ➝ Mail Queue screen contains information on mail waiting to be
delivered. You can search for a specific mail message using the search function. Messages
that appear to be undeliverable can be removed by selecting them and then clicking the
Remove link.
Any mail messages in the mail queue can be processed out of the queue by clicking the Flush
Mail Queue button. Only click this button once. If the mail queue does not process, you may be
having other types of delivery problems and reprocessing the mail queue will only add
additional load to the system.
Display Options
The Remove All button is used specifically with the search function. You must enter a search
pattern to use with this button. To delete all mail messages in the queue, enter "@" in the search
field, and then click Remove All.
The following options can be appended to the URL of the Mail Queue screen:
• ?limit=n — Sets the total number of items that will be listed to the specified number. The
default is 2000.
• ?ipp=n — Sets the number of items per page.
• ?order=asc — Sorts items by oldest date first to the most recent.
If the query URL already contains a "?" argument, you must use the "&" instead to add options to
the query.
To set the total number of items to be displayed to 100, use the following URL:
https://server.example.com/ADMIN/mailqueue.spl?limit=100
Use the "&" symbol instead if an "?" option already exists:
https://server.example.com/ADMIN/
mailqueue.spl?action=submit&limit=100
305

System Management
Quarantine Management
Select Status/Reporting ➝ Quarantine to manage the Quarantine folder. This folder contains
messages that have been blocked because of a virus, malformed message, compliance
violation, or an illegal attachment. You can view the details of a message by clicking on its ID
number, or delete the message from quarantine by clicking the Delete button.
Quarantined messages can also be released from the quarantine and delivered to their original
destination by clicking the Release button.
Use the search field to look for specific messages within the quarantine. For example, you could
search for the name of a specific virus so that any quarantined messages infected with that
specific virus will be displayed.
Display Options
The Delete All and Release All buttons are used specifically with the search function. You must
enter a specific search pattern before using these controls. It is recommended that you use the
Expiry Options button to clear the quarantine area of all messages beyond a certain date.
The following options can be appended to the URL of the Quarantined Mail screen:
• ?limit=n — Sets the total number of items that will be listed to the specified number. The
default is 2000.
• ?ipp=n — Sets the number of items per page.
• ?order=asc — Sorts items by oldest date first to the most recent.
If the query URL already contains a "?" argument, you must use the "&" instead to add options to
the query.
To set the total number of items to be displayed to 100, use the following URL:
https://server.example.com/ADMIN/quarantine.spl?limit=100
Use the "&" symbol instead if an "?" option already exists:
https://server.example.com/ADMIN/
quarantine.spl?action=submit&limit=100
306

Quarantine Management
Quarantine Expiry Options
Click the Expiry Options button to configure the quarantine expiry settings. An expiry term can
be set so that quarantined messages will be deleted after a certain period of time. You can use
this feature to flush all messages from the quarantine area on a regular basis.
• Expire only on disk full — The Quarantine will expire messages based on the disk space
percentage configured by the administrator. The default is 90% which expires messages
from the quarantine when the disk is 90% full. Valid values are between 10% and 90%.
• Expire per settings — The Quarantine will expire messages based on the administrator's
configured settings.
• Days — Enter how many days to keep a quarantined message before deleting it.
• Disk usage (percentage) — Enter a percentage of disk usage that can be used by the
quarantine area. If the quarantine area grows beyond this size, messages will be expired.
The disk partition used by the quarantine is the /var partition.
Click Update to enable the settings for new quarantined messages. Click Update and Expire
Now to apply the settings to all messages in the quarantine area.
To delete all messages in the quarantine, set the Days value to "0", and then click Update and
Expire Now.
307

System Management
License Management
The ePrism Email Security Appliance initially starts in evaluation mode which can be used for 30
days. After that time, ePrism stops accepting new mail. Incoming mail will receive an SMTP
failure message explaining that no mail is being accepted because the evaluation period has
elapsed. Existing mail in the queue will still be delivered, and mail in mailboxes will still be
accessible to POP3/IMAP and ePrism Mail Client users.
Use the information in your License Pack to license and activate ePrism. Activating ePrism also
activates your support contract which is valid for 12 months from purchase.
Your Support Contract entitles you to all software upgrades and patches, as well as return-tofactory
warranty on the hardware. Failure to activate your system may delay the delivery of support
services.
ePrism can be licensed both automatically via the Internet and manually. For automatic
licensing, ePrism requires an Internet connection.
Automatic License Activation
License ePrism automatically as follows:
1. Ensure that the system can access the Internet so it can connect to the St. Bernard License
server.
2. Select Management ➝ License Management on the menu.
3. Click the Automatic Activation button. A new web browser window will open up and
display the St. Bernard licensing activation screen.
308

License Management
4. Enter the serial number found in the Psn field from the License Pack. (This is not the
hardware serial number of the system.)
5. Enter the hardware serial number located on the ePrism in the Hsn field.
6. Click Continue to activate the license.
Manual License Activation
To manually activate a license:
1. From a workstation connected to the Internet, go to activate.stbernard.com to obtain
an Activation Key.
2. Select the product or option you want to license, and then enter the appropriate license
information.
3. You will receive an Activation Key that will be used in the following steps.
4. On ePrism, select Management ➝ License Management on the menu.
5. Click the Manual Activation button.
6. Enter the Serial number and Activation Key, and then click Next.
309

System Management
Optional Product Licenses
The following products must be licensed separately. If these options are enabled, they will run in
evaluation mode for 30 days. Use the same licensing procedure described previously to add
these optional licenses.
• Kaspersky Anti-Virus
• HALO Stateful Failover Option
• Attachment Content Scanning
310

Software Updates
Software Updates
It is important to keep your ePrism software updated with the latest patches and upgrades.
A key aspect of good security is responding quickly to new attacks and exposures by updating
the system software when updates are available.
Updates are supplied in special files provided by St. Bernard. These updates can be delivered
or retrieved using a variety of methods, including email, FTP, or from St. Bernard’s support
servers. The Security Connection, if enabled, will download any patches automatically. Security
Connection is discussed in more detail in the next section.
St. Bernard recommends that you backup the current system before performing an update. See
“Backup and Restore” on page 314 for detailed information on the backup and restore procedure.
Select Management ➝ Software Updates on the menu to load and apply software updates.
The Software Updates screen shows updates that are Available Updates (loaded onto
ePrism, but not applied) and Installed Updates (applied and active.) You can install an available
update, or uninstall a previously installed update.
When these software update files are downloaded to your local system, they can be installed
by clicking Browse, navigating to the downloaded file, and then clicking Upload.
After applying any updates, you must restart the system.
311

System Management
Security Connection
The Security Connection is a service running on ePrism that polls St. Bernard’s support servers
for new updates, security alerts, and other important information. When new information and
updates are received, an email notification can be sent to the administrator. It is recommended
that you enable this service.
For security purposes, all Security Connection files are encrypted and contain an MD5-based digital
signature which is verified after decrypting the file.
• Enabled — Select to enable Security Connection.
• Frequency — Specify how often to run the Security Connection service. Choices are daily,
weekly, and monthly.
• Auto Download — Enable this option to allow software updates to be downloaded
automatically. The updates will not be automatically installed. They must be installed via
Management ➝ Software Updates.
• Display Alerts — Enable this option to display any alert messages on the system console.
• Send Email — Enable this option to send an email notification to the address specified
below.
• Notification Mail Address — Specify an email address to receive messages from Security
Connection.
• Support Contract — You must enter a valid Support Contract number. This information is
supplied with your license key at the time of purchase.
Click Update to save your Security Connection configuration.
Click the Connect Now button to run Security Connection immediately.
312

Reboot and Shutdown
Reboot and Shutdown
The ePrism Email Security Appliance can be safely rebooted or shut down from this menu.
Before shutting down, remove any media from the floppy and CD-ROM drives.
Click Reboot now to shutdown the system and reboot.
Click Shutdown now to shutdown the system completely.
See “Restoring ePrism to Factory Default Settings” on page 367 for detailed information on
restarting ePrism and restoring it to factory default settings.
313

System Management
Backup and Restore
ePrism can backup all data, including the database, quarantined items, mail queues, user mail
directories, uploaded user lists, SSL certificates, reports, and system configuration data.
The ePrism Email Security Appliance supports three backup methods:
• Local tape drive (if available)
• FTP server
• Local disk (using browser download to a workstation)
The restore feature can restore any backup items individually. The ePrism system should be
backed up before performing any type of software upgrade or update.
Restoring a clustered system requires a different procedure than outlined in the next section. See
the Cluster Management section starting on page 197 for more information on backing up and
restoring clustered systems.
Restore Considerations
The backup and restore function is primarily intended for product recovery after a re-installation
or upgrade, and it is strongly recommended that all data be restored during a system recovery
rather than individually. As the size of the reporting database can be quite large, you should
restore the reporting database separately after the restoration of the basic system.
You must always restore the system data first before restoring the reporting database.
Starting a Backup
You can perform backups on demand, or you can schedule a tape or FTP backup once per day
via the Management ➝ Backup & Restore ➝ Daily Backup menu.
Select Management ➝ Backup & Restore on the menu to start a backup.
Select the required type of backup and click the Next >> button.
314

Backup and Restore
Local Disk (Direct Backup) Options
The following options are for backing up to the local disk:
• Encrypt backup — Select this option to store the backup file in encrypted form.
• Backup system configuration — Select this option to backup all system configuration
data, including mailboxes, Token Analysis data, licenses and keys. This option must be
enabled if you need to restore system functionality.
• Backup reporting data — Select this option to include reports, email history, and system
event data in the backup.
Backing up reporting data can drastically increase the size of the backup file, resulting in a much
longer backup time. Use scheduled FTP backups to prevent your browser from timing out when
this type of backup is taking place.
When you have set your options, click Next >> to continue.
Verify that your options are correct, and then click Create backup now to start the backup.
The system will prompt you for a location to download the file (backup.gz). The backup file is
saved in a gzip compressed archive.
315

System Management
FTP Backup Options
The following options are for backing up to an FTP server:
• Encrypt backup — Select this option to store the backup file in encrypted form.
• Backup system configuration — Select this option to backup all system configuration
data, including mailboxes, Token Analysis data, licenses and keys. This option must be
enabled if you need to restore system functionality.
• Backup reporting data — Select this option to include reports, email history, and system
event data in the backup.
• FTP server — Enter the host name or IP address of the destination FTP server.
• Username — Enter the username for the FTP server.
• Password — Enter the password for the FTP server.
• Directory — Enter the directory on the FTP server for the backup files.
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.
When you have set your options, click Next >> to continue.
316

Backup and Restore
Verify that your options are correct, and then click Create backup now to start the backup.
You can also click Create scheduled backup which will take you to the Daily Backup menu to
create a scheduled FTP backup.
Daily Scheduled Backup
You can schedule an automatic FTP or tape backup to be performed every day at a specified
time.
Select Management ➝ Backup & Restore ➝ Daily Backup on the menu to configure
automatic daily backups.
• Tape Backup — Select the check box to enable daily tape backups (if available.)
• FTP Backup — Select the check box to enable daily FTP backups. You must configure the
FTP backup settings separately using the Management ➝ Backup & Restore screen.
• Start Time — Set the start time for the backup in 24-hour format using the syntax HH:MM,
such as 02:00 for 2:00AM.
Mail History, System Event History, and Reports cannot be backed up if the daily backup runs
between 12AM and 12:30AM. This is the time period when the reporting database is processing its
rollout information.
317

System Management
FTP Backup Naming Conventions
The naming convention for FTP backups is time stamped as follows:
MX-DATAx.YYMMDDHHMM
Example:
MX-DATA0.0505152245
This indicates that the backup file is from May 15th, 2005 at 10:45PM. When purging old backup
files during routine maintenance, ensure that you examine the timestamps before deleting them.
Restoring from Backup
Select the required type of restore and click the Next >> button.
Restore from Local Disk Options
Enter the local filename that contains your server’s backup data, or click Browse to select the
file from the local drive directory listing. Click Next >> to upload and restore the backup file.
318

Backup and Restore
FTP Restore Options
Enter the following information to restore from an FTP server:
• FTP server — Enter the host name or IP address of the FTP server where the backup file is
stored.
• Username — Enter the username for the FTP server.
• Password — Enter the password for the FTP server.
• Directory — Enter the directory on the FTP server for the backup files.
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.
Click Next >> to connect with the FTP server and restore the backup file.
Restore Options
When the backup file has been successfully retrieved, you can choose which aspects of the
system you want to restore. When finished selecting the restore items, click Restore Now.
If you are restoring reporting data separately, it must be performed after the restoration of the main
system information.
319

System Management
You can view the current status of the restore process in the Status section of the Management
➝ Backup & Restore menu.
When the restore is complete, you should review and edit your network configuration in the
Basic Config ➝ Network screen as required, and click Apply to reboot. This ensures that all
restored network settings have been applied.
If you modified the networking information during the system installation process and then
performed a restore, your new networking information may be overwritten by the restored data.
Ensure that your network settings are correct before updating and rebooting the system.
Backup and Restore Errors
The following table describes the types of errors that can occur when restoring a backup file:
TABLE 1. Backup and Restore Error Codes
Error Code
Description
0 No error
1 Form data missing
2 MIME data missing boundary
3 Invalid form data
4 Unsupported encoding method
5 Unsupported header in MIME data
6 File open error
7 Filename not specified
8 Error writing file
9 Data is incomplete
320

Centralized Management
Centralized Management
The Centralized Management feature allows you to administer multiple ePrism Email Security
Appliances from a single management console. Centralized Management allows you to
perform many routine administrative tasks across all ePrism systems configured in the same
management group.
Centralized Management is used to monitor and administer multiple ePrism systems, including
the ability to copy configuration items such as mail routes, aliases and mappings, RADIUS and
LDAP settings, and so on, to other systems in the management group.
All management group communications are authenticated and transmitted using HTTPS.
You can perform the following functions from the Centralized Management console:
• Start and Stop mail services
• Monitor mail queues
• View statistics of incoming and outgoing mail
• Copy configuration settings to other ePrism systems
• Perform backups
Centralized Management and Clustering
Centralized Management is very different from ePrism’s HALO Clustering features.
Centralized Management is intended for managing multiple ePrism systems with different
configurations, while Clustering is used to monitor and manage multiple systems with identical
configurations for redundancy and load balancing purposes.
See “HALO (High Availability and Load Optimization)” on page 265 for more detailed
information on cluster management.
321

System Management
Configuring Centralized Management
Use the following procedure to initialize and configure Centralized Management.
1. Select Basic Config ➝ Network from the menu.
2. Ensure that Admin Login access is enabled for the specific network interface that will be
communicating with the management group.
3. Select Management ➝ Centralized Management to configure Centralized Management.
The initialization screen will appear indicating that there are no management groups
configured.
4. To create a management group, click Configure. You will need to enter the login and
password of the admin user.
5. Add new members to the management group by clicking the Members button.
322

Centralized Management
6. Enter the group member’s hostname or IP address, an optional name, and the Admin
user’s login and password. Click Add or Update Member.
Once added, click the Close button.
The group member will now appear in the main management console screen.
If the address of a member server changes, the original entry must be removed before adding a
new entry with the new address.
Changing the Centralized Management Console
To change the address of the console you are using, click Edit, enter your new settings, and
then click Add or Update Member. You cannot delete the console you are using from the
management group.
323

System Management
Using the Management Console
From the Centralized Management Console, you can perform a variety of administrative
functions.
Group Commands
The following commands are applied to the entire management group:
• Centralized Management Command — From the drop-down box you can select a specific
function to execute across all members of the management group. The options include
Refresh, Stop All Queues, Run (Start) All Queues, and Backup.
• Select Auto Refresh — Select the time, in seconds, for automatic refresh of settings and
statistics for group members. Select Disable if you do not require Auto Refresh.
Member System Commands
The following commands are only applied to the specified group member:
• Start and Stop Services — You can start and stop services for each management group
member. The current status is also displayed.
• Connect — Connect directly to the specified member and open its administration screen.
• Backup — Backup the member server via FTP. Each group member must have its FTP
backup configured individually before this function will work from the console.
• Copy Configuration — Copy the selected settings from the management console to the
selected member. Each member can be configured individually to receive only certain
settings by selecting the check box of each configuration item.
Click Save to save your selected settings on the management console screen.
324

Centralized Management
Copy Configuration
To copy configuration items from the Centralized Management Console to the group members,
select which items to copy, and then click the Copy button. Click Save to save your settings.
The following configuration settings can be replicated:
• Attachment Control — All items, including Attachment Types, are added to the selected
group member.
• Mail Aliases — All mail aliases will be added to the selected group member.
• Virtual Mappings — All virtual mappings will be added to the selected group member.
• Mail Mapping — All mail mappings will be added to the selected group member.
• Mail Routing — All mail routes will be added to the selected group member.
• Mail Access/Filtering — Message size and patterns settings will be added to the selected
group member.
• Relocated Users — The list of relocated users on a group member will be replaced by
those from the management console.
• Pattern Based Filtering — All anti-spam Pattern Based Filtering settings except the
default settings will be added to the selected group member.
• RADIUS/LDAP — All RADIUS and LDAP configuration settings will be added to the
selected group member.
The mail queue will be temporarily stopped during the replication process.
325

System Management
Problem Reporting
Problem reporting allows you to send important configuration and logging information to St.
Bernard Technical Support for help with troubleshooting system issues. This feature should be
used in conjunction with an existing support request with technical support.
Select Status/Reporting ➝ Problem Reporting to configure your troubleshooting
configuration information.
• Send To — Enter an email address to send the reports. The default is St. Bernard Technical
Support, but you can also put in your own email address so that you can view them before
sending them to St. Bernard.
• Mail Log — Sends the latest daily mail server log.
• Mail Configuration — Sends your current mail configuration file.
• Mail Queue Stats — Sends a snapshot of the latest current mail queue statistics.
• System Messages — Sends the latest daily system message log.
• System Configuration — Sends an XML version of the system configuration.
Click Apply to save the information in the form, and click Send Now to send the information to
the configured email address.
326

Health Check
Health Check
The Health Check service is a cost-option for the ePrism Email Security Appliance that allows
St. Bernard to perform a comprehensive review of your current configuration. St. Bernard’s
Professional Services consultants will provide a comprehensive report identifying the health of
system processes, database inconsistencies and overall performance. Detailed
recommendations for optimizing spam capture effectiveness and performance are then
provided in a Diagnosis Report.
The Diagnosis Report returned to you includes:
• Summary of system review and activities (General Configuration, Network Settings and
Topology, Anti-Spam, Content Filtering, Attachment Control, Anti-Virus, Software Updates)
• Recommendations for each area of concern
• Identification of known software issues
• Details on upcoming releases and patches
• License Key — Enter your license key for the Health Check service.
• System Report — Select the type of system report to generate:
• Health Check now: Send a health check report immediately.
• Health Check + Report now: Send a health check and a full system report immediately.
• Health Check + Report at 3am: Send a health check and full system report at 3am. This
allows the health check and report generation to occur during times of lower activity.
• EMail — This is the St. Bernard email address where system health reports will be sent and
cannot be changed.
Click Submit to start the Health Check service. You will receive verification that the health
check has been sent, and receive notification that you will receive a report.
327

CHAPTER 15
Monitoring System Activity
This chapter describes how to monitor ePrism’s system activity and message processing, and
contains the following topics:
• “Activity Screen” on page 330
• “System Log Files” on page 332
• “Offloading Log Files” on page 335
• “SNMP (Simple Network Management Protocol)” on page 337
• “Alarms” on page 340
329

Monitoring System Activity
Activity Screen
The Activity screen provides a variety of system information and utilities all on one screen,
including:
• Mail service stop and start
• Mail queue statistics
• Queue Activity
• System uptime and CPU load
• Message status and final actions
The following describes the queue statistics columns:
• Arrived — The total number of messages processed by ePrism (messages accepted).
These include messages that were spam, viruses, attachment control, and so on.
• Sent — The total number of messages sent by ePrism, including mailer daemon mail,
quarantine notifications, mail delivery delay notifications, local mail, alarms, reports, and so
on. If a message has multiple recipients, each delivered recipient will be added to the total.
• Spam — The total number of messages considered spam by the Intercept engine.
• Reject — The total number of messages rejected because of client hostname/address
restrictions, SAP rejects, DNSBLs, and PMBFs with reject action.
• Virus — The total number of messages that contained a virus.
• Clean — The total number of messages that were accepted for delivery inbound and
outbound by ePrism and passed all security and spam filters.
330

Activity Screen
Show Recipients/Senders
Click the Show Recipients button to show all recipients for a message if there are multiple
recipients. If there is only one recipient for a message, the message will display the same way
in Show Senders and Show Recipients view.
If there are multiple recipients for a message, the Show Senders view will display a "+" sign in
front of the message. Use this button to expand the message to see all the recipients. This is
useful for seeing the actions and dispositions of a message for each recipient if they belong to
different scanning policies.
Cluster Activity
In a clustered system, an additional Cluster Activity screen is displayed that shows the
combined activity for all clustered systems.
331

Monitoring System Activity
System Log Files
Select Status/Reporting ➝ System Logs on the menu to access the system log files.
Click View in the Current Log column to view the most recent log file.
Click View in the Time Index column to see a list of all log files available on the system in
chronological order including the current log file, old log files (rolled out) and archived (zipped).
The Mail Transport log is the most important log to monitor because it contains a record of all
mail processed by ePrism. See “Examining Log Files” on page 346 for more information on
interpreting the mail transport logs.
Other logs include:
• Authentication — Contains messages from POP, IMAP, and WebMail logins.
• HTTP Access — A log of access to the web server.
• HTTPS Access — A log of SSL web server access.
• HTTP Errors — Contains error messages from the web server.
• HTTPS Engine — Contains messages for the web server encryption engine.
• Messages — Contains system messages, including file uploads.
• Kernel — A log of kernel generated messages.
It is possible that you may receive errors in the kernel logs regarding partition slices. If you your
system is installed with a manufacturer’s diagnostics partition, this is the cause of the error and
does not indicate a critical condition.
• Reporting SQL (when enabled) — This option only appears when SQL logging is enabled
in Status/Reporting ➝ Reporting ➝ Configure. The logs can be downloaded in SQL
format from this screen.
332

System Log Files
Viewing and Searching Log Files
Search for a particular search string by entering a value in the Search field and then clicking the
arrow button.
The following features can be used to help refine log searches:
• For logical "and" and "or" searches, use the keywords "and", "or", and "not".
• Use \and or \or to search for the actual words such as "and" and "or".
• Use a preceding / to search using Unix-style regular expressions.
You can also download the log to a text file by using the Download button. You can then import
this file into a log analysis application for offline processing.
Advanced Search
Click the Advanced Search link to perform advanced searches for all the log files for a specific
log type.
• Logs to Search — Select the log to perform the advanced search in.
• Search Archived — Select the check box to search all current and archived log files.
333

Monitoring System Activity
• Search All Dates — Select the check box to the entire time span. The Date/Time fields
below will be greyed out if this option is selected.
• Date/Time from — Enter a beginning date and time to search from.
• Date/Time to — Enter the end date and time to search to.
• Pattern — Enter a pattern to search for in the logs.
Click the Search button when you are ready to begin the advanced log search.
Configuring a Syslog Host
All of ePrism’s log files can be forwarded to a syslog server which is a host that collects and
stores log files from many sources.
The syslog files can then be analyzed by a separate logging and reporting program.
You can define a syslog host in the Basic Config ➝ Network screen.
334

Offloading Log Files
Offloading Log Files
In environments with large mail throughput requirements, ePrism’s log files, such as mail
transport log information, may grow very quickly. When a certain amount of log files have been
generated, ePrism can automatically compress older files to save disk space.
For backup purposes and offline reporting, ePrism can copy log and reporting files to another
system at regular intervals using FTP or SCP file copy utilities. This allows administrators to
backup the log files to a separate host for analysis and storage. When enabled, the offload will
occur each time a log file is rolled over and for the time period specified in the offload date and
time.
The Offload (Reporting) section is used for organizations requiring a separate reporting server
where logs will be forwarded to for reporting purposes.
Select Status/Reporting ➝ Server Logs ➝ Rollout & Offload on the menu to configure your
rollout and offload settings.
Rollout (Keep Uncompressed)
Configure the number of local uncompressed files to keep on ePrism in the Keep
uncompressed field. When log files are rolled over, ePrism will keep this amount of files
uncompressed on the hard drive. When this value is reached, the files will then be compressed
to save disk space (oldest first). Leave this field blank to leave all log files uncompressed.
335

Monitoring System Activity
Offload (Backup)
• Offload — Select the check box to enable offloading of rollout log files.
• Copy application — Select the program (FTP or SCP) to use for copy rollout files. These
applications must be enabled on the destination host.
• Port — TCP port to be used by the copy application. If this field is left blank, default port
values will be used.
• Host — Enter the host to copy rollout data to using the specified method.
• Folder — Select a folder to copy the rollout data to.
• Construct Filename — Select an identifier for the file name, such as a sequential number
(maillog.1) or a timestamp (maillog.200501010000).
• User — Username to use to log in to the destination host.
• Password — Corresponding password for the specified username.
• Compress — Select the check box to enable gzip compression of the rollout files.
Click the Update button when finished.
Click the Offload now button to begin offloading files immediately.
Click the Offload Again button to reset the information of Offloaded files. This will force an
offload of all files (even those offloaded before) again.You must click Offload Now, or wait for
the next scheduled offload (when a log file has rolled over, or every hour) to start the offloading
process after clicking Offload Again.
336

SNMP (Simple Network Management Protocol)
SNMP (Simple Network Management Protocol)
Simple Network Management Protocol (SNMP) is the standard protocol for network
management. When enabled on ePrism, this feature allows standard SNMP monitoring tools to
connect to the SNMP agent running on ePrism and extract real-time system information.
The information available from the SNMP agent is organized into objects which are described
by the MIB (Management Information Base) files. The information available includes disk,
memory, and CPU statistics, mail queue information, and statistics on the number of spam or
virus-infected emails. An SNMP trap can be sent when the system reboots.
See “SNMP MIBS” on page 383 for detailed information on the objects available in ePrism’s
MIB files.
The SNMP agent service is installed and running by default, but it must be enabled specifically
for each interface in the Basic Config ➝ Network screen. It is strongly advised that the agent
only be configured for the internal (trusted) network.
337

Monitoring System Activity
Configuring SNMP
Select Basic Config ➝ SNMP Configuration on the menu to configure SNMP.
• Send Trap on Reboot — Enable the check box to send a trap message to your SNMP trap
host whenever the system reboots.
• System Contact — (Required) Enter the email address of the contact person for this
system.
• System Location — (Required) Enter the location of the system.
• Read-Only Community — By default, ePrism does not allow read/write access to the
SNMP agent. For read access, you must set up a read-only community string on both the
agent, and your SNMP management application for authentication. It is recommended that
you change the default community string "public" to a more secure value.
The community string is case sensitive.
Permitted Clients
To allow access to ePrism’s SNMP agent, you must specifically add the client system to the list
of SNMP Permitted Clients. The clients can be specified using a host name, IP address, or
network address (192.168.138.0/24). Typically, you will enter the address of your SNMP
management station. Click Add to add the permitted client.
338

SNMP (Simple Network Management Protocol)
Trap Hosts
A trap host is an SNMP management station that will be receiving system traps from ePrism.
ePrism will send an SNMP trap when the system is rebooted.
Enter a list of hosts that will receive trap messages. The hosts can be specified using a host
name or IP address. Click Add to add the trap host.
MIB Files
The SMNP MIB files can be downloaded by clicking the Download MIBs button. These files
must be imported into your SNMP management program. The MIB file contains a list of objects
representing the information that can be extracted from the system’s SNMP agent.
See “SNMP MIBS” on page 383 for detailed information on the contents of the St. Bernard
ePrism Email Security Appliance MIB files.
339

Monitoring System Activity
Alarms
ePrism implements a variety of system alarms to notify the administrator of exceptional system
conditions. Alarms are currently generated from the HALO, LDAP, and Backup subsystems. For
example, you can receive an alarm notification if the daily FTP backup fails, or if communication
is lost with a cluster member. Errors with LDAP user imports will also trigger an alarm.
You can select the type of alarm notifications to receive, such as Critical, Serious, and Warning
events.
These notifications can be sent via:
• Email
• Console Alert
• Activity Screen Alert
The following example shows an alarm appearing on the Activity screen. You must click
Acknowledge to remove the alarm notification.
340

Alarms
Configuring Alarms
Select Basic Config ➝ Alarms on the menu to configure your alarms and notifications.
• Send Escalation Mail — Select the types of alarms that will trigger an email to be sent to
the Escalation Mail Address specified below.
• Send Alarm Mail — Select the types of alarms that will trigger an email to be sent to the
Alarm Mail Address specified below.
You must have a valid email specified in the Email Addresses section for the alarm email to be
sent.
• Alert to Console — Select the types of alarms that will display an alert on the system
console screen.
• Alert to Activity Page — Select the types of alarms that will display an alert on the main
activity screen.
• Escalation Mail Address — Enter an email address to send escalation messages to.
• Alarm Mail Address — Enter an email address to send alarm messages to.
It is recommended that you use SNMP for monitoring of system resources such as disk space and
memory usage. See “SNMP (Simple Network Management Protocol)” on page 337 for more
information.
341

Monitoring System Activity
Alarms List
The following table describes the types of alarms that can be triggered.
TABLE 1. Alarms List
Severity
Critical
Critical
Critical
Critical
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Serious
Alarm
LDAP Lookup: LDAP lookup failed during delivery
LDAP Lookup: LDAP lookup: Unable to bind to server
LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server
Queue Replication: Cannot connect to mirror
Clustering: Cluster Error connecting to host [member address]
Clustering: Cluster Error writing to host [member address]
Clustering: Cluster Error closing socket for host [member address]
Clustering: Cluster Error Connection to database
Clustering: Cluster Error query failed: [query error message]
Clustering: Cluster replication Error opening configuration file [file error]
Clustering: Error loading cluster configuration file
Clustering: Cluster Error loading command at [location in configuration
file]
LDAP Import: LDAP import, Import of groups failed
LDAP Import: LDAP import, Import of users failed
LDAP Import: LDAP failed to download users, groups
dccstat: Excessive DCC failures
FTP Backup: FTP Backup Failed [error message]
342

CHAPTER 16
Troubleshooting Mail
Delivery
This chapter describes procedures for troubleshooting mail delivery problems and contains the
following topics:
• “Troubleshooting Mail Delivery” on page 344
• “Troubleshooting Tools” on page 345
• “Examining Log Files” on page 346
• “Network and Mail Diagnostics” on page 355
• “Troubleshooting Content Issues” on page 360
343

Troubleshooting Mail Delivery
Troubleshooting Mail Delivery
When experiencing mail delivery problems, the first step is to examine if the problem is affecting
only incoming mail, outgoing, or both. For example, if you are receiving mail, but not sending
outgoing mail, it is certain that your Internet connection is working properly, or you would not be
receiving mail. In this scenario, you may have issues with the Firewall blocking your outbound
SMTP connections, or some other problem preventing mail delivery.
Problems affecting both inbound and outbound delivery include the following scenarios:
• Network infrastructure and Communications — The most common scenario in which
you are not receiving or sending mail is if your Internet connection is down. This can include
upstream communications with your ISP, your connection to the Internet, or your external
router. You should also check your internal network infrastructure to ensure you can contact
ePrism from your router or firewall.
• DNS — If your DNS is not working or configured properly, mail will not be forwarded to your
ePrism or you will not be able to lookup external mail sites. Check the DNS service itself to
see if it is running, and check your DNS records for any misconfiguration for your mail
services. Ensure that your MX records are setup properly to indicate the ePrism system.
• Firewall — If you are having issues with your Firewall or if it is misconfigured, it may
inadvertently block mail access to and from ePrism. For example, SMTP port 25 must be
opened between the Internet and ePrism and internally to allow inbound and outbound mail
connections.
• Internal Mail Systems — You may be receiving incoming mail to the ePrism, but mail is not
being forwarded to the appropriate internal mail servers. Also, outgoing mail from the
internal servers may not be forwarded to ePrism for delivery. In these scenarios, examine
your internal mail server to ensure it is working properly. Check communications between
the two systems to ensure there are no network, DNS, or routing issues. Also check that
your internal servers are configured to send outgoing mail to ePrism.
• External Mail Systems — If you have a large amount of mail to a particular destination, and
that mail server is currently down, these messages will queue up in the deferred mail queue
to be retried after a period of time. You can view the Mail Transport logs to see the relevant
messages that may indicate why you cannot connect to that particular mail server. The
server could be down, too busy, or not currently accepting connections.
344

Troubleshooting Tools
Troubleshooting Tools
The following sections describe the built-in tools that can be used on the ePrism system to help
troubleshoot mail delivery problems.
Monitoring the Activity Screen
On ePrism’s main Activity screen, you will be able to quickly examine if there are any issues
with mail delivery.
Examine the following items:
• Check the mail queue activity to view the number of Queued, Deferred, and Total
messages in the mail queue. This is a quick indicator of how your mail is processing. Click
the Refresh button frequently to ensure that the mail queues are not building up too high.
• In the Mail Received Recently portion of the activity screen, check the timestamps of your
most recent incoming and outgoing mail. If no mail has been processed in a certain period
of time, this may indicate that the inbound, outbound, or both mail directions are not
working.
• Check the statistics for your mail queues. You may notice mail system latency if you are
receiving a lot of virus, spam, or message rejects.
345

Troubleshooting Mail Delivery
Examining Log Files
Examine the system log files in the Status/Reporting ➝ System Logs screen.
The Mail Transport log is the most important, as it provides a detailed description of each
message that passes through the system.
The start of a single message log entry begins with a smtpd "connect" message, and ends with
the "disconnect" message. To ensure that you are looking at the entries for a specific message,
check the message ID (such as 3A30A3F269 in the previous example) for each log entry to
ensure they are for the same message.
A summary of the actions for this message are included in the log, for example:
Only the first recipient is logged in the overall message summary when more than one recipient is
found within a message.
346

Examining Log Files
Interpreting Text Log Files
Log files can be downloaded as a text file to allow you to analyze the logs offline. When
interpreting Mail Transport log files from the text version, the final message summary appears
as a special analysis string. The analysis string contains a list of codes that are created by the
logging engine to create the message summary in the log.
For example, the following analysis string is interpreted as follows:
analysis=T086FFT001FFT000F000FFF000000TF--5000000000055-F1F-
FF00000000F000FFF000000000000F1FFT001T001
The following table describes each character in the analysis string:
TABLE 1. Analysis Code Descriptions
Analysis Code Description Possible Values
T
Token Analysis T - True, F - False
scanned? (True)
086 Token Analysis Metric 3 digit numeric value
(86)
F
Bulk Analysis
T - True, F - False
Scanned? (False)
F
Bulk Analysis result? T - True, F - False
(False)
T
DNSBL Scanned? T - True, F - False
(True)
001 Number of DNSBL 3 digit numeric value
Rejects
F n/a n/a
F n/a n/a
T
Kaspersky AV
T - True, F - False
Scanned? (True)
000 Number of Viruses 3 digit numeric value
F n/a n/a
000 Viruses detected (0) 3 digit numeric value
F
Malformed Message T - True, F - False
Scanned? (False)
F
Malformed message? T - True, F - False
(False)
F
Attachment Control T - True, F - False
scanned? (True)
000 Inbound Attachments
blocked (0)
3 digit numeric value
347

Troubleshooting Mail Delivery
TABLE 1. Analysis Code Descriptions
Analysis Code Description Possible Values
3 digit numeric value
000 Outbound Attachments
blocked (0)
T
PBMF Scanned?
(True)
F
PBMF triggered?
(False)
- PBMF Action (no
match)
- PBMF Rule Type (no
match)
5 PBMF Priority (5 -
high)
0000000 PBMF Filter number
(PBMF filter number)
T - True, F - False
T - True, F - False
D - Reject
A - Accept
V - Valid
S - Spam
T - Trust
R - Relay
B - BCC
I - Do Not Train
a - Archive Copy
y - Bypass
- None
S - System
G - Group
P - Personal
- None
0 - low, 3 - medium, 5 - high
This is the number of the filter in your
list of PBMFs.
000 PBMF Options See Table 2 "PBMF Options
Description"
5 PBMF "no train" rule 1 digit numeric value
rank (5)
5 PBMF "BCC" rule rank
(5)
1 digit numeric value
- PBMF Configurable
Action
Configurable action associated with the
PBMF. (1-6 or a-e). "-" means no
configurable action.
F SPF scanned? T - True, F - False
1 SPF result Pass = 0
None = 1
Fail = 2,3
Error = 4
Neutral = 5
Unknown = 6
Unknown SPF Mechanism = 7
F n/a n/a
348

Examining Log Files
TABLE 1. Analysis Code Descriptions
Analysis Code Description Possible Values
- n/a n/a
T OCF Scanned (True) T - True, F - False
F OCF Result T - True, F - False
0000 Mail Anomalies checks
performed bitmap
(none)
0000 Mail Anomalies checks
failed bitmap (none)
F
Attachment Content
Scanned (false)
000 Attachment Content
Scanning matches (0)
F
Spam Dictionary
scanned (false)
F
Spam Dictionary
matched (false)
4 digit numeric value. This field is only
decodable via the ePrism logs display.
4 digit numeric value. This field is only
decodable via the ePrism logs display.
T - True, F - False
3 digit numeric value
T - True, F - False
T - True, F - False
F BSN scanned (False) T - True, F - False
00000000 BSN result bitmap
(none)
8 digit numeric value. This field is only
decodable via the ePrism logs display.
0 BSN relays checks 1 digit numeric value
000 BSN Reputation score 3 digit numeric value
F
DomainKeys scanned
(false)
T - True, F - False
1 DomainKeys result
(permanent error)
F
DomainKeys spam
(False)
F
DomainKeys Signed?
(False)
T
URL Block List
Scanned?
001 URL Block Lists
matched
T
Threat Outbreak
Scanned?
001 Number of possible
viruses
0 - Pass
1 - Neutral
2 - Fail
3 - Soft Fail
4 - Temporary Error
5 - Permanent Error
T - True, F - False
T - True, F - False
T - True, F - False
3 digit numeric value
T - True, F - False
3 digit numeric value
349

Troubleshooting Mail Delivery
The following table describe the analysis code for PBMF Options:
TABLE 2. PBMF Options Code Description
Code Description
000 None
001 Do Not Train
002 Notify Admin
003 Notify Admin + Do Not Train
004 Notify Sender
005 Notify Sender + Do Not Train
006 Notify Sender + Notify Admin
007 Notify Sender + Notify Admin + Do Not Train
008 Notify Recipient
009 Notify Recipient + Do Not Train
010 Notify Recipient + Notify Admin
011 Notify Recipient + Notify Admin + Do Not Train
012 Notify Recipient + Notify Sender
013 Notify Recipient + Notify Sender + Do Not Train
014 Notify Recipient + Notify Sender + Notify Admin
015 Notify Recipient + Notify Sender + Notify Admin + Do Not Train
016 BCC
017 BCC + Do Not Train
018 BCC + Notify Admin
019 BCC + Notify Admin + Do Not Train
020 BCC + Notify Sender
021 BCC + Notify Sender + Do Not Train
022 BCC + Notify Sender + Notify Admin
023 BCC + Notify Sender + Notify Admin + Do Not Train
024 BCC + Notify Recipient
025 BCC + Notify Recipient + Do Not Train
026 BCC + Notify Recipient + Notify Admin
027 BCC + Notify Recipient + Notify Admin + Do Not Train
028 BCC + Notify Recipient + Notify Sender
029 BCC + Notify Recipient + Notify Sender + Do Not Train
030 BCC + Notify Recipient + Notify Sender + Notify Admin
031 BCC + Notify Recipient + Notify Sender + Notify Admin + Do Not Train
032 Do Not Quarantine
033 Do Not Quarantine + Do Not Train
350

Examining Log Files
TABLE 2. PBMF Options Code Description
Code
Description
034 Do Not Quarantine + Notify Admin
035 Do Not Quarantine + Notify Admin + Do Not Train
036 Do Not Quarantine + Notify Sender
037 Do Not Quarantine + Notify Sender + Do Not Train
038 Do Not Quarantine + Notify Sender + Notify Admin
039 Do Not Quarantine + Notify Sender + Notify Admin + Do Not Train
040 Do Not Quarantine + Notify Recipient
041 Do Not Quarantine + Notify Recipient + Do Not Train
042 Do Not Quarantine + Notify Recipient + Notify Admin
043 Do Not Quarantine + Notify Recipient + Notify Admin + Do Not Train
044 Do Not Quarantine + Notify Recipient + Notify Sender
045 Do Not Quarantine + Notify Recipient + Notify Sender + Do Not Train
046 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin
047 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin + Do
Not Train
048 Do Not Quarantine + BCC
049 Do Not Quarantine + BCC + Do Not Train
050 Do Not Quarantine + BCC + Notify Admin
051 Do Not Quarantine + BCC + Notify Admin + Do Not Train
052 Do Not Quarantine + BCC + Notify Sender
053 Do Not Quarantine + BCC + Notify Sender + Do Not Train
054 Do Not Quarantine + BCC + Notify Sender + Notify Admin
055 Do Not Quarantine + BCC + Notify Sender + Notify Admin + Do Not Train
056 Do Not Quarantine + BCC + Notify Recipient
057 Do Not Quarantine + BCC + Notify Recipient + Do Not Train
058 Do Not Quarantine + BCC + Notify Recipient + Notify Admin
059 Do Not Quarantine + BCC + Notify Recipient + Notify Admin + Do Not Train
060 Do Not Quarantine + BCC + Notify Recipient + Notify Sender
061 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Do Not Train
062 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin
063 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin +
Do Not Train
351

Troubleshooting Mail Delivery
Action String
The action string displays a code that shows what the final action is for a message. Each action
is represented as True (T) or False (F). For example, in the following string, the eleventh action
code is set to "True", which is Quarantine. If multiple actions were taken, other action codes will
also be set to "True".
FFFFFFFFFFTFFFFFFFFFFF
TABLE 3. Action String
Order Action
1 Has Policy
2 No Action
3 Reject
4 Accept
5 Valid
6 Spam
7 Trust
8 Relay
9 Modify subject
10 Add header
11 Quarantine
12 Discard
13 Just log
14 Bounce
15 Redirect
16 BCC
17 PBMF BCC
18 Bypass
19 Do not train
20 Temporary reject
21 Archive copy
352

Examining Log Files
Policy Codes
The following codes appear when using policies to describe the final disposition and action for
a message due to a policy.
The action codes and actions show up in the "policy=" string in the mail transport logs. For
example:
Jul 17 17:13:35 jimbo postfix/cleanup[8119]: 319D313E14:
policy=Qv,just_log=--, recip=rplant@engineering.example.com
,as_score=0,policy_ids=1:0:0:0
In this case, "policy=Qv" means "Quarantine, possible virus".
TABLE 4. Policy Final Code
Code
- None
W
w
K
V
C
M
F
X
O
v
Description
PBMF
Trusted Senders List
Blocked Senders List
Anti-Virus
Attachment Control
Malformed
OCF
Crash (insufficient data)
Relay
TABLE 5. Policy Final Action
Code
Threat Outbreak Control
Description
- No Action
D
A
V
S
T
R
H
h
Q
d
Reject
Accept
Valid
Spam
Trust
Relay
Modify subject header
Add header
Quarantine
Discard
353

Troubleshooting Mail Delivery
TABLE 5. Policy Final Action
Code
L
B
r
C
c
y
I
z
E
n
Description
Just log
Bounce
Redirect
BCC
PBMF BCC
Bypass
Do not train
Temporary reject
Release (Threat Outbreak)
Just Notify (Threat Outbreak)
354

Network and Mail Diagnostics
Network and Mail Diagnostics
In the Status/Reporting ➝ Status & Utility screen there are mail tools and networking
diagnostic tools such as Hostname Lookups, SMTP Probe, Ping, and Traceroute, to help you
troubleshoot possible networking problems and connectivity issues with other mail servers.
Flush Mail Queue
From the Status/Reporting ➝ Status & Utility screen, and also the main Activity screen, there
is a button that can be used to flush and reprocess all queued mail. You should only use this
utility if you have a high amount of deferred mail that you would like to try and deliver. In
environments with a high amount of deferred mail, this process can take a very long time.
If the deferred mail queue continues to grow, there are other problems that are preventing the
delivery of mail and the Flush button should not be used again.
This button should only be clicked once because it will reprocess all queued mail.
Hostname Lookup
The Hostname Lookup utility is used to perform DNS host lookups. This ensures that
hostnames are being properly resolved by the DNS server.
Enter the FQDN (Fully Qualified Domain Name) of the host you would like to lookup on a name
server, such as server.example.com. In the Query Type field, select the type of DNS
record, such as a typical "A" name host record, or "MX" for a mail server lookup.
Click the Lookup button when ready to test. The name server should provide you with the IP
address for the name you entered. If the result displayed shows "Unknown host", then the
name you entered is not listed in the DNS records.
355

Troubleshooting Mail Delivery
If the name server cannot be contacted, check your DNS configuration in Basic Config ➝
Network. To ensure you have network connectivity use the ping and traceroute commands in
the Status & Utility screen to ensure you have a connection to the network and to the DNS
server.
356

Network and Mail Diagnostics
SMTP Probe
The SMTP (Simple Mail Transport Protocol) Probe is used to test email connectivity with a
remote SMTP server. This allows you to verify that the SMTP server is responding to
connection requests and returning a valid response.
In the SMTP Probe screen, you must enter the destination SMTP server, the envelope header
fields for the sender and recipient (MAIL FROM and RCPT TO), the HELO identifier, and the
message data.
Click the Send Message button to send the test message to the destination SMTP server.
The server should come back with a response.
• SMTP Server — Enter the domain name or IP address of the destination SMTP server that
you want to test.
• Envelope-from (MAIL FROM) — The MAIL FROM part of the email message identifies the
sender. Enter an email address indicating the sender of the message.
• Envelope-to (RCPT TO) — The RCPT TO part of the email message identifies the
recipient of the email. Enter an email address indicating the intended recipient of the
message.
• HELO — The HELO parameter is used to identify the SMTP Client to the SMTP Server.
You can enter any value here, but the sending domain name of the server is usually
specified.
• Message to Send (DATA Command) — This contains the actual test message data. You
can enter an optional subject to ensure a blank subject field is not sent.
The response field will show the result of the SMTP diagnostic probe, including the response
for each SMTP command sent:
Sending mail...

Troubleshooting Mail Delivery
Ping Utility

Network and Mail Diagnostics
Traceroute Utility
Traceroute is used to see the routing steps between two hosts. If you are losing connectivity
somewhere in between ePrism and a receiving host, you can use traceroute to see where
exactly the packet is losing its connection.
The traceroute utility will show each network "hop" as it passes through each router to its
destination. If you are experiencing routing issues, you will be able to see in the trace where
exactly the communication is failing.
Click the Traceroute button on the Status & Utility screen to trace the route to the specified
host.
Enter the IP address or hostname of the system you want to trace the route to, and then click
the Traceroute button. Use Reset to reset the display.
359

Troubleshooting Mail Delivery
Troubleshooting Content Issues
If the mail has been delivered to ePrism successfully, it will undergo security processing before
delivery to its final destination. Many of the security tools used by ePrism, such as Intercept antispam,
content filtering, anti-virus scanning, attachment control, and so on, will cause the
message to be rejected, discarded, and quarantined, without the message being delivered to
the recipient’s mail box.
These tools can often be misconfigured allowing legitimate messages to be incorrectly rejected
or quarantined. If you find that certain mail messages are being blocked when they should not
be, check the following:
• Is there a Specific Access Pattern or Pattern Based Message Filter rule that applies to the
message?
• Is the attachment type or content filtered via Attachment Control or Attachment scanning?
• Are any of the Intercept Anti-Spam features blocking the message?
• Do words from the Objectionable Content Filter (OCF) or Spam Dictionaries appear in the
message?
• Is the message over the maximum size limit?
• Does the user belong to a policy that may block the message?
Mail History Database
Every message that passes through ePrism generates a database entry that records
information about how it was processed, filtered, quarantined, and so on. To see how the
message was handled by ePrism, you can check the Mail History Database to see the
disposition of the message.
Using this information, you can find out which security process is blocking the message, and
then check the configuration and rules to ensure that they are set properly.
Select Status/Reporting ➝ Reporting ➝ Mail History to view processed messages. Examine
the Journal column for full information on how a message was processed and its final
disposition.
360

Troubleshooting Content Issues
Displaying Message Details
Click on a QueueID number to view the details of a message. Dispositions and the final
Intercept score, if any, are listed below the details table in the Message Disposition section.
361

APPENDIX A
Using the ePrism System
Console
The ePrism system console provides a limited subset of administrative tasks and is only
recommended for use during initial installation and network troubleshooting.
Routine administration should be performed via the web browser administration interface.
When accessing the system console, you will be prompted for the UserID and Password for
the administrative user. When accessing the console for the first time after installation, the
default settings are admin for the UserID, and admin for the Password. The password can be
changed from the browser administration interface.
Activity Screen
The console Activity screen provides you with basic activity and statistics information for this
ePrism system.
363

Using the ePrism System Console
Admin Menu
Press any key to log into the console using the admin login.
The Admin menu contains the following functions:
• Exit — Exits the console.
• Hardware Information — Displays the processor type, available memory, and network
interface information.
• Configure Interfaces — Modify the host and domain name, IP address, Gateway, DNS and
NTP servers for all network interfaces.
• Security Connection — Enables automatic updates from St. Bernard.
• Shutdown — Shutdown ePrism.
• Reboot — Shutdown and restart ePrism.
• Switch to Text Mode — Switch from graphical mode to text mode.
Diagnostics Menu
Repair Menu
Misc Menu
The Diagnostics menu contains the following functions:
• Activity Display — Displays CPU usage, network traffic and mail message activity.
• Ping — Allows you to test network connectivity to other systems via the ping utility. An IP
address or host name can be used.
• Traceroute — Displays the routing steps between your ePrism system and a destination
host.
• Reset Network Interface — Resets network interfaces. This function is useful for correcting
connection issues.
• Display Disk Usage — Displays the amount of used and available disk space.
• Display System Processes — Displays information on processes running on the system.
The Repair menu contains the following functions:
• Reset SSL Certificates — Sets certificate information back to the factory defaults. Any
uploaded certificates or private keys will be lost.
• Delete Strong Authentication for Admin — Removes strong authentication for the admin
user login to allow you to use the console password.
The Miscellaneous menu contains the following functions:
• Set Time and Date — Sets the time and date for the system.
• Set Time Zone — Sets your local time zone settings.
• Configure UPS — Configure the link to an Uninterruptible Power Supply (UPS) for
automatic shutdown in the event of a power failure.
• Configure Web Admin — Modify the ports used to access the ePrism web browser
administration interface.
364

• Configure Serial Console — Configure a serial port for using the console over a serial
connection. You must set your terminal program to the following values to use ePrism’s
serial console:
VT100 Emulation
Baud Rate: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: Hardware
• Color Settings — Sets the colors for the console.
365

APPENDIX B
Restoring ePrism to Factory
Default Settings
ePrism can be returned to its factory defaults at any time. You may need to re-initialize the
system if unrecoverable disk errors are found, or if you wish to perform a full restore.
This procedure should only be used after consultation with St. Bernard technical support. You will
lose ALL your configuration data and stored mail if you have not performed a backup.
Re-initialize the system as follows:
1. Select Management ➝ Reboot and Shutdown on the menu.
2. Click the Reboot button, and the system will reboot.
3. When the system restarts, go to the system console and press F1 "Restore" to restore
the system to factory defaults.
Press "r" to reinstall if you upgraded to 6.0 from a previous version and are using an older boot
menu.
4. Press Enter to select graphics mode when prompted.
5. An informational screen will appear. Select OK to continue.
6. Select a keyboard type.
7. Select Auto (to auto partition you drives) or Custom and press Enter. Select OK to
confirm.
8. Select OK at the information screen: "You can install from CDROM…".
9. Use the arrow keys to select Hard Drive from the options and press Enter.
10. When the procedure is complete, an information message will appear: "St. Bernard’s
software has now been loaded….".
11. Select OK and the system will restart.
The system will now be restarted with the factory default configuration. Proceed with the
installation and configuration of the system. See the ePrism Installation Guide for detailed
information on the install procedure.
367

APPENDIX C
Message Processing Order
The following list describes the full order in which incoming messages are processed by
ePrism:
SMTP Connection Checks
• Reject on Threat Prevention
• Reject on unauth SMTP pipelining
• Reject on expired ePrism license
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF) HELO
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF)
Envelope-To
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF)
Envelope-From
• Reject on Specific Access Pattern (SAP) and Pattern Based Message Filter (PBMF) Client
IP
• Reject on DNS Block List (DNSBL)
• Reject on BorderWare Security Network (BSN) reputation
• Reject on BorderWare Security Network (BSN) infected
• Reject on BorderWare Security Network (BSN) dial-up
At this point, local and trusted networks skip any remaining "Reject" checks.
• Reject on unknown sender domain
• Reject on missing reverse DNS
• Reject on missing sender MX
• Reject on non-FQDN sender
• Reject on unknown recipient
• Reject on missing addresses
• Reject if number of recipients exceeds maximum
• Reject if message size exceeds maximum
369

Message Processing Order
Message Checks
• Very Malformed
• Anti-Virus
• Pattern Based Message Filter (PBMF) Bypass (This action skips remaining checks)
• Malformed messages
• Attachment Control
• Threat Outbreak Control
• Message Affirmation
• Objectionable Content Filter (OCF)
• Pattern Based Message Filter (PBMF) (High priority)
• Pattern Based Message Filter (PBMF) (Medium priority)
• Trusted Senders List (Skips remaining checks)
• Blocked Senders List
• Pattern Based Message Filter (PBMF) (Low priority)
• Attachment Content Scanning
• SAP (Trusted and Allow)
• Trusted Network (Skips remaining checks)
• Intercept Anti-Spam Processing:
• SPF
• DomainKeys
• Bulk Analysis
• DNSBL
• Message Anomalies
• Spam Words
• BSN Reputation
• BSN Dial-up
• Token Analysis
• URL Block lists
Message Mappings and Routing
• Mail Mappings
• Virtual Mappings
• Relocated Users
• Mail Aliases
• Mail Routing
• Mail Delivery to its final destination
370

APPENDIX D
Customizing Notification and
Annotation Messages
You can use variables to customize the content of notifications and annotations. ePrism will
substitute your local settings for the variables at the time the message is sent. The following
variables are available:
Not all variables will work with all notification features.
TABLE 1. ePrism System Variables
Variable Description Example
%PROGRAM% or
%PRODUCT%
Product name
St. Bernard ePrism Email
Security Appliance
%HOSTNAME%
Hostname entered on the
Network Settings screen.
mail.example.com
%POSTMASTER_MAIL_ADD
R%
%DISPN%
%DELAY_WARN_TIME%
Email address of the admin
user.
Disposition or Action for a
message. Applicable only to
notifications for message
content security and
management features such
as Anti-Virus, Attachment
Control, Malformed Mail, etc.
Cannot be used in Delivery
failure notifications.
Time before Delay Warning.
Only applicable in Mail
Delivery ➝ Delivery
Settings in the Delivery
Delay Warning section.
admin@example.com
quarantined
4 hours
371

Customizing Notification and Annotation Messages
TABLE 1. ePrism System Variables
Variable Description Example
%MAX_QUEUE_TIME%
5 days
%S_YOU% (%SENDER%)
%R_YOU% (%RECIPIENT%)
%SPAM_FOLDER%
%SPAM_EXPIRY%
%SPAM_MESSAGES%
%WEBMAIL_URL%
Maximum Time in Mail
Queue. Only applicable in
Mail Delivery ➝ Delivery
Settings in the Delivery
Delay Warning section.
"you" Mail address of sender.
Applicable only to
notifications for message
content security and
management features such
as Anti-Virus, Attachment
Control, Malformed Mail, etc.
Cannot be used in Delivery
failure notifications.
"you" Mail address of
recipient. Applicable only to
notifications for message
content security and
management features such
as Anti-Virus, Attachment
Control, Malformed Mail, etc.
Cannot be used in Delivery
failure notifications.
The name of the spam folder
for the user spam quarantine.
Only applicable to the User
Spam Quarantine feature.
The number of days before
quarantined spam is expired.
Only applicable to the User
Spam Quarantine feature.
The information for a spam
message
(Date,From,Subject). Only
applicable to the User Spam
Quarantine.
The URL of the configured
WebMail server. Only
applicable to the User Spam
Quarantine and other
features that use WebMail.
sender@example.com
recipient@example.com
spam_quarantine
30
05/27/04,
joe@example.com, File
for you
http://
eprism.example.com/
372

TABLE 1. ePrism System Variables
Variable Description Example
%NUMSPAM%
Number of spam messages 20
in the spam folder. This
information is sent in a spam
summary digest and is only
applicable to the User Spam
Quarantine.
%NUMSPAMSTAT%
Number of spam messages
and bytes used in the spam
folder. This information is
sent in a spam summary
digest and is only applicable
to the User Spam
Quarantine.
20,10000
None of these variables can be used with the SMTP Banner and SMTP Content Reject message.
373

APPENDIX E
Performance Tuning
There are several factors that can affect the performance of your ePrism system:
• Network bandwidth
• Number of allowed SMTP connections
• Usage of background processes such as Reporting and ePrism Mail Client
• Internet unpredictability: Mail can often arrive in bursts of activity, with only a few
messages arriving one minute, and several hundred the next. In the event of a network
outage, such as a failed router, the amount of queued mail that arrives after the router is
back online can be very large.
• Internet performance: SMTP clients can be very slow at connecting, and the connection
may be disconnected before it is complete.
• The time to process a message is also affected by the size of the email and its
attachments.
• Amount of system resources (Processing power, RAM, and disk space)
These factors must be carefully considered when tuning a system for optimal performance. If
an ePrism system is optimized for throughput to handle high mail loads, other aspects of the
system may suffer from increased latency issues, such as reporting, WebMail/ePrism Mail
Client access, and the possibility of dropped connections by clients who cannot connect to a
busy system. Similarly, allocating too many resources to resolve latency issues will affect mail
throughput performance.
Modifying certain parameters may affect the performance of other aspects of the system, and it is
recommended that you only change these settings to resolve specific performance issues with
guidance from St. Bernard Technical Support. Do NOT experiment with these settings.
375

Performance Tuning
Setting Default Performance Settings
When ePrism is installed and initialized, you must select the default profile for your system, such
as an "M1000 with mail scanning only", or an "M1000 with WebMail".
You may need to change your settings if you enable or disable the use of WebMail after your
initial installation.
Select Basic Config ➝ Performance on the menu to configure your Performance tuning
settings.
376

Advanced Settings
Advanced Settings
Click the Advanced button if you need to adjust any of the individual parameters to create a
custom setting.
377

Performance Tuning
Maximum Number of Processes
This parameter specifies the maximum number of concurrent processes that implement mail
services. This setting limits the number of connections accepted by smtpd, and the number of
outgoing SMTP connections. If this number is set too large, you may run out of swap space.
TABLE 1. Maximum Number of Processes
System Recommended Value Description
M1000 50 (default) This is the default setting and should
not be modified. Set this parameter to
40 if using WebMail.
M2000 200 This is the default setting and should
not be modified. Set this parameter to
150 if using WebMail.
M3000 300 This is the default setting and should
not be modified. Set this parameter to
200 if using WebMail.
M4000 400 This is the default setting and should
not be modified. Set this parameter to
300 if using WebMail.
Maximum Number of Parallel Deliveries
This parameter specifies the maximum number of outgoing SMTP connections to the same
destination. This setting helps limit the number of outgoing connections. The value must be less
than the maximum number of processes, or performance will be degraded.
TABLE 2. Maximum Number of Parallel Deliveries
System
Recommended
Value
Description
M1000 4 (default) This is the default setting and should not
be modified.
M2000 10 You should only increase this value if you
are having problems delivering enough
mail to the internal server
M3000/4000 10
378

Advanced Settings
Maximum Number of Mail Scanners
This parameter specifies the maximum number of mail scanners that can run simultaneously.
This setting limits the overall mail processing and memory footprint. Setting this value too high
or too low may result in reduced performance. Valid settings are from 2 - 20.
TABLE 3. Maximum Number of Mail Scanners
System
Recommended
Value
Description
M1000 2 (default) This is the default setting and should not
be modified.
M2000 6 Increase this value to a maximum of 8
only if performance is an issue.
M3000/4000 6 Increase this value to a maximum of 10
only if performance is an issue.
Raise Priority of Heavy Weight Processes
Increasing the priority of heavyweight processes can increase performance and ePrism Mail
Client response times, but it can reduce the processing resources for other mail processes if it
is set too high. Valid settings are from a default priority of 0 to a maximum priority of 20.
TABLE 4. Raise Priority of Heavy Weight Processes
System Recommended Value Description
M1000 0 (default) This is the default setting
and should not be modified.
M2000 5 Only change this from the
default value if WebMail is
not being used, and you
need to devote more
resources to message
handling.
M3000/4000 10 Set this value to 5 if using
WebMail and/or
performance is not an
issue.
Number of Heavy Weight Processes
This parameter specifies the maximum number of heavy weight mail scanning processes that
can be run simultaneously.
Valid settings are from 1 (Default) - 6 (maximum processes).
Setting a value greater than 2 will not improve performance, and changing this value from the
default setting is not recommended.
379

Performance Tuning
Number of DB Proxies
This parameter specifies the maximum number of database proxies that can be used by the
mail scanning processes. This value is relative to the Maximum Number of Processes setting,
and should be increased in conjunction with the number of maximum processes.
Valid settings are from 2 (Default) - 12 (maximum processes), however, setting this value above
8 will result in diminishing performance returns.
TABLE 5. Number of DB Proxies
System Recommended Value Description
M1000 2 (default) This is the default setting
and should not be modified.
M2000 4 If increasing number of
processes above 50, then
set to 6.
M3000/4000 8 If increasing number of
processes above 150, then
set to 10.
SMTP Connect Timeout
This SMTP parameter specifies the amount of time, in seconds, for an SMTP client to complete
a TCP connection before the connection is dropped. This value defines how long ePrism will
wait for a response before timing out. The default is 0, but there is an overall system timeout of
5 minutes for SMTP connections. Increasing this value may help with sites which have a slow
Internet connection.
SMTP HELO Timeout
This SMTP parameter specifies the amount of time, in seconds, for receiving the SMTP greeting
banner before we drop the connection. The default is 300 seconds, which means that ePrism
will wait 5 minutes to receive the initial SMTP HELO message before timing out. Using a lower
timeout value may increase performance by freeing up more connections. Increasing this value
may help with sites which have a slow Internet connection.
SMTPD Timeout
This SMTP parameter specifies the amount of time, in seconds, to send an SMTP server
response and to receive an SMTP client request before dropping the connection. The default is
300 seconds. When ePrism connects to another mail server to deliver mail, it will drop the
connection if it takes more than 5 minutes to receive a response. A lower value may increase
performance by freeing up connections. Increasing this value may help with sites which have a
slow Internet connection.
380

Advanced Settings
SMTPD Minimum Receive Rate
The minimum rate, in bytes per second, at which a client must send data. The limit will be
enforced after the SMTPD minimum receive rate interval has elapsed. Set this to a higher value
when excessively slow clients are tying up system resources. A value of 0 indicates no
minimum rate. Default is 0.
SMTPD Receive Rate Interval
The time interval, in seconds, which must elapse before the SMTPD minimum receive rate
restriction is enforced for a newly connected client. Set this to a higher value to give clients
longer to establish an acceptable data flow rate. A value of 0 means that the limit is enforced
immediately. Default is 0.
SMTP Tarpit Time
The amount of time, in seconds, to wait before replying to an SMTP client with a 4xx or 5xx
error message (such as the message content was rejected.) The default is 5 seconds. A lower
value may increase performance by freeing up connections. A higher value may deter senders
from sending invalid content such as spam and viruses.
Service Throttle Time
The amount of time, in seconds, to wait before re-starting a Postfix service that exits
unexpectedly. The default is 60 seconds, and must be 1 second at minimum.
Size of Temporary Files Filesystem
Specify the size of the /tmp filesystem at system startup. This setting affects the maximum
size of attachments that may be scanned, and should only be used if you are having problems
with scanning large files. If you increase this setting beyond the amount of physical RAM,
system performance will be degraded due to excessive swapping. You must monitor your
system performance if this setting is used.
Size of Shared Memory block allocated to Database
Specify the size of the shared memory block to make available to the database. Increasing this
value increases the speed of database operations at the cost of having less memory available
for other purposes. Increase this value if you are increasing the number of messages that will
be stored in the email database.
If you change the size of the temp file system or shared memory block, the system will need to be
restarted before these settings takes effect.
381

APPENDIX F
SNMP MIBS
The following sections describe the statistics available from the system’s SNMP MIBS. The
MIB files can be downloaded from Basic Config ➝ SNMP Configuration and clicking the
Download MIBS button.
The MIB files are based on SNMP version 2 and are backwards compatible with version 1.
MIB Files Summary
The following sections contain a summary of the MIB file entries. The raw MIB files are listed at
the end of this appendix.
Memory Usage and Reporting
TABLE 1. Memory Usage and Reporting
Object
memTotalSwap
memAvailSwap
memTotalReal
memAvailReal
memTotalSwapTXT
memAvailSwapTXT
memTotalRealTXT
Description
Total Swap Size configured for the host
Available Swap Space on the host
Total Real/Physical Memory Size on
the host
Available Real/Physical Memory Space
on the host
Total virtual memory used by text
Active virtual memory used by text
Total Real/Physical Memory Size used
by text
383

SNMP MIBS
TABLE 1. Memory Usage and Reporting
Object
memAvailRealTXT
memTotalFree
memMinimumSwap
memShared
memBuffer
memCached
memSwapError
memSwapErrorMsg
Description
Active Real/Physical Memory Space
used by text
Total Available Memory on the host
Minimum amount of free swap required
to be free
Total Shared Memory
Total Buffered Memory
Total Cached Memory
Error flag indicating very little swap
space left
Error message describing the Error
Flag condition
Disk Information
TABLE 2. Disk Information
Object
dskIndex
dskPath
dskDevice
dskMinimum
dskMinPercent
dskTotal
dskAvail
dskUsed
dskPercent
dskPercentNode
dskErrorFlag
dskErrorMsg
Description
Integer reference number (row number)
for the disk MIB.
Path where the disk is mounted.
Path of the device for the partition
Minimum space required on the disk (in
kBytes) before errors are triggered.
Percentage of minimum space required
on the disk before errors are triggered.
Total size of the disk/partition (kBytes)
Available space on the disk
Used space on the disk
Percentage of space used on disk
Percentage of inodes used on disk
Error flag signaling that the disk or
partition is under the minimum required
space configured for it.
A text description providing a warning
and the space left on the disk.
384

MIB Files Summary
System Statistics
TABLE 3. System Statistics
Object
ssIndex
ssErrorName
ssSwapIn
ssSwapOut
Description
Reference Index for each observed
system statistic
The list of system statistic names being
counted
Amount of memory swapped in from
disk (KB/s)
Amount of memory swapped to disk
(KB/s)
The SNMP agent only implements the following statistics that are supported by the kernel. Not
all of the following objects will be available.
TABLE 4. System Statistics If Supported by Kernel
Object
ssCpuRawUser
ssCpuRawNice
ssCpuRawSystem
ssCpuRawIdle
ssCpuRawWait
ssCpuRawKernel
ssCpuRawInterrupt
ssIORawSent
ssIORawReceived
ssRawInterrupts
ssRawContexts
Description
User CPU time
Nice CPU time
System CPU time
Idle CPU time
IOwait CPU time
Kernel CPU time
Interrupt level CPU time
Number of requests sent to a block
device
Number of interrupts processed
Number of requests received from a
block device
Number of context switches
385

SNMP MIBS
Alarm Objects
TABLE 5. Alarm Objects
Object
alTriggerAlarm
alLastChange
alName
alRemoteIpAddr
alDestPort
alAlarm
Description
The flag to trigger an alarm
The time value when the alarm condition
occurs
A textual string containing the name of the
alarm
Source IP address
Destination port number
The alarm trap
Mail System Objects
Current Mail Data
TABLE 6. Current Mail Data
Object
queuedMessages
deferredMessages
totalMessages
Description
The number of queued mail messages.
The number of deferred mail messages.
The total number of mail messages.
Historical Mail Data
TABLE 7. Historical Mail Data
Object
mailIndex
mailInterval
mailRcvd
mailSent
mailSpam
mailReject
mailVirus
mailClean
Description
The value of this object uniquely identifies
each mail stats entry.
Time interval pertaining to the data in this
sequence.
Number of received messages for this
interval.
Number of sent messages for this interval.
Number of spam messages for this
interval.
Number of rejected messages for this
interval.
Number of messages identified as
containing a virus for this interval.
Number of clean messages for this
interval.
386

MIB Files
Traps
The system will send an SNMP trap when the system shuts down and when it restarts.
MIB Files
BORDERWARE-FW-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
OBJECT-TYPE, NOTIFICATION-TYPE,
MODULE-IDENTITY, OBJECT-IDENTITY,
Integer32, enterprises, IpAddress
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, DisplayString, DateAndTime
FROM SNMPv2-TC
bwProducts
FROM BORDERWARE-MIB;
bwFirewall MODULE-IDENTITY
LAST-UPDATED "200404110000Z"
ORGANIZATION "Borderware Technology Inc."
CONTACT-INFO
"mibs@borderware.com "
DESCRIPTION
"The private Borderware SNMP extensions."
REVISION "200404110000Z"
DESCRIPTION
"Draft. "
::= { bwProducts 1 }
-- Current mib entries -----------------------------------------
bwFirewallConformance OBJECT IDENTIFIER ::= { bwFirewall 3 }
387

SNMP MIBS
-- OID values assigned in the bwFirewall branch ----------------
bwAlarm
OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The entry for alarm objects."
::= { bwFirewall 100 }
alTriggerAlarm OBJECT-TYPE
SYNTAX Integer32 (0..1)
MAX-ACCESS read-write
STATUS
current
DESCRIPTION
"The flag to trigger an alarm."
::= { bwAlarm 1 }
alLastChange OBJECT-TYPE
SYNTAX
DateAndTime
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"The time value when the alarm condition occurs."
::= { bwAlarm 4 }
-- Removed interface name from implementation
-- alInterface OBJECT-TYPE
-- SYNTAX DisplayString (SIZE (0..255))
-- MAX-ACCESS read-only
-- STATUS current
-- DESCRIPTION
-- "A textual string containing name of the
-- interface."
-- ::= { bwAlarm 7 }
alName OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
388

MIB Files
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"A textual string containing name of the alarm."
::= { bwAlarm 9 }
alRemoteIpAddr OBJECT-TYPE
SYNTAX
IpAddress
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"A source IP address."
::= { bwAlarm 10 }
alDestPort
OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Destination port number."
::= { bwAlarm 15 }
-- definition of trap triggered by the alarm condition.
alAlarm NOTIFICATION-TYPE
OBJECTS {
alLastChange,
alName,
alRemoteIpAddr,
alDestPort
}
STATUS current
DESCRIPTION
"A trap."
::= { bwAlarm 50 }
389

SNMP MIBS
-- Conformance information --------------------------------------------
bwFirewallCompliances OBJECT IDENTIFIER ::= { bwFirewallConformance 1 }
bwFirewallGroups OBJECT IDENTIFIER ::= { bwFirewallConformance 2 }
-- Compliance statements ----------------------------------------------
bwFirewallCompliance MODULE-COMPLIANCE
STATUS
current
DESCRIPTION "The compliance statement for SNMP entities which
implement the BORDERWARE-FW-MIB. "
MODULE
-- this module
MANDATORY-GROUPS { bwAlarmGroup }
::= { bwFirewallCompliances 1 }
bwAlarmGroup OBJECT-GROUP
OBJECTS {
alTriggerAlarm,
alLastChange,
alName,
alRemoteIpAddr,
alDestPort
}
STATUS
current
DESCRIPTION "A collection of objects providing for remote
monitoring. "
::= { bwFirewallGroups 1 }
END
BORDERWARE-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
OBJECT-TYPE, NOTIFICATION-TYPE,
MODULE-IDENTITY, OBJECT-IDENTITY,
Counter32, Integer32, Opaque, enterprises, IpAddress
390

MIB Files
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, DisplayString, DateAndTime
FROM SNMPv2-TC;
borderware MODULE-IDENTITY
LAST-UPDATED "200211070000Z"
ORGANIZATION "Borderware Technology Inc."
CONTACT-INFO
"mibs@borderware.com "
DESCRIPTION
"The private Borderware SNMP extensions."
REVISION "200211070000Z"
DESCRIPTION
"Draft."
::= { enterprises 8673 }
-- Current mib entries -----------------------------------------
bwProducts OBJECT IDENTIFIER ::= { borderware 1 }
bwProductId OBJECT IDENTIFIER ::= { bwProducts 2 }
-- ObjectId
bwFirewallServer7 OBJECT IDENTIFIER ::= { bwProductId 1 }
-- Current core mib table entries:
-- memory OBJECT IDENTIFIER ::= { ucdavis 4 }
-- diskTable OBJECT IDENTIFIER ::= { ucdavis 9 }
-- systemStats OBJECT IDENTIFIER ::= { ucdavis 11 }
--
-- Define the Float Textual Convention
-- This definition was written by David Perkins.
--
Float ::= TEXTUAL-CONVENTION
STATUS
current
DESCRIPTION
"A single precision floating-point number. The semantics
391

SNMP MIBS
and encoding are identical for type 'single' defined in
IEEE Standard for Binary Floating-Point,
ANSI/IEEE Std 754-1985.
The value is restricted to the BER serialization of
the following ASN.1 type:
FLOATTYPE ::= [120] IMPLICIT FloatType
(note: the value 120 is the sum of '30'h and '48'h)
The BER serialization of the length for values of
this type must use the definite length, short
encoding form.
For example, the BER serialization of value 123
of type FLOATTYPE is '9f780442f60000'h. (The tag
is '9f78'h; the length is '04'h; and the value is
'42f60000'h.) The BER serialization of value
'9f780442f60000'h of data type Opaque is
'44079f780442f60000'h. (The tag is '44'h; the length
is '07'h; and the value is '9f780442f60000'h."
SYNTAX Opaque (SIZE (7))
--
-- Memory usage/watch reporting.
--
bwSysMemory OBJECT IDENTIFIER ::= { borderware 4 }
memIndex OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Bogus Index. This should always return the integer 0."
::= { bwSysMemory 1 }
memErrorName OBJECT-TYPE
SYNTAXDisplayString
392

MIB Files
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Bogus Name. This should always return the string 'swap'."
::= { bwSysMemory 2 }
memTotalSwap OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Swap Size configured for the host."
::= { bwSysMemory 3 }
memAvailSwap OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Available Swap Space on the host."
::= { bwSysMemory 4 }
memTotalReal OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Real/Physical Memory Size on the host."
::= { bwSysMemory 5 }
memAvailReal OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
393

SNMP MIBS
"Available Real/Physical Memory Space on the host."
::= { bwSysMemory 6 }
memTotalSwapTXT OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total virtual memory used by text."
::= { bwSysMemory 7 }
memAvailSwapTXT OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Active virtual memory used by text."
::= { bwSysMemory 8 }
memTotalRealTXT OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Real/Physical Memory Size used by text."
::= { bwSysMemory 9 }
memAvailRealTXT OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Active Real/Physical Memory Space used by text."
::= { bwSysMemory 10 }
memTotalFree OBJECT-TYPE
394

MIB Files
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Available Memory on the host"
::= { bwSysMemory 11 }
memMinimumSwap OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Minimum amount of free swap required to be free
or else memErrorSwap is set to 1 and an error string is
returned memSwapErrorMsg."
::= { bwSysMemory 12 }
memShared OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Shared Memory"
::= { bwSysMemory 13 }
memBuffer OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Buffered Memory"
::= { bwSysMemory 14 }
memCached OBJECT-TYPE
SYNTAXInteger32
395

SNMP MIBS
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Total Cached Memory"
::= { bwSysMemory 15 }
memSwapError OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Error flag. 1 indicates very little swap space left"
::= { bwSysMemory 100 }
memSwapErrorMsg OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Error message describing the Error Flag condition"
::= { bwSysMemory 101 }
dskTable OBJECT-TYPE
SYNTAXSEQUENCE OF DskEntry
MAX-ACCESSnot-accessible
STATUScurrent
DESCRIPTION
"Disk watching information. Partions to be watched
are configured by the snmpd.conf file of the agent."
::= { borderware 9 }
dskEntry OBJECT-TYPE
SYNTAX
DskEntry
MAX-ACCESS not-accessible
396

MIB Files
STATUS
current
DESCRIPTION
"An entry containing a disk and its statistics."
INDEX { dskIndex }
::= { dskTable 1 }
DskEntry ::= SEQUENCE {
dskIndexInteger32,
dskPathDisplayString,
dskDeviceDisplayString,
dskMinimumInteger32,
dskMinPercentInteger32,
dskTotalInteger32,
dskAvailInteger32,
dskUsedInteger32,
dskPercentInteger32,
dskPercentNodeInteger32,
dskErrorFlagInteger32,
dskErrorMsgDisplayString
}
dskIndex OBJECT-TYPE
SYNTAXInteger32 (0..65535)
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Integer reference number (row number) for the disk mib."
::= { dskEntry 1 }
dskPath OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
397

SNMP MIBS
"Path where the disk is mounted."
::= { dskEntry 2 }
dskDevice OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Path of the device for the partition"
::= { dskEntry 3 }
dskMinimum OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Minimum space required on the disk (in kBytes) before the
errors are triggered. Either this or dskMinPercent is
configured via the agent's snmpd.conf file."
::= { dskEntry 4 }
dskMinPercent OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Percentage of minimum space required on the disk before the
errors are triggered. Either this or dskMinimum is
configured via the agent's snmpd.conf file."
::= { dskEntry 5 }
dskTotal OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
398

MIB Files
DESCRIPTION
"Total size of the disk/partion (kBytes)"
::= { dskEntry 6 }
dskAvail OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Available space on the disk"
::= { dskEntry 7 }
dskUsed OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Used space on the disk"
::= { dskEntry 8 }
dskPercent OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Percentage of space used on disk"
::= { dskEntry 9 }
dskPercentNode OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Percentage of inodes used on disk"
::= { dskEntry 10 }
399

SNMP MIBS
dskErrorFlag OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Error flag signaling that the disk or partition is under
the minimum required space configured for it."
::= { dskEntry 100 }
dskErrorMsg OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"A text description providing a warning and the space left
on the disk."
::= { dskEntry 101 }
systemStats OBJECT IDENTIFIER ::= { borderware 11 }
ssIndex OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Reference Index for each observed systemStat (1)."
::= { systemStats 1 }
ssErrorName OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
400

MIB Files
"The list of systemStats names (vmstat) we're Counting."
::= { systemStats 2 }
ssSwapIn OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Amount of memory swapped in from disk (kB/s)."
::= { systemStats 3 }
ssSwapOut OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Amount of memory swapped to disk (kB/s)."
::= { systemStats 4 }
ssIOSent OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"Blocks sent to a block device (blocks/s). Deprecated, replaced by
the ssIORawSent object"
::= { systemStats 5 }
ssIOReceive OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"Blocks received from a block device (blocks/s). Deprecated, replaced by
the ssIORawReceived object"
401

SNMP MIBS
::= { systemStats 6 }
ssSysInterrupts OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"The number of interrupts per second, including the clock.
Deprecated, replaced by ssRawInterrupts"
::= { systemStats 7 }
ssSysContext OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"The number of context switches per second.
Deprecated, replaced by ssRawContext"
::= { systemStats 8 }
ssCpuUser OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"percentages of user CPU time. Deprecated, replaced by the ssCpuRawUser
object"
::= { systemStats 9 }
ssCpuSystem OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"percentages of system CPU time. Deprecated, replaced by of the
402

MIB Files
ssCpuRawSystem object"
::= { systemStats 10 }
ssCpuIdle OBJECT-TYPE
SYNTAXInteger32
MAX-ACCESSread-only
STATUSdeprecated
DESCRIPTION
"percentages of idle CPU time. Deprecated, replaced by of the
ssCpuRawIdle object"
::= { systemStats 11 }
-- The agent only implements those of the following counters that the
-- kernel supports! Don't expect all to be present.
ssCpuRawUser OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"user CPU time."
::= { systemStats 50 }
ssCpuRawNice OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"nice CPU time."
::= { systemStats 51 }
ssCpuRawSystem OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
403

SNMP MIBS
"system CPU time."
::= { systemStats 52 }
ssCpuRawIdle OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"idle CPU time."
::= { systemStats 53 }
ssCpuRawWait OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"iowait CPU time. This is primarily a SysV thingie"
::= { systemStats 54 }
ssCpuRawKernel OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"kernel CPU time."
::= { systemStats 55 }
ssCpuRawInterrupt OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"interruptlevel CPU time. This is primarily a BSD thingie"
::= { systemStats 56 }
ssIORawSent OBJECT-TYPE
404

MIB Files
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of requests sent to a block device"
::= { systemStats 57 }
ssIORawReceived OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of interrupts processed"
::= { systemStats 58 }
ssRawInterrupts OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of requests received from a block device"
::= { systemStats 59 }
ssRawContexts OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of context switches"
::= { systemStats 60 }
END
BORDERWARE-SMG-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-COMPLIANCE, OBJECT-GROUP
405

SNMP MIBS
FROM SNMPv2-CONF
OBJECT-TYPE, OBJECT-IDENTITY, MODULE-IDENTITY,
Counter32, Integer32
FROM SNMPv2-SMI
DisplayString
FROM SNMPv2-TC
borderware, bwProducts, bwProductId
FROM BORDERWARE-MIB;
bwMailFirewall MODULE-IDENTITY
LAST-UPDATED "200405260000Z"
ORGANIZATION "Borderware Technology Inc."
CONTACT-INFO
"mibs@borderware.com "
DESCRIPTION
"The private Borderware Mail Firewall SNMP extensions."
REVISION "200405260000Z"
DESCRIPTION
"Draft. "
::= { bwProducts 11 }
bwMailFirewall4 OBJECT IDENTIFIER ::= { bwProductId 11 }
bwMailFirewallConformance OBJECT IDENTIFIER ::= { bwMailFirewall 3 }
-- Conformance information --------------------------------------------
bwMailFirewallCompliances OBJECT IDENTIFIER ::= { bwMailFirewallConformance 1
}
bwMailFirewallGroups OBJECT IDENTIFIER ::= { bwMailFirewallConformance 2
}
-- Compliance statements ----------------------------------------------
bwMailFirewallCompliance MODULE-COMPLIANCE
STATUS
current
406

MIB Files
DESCRIPTION "The compliance statement for SNMP entities which
implement the BORDERWARE-SMG-MIB. "
MODULE
-- this module
MANDATORY-GROUPS { bwMessagesGroup }
::= { bwMailFirewallCompliances 1 }
-- Group declarations --------------------------------------------------
bwMessagesGroup OBJECT-GROUP
OBJECTS {
queuedMessages,
deferredMessages,
totalMessages
}
STATUS
current
DESCRIPTION "A collection of objects providing for remote
monitoring of current condition of mail handler. "
::= { bwMailFirewallGroups 1 }
bwMailStatsGroup OBJECT-GROUP
OBJECTS {
mailInterval,
mailRcvd,
mailSent,
mailSpam,
mailReject,
mailVirus,
mailClean
}
STATUS
current
DESCRIPTION "A collection of objects providing for remote
monitoring of historical condition of mail handler. "
::= { bwMailFirewallGroups 2 }
-- Table definitions -----------------------------------------------------
407

SNMP MIBS
mailTable OBJECT-GROUP
OBJECTS {
bwMailStatsGroup,
bwMessagesGroup
}
STATUScurrent
DESCRIPTION
"Complete mail activity summary."
::= { bwMailFirewall 10 }
mailEntry OBJECT-TYPE
SYNTAX
SEQUENCE OF MailEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"An entry containing mail statistics."
INDEX { mailInterval }
::= { mailTable 1 }
MailEntry ::= SEQUENCE {
mailIntervalDisplayString,
mailRcvdCounter32,
mailSentCounter32,
mailSpam
Counter32,
mailReject Counter32,
mailVirusCounter32,
mailCleanCounter32
}
mailStatus
OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The entry for current stats on MTA"
::= { mailTable 2 }
408

MIB Files
-- The current data ----------------------------------------------------
queuedMessages OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"The number of queued mail messages."
::= { mailStatus 1 }
deferredMessages OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"The number of deferred mail messages."
::= { mailStatus 2 }
totalMessages OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"The total number of mail messages."
::= { mailStatus 3}
-- The historical data -------------------------------------------------
mailInterval OBJECT-TYPE
SYNTAXDisplayString
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Time interval pertaining to the data in this sequence."
::= { mailEntry 1 }
mailRcvd OBJECT-TYPE
409

SNMP MIBS
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Number of received messages for this interval."
::= { mailEntry 2 }
mailSent OBJECT-TYPE
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Number of sent messages for this interval."
::= { mailEntry 3 }
mailSpam OBJECT-TYPE
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Number of spam messages for this interval."
::= { mailEntry 4 }
mailReject OBJECT-TYPE
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Number of rejected messages for this interval"
::= { mailEntry 5 }
mailVirus OBJECT-TYPE
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
410

MIB OID Values
DESCRIPTION
"Number of messages identified as containig a
virus for this interval."
::= { mailEntry 6 }
mailClean OBJECT-TYPE
SYNTAXCounter32
MAX-ACCESSread-only
STATUScurrent
DESCRIPTION
"Number of clean messages for this interval."
::= { mailEntry 7 }
END
MIB OID Values
The following describes the SNMP MIB OID values:
.1.3.6.1.4.1.8673 ->
.1.1.100.1.0 = bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0 = INTEGER: 0
.1.1.100.4.0 = bwProducts.bwFirewall.bwAlarm.alLastChange.0 = STRING: 0-1-
1,0:0:0.0
.1.1.100.9.0 = bwProducts.bwFirewall.bwAlarm.alName.0 = STRING: None
.1.1.100.10.0 = bwProducts.bwFirewall.bwAlarm.alRemoteIpAddr.0 = IpAddress:
0.0.0.0
.1.1.100.15.0 = bwProducts.bwFirewall.bwAlarm.alDestPort.0 = INTEGER: 0
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 =
STRING: Hour
.1.11.10.1.1.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.2 =
STRING: Day
.1.11.10.1.1.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.3 =
STRING: Week
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 =
Counter32: 5
.1.11.10.1.2.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.2 =
Counter32: 12
411

SNMP MIBS
.1.11.10.1.2.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.3 =
Counter32: 42
.1.11.10.1.3.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.1 =
Counter32: 7
.1.11.10.1.3.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.2 =
Counter32: 19
.1.11.10.1.3.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.3 =
Counter32: 50
.1.11.10.1.4.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.1 =
Counter32: 0
.1.11.10.1.4.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.2 =
Counter32: 0
.1.11.10.1.4.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.3 =
Counter32: 0
.1.11.10.1.5.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.1 =
Counter32: 0
.1.11.10.1.5.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.2 =
Counter32: 0
.1.11.10.1.5.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.3 =
Counter32: 5
.1.11.10.1.6.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.1 =
Counter32: 0
.1.11.10.1.6.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.2 =
Counter32: 0
.1.11.10.1.6.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.3 =
Counter32: 0
.1.11.10.1.7.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.1 =
Counter32: 0
.1.11.10.1.7.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.2 =
Counter32: 3
.1.11.10.1.7.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.3 =
Counter32: 4
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages
= Counter32: 0
.1.11.10.2.2 =
bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 0
.1.11.10.2.3 = bwProducts.bwMailFirewall.mailTable.mailStatus.totalMessages =
Counter32: 0
.4.1.0 = bwSysMemory.memIndex.0 = INTEGER: 0
.4.2.0 = bwSysMemory.memErrorName.0 = STRING: swap
.4.3.0 = bwSysMemory.memTotalSwap.0 = INTEGER: 262016
412

MIB OID Values
.4.4.0 = bwSysMemory.memAvailSwap.0 = INTEGER: 260928
.4.5.0 = bwSysMemory.memTotalReal.0 = INTEGER: 104264
.4.6.0 = bwSysMemory.memAvailReal.0 = INTEGER: 46684
.4.11.0 = bwSysMemory.memTotalFree.0 = INTEGER: 46696
.4.12.0 = bwSysMemory.memMinimumSwap.0 = INTEGER: 16000
.4.13.0 = bwSysMemory.memShared.0 = INTEGER: 29000
.4.14.0 = bwSysMemory.memBuffer.0 = INTEGER: 22640
.4.15.0 = bwSysMemory.memCached.0 = INTEGER: 12
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 0
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING:
.9.1.1.1 = dskTable.dskEntry.dskIndex.1 = INTEGER: 1
.9.1.1.2 = dskTable.dskEntry.dskIndex.2 = INTEGER: 2
.9.1.1.3 = dskTable.dskEntry.dskIndex.3 = INTEGER: 3
.9.1.1.4 = dskTable.dskEntry.dskIndex.4 = INTEGER: 4
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail
.9.1.2.2 = dskTable.dskEntry.dskPath.2 = STRING: /server/ftp/log
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var
.9.1.2.4 = dskTable.dskEntry.dskPath.4 = STRING: /backup
.9.1.3.1 = dskTable.dskEntry.dskDevice.1 = STRING: /dev/ad0s2e
.9.1.3.2 = dskTable.dskEntry.dskDevice.2 = STRING: /dev/ad0s2d
.9.1.3.3 = dskTable.dskEntry.dskDevice.3 = STRING: /dev/ad0s2f
.9.1.3.4 = dskTable.dskEntry.dskDevice.4 = STRING: /dev/ad0s2g
.9.1.4.1 = dskTable.dskEntry.dskMinimum.1 = INTEGER: -1
.9.1.4.2 = dskTable.dskEntry.dskMinimum.2 = INTEGER: -1
.9.1.4.3 = dskTable.dskEntry.dskMinimum.3 = INTEGER: -1
.9.1.4.4 = dskTable.dskEntry.dskMinimum.4 = INTEGER: -1
.9.1.5.1 = dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10
.9.1.5.2 = dskTable.dskEntry.dskMinPercent.2 = INTEGER: 10
.9.1.5.3 = dskTable.dskEntry.dskMinPercent.3 = INTEGER: 10
.9.1.5.4 = dskTable.dskEntry.dskMinPercent.4 = INTEGER: 10
.9.1.6.1 = dskTable.dskEntry.dskTotal.1 = INTEGER: 2834414
413

SNMP MIBS
.9.1.6.2 = dskTable.dskEntry.dskTotal.2 = INTEGER: 2834414
.9.1.6.3 = dskTable.dskEntry.dskTotal.3 = INTEGER: 2834414
.9.1.6.4 = dskTable.dskEntry.dskTotal.4 = INTEGER: 2834414
.9.1.7.1 = dskTable.dskEntry.dskAvail.1 = INTEGER: 2607590
.9.1.7.2 = dskTable.dskEntry.dskAvail.2 = INTEGER: 2576054
.9.1.7.3 = dskTable.dskEntry.dskAvail.3 = INTEGER: 2499830
.9.1.7.4 = dskTable.dskEntry.dskAvail.4 = INTEGER: 2607660
.9.1.8.1 = dskTable.dskEntry.dskUsed.1 = INTEGER: 72
.9.1.8.2 = dskTable.dskEntry.dskUsed.2 = INTEGER: 31608
.9.1.8.3 = dskTable.dskEntry.dskUsed.3 = INTEGER: 107832
.9.1.8.4 = dskTable.dskEntry.dskUsed.4 = INTEGER: 2
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0
.9.1.9.2 = dskTable.dskEntry.dskPercent.2 = INTEGER: 1
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 4
.9.1.9.4 = dskTable.dskEntry.dskPercent.4 = INTEGER: 0
.9.1.100.1 = dskTable.dskEntry.dskErrorFlag.1 = INTEGER: 0
.9.1.100.2 = dskTable.dskEntry.dskErrorFlag.2 = INTEGER: 0
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 0
.9.1.100.4 = dskTable.dskEntry.dskErrorFlag.4 = INTEGER: 0
.9.1.101.1 = dskTable.dskEntry.dskErrorMsg.1 = STRING:
.9.1.101.2 = dskTable.dskEntry.dskErrorMsg.2 = STRING:
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:
.9.1.101.4 = dskTable.dskEntry.dskErrorMsg.4 = STRING:
.11.1.0 = systemStats.ssIndex.0 = INTEGER: 1
.11.2.0 = systemStats.ssErrorName.0 = STRING: systemStats
.11.3.0 = systemStats.ssSwapIn.0 = INTEGER: 0
.11.4.0 = systemStats.ssSwapOut.0 = INTEGER: 0
.11.7.0 = systemStats.ssSysInterrupts.0 = INTEGER: 233
.11.8.0 = systemStats.ssSysContext.0 = INTEGER: 49
.11.9.0 = systemStats.ssCpuUser.0 = INTEGER: 1
.11.10.0 = systemStats.ssCpuSystem.0 = INTEGER: 7
414

MIB OID Values
.11.11.0 = systemStats.ssCpuIdle.0 = INTEGER: 91
.11.50.0 = systemStats.ssCpuRawUser.0 = Counter32: 483
.11.51.0 = systemStats.ssCpuRawNice.0 = Counter32: 0
.11.52.0 = systemStats.ssCpuRawSystem.0 = Counter32: 2859
.11.53.0 = systemStats.ssCpuRawIdle.0 = Counter32: 20860
.11.55.0 = systemStats.ssCpuRawKernel.0 = Counter32: 2752
.11.56.0 = systemStats.ssCpuRawInterrupt.0 = Counter32: 107
.11.59.0 = systemStats.ssRawInterrupts.0 = Counter32: 47574
.11.60.0 = systemStats.ssRawContexts.0 = Counter32: 10795
415

APPENDIX G
Third Party Copyrights and
Licenses
Apache
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and
distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the
copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other
entities that control, are controlled by, or are under common control with
that entity. For the purposes of this definition, "control" means (i) the
power, direct or indirect, to cause the direction or management of such
entity, whether by contract or otherwise, or (ii) ownership of fifty percent
(50%) or more of the outstanding shares, or (iii) beneficial ownership of such
entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising
permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation source, and
configuration files.
417

Third Party Copyrights and Licenses
"Object" form shall mean any form resulting from mechanical transformation or
translation of a Source form, including but not limited to compiled object
code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form,
made available under the License, as indicated by a copyright notice that is
included in or attached to the work (an example is provided in the Appendix
below).
"Derivative Works" shall mean any work, whether in Source or Object form, that
is based on (or derived from) the Work and for which the editorial revisions,
annotations, elaborations, or other modifications represent, as a whole, an
original work of authorship. For the purposes of this License, Derivative Works
shall not include works that remain separable from, or merely link (or bind by
name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original
version of the Work and any modifications or additions to that Work or
Derivative Works thereof, that is intentionally submitted to Licensor for
inclusion in the Work by the copyright owner or by an individual or Legal
Entity authorized to submit on behalf of the copyright owner. For the purposes
of this definition, "submitted" means any form of electronic, verbal, or
written communication sent to the Licensor or its representatives, including
but not limited to communication on electronic mailing lists, source code
control systems, and issue tracking systems that are managed by, or on behalf
of, the Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise designated in
writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
of whom a Contribution has been received by Licensor and subsequently
incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this
License, each Contributor hereby grants to You a perpetual, worldwide, nonexclusive,
no-charge, royalty-free, irrevocable copyright license to
reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or
Object form.
3. Grant of Patent License. Subject to the terms and conditions of this
License, each Contributor hereby grants to You a perpetual, worldwide, nonexclusive,
no-charge, royalty-free, irrevocable (except as stated in this
section) patent license to make, have made, use, offer to sell, sell, import,
and otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily infringed by
their Contribution(s) alone or by combination of their Contribution(s) with the
Work to which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in a
lawsuit) alleging that the Work or a Contribution incorporated within the Work
constitutes direct or contributory patent infringement, then any patent
licenses granted to You under this License for that Work shall terminate as of
the date such litigation is filed.
418

4. Redistribution. You may reproduce and distribute copies of the Work or
Derivative Works thereof in any medium, with or without modifications, and in
Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy
of this License; and (b) You must cause any modified files to carry prominent
notices stating that You changed the files; and (c) You must retain, in the
Source form of any Derivative Works that You distribute, all copyright,
patent, trademark, and attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of the Derivative
Works; and (d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must include a
readable copy of the attribution notices contained within such NOTICE file,
excluding those notices that do not pertain to any part of the Derivative
Works, in at least one of the following places: within a NOTICE text file
distributed as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or, within a
display generated by the Derivative Works, if and wherever such third-party
notices normally appear. The contents of the NOTICE file are for informational
purposes only and do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside or as an
addendum to the NOTICE text from the Work, provided that such additional
attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide
additional or different license terms and conditions for use, reproduction, or
distribution of Your modifications, or for any such Derivative Works as a
whole, provided Your use, reproduction, and distribution of the Work otherwise
complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any
Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without any
additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify the terms
of any separate license agreement you may have executed with Licensor
regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names,
trademarks, service marks, or product names of the Licensor, except as
required for reasonable and customary use in describing the origin of the Work
and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in
writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied, including, without limitation, any warranties
or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any risks
associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in
tort (including negligence), contract, or otherwise, unless required by
419

Third Party Copyrights and Licenses
applicable law (such as deliberate and grossly negligent acts) or agreed to in
writing, shall any Contributor be liable to You for damages, including any
direct, indirect, special, incidental, or consequential damages of any
character arising as a result of this License or out of the use or inability to
use the Work (including but not limited to damages for loss of goodwill, work
stoppage, computer failure or malfunction, or any and all other commercial
damages or losses), even if such Contributor has been advised of the
possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or
Derivative Works thereof, You may choose to offer, and charge a fee for,
acceptance of support, warranty, indemnity, or other liability obligations and/
or rights consistent with this License. However, in accepting such obligations,
You may act only on Your own behalf and on Your sole responsibility, not on
behalf of any other Contributor, and only if You agree to indemnify, defend,
and hold each Contributor harmless for any liability incurred by, or claims
asserted against, such Contributor by reason of your accepting any such
warranty or additional liability.
END OF TERMS AND CONDITIONS
Curl, Libcurl
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, .
All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be
used in advertising or otherwise to promote the sale, use or other dealings in
this Software without prior written authorization of the copyright holder.
420

Cyrus-SASL
CMU libsasl
Tim Martin
Rob Earhart
Copyright (c) 2000 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
3. The name "Carnegie Mellon University" must not be used to endorse or
promote products derived from this software without prior written permission.
For permission or any other legal details, please contact Office of Technology
Transfer Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213-
3890 (412) 268-4387, fax: (412) 268-7395 tech-transfer@andrew.cmu.edu
4. Redistributions of any form whatsoever must retain the following
acknowledgment: "This product includes software developed by Computing
Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
OF THIS SOFTWARE.
421

Third Party Copyrights and Licenses
DCC
Distributed Checksum Clearinghouse
Copyright (c) 2004 by Rhyolite Software
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Copyright (c) 1987, 1993, 1994
The Regents of the University of California. All rights reserved.
File
Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995.
Software written by Ian F. Darwin and others; maintained 1994-1999 Christos
Zoulas.
This software is not subject to any export provision of the United States
Department of Commerce, and may be exported to any country or planet.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice
immediately at the beginning of the file, without modification, this list of
conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgement:
This product includes software developed by Ian F. Darwin and others.
4. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
422

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
FreeBSD
Copyright 1994-2004 The FreeBSD Project. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are
those of the authors and should not be interpreted as representing official
policies, either expressed or implied, of the FreeBSD Project.
FreeType
The FreeType Project LICENSE
2000-Feb-08
Copyright 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg
Introduction
============
The FreeType Project is distributed in several archive packages; some of
them may contain, in addition to the FreeType font engine, various tools and
contributions which rely on, or relate to, the FreeType Project.
This license applies to all files found in such packages, and which do not
fall under their own explicit license. The license affects thus the
423

Third Party Copyrights and Licenses
FreeType font engine, the test programs, documentation and makefiles, at
the very least.
This license was inspired by the BSD, Artistic, and IJG (Independent
JPEG Group) licenses, which all encourage inclusion and use of free
software in commercial and freeware products alike. As a consequence, its
main points are that:
* We don't promise that this software works. However, we will be interested in
any kind of bug reports. (`as is' distribution)
* You can use this software for whatever you want, in parts or full form,
without having to pay us. (`royalty-free' usage)
* You may not pretend that you wrote this software. If you use it, or only
parts of it, in a program, you must acknowledge somewhere in your
documentation that you have used the FreeType code. (`credits')
We specifically permit and encourage the inclusion of this software,
with or without modifications, in commercial products. We disclaim all
warranties covering The FreeType Project and assume no liability related
to The FreeType Project.
Legal Terms
===========
Definitions
--------------
Throughout this license, the terms `package', `FreeType Project', and
`FreeType archive' refer to the set of files originally distributed by
the authors (David Turner, Robert Wilhelm, and Werner Lemberg) as the
`FreeType Project', be they named as alpha, beta or final release.
'You' refers to the licensee, or person using the project, where `using' is a
generic term including compiling the project's source code as well as linking
it to form a `program' or `executable'. This program is referred to as `a
program using the FreeType engine'.
This license applies to all files distributed in the original FreeType
Project, including all source code, binaries and documentation,
unless otherwise stated in the file in its original, unmodified form
as distributed in the original archive.
If you are unsure whether or not a particular file is covered by this
license, you must contact us to verify this.
The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert
Wilhelm, and Werner Lemberg. All rights reserved except as specified below.
1. No Warranty
--------------
THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL
424

ANY OF THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY
THE USE OR THE INABILITY TO USE, OF THE FREETYPE PROJECT.
2. Redistribution
-----------------
This license grants a worldwide, royalty-free, perpetual and irrevocable
right and license to use, execute, perform, compile, display, copy,
create derivative works of, distribute and sublicense the FreeType
Project (in both source and object code forms) and derivative works
thereof for any purpose; and to authorize others to exercise some or all
of the rights granted herein, subject to the following conditions:
* Redistribution of source code must retain this license file
(`LICENSE.TXT') unaltered; any additions, deletions or changes to the
original files must be clearly indicated in accompanying
documentation. The copyright notices of the unaltered, original
files must be preserved in all copies of source files.
* Redistribution in binary form must provide a disclaimer that states that
the software is based in part of the work of the FreeType Team, in the
distribution documentation. We also encourage you to put an URL to the
FreeType web page in your documentation, though this isn't mandatory.
These conditions apply to any software derived from or based on the FreeType
Project, not just the unmodified files. If you use our work, you must
acknowledge us. However, no fee need be paid to us.
3. Advertising
--------------
Neither the FreeType authors and contributors nor you shall use the name of
the other for commercial, advertising, or promotional purposes without
specific prior written permission.
We suggest, but do not require, that you use one or more of the following
phrases to refer to this software in your documentation or advertising
materials: `FreeType Project', `FreeType Engine', `FreeType library', or
`FreeType Distribution'.
As you have not signed this license, you are not required to accept it.
However, as the FreeType Project is copyrighted material, only this
license, or another one contracted with the authors, grants you the right
to use, distribute, and modify it. Therefore, by using, distributing, or
modifying the FreeType Project, you indicate that you understand and accept
all the terms of this license.
4. Contacts
-----------
There are two mailing lists related to FreeType:
* freetype@freetype.org
425

Third Party Copyrights and Licenses
Discusses general use and applications of FreeType, as well as future and
wanted additions to the library and distribution. If you are looking for
support, start in this list if you haven't found anything to help you in the
documentation.
* devel@freetype.org
Discusses bugs, as well as engine internals, design issues, specific
licenses, porting, etc.
* http://www.freetype.org
Holds the current FreeType web page, which will allow you to download our
latest development version and read online documentation.
You can also contact us individually at:
David Turner
Robert Wilhelm
Werner Lemberg
GD Graphics Library
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003,
2004 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the
National Institutes of Health.
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 by
Boutell.Com, Inc.
Portions relating to GD2 format copyright 1999, 2000, 2001, 2002, 2003, 2004
Philip Warner.
Portions relating to PNG copyright 1999, 2000, 2001, 2002, 2003, 2004 Greg
Roelofs.
Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002, 2003, 2004 John
Ellson (ellson@graphviz.org).
Portions relating to gdft.c copyright 2001, 2002, 2003, 2004 John Ellson
(ellson@graphviz.org).
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002,
2003, 2004, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999,
2000, 2001, 2002, 2003, 2004 Thomas G. Lane. This software is based in part on
the work of the Independent JPEG Group. See the file README-JPEG.TXT for more
information.
Portions relating to GIF compression copyright 1989 by Jef Poskanzer and David
Rowley, with modifications for thread safety by Thomas Boutell.
Portions relating to GIF decompression copyright 1990, 1991, 1993 by David
Koblas, with modifications for thread safety by Thomas Boutell.
Portions relating to WBMP copyright 2000, 2001, 2002, 2003, 2004 Maurice
Szmurlo and Johan Van den Brande.
Portions relating to GIF animations copyright 2004 Jaakko Hyvätti
(jaakko.hyvatti@iki.fi)
426

Permission has been granted to copy, distribute and modify gd in any context
without fee, including a commercial application, provided that this notice is
present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent
is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all
programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided "AS IS." The copyright holders disclaim all
warranties, either express or implied, including but not limited to implied
warranties of merchantability and fitness for a particular purpose, with
respect to this code and accompanying documentation.
Although their code does not appear in the current release, the authors also
wish to thank Hutchison Avenue Software Corporation for their prior
contributions.
Info-ZIP
Copyright (c) 1990-2003 Info-ZIP. All rights reserved.
For the purposes of this copyright and license, "Info-ZIP" is defined as the
following set of individuals:
Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jeanloup
Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, Greg
Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny
Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi,
Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury,
Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich Wales,
Mike White
This software is provided "as is," without warranty of any kind, express or
implied. In no event shall Info-ZIP or its contributors be held liable for
any direct, indirect, incidental, special or consequential damages arising out
of the use of or inability to use this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it freely,
subject to the following restrictions:
1. Redistributions of source code must retain the above copyright notice,
definition, disclaimer, and this list of conditions.
2. Redistributions in binary form (compiled executables) must reproduce
the above copyright notice, definition, disclaimer, and this list of
conditions in documentation and/or other materials provided with the
distribution. The sole exception to this condition is redistribution of a
standard UnZipSFX binary (including SFXWiz) as part of a self-extracting
archive; that is permitted without inclusion of this license, as long as the
normal SFX banner has not been removed from the binary or disabled.
427

Third Party Copyrights and Licenses
3. Altered versions--including, but not limited to, ports to new operating
systems, existing ports with new graphical interfaces, and dynamic, shared, or
static library versions--must be plainly marked as such and must not be
misrepresented as being the original source. Such altered versions also must
not be misrepresented as being Info-ZIP releases--including, but not limited
to, labeling of the altered versions with the names "Info-ZIP" (or any
variation thereof, including, but not limited to, different capitalizations),
"Pocket UnZip," "WiZ" or "MacZip" without the explicit permission of Info-ZIP.
Such altered versions are further prohibited from misrepresentative use of the
ip-Bugs or Info-ZIP email addresses or of the Info-ZIP URL(s).
4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip,"
"UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own
source and binary releases.
JPEG
The authors make NO WARRANTY or representation, either express or implied, with
respect to this software, its quality, accuracy, merchantability, or fitness
for a particular purpose. This software is provided "AS IS", and you, its
user, assume the entire risk as to its quality and accuracy.
This software is copyright (C) 1991-1998, Thomas G. Lane.
All Rights Reserved except as specified below.
Permission is hereby granted to use, copy, modify, and distribute this software
(or portions thereof) for any purpose, without fee, subject to these
conditions:
(1) If any part of the source code for this software is distributed, then this
README file must be included, with this copyright and no-warranty notice
unaltered; and any additions, deletions, or changes to the original files must
be clearly indicated in accompanying documentation.
(2) If only executable code is distributed, then the accompanying documentation
must state that "this software is based in part on the work of the Independent
JPEG Group".
(3) Permission for use of this software is granted only if the user accepts
full responsibility for any undesirable consequences; the authors accept NO
LIABILITY for damages of any kind.
These conditions apply to any software derived from or based on the IJG code,
not just to the unmodified library. If you use our work, you ought to
acknowledge us.
Permission is NOT granted for the use of any IJG author's name or company name
in advertising or publicity relating to this software or products derived from
it. This software may be referred to only as "the Independent JPEG Group's
software".
428

We specifically permit and encourage the use of this software as the basis of
commercial products, provided that all warranty or liability claims are
assumed by the product vendor.
Libspf
The libspf Software License, Version 1.0
Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
ModSSL
Copyright (c) 1998-2004 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgment: "This product includes software
developed by Ralf S. Engelschall for use in the mod_ssl
project http://www.modssl.org/)."
429

Third Party Copyrights and Licenses
4. The names "mod_ssl" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission,
please contact rse@engelschall.com.
5. Products derived from this software may not be called "mod_ssl" nor may
"mod_ssl" appear in their names without prior written permission of Ralf S.
Engelschall.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes software developed by Ralf S. Engelschall
for use in the mod_ssl project (http://www.modssl.org/
)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Mpack
(C) Copyright 1993,1994 by Carnegie Mellon University
All Rights Reserved.
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice
and this permission notice appear in supporting documentation, and that the
name of Carnegie Mellon University not be used in advertising or publicity
pertaining to distribution of the software without specific, written prior
permission. Carnegie Mellon University makes no representations about the
suitability of this software for any purpose. It is provided "as is" without
express or implied warranty.
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
Portions of this software are derived from code written by Bell Communications
Research, Inc. (Bellcore) and by RSA Data Security, Inc. and bear similar
copyrights and disclaimers of warranty.
430

NTP
Copyright (c) David L. Mills 1992-2004
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided that
the above copyright notice appears in all copies and that both the copyright
notice and this permission notice appear in supporting documentation, and that
the name University of Delaware not be used in advertising or publicity
pertaining to distribution of the software without specific, written prior
permission. The University of Delaware makes no representations about the
suitability this software for any purpose. It is provided "as is" without
express or implied warranty.
OpenLDAP
The OpenLDAP Public License
Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions in source form must retain copyright statements and
notices,
2. Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following disclaimer
in the documentation and/or other materials provided with the distribution,
and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each
revision is distinguished by a version number. You may use this Software
under terms of this license revision or under the terms of any subsequent
revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS
IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS,
OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising
or otherwise to promote the sale, use or other dealing in this Software
431

Third Party Copyrights and Licenses
without specific, written prior permission. Title to copyright in this
Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved. Permission to copy and distribute verbatim copies of this
document is granted.
OpenSSH
The licences which components of this software fall under are as follows.
First, we will summarize and say that all components are under a BSD licence,
or a licence more free than that.
OpenSSH contains no GPL code.
1) Copyright (c) 1995 Tatu Ylonen , Espoo, Finland All rights
reserved
As far as I am concerned, the code I have written for this software can be used
freely for any purpose. Any derived versions of this software must be clearly
marked as such, and if the derived work is incompatible with the protocol
description in the RFC file, it must be called by a name other than "ssh" or
"Secure Shell".
However, I am not implying to give any licenses to any patents or copyrights
held by third parties, and the software includes parts that are not under my
direct control. As far as I know, all included source code is used in
accordance with the relevant license agreements and can be used freely for any
purpose (the GNU license being the most restrictive); see below for details.
Note that any information and cryptographic algorithms used in this software
are publicly available on the Internet and at any major bookstore, scientific
library, and patent office worldwide. More information can be found e.g. at
"http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions
and restrictions. Use only at your own responsibility. You will be responsible
for any legal consequences yourself; I am not making any claims whether
possessing or using this is legal or not in your country, and I am not taking
any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE
THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
432

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR
A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was
contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights
reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this copyright notice is retained.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE
DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky
3) ssh-keyscan was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres .
Modification and redistribution in source and binary forms is permitted
provided that due credit is given to the author and the OpenBSD project by
leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo
Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen
@author Antoon Bosselaers
@author Paulo Barreto
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
433

Third Party Copyrights and Licenses
5) One component of the ssh source code is under a 3-clause BSD license, held
by the University of California, since we pulled these parts from original
Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of
California. All rights reserved. Redistribution and use in source and binary
forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term
BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
434

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must
display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be use to
endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may
"OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
435

Third Party Copyrights and Licenses
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes
cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
PAM
Redistribution and use in source and binary forms of Linux-PAM, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain any existing copyright notice,
and this entire permission notice in its entirety, including the disclaimer of
warranties.
2. Redistributions in binary form must reproduce all prior and current
copyright notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of any author may not be used to endorse or promote products
derived from this software without their specific prior written permission.
ALTERNATIVELY, this product may be distributed under the terms of the GNU
General Public License, in which case the provisions of the GNU GPL are
required INSTEAD OF the above restrictions. (This clause is necessary due to a
potential conflict between the GNU GPL and the restrictions contained in a BSDstyle
copyright.)
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
PHP
The PHP License, version 3.0
Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
436

3. The name "PHP" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please
contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP"
appear in their name, without prior written permission from group@php.net.
You may indicate that your software works in conjunction with PHP by saying
"Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from
time to time. Each version will be given a distinguishing version number. Once
covered code has been published under a particular version of the license, you
may always continue to use it under the terms of that version. You may also
choose to use such covered code under the terms of any subsequent version of
the license published by the PHP Group. No one other than the PHP Group has the
right to modify the terms applicable to covered code created under this
License.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes PHP, freely available from ".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
437

Third Party Copyrights and Licenses
PostgreSQL
Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose, without fee, and without a written agreement is
hereby granted, provided that the above copyright notice and this paragraph and
the following two paragraphs appear in all copies.
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND
THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE,
SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
438

A
Access Control via Mail Mappings 56
Action String 352
Active Directory 18
Activity screen 330, 345
Add Authentication Header 171
Adding a Spam Dictionary 143
Admin Login 40
Admin User 32
Advanced SMTP Settings 51
Alarms 340
Alarms List 342
Analysis Code Descriptions 347
Annotations 50
Anti-Spam Header 137
Anti-Virus 82
Archiving 19, 125
Mail Routes 127
Attachment Content Scanning 102, 106
Attachment Control 23, 102, 103
Attachment Types 103
Authentication 17
Authentication log 332
Automatic License Activation 308
B
Backup
Errors 320
FTP 316
Local Disk 315
Naming Conventions 318
BCC (Blind Carbon Copy) 49
Blocked Senders List 16, 181
BSN (BorderWare Security Network) 132, 148
BSN Whitelisting 149
Check Relays 150
Exclude Relay 150
Reject Message 152
Reject on BSN Reputation 151
Reject on Infection 151
Statistics Sharing 148
Bulk Analysis 16, 132, 158
Servers 160
C
Cached server passwords 214
Canonicalization 173
Centralized Management 321
Console 324
Copy Configuration 325
Certificate 97
Certificate Authority (CA) 98
Chinese character set 164
Cisco blocking 261
Clustering 41, 266
Activity 275, 331
Adding Cluster Members 271
Administration 274
Backup and Restore 276
Configuration 268
Console 266
Interface 41
Network Configuration 268
Reporting 275
Troubleshooting Cluster Initialization 273
Compliancy 108, 123
Configuration Information 304
Configuring Spam Controls 136
Connection Rules 245
Content Reject Message 51
Content Scanning 102, 106
Copy Configuration 325
CRYPTOCard 17, 32, 200
Current Admin and WebMail Users 304
Customization 36
Customizing Notification and Annotation
Messages 371
D
Daily Backup 317
Default Connection Rules 241
Default Logo 36
Default Mail Relay 49
Default policy 223
Default Spam Words 143
Delete Strong Authentication for Admin 364
Delivery Settings 48
Delivery Warning 50
Diagnostics 303
Dictionaries 123
Dictionary Spam Count 168
Directory Authentication 202
Directory Groups 63
Directory Servers 61
Directory Services 61
Directory Users 63
Disabling Group Policy 230
Disabling Reporting 300
Disk Space Quota 197
DMZ (Demilitarized Zone) 20
DNS 39
Favor Fastest 39
Strict Ordering 39
DNS Block List (DNSBL) 15, 132, 153
Check Relays 153
Domains 155
Exclude Relays 154
Reject Threshold 154
Rejects 154
Domain policies 224
DomainKeys 16, 133, 171
Add Authentication Header 171
Canonicalization 173
439

DNS Record 175
Granularity 175
Log Messages 172
Outbound message signing 173
Selector 174
Selector List 174
Temporary DNS Error 171
Testing 172, 175
Dynamic Lists 253
E
Enable NULL Character Detect 121
Enable Sending and Receiving 303
Encryption 94
Envelope sender doesn’t match From header 147
ePrism Mail Client 216
Escalation Mail 341
ESMTP (Extended SMTP) 51
External message encryption 90
F
F5 Blocking 256
F5 Cluster Configuration 278
Factory Default Settings 367
Flush Mail Queue 303, 355
G
Gateway 38
Group policies 226
Group Policy
Disabling 230
Orphaned Groups 230
H
HALO (High Availability and Load
Optimization) 17, 266
Health Check service 327
HELO 51, 113, 115, 141
HELO/EHLO doesn’t match client 147
Hostname Lookup 303, 355
I
Image Spam Analysis 165
IMAP 17, 196
Inbound Attachment Control 102
Intercept 15, 132
Advanced Features 177
Component Weights 179
Decision Strategy 178
Internationalization 19
Invalid HELO/EHLO hostname 147
iPlanet 18
J
Japanese character set 164
K
KeepOpen 46
Kernel Log 332
Korean character set 164
L
Large MTU 39
LDAP (Lightweight Directory Access Protocol) 18,
60
LDAP Aliases 54, 65, 67
LDAP Recipients 71, 139
LDAP Routing 76
LDAP SMTP Authenticated relay 73
LDAP SMTP Authentication 81
LDAP Users 139
LDAP Virtual Mappings 58, 69
License Management 308
Load Balancing 18
Using DNS 267
Local Accounts 197
Log Files 332, 346
Log TLS info into Received header 95
Login page title 36
M
Mail Access 80
Mail Aliases 25, 53
Mail Anomalies 15, 132, 146
Mail History 294, 360
Mail Mappings 24, 55
Mail Queue Management 305
Mail Routing 25, 46
Mail Transport log 347
MAILER-DAEMON 48
Malformed messages 15, 102, 121
Manual License Activation 309
Masquerade Addresses 49
Maximum mailbox size 198
Maximum message size 23, 80
Maximum Number of Mail Scanners 379
Maximum Number of Parallel Deliveries 378
Maximum Number of Processes 378
Maximum number of recipients 23
Maximum original message text in bounces 48
Maximum recipients per message 80
Maximum recipients reject code 80
Maximum time in mail queue 48
Maximum time in queue for bounces 48
Maximum Unknown Recipients 81
Maximum Unknown recipients per message 81
Maximum Unknown recipients reject code 81
Message Body 113
Message Disposition 295, 361
Message Envelope 113
Message Processing Order 369
440

Messages Log 332
MIB (Management Information Base) 337, 339
OID Values 411
MIME (Multipurpose Internet Mail Extensions) 14
Mirror Accounts 65, 199
Missing client reverse DNS 146
Missing From header 147
Missing sender MX 146
Missing To header 147
MTU 39
Multiple Recipient Reject Mode 52
N
Network Interfaces 39
Network Settings 38
Neutral Words 163
NTP (Network Time Protocol) 39
Number of Database Proxies 380
Number of Heavy Weight Processes 379
O
OCF (Objectionable Content Filter) 23, 102, 110
OpenLDAP 18
Optional Product Licenses 310
Outbound Attachment Control 102
P
Pattern Based Message Filtering (PBMF) 15, 80,
102, 108, 132, 141
Action 119
BCC Action 119
Preferences 119
Priority 118
Performance Tuning 375
Personal Quarantine Controls 213
Ping 303, 358, 364
Policy 18, 220
Diagnostics 234
hierarchy 220
Verbose Logging 233
POP3 17, 196
Problem Reporting 326
Q
Quarantine expiry options 307
Quarantine Management 306
Queue replication 18, 279
Interface 281
R
RADIUS 204
Raise Priority of Heavy Weight Processes 379
Raw Mail Body 116
Reboot 313, 364
Received Header 52
Reject Connection From Dial-ups 151
Reject on BSN 22
Reject on BSN Reputation 151
Reject on DNSBL 22, 154
Reject on expired license 22
Reject on Infection 151
Reject on missing addresses 23, 177
Reject on missing reverse DNS 23, 177
Reject on missing sender MX 23, 177
Reject on non FQDN sender 23, 177
Reject on Threat Prevention 22
Reject on unauth pipelining 22, 177
Reject on unknown recipient 23, 139
Reject on unknown sender domain 23, 177
Relaying mail 47
Relocated Users 24, 205
Remote Authentication 202
Re-Ordering Groups 228
Replication Client 281
Replication Host 281
Reporting SQL Log 332
Reports 284
Automatic Report Generation 288
Configuration 299
Disabling 300
Fields 289
Filters 293
Generating 285
Viewing 285
Require TLS for SMTP AUTH 95
Reset Network Interface 364
Reset SSL Certificates 364
Respond to Ping 40
Restore
Errors 320
FTP 319
Local Disk 318
Restoring a Cluster Member 276
Restoring from Backup 318
Restoring the Cluster Console 276
RFC 1323 40
RFC 1644 40
Rollout and Offload 335
S
SafeWord 17, 32, 200
Searching Log Files 333
Secure WebMail 16, 212
SecurID 17, 32, 201
Security Connection 19, 312, 364
Selector List 174
Send EHLO 52
Sender Policy Framework (SPF) 16, 133, 169
SPF Records 169
Serial Console 365
Service Throttle Time 381
Show Recipients 331
441

Shutdown 313, 364
Size of Shared Memory block 381
Size of Temporary Files Filesystem 381
SMTP 17
SMTP Authenticated Relay 81
SMTP Banner 81
SMTP Connect Timeout 380
SMTP HELO Timeout 380
SMTP Notification 52
SMTP Pipelining 51
SMTP Probe 303, 357
SMTP Security 94
SMTP Tarpit Time 381
SMTPD Minimum Receive Rate 381
SMTPD Receive Rate Interval 381
SMTPD Timeout 380
SNMP (Simple Network Management
Protocol) 19, 40, 337
Community string 338
MIBS 383
Permitted Clients 338
Trap Hosts 339
Software Updates 311
Spam Dictionaries 15, 132, 142
Spam Quarantine 16, 133, 187, 277
in a Cluster 192
Spam Summary Message 189
Specific Access Patterns (SAP) 15, 22, 80, 132, 140
SSL (Secure Socket Layer) 94
SSL Certificates 97
Static Lists 251
Static Routes 45
Status & Utility 302
Stop and Start Mail Services 303
Strip incoming DK headers 171
Strip Received Headers 49
Strong Authentication 32, 197, 200
Support Access 41
Supported web browsers 28
SURBL (Spam URI Realtime Block Lists) 16
Syslog 334
Syslog Host 38
System Console 31, 363
System event types 296
System History 296
System Logs 332, 346
Advanced Search 333
System Status 302
Default Connection Rules 241
Dynamic Lists 253
F5 Blocking 256
Static Lists 251
Status 264
Tiered Administration 33, 209
Time before delay warning 48
Time to retain undeliverable notice mail 48
TLS (Transport Layer Security) 17, 94
Reporting 96
Token Analysis 16, 132, 161
Advanced Options 163
Delete Training 163
Token 117
Training 166
Troubleshooting 168
Traceroute 303, 359, 364
Troubleshooting Content Issues 360
Troubleshooting Mail Delivery 344
Troubleshooting Tools 345
Trusted and Untrusted Mail 134
Trusted Senders List 16, 133, 181, 213, 277
Trusted Subnet 40, 134
U
Unauthorized pipelining 147
Unknown HELO/EHLO domain 147
Unknown sender domain 147
UPS 364
URL Block List 16, 132, 156
User policy 231
V
Vacation Notification 206
Very Malformed Mail 50
Virtual Interfaces 42
Virtual Mappings 24, 57
Virus pattern files 84
W
Web Server Options 35
X
X-STA Header 165
T
TCP extensions 40
Temporary DNS Error 171
Threat Outbreak Control 85
Threat Prevention 16, 238
Cisco blocking 261
Creating Connection Rules 245
442