ePrism Email Security Appliance User Guide
Software Version: 6.0
Last Revision: 2/1/06


Preface 7

CHAPTER 1 ePrism Overview 11
    What’s New in ePrism 6.0 12
    ePrism Overview 17
    ePrism Deployment 25
    How Messages are Processed by ePrism 27

CHAPTER 2 Administering ePrism 31
    Connecting to ePrism 32
    Configuring the Admin User 36
    Web Server Options 39
    Customizing the ePrism Interface 40

CHAPTER 3 Configuring Mail Delivery Settings 41
    Network Settings 42
    Static Routes 46
    Mail Routing 47
    Mail Delivery Settings 49
    Mail Aliases 55
    Mail Mappings 57
    Virtual Mappings 59

CHAPTER 4 Directory Services 61
    Directory Service Overview 62
    Directory Servers 64
    Directory Users and Groups 66
    LDAP Aliases 70
    LDAP Mappings 72
    LDAP Recipients 74
    LDAP Relay 76
    LDAP Routing 79

CHAPTER 5 Mail Security and Encryption 81
    SMTP Mail Access 82
    Anti-Virus 85
    E-Mail Message Encryption 88
    Encrypting Mail Delivery Sessions 92
    SSL Certificates 95

CHAPTER 6 Attachment and Content Scanning 99
    Content Scanning Overview 100
    Attachment Control 101
    Attachment Content Scanning 104
    Objectionable Content Filter 108
    Pattern Based Message Filtering (PBMF) 110
    Malformed Mail 119
    Dictionaries 121

CHAPTER 7 Intercept Anti-Spam 123
    Intercept Anti-Spam Feature Overview 124
    Trusted and Untrusted Mail Sources 126
    Configuring Intercept Anti-Spam 127
    Intercept Components 129
    Intercept Advanced Features 158
    Trusted Senders 162
    Spam Quarantine 165

CHAPTER 8 User Accounts and Remote Authentication 171
    POP3 and IMAP Access 172
    Local User Mailboxes 173
    Mirror Accounts 175
    Strong Authentication 176
    Remote Accounts and Directory Authentication 178
    Relocated Users 181
    Vacation Notification 182
    Tiered Administration 185

CHAPTER 9 Secure WebMail and ePrism Mail Client 187
    Secure WebMail 188
    ePrism Mail Client 192

CHAPTER 10 Policy Management 195
    Policy Overview 196
    Creating Policies 199
    Domain Policies 201
    Group Policies 203
    User Policies 208
    Managing Policies 210
    Policy Diagnostics 211

CHAPTER 11 Threat Prevention 213
    Threat Prevention Overview 214
    Configuring Threat Prevention 215
    Static Address Lists 217
    Dynamic Address Lists 219
    F5 Blocking 222
    Cisco Blocking 226
    Threat Prevention Status 229

CHAPTER 12 HALO (High Availability and Load Optimization) 231
    HALO Overview 232
    Configuring Clustering 234
    Cluster Management 240
    Configuring the F5 Load Balancer 244
    Queue Replication 245

CHAPTER 13 Reporting 249
    Viewing and Generating Reports 250
    Viewing the Mail History Database 260
    Viewing the System History Database 262
    Report Configuration 264

CHAPTER 14 System Management 267
    System Status and Utilities 268
    Mail Queue Management 271
    Quarantine Management 272
    License Management 274
    Software Updates 276
    Security Connection 277
    Reboot and Shutdown 278
    Backup and Restore 279
    Centralized Management 288
    Problem Reporting 293

CHAPTER 15 Monitoring System Activity 295
    Activity Screen 296
    System Log Files 298
    Offloading Log Files 301
    SNMP (Simple Network Management Protocol) 303
    Alarms 306

CHAPTER 16 Troubleshooting Mail Delivery 309
    Troubleshooting Mail Delivery 310
    Troubleshooting Tools 311
    Examining Log Files 312
    Network and Mail Diagnostics 318
    Troubleshooting Content Issues 323

APPENDIX A Using the ePrism System Console 325

APPENDIX B Restoring ePrism to Factory Default Settings 329

APPENDIX C Message Processing Order 331

APPENDIX D Customizing Notification and Annotation Messages 333

APPENDIX E Performance Tuning 335
    Setting Default Performance Settings 336
    Advanced Settings 337

APPENDIX F SNMP MIBS 343
    MIB Files Summary 343
    MIB Files 347
    MIB OID Values 371

APPENDIX G Third Party Copyrights and Licenses 375


Preface

This ePrism User Guide provides detailed information on how to configure and manage your ePrism Email Security Appliance, and contains the following topics:

• Chapter 1 — “ePrism Overview” on page 11
• Chapter 2 — “Administering ePrism” on page 31
• Chapter 3 — “Configuring Mail Delivery Settings” on page 41
• Chapter 4 — “Directory Services” on page 61
• Chapter 5 — “Mail Security and Encryption” on page 81
• Chapter 6 — “Attachment and Content Scanning” on page 99
• Chapter 7 — “Intercept Anti-Spam” on page 123
• Chapter 8 — “User Accounts and Remote Authentication” on page 171
• Chapter 9 — “Secure WebMail and ePrism Mail Client” on page 187
• Chapter 10 — “Policy Management” on page 195
• Chapter 11 — “Threat Prevention” on page 213
• Chapter 12 — “HALO (High Availability and Load Optimization)” on page 231
• Chapter 13 — “Reporting” on page 249
• Chapter 14 — “System Management” on page 267
• Chapter 15 — “Monitoring System Activity” on page 295
• Chapter 16 — “Troubleshooting Mail Delivery” on page 309

The following Appendices contain supplemental information for ePrism:

• Appendix A — “Using the ePrism System Console” on page 325
• Appendix B — “Restoring ePrism to Factory Default Settings” on page 329
• Appendix C — “Message Processing Order” on page 331
• Appendix D — “Customizing Notification and Annotation Messages” on page 333
• Appendix E — “Performance Tuning” on page 335
• Appendix F — “SNMP MIBS” on page 343
• Appendix G — “Third Party Copyrights and Licenses” on page 375


Related Documentation

If release notes are included with your product package, please read them for the latest information on installing and managing your ePrism.

The following documents are included as part of the ePrism documentation set:

• Release Notes — Provides up to date information on the product, including any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.

• ePrism Installation Guide — Provides instructions on how to install and provide the initial configuration for the ePrism Email Security Appliance.

• ePrism User Guide — Provides detailed information on how to configure and administer the ePrism Email Security Appliance.

Contacting Technical Support

St. Bernard Software telephone support is available Monday to Friday, 07:00 am to 4:00 pm (Pacific Standard Time), 08:30 to 17:30 (UTC).

North America, South America, Pacific Rim (PST)
15015 Avenue of Science
San Diego, CA 92128
Main: 858.676.2277
FAX: 858.676.2299
Technical Support: 858.676.5050
Technical Support Email: [email protected]

Europe, Asia, Africa (UTC)
Unit 4, Riverside Way
Watchmoor Park, Camberley
Surrey, UK GU15 3YQ
Main: 44.1276.401.640
FAX: 44.1276.684.479
Technical Support: 44.1276.401.642
Technical Support Email: [email protected]

Last Edit: 2/1/06 Version: 6.0


Copyright Information

© 2003-2006 St. Bernard Software, Inc. All rights reserved.

St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged.

Information in this document is subject to change without notice.


CHAPTER 1 ePrism Overview

This chapter provides an overview of the architecture and features of the ePrism Email Security Appliance, and contains the following topics:

• “What’s New in ePrism 6.0” on page 12
• “ePrism Overview” on page 17
• “ePrism Deployment” on page 25
• “How Messages are Processed by ePrism” on page 27


What’s New in ePrism 6.0

The ePrism Email Security Appliance version 6.0 adds several new features while considerably improving the functionality of existing features.

Intercept™ Anti-Spam

ePrism 6.0 introduces the Intercept Anti-Spam engine that offers considerable improvements in ePrism’s existing anti-spam technology:

• Simplified and Efficient Administration — Intercept provides administrators with powerful default settings and simpler actions to increase the efficiency of Anti-Spam administration. Intercept’s default Anti-Spam settings provide a strong default configuration to ensure that organizations can deal with a majority of spam messages with little additional configuration. Intercept’s improved anti-spam technologies require no training to capture a majority of spam when first enabled.

• Powerful and Comprehensive Anti-Spam Processing — Intercept introduces enhanced spam fighting technologies to provide a more informed and accurate decision on whether a message is spam or legitimate mail. The addition of technologies such as Spam Dictionaries, IP Reputation and DomainKeys™ ensures that Intercept catches spam and reduces false positives.

• Hosted Anti-Spam Services — New hosted technologies such as IP Reputation, Bulk Analysis, DNS Black Lists, and the introduction of the BorderWare Security Network (BSN) allow customers to more efficiently monitor and trap real-world spam and provide feedback for analysis purposes.

Intercept is configured via Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu.

New Anti-Spam Features

ePrism v6.0 incorporates several new and exciting anti-spam features to help simplify the administration of the ePrism while ensuring a high level of spam detection and low false positive statistics.

• Local IP Reputation — Many spammers and attackers do not send mail from legitimate mail sources. ePrism inspects the incoming IP address and decides whether the IP address is valid or not based on the incoming connection’s behaviour. This information is then used in the overall Intercept decision process to help determine the nature of an incoming message.

• BorderWare Security Network (BSN) — The BSN helps to identify spam by reporting behavior information about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages. This is based on information collected from customer ePrism e-mail servers and global DNS Block Lists. This information can be used by ePrism to either reject the message immediately or contribute to the Intercept score.


• Spam Dictionaries — Pre-defined spam dictionaries containing known spam words and phrases are included with ePrism to help eliminate the need to initially train ePrism systems. By providing spam default dictionaries, ePrism systems can provide strong spam protection after installation without any additional configuration.

• DomainKeys — ePrism’s existing anti-phishing features have been enhanced to include Yahoo DomainKeys. DomainKeys is a popular sender authentication technology to validate sending servers to ensure they are delivering legitimate mail. DomainKeys can be used in combination with the existing Sender Policy Framework (SPF™) features to provide a full range of anti-phishing support. These sender authentication technologies are integrated with ePrism’s Intercept Anti-Spam engine to allow Intercept to make highly informed decisions about the nature and source of incoming messages.

Threat Prevention

ePrism 6.0 introduces threat prevention capabilities that allow organizations to detect and block incoming threats in real-time. Threat types can be monitored and recorded to track client IP behaviour and reputation. By examining mail flow patterns, ePrism detects whether a sending host is behaving maliciously by sending out viruses, spam, or attempting denial-of-service (DoS) types of attacks.

By instantly recognizing these types of mail patterns, ePrism can be an effective solution against immediate attacks. ePrism’s Threat Prevention feature can block or throttle inbound mail connections before the content is processed to lessen the impact of a large number of inbound messages.

Threat Prevention features can also be integrated with third party perimeter devices, such as F5 BIG-IP® traffic managers and Cisco IOS® based devices. By pushing threat information to a perimeter device, threats can be blocked at the network edge to reduce incoming mail traffic before it reaches ePrism.

Threat Prevention is configured via Mail Delivery ➝ Threat Prevention on the menu.

Message Encryption

ePrism encryption support now includes the ability to encrypt and decrypt individual messages when used in conjunction with a third party encryption product. E-mail encryption helps organizations address compliancy needs while ensuring that the privacy of confidential e-mails is maintained. This integration allows organizations to ensure that encrypted messages are still processed by ePrism for security issues such as viruses, malformed mail, and content filtering and scanning.

Message encryption is configured via Mail Delivery ➝ Encryption on the menu.


Advanced Content Filtering and Scanning

Several new content filtering features have been added to provide more powerful filtering rules that can be integrated directly into organizational policies.

• Advanced Content Scanning — ePrism’s advanced content scanning feature can perform deep scanning of e-mail attachments for content filtering purposes, ensuring that private and confidential content is not sent out over the Internet. Document attachments such as PDFs and Microsoft Word documents can be scanned for individual words and phrases that may be blocked due to compliancy policies.

• Expanded Filtering Options — Several new content filtering actions allow filter rules to be created that encrypt, quarantine, BCC, notify, redirect, or discard messages, in addition to existing filter actions. These new filter options provide greater flexibility when setting up and enforcing e-mail policies using ePrism.

• Dictionaries — ePrism 6.0 adds custom dictionary support for content filtering allowing organizations to easily match simple words and phrases against message and attachment content.

• Policy Integration — Content filtering is integrated with ePrism’s policy engine allowing organizations to create different sets of filter rules for different sets of users, groups, and domains.

Content filtering and scanning is configured via Mail Delivery ➝ Content Management on the menu.

Policies

ePrism 6.0 introduces an improved policy engine that provides more policy options and enhanced granularity.

• Policy Feature Integration — ePrism v6.0 offers more variables for defining policy, including Anti-Virus, Intercept Anti-Spam, Content Filtering, Attachment Control, Compliancy, Dictionary support, Annotations, and DomainKeys. Almost all aspects of ePrism’s e-mail security features are integrated with policies to provide organizations with complete control and flexibility over how their e-mail is handled.

• Improved Policy Granularity — Organizations now have more granularity over policy decisions allowing administrators to customize policy rules for specific users or a set of users. Different actions and rules can be applied to different users to provide more comprehensive organizational policies.

• User-based Policies — ePrism 6.0 introduces user-based policies to the existing group and domain policies. Administrators can now create policies on a per user basis to provide a more granular policy configuration.

• Policy Diagnostics — Administrators can run diagnostics to view the result of their policy configuration. By entering the e-mail address of a specific user, a chart will display what policies are applied to that user and the final result. Diagnostics reduce the administrative effort by helping to eliminate any policy conflicts.

Policies are configured via Mail Delivery ➝ Policy on the menu.

Advanced Log Searches

A new advanced search menu allows administrators to search all current and archived log files of a particular log type for specific patterns. Advanced log searches are accessed via Status/Reporting ➝ System Logs ➝ Advanced Search.

Log Rollout and Offload

ePrism can automatically compress older files to save disk space when a certain amount of log files have been generated. For backup purposes and offline reporting, ePrism can also copy log and reporting files to another system at regular intervals using FTP or SCP file copy utilities. This allows administrators to backup the log files to a separate host for analysis and storage.

Configure log rollout and offload via Status/Reporting ➝ System Logs ➝ Rollout and Offload.

Show Multiple Recipients on Activity Screen

On the main Activity screen, messages with multiple recipients can be expanded to see all recipients of the message and their disposition by clicking the Show Recipients button.

New Mail Delivery Options

The following new options have been added to the Mail Delivery ➝ Delivery Settings menu.

• Maximum time in queue for bounces — Specifies how many days a system-generated bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable.

• Maximum original message text in bounces — Specifies the maximum amount of original message text (in bytes) that is sent in a non-delivery notification.

• Deliver mail to local users — Disable this option to prevent delivery to local users. The postmaster (admin) account will not be affected by this setting.

The following new options have been added to the Delivery Settings (Advanced) screen.

• Multiple Recipient Reject Mode — Indicates the reject handling of messages with multiple recipients, such as reject if all recipients reject a message, or if only one recipient rejects a message. This option only applies to features with reject actions such as Malformed and Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus, and Intercept Anti-Spam features, including those used within a policy.


• Send EHLO — Always send EHLO when communicating with another server, even if their banner does not include ESMTP. Disable this option if you are experiencing communications problems with specific SMTP servers.

• Received Header Setting — The Received Header is the mail server information displayed in the Received: mail header of a message. The default is "St. Bernard ePrism Email Security Appliance", but this can be modified to a more generic identifier to prevent attackers from knowing the mail server details.

Configurable Mail Routing SMTP Port

The SMTP port in Mail Delivery ➝ Routing ➝ Mail Routing can now be configured to ports other than 25 for special cases where mail delivery on another port is required.


ePrism Overview

ePrism is a dedicated Mail Firewall designed for deployment between internal mail servers and the Internet. ePrism supports the standard mail protocols for processing e-mail messages while offering a secure method for their processing and delivery. ePrism has been designed specifically to resist operating system attacks and protect mail servers from direct SMTP and HTTP connections.

Firewall-Level Network and System Security

ePrism delivers the most complete security available for e-mail systems. ePrism runs on S-Core™, a customized and hardened Unix operating system. S-Core does not allow uncontrolled access to the system. There is no command line access and the system runs as a "closed" system, preventing accidental or deliberate misconfiguration by administrators, which is a common cause of security vulnerabilities.

ePrism Deployment

ePrism is generally configured to accept all mail for a domain or sub-domain, store and process mail according to specified security policies, and deliver the mail to one or more internal mail servers for collection by users. ePrism is ideally suited for deployment in parallel with an existing firewall, on a DMZ, or on an internal network.

See “ePrism Deployment” on page 25 for more detailed information on deploying ePrism.


Mail Delivery Security

ePrism has a sophisticated mail delivery system with several security features and benefits to ensure that the identifying information about your company’s e-mail infrastructure remains private.

• For a company with multiple domain names, ePrism can accept, process and deliver mail to private e-mail servers.

• For a company with multiple private e-mail servers, ePrism can route mail based on the domain or subdomain to separate groups of e-mail users.

• Security features such as mail mappings and address masquerading make it possible to hide references to internal host names.

Content Scanning and Filtering

ePrism implements attachment controls, attachment content scanning, and content filtering based on pattern and text matching. These controls prevent the following issues:

• Breaches of confidentiality
• Legal liability from offensive content
• Personal abuse of company resources
• Compliancy policies

Attachment controls are based on the following characteristics:

• File Extension Suffix — The suffix of the file is checked to determine the attachment type, such as .exe, or .jpg.

• MIME Content Type — MIME (Multipurpose Internet Mail Extensions) can be used to identify the content type of the message.

• Content Analysis — The file is analyzed from the beginning to look for characteristics that can identify the file type. This analysis ensures that the attachment controls are not circumvented by simply renaming a file.

• Deep Content Scanning — Attachments such as PDFs or Microsoft Word documents can be analyzed for words or phrases that match a pattern filter or compliancy dictionary.
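As an added illustration of the three attachment-control characteristics listed above (example code written for this edit, not ePrism’s implementation), the following Python check classifies an attachment by file suffix, declared MIME content type and leading-byte content analysis, and shows why content analysis catches an executable renamed to .jpg that the suffix and MIME type alone would pass. The signature table uses well-known public magic numbers; the MIME map, the blocked-type policy and the sample attachments are constructed assumptions.

```python
"""Attachment control check based on suffix, declared MIME type and content analysis.
Added example, not ePrism code. The policy table and samples are constructed."""

from dataclasses import dataclass
from typing import Optional

# Leading-byte signatures for a few common attachment types (public magic numbers).
SIGNATURES = {
    b"MZ": "exe",                                  # DOS/Windows executable (PE files start with an MZ stub)
    b"\x7fELF": "elf",                             # Unix executable
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                          # also the container for Office OOXML (.docx, .xlsx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # legacy OLE2 Office documents
}

# Declared MIME content type -> the file type it claims to carry (constructed map).
MIME_TYPES = {
    "application/pdf": "pdf",
    "image/jpeg": "jpg",
    "image/png": "png",
    "application/zip": "zip",
    "application/msword": "doc",
    "application/x-msdownload": "exe",
    "application/octet-stream": None,   # says nothing about the content
}

# Constructed policy: types blocked for the general user population.
BLOCKED_TYPES = {"exe", "elf"}

# Suffixes that legitimately carry a zip signature (OOXML containers).
ZIP_BASED_SUFFIXES = {"docx", "xlsx", "pptx", "zip"}


@dataclass
class Verdict:
    by_extension: Optional[str]
    by_mime: Optional[str]
    by_content: Optional[str]
    action: str      # "allow" or "block"
    reason: str


def type_from_extension(filename: str) -> Optional[str]:
    """File Extension Suffix check: the part after the last dot, lower-cased."""
    if "." not in filename:
        return None
    return filename.rsplit(".", 1)[1].lower() or None


def type_from_content(data: bytes) -> Optional[str]:
    """Content Analysis: match the leading bytes against the known signatures.
    Longest signature is tried first so a short prefix cannot shadow a longer one."""
    for magic, ftype in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return ftype
    return None


def check_attachment(filename: str, mime_type: str, data: bytes) -> Verdict:
    """Combine the three checks. Content analysis is authoritative because a renamed
    file keeps its real signature; the declared MIME type and then the suffix are
    only consulted when the leading bytes match nothing we know."""
    ext = type_from_extension(filename)
    mime = MIME_TYPES.get(mime_type.lower())
    content = type_from_content(data)
    effective = content or mime or ext
    if effective in BLOCKED_TYPES:
        how = "content analysis" if content else ("MIME type" if mime else "extension")
        return Verdict(ext, mime, content, "block", f"{effective} detected by {how}")
    if content and ext and content != ext and not (content == "zip" and ext in ZIP_BASED_SUFFIXES):
        # Not a blocked type, but the label disagrees with the bytes: worth logging.
        return Verdict(ext, mime, content, "allow", f"suffix .{ext} does not match content {content}")
    return Verdict(ext, mime, content, "allow", "no blocked type detected")


# Constructed sample attachments (only the first bytes matter for the signature check).
SAMPLES = {
    "renamed": ("report.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),
    "honest_pdf": ("invoice.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    "mime_only": ("setup", "application/x-msdownload", b"\x00" * 16),
}

if __name__ == "__main__":
    for label, (name, mime, data) in SAMPLES.items():
        v = check_attachment(name, mime, data)
        print(f"{label:<11} {name:<12} -> {v.action:<5} ({v.reason})")
```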

Virus Scanning

The ePrism Email Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and malicious programs. ePrism’s high performance virus scanning provides a vital layer of protection against viruses for your entire organization. Automatic pattern file updates ensure that the latest viruses are detected.


Malformed Message Protection

Similar to malformed data packets used to subvert networks, malformed messages allow viruses and other attacks to avoid detection, crash systems, and lock up mail servers. ePrism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients and improves the effectiveness of existing virus scanning implementations.

Intercept Anti-Spam

The ePrism Email Security Appliance provides a complete and robust set of anti-spam features specifically designed to protect against the full spectrum of current and evolving spam threats. ePrism’s Intercept Anti-Spam engine can combine the results of several Anti-Spam features to provide a better informed decision on whether a message is spam or legitimate mail. These features include:

• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the client address or header parameters such as HELO or Envelope-From and Envelope-To.

• Pattern Based Message Filtering (PBMF) — Filter messages based upon matches in the envelope/header/body of a message.

• Spam Dictionaries — Filters messages based on a dictionary of typical spam words and phrases that are matched against a message.

• IP Reputation (IPR) — The IP Reputation feature can check various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields. Checks for recent spam and viruses from a specific IP address can also be enabled which is used in conjunction with the Threat Prevention feature.

• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts that are blacklisted. Messages can also be rejected immediately regardless of the results of other Anti-Spam processing if the client is blacklisted on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger to consider the sender as blacklisted.

• Bulk Analysis — Detects bulk mail (spam) by checking mail sent to a large number of users.

• Token Analysis — Detects spam based on advanced content analysis using databases of known spam and valid mail.

• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS records to identify the source of a message.

• DomainKeys — Performs a check of a sending host’s DomainKeys DNS records to identify the source of a message.
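The DNS Block List threshold described in the list above, as an added example (not ePrism code): the client address is reversed under each list’s zone, an answer inside 127.0.0.0/8 counts as a listing, and the sender is treated as blacklisted only when the number of lists that trigger reaches the configured threshold. The zone names and the offline resolver table are constructed assumptions standing in for real DNS answers.

```python
"""DNSBL lookup with a configurable trigger threshold. Added example, not ePrism code.
Zone names and the FAKE_DNS table are constructed so the code runs offline."""

import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed zone names (.test is a reserved TLD); a real deployment configures its own lists.
DNSBL_ZONES = ["bl.example-one.test", "bl.example-two.test", "bl.example-three.test"]

# A resolver returns the A record for a name, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list's zone.
    192.0.2.44 checked against zone.test becomes 44.2.0.192.zone.test."""
    addr = ipaddress.IPv4Address(client_ip)   # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_hits(client_ip: str, zones: List[str], resolve: Resolver) -> List[str]:
    """Return the zones in which the client IP is listed. A listing is an A record
    inside 127.0.0.0/8; any other answer is ignored rather than counted, which
    protects against a wildcarded or expired zone that answers for every name."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits.append(zone)
    return hits


def is_blacklisted(client_ip: str, zones: List[str], resolve: Resolver, threshold: int) -> bool:
    """Threshold vote: blacklisted only if at least `threshold` lists trigger.
    A threshold of 1 reproduces 'any single list rejects'."""
    return len(dnsbl_hits(client_ip, zones, resolve)) >= threshold


# Constructed offline resolver table (RFC 5737 documentation addresses as clients).
FAKE_DNS: Dict[str, str] = {
    "44.2.0.192.bl.example-one.test": "127.0.0.2",      # 192.0.2.44 listed on two lists
    "44.2.0.192.bl.example-two.test": "127.0.0.3",
    "7.2.0.192.bl.example-three.test": "127.0.0.2",     # 192.0.2.7 listed on one list only
    "9.113.0.203.bl.example-two.test": "198.51.100.1",  # broken zone answering with a public address
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.7", "203.0.113.9"):
        hits = dnsbl_hits(ip, DNSBL_ZONES, fake_resolve)
        print(f"{ip:<12} hits={len(hits)} blacklisted@2={is_blacklisted(ip, DNSBL_ZONES, fake_resolve, 2)}")
```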


Trusted Senders List

This feature, accessed via WebMail/ePrism Mail Client, allows users to create their own personal Trusted Senders List based on a sender’s e-mail address. These e-mail addresses will be exempt from ePrism’s spam controls allowing users to whitelist legitimate senders.

Spam Quarantine

The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user. Users will be able to connect to ePrism either directly or through a summary e-mail to view and manage their own quarantined spam. Messages can be deleted, or moved to the user’s local mail folders. Automatic notification e-mails can be sent to end users notifying them of the existence of messages in their personal quarantine area.

Secure WebMail

ePrism’s Secure WebMail provides remote access support to internal mail servers. With Secure WebMail, users can access their mailboxes using e-mail web clients such as Outlook® Web Access, Lotus iNotes, or ePrism’s own web mail client, the ePrism Mail Client. ePrism addresses the security issues currently preventing deployment of web mail services by providing the following protection:

• Strong authentication (including integration with Active Directory)
• Encrypted sessions
• Advanced session control to prevent information leaks on workstations

Authentication

ePrism supports the following authentication methods for administrators, WebMail users, Trusted Senders List, and Spam Quarantine purposes:

• User ID and Password
• RADIUS and LDAP
• RSA SecurID® tokens
• SafeWord tokens
• CRYPTOCard tokens


Message and Delivery Encryption

ePrism provides integration with external encryption servers to provide e-mail encryption and decryption functionality. E-mail encryption allows individual messages to be encrypted by a separate encryption server before being delivered to its destination by ePrism. Incoming encrypted messages can also be sent to the encryption server to be decrypted before ePrism accepts the message and delivers it to the intended recipient.

This integration allows organizations to ensure that encrypted messages are still processed by ePrism for security issues such as viruses, malformed mail, and content filtering and scanning.

Mail Delivery Encryption

All mail delivered to and from ePrism can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, or internal mail clients. Encrypted messages are delivered with complete confidentiality both locally and remotely.

Encryption can be used for the following:

• Secure mail delivery on the Internet to prevent anyone from viewing e-mail while in transit.
• Secure mail delivery across a LAN to prevent malicious users from viewing e-mail other than their own.
• Create policies for secure mail delivery to branch offices, remote users and business partners.
• ePrism supports TLS/SSL encryption for all user and administrative sessions.
• TLS/SSL is used to encrypt SMTP sessions, effectively preventing eavesdropping and interception.

Local User Mailboxes

ePrism can host user mailboxes and act as a fully functioning mail server for small offices. ePrism fully supports POP3 and IMAP (including their secure versions) and SMTP protocols for retrieving and sending mail.

HALO (High Availability and Load Optimization)

ePrism provides enterprises with a fail-safe clustering architecture for high availability. HALO ensures e-mail is never lost due to individual system failure through its unique security, cluster management, load balancing and optimization, and "stateful failover" queue replication capabilities.

All systems can be clustered together to add capacity and throughput, or to provide load balancing and optional high availability.


Cluster Management

The cluster management feature allows administrators to manage ePrism clusters and to synchronize configuration settings across all systems in the cluster. Combined reports and e-mail database searches may be derived from clustered systems. Specific features include:

• Configuration Replication — This function allows systems to be added to clusters and to assume the configuration of a defined "master" Cluster Console system.

• Cluster Synchronization — Systems within a cluster can be synchronized to the defined "master" system. Any changes to the configuration of the Cluster Console master are reflected in the configuration of all systems in the cluster.

• Cluster Reporting — ePrism reports can be generated for a single system or for all systems in a cluster. The e-mail database can be searched by system or by cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message.

Load Balancing and Optimization

A basic requirement of high availability is to have an automated or semi-automated mechanism for switching the mail stream between available systems in the cluster, depending on their individual availability or health.

Utilizing DNS round-robin techniques or dedicated load balancing hardware, e-mail can be directed to ePrism systems in a cluster depending on their availability and current load.

Queue Replication

To prevent the loss of e-mail messages during a system failure, ePrism has created a unique solution with "stateful failover" queue replication technology that replicates queues and intelligently synchronizes messages to a defined mirror system within a cluster. If a system in a cluster should fail and there exists undelivered mail in its queue, a mirror system can take ownership of that queue’s messages and successfully process and deliver them. This ensures that no e-mail messages are ever lost.

Policy Controls

Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control to be customized and applied based on the group membership, domain membership, or e-mail address of the recipient. User groups can be imported from an LDAP-based directory, and then policies can be created to apply customized settings to these groups.

For example, you can set up an Attachment Control Policy to allow your Development group to accept and send executable files (.exe), while configuring your attachment control settings for all your other departments to block this file type to prevent the spread of viruses among the general users.


Directory Service Support

ePrism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:

• LDAP lookup prior to internal delivery — ePrism can check for the existence of an internal user via LDAP before delivering a message. This feature allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages for non-existent local addresses. This check can be performed directly to an LDAP server or to a cached directory stored locally on ePrism.

• Group/User Imports — An LDAP lookup will determine the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on ePrism to be used for services such as the Spam Quarantine.

• Authentication — LDAP can be used for authenticating IMAP access, user mailbox, and WebMail logins.

• SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP Relay.

• Mail Routing — LDAP can be used to look up Mail Routes for a domain to deliver mail to its destination server.

Manageability

ePrism provides a complete range of monitoring and diagnostics tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, while comprehensive logs record all mail activity.

• Web Browser-based Management — The web browser management interface displays a live view of system activity and traffic flows. The management interface can be configured to display this information for one or many systems, including systems in a local cluster or systems that are being centrally managed.

• Reporting and Auditing — The reporting and audit features deliver a comprehensive set of statistics that may be generated at any time or scheduled for automatic delivery. ePrism includes a wide range of predefined reports, including information on system health, mail processing, spam, virus filtering statistics, and user mail volumes. Administrators can easily create customized reports.

• Enterprise integration with SNMP — Using SNMP (Simple Network Management Protocol), ePrism can generate both information and traps to be used by tools like HP OpenView, Tivoli, BMC Patrol and CA Unicenter. This extends the administrator’s view of ePrism and allows an instant view of significant system events, including traffic flows and system failures.

• Alarms — ePrism can generate system alarms that can automatically notify the administrator via e-mail and console alerts of a system condition that requires attention.

Security Connection

The Security Connection provides an automated software update service. By enabling the Security Connection, you are automatically notified of any new patches and updates for the ePrism software. St. Bernard continuously monitors for new vulnerabilities and issues new updates to defend against them, ensuring that you have them as soon as they are available.

Internationalization

ePrism supports internationalization for annotations, notification messages, and mail database views. For example, if a message is sent to someone who is on vacation and the message uses the character set ISO-2022-JP (Japanese), the vacation notification sent back uses the same character set. The mail history database can also be viewed using international character sets.

ePrism Deployment

ePrism is designed to be situated between mail servers and the Internet so that there are no direct SMTP (Simple Mail Transfer Protocol) connections between external and internal servers.

ePrism is typically installed in one of three locations:

• In parallel with the firewall
• On your DMZ (Demilitarized Zone)
• Behind the existing firewall on the Internal network

SMTP TCP port 25 traffic is redirected from either the external interface of the firewall or from the external router to ePrism. When the mail is accepted and processed, ePrism initiates an SMTP connection to the internal mail server to deliver the mail.

ePrism in Parallel with the Firewall

The preferred deployment strategy for ePrism is to be situated in parallel with the existing network firewall. ePrism’s built-in firewall architecture is intended to address the risk of deploying an appliance on the network perimeter. This parallel deployment removes mail traffic from the firewall and decreases its overall load.

ePrism on the DMZ

Deploying ePrism on the DMZ is an equally secure deployment option. This type of deployment prevents any direct connection from the Internet to the internal servers, but does not ease the existing load on the firewall.

ePrism on the Internal Network

ePrism can also be deployed on the Internal Network. Although this configuration allows a direct connection from the Internet into the internal network, it is a perfectly legitimate configuration when dictated by existing network resources.

How Messages are Processed by ePrism

The following sections describe the sequence in which the various ePrism security features are applied to inbound and outbound mail messages and how these settings affect their delivery.

Trusted Mail

ePrism only processes mail through the spam filters when a message originates from an "untrusted" source. Trusted sources bypass the spam controls. By default, mail that arrives on a particular network interface from the same subnet is "trusted".

There are two ways to control how sources of mail are identified and trusted:

1. The network interface the mail arrives on
2. A specified IP address (or address block), or server or domain name

See “Trusted and Untrusted Mail Sources” on page 126 for information on configuring trusted and untrusted sources.

Inbound and Outbound Scanning

For features that scan both inbound and outbound mail, the following rules apply:

• Mail from trusted source to local recipient — Inbound
• Mail from trusted source to non-local recipient — Outbound
• Mail from untrusted source to local recipient — Inbound
• Mail from untrusted source to non-local recipient — Inbound

SMTP Connection

An SMTP connection request is made from another system. ePrism accepts the connection request unless one of the following checks (if enabled) is triggered:

• Reject on Threat Prevention — Rejects mail when the client is rejected by the Threat Prevention feature.

• Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP commands ahead of time without knowing that the mail server actually supports SMTP command pipelining. This stops messages from bulk mail software that use SMTP command pipelining improperly to speed up deliveries.

• Reject on expired ePrism license — Rejects mail if the ePrism license has expired.

• Specific Access Pattern (Reject) — Rejects mail on specific access patterns for the HELO, Envelope-TO, Envelope-From, and Client IP fields.

• Reject on DNS Block list — Rejects mail if the sender is on a DNSBL and ePrism is set to reject on DNSBL.

• Reject on BSN (Reputation, Infected, Dial-up) — Rejects mail based on statistics provided by the BorderWare Security Network.

At this point, any trusted or local networks skip any further "Reject" checks.

• Reject on unknown sender domain — Rejects mail when the sender mail address has no DNS A or MX record.

• Reject on missing reverse DNS — Rejects mail from hosts where the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. This setting is rarely used because many servers on the Internet do not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate sources.

• Reject on missing sender MX — Rejects mail when the sender’s mail address is missing a DNS MX record.

• Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM command is not in fully-qualified domain form (FQDN).

• Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. The system will perform an LDAP lookup on the recipient’s address to ensure they exist before delivering the message.
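The trust rule, the inbound/outbound rules and the DNS-based reject checks described above, as an added Python example (the editor's illustration, not ePrism's code). The DNS records, the local recipient directory that stands in for the LDAP lookup, the policy dictionary and the client addresses are all constructed for the example; the Threat Prevention, pipelining, license, SAP and BSN checks are not modelled. The reverse DNS check shows the detail practitioners most often get wrong: the PTR name must resolve back to the connecting address, not merely exist.

```python
import ipaddress
import re

# Constructed DNS view standing in for a live resolver: the PTR, A and MX
# records consulted by the reject checks below. Names and addresses are made up.
DNS = {
    "ptr": {"203.0.113.10": "mx1.example.net", "203.0.113.20": "bad.example.org"},
    "a": {
        "mx1.example.net": "203.0.113.10",
        "bad.example.org": "198.51.100.9",    # PTR name that does not resolve back: FCrDNS fails
        "example.net": "203.0.113.10",
        "onlya.example.net": "203.0.113.30",  # A record but no MX record
        "intranet": "10.0.0.5",               # resolvable but not fully qualified
    },
    "mx": {"example.net": ["mx1.example.net"], "intranet": ["intranet"]},
}

# Constructed stand-in for the LDAP recipient lookup: the domains ePrism accepts
# mail for and the addresses that exist in the directory.
LOCAL_DOMAINS = {"example.com"}
LOCAL_RECIPIENTS = {"alice@example.com", "postmaster@example.com"}

# Dotted name with at least two labels whose last label starts with a letter.
FQDN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z][a-z0-9-]{1,62}")


def is_trusted(client_ip, interface_subnet, trusted_networks=()):
    """Default rule: a client on the subnet of the interface it arrived on is
    trusted; explicitly configured networks (CIDR strings) are trusted as well."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(interface_subnet)]
    nets += [ipaddress.ip_network(n) for n in trusted_networks]
    return any(ip in net for net in nets)


def scan_direction(trusted, recipient):
    """The four direction rules: only trusted-source mail to a non-local
    recipient is outbound; every other combination is inbound."""
    local = recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    return "outbound" if trusted and not local else "inbound"


def reverse_dns_ok(client_ip, dns=DNS):
    """Forward-confirmed reverse DNS: the PTR must exist and the name it
    returns must have an A record pointing back at the client address."""
    name = dns["ptr"].get(client_ip)
    return name is not None and dns["a"].get(name) == client_ip


def sender_domain(mail_from):
    return mail_from.rsplit("@", 1)[-1].lower() if "@" in mail_from else ""


def is_fqdn(domain):
    return FQDN_RE.fullmatch(domain) is not None


def check_connection(client_ip, mail_from, rcpt_to, interface_subnet, policy,
                     dns=DNS, dnsbl=frozenset()):
    """Apply the enabled reject checks in the documented order and return
    'accept' or the name of the first check that fires."""
    # Checks applied to every client, before the trust gate.
    if policy.get("reject_on_dnsbl") and client_ip in dnsbl:
        return "reject: dns block list"
    # Trusted and local networks skip all remaining reject checks.
    if is_trusted(client_ip, interface_subnet, policy.get("trusted_networks", ())):
        return "accept"
    domain = sender_domain(mail_from)
    if policy.get("reject_unknown_sender_domain") and not (domain in dns["a"] or domain in dns["mx"]):
        return "reject: unknown sender domain"
    if policy.get("reject_missing_reverse_dns") and not reverse_dns_ok(client_ip, dns):
        return "reject: missing reverse dns"
    if policy.get("reject_missing_sender_mx") and domain not in dns["mx"]:
        return "reject: missing sender mx"
    if policy.get("reject_non_fqdn_sender") and not is_fqdn(domain):
        return "reject: non-fqdn sender"
    rcpt = rcpt_to.lower()
    if (policy.get("reject_unknown_recipient")
            and rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS and rcpt not in LOCAL_RECIPIENTS):
        return "reject: unknown recipient"
    return "accept"


# Constructed policy with every modelled check enabled and one extra trusted network.
STRICT = {
    "reject_on_dnsbl": True,
    "reject_unknown_sender_domain": True,
    "reject_missing_reverse_dns": True,
    "reject_missing_sender_mx": True,
    "reject_non_fqdn_sender": True,
    "reject_unknown_recipient": True,
    "trusted_networks": ["10.20.0.0/16"],
}

if __name__ == "__main__":
    for ip, sender, rcpt in [
        ("192.168.1.50", "bob@example.com", "eve@elsewhere.example"),  # internal subnet: trusted
        ("203.0.113.10", "user@example.net", "alice@example.com"),
        ("203.0.113.20", "user@example.net", "alice@example.com"),
        ("203.0.113.10", "user@nowhere.invalid", "alice@example.com"),
        ("203.0.113.10", "user@example.net", "nobody@example.com"),
    ]:
        print(ip, sender, rcpt, "->", check_connection(ip, sender, rcpt, "192.168.1.0/24", STRICT))
```

Note that the "missing reverse DNS" check fires for 203.0.113.20 even though it has a PTR record, because the name in that record resolves elsewhere; the text's warning about legitimate senders without valid reverse DNS applies to this stricter form as well.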

Mail Header and Message Properties

The connection is now accepted. The message will be accepted for processing unless one of the following occurs:

• Reject on missing addresses — Rejects mail when the message headers specify no recipient in the To: field or no sender in the From: field.

• Maximum number of recipients — Rejects mail if the number of recipients exceeds the specified maximum (default = 1000).

• Maximum message size — Rejects mail if the message size exceeds the maximum.

Malformed Content, Virus Checking, and Attachment Control

Messages are scanned for malformed and very malformed messages, viruses, and specific attachments. If there is a problem, ePrism can be configured with a variety of actions, such as sending the message to a Quarantine folder.

OCF (Objectionable Content Filter)

Messages are scanned for objectionable content and a configurable action is taken.

Pattern Based Message Filters and Specific Access Patterns

The messages are scanned to see if they match any existing Pattern Based Message Filters (PBMF), or Specific Access Patterns (SAP) set to Trust or Allow Relaying.

Attachment Content Scanning

Deep scanning is performed on attachments for blocked words and phrases.

Anti-Spam Processing

If the message arrives from an "untrusted" source, it will be processed for spam as follows:

• Sender Policy Framework (SPF)
• DomainKeys
• Bulk Analysis
• DNS Block List (DNSBL)
• IP Reputation
• Spam Dictionaries
• BorderWare Security Network (BSN) Reputation
• BorderWare Security Network (BSN) Dial-up
• Token Analysis

Mail Mappings

The message is now accepted for processing and the following occurs:

• If the recipient address is not for a domain or sub-domain for which ePrism is configured to accept mail (either as an inbound mail route or a virtual domain) then the message is rejected.

• If the recipient address is mapped in the Mail Mappings table, then the "To" field in the message header will be modified as required.

Virtual Mappings

The message is now examined for a match in the Virtual Mapping table. If a mapping is found, the envelope recipient address is rewritten as required. LDAP virtual mappings are then processed. Virtual mappings are useful for the following:

• Acting as a wildcard mail mapping, such as any user for example.com goes to exchange.example.com. You can create exceptions to this rule in the mail mappings for particular users.

• ISPs that accept mail for several domains and need the envelope recipient address rewritten for further delivery.

• To deliver to internal servers, use Mail Delivery ➝ Routing ➝ Mail Routing.

Note: In all cases, mappings rely on successful DNS lookups for an MX record.

Relocated Users

When mail is sent to an address that is listed in the relocated user table, the message is bounced back with a message informing the sender of the relocated user’s new contact information.

Mail Aliases

When mail needs to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. An alias causes a new mail message to be created for the named address or addresses. This message is then entered back into the system to be mapped, routed, and so on. The same process applies to local user accounts for which a "forwarder address" has been configured; such accounts are treated like aliases.

Local aliases are typically used to implement distribution lists or to direct mail for standard aliases such as mail to the "postmaster" account. LDAP aliases are then processed. LDAP functionality can be used to search for mail aliases on directory services such as Active Directory.

Mail Routing

During the mail routing process, there is no modification made to the mail header or the envelope. A mail route specifies two things:

• Which domains ePrism will accept mail for (other than itself).
• Which hosts the mail should be delivered to.

The message is now delivered to its destination.

See “Message Processing Order” on page 331 for a summary of the message processing order.
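The processing order from Mail Mappings through Mail Routing, as an added Python example rather than ePrism's own implementation. The mapping, relocated-user, alias and route tables are constructed for the example; the alias loop guard and the point at which the relocated-user table is consulted are assumptions, marked in the code. Alias targets re-enter the pipeline, as the text describes, so an alias that points into a virtually mapped domain is mapped and routed like any other recipient.

```python
# Constructed configuration tables standing in for the ePrism screens of the
# same names; every address, host and port below is made up for the example.
MAIL_MAPPINGS = {"sales@example.com": "sales-team@exchange.example.com"}   # exact address
VIRTUAL_MAPPINGS = {"example.com": "exchange.example.com"}                 # whole domain
RELOCATED_USERS = {"carol@example.com": "carol@new-employer.example"}
ALIASES = {
    "helpdesk@exchange.example.com": ["postmaster@exchange.example.com"],  # alias of an alias
    "postmaster@exchange.example.com": ["alice@exchange.example.com", "bob@exchange.example.com"],
    "loop-a@exchange.example.com": ["loop-b@exchange.example.com"],        # deliberate loop
    "loop-b@exchange.example.com": ["loop-a@exchange.example.com"],
}
MAIL_ROUTES = [  # (domain, Sub flag, Route-to host, port), as on the Mail Routing screen
    ("exchange.example.com", False, "10.10.1.1", 25),
    ("example.com", True, "10.10.1.2", 2525),
]


def split_address(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def apply_mappings(addr):
    """Mail mapping first (exact address, rewrites the header To: field), then
    virtual mapping (every user of a domain, rewrites the envelope recipient).
    A matching mail mapping is the documented exception to the wildcard."""
    if addr in MAIL_MAPPINGS:
        return MAIL_MAPPINGS[addr]
    local, domain = split_address(addr)
    if domain in VIRTUAL_MAPPINGS:
        return f"{local}@{VIRTUAL_MAPPINGS[domain]}"
    return addr


def find_route(domain):
    """Longest-suffix route lookup; the Sub flag extends a route to subdomains.
    Returns None for a domain ePrism is not configured to accept mail for."""
    best = None
    for route_domain, subdomains_too, host, port in MAIL_ROUTES:
        hit = domain == route_domain or (subdomains_too and domain.endswith("." + route_domain))
        if hit and (best is None or len(route_domain) > len(best[0])):
            best = (route_domain, host, port)
    return None if best is None else (best[1], best[2])


def dispose(recipient, _seen=None):
    """Run one envelope recipient through the processing order and return
    ("deliver", [(final address, host, port), ...]), ("bounce", new address)
    for a relocated user, or ("reject", domain) when no route accepts it."""
    seen = set() if _seen is None else _seen
    original = recipient.lower()
    if original in seen:            # alias loop guard: assumed behaviour, not documented
        return ("deliver", [])
    seen.add(original)
    addr = apply_mappings(original)
    # Assumption: relocated users are matched on the address as received and as rewritten.
    new_contact = RELOCATED_USERS.get(original) or RELOCATED_USERS.get(addr)
    if new_contact:
        return ("bounce", new_contact)
    if addr in ALIASES:             # each expansion re-enters the pipeline
        deliveries = []
        for target in ALIASES[addr]:
            result = dispose(target, seen)
            if result[0] != "deliver":
                return result
            deliveries.extend(result[1])
        return ("deliver", deliveries)
    route = find_route(split_address(addr)[1])
    if route is None:
        return ("reject", split_address(addr)[1])
    return ("deliver", [(addr, route[0], route[1])])


if __name__ == "__main__":
    for rcpt in ["sales@example.com", "helpdesk@example.com", "carol@example.com",
                 "dave@sub.example.com", "eve@other.example", "loop-a@exchange.example.com"]:
        print(rcpt, "->", dispose(rcpt))
```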

CHAPTER 2 Administering ePrism

This chapter describes how to administer and configure basic settings for the ePrism Email Security Appliance, and contains the following topics:

• “Connecting to ePrism” on page 32
• “Configuring the Admin User” on page 36
• “Web Server Options” on page 39
• “Customizing the ePrism Interface” on page 40

Connecting to ePrism

To administer ePrism using the web browser administrative interface, launch a web browser on your computer and enter the IP address or hostname for ePrism as the URL in the location bar.

Note: Your system must be listed in your DNS server to be able to connect via the hostname.

Supported web browsers:

• Microsoft Internet Explorer 6 and greater
• Firefox 1.0 and greater
• Mozilla 1.0 and greater
• Netscape 6.0 and greater
• Safari 1.0 and greater

The login screen will then appear. Enter your admin ID and password.

When logged in, the main ePrism Email Security Appliance Activity screen and main menu will appear.

Navigating the Main Menu

The main menu consists of the following main categories:

Activity — The Activity screen provides you with a variety of information on mail processing activity, such as the number of messages in the mail queue, the number of different types of messages received and sent, and current message activity. If you are running a HALO cluster, you will also have a Cluster Activity option that will show you the activity statistics for the entire cluster.

Basic Config — The Basic Config menu allows you to configure some of the basic settings for ePrism including:

• Admin Account
• Alarms
• Customization
• Directory Services (LDAP)
• Network
• Performance
• Static Routes
• SNMP Configuration
• Web Server Configuration

Mail Delivery — The Mail Delivery menu allows you to configure the features that affect mail delivery, including all mail security and anti-spam settings. It includes the following features:

• Anti-Spam (Intercept)
• Anti-Virus
• Content Management
• Mail Access
• Threat Prevention
• Policy
• SMTP Security
• Encryption
• Delivery Settings
• Routing

User Accounts — The User Accounts menu allows you to create local accounts on ePrism and enable POP and IMAP access. Management of mirrored user accounts created by LDAP, Remote Authentication, and Secure WebMail/ePrism Mail Client is also configured here. It includes the following features:

• Local Accounts
• Mirrored Accounts (only displayed if mirrored accounts exist)
• Relocated Users
• Vacations
• POP3 and IMAP
• Secure WebMail
• Remote Authentication
• SecurID Configuration

HALO — The HALO (High Availability and Load Optimization) menu is used to configure and manage clustered ePrism systems, and includes the following features:

• Cluster Administration
• Queue Replication
• F5 Integration

Status/Reporting — The Status/Reporting menu allows you to view the current status of system services, manage your mail queue and the quarantine area, and review reports and logs. The menu includes the following features:

• Status & Utility
• Mail Queue
• Quarantine
• Reporting
• System Logs
• Problem Reporting
• Threat Prevention Status

Management — The Management menu contains options for various ePrism system administration tasks such as backup and restore, license management, and software updates. The menu includes the following features:

• Backup & Restore
• Centralized Management
• License Management
• Reboot & Shutdown
• Software Updates
• Security Connection
• SSL Certificates

ePrism System Console

You can access the ePrism system console by connecting a monitor and keyboard to ePrism. The system console provides a limited subset of administrative tasks and is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the web browser administration interface. When accessing the system console, you will be prompted for the UserID and Password for the administrative user.

See “Using the ePrism System Console” on page 325 for more detailed information on using the system console.

Configuring the Admin User

The primary admin account is created during the ePrism installation. Select Basic Config ➝ Admin Account from the menu to modify the password or strong authentication methods for the admin user.

Note: It is recommended that you create additional admin users and use those accounts to manage ePrism instead of the primary admin account. The primary admin account password should then be written down and stored in a safe and secure place.

Strong Authentication

You can also configure strong authentication for the admin user. These methods of authentication require a hardware token that provides a response to the login challenge.

You can choose between the following types of secure authentication tokens:

• CRYPTOCard

• SafeWord

• SecurID

Once selected, a configuration wizard will guide you through the steps to configure the token for the specified authentication method.

See “Strong Authentication” on page 176 for more information on strong authentication methods.

Adding Additional Administrative Users

There is only one primary admin user account, but additional administrative users can be added using Tiered Administration. This allows you to configure another user with Full Admin rights, or with granular permissions that only give admin rights to certain ePrism options. For example, you may want to add a user who can administer reports or vacation notifications, but not have any other administrative access.

Granting full or partial admin access to one or more user accounts allows actions performed by administrators to be logged because they have an identifiable UserID that can be tracked by the system.

Note: A user with Full Admin privileges cannot modify the profile of the default Admin user. They can, however, edit other users with Full Admin privileges.

Add an administrative user as follows:

1. From the Basic Config ➝ Admin Account screen, click the Add Admin User button.

2. Enter a User ID, an optional e-mail address to forward mail to, and a password. You can also set strong authentication methods, if required.

3. At the bottom of the Add a New User screen is a section for Administrator Privileges.

4. Select the required administrative access for the user:

• Full Admin — The user has administrative privileges equivalent to the admin user.

• Administer Aliases — The user can add, edit, remove, upload and download aliases (not including LDAP aliases).

• Administer Filter Patterns — The user can add, edit, remove, upload and download Pattern Based Message Filters and Specific Access Patterns.

• Administer Mail Queue — The user can administer mail queues.

• Administer Quarantine — The user can view, delete, and release quarantined files.

• Administer Reports — The user can view, configure and generate reports, and view system activity.

• Administer Users — The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.

• Administer Vacations — The user can edit local users’ vacation notification settings and other global vacation parameters.

• Mail History — The user can view the e-mail database history.

• View Activity — The user can view the Activity page and start and stop mail services. Individual e-mails can only be viewed if Mail History is also enabled.

• View System Logs — The user can view all system log files.

See “Tiered Administration” on page 185 for more information on configuring admin access.

Note: Admin Login and WebMail access must be enabled on the network interface that will be used by tiered administration users. This is set in the Basic Config ➝ Network screen.

Web Server Options

The Web Server Options screen defines the settings used for connecting to ePrism via the web browser administrative interface. By default, ePrism’s web server uses port 80 for HTTP requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it is recommended that you leave the default SSL encryption enabled to force a connecting web browser to use HTTPS.

Select Basic Config ➝ Web Server on the menu to configure your web server settings.

• Admin HTTP Port — Indicates the default port 80 for HTTP requests.

• Admin HTTPS Port — Indicates the default port 443 for HTTPS requests.

• Require SSL encryption — Requires SSL encryption for all user and administrator web sessions.

• Allow low-grade encryption — Allows the use of low-grade encryption, such as DES ciphers (a 64-bit key of which only 56 bits are effective), for encrypted user and administrator web sessions. Leave this disabled unless a legacy client cannot connect without it.

• Enable SSL version 2 — Enables the SSL version 2 protocol. Note that SSL version 2 contains known security issues and should remain disabled.

• Enable SSL version 3 — Enables the SSL version 3 protocol. This is the default setting. SSL version 3 has since been shown to be insecure as well (the POODLE attack); disable it once all connecting browsers support TLS.

• Enable TLS version 1 — Enables the TLS version 1 protocol. This is the default setting.

• Character set encoding — Select the type of character encoding used for HTML data.
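The recommended combination of these settings expressed as a Python ssl.SSLContext, with an audit function that reports a context which still accepts a protocol floor below TLS 1.2 or low-grade cipher suites. This is an added example for checking an endpoint you control against the same criteria, not ePrism configuration; the 128-bit threshold for "low-grade" and the cipher string are the editor's choices.

```python
import ssl

TLS_FLOOR = ssl.TLSVersion.TLSv1_2
MIN_CIPHER_BITS = 128  # below this counts as low-grade (DES, export ciphers, 3DES)


def hardened_context():
    """Server context matching the recommended screen settings: SSL required,
    SSL versions 2 and 3 disabled, low-grade ciphers disallowed, TLS 1.2 as the floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_FLOOR
    # HIGH selects 128-bit-and-stronger suites; the exclusions drop anonymous,
    # null, triple-DES, RC4 and MD5-based suites that HIGH might still admit.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5")
    return ctx


def permissive_context():
    """Counterpart with no protocol floor, the analogue of leaving the older
    SSL versions enabled on the Web Server Options screen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit(ctx):
    """List the weaknesses in a context: a protocol floor below TLS 1.2 and every
    enabled cipher suite whose effective strength is under MIN_CIPHER_BITS."""
    findings = []
    if ctx.minimum_version < TLS_FLOOR:
        findings.append(f"protocol floor is {ctx.minimum_version.name}, below TLSv1_2")
    weak = sorted({c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_CIPHER_BITS})
    if weak:
        findings.append("low-grade ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_context()) or "no findings")
    print("permissive:", audit(permissive_context()) or "no findings")
```

The audit reads the context's own settings rather than probing a live server, so it is suitable for a unit test that fails a build whenever someone loosens the TLS floor.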

Customizing the ePrism Interface

The ePrism interface logos can be easily customized by uploading your own organization’s custom logos to replace the ePrism logo on the main login screen, the administration screen logo, and the ePrism Mail Client logo. Administrators can also customize the login page title of the administrative session screen.

Customize a logo as follows:

1. Select Basic Config ➝ Customization on the menu to customize the ePrism logos.
2. Click Browse to choose a file, and then click Next to upload the file.

Revert to the default ePrism graphic by selecting the Default Logo button.

Most graphic formats are supported, but it is recommended that you use graphics suitable for web page viewing such as GIF and JPEG. The maximum file size is 32k.

TABLE 1. Recommended Image Sizes

Logo Type                  Size in Pixels
Main Screen Logo           285 x 85
Admin Screen Small Logo    191 x 57
ePrism Mail Client Logo    94 x 28

CHAPTER 3 Configuring Mail Delivery Settings

This chapter describes how to configure network and mail delivery settings for the ePrism Email Security Appliance, and contains the following topics:

• “Network Settings” on page 42
• “Static Routes” on page 46
• “Mail Routing” on page 47
• “Mail Delivery Settings” on page 49
• “Mail Aliases” on page 55
• “Mail Mappings” on page 57
• “Virtual Mappings” on page 59

Network Settings

The basic networking information to get ePrism up and running on the network is configured during installation time. To perform more advanced network configuration and to configure other network interfaces, you must use the Basic Config ➝ Network settings screen.

From the network settings screen you can modify the following items:

• Hostname and Domain information
• Default Gateway
• Syslog Host
• DNS and NTP servers
• Network Interface IP Address and feature access settings
• Clustering and Queue Replication interface configuration
• Support Access settings

Note: If you make any modifications to your network settings, you must reboot ePrism. The system will prompt you to restart after clicking the Apply button.

Configuring Network Settings

Select Basic Config ➝ Network on the menu to configure ePrism's network settings.

• Hostname — Enter the hostname (not the Fully Qualified Domain Name) of the ePrism Email Security Appliance, such as the hostname eprism in eprism.example.com.

• Domain — Enter the domain name, such as example.com.

• Gateway — Enter the IP address of the default route for ePrism. This is typically the external router connected to the Internet, or the network Firewall’s interface if ePrism is located on the DMZ.

• Syslog Host — ePrism can log to a specific syslog host. A syslog host collects and stores log files from many sources. Enter the IP address of the syslog server that will receive all logs from ePrism.

• Name Server — At least one DNS name server must be configured for hostname resolution, and it is recommended that secondary name servers be specified in the event the primary DNS server is unavailable.

• NTP Server — NTP is critical for accurate timekeeping for the ePrism Email Security Appliance. Entering a valid NTP server will ensure that the server time is synchronized. It is recommended that secondary NTP servers be specified in the event the primary NTP server is unavailable.

Network Interfaces

Enter the required settings for each network interface. You can enter information for up to four interfaces.

Note: Some of the following options will not be displayed unless the related feature is enabled.

• IP Address — Enter an IP address for this interface, such as 192.168.1.104.

• Netmask — Enter the netmask for this interface, such as 255.255.255.0.

• Media — Select the type of network card. Use Auto select for automatic configuration.

• Large MTU — Sets the MTU (Maximum Transmission Unit) to 1500 bytes. This may improve performance connecting to servers on the local network. The default is 576 bytes.

Note: For most organizations, the default option of 576 bytes is adequate. This option should only be changed if needed and with the involvement of a Technical Support representative.

• Respond to Ping — Allows ICMP ping requests to this interface. This will allow you to perform network connectivity tests to this interface, but will cause this interface to be more susceptible to denial of service ping attacks.

• Trusted Subnet — If selected, all hosts on this subnet are considered trusted for relaying and anti-spam processing.

• Admin Login — Allows access to this interface for administrative purposes.

• ePrism Mail Client — Allows access to the ePrism Mail Client via this interface.

• IMAPS Server — Allows secure access to ePrism’s internal IMAP server via this interface.

• IMAP Server — Allows access to ePrism’s internal IMAP server via this interface.

• POP3S Server — Allows secure access to ePrism’s internal POP3 server via this interface.

• POP3 Server — Allows access to ePrism’s internal POP3 server via this interface.

Note: POP and IMAP settings are only displayed if enabled in User Accounts ➝ POP3 and IMAP.

• SNMP Agent — Allows access to the SNMP agent via this interface.

Advanced Parameters

The following advanced networking parameters are TCP extensions that improve the performance and reliability of communications.

• Enable RFC 1323 — Enables the TCP extensions for high performance (window scaling and timestamps) that improve throughput and reliability on high-speed, high-latency paths. This is enabled by default, and should only be disabled if you are experiencing networking problems with certain hosts.

• Enable RFC 1644 — Enables an experimental TCP extension (T/TCP) for efficient transaction oriented (request/response) service. This is disabled by default.

• Path MTU Discovery (RFC 1191) — Disable Path MTU (Maximum Transmission Unit) discovery if required to resolve delivery problems when interconnecting with specific firewalls and SMTP proxies. Path MTU discovery is enabled by default.

Clustering

The Clustering section is used to enable clustering on a specific network interface. See “HALO (High Availability and Load Optimization)” on page 231 for more information on configuring clustering.

• Enable Clustering — Select the check box to enable clustering on this ePrism system.

• Cluster Interface — Select the interface to enable clustering on.

Support Access

Enable Support Access, if required, which allows St. Bernard Technical Support to connect to this system from the specified IP address. This setting does not need to be enabled during normal usage, and should only be enabled if requested by St. Bernard Technical Support.

Note: This option only appears if you have installed the Support Access patch in Management ➝ Software Updates.

For security reasons, Support Access communications use SSH (Secure Shell) with public-key authentication on a non-standard network port. Support Access only allows a connection to be made from the St. Bernard network.

Static Routes

Static routes are required if the mail servers to which mail must be relayed are located on another network, such as behind an internal router, firewall, or accessed via a VPN.

Select Basic Config ➝ Static Routes to configure your static routes.

To add a new static route, enter the network address, netmask and gateway for the route, and then click New Route.

Mail Routing

ePrism, by default, accepts mail addressed directly to it and delivers it to local ePrism mailboxes. You can configure additional domains for ePrism to accept and route mail for using the Mail Routing menu.

Select Mail Delivery ➝ Routing ➝ Mail Routing from the menu to set up mail routes.

• Sub — Select this check box to accept and relay mail for subdomains of the specified domain.

• Domain — Enter the domain for which mail is to be accepted, such as example.com.

• Route-to — Enter the address of the server to which mail will be delivered. When using an FQDN, the corresponding DNS record is looked up.

• Port — Enter the port number of the SMTP server if it is different from the default port number of 25. The port number must be between 1 and 65535.

• MX — (Optional) Select the MX check box if you need to look up the mail routes in DNS before delivery. If this is not enabled, MX records are ignored and mail is delivered to the Route-to host directly. Generally, you do not need to select this item unless you are using multiple mail server DNS entries for load balancing/failover purposes. With MX lookup enabled, delivery can fall through to the next mail server in the MX list.

• KeepOpen — (Optional) Select the KeepOpen check box to ensure that each mail message to the domain will not be removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred. This setting ensures that local mail servers receive higher priority.

Note: The KeepOpen option should only be used for domains that are usually very reliable. If the domain is unavailable, it may cause system performance problems due to excessive error conditions and deferred mail.

A list of domains can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]

For example:

example.com,10.10.1.1,25,on,off,off

The file (domains.csv) is a plain-text CSV file and can be created with Excel, Notepad or another text editor. Note that the ignore_mx field is the inverse of the MX check box: on means MX records are ignored for that route. It is recommended that you download the current domain file first by clicking Download File, edit it as required, and upload it with the Upload File button.
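The route lookup described above, as an added example written for this page (it is not ePrism's own code): it parses a domains.csv upload in the column order given, validates each field (including the 1 to 65535 port range and the on/off flags), and resolves a recipient's domain to a route, honouring the Sub flag and falling back to the Default Mail Relay described under Mail Delivery Settings. The closest-parent precedence for subdomain routes and the treatment of the default relay are assumptions of this example, as is the constructed sample file.

```python
"""Added example (not part of the ePrism guide): parse a domains.csv
mail-routing upload and resolve the route for a recipient address.

Assumptions (not stated by the guide): an exact domain match wins over a
subdomain match, the closest matching parent domain wins over a more
distant one, and a recipient whose domain has no route falls back to the
default mail relay, if one is configured.
"""
import re

# Hostname label syntax (RFC 1123 style); dotted-quad IPs also pass this.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _valid_host(host):
    labels = host.rstrip(".").split(".")
    return len(host) <= 253 and all(_LABEL.match(label) for label in labels)


def _flag(value, field, lineno):
    value = value.strip().lower()
    if value not in ("on", "off"):
        raise ValueError("line %d: %s must be 'on' or 'off', got %r" % (lineno, field, value))
    return value == "on"


def parse_routes(text):
    """Parse [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]
    rows. Comma- or tab-separated, as the upload format allows."""
    routes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"[,\t]", line)]
        if len(fields) != 6:
            raise ValueError("line %d: expected 6 fields, got %d" % (lineno, len(fields)))
        domain, route, port, ignore_mx, sub, keep_open = fields
        domain = domain.lower().rstrip(".")
        if not _valid_host(domain) or not _valid_host(route):
            raise ValueError("line %d: bad domain or route host" % lineno)
        port_num = int(port) if port else 25          # empty port means the default
        if not 1 <= port_num <= 65535:                # the valid TCP port range
            raise ValueError("line %d: port %d out of range" % (lineno, port_num))
        if domain in routes:
            raise ValueError("line %d: duplicate route for %s" % (lineno, domain))
        routes[domain] = {
            "route": route, "port": port_num,
            "ignore_mx": _flag(ignore_mx, "ignore_mx", lineno),
            "subdomains": _flag(sub, "subdomains_too", lineno),
            "keep_open": _flag(keep_open, "keep_open", lineno),
        }
    return routes


def resolve_route(routes, recipient, default_relay=None):
    """Return (host, port, use_mx) for a recipient address, or None if the
    domain has no route and no default relay is configured."""
    domain = recipient.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in routes:                              # exact match first
        r = routes[domain]
        return (r["route"], r["port"], not r["ignore_mx"])
    labels = domain.split(".")
    for i in range(1, len(labels)):                   # then walk up to a "Sub" route
        r = routes.get(".".join(labels[i:]))
        if r and r["subdomains"]:
            return (r["route"], r["port"], not r["ignore_mx"])
    if default_relay:
        # Assumption: the default relay is used with "Ignore MX record" on.
        return (default_relay, 25, False)
    return None


# Constructed sample upload file, in the guide's column order.
SAMPLE_CSV = """\
example.com,10.10.1.1,25,on,off,off
corp.example.com,mail.corp.example.com,2525,off,on,on
partner.example,smtp.partner.example,,on,off,off
"""

ROUTES = parse_routes(SAMPLE_CSV)

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@hr.corp.example.com",
                 "carol@sales.example.com", "dave@other.test"):
        print(rcpt, "->", resolve_route(ROUTES, rcpt, default_relay="relay.isp.example"))
```

Running the block shows that sales.example.com is not covered by the example.com route because its Sub flag is off, so it goes to the default relay, while hr.corp.example.com is caught by the corp.example.com route whose Sub flag is on.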

LDAP Routing

Click the LDAP Routing button to define mail routes using an LDAP directory server. This is the preferred method of mail routing for organizations with a large number of domains.

See “LDAP Routing” on page 79 for more detailed information on using LDAP for mail routing.

Mail Delivery Settings

The Mail Delivery Settings screen allows you to configure parameters related to accepting, relaying and delivering mail messages.

Select Mail Delivery ➝ Delivery Settings on the menu to configure the following parameters:

Delivery Settings

• Maximum time in mail queue — Enter the number of days for a message to stay in the queue before being returned to the sender as "undeliverable".

• Maximum time in queue for bounces — Enter the number of days a system-generated bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable. Default is 5 days. Set this value to 0 to attempt delivery of bounce messages only once.

• Maximum original message text in bounces — Enter the maximum amount (in bytes) of original message text that is sent in a non-delivery notification. Range is 10 to 1000000000. If this field is left blank, the default is set to 5000 bytes.

• Time before delay warning — Number of hours before issuing the sender a notification that mail is delayed.

• Time to retain undeliverable notice mail — The number of hours to keep undeliverable-notice mail that is addressed to an external mail server's MAILER-DAEMON. These messages are typically notifications sent to mail servers with invalid return addresses and can be safely purged. Leave this value blank for no special processing.

• Deliver mail to local users — Disable this option to prevent mail delivery to local accounts configured on this ePrism. The postmaster (admin) account will not be affected by this setting.

Gateway Features

• Masquerade Addresses — Masquerades internal hostnames by rewriting headers to only include the address of the ePrism.

• Strip Received Headers — Strip all Received headers from outgoing messages.

Default Mail Relay

• Relay To — (Optional) Enter the hostname or IP address of a mail server (not this ePrism system) to which mail with an otherwise unspecified destination is relayed. A recipient's domain is first checked against the Mail Routing table; if no route matches, the message is sent to the Default Mail Relay server for delivery. This option is usually used when ePrism cannot deliver e-mail directly to remote mail servers. If you are setting up this system as a dedicated ePrism Mail Client and all mail originating from it should be forwarded to another mail server for delivery, specify that destination mail server here. Note: Do NOT enter the name of your ePrism system, as this will cause a relay loop.

• Ignore MX record — Enable this option to skip the MX record lookup for the relay host, so that mail is sent directly to the hostname or address entered in Relay To.

• Enable Client Authentication — Enable client SMTP authentication when relaying mail to another mail server. This option is only used in conjunction with the Default Mail Relay feature, and allows ePrism to authenticate to the server through which it relays mail. With this configuration, connections to the default mail relay are authenticated, while connections to other mail routes are not. The User ID and password are presented to the relay during the SMTP AUTH exchange, so the connection to the relay should be TLS-encrypted (see "Encrypting Mail Delivery Sessions" on page 92); otherwise the credentials can be read on the network.

• User ID — Enter the User ID used to log in to the relay mail server.
• Password — Enter and confirm the password for the specified User ID.

BCC All Mail

ePrism offers an archiving feature for organizations that require storage of all e-mail that passes through their corporate mail servers. This option sends a blind carbon copy (BCC) of each message that passes through ePrism to the specified address. This address can be local or on any other system. Once copied, the mail can be managed and archived from this account. You must also specify an address that will receive error messages if there are problems delivering the BCC mail. Because the BCC mailbox receives a copy of every message that passes through ePrism, restrict access to it as you would to any archive of confidential mail.

Annotations and Delivery Warnings

Administrators can enable and customize Annotations that are appended to all e-mails and customize Delivery Failure and Delivery Delay warning messages.

Note: Some mail clients will display notifications and annotations as attachments to a message rather than in the message body.

Note: Separate annotations can be enabled for different users, domains, and groups using Policies. See “Policy Management” on page 195 for information on creating policies and configuring separate annotations.

The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system settings that are automatically substituted at the time the message is sent. See “Customizing Notification and Annotation Messages” on page 333 for a full list of variables that can be included.

Advanced Delivery Options

Click the Advanced button on the Mail Delivery ➝ Delivery Settings screen to reveal advanced options for Advanced SMTP Settings, SMTP notifications, actions for Very Malformed Mail messages, and the Received Header.

Advanced SMTP Settings

The following advanced SMTP settings can be configured:

• SMTP Pipelining — Select the check box to disable SMTP Pipelining when delivering mail. Some mail servers may experience problems with SMTP command pipelining and you may have to disable this feature if required.

• ESMTP — Select the check box to disable ESMTP (Extended SMTP) when delivering mail. Some mail servers may not support ESMTP and you may have to disable this option if you experience problems. Caution: Disabling ESMTP also disables TLS encryption on outgoing connections, because STARTTLS is negotiated through the ESMTP extension mechanism.

• HELO required — Enable this option to require clients to initiate their SMTP session with a standard HELO/EHLO sequence. It is recommended that you leave this feature enabled. It should only be disabled when experiencing problems with sending hosts that do not use a standard HELO message.

• Content Reject Message — This is the text part of the SMTP 552 error message reported to clients when message content is rejected because the maximum message size has been exceeded.

• Multiple Recipient Reject Mode — Indicates the reject handling of messages with multiple recipients. This option only applies to features with reject actions such as Malformed and Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus, and Intercept Anti-Spam features, including those used within a policy. The options are as follows:
All: Reject the message only if all recipients reject it. If some but not all of the recipients reject the message, the message is discarded without notification to the sender for those recipients that rejected it.
Any: Reject the message if any recipient rejects it.
Never: The message is never rejected, regardless of any configured reject actions. For recipients that rejected the message, the message is discarded without notification to the sender.
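The decision described for Multiple Recipient Reject Mode, as an added example written for this page (not ePrism's code). Its point is to make explicit which recipients' copies are dropped without any notice to the sender, since those silent discards are the cases an administrator should log and be able to explain. The mode names follow the guide; the input shape (a mapping from recipient to a per-recipient reject verdict) and the constructed verdicts are this example's own.

```python
"""Added example (not from the ePrism guide): the per-recipient reject
decision described for Multiple Recipient Reject Mode, as a pure function.

Input: the mode ('all', 'any' or 'never') and a mapping recipient -> True
when that recipient's settings (including policy) reject the message.
Output: whether the whole message is refused at the SMTP level, which
recipients' copies are silently discarded, and which are delivered.
"""


def multi_recipient_reject(mode, verdicts):
    """Return (reject_whole_message, discarded_recipients, delivered_recipients)."""
    mode = mode.lower()
    if mode not in ("all", "any", "never"):
        raise ValueError("unknown reject mode: %r" % mode)
    rejecting = [r for r, rejected in verdicts.items() if rejected]
    accepting = [r for r, rejected in verdicts.items() if not rejected]
    if not rejecting:
        # Nobody rejected: ordinary acceptance for everyone.
        return (False, [], accepting)
    if mode == "any":
        # One rejecting recipient is enough to refuse the message for all.
        return (True, [], [])
    if mode == "all" and not accepting:
        # Every recipient rejected: the sender gets an SMTP reject.
        return (True, [], [])
    # 'all' with a mixed verdict, or 'never': the message is accepted for
    # the non-rejecting recipients and dropped for the rest. The sender is
    # not told about the dropped copies, so this is the case to log.
    return (False, rejecting, accepting)


# Constructed verdicts: a message that one recipient's policy rejects.
SAMPLE_VERDICTS = {
    "alice@example.com": False,   # allowed by Alice's policy
    "bob@example.com": True,      # Bob's policy rejects it (e.g. Attachment Control)
    "carol@example.com": False,
}

if __name__ == "__main__":
    for mode in ("all", "any", "never"):
        print(mode, multi_recipient_reject(mode, SAMPLE_VERDICTS))
```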

• Send EHLO — Always send EHLO when communicating with another server, even if their banner does not include ESMTP. Disable EHLO if you are experiencing communications problems with specific SMTP servers. Caution: Disabling EHLO will disable TLS/SSL encryption.

SMTP Notification

Administrators can select the type of notifications that are sent to the postmaster account. Serious problems such as Resource or Software issues are selected by default for notification.

• Resource — Mail not delivered due to resource problems, such as queue file write errors.
• Software — Mail not delivered due to software problems.
• Bounce — Send the postmaster copies of undeliverable mail. If mail is undeliverable, a single bounce message is sent to the postmaster with a copy of the message that was not delivered. For privacy reasons, the postmaster copy is truncated after the original message headers. If a single bounce message is undeliverable, the postmaster receives a double bounce message with a copy of the entire single bounce message.

• Delay — Inform the postmaster of delayed mail. In this case, the postmaster receives message headers only.

• Policy — Inform the postmaster of client requests that were rejected because of (UCE) policy restrictions. The postmaster will receive a transcript of the entire SMTP session.

• Protocol — Inform the postmaster of protocol errors (client or server), or attempts by a client to execute unimplemented commands. The postmaster will receive a transcript of the entire SMTP session.

• Double Bounce — Send double bounced messages to the postmaster.

Very Malformed Mail

Specify the action to be performed when a very malformed message is detected by the system. A very malformed message may cause scanning engine latency.

Possible actions:

• Just log — Log the event and take no further action.
• Quarantine mail — The message is placed into quarantine.
• Temporarily Reject Mail — Returns a temporary error to the sending server and does not accept the mail. The sending server can attempt delivery again after a period of time.
• Reject mail — The message is rejected with notification to the sending system.
• Discard mail — The message is discarded without notification to the sending system.

Select the Notify check box to allow notifications using the malformed notification settings (configured via Mail Delivery ➝ Content Management ➝ Malformed Mail) when the action specified above is performed (except for Just log.)

Caution: Mail that is very malformed has not been virus scanned, or filtered for attachments and spam.

Received Header

The Received Header is the mail server identification string shown in the Received: header of each message that passes through ePrism. The default is "St. Bernard Software ePrism Email Security Appliance", but this can be changed to a more generic identifier so that outgoing mail does not reveal the mail server product to attackers. Changing this string only affects what is disclosed in message headers; it does not by itself prevent fingerprinting of the server through its behaviour in the SMTP session.

Mail Aliases

When mail is to be delivered locally, the delivery agent runs each local recipient name through the aliases database. If an alias exists, a new mail message is created for the named address or addresses, and that message is returned to the delivery process to be mapped, routed, and so on. The same process applies to local user accounts with a configured "forwarder address"; such accounts are treated as aliases.

Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases such as postmaster to real user mailboxes.

For example, the alias postmaster could resolve to the local mailboxes [email protected], and [email protected]. For distribution lists, an alias called [email protected] can be created that points to all members of the sales organization of a company.

Configuring Mail Aliases

Click Mail Delivery ➝ Routing ➝ Mail Aliases on the menu to configure aliases. Click on an entry to edit a current alias.

Adding a Mail Alias

Click the Add Alias button to add a new alias.

The specified alias name must be a valid local mailbox on this ePrism system. Enter the corresponding mail address for the alias. Click the Add More Addresses button to enter multiple addresses for this alias.

Uploading Alias Lists

A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[alias],[mail_address]

For example:

sales,[email protected]

info,[email protected]

The file (alias.csv) is a plain-text CSV file and can be created with Excel, Notepad or another text editor. It is recommended that you download the current mail alias file first by clicking Download File, edit it as required, and upload it with the Upload File button.
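The alias expansion described at the start of this section, as an added example written for this page (not ePrism's code): it parses alias.csv rows, treats several rows for the same alias as additional members, and expands an address recursively until only real local mailboxes or non-local addresses remain, the way the text says an aliased message is fed back into delivery. The LOCAL_DOMAIN name, the set of mailboxes, the sample alias file and the loop detection (an alias that eventually points back at itself) are assumptions of this example; the guide does not discuss alias loops.

```python
"""Added example (not from the ePrism guide): expand local aliases
recursively, as the Mail Aliases section describes, until only real
mailboxes or non-local addresses remain.

Parses the guide's alias.csv rows, [alias],[mail_address]; several rows for
the same alias add members (the Add More Addresses button in the UI).
Assumptions: LOCAL_DOMAIN is the domain ePrism delivers locally, bare names
are local, and a target that is itself an alias is expanded in turn. A
cycle (a -> b -> a) is detected and reported instead of looping.
"""
import re

LOCAL_DOMAIN = "example.com"   # assumed local delivery domain


def parse_aliases(text):
    """Return {alias_name: [target, ...]} from comma- or tab-separated rows."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r"[,\t]", line)]
        if len(fields) != 2 or not all(fields):
            raise ValueError("line %d: expected [alias],[mail_address]" % lineno)
        aliases.setdefault(fields[0].lower(), []).append(fields[1])
    return aliases


def _local_name(addr):
    """Return the local part if addr is bare or in LOCAL_DOMAIN, else None."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr.lower()
    return local.lower() if domain.lower() == LOCAL_DOMAIN else None


def expand(address, aliases, local_mailboxes):
    """Return the sorted list of final recipients for one address.
    Raises ValueError on an alias loop or an unknown local name."""
    result = set()

    def walk(addr, path):
        name = _local_name(addr)
        if name is None:
            result.add(addr)                 # remote address: routed as-is
            return
        if name in aliases:
            if name in path:
                raise ValueError("alias loop: %s" % " -> ".join(path + [name]))
            for target in aliases[name]:     # expand each member in turn
                walk(target, path + [name])
        elif name in local_mailboxes:
            result.add(name + "@" + LOCAL_DOMAIN)
        else:
            raise ValueError("no mailbox or alias named %r" % name)

    walk(address, [])
    return sorted(result)


# Constructed alias.csv: the postmaster and a sales list that nests another alias.
SAMPLE_ALIASES = """\
postmaster,admin@example.com
postmaster,helpdesk@example.com
sales,alice@example.com
sales,bob@partner.example
sales,support
support,carol@example.com
"""
ALIASES = parse_aliases(SAMPLE_ALIASES)
MAILBOXES = {"admin", "helpdesk", "alice", "carol"}   # constructed local mailboxes

if __name__ == "__main__":
    print(expand("postmaster@example.com", ALIASES, MAILBOXES))
    print(expand("sales", ALIASES, MAILBOXES))
```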

LDAP Aliases

Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for mail aliases.

See “LDAP Aliases” on page 70 for more information on LDAP Aliases.

Mail Mappings

Mail Mappings are used to map an external address to an internal address and vice versa. This is useful for hiding internal mail server addresses from external users. For mail originating externally, the mail mapping translates the address in the To: and CC: header fields into the corresponding internal address so that the message is delivered to a specific internal mailbox.

For example, mail addressed to [email protected] can be redirected to the internal mail address [email protected]. This enables the message to be delivered to the user’s preferred mailbox.

Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender: header modified by a mail mapping so it appears to have come from the preferred external form of the mail address, [email protected].

Configuring Mail Mappings

Click Mail Delivery ➝ Routing ➝ Mail Mapping on the menu to configure mail address mappings. Click on an entry to edit a current mapping.

Adding a New Mapping

Click the Add button to add a new mapping.

• External mail address — Enter the external mail address that you want to be converted to the specified internal e-mail address for incoming mail. The specified internal address will be converted to this external address for outgoing mail.

• Internal mail address — Enter the internal mail address that you want external addresses to be mapped to for incoming mail. The internal address will be converted to the specified external address for outgoing mail.

• Extra internal addresses — Enter any additional internal mappings which will be included in the outgoing mail conversion. Click the Add button for each entry.

When you have completed entering your addresses, click Apply to create the mail mapping.

Uploading Mapping Lists

A list of mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]

For example:

sender,[email protected],[email protected],on

The file (mailmapping.csv) is a plain-text CSV file and can be created with Excel, Notepad or another text editor. It is recommended that you download the current mail mapping file first by clicking Download File, edit it as required, and upload it with the Upload File button.

Access Control via Mail Mappings

ePrism can block all incoming and outgoing mail messages that do not match a configured mail mapping. This ensures that all incoming and outgoing mail matches a legitimate user as the destination or source of a message.

Click the Preferences button to enable Mail Mapping Access Control.

Note: If this feature is enabled, all incoming and outgoing mail will be blocked unless the user has a mapping listed in the mail mappings table.
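The two directions of mail mapping and the access-control rule above, as an added example written for this page (not ePrism's code): it parses mailmapping.csv rows, rewrites To: and Cc: for inbound mail and From:, Reply-To: and Sender: for outbound mail while keeping display names, and checks an envelope address against the table the way Mail Mapping Access Control does. The meaning assigned to map_in and map_out for each row type, the interpretation of value as an enable flag, the direction check for access control and the sample messages are assumptions of this example.

```python
"""Added example (not part of the ePrism guide): apply mail mappings to a
message's headers in both directions and enforce Mail Mapping Access Control.

Parses the guide's mailmapping.csv rows:
    [type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]
Assumptions (not stated by the guide): for a "recipient" row map_in is the
external address and map_out the internal one; for a "sender" row map_in is
the internal address and map_out the external one; value "off" disables the
row. Header handling uses the standard library email package.
"""
import re
from email import message_from_string
from email.utils import getaddresses, formataddr


def parse_mappings(text):
    """Return (recipient_map, sender_map): lower-cased address -> address."""
    recipient_map, sender_map = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r"[,\t]", line)]
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields" % lineno)
        kind, map_in, map_out, value = fields
        if value.lower() == "off":
            continue                                   # disabled row
        if kind.lower() == "recipient":
            recipient_map[map_in.lower()] = map_out
        elif kind.lower() == "sender":
            sender_map[map_in.lower()] = map_out
        else:
            raise ValueError("line %d: type must be sender or recipient" % lineno)
    return recipient_map, sender_map


def _rewrite_header(msg, name, mapping):
    """Rewrite every address in header `name` through `mapping`, keeping display names."""
    values = msg.get_all(name)
    if not values:
        return
    rewritten = [formataddr((display, mapping.get(addr.lower(), addr)))
                 for display, addr in getaddresses(values)]
    del msg[name]
    msg[name] = ", ".join(rewritten)


def map_inbound(msg, recipient_map):
    """External -> internal: rewrite To: and Cc: (the guide's inbound direction)."""
    for name in ("To", "Cc"):
        _rewrite_header(msg, name, recipient_map)
    return msg


def map_outbound(msg, sender_map):
    """Internal -> external: rewrite From:, Reply-To: and Sender:."""
    for name in ("From", "Reply-To", "Sender"):
        _rewrite_header(msg, name, sender_map)
    return msg


def access_control_allows(direction, envelope_addr, recipient_map, sender_map):
    """Mail Mapping Access Control: inbound mail must be addressed to a mapped
    external address, outbound mail must come from a mapped internal address."""
    addr = envelope_addr.lower()
    if direction == "inbound":
        return addr in recipient_map
    if direction == "outbound":
        return addr in sender_map
    raise ValueError("direction must be inbound or outbound")


# Constructed mailmapping.csv in the guide's column order.
SAMPLE_MAPPINGS = """\
recipient,john.smith@example.com,jsmith@exchange.example.com,on
sender,jsmith@exchange.example.com,john.smith@example.com,on
recipient,old.alias@example.com,jsmith@exchange.example.com,off
"""
RECIPIENT_MAP, SENDER_MAP = parse_mappings(SAMPLE_MAPPINGS)

# Constructed messages: one arriving from the Internet, one leaving the internal server.
INBOUND_RAW = ("From: Partner <partner@partner.example>\n"
               "To: John Smith <John.Smith@example.com>\n"
               "Cc: other@example.net\nSubject: Quote\n\nHi John\n")
OUTBOUND_RAW = ("From: John Smith <jsmith@exchange.example.com>\n"
                "Reply-To: jsmith@exchange.example.com\n"
                "To: partner@partner.example\nSubject: Re: Quote\n\nThanks\n")


def demo_inbound():
    return map_inbound(message_from_string(INBOUND_RAW), RECIPIENT_MAP)


def demo_outbound():
    return map_outbound(message_from_string(OUTBOUND_RAW), SENDER_MAP)


if __name__ == "__main__":
    print(demo_inbound()["To"])
    print(demo_outbound()["From"])
```

Only the headers the guide names are touched; the envelope recipient is not rewritten here, which is what distinguishes mail mappings from the virtual mappings described in the next section.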

Virtual Mappings

Virtual Mappings are used to redirect mail addressed to one domain to a different domain. This is done without modifying the To: and From: headers of the message, because virtual mappings rewrite only the envelope recipient address.

For example, ePrism can be configured to accept mail for the domain @example.com and deliver it to @sales.example.com. This allows ePrism to distribute mail to multiple internal servers based on the envelope recipient address of the incoming mail.

Virtual Mappings act as a wildcard mail mapping, for example sending all mail for example.com to exchange.example.com; exceptions for particular users can then be created in the Mail Mappings. Virtual mappings are also useful for ISPs that need to accept mail for several domains, and in any situation where the envelope recipient address must be rewritten before further delivery.

Note: You should review the use of Mail Routes before setting anything in Virtual Mappings, as they may be more appropriate for delivering mail to internal mail servers.

Configuring Virtual Mappings

Click on Mail Delivery ➝ Routing ➝ Virtual Mapping on the menu to configure mappings. Click on an entry to edit a current mapping.

Adding a Virtual Mapping

Click the Add Virtual Mapping button to add a new mapping.

Enter the domain or address to which incoming mail is directed in the Input box, such as @example.com. Then enter the domain or address to which mail should be redirected to, such as @sales.example.com in the Output box.

Uploading Virtual Mapping Lists

A list of virtual mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[map_in],[map_out]

For example:

[email protected],user [email protected],[email protected]
@example.com,@sales.example.com

The file (virtmap.csv) is a plain-text CSV file and can be created with Excel, Notepad or another text editor. It is recommended that you download the current virtual mapping file first by clicking Download File, edit it as required, and upload it with the Upload File button.

Note: Mail for the domain being virtually mapped only reaches ePrism if that domain's DNS MX record points to this ePrism Email Security Appliance; for internal senders this means an MX record in your "internal" DNS.
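The envelope rewrite that virtual mappings perform, as an added example written for this page (not ePrism's code): it parses virtmap.csv rows and rewrites the SMTP envelope recipient, leaving message headers alone. The rules that a full-address entry takes precedence over an @domain entry, that an @domain output keeps the local part, and that a chain of mappings is followed up to a fixed number of hops (so two entries pointing at each other cannot loop forever) are assumptions of this example, as is the constructed sample file.

```python
"""Added example (not from the ePrism guide): apply virtual mappings to the
SMTP envelope recipient (RCPT TO) without touching message headers.

Parses the guide's virtmap.csv rows, [map_in],[map_out]. Assumptions of
this example: a map_in that is a full address matches only that address; a
map_in of the form @domain matches every address in the domain and, when
map_out is also @domain, keeps the local part. A full-address entry takes
precedence over a domain entry. Chained rewrites are followed, with a cap.
"""
import re


def parse_virtual_mappings(text):
    """Return (exact, by_domain): exact maps full addresses, by_domain maps
    bare domain names (without the leading @) to their output."""
    exact, by_domain = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r"[,\t]", line)]
        if len(fields) != 2 or not fields[0] or not fields[1]:
            raise ValueError("line %d: expected [map_in],[map_out]" % lineno)
        map_in, map_out = fields[0].lower(), fields[1]
        if map_in.startswith("@"):
            by_domain[map_in[1:]] = map_out
        elif "@" in map_in:
            exact[map_in] = map_out
        else:
            raise ValueError("line %d: map_in must be user@domain or @domain" % lineno)
    return exact, by_domain


def rewrite_envelope_recipient(rcpt, exact, by_domain, max_hops=10):
    """Return the rewritten envelope recipient. Message headers are not involved."""
    current = rcpt
    for _ in range(max_hops):
        local, _sep, domain = current.rpartition("@")
        if current.lower() in exact:                  # full address wins
            target = exact[current.lower()]
        elif domain.lower() in by_domain:             # then the domain wildcard
            target = by_domain[domain.lower()]
        else:
            return current                            # no mapping applies
        if target.startswith("@"):
            target = local + target                   # keep local part, change domain
        if target.lower() == current.lower():
            return current                            # self-mapping: stop
        current = target                              # follow the chain
    raise ValueError("virtual mapping chain for %s exceeds %d hops" % (rcpt, max_hops))


# Constructed virtmap.csv: a domain wildcard plus one per-user exception.
SAMPLE_VIRTMAP = """\
@example.com,@sales.example.com
ceo@example.com,ceo@exec.example.com
"""
EXACT, BY_DOMAIN = parse_virtual_mappings(SAMPLE_VIRTMAP)

if __name__ == "__main__":
    for rcpt in ("Alice@example.com", "ceo@example.com", "bob@example.net"):
        print(rcpt, "->", rewrite_envelope_recipient(rcpt, EXACT, BY_DOMAIN))
```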

LDAP Virtual Mappings

Click the LDAP Virtual Mappings button to configure and search for virtual mappings using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual mappings. See “LDAP Mappings” on page 72 for more information on configuring LDAP virtual mappings.

CHAPTER 4 Directory Services

This chapter describes how to integrate your existing LDAP directory services with ePrism and contains the following topics:

• “Directory Service Overview” on page 62
• “Directory Servers” on page 64
• “Directory Users and Groups” on page 66
• “LDAP Aliases” on page 70
• “LDAP Mappings” on page 72
• “LDAP Recipients” on page 74
• “LDAP Relay” on page 76
• “LDAP Routing” on page 79

Directory Service Overview

ePrism can utilize LDAP (Lightweight Directory Access Protocol) services for accessing directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information. LDAP can be used with ePrism for mail routing, group lookups for policies, user lookups for mail delivery, alias and virtual mappings, and authentication.

LDAP was designed to provide a standard for efficient access to directory services using simple queries. Most major directory services, such as Active Directory, support LDAP, but each differs in its schema, attribute names and naming conventions. Other supported LDAP services include OpenLDAP and iPlanet.

Naming Conventions

Each entry in the directory hierarchy is identified by a unique Distinguished Name (DN). The following is an example of a Distinguished Name in Active Directory:

cn=jsmith,cn=users,dc=example,dc=com

In this example, "cn" represents the Common Name and "dc" the Domain Component. The user jsmith is in the users container (cn=users). The domain components together correspond to the DNS domain name, in this case example.com.

Note: For all LDAP Directory features, you must ensure you enter values specific to your LDAP environment and schema.

Active Directory LDAP Results Limit

Active Directory has a default limit of 1000 entries that can be returned from a single LDAP query. With large queries, the results may be truncated. It is recommended that you raise the default maximum page size so that LDAP User and Group imports complete successfully. Note that MaxPageSize is a domain controller LDAP policy that applies to every LDAP client of that controller, not only to ePrism, and a larger page size lets a single query hold more results in memory on the controller.

Use the following procedure to modify the default maximum page size limit in Active Directory:

1. Log in to the Active Directory system as an administrator.
2. Open a command prompt and enter the following commands. The commands are the text after each prompt; the other lines are the tool's output.

    c:\> ntdsutil.exe
    ntdsutil: ldap policies
    ldap policy: connections
    server connections: connect to server [Servername]
    Binding to [Servername] ...
    Connected to [Servername] using credentials of locally logged on user
    server connections: q
    ldap policy: show values

    Policy                    Current(New)
    MaxPoolThreads            8
    MaxDatagramRecv           1024
    MaxReceiveBuffer          10485760
    InitRecvTimeout           120
    MaxConnections            5000
    MaxConnIdleTime           900
    MaxActiveQueries          20
    MaxPageSize               1000
    MaxQueryDuration          120
    MaxTempTableSize          10000
    MaxResultSetSize          262144
    MaxNotificationPerConn    5

    ldap policy: set MaxPageSize to 50000
    ldap policy: commit changes
    ldap policy: q
    ntdsutil: q
    Disconnecting from [Servername]

Directory Servers

The first step in configuring Directory Services on ePrism is to define and configure your Directory Servers.

Select Basic Config ➝ Directory Services ➝ Servers on the menu to configure your LDAP servers that will be used for ePrism’s LDAP functions such as user and group membership lookups, authentication, and mail routing.

Click Add to configure a new LDAP server, or click Edit to modify an existing server:

• Server URI — Enter the server URI (Uniform Resource Identifier), such as ldap://10.10.4.5. Note: Use ldaps:// if the LDAP directory is accessed over SSL. Without SSL, a simple bind sends the Bind Password across the network in the clear, so ldaps is recommended whenever the directory supports it.

• Label — An optional label or alias for the LDAP server.
• Type — Select the type of LDAP server, such as Active Directory, or choose Others for OpenLDAP or iPlanet.

• Bind — Select this check box to bind to the LDAP server with the specified Bind DN and password.

• Bind DN — Enter the DN (Distinguished Name) of the user that binds to the LDAP server, such as cn=Administrator,cn=users,dc=example,dc=com for Active Directory implementations. Ensure that you enter a bind DN specific to your environment. Since ePrism only needs to read directory data, a dedicated read-only account is preferable to a privileged one such as Administrator. Note: In Active Directory, if you are using a user account other than Administrator to bind to the LDAP server, the name must be specified as the full name, not the account name, such as "John Smith" instead of "jsmith".

• Bind Password — Enter the bind password for the LDAP server.
• Search Base — Specify a default starting point for lookups, such as dc=example,dc=com.
• Timeout — The maximum interval, in seconds, to wait for the search to complete.
• Dereference Aliases — Specifies how alias dereferencing is performed during a search:
Never: Aliases are never dereferenced.
Searching: Aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
Finding: Aliases are only dereferenced when locating the base object of the search.
Always: Aliases are dereferenced both when locating the base object and when searching its subordinates.

Click the Test button to test your LDAP settings and send a test query to the LDAP server.

When finished, click the Apply button to add the LDAP server.

Directory Users and Groups

The Directory Users and Groups screen is used to import user account data from LDAP-based directory servers. This information is used to provide lookups of valid e-mail addresses for the Reject on Unknown Recipient anti-spam option, and to import group membership information for policies.

Local mirror accounts can also be created to allow directory-based users to view and manage quarantined mail for the Spam Quarantine feature.

Select Basic Config ➝ Directory Services ➝ Users and Groups to import users from a directory.

Click the Add button to add a new directory user import configuration.

• Directory Server — Select a directory server to perform the search.
• Search Base — Enter the starting base point for the search, such as dc=example,dc=com.
• Scope — Select the scope of the search. Options are Base, One Level, and Subtree.
Base: Searches the base object only.
One Level: Searches objects directly beneath the base object, but excludes the base object.
Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Query Filter — Enter the appropriate query filter, such as (|(objectCategory=group)(objectCategory=person)) for Active Directory LDAP implementations. If you use Exchange public folders for e-mail, include (objectCategory=publicFolder) in your query filter, for example:

(|(|(objectCategory=group)(objectCategory=person))(objectCategory=publicFolder))

For iPlanet and OpenLDAP, use: (objectClass=person).

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Result Attributes

This section specifies the fields to return during the LDAP query. LDAP queries can return a lot of information that is not required and the Result Attributes are used to filter only the data needed.

• Email attribute — The name of the attribute that identifies the user’s e-mail address. For Active Directory, iPlanet, and OpenLDAP, use mail.

• Email alias attribute — The name of the attribute that identifies the user’s alternate e-mail addresses. In Active Directory, the default is proxyAddresses. For iPlanet, use Email. For OpenLDAP, leave this attribute blank.

• Member Of attribute — The name of the attribute that identifies the group(s) that the user belongs to. This information is used for Policy controls. In Active Directory, the default is memberOf (this is case sensitive). For iPlanet, use Member. For OpenLDAP, leave this blank.

• Account Name attribute — This is the name of the attribute that identifies a user’s account name for login. In Active Directory, the default is sAMAccountName. For iPlanet, use uid. For OpenLDAP, use cn.

Click the Test button to test your LDAP settings. Click Apply when finished.

Import Settings

ePrism can automatically import LDAP user data on a scheduled basis. This allows ePrism to stay synchronized with the LDAP directory.

To import LDAP users and groups:

Click the Import Settings button in the Basic Config ➝ Directory Services ➝ Directory Users and Groups screen.

• Import User Data — Select the check box to enable automatic import of LDAP user data. Enabling automatic import ensures that your imported LDAP data remains current with the information on the LDAP directory server.

• Frequency — Select the frequency of LDAP imports. You can choose between Hourly, Every 3 Hours, Daily, Weekly, and Monthly.

• Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to schedule an import at 11pm for the period specified in the Frequency field.

Click Apply to save the settings. Click Import Now to immediately begin the import of users.

View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.

Mirror LDAP Accounts as Local Users

To provide local account access for the Spam Quarantine feature, you can mirror the LDAP accounts which creates a local account on ePrism for each user imported. This provides a simple method for allowing directory-based users to view and manage quarantined messages if you have enabled the Spam Quarantine feature.

Note: These local mirror accounts cannot be used as local mail accounts. They can only be used for the Spam Quarantine. See “Spam Quarantine” on page 165 for more information on configuring the user-based Spam Quarantine.

To create mirrored LDAP users:

1. Select the Mirror accounts option.
2. Choose an Expiry period for the mirrored accounts. If a user no longer exists in the LDAP directory for the specified period of time, the local mirrored account is deleted. Note that this only applies to the local mirrored account, not to the imported user data used for the Reject on Unknown Recipients feature.

3. Click Apply to save the settings. Click Import Now to immediately begin the import of users and create mirrored accounts.

View the progress of LDAP imports via Status/Reporting ➝ System Logs ➝ Messages.

Mirrored accounts can be viewed via User Accounts ➝ Mirrored Accounts on the menu.

LDAP Aliases

LDAP Aliases are used to search LDAP-enabled directories for mail aliases of a user. If an alias exists, a new mail message will be created for the named address or addresses. This mail message will be returned to the delivery process to be mapped, routed, and processed.

Note: LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations.

See “Mail Aliases” on page 55 for more information on Mail Aliases.

Select Basic Config ➝ Directory Services ➝ LDAP Aliases to configure LDAP Aliases.

Click the Add button to add a new LDAP alias search.

• Directory Server — Select a directory server to perform the search.
• Search Base — Enter the starting base point for the search, such as cn=users,dc=example,dc=com.
• Scope — Select the scope of the search. Options are Base, One Level, and Subtree.
Base: Searches the base object only.
One Level: Searches objects directly beneath the base object, but excludes the base object.
Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Alias Attribute — Enter the Alias Attribute that defines the alias mail addresses for a user, such as (proxyAddresses=smtp:%s@*) for Active Directory implementations.

• EMail — Enter the attribute that returns the user’s e-mail address, such as mail for Active Directory implementations.

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to perform a test of the LDAP alias configuration. Click Apply to save the settings.

LDAP Mappings

LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.

Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This process is performed without modifying the To: and From: headers in the mail, as virtual mappings modify the envelope-recipient address.

Note: LDAP Virtual Mappings have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations.

See “Virtual Mappings” on page 59 for more information on Virtual Mappings.

Select Basic Config ➝ Directory Services ➝ LDAP Mapping to configure LDAP Virtual Mappings.

Click the Add button to add a new LDAP Virtual Mapping search.

• Directory Server — Select a directory server to perform the search.


• Search Base — Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com.

• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
  Base: Searches the base object only.
  One Level: Searches objects beneath the base object, but excludes the base object.
  Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Incoming Address — Enter the Incoming Address attribute that defines the virtual mapping for a user, such as (proxyAddresses=smtp:%s) for Active Directory implementations.

• EMail — Enter the attribute that returns the user’s e-mail address, such as mail for Active Directory implementations.

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to perform a test of the LDAP virtual mapping configuration. Click Apply to save the settings.


LDAP Recipients

The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient feature configured in Mail Delivery ➝ Anti-Spam ➝ Intercept. You must have Reject on Unknown Recipient enabled for this feature to work.

When a mail message is received by ePrism, this feature searches an LDAP directory for the existence of a recipient’s e-mail address. If that user address does not exist in the LDAP directory, the mail is rejected.

This feature differs from the LDAP Users lookup option which searches for a user using the imported locally-cached LDAP users database. The LDAP Recipients feature performs a direct lookup on a configured LDAP directory server for each address.

If both LDAP Users and LDAP Recipients are enabled with Reject on Unknown Recipient, the system will look up the local and mirrored LDAP Users first, and then use the direct query to an LDAP server.

Select Basic Config ➝ Directory Services ➝ LDAP Recipients on the menu to configure your LDAP recipient lookups.

Click Add to add a new LDAP Recipients search.


• Directory Server — Select a directory server to perform the search.

Note: The directory server Bind password cannot contain a "$" character.

• Search Base — Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com.

• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
  Base: Searches the base object only.
  One Level: Searches objects beneath the base object, but excludes the base object.
  Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Query Filter — Enter the Query Filter for the LDAP Recipients lookup, such as (&(objectClass=person)(mail=%s)) for Active Directory implementations. For OpenLDAP and iPlanet, use (&(objectClass=person)(uid=%s)).

• Result Attribute — Enter the attribute that returns the user’s e-mail address, such as mail for Active Directory implementations. For OpenLDAP, and iPlanet, you can also use mail.

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to perform a test of the LDAP recipients configuration. Click Apply to save the settings.
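At lookup time the %s placeholder in the Query Filter is replaced by the recipient address, and the order described above (local LDAP Users cache first, then the direct query) decides whether Reject on Unknown Recipient fires. The following added example is not the appliance's code: it renders the filter templates from this section and from LDAP Aliases with RFC 4515 escaping, so the substituted address is always compared literally while a wildcard that belongs to the template, as in (proxyAddresses=smtp:%s@*), is preserved, and evaluates them against a constructed in-memory directory standing in for the LDAP server.

```python
"""Recipient and alias lookups of the kind described for the LDAP Recipients
and LDAP Aliases features: a Query Filter template with %s is filled with the
recipient address and the Result Attribute is read from matching entries.
Added illustration, not appliance code; the directory below is constructed
sample data standing in for a real LDAP server."""
from __future__ import annotations

import re

# RFC 4515 escaping for assertion values placed inside a search filter.
# Without it an address containing '*', '(' or ')' changes the structure of
# the filter instead of being compared as a literal value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str, escape: bool = True) -> str:
    """Substitute %s in a Query Filter template such as (mail=%s)."""
    return template.replace("%s", escape_filter_value(value) if escape else value)


def _assertion_regex(value: str) -> re.Pattern[str]:
    """An unescaped '*' is a substring wildcard; '\\XX' is one literal character."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    # mail, uid and sAMAccountName all use case-insensitive matching rules
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _split_components(body: str) -> list[str]:
    """Split '(a)(b)' into ['(a)', '(b)'], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in filter: {body!r}")
    return parts


def matches(entry: dict[str, list[str]], filt: str) -> bool:
    """Evaluate a filter built from &, | and attribute=value assertions."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"malformed filter: {filt!r}")
    body = filt[1:-1]
    if body and body[0] in "&|":
        results = [matches(entry, sub) for sub in _split_components(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, sep, value = body.partition("=")
    if not sep or attr.startswith("!"):
        raise ValueError(f"unsupported filter component: {filt!r}")
    # attribute names are case-insensitive; entries are keyed in lower case
    return any(_assertion_regex(value).match(v) for v in entry.get(attr.lower(), []))


# Constructed stand-in for the directory server (Active Directory style).
DIRECTORY: list[dict[str, list[str]]] = [
    {"objectclass": ["person"], "samaccountname": ["alice"], "mail": ["alice@example.com"],
     "proxyaddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"objectclass": ["person"], "samaccountname": ["bob"], "mail": ["bob@example.com"],
     "proxyaddresses": ["SMTP:bob@example.com"]},
    # a mail-enabled group: has a mail attribute but is not a person
    {"objectclass": ["group"], "mail": ["everyone@example.com"]},
]

# Constructed stand-in for the imported, locally cached LDAP Users database.
LOCAL_LDAP_USERS = {"carol@example.com"}


def ldap_search(template: str, value: str, result_attribute: str,
                escape: bool = True) -> list[str]:
    """Direct query: render the filter and return the Result Attribute values."""
    filt = render_filter(template, value, escape)
    found: list[str] = []
    for entry in DIRECTORY:
        if matches(entry, filt):
            found.extend(entry.get(result_attribute.lower(), []))
    return found


def recipient_known(address: str, escape: bool = True) -> bool:
    """Reject on Unknown Recipient decision with LDAP Users and LDAP Recipients
    both enabled: the local cache is consulted first, then the direct query."""
    if address.lower() in LOCAL_LDAP_USERS:
        return True
    return bool(ldap_search("(&(objectClass=person)(mail=%s))", address, "mail", escape))


def alias_owner(local_part: str) -> list[str]:
    """LDAP Aliases lookup: the '*' is part of the template, so it stays a
    wildcard while the substituted local part is escaped."""
    return ldap_search("(proxyAddresses=smtp:%s@*)", local_part, "mail")


if __name__ == "__main__":
    for addr in ["alice@example.com", "carol@example.com", "nobody@example.com", "*@example.com"]:
        print(f"{addr:22} known={recipient_known(addr)}")
    print("alias a.smith ->", alias_owner("a.smith"))
```

With escaping, "*@example.com" is rejected because no entry has that literal address; with escape=False the same address would turn the equality check into a wildcard match and be accepted.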


LDAP Relay

The LDAP SMTP Authenticated relay feature allows authenticated clients to use this ePrism as an external mail relay for sending mail. For example, you may have remote users that need to send mail via this ePrism system.

These client systems must use a login and password to authenticate to the system before being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP relay authentication to authenticate the user to an LDAP directory server.

Configuring LDAP Authenticated SMTP Relay

1. Select Mail Delivery ➝ Mail Access on the menu.

2. Enable the Permit SMTP Authenticated Relay and the LDAP Authenticated Relay check boxes.


3. Select Basic Config ➝ Directory Services ➝ LDAP Relay on the menu.

There are two different ways to provide LDAP support for SMTP authentication: Using Bind, or querying the LDAP server directly.

Note: The Bind method will only work with Active Directory and iPlanet implementations. The Query Direct method will only work with OpenLDAP.

• Bind — The Bind method will use the User ID and password to authenticate on a successful bind. The Query Filter must specify the User ID with a %s variable, such as (sAMAccountName=%s) for Active Directory. The Result Attribute must be a User ID such as sAMAccountName. Enter corresponding values specific to your LDAP environment. For iPlanet, use uid=%s for Query Filter, and mail for Result Attribute.

• Query Directly — The Query Direct method will query the LDAP server directly to authenticate a user ID and password. The Query Filter must specify the user ID, and the Result Attribute must specify the password. For OpenLDAP, use uid=%s for Query Filter, and userPassword for Result Attribute.

For either method, the relay will be refused if the LDAP server direct query or bind attempt fails for any reason, such as an invalid user name or password, bad query, or if the LDAP server is not responding.

Note: The directory server Bind password cannot contain a "$" character.

Select a method, and then click Add to add an entry.

Note: You can only use one method, Bind or Query Direct, for all defined LDAP servers. You cannot use both at the same time.


• Directory Server — Select a directory server to perform the search.

• Search Base — The Search Base is derived from the Search Base setting in Basic Config ➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base string with information specific to your LDAP hierarchy, such as cn=users,dc=example,dc=com.

• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
  Base: Searches the base object only.
  One Level: Searches objects beneath the base object, but excludes the base object.
  Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Query Filter — Enter the Query Filter for the LDAP lookup, such as (sAMAccountName=%s) for Active Directory implementations.

• Result Attribute — Enter the attribute that returns the user’s account, such as sAMAccountName for Active Directory implementations.

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to perform a test of the LDAP relay configuration. Click Apply to save the settings.

LDAP Routing

LDAP mail routing allows a mail route for a recipient to be queried on a specified LDAP server. The destination mail server for that domain will be returned and the message will then be routed to that server. This is the preferred method for mail routing for organizations with a large number of domains. Any locally defined mail routes in Mail Delivery ➝ Routing ➝ Mail Routing will be resolved before LDAP routing.

Note: LDAP routing has been tested only with iPlanet implementations but the examples provided should work with OpenLDAP depending on your LDAP schema.

Select Basic Config ➝ Directory Services ➝ LDAP Routing to configure your LDAP routing settings.

Click Add to add a new LDAP route search.

• Directory Server — Select a directory server to perform the search.

• Search Base — The Search Base is derived from the Search Base setting in Basic Config ➝ Directory Services ➝ Servers. You must ensure that you complete the Search Base string with information specific to your LDAP hierarchy, such as cn=users,dc=example,dc=com.


• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.
  Base: Searches the base object only.
  One Level: Searches objects beneath the base object, but excludes the base object.
  Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Query Filter — Enter the Query Filter that will search for the Mail Domain of a recipient, such as (&(cn=Transport Map)(uid=%s)) for OpenLDAP implementations.

• Result Attribute — Enter the attribute that returns the domain’s mail host, such as mailHost for OpenLDAP implementations.

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to perform a test of the LDAP routing configuration. Click Apply to save the settings.


CHAPTER 5 Mail Security and Encryption

This chapter describes how to configure the mail security features of your ePrism Email Security Appliance and contains the following topics:

• “SMTP Mail Access” on page 82
• “Anti-Virus” on page 85
• “E-Mail Message Encryption” on page 88
• “Encrypting Mail Delivery Sessions” on page 92
• “SSL Certificates” on page 95


SMTP Mail Access

The Mail Access screen allows you to configure features that provide security when ePrism is accepting mail during an SMTP connection.

Select Mail Delivery ➝ Mail Access to configure your SMTP mail access settings.

• Specific Access Patterns — This feature can be used to search for patterns in a message for filtering during the SMTP connection. See “Specific Access Patterns (SAP)” on page 130 for detailed information on configuring these filters.

• Pattern Based Message Filtering — Enable this option to use Pattern Based Message Filtering to reject or accept mail based upon matches in the message envelope, header, or body. See “Pattern Based Message Filtering (PBMF)” on page 110 for detailed information on configuring Pattern Based Message Filters.

• Maximum recipients per message — Set the maximum number of recipients accepted per message. A very large number of recipients means the message is more likely to be spam or bulk mail. The default is set to 1000.

• Maximum message size — Set the maximum message size that will be accepted by ePrism. Note: When attachments are sent with most e-mail messages, the message size grows considerably due to the encoding methods used. The maximum message size should be set accordingly to accommodate attachments.


Maximum Unknown Recipients

• Maximum Unknown Recipients Per Message — This value determines how many unknown recipients are allowed in the message before it will be rejected by ePrism. A high number of unknown recipients indicates the message is likely spam, or a denial of service attempt.

• Maximum Unknown Recipients Reject Code — This value indicates the SMTP reject code to use when the maximum unknown recipients value is exceeded. This should be set to either 421 (temporary reject) or 554 (permanent reject).

SMTP Authenticated Relay

This feature allows authenticated clients to use ePrism as an external mail relay for sending mail. For example, you may have remote users that need to send mail via this ePrism system.

Client systems must use a login and password to authenticate to the system before being allowed to relay mail. These accounts can be local or they can be authenticated via LDAP.

Select Mail Delivery ➝ Mail Access on the menu to enable SMTP Authenticated Relay.

LDAP SMTP Authentication

SMTP authentication can also be performed via an LDAP directory server. Select the check box to enable LDAP Authenticated Relay, and select the link to configure. This feature can also be configured via Basic Config ➝ Directory Services ➝ LDAP Relay.

See “LDAP Relay” on page 76 for detailed information on configuring LDAP Authenticated Relay.


SMTP Banner

The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This banner contains identifying information about your mail server, which could be used as reconnaissance for attacks against ePrism.

This option allows you to customize the SMTP banner and also remove ePrism’s hostname by using the Domain only option.

Anti-Virus

ePrism provides an optional virus scanning service. When enabled, all messages (inbound and outbound) passing through the ePrism Email Security Appliance can be scanned for viruses. ePrism integrates the Kaspersky Anti-Virus engine which is one of the highest rated virus scanning technologies in the world. Virus scanning is tightly integrated with the mail engine for maximum efficiency.

Viruses can be selectively blocked depending on whether they are found in inbound or outbound messages, and attachments are recursively disassembled to ensure that viruses cannot be concealed. When a virus-infected message is received, it can be rejected, deleted, quarantined, or the event can be simply logged. Quarantined messages may be viewed, forwarded, downloaded, or deleted. Quarantined messages can also be automatically deleted based on age.

By default, any e-mail attachments that cannot be opened and examined by the mail scanner because of password-protection are quarantined. This feature prevents password-protected zip files that contain viruses or worms from being passed through the system.

Virus pattern files are automatically downloaded at regular intervals to ensure that they are always up to date. Notification messages can be sent to the sender, recipient, and mail administrator when an infected message is received.

Licensing Anti-Virus

Kaspersky Anti-Virus is a cost option. To enable virus scanning after the 30-day evaluation period, you must purchase and install a license for each system. See “License Management” on page 274 for more information on adding licenses.


Configuring Anti-Virus Scanning

Select Mail Delivery ➝ Anti-Virus from the menu to configure virus scanning for both inbound and outbound directions.

• Enable Kaspersky virus scanning — Enable or disable virus scanning by selecting the check box.

• Treat unopenable attachments as viruses — This option is enabled by default to classify unopenable attachments, such as password-protected or encrypted files, as viruses. This feature prevents password-protected or encrypted files that contain viruses or worms from being passed through the system.

• Action — Configure the action to be performed for both inbound and outbound mail. Possible actions include:
  Just log: Log the event and take no further action.
  Reject mail: The message is rejected with notification to the sending system.
  Quarantine mail: The message is placed into the administrative quarantine area.
  Discard mail: The message is discarded without notification to the sending system.

• Notification — A notification e-mail can be sent to the recipients and sender of a message, and also the mail system administrator. Select the required check box for both inbound and outbound mail. In the Inbound Notification and Outbound Notification text boxes, customize the content for the response message.


Updating Pattern Files

Virus pattern files must be continuously updated to ensure that you are protected from new virus threats. The frequency of virus pattern file updates can be configured from the Virus Pattern Files section.

• Update interval (mins) — Select the time interval to configure how often to check for pattern file updates. Options include 15, 30, and 60 minutes.

• Proxy — If you access the Internet through a proxy server, you must enter its hostname and port number, such as proxy.example.com:80, for updates to succeed.

• Manual Update — Pattern files can be updated manually by clicking the Get Pattern Now button.

• Status — Displays the date and time of the last update.


E-Mail Message Encryption

ePrism provides integration with external encryption servers to provide e-mail encryption and decryption functionality. E-mail encryption allows individual messages to be encrypted by a separate encryption server before being delivered to its destination by ePrism. Incoming encrypted messages can also be sent to the encryption server to be decrypted before ePrism accepts the message and delivers it to the intended recipient.

This integration allows organizations to ensure that encrypted messages are still processed by ePrism for security issues, as well as being scanned for content and policy rules.

E-mail encryption provides organizations with the ability to protect the privacy and confidentiality of their messages and also conform to any regulatory compliance policies that must ensure that certain types of data are encrypted before being sent out across the Internet.

Encryption and decryption can be performed for selected e-mail messages via filter rules on the ePrism. A message filter can be created for specific e-mail sending addresses, IP addresses and host names of specific SMTP servers, or for specific words located in the subject of a message such as "Encrypt".

Note: As mail is forwarded back and forth between ePrism and the Encryption server, all mail statistics will include this additional delivery and mail counts will be higher as a result.

Configuring ePrism Message Encryption and Decryption

ePrism can be set up to integrate with an existing encryption server using the following general steps:

1. Configure the Encryption server to integrate with ePrism.
2. Create Mail Routes to the Encryption server on ePrism.
3. Enable Encryption and Decryption on ePrism.
4. Create Encryption rules on ePrism to identify messages to be encrypted.

Note: The Encryption server must be on the same network as ePrism. Ensure they are communicating properly and can see each other on the network by using a utility such as ping.

Configuring the Encryption Server

The existing Encryption server must be set up to relay all mail to the ePrism Email Security Appliance. Please see the documentation provided by your Encryption server vendor.


In general, outbound and inbound proxies or mail routes must be configured on the Encryption server to ensure messages are accepted from and passed back to ePrism after being encrypted or decrypted.

Define Mail Routes for Encryption and Decryption

Mail routes to the Encryption server must be defined for both encrypting and decrypting messages. To ensure ePrism knows where to route messages for encryption, create a mail route for the domains .encrypt_reroute and .decrypt_reroute to the address of the Encryption server.

1. Select Mail Delivery ➝ Routing ➝ Mail Routing to define mail routes.

2. Enter .encrypt_reroute as the Domain, and in the Route-to field, enter the address of the Encryption server such as 192.168.1.175.

3. Similarly, create a route for .decrypt_reroute as the Domain, and in the Route-to field, enter the address of the Encryption server such as 192.168.1.175.

Note: The port and IP address may be different depending on the Encryption server configuration.


Enabling Encryption and Decryption on ePrism

1. Select Mail Delivery ➝ Encryption to configure your encryption settings.

2. Select the Active check box to enable the Encryption and Decryption action as required.

3. Select an Action to perform on a message that is to be encrypted or decrypted.

Select the Redirect to action to send this message to the Encryption server for encryption or decryption using the mail route specified in the Action Data field.

4. To reroute the message to the Encryption server using the Redirect to action, the Action Data must be set to the appropriate mail route for encryption and decryption. Enter encrypt_reroute or decrypt_reroute as the action data. These mail routes must be defined in Mail Delivery ➝ Routing ➝ Mail Routing to point to the Encryption server.

5. Select optional notifications to the Recipients, Sender, or Administrator, when a message has been sent for encryption.

Defining Filter Rules for Encryption

A filter rule must be used to identify what types of messages are to be encrypted. For example, your organization may use a tag in the subject header such as "Encrypt" which can be used to identify an outgoing message that must be encrypted. Specific e-mail addresses and IP addresses can also be defined to ensure certain users or servers have their e-mail encrypted.

Encryption rules can be created using either Pattern Based Message Filters (PBMF) or by using definable dictionaries with the Objectionable Content Filtering and Attachment Scanning features. The latter features allow dictionaries with specific keywords and phrases to be used to trigger the encryption rules. See “Attachment and Content Scanning” on page 99 for detailed instructions on configuring these features.

The filter rule will examine outbound mail messages for specific patterns to redirect mail for encryption. This could be anything from a user’s e-mail address to a phrase. When setting up the filter rule, the only criterion is that the filter action is set to Encrypt or Decrypt.

To set up an encryption rule using Pattern Based Message Filters:

1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMFs) to set up filters for encryption purposes.

2. Create a simple rule that checks all outbound mail for the word "Encrypt" in the subject, and set the action to Encrypt.

Note: The "Encrypt" and "Decrypt" PBMF actions will only appear when Encryption and Decryption are enabled in Mail Delivery ➝ Encryption.

3. A separate filter rule must be created to allow messages arriving from the Encryption server to be relayed. This action allows ePrism to accept messages back from the Encryption server that have been encrypted and relay these messages to external networks. Create a rule to match the Client IP field to the address of the Encryption server, such as 192.168.1.175, and set the action to Relay.

Note: The filter rule that allows messages to be relayed back must be of a higher priority than any Encryption rule that is created.

Similarly, you must create a PBMF rule to examine incoming messages that need to be decrypted before being delivered to the recipient.
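The priority requirement in step 3 exists because a message comes back from the Encryption server still carrying the subject that matched the encryption rule. The following added example is not the appliance's code: using hypothetical Rule and Message structures, and assuming the Encryption server returns the message with its subject unchanged, it evaluates the two PBMF rules from this procedure in both orders and shows that only the order described above delivers the encrypted message instead of redirecting it to the Encryption server again.

```python
"""Simulation of the PBMF rule ordering needed for the encryption reroute.
Added illustration with hypothetical data structures; not the appliance's
implementation.  The Encryption server address and the message are
constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field

ENCRYPTION_SERVER = "192.168.1.175"   # address used in the procedure above


@dataclass
class Message:
    client_ip: str                      # system that handed the message to ePrism
    subject: str
    hops: list[str] = field(default_factory=list)   # route taken so far


@dataclass
class Rule:
    name: str
    match_field: str                    # "Client IP" or "Subject"
    pattern: str                        # exact IP, or substring of the subject
    action: str                         # "Relay" or "Encrypt"


def rule_matches(rule: Rule, msg: Message) -> bool:
    if rule.match_field == "Client IP":
        return msg.client_ip == rule.pattern
    if rule.match_field == "Subject":
        return rule.pattern.lower() in msg.subject.lower()
    raise ValueError(f"unsupported field {rule.match_field!r}")


def apply_rules(rules: list[Rule], msg: Message) -> str:
    """Rules are listed in priority order; the first match decides the action."""
    for rule in rules:
        if rule_matches(rule, msg):
            return rule.action
    return "Deliver"                    # nothing matched: ordinary delivery


def process(rules: list[Rule], msg: Message, max_rounds: int = 5) -> str:
    """Follow one message between ePrism and the Encryption server until it
    is delivered externally, or give up once it keeps bouncing."""
    for _ in range(max_rounds):
        action = apply_rules(rules, msg)
        if action == "Encrypt":
            # redirected over the .encrypt_reroute mail route; the Encryption
            # server encrypts the message and hands it back to ePrism, so the
            # next pass sees the Encryption server as the client IP
            msg.hops.append("encrypt_reroute")
            msg.client_ip = ENCRYPTION_SERVER
            continue
        msg.hops.append("delivered")    # Relay or Deliver: leaves ePrism
        return "delivered"
    return "loop"                       # re-routed to the Encryption server every pass


RELAY_RULE = Rule("accept mail back from Encryption server", "Client IP", ENCRYPTION_SERVER, "Relay")
ENCRYPT_RULE = Rule("encrypt tagged outbound mail", "Subject", "Encrypt", "Encrypt")


def outcome(relay_first: bool) -> tuple[str, list[str]]:
    """Run a tagged outbound message through the two rules in the given order."""
    rules = [RELAY_RULE, ENCRYPT_RULE] if relay_first else [ENCRYPT_RULE, RELAY_RULE]
    msg = Message(client_ip="10.0.0.25", subject="Encrypt: Q3 board pack")  # constructed
    return process(rules, msg), msg.hops


if __name__ == "__main__":
    print("relay rule first   ->", outcome(True))
    print("encrypt rule first ->", outcome(False))
```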


Encrypting Mail Delivery Sessions

ePrism offers a simple mechanism for encrypting mail delivery using SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption.

A flexible policy can be implemented to allow other servers and clients to establish encrypted sessions with ePrism to send and receive mail.

The following types of traffic can be encrypted:

• Server to Server — Used to create an e-mail VPN (Virtual Private Network) and protect company e-mail over the Internet.

• Client to Server — Many e-mail clients, such as Outlook, support TLS for sending and receiving mail. This allows e-mail messages to be sent with complete confidentiality from desktop to desktop, but without the difficulties of implementing other encryption schemes.

Encryption can be enforced between particular systems, such as setting up an e-mail VPN between two ePrism Email Security Appliances at remote sites. Encryption can also be set as optional so that users who are concerned about the confidentiality of their messages on the internal network can specify encryption in their mail client when it communicates with ePrism.

ePrism supports the use of certificates to initiate the negotiation of encryption keys. ePrism can generate its own site certificates, and can also import Certificate Authority (CA) signed certificates.

See “SSL Certificates” on page 95 for more information on importing certificates.


Configuring Mail Delivery Encryption

Select Mail Delivery ➝ SMTP Security from the menu to enable e-mail delivery encryption.

Incoming TLS Mail

• Accept TLS — Enable this option to accept SSL/TLS for incoming mail connections.

• Require TLS for SMTP AUTH — This value is used to require SSL/TLS when accepting mail for authenticated relay. See “SMTP Authenticated Relay” on page 83 for more detailed information.

• Log TLS info into Received header — Enable this option to log TLS information (including protocol, cipher used, client and issuer common name) into the Received: message header.

Note: These headers may be modified by intermediate servers and only information recorded at the final destination is reliable.

Default TLS Policy

• Offer TLS — Enable this option to offer remote mail servers the option of using SSL/TLS when sending mail.

• Enforce TLS — Enabling this option will require the validation of a CA-signed certificate when delivering mail to a remote mail server. Failure to do so will result in mail delivery failure.


Specific Site Policy

This option supports the specification of exceptions to the default settings for TLS/SSL. For example, you may need to exempt a mail server from using TLS/SSL because of lack of TLS support.

To exempt a system, specify the IP Address or FQDN (Fully Qualified Domain Name) of the remote mail server in the Add/Update Site field. Select Don’t Use TLS from the drop-down box and click the Update button. The exempted mail server will be listed under the Specific Site Policy.

TLS options include the following:

• Don’t Use TLS — TLS Mail Delivery is never used with the specified system.

• May Use TLS — Use TLS if the specified system supports it.

• Enforce TLS — Deliver to the specified system only if a TLS connection with a valid CA-signed certificate can be established.

• Loose TLS — Similar to Enforce TLS but will accept a mismatch between the specified server name and the Common Name in the certificate.

SSL Certificates

A valid SSL certificate is required to support the encryption services available on ePrism. The SSL encrypted channel from the server to the web browser (such as when using a URL that begins with HTTPS), requires a valid digital certificate. You can use self-signed certificates generated by ePrism, or import certificates purchased from commercial vendors such as Verisign.

A certificate binds a domain name to an IP address by means of the cryptographic signature of a trusted party. The web browser can warn you of invalid certificates that undermine secure, encrypted communications with a server.

The disadvantage of self-signed certificates is that web browsers will display warnings that the "company" (in this case, the ePrism Email Security Appliance) issuing the certificate is untrusted. When you purchase a commercial certificate, the browser will recognize the company that signed the certificate and will not generate these warning messages.

A web server digital certificate can only contain one domain name, such as server.example.com, and a limitation in the SSL protocol only allows one certificate per IP address. Some web browsers will display a warning message when trying to connect to any domain on the server that has a different domain name than the server specified in the single certificate. Digital certificates eventually expire and are no longer valid after a certain period of time and need to be renewed before the expiry date.

Install a commercial certificate on the ePrism Email Security Appliance as follows:

1. Select Management ➝ SSL Certificates on the menu.

2. Create a new certificate using the Generate a 'self-signed' certificate button.


3. Click Apply to reboot the system to install the new certificate.

4. After the reboot, the current certificate and certificate request that was signed by the on-board Certificate Authority will be displayed. To obtain a commercial certificate, send this certificate request information to the commercial Certificate Authority (CA) of your choice (such as Verisign, Entrust, and so on) for signing.

Note: Ensure that the certificate is an Apache type of certificate for a mail server.

5. When received from the CA, install the commercial certificate using the Load site certificate button.

SSL Certificate

Enter the PEM encoded certificate information from the signed SSL certificate returned by the CA by copying and pasting the appropriate text into the specified field.

Private Key

Select the Use this Private Key for SSL Certificate check box to use the supplied private key. Copy and paste the PEM encoded private key into the required field. Do not enable this option and leave the field blank if the certificate was generated by a request from this ePrism system.

Note: Generating a new self-signed certificate after you have installed a commercial certificate will overwrite the private key associated with the installed commercial certificate, making it invalid.


Intermediate Certificate

Some commercial certificates require you to upload an intermediate certificate in addition to the commercial certificate and the private key. Enter this information into the Intermediate Certificate section.


CHAPTER 6 Attachment and Content Scanning

This chapter describes how to configure the Attachment and Content scanning features of your ePrism Email Security Appliance, and contains the following topics:

• “Content Scanning Overview” on page 100
• “Attachment Control” on page 101
• “Attachment Content Scanning” on page 104
• “Objectionable Content Filter” on page 108
• “Pattern Based Message Filtering (PBMF)” on page 110
• “Malformed Mail” on page 119
• “Dictionaries” on page 121


Content Scanning Overview

ePrism’s extensive content management capabilities allow administrators to scan e-mail messages and attachments to ensure that inappropriate and offensive material or sensitive documents are prevented from being transmitted inbound or outbound.

ePrism’s advanced attachment content scanning performs deep scanning of e-mail attachments, such as PDF and document files, for patterns of text and phrases defined in a phrase file.

These content filtering and scanning features can also be used by the policy engine to allow organizations to create different content scanning policies for different sets of users.

Select Mail Delivery ➝ Content Management on the menu to configure the content control and scanning features.

• Inbound Attachment Control — Filters inbound messages based on the type of attachment.

• Outbound Attachment Control — Filters outbound messages based on the type of attachment.

• Attachment Content Scanning — Performs deep content scanning on an attachment and filters the message based on a list of key words.

Note: The advanced content scanning feature is a licensed feature.

• Objectionable Content Filtering (OCF) — The Objectionable Content Filter defines a list of key words that will cause a message to be blocked if any of those words appear in the message.

• Pattern Based Message Filtering (PBMF) — Reject or accept mail based on matches in the message envelope, header, and body.

• Malformed Mail — Scans for malformed messages in incoming mail to protect against Denial of Service (DoS) attacks.

Attachment Control

Attachment filtering can be used to control a wide range of problems originating from both inbound and outbound attachments, including the following:

• Viruses — Attachments carrying viruses can be blocked.

• Offensive Content — ePrism can block the transfer of image files, which reduces the chance that an offensive picture is transmitted to or from your company mail system.

• Confidentiality — Prevents unauthorized documents from being transmitted through the ePrism Email Security Appliance.

• Loss of Productivity — Prevents your systems from being abused by employees.

Configuring Attachment Control

Select Mail Delivery ➝ Content Management ➝ Attachment Control to configure attachment filtering for inbound and outbound messages.

• Default action — This value sets the default action for attachment control for items not specifically listed in the Attachment Types list. The default is Pass, which allows all attachments. Any file types defined in the Attachment Types list will override the default setting.

• Attachment Control — Enable the feature for inbound and outbound mail.

• Attachment Types — Click Edit to configure the attachment types to control.

• Action — Select an action to be performed. Options include:

Just log: Log the event and take no further action.
Reject mail: The message is rejected with notification to the sending system.
Quarantine mail: The message is placed into the administrative quarantine area.
Discard mail: The message is discarded without notification to the sending system.

• Notification — Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Administrators can customize the content for the Inbound and Outbound notification.

Editing Attachment Types

Click the Edit button to edit your attachment types. You can add file extensions (.mp3), or MIME content types (image/png). For each attachment type, choose whether you want to BLOCK or Pass the attachment.

Select the Scan check box to perform content scanning for attachments with the specified extension.

Click the Add Extension button to add a file extension/MIME type to the list.

• Extension — Enter a specific attachment type extension or MIME type, such as ".mp3" or "image/png".

• Scan — Select this option to perform content scanning for attachments with the specified extension. This allows the system to scan the files within an archive (such as a .zip) for forbidden attachment types. The attachment is still checked for viruses when the Scan option is deselected.

If an archive such as a .zip contains a file type that is blocked, the archive is blocked even if its own type is set to Pass. Disable the Scan option if you do not want the contents of archives inspected; note that a blocked type wrapped in an archive will then pass along with the archive.
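
The decision described above, as an added example that is not ePrism code: a message's attachments are checked against a small policy table in the shape of the Attachment Types list (extension or MIME type, BLOCK or Pass, and whether to scan inside archives), and a .zip marked for scanning is opened so that a blocked member blocks the whole archive. The POLICY table, the sample message and the file names are constructed for this example.

```python
"""Attachment control with archive inspection (added example, not ePrism code).

Decides whether a message passes an attachment-type policy of the kind
configured above: extensions and MIME types map to "block" or "pass", and a
zip archive marked "scan" is opened so that a blocked type hidden inside it
blocks the archive. POLICY, the message and the file names are constructed.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Hypothetical Attachment Types list: key -> (action, scan inside archive).
POLICY = {
    ".exe": ("block", False),
    ".mp3": ("block", False),
    ".zip": ("pass", True),   # the archive itself may pass, but look inside
    "image/png": ("block", False),
}
DEFAULT_ACTION = "pass"        # the appliance default for unlisted types
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(filename):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def lookup(filename, content_type):
    """(action, scan) for one attachment: extension first, then MIME type."""
    for key in (_ext(filename), (content_type or "").lower()):
        if key in POLICY:
            return POLICY[key]
    return (DEFAULT_ACTION, False)


def blocked_member(data):
    """Name of the first blocked member inside a zip, or None if all pass."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if lookup(member, None)[0] == "block":
                    return member
    except zipfile.BadZipFile:
        return "<unreadable archive>"   # cannot verify contents: treat as blocked
    return None


def evaluate(raw_message):
    """Return (verdict, reason) for a raw RFC 822 message."""
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue                      # ordinary body text, not an attachment
        ctype = part.get_content_type()
        action, scan = lookup(filename, ctype)
        if action == "block":
            return ("block", f"{filename}: {ctype} is a blocked type")
        if scan and _ext(filename) in ARCHIVE_EXTENSIONS:
            member = blocked_member(part.get_payload(decode=True))
            if member is not None:
                return ("block", f"{filename} contains blocked member {member}")
    return ("pass", "no blocked attachments")


def build_sample(zip_members):
    """Constructed message carrying one zip attachment with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in zip_members:
            zf.writestr(name, b"sample bytes")
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached archive.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(evaluate(build_sample(["notes.txt"])))
    print(evaluate(build_sample(["notes.txt", "setup.exe"])))
```

An archive that cannot be opened is reported as blocked rather than passed, because an unreadable container gives no way to confirm that it carries nothing on the block list.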

Attachment Content Scanning

ePrism’s Attachment Content Scanning features perform deep scanning of attachments, such as PDF and Microsoft document files, for patterns of text and phrases. This allows organizations to use filter rules and policy settings to scan attachments for specific content that could be considered offensive, private and confidential, or against existing compliancy rules.

There are two methods for content scanning of message attachments:

• Text and phrases are searched for in a document using a Pattern-Based Message Filter (PBMF) and an appropriate PBMF action performed if there is a match.

• ePrism will search the extracted message text for words contained in uploaded compliancy files defined via a policy and perform the configured action if there is a match.

Note: Attachment Content Scanning is a licensed feature and requires a license key to work after an initial 30 day evaluation period.

Suspicious Attachments

The following cases will result in an attachment being flagged as "suspicious". These files will be treated according to the Treat suspicious attachments as compliancy violations setting.

• Files that are larger than 1 GB
• File types that are not recognized by the scanner
• Files that take longer than one minute to scan
• Malformed or virus-infected attachments

Configuring Attachment Content Scanning

Select Mail Delivery ➝ Content Management ➝ Attachment Scanning to configure your attachment content scanning options.

• Enable — Select the check box to enable attachment content scanning.

• Treat unopenable documents as compliancy violations — Attachments that are protected by a password or encrypted may contain text that is a compliancy violation. Enable this feature to treat unopenable documents as though they were not compliant. Note: Files over 1 GB in size will not be scanned and are classified as "suspicious".

• Phrase length — This field specifies the length of phrases used for pattern-matching checks. This number of words will be passed to the scanning engine to check if it matches any phrases in your compliancy file. Note: Long phrases will result in greater processing times. It is recommended that phrases be four words or less.

• File Types — Select the types of files to be scanned:

All Supported Formats: Scans every file format supported by the content scanner.
Common Document Formats: Scans only the common word processing, spreadsheet, database, presentation, text, and archive formats.
Standard Document Formats: Scans the common document formats (word processing, spreadsheet, database, presentation, text, and archive files) together with less common formats such as graphics and desktop publishing files.

• Punctuation treatment — Select how the scanning engine should treat punctuation.

Significant: The punctuation is considered part of the word or phrase it appears in.
Treat as space: The punctuation is treated as a space. For example, the phrase "This, is classified" is treated as "This is classified". This is the default setting.
Ignore: The punctuation is dropped completely, so "top-secret" is seen as the single word "topsecret" and will not match a two-word phrase.

• Case sensitivity — Select how the scanning engine will treat case sensitivity. If Sensitive is chosen, capitalization of letters will be taken into effect. For example, the word "Classified" must appear in the phrase compliancy file with the capitalized first letter.

• Notifications — Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Enter the content for the notification message. See “Customizing Notification and Annotation Messages” on page 333 for information on variables such as %SENDER% and %RECIPIENT%.
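
The effect of the phrase length, punctuation and case options on a dictionary match, as an added example that is not ePrism's scanning engine: it loads a constructed compliancy phrase file (one word or phrase per line), normalizes the text extracted from a document with the chosen options, and reports which phrases are present. The function names, the dictionary and the sample text are this example's own.

```python
"""Phrase-file scan over extracted attachment text (added example, not ePrism code).

Applies the phrase length, punctuation treatment and case sensitivity options
described above to text already extracted from a document and returns the
dictionary phrases that matched. Dictionary and document text are constructed.
"""
import string

# Constructed compliancy dictionary, one word or phrase per line (Unix format).
DICTIONARY_FILE = "Classified\nTop Secret\nInternal Use Only\n"

_PUNCT = set(string.punctuation)


def load_phrases(text):
    """Parse a dictionary file: one phrase per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def normalize(text, punctuation="space", case_sensitive=False):
    """Turn text into a word list according to the punctuation and case options.

    punctuation: "significant" keeps marks inside words, "space" turns each
    mark into a separator, "ignore" drops marks entirely.
    """
    if punctuation == "space":
        text = "".join(" " if ch in _PUNCT else ch for ch in text)
    elif punctuation == "ignore":
        text = "".join(ch for ch in text if ch not in _PUNCT)
    elif punctuation != "significant":
        raise ValueError("unknown punctuation treatment: %r" % punctuation)
    if not case_sensitive:
        text = text.lower()
    return text.split()


def scan(document_text, phrases, phrase_length=4, **opts):
    """Return the dictionary phrases found in document_text.

    Each phrase is normalized with the same options as the document and then
    matched as a sliding window of words. A phrase longer than phrase_length
    can never match, which is why the window bounds what the engine can find.
    """
    words = normalize(document_text, **opts)
    hits = []
    for phrase in phrases:
        pwords = normalize(phrase, **opts)
        n = len(pwords)
        if n == 0 or n > phrase_length:
            continue
        for i in range(len(words) - n + 1):
            if words[i:i + n] == pwords:
                hits.append(phrase)
                break
    return hits


# Constructed text standing in for what a converter extracted from a PDF.
SAMPLE_TEXT = ("Distribution: INTERNAL, use only. "
               "This memo is top-secret; handle as classified.")

if __name__ == "__main__":
    phrases = load_phrases(DICTIONARY_FILE)
    print(scan(SAMPLE_TEXT, phrases))                              # default options
    print(scan(SAMPLE_TEXT, phrases, punctuation="significant"))   # nothing matches
    print(scan(SAMPLE_TEXT, phrases, punctuation="ignore"))        # "top-secret" is lost
    print(scan(SAMPLE_TEXT, phrases, case_sensitive=True))         # nothing matches
```

With the default "Treat as space" setting all three phrases are found; with "Significant" the trailing commas and periods stop every match, and with "Ignore" the hyphenated "top-secret" collapses into one word and no longer matches the two-word entry.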

Using Pattern Based Message Filters for Attachment Scanning

One of the methods that can be used to search for compliancy text within a file is to create a Pattern Based Message Filter (PBMF).

Create a pattern filter as follows:

1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) to define a filter for attachment scanning.

2. Click Add.

3. In the Apply To field, select whether you want to check Inbound, Outbound, or All Mail.

4. In the Message Part field, select Attachment Content.

Note: Selecting Attachment Content will scan the entire e-mail message, including the header, body and any attachment for matching content.

5. In the Pattern field, enter a pattern to match against.

6. Select the Action to perform on a message that contains the pattern text, such as Reject.

7. Click Apply to add the filter.

Attachment Scanning via Policy Compliancy File

Attachment scanning can also be performed via Policies with a compliancy file uploaded and enabled. The compliancy file will contain a list of words and phrases that can be matched against text contained in scanned attachment files.

In the specified policy, accessed via Mail Delivery ➝ Policy, enable Attachment Scanning, and select the corresponding phrase file to be used with that policy.

Custom phrase files are uploaded via Mail Delivery ➝ Content Management ➝ Dictionaries.

See “Dictionaries” on page 121 for more detailed information on uploading custom dictionary files.

Note: The compliancy status of messages can be searched in the mail history database via Status/Reporting ➝ Reporting ➝ Mail History ➝ Advanced.

Objectionable Content Filter

The Objectionable Content Filter defines a list of key words that will cause a message to be blocked if any of those words appear in the message.

The Objectionable Content Filter provides enhanced content filtering functionality and flexibility, allowing users to restrict content of any form including objectionable words or phrases and offensive content.

The predefined lists provided are end user manageable and can be updated and customized to meet the specific needs of any organization. Rules can also be applied to both inbound and outbound messages preventing unwanted content from entering an organization and prohibiting the release of sensitive content outside an organization.

OCF can also recover words that a message disguises. For example, the advanced token recognition component of the Token Analysis feature lets OCF detect the word "spam" even when it is written as "sp@m" or "s_p_a_m".

Select Mail Delivery ➝ Content Management ➝ Objectionable Content on the menu to configure the objectionable content filter.

• Enable OCF — Select the check box to enable OCF.

• Logging — Set the type of logging to perform for OCF processing. This information will appear in the Mail Transport log.

No Logging — No OCF logging will be performed.
First match only — Log the first word that was matched by the filter.
All matches — Log all words that were matched by the filter.

• Phrase Files — Select the type of phrase file to use with OCF. The Weak OCF phrase file contains a small list of common objectionable words and phrases. The Moderate and Strong OCF files contain progressively larger lists of words and phrases that are considered offensive. Organizations can create their own OCF phrase files via the Mail Delivery ➝ Content Management ➝ Dictionaries feature; these may include words and phrases specific to an organization that need to be blocked.

Note: The OCF dictionaries contain content that is of a vulgar nature. The pre-defined dictionaries should be viewed with caution as they contain words and phrases that may be offensive.

• Action — Set actions for both inbound and outbound messages. The following actions can be set:

Just log — Log the event and take no further action.
Reject mail — The message is rejected with notification to the sending system.
Quarantine mail — The message is placed into quarantine.
Discard mail — The message is discarded without notification to the sending system.
Encrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝ Encryption menu.
Decrypt — Redirects the message to the Decryption server specified in the Mail Delivery ➝ Encryption menu.

Notifications

Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. The content for the Inbound and Outbound notification can be customized.

See “Customizing Notification and Annotation Messages” on page 333 for a full list of system variables that can be used in the notification.

Pattern Based Message Filtering (PBMF)

Pattern Based Message Filtering is the primary tool for creating filter rules on the ePrism. PBMFs are used for:

• Whitelisting and blacklisting messages
• Creating content filter rules for managing e-mail messages

An administrator can create filter rules for any aspect of an e-mail message, including the message header, sender, recipient, subject, attachment content, and message body text. For example, an administrator can create a simple text filter that checks messages for the word "FREE" in the subject. Rules like this are useful for covering cases that the other spam filters miss.

Note: Pattern Based Message Filters should only be used for augmenting anti-spam behavior by whitelisting or blacklisting.

E-mail Message Structure

The following is an example of a typical mail message:

Message Envelope

The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, is not visible to the user. It is exchanged during the "handshake" part of the SMTP session. You will need to look for these values in the transport logs or have other knowledge of them.

Message Header

The message header includes the following fields:

• Received from — Indicates the final path that the message followed to get to its destination. It arrived from "mail.example.com", which delivered it to "server.example.com" to be put in the mailbox of "[email protected]".

• Received by — This indicates a previous "hop" that the message followed. In this case, the message came via "mail.example.com", which accepted the message addressed to "[email protected]".

• Delivered-To — The user to be delivered to, in this case "[email protected]".

• Received from — This marks the origin of the message. Note that it is not necessarily the same as the actual system that originated the message.

• Subject — This is a free form field and is displayed by a typical mail client.

• To — This is a free form field and is displayed by a typical mail client. It may be different from the destination address in the Received headers or from the actual recipient.

• From — This is a free form field and is displayed by a typical mail client. It may be different from the From address in the Received headers. It is typically faked by spammers.

• Message-ID — This is added by the mail server and is often faked by spammers.

Other header fields include Reply-to, Sender and so on. These fields can be forged by spammers because they do not affect how the mail is delivered.

Message Body

Following the header is the text or content of the message. This content can be formatted or encoded in many different ways, but in this example, it is displayed as plain text.

Message Attachment

Many e-mails contain attachments to the main message. ePrism has the ability to decode attachments to match text found within an attachment using a filter rule.

Configuring Pattern Based Message Filtering

Select Mail Delivery ➝ Content Management, and then select Pattern Filters (PBMF) on the menu.

Note: The pre-defined PBMF rules are provided as examples on how rules are to be created, and can be deleted if not needed without any repercussions.

Click the Add button to add a new pattern to the filter list.

Select the direction of mail for the PBMF rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.

• All Mail — Mail destined for any domain.

• Inbound mail — Any mail that is destined to a domain that the ePrism is configured to accept mail for. This will be any domain listed in the Mail Routing table in Mail Delivery ➝ Routing ➝ Mail Routing.

• Outbound mail — Mail destined to any domain that the ePrism is not configured to accept mail for (every domain other than those configured in Mail Routing).

Note: "Trusted" mail has no bearing on the Inbound/Outbound relationship.

Select the Message Part you want to filter on. ePrism allows you to filter on the following parameters:

Message Envelope Parameters

These parameters will not be visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

• <<Mail Envelope>> — This parameter allows for a match on any part of the message envelope which includes the HELO, Client IP and Client Host.

• HELO — This field is easily faked, and is not recommended for use in spam control. It may be useful in whitelisting a source of mail. Example: mail.example.com.

• Client IP — This field will be accurately reported and may be reliably used for both blacklisting and whitelisting. It is the IP address of the system initiating the SMTP connection. Example: 192.168.1.200.

• Client Host — This field will be accurately reported and may be reliably used for both blacklisting and whitelisting. Example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

• Envelope Addr — This matches on either the Envelope To or Envelope From. These fields are easily faked, and are not recommended for use in spam control. They may be useful in whitelisting a source of mail. Example: [email protected].

• Envelope To — This field is easily faked, and is not recommended for use in spam control. It may be useful in whitelisting a source of mail. Example: [email protected].

• Envelope From — This field is easily faked, and is not recommended for use in spam control. It may be useful in whitelisting a source of mail. Example: [email protected].

Message Header Parameters

Spammers will typically enter false information into these fields, except for the Subject field, and they are usually not useful in controlling spam. These fields may be useful in whitelisting certain users or legitimate source of e-mail.

• <<Mail Header>> — This parameter allows for a match on any part of the message header.

• <<Recipient>> — This parameter matches the To: or CC: fields.

• CC:

• From:

• Message-ID:

• Received:

• Reply-to:

• Sender:

• Subject:

• To:

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions (described below) to specify these.

Message Body Parameters

• <<Raw Mail Body>> — This parameter allows for a match on any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content.

• <<Mail Content>> — This parameter allows for a match on the visible decoded message body.

STA (Token Analysis) Token

Token Analysis (STA) tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that are hidden or disguised with bogus or invisible HTML tags and comments, which a normal pattern filter would not catch. For example, Token Analysis extracts the token "viagra" from the text "vi<spam>ag<spam>ra" and from "v.i.a.g.r.a.".
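
The kind of token recovery that the OCF section ("sp@m", "s_p_a_m") and this section ("vi<spam>ag<spam>ra", "v.i.a.g.r.a.") both describe, as an added example that is not the appliance's Token Analysis engine: HTML tags and comments are stripped, runs of separated single letters are joined, and a small look-alike table maps characters such as "@" to letters before the text is tokenized and compared with a word list. The look-alike table, the joining heuristic and the sample text are this example's assumptions.

```python
"""Token extraction from disguised words (added example, not ePrism's engine).

Recovers "spam" from "sp@m" and "s_p_a_m", and "viagra" from
"vi<spam>ag<spam>ra" and "v.i.a.g.r.a.", by removing HTML tags and comments,
joining letters that were spaced out with punctuation, and mapping common
look-alike characters. Table and heuristics are assumptions; real engines use
far larger tables.
"""
import html
import re

# Hypothetical look-alike map: character -> the letter it imitates.
LOOKALIKES = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "|": "l"})

# HTML comments first, then any tag, so "vi<spam>ag<spam>ra" becomes "viagra".
_TAG_OR_COMMENT = re.compile(r"<!--.*?-->|<[^>]+>", re.S)

# Three or more single letters separated by ".", "_", "-" or a space,
# e.g. "v.i.a.g.r.a" or "s_p_a_m"; the separators are removed.
_SPACED = re.compile(r"\b(?:[A-Za-z][._\- ]){2,}[A-Za-z]\b")
_SEPARATOR = re.compile(r"[._\- ]")


def extract_tokens(text):
    """Return lower-case alphabetic tokens after undoing the common disguises."""
    text = _TAG_OR_COMMENT.sub("", text)
    text = html.unescape(text)
    text = _SPACED.sub(lambda m: _SEPARATOR.sub("", m.group(0)), text)
    text = text.translate(LOOKALIKES)
    return re.findall(r"[a-z]+", text.lower())


def matches_dictionary(text, words):
    """Dictionary words that appear in text once tokens have been recovered."""
    tokens = set(extract_tokens(text))
    return [w for w in words if w in tokens]


# Constructed message text mixing the disguises quoted in the manual.
SAMPLE = ("Buy vi<spam>ag<spam>ra now! Not sp@m, not s_p_a_m. "
          "v.i.a.g.r.a. cheap <!-- hidden --> pills")

if __name__ == "__main__":
    print(extract_tokens(SAMPLE))
    print(matches_dictionary(SAMPLE, ["spam", "viagra", "lottery"]))
```

The joining heuristic deliberately requires at least three spaced letters, so ordinary abbreviations such as "e.g." are left alone; the trade-off is that a two-letter disguise is not recovered by this pass.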

Attachment Scanning

Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of PBMF is used with the Attachment Content Scanning feature. See “Attachment Content Scanning” on page 104 for more information on scanning attachments.

Match Option

Matching looks for the specified text in each line. You can specify one of the following:

• Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character.)

• Matches — The entire line or field must match the text.

• Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line).

• Reg Exp — Enter a regular expression to match the text.
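
The Message Part and Match Option choices above, as an added example that is not appliance code: one rule (part, option, pattern) is evaluated against a parsed message and its SMTP envelope, using the part names from the menus. It shows in particular why a plain-text pattern misses a Base64-encoded body under <<Raw Mail Body>> but hits under <<Mail Content>>. Python's re module is not POSIX, so the blank-subject pattern quoted on the next page uses [ \t] here instead of [[:blank:]]. The envelope dictionary and the sample messages are constructed.

```python
r"""PBMF message parts and match options (added example, not appliance code).

Evaluates one rule (message part, match option, pattern) against a parsed
message plus its SMTP envelope. Part names mirror the menu labels; the envelope
and messages are constructed. Python's re is not POSIX: write [ \t] where the
appliance would accept [[:blank:]].
"""
import re
from email import message_from_bytes
from email.message import EmailMessage


def match(option, text, pattern):
    """Apply one Match Option to one line or field (case-insensitive)."""
    t, p = text.rstrip("\r\n").lower(), pattern.lower()
    if option == "contains":
        return p in t
    if option == "starts with":
        return t.startswith(p)
    if option == "ends with":
        return t.endswith(p)
    if option == "matches":
        return t == p
    if option == "reg exp":
        return re.search(pattern, text.rstrip("\r\n"), re.I) is not None
    raise ValueError("unknown match option: %r" % option)


def candidate_lines(msg, envelope, part):
    """Yield the lines or fields that a Message Part exposes to the filter."""
    if part == "<<Mail Envelope>>":
        yield from envelope.values()
    elif part in envelope:                       # HELO, Client IP, Envelope From, ...
        yield envelope[part]
    elif part == "<<Mail Header>>":
        for name, value in msg.items():
            yield f"{name}: {value}"
    elif part == "<<Recipient>>":
        for name in ("To", "Cc"):
            yield from msg.get_all(name, [])
    elif part == "<<Raw Mail Body>>":            # still transfer-encoded
        for p in msg.walk():
            if not p.is_multipart():
                yield from p.get_payload(decode=False).splitlines()
    elif part == "<<Mail Content>>":             # decoded text
        for p in msg.walk():
            if p.get_content_type() == "text/plain":
                yield from p.get_payload(decode=True).decode("utf-8", "replace").splitlines()
    else:                                        # a named header such as "Subject:"
        name = part.rstrip(":")
        for value in msg.get_all(name, []):
            yield f"{name}: {value}"


def rule_hits(raw, envelope, part, option, pattern):
    """True if the rule matches any candidate line of the message."""
    msg = message_from_bytes(raw)
    return any(match(option, line, pattern) for line in candidate_lines(msg, envelope, part))


def build_sample():
    """Constructed message whose body is forced into Base64 transfer encoding."""
    msg = EmailMessage()
    msg["From"] = "promo@example.net"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "FREE offer inside"
    msg.set_content("Claim your FREE prize today.", cte="base64")
    return msg.as_bytes()


# Constructed envelope for the sample; on the appliance these come from the SMTP session.
ENVELOPE = {"HELO": "mail.example.net", "Client IP": "192.168.1.200",
            "Envelope From": "promo@example.net", "Envelope To": "bob@example.com"}

# Constructed message with an empty Subject, for the blank-field pattern.
BLANK_SUBJECT_RAW = b"From: a@example.com\r\nTo: bob@example.com\r\nSubject: \r\n\r\nbody\r\n"

if __name__ == "__main__":
    raw = build_sample()
    print(rule_hits(raw, ENVELOPE, "Subject:", "contains", "FREE"))
    print(rule_hits(raw, ENVELOPE, "<<Raw Mail Body>>", "contains", "FREE"))
    print(rule_hits(raw, ENVELOPE, "<<Mail Content>>", "contains", "FREE"))
    print(rule_hits(BLANK_SUBJECT_RAW, ENVELOPE, "Subject:", "reg exp", r"^subject:[ \t]*$"))
```

The raw-body check fails only because "FREE" sits inside a Base64 string; the same rule over <<Mail Content>> succeeds, which is the distinction the two body parameters draw.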

Pattern

Enter a text pattern to search for in the message.

You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.

For example, to search for a "blank" message field, use the following regular expression:

^subject:[[:blank:]]*$

Note: Although the Regular Expression feature is supported, St. Bernard cannot help with devising or debugging Regular Expressions because they have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.

Priority

Select a priority for the filter (High, Medium, Low). The entire message is read before making the decision. If a message matches multiple filters, the filter with the highest priority will be used.

If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order, from highest priority to lowest (Bypass, Reject, Discard, Quarantine, Certainly Spam, Redirect, Trust, Relay, Accept, Just log).

Note: Discard, Quarantine, and Redirect are actions available when creating a custom PBMF action in the PBMF preferences screen.

If more than one matched rule has the highest priority and highest action, then the filter with the highest rule number will be used.
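
The three-step resolution just described, as an added example that is not appliance code: given the rules that matched a message, the winner is chosen by priority, then by action strength in the listed order, then by rule number, and a second function names which comparison decided. The matched-rule tuples are constructed.

```python
"""Choosing between several matching PBMF rules (added example, not appliance code).

Implements the resolution order stated above: highest priority wins; among
equal priorities the strongest action in the listed sequence wins; among equal
actions the highest rule number wins. Matched-rule tuples are constructed.
"""
PRIORITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Strongest first, exactly as the text lists them.
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "Redirect", "Trust", "Relay", "Accept", "Just log"]
ACTION_RANK = {name: len(ACTION_ORDER) - i for i, name in enumerate(ACTION_ORDER)}


def _rank(rule):
    """Sort key for a (rule_number, priority, action) tuple; larger wins."""
    number, priority, action = rule
    return (PRIORITY_RANK[priority], ACTION_RANK[action], number)


def winning_rule(matched):
    """Return the matched rule whose action is applied, or None if nothing matched."""
    matched = list(matched)
    return max(matched, key=_rank) if matched else None


def decisive_factor(matched):
    """Name the comparison that separated the winner from the runner-up."""
    ranked = sorted(matched, key=_rank, reverse=True)
    if len(ranked) < 2:
        return "single match"
    winner, runner_up = ranked[0], ranked[1]
    if PRIORITY_RANK[winner[1]] != PRIORITY_RANK[runner_up[1]]:
        return "priority"
    if ACTION_RANK[winner[2]] != ACTION_RANK[runner_up[2]]:
        return "action strength"
    return "rule number"


if __name__ == "__main__":
    # A High-priority Just log rule silences a Low-priority Reject: the testing
    # trick the Just Log action description refers to.
    sample = [(1, "Low", "Reject"), (2, "High", "Just log")]
    print(winning_rule(sample), decisive_factor(sample))
```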

Action

When a rule has been triggered, the specified action is performed:

• Bypass — Allow this message to bypass all Intercept anti-spam processing. This action will override other PBMF actions for the same priority. Note: This action does not bypass Anti-Virus scanning.

• Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam.

• Reject — Mail is received, then rejected before the close of an SMTP session. Message is trained for spam if Train is also selected.

• Relay — Relay is enabled for this mail. Message is trained as legitimate mail if Train is also selected.

• Accept — Mail is accepted and delivered as per normal operation. Message is trained as legitimate mail if Train is also selected.

• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for "Certainly Spam" is applied.

• Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower priority PBMFs to test the effect of PBMFs without an action taking place.

• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This option only appears if you have a BCC e-mail address set up in the Preferences section.

• Do Not Train — Do not use the message for Token Analysis training purposes.

• Configurable Actions — There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.

• Encrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝ Encryption menu.

• Decrypt — Redirects the message to the Decryption server specified in the Mail Delivery ➝ Encryption menu.

Note: The "Relay" or "Trust" action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.

Upload and Download of PBMF Rules

You can create a list of PBMF rules and upload them together in one file. The file must contain comma or tab separated entries in the form:

[Section],[type],[pattern],[action],[sequence(priority)],[rulenumber], [direction],[Options]

For example:

to:,contains,[email protected],reject,medium,1,both,on

The Options field is used for the "Do-Not-Train" option. The value can be "on" or blank. If the field is blank, a "Reject" action will be considered "Reject+Train".

The file (pbmf.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the PBMF file first by clicking Download File, edit it as required, and upload it using the Upload File button.
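
A pre-upload check for the rule file, as an added example that is not appliance code: it reads a comma- or tab-separated file in the eight-field layout above, validates each field against the values listed on the preceding pages, and records the training effect of the Options column (blank means a Reject is also trained). The accepted spellings of the type, action and direction values, the address in the sample rows, and the sample rows themselves are this example's assumptions; custom action names defined under Preferences are not checked.

```python
"""Validating a PBMF upload file (added example, not appliance code).

Parses the eight-field layout [Section],[type],[pattern],[action],
[sequence(priority)],[rulenumber],[direction],[Options] from a comma- or
tab-separated file and reports rows that would be misread. Accepted values are
assumed from the menu options described above; sample rows are constructed.
"""
import csv
import io

FIELDS = ["section", "type", "pattern", "action", "priority",
          "rulenumber", "direction", "options"]
MATCH_TYPES = {"contains", "starts with", "ends with", "matches", "reg exp"}
# Built-in actions only; custom actions from Preferences are not validated here.
ACTIONS = {"bypass", "trust", "reject", "relay", "accept",
           "certainly spam", "just log", "bcc"}
PRIORITIES = {"high", "medium", "low"}
DIRECTIONS = {"both", "inbound", "outbound"}


def parse_rules(text):
    """Return (rules, errors): rules as dicts, errors as 'line N: reason' strings."""
    first = text.splitlines()[0] if text.strip() else ""
    delimiter = "\t" if "\t" in first else ","
    rules, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if not row or all(not f.strip() for f in row):
            continue                                   # blank line
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        rule = dict(zip(FIELDS, (f.strip() for f in row)))
        low = {k: v.lower() for k, v in rule.items()}
        if low["type"] not in MATCH_TYPES:
            errors.append(f"line {lineno}: unknown match type {rule['type']!r}")
        elif not rule["pattern"]:
            errors.append(f"line {lineno}: empty pattern")
        elif low["action"] not in ACTIONS:
            errors.append(f"line {lineno}: unknown action {rule['action']!r}")
        elif low["priority"] not in PRIORITIES:
            errors.append(f"line {lineno}: unknown priority {rule['priority']!r}")
        elif not rule["rulenumber"].isdigit():
            errors.append(f"line {lineno}: rule number must be numeric")
        elif low["direction"] not in DIRECTIONS:
            errors.append(f"line {lineno}: unknown direction {rule['direction']!r}")
        elif low["options"] not in {"", "on"}:
            errors.append(f"line {lineno}: Options must be 'on' or blank")
        else:
            # Blank Options means the message is also used for training, so a
            # plain "reject" row is effectively Reject+Train.
            rule["train"] = low["options"] != "on"
            rule["rulenumber"] = int(rule["rulenumber"])
            rules.append(rule)
    return rules, errors


# Constructed rule file: two good rows, one with a bad action, one truncated.
SAMPLE_FILE = (
    "to:,contains,sales@example.com,reject,medium,1,both,on\n"
    "subject:,reg exp,^subject:[[:blank:]]*$,just log,low,2,inbound,\n"
    "client ip,matches,192.168.1.200,trust,high,3,inbound,\n"
    "from:,contains,news@example.org,drop,medium,4,both,\n"
    "subject:,contains,FREE,reject,medium\n"
)

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_FILE)
    for r in rules:
        print(r["rulenumber"], r["section"], r["action"], "train" if r["train"] else "no-train")
    for e in errors:
        print("ERROR", e)
```

Running the check before uploading catches the two kinds of row the appliance cannot interpret (a misspelled action and a row missing fields) while the file is still in the editor.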

PBMF Preferences

Select the Preferences button to define configurable PBMF actions and customize notifications.

PBMF BCC Action

This is used in conjunction with the BCC PBMF action to define an e-mail address to send a blind carbon copy of the message to.

PBMF Action

Administrators can define up to six customized actions that can be used for PBMF filters. When an action has been defined and activated, it will appear in the list of actions when creating a PBMF rule.

• Active — Select the check box to activate this action.

• Action Name — Enter a descriptive name for this customized action.

• Action — The action can be one of the following:

Reject: The mail will not be accepted, and the connecting mail server is forced to return it.
Discard: The mail will be dropped with no notification.
Quarantine: The mail will be put into the administrative quarantine area. The quarantine can be accessed via Status/Reporting ➝ Quarantine on the menu.
Certainly Spam: Mail is received, trained as spam, and then the Intercept action for "Certainly Spam" is applied.
Redirect to: The message will be delivered to the mail address specified in the Action Data field.
Accept: Mail is accepted and delivered as per normal operation.
BCC: The message will be copied to the mail address specified in the Action Data field.

• Do Not Train — Select the check box to ensure that when this action is triggered, the message will not be trained for spam.

• Action data — For the Redirect To action, send the message to a mailbox such as [email protected]. You can also specify a domain such as spam.example.com. For BCC, enter an e-mail address to send a blind carbon copy of the message to.

• Notification — Notifications can be enabled for all recipients, the sender, and the administrator. The content of the notification message can be customized.

Malformed Mail

Many viruses and denial of service (DoS) attacks try to elude virus scanners by concealing themselves in malformed messages. A scan engine that cannot parse the message cannot see the attachment, and passes the complete message through to an internal server. Some mail clients try to rebuild malformed messages and may, in doing so, reconstruct or activate a virus-infected attachment. Other malformed messages are designed to attack mail servers directly; most often these are used in DoS attacks.

ePrism analyzes each message with extensive integrity checks. Malformed messages are quarantined if they cannot be processed.

Select Mail Delivery ➝ Content Management ➝ Malformed Mail on the menu to enable and configure malformed e-mail scanning.

• Enable malformed scanning — Select this option to enable scanning for malformed e-mails.

• Enable NULL Character Detect — Select this option to enable null character detection. Any message containing a null character (a byte value of 0) is considered malformed.

• Action — Select an action to be performed. Options include:

Just log: Log the event and take no further action.
Reject mail: The message is rejected with notification to the sending system.
Quarantine mail: The message is placed into the administrative quarantine area.
Discard mail: The message is discarded without notification to the sending system.

• Notifications — Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Enter the content for the notification message.

See “Customizing Notification and Annotation Messages” on page 333 for information on variables such as %SENDER% and %RECIPIENT%.

Dictionaries

The Dictionaries feature contains default and custom word and phrase dictionaries that can be used with Objectionable Content Filtering, Spam Dictionaries, and compliancy-based Attachment Content Scanning.

Each file is a simple word or phrase text file (Unix format) with one word or phrase per line, such as:

Compliancy
Classified
Top Secret

For example, to define a new dictionary to be used for policy compliance:

1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.

2. Click Add to add a new dictionary file.

3. Click Browse to select the file to be uploaded. Click Continue.

The file information screen displays the initial contents of the file.

Choose the name of the file, and select the type of file you are uploading. This will indicate which feature to use with this file.

• Any — This file can be used for any feature.

• Compliancy — This file can be used for compliancy policy attachment scanning.

• OCF — This file can be used with Objectionable Content Filtering.

• Spam — This file can be used with the Spam Dictionaries Intercept Anti-Spam feature.

Click Continue to finish uploading the file.

The new dictionary will now appear in the list and can be selected when using a dictionary-based feature such as policy compliancy.

CHAPTER 7 Intercept Anti-Spam

This chapter describes how to configure the Intercept Anti-Spam features of your ePrism Email Security Appliance and contains the following topics:

• “Intercept Anti-Spam Feature Overview” on page 124
• “Trusted and Untrusted Mail Sources” on page 126
• “Configuring Intercept Anti-Spam” on page 127
• “Intercept Components” on page 129
• “Intercept Advanced Features” on page 158
• “Trusted Senders” on page 162
• “Spam Quarantine” on page 165

Intercept Anti-Spam Feature Overview

ePrism’s Intercept Anti-Spam features have been developed to take advantage of its extensive mail control features and provide a layered approach in which each anti-spam feature, when enabled, contributes to the final spam score of a message. Combining the information from all of the enabled anti-spam features produces a more informed decision on whether the message is in fact spam.

Thresholds can be set to take appropriate action on a message based on its score and classification, such as Certainly Spam, Probably Spam, and Maybe Spam. A different action can be set for each threshold, such as "Redirect" to a spam quarantine for messages that are classified as Certainly Spam, or "Modify Subject Header" for messages that are classified as Maybe Spam.

Administrators can use the advanced Intercept options to provide more granular control over each anti-spam Intercept component for their environment, however, the default Intercept configuration has been engineered to provide maximum protection against spam without additional configuration.

ePrism’s Intercept Anti-Spam engine includes the following components:

• Specific Access Patterns (SAP) — Filter messages based on pattern matches against the client address or header parameters such as HELO or Envelope-From and Envelope-To.

• Pattern Based Message Filtering (PBMF) — Filter messages based on matches against any aspect of a mail message, including the envelope, header, body and any attachments.

• Spam Dictionaries — Filters messages based on a dictionary of typical spam words and phrases that are matched against the message.

• IP Reputation (IPR) — The IP Reputation feature provides both local and remote IP Reputation services. Local IP Reputation checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields. Checks for recent spam and viruses from a specific IP address can also be enabled; these are used in conjunction with the Threat Prevention feature. Remote IP Reputation is provided using the BorderWare Security Network (BSN). The BSN helps to identify spam by reporting a collection of metrics about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected, based on information collected from mail and firewall servers worldwide. This information can be used by the ePrism Email Security Appliance to reject the message, or as part of the overall anti-spam decision.

• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts that are blacklisted. Messages can also be rejected immediately, regardless of the results of other Anti-Spam processing, if the client is blacklisted on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger to consider the sender as blacklisted.

• Bulk Analysis — Detects bulk mail spam by checking to see if the message was sent to a large number of users.


• Token Analysis — Detects spam based on advanced content analysis using databases of known spam and valid mail.

• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS records to identify and validate the source of a message to determine whether a message was spoofed.

• DomainKeys — Performs a check of a sending host’s DomainKeys DNS records to identify and validate the source of a message to determine whether a message was spoofed.

User-Based Options

Other anti-spam options can be enabled on a user level to allow them to create a whitelist of known trusted senders, and also manage their own spam quarantine area:

• Trusted Senders List
• Spam Quarantine


Trusted and Untrusted Mail Sources

ePrism must be properly configured for interaction with local and remote mail servers. ePrism only processes mail through the spam filters when a message originates from an "untrusted" source. Trusted sources bypass the spam controls.

There are two ways to control how sources of mail are identified and trusted:

1. The network interface the mail arrives on
2. A specified IP address (or address block), server, or domain name

By default, mail that arrives on a particular network interface from the same subnet is "trusted". To change this setting, perform the following steps:

1. Select Basic Config ➝ Network on the menu.
2. For the specified interface, disable Trusted Subnet.

To add a system to the filters and mark it as "Trusted", perform the following steps:

1. Select Mail Delivery ➝ Content Management ➝ Pattern Filters (PBMF) on the menu.
2. Click Add.
3. Select Client IP or Client Host in the From field.
4. Select Matches.
5. Enter the IP address or hostname of the system depending on your selection in step 3.
6. Under Action, select Trust, and then click Apply to add the rule.


Configuring Intercept Anti-Spam

To enable and configure ePrism’s Intercept Anti-Spam features, select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu.

Intercept Actions

In the Intercept Actions section, administrators can assign actions for three levels of spam score thresholds. The categories are as follows:

• Certainly Spam — Any message with a score over this threshold (Default: 99) is almost guaranteed to be spam. A strong action, such as Reject Mail or Redirect To, should be taken for these messages.

• Probably Spam — Any message with a score over this threshold (Default: 90) is probably spam. This threshold indicates a message with a very high spam score, but not high enough to be Certainly Spam. These messages should be treated with a lighter action than Certainly Spam, such as Redirect To or Modify Subject Header, but should not be rejected.

• Maybe Spam — Any message with a score over this threshold (Default: 60) might be spam but should be treated with caution to prevent false positives. This threshold indicates messages which could be spam, but could also be legitimate mail. It is recommended that a light action such as Modify Subject Header or Just Log be used.


For each category you can set the following fields and actions:

• Threshold — Set the threshold for this category to the specified spam score. It is recommended that administrators leave these values at their defaults.

• Action — Specify one of the following actions:
  Just log: An entry is made in the log, and no other action is taken.
  Modify Subject Header: The text specified in the Action Data field will be inserted into the message subject line.
  Add header: An "X-" mail header will be added as specified in the Action Data field.
  Redirect to: The message will be delivered to the mail address or server specified in the Action Data field.
  Reject mail: The mail will not be accepted and the connecting mail server is forced to return it.
  BCC: Send a blind carbon copy of the message to the mail address specified in the Action Data field.

• Action data — Depending on the specified action:
  Modify Subject Header: The specified text will be inserted into the subject line, such as [SPAM].
  Redirect to: Send the message to a mailbox such as [email protected]. The message can also be redirected to a spam quarantine server such as spam.example.com.
  Add header: An "X-" message header will be added with the specified text, such as: X-Example-Header: spam.

  This field can also be left blank to add a default header to be used by the Intercept Plug-in for Exchange:

  For the Certainly Spam action, the added header will be: X-BTI-AntiSpamCode: certainly
  For the Probably Spam action, the added header will be: X-BTI-AntiSpamCode: probably
  For the Maybe Spam action, the added header will be: X-BTI-AntiSpamCode: maybe
  For no classification, the added header will be: X-BTI-AntiSpamCode: none

Anti-Spam Header

Anti-spam headers are added to all messages for diagnostic purposes and contain data on the spam processing applied to the message and its metrics. Enable this option to include the header with the message. The header output is similar to the following:

X-BTI-AntiSpam: score:99,sta:99/021,dcc:passed,dnsbl:passed,sw:off,bsn:95/passed,spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no
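The header value above is a comma-separated list of component:value fields. The following Python is an added example (not the appliance's own code) that parses it and applies the default Certainly/Probably/Maybe thresholds to choose an action and the default X-BTI-AntiSpamCode header; the action data values are constructed, and reading "over this threshold" as at-or-above is an assumption.

```python
"""Parse the X-BTI-AntiSpam diagnostic header and apply the Intercept
thresholds.  Added example; not code from the ePrism appliance."""
from typing import Dict, Tuple

# Sample header value as shown in the guide (constructed input for the demo).
SAMPLE_HEADER = ("score:99,sta:99/021,dcc:passed,dnsbl:passed,sw:off,bsn:95/passed,"
                 "spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no")

# Default Intercept thresholds from the guide.
DEFAULT_THRESHOLDS = {"certainly": 99, "probably": 90, "maybe": 60}

# Actions per category following the guide's recommendations (strong action
# for Certainly, lighter for Probably, Just log for Maybe).  The action data
# values are constructed for this example.
DEFAULT_ACTIONS = {
    "certainly": ("Redirect to", "spam.example.com"),
    "probably": ("Modify Subject Header", "[SPAM]"),
    "maybe": ("Just log", ""),
    "none": ("Deliver", ""),
}


def parse_antispam_header(value: str) -> Dict[str, str]:
    """Split 'score:99,sta:99/021,...' into {'score': '99', 'sta': '99/021', ...}.

    Values such as '99/021' or '95/passed' are kept as raw strings; only the
    first ':' in each field separates key from value."""
    fields: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(":")
        if not sep:
            raise ValueError(f"malformed X-BTI-AntiSpam field: {item!r}")
        fields[key.strip()] = val.strip()
    if not fields.get("score", "").isdigit():
        raise ValueError("header carries no numeric score")
    return fields


def classify(score: int, thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> str:
    """Return 'certainly', 'probably', 'maybe' or 'none' for a spam score.

    The guide says a message with a score 'over' a threshold falls into that
    category; this example treats that as at-or-above (an assumption) so the
    default of 99 catches the sample header's score of 99."""
    for name in ("certainly", "probably", "maybe"):
        if score >= thresholds[name]:
            return name
    return "none"


def intercept_decision(header_value: str,
                       actions=DEFAULT_ACTIONS) -> Tuple[str, str, str, str]:
    """Return (category, action, action data, default plug-in header).

    The last element is the X-BTI-AntiSpamCode header the guide says is added
    when the Add header action is used with blank Action Data."""
    fields = parse_antispam_header(header_value)
    category = classify(int(fields["score"]))
    action, data = actions[category]
    return category, action, data, f"X-BTI-AntiSpamCode: {category}"


if __name__ == "__main__":
    print(parse_antispam_header(SAMPLE_HEADER))
    print(intercept_decision(SAMPLE_HEADER))
```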


Intercept Components

Each component of the Intercept Anti-Spam engine can be enabled or disabled depending on your environment. For advanced settings, selecting the feature will allow administrators to configure its advanced options.

Select the Enable check box for a specific feature, and then select the spam feature link to review or customize the default settings. When finished, click the Apply button to save the configuration.

ePrism’s Intercept components are discussed in more detail in the following sections.

Reject on Unknown Recipient

This option rejects mail if the intended recipients do not exist locally or in an LDAP directory. This option is used in conjunction with LDAP Users and the LDAP Recipients feature.

Note: If using an Active Directory server, it is recommended that the LDAP Users function be used.

ePrism will determine if a user exists as follows:

• Checks if the user is in the local database of imported LDAP Users.
• Performs a direct lookup on an LDAP user directory with the LDAP Recipients feature.

Configure LDAP Users and Groups and LDAP Recipients in the Basic Config ➝ Directory Services menu. See “Directory Users and Groups” on page 66 for more information on importing LDAP users for user lookups. See “LDAP Recipients” on page 74 for information on configuring the LDAP Recipients feature.

Note: You can override Reject on Unknown Recipient by using a Specific Access Pattern set to Allow Relaying or Trust.


Specific Access Patterns (SAP)

Specific Access Patterns (SAP) can be used to either accept or reject mail during an SMTP connection. These rules override all others, allowing them to be used for special whitelisting and blacklisting cases to allow e-mail where it would be otherwise blocked, or to block e-mail when it would otherwise be allowed. Specific access patterns allow an administrator to respond to local filtering requirements such as the following:

• Allowing other systems to relay mail through ePrism
• Rejecting all messages from specific systems
• Allowing all messages from specific systems (effectively whitelisting the mail)
• Whitelisting addresses that may be blacklisted by BSN or DNSBL

It is recommended that you use Pattern Based Message Filtering for anti-spam control and white/black listing. See “Pattern Based Message Filtering (PBMF)” on page 110 for more detailed information.

Note: Specific Access Patterns are enabled by default and cannot be disabled.

Configuring Specific Access Patterns

Select Mail Delivery ➝ Mail Access on the menu.

To define a Specific Access Pattern, click the Add Pattern button.


• Pattern — Enter a mail address, IP address, hostname, or domain name.
• Client Access — Specify a domain, server hostname, or IP address. This item is the most reliable and may be used to block spam as well as whitelist.
Note: Only the Client Access parameter can be relied upon, since spammers can easily forge all other message properties. These parameters, however, are useful for whitelisting.
• HELO Access — Specify either a domain or server name.
• Envelope-From Access — Specify a valid e-mail address.
• Envelope-To Access — Specify a valid e-mail address.
Note: None of the above three options are reliable, as spammers can easily fake these properties.

• If Pattern Matches:
  Reject: The connection will be dropped.
  Allow relaying: Messages from this address will be relayed and processed for spam.
  Trust: Messages from this address will be relayed and not processed for spam.

Matching Rules

When you specify a Specific Access Pattern rule, it can take the following forms:

• IP Address — ePrism will match an IP address such as 192.168.1.10, or you can use a more general address form such as 192.168 that will match anything in that address space.
Note: For the Client Access parameter, ePrism also supports CIDR (Classless Inter-Domain Routing) format so that administrators can specify a pattern for a network such as 192.168.0.0/24.

• Domain Name — ePrism will match the supplied domain name, such as example.com, with any subdomain such as mail.example.com, sales.mail.example.com and so on.

• Address — ePrism will match an exact e-mail address, such as [email protected], or a more general rule such as @example.com.
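The three matching forms above (IP prefix or CIDR, domain with subdomains, exact or @domain address) can be implemented as a small matcher. The following Python is an added example, not ePrism's code; the rule and connection field names and the first-match-wins ordering are assumptions.

```python
"""Specific Access Pattern matching per the guide's Matching Rules.
Added example, not appliance code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def matches_ip(pattern: str, client_ip: str) -> bool:
    """'192.168.1.10' exact, '192.168' leading octets, '192.168.0.0/24' CIDR."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    want = pattern.split(".")
    if not 1 <= len(want) <= 4 or not all(o.isdigit() for o in want):
        return False
    # Compare whole octets so that '192.16' does not match 192.168.x.x.
    return client_ip.split(".")[:len(want)] == want


def matches_domain(pattern: str, name: str) -> bool:
    """'example.com' matches example.com, mail.example.com, sales.mail.example.com."""
    p = pattern.lower().rstrip(".")
    n = name.lower().rstrip(".")
    return n == p or n.endswith("." + p)


def matches_address(pattern: str, address: str) -> bool:
    """Exact address, or '@example.com' for every address in that domain."""
    p, a = pattern.lower(), address.lower()
    if p.startswith("@"):
        return "@" in a and "@" + a.rpartition("@")[2] == p
    return a == p


@dataclass
class AccessPattern:
    field: str    # 'client', 'helo', 'envelope_from' or 'envelope_to' (assumed names)
    pattern: str
    action: str   # 'reject', 'allow_relaying' or 'trust'


def looks_like_ip_pattern(pattern: str) -> bool:
    return pattern.replace(".", "").replace("/", "").isdigit()


def rule_matches(rule: AccessPattern, conn: Dict[str, str]) -> bool:
    """conn carries client_ip, client_host, helo, envelope_from, envelope_to.

    Only Client Access is reliable (the guide's note): HELO and envelope
    addresses are chosen by the sender, so rules on them suit whitelisting only."""
    if rule.field == "client":
        if looks_like_ip_pattern(rule.pattern):
            return matches_ip(rule.pattern, conn["client_ip"])
        return matches_domain(rule.pattern, conn["client_host"])
    if rule.field == "helo":
        return matches_domain(rule.pattern, conn["helo"])
    if rule.field in ("envelope_from", "envelope_to"):
        return matches_address(rule.pattern, conn[rule.field])
    raise ValueError(f"unknown field {rule.field!r}")


def evaluate(rules: List[AccessPattern], conn: Dict[str, str]) -> Optional[str]:
    """Return the action of the first matching rule, or None (ordering assumed)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return None


# Constructed rules and connection for the demo.
RULES = [
    AccessPattern("client", "192.168.0.0/24", "allow_relaying"),  # internal subnet may relay
    AccessPattern("client", "spamhost.test", "reject"),           # host and all its subdomains
    AccessPattern("envelope_from", "@partner.example", "trust"),  # whitelist only (forgeable)
]
CONN = {"client_ip": "192.168.0.42", "client_host": "pc42.corp.example",
        "helo": "pc42.corp.example", "envelope_from": "alice@corp.example",
        "envelope_to": "bob@example.com"}

if __name__ == "__main__":
    print(evaluate(RULES, CONN))
```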

Pattern Based Message Filters

Pattern Based Message Filtering is the primary tool for whitelisting and blacklisting messages. An administrator can specify that mail is rejected or whitelisted according to the contents of the message header, including the sender, recipient, subject, attachment content, and message body text.

See “Pattern Based Message Filtering (PBMF)” on page 110 for detailed information on configuring PBMFs.


Spam Dictionaries

The ePrism Email Security Appliance provides a built-in Spam Dictionaries filter. When enabled, all inbound messages passing through the ePrism Email Security Appliance are scanned for spam words and phrases that appear in the dictionary.

Messages with words or phrases in their subject or body that match the phrase list are more likely to be spam. ePrism’s Intercept Anti-Spam engine will use this information to help decide if the message is spam.

The ePrism Email Security Appliance includes a basic pre-configured spam words list that can be used for Spam Dictionary filtering. St. Bernard’s default list includes very common spam words such as "prescription" and "viagra". The full default list can be viewed and saved. Administrators can use this list to build and upload their own custom spam word list.

Note: It is recommended that administrators review this default spam words list to ensure any included words are not part of their organization's functions. For example, the word "prescription" should be removed if the company is involved with the pharmaceutical industry.

Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select Spam Dictionaries on the menu to configure the options for this feature.

• Enable Spam Dictionaries — Select the check box to enable the Spam Dictionaries feature. Message content will be checked against the spam word lists and the final result will be used by the Intercept engine to determine if the message is spam.

• Phrase file — Select the Phrase file used for anti-spam checks. This can be the Default Spam Words list provided by St. Bernard, or a custom list uploaded via Mail Delivery ➝ Content Management ➝ Dictionaries. See the following section for more information on adding a custom dictionary.

• Logging — Select the type of logging for messages that contain matched spam words and phrases. This logging information will appear in the Mail Transport logs. Choose from the following:
  No logging: No logging will be performed.
  First match only: Only the first matching word will be displayed.
  All matches: All matched words will be displayed.


Adding a Spam Dictionary

1. Select Mail Delivery ➝ Content Management ➝ Dictionaries on the menu to view the Default Spam Words list.

2. Select the Default Spam Words list. The Default Spam Words file contains a list of common words that are typically seen in spam messages.

3. Click Download to save and view the text file of spam words. The list contains one word or phrase per line, such as the following:

free pic
free pics
free picz
meds
medz

Administrators can use this base list to create their own dictionary of spam words by editing the text file and adding one word or phrase per line. Default words that are not required can be deleted.


To upload the new spam dictionary file:

1. Select Mail Delivery ➝ Content Management ➝ Dictionaries.

2. Click Add to add a new dictionary file.

3. Click Browse to select the file to be uploaded. Click Continue.


The file information screen displays the initial contents of the file. You can change both the name of the list and the type of dictionary.

Set the Type of file to spam. This indicates that this dictionary file can be used with the Spam Dictionaries feature.

Click Continue to finish uploading the file. The new dictionary will now appear in the list and can be selected when using Spam Dictionaries.


IP Reputation (IPR)

IP Reputation (IPR) performs reputation checks on incoming messages to help determine whether the message is coming from a known source of spam or legitimate mail. Systems that send spam have certain characteristics that can give away the nature of the sending system. Many spammers deploy scripts and use spoofed or false information when sending mail. By checking incoming connections for behavior patterns, ePrism can help to determine whether mail from an incoming system is legitimate or spam.

IP Reputation checks messages for a variety of information that may reveal discrepancies between the message’s sending host and the host listed in the message envelope and contents, and information about messages recently sent by the sending host. A message must fail four or more IP reputation checks to be classified as spam. See “Reputation Indicators” on page 139 for detailed information on configuring IPR.

BorderWare Security Network

The BorderWare Security Network (BSN) helps to identify spam by reporting behavior information for a collection of metrics about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages, based on information collected from customer ePrism e-mail servers and global DNS Block Lists.

This information can be used by the ePrism Email Security Appliance to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.

If enabled, the ePrism Email Security Appliance will ask for statistics from the BSN Domain service for the sender IP of each message received, excluding those from trusted and known networks. Using the information returned from BSN, ePrism can make a decision about whether a message is spam or not.

BSN Statistics Sharing

Statistics from your ePrism can also be shared with BSN by selecting the share statistics option. The following message count statistics and the upstream client IP are sent to the BSN network when Share Statistics is enabled on ePrism:

• Total mail
• Clean mail
• Spam mail
• Virus mail
• Unknown recipient
• Known recipients
• Malformed mail


Note: BSN Domain service queries use the DNS protocol on UDP port 53. BSN statistics sharing uploads to the BSN network using HTTPS on port 443. These ports must be opened up on your network firewall if ePrism is located behind the firewall.

Note the following considerations when using BSN:

• If the BSN server is not available, the DNS request times out. This may affect performance and requires monitoring for timed-out connections. Remove any servers which you do not use to prevent time-outs.

• If a message that you want to receive is blocked by BSN, add a filter to the Pattern Based Message Filtering list to "Trust" (to accept and train as valid mail) or "Accept" (just accept without training) this message. Specific Access Patterns can also be used.

Configuring BSN Checks

Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then IP Reputation on the menu.

• Enable — When BSN is enabled, incoming messages will be checked against the spam information gathered by the BSN network.

• BSN Domain — Enter the BSN Query domain. The default (ipdns.borderware.com) is the primary BSN domain, and should not be modified.

• Share Statistics — Enable BSN information, such as spam and virus statistics for connecting client IP addresses, from this ePrism to be shared with the BSN network.
Note: Port 443 must be enabled outbound to allow statistics to be uploaded to the St. Bernard BSN server (ipup.borderware.com). There are no security risks associated with sharing statistics. ePrism does not relay any private or sensitive information to the BorderWare Security Network.


BSN Connection Rejects

By default, ePrism uses BSN feedback as part of Intercept. To override this default behavior, ePrism can use BSN information for connection level rejects. When overriding the default behavior with BSN, ePrism provides the following options:

• Reject on BSN Reputation — If enabled, the ePrism Email Security Appliance will reject messages from senders whose reputation is above the configured Reputation Threshold. A reputation of "0" indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of "50".
Note: BSN rejects can be overridden by creating a Specific Access Pattern for the rejected address.

• Reputation Threshold — Enter a reputation threshold over which a message will be rejected.
• Reject on Infection — If enabled, the ePrism Email Security Appliance will reject messages from senders whose infection score is above the configured Infection Threshold.
• Infection Threshold — Indicates the criteria for rejecting messages based on whether the sending host is Currently infected (received in last hour), or Recently infected (received in last day). This setting is only valid when Reject on Infection is enabled.

• Reject Connection From Dial-ups — If enabled, the ePrism Email Security Appliance will reject messages sent directly from dial-up connections.
Note: If a message is not rejected for violating a BSN threshold, the reputation score and information about whether the sender is a dial-up can still be incorporated into the overall Intercept Anti-Spam decision.

BSN rejection, infection, and dial-up log messages will include a URL similar to the following:

BSN 450: blocked by Intercept: goto http://intercept.borderware.com/lookup?ip=[client_ip]

where client_ip is the address of the connecting system that was rejected. Clicking the URL will open a web page displaying BSN reputation statistics for the specified IP address.


Reputation Indicators

The following IP Reputation indicators can be enabled by the administrator. If a message fails four or more checks, the weight assigned to IP Reputation in the Intercept advanced settings will be the score used for Intercept processing.

DNS

The following checks relate to issues with DNS record lookups for the sending host:

• Missing client reverse DNS — Checks if the sending host has a PTR (address to name) record and the PTR record has a matching A (name to address) record.

• Missing sender MX — Check if the sender mail address has a DNS MX record. This check is more restrictive than the check for Unknown sender domain. If Unknown sender domain fails then this check will also fail. It is recommended that only one of the two checks be used at the same time.

• Unknown sender domain — Check if the sender mail address has a DNS A or MX record. This check is less restrictive than the check for Missing sender MX. If this check fails then Missing sender MX will also fail. It is recommended that only one of these two checks be used at the same time.

• Invalid HELO/EHLO hostname — Checks if the HELO/EHLO address is a valid hostname.

• Unknown HELO/EHLO domain — Checks if the HELO/EHLO address has a DNS A or MX record.


Client Behaviour

The following checks relate to issues with the connecting client’s SMTP connection and message information:

• Unauthorized pipelining — Check if the client sends SMTP commands ahead of time without knowing that the mail server actually supports SMTP command pipelining. This check detects bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

• HELO/EHLO doesn’t match client — Check if the HELO/EHLO address matches the sending host address.

• Missing From header — Check if the From header is present.
• Missing To header — Check if the To header is present.
• Envelope sender doesn’t match From header — Check if the From header matches the envelope sender address.

Recent Activity

The following checks will only work if Threat Prevention (configured via Mail Delivery ➝ Threat Prevention) is enabled.

• Recent spam from client — Check if the sending host recently sent spam.
• Recent virus from client — Check if the sending host recently sent a virus.
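The DNS and Client Behaviour indicators above, run against a session record and scored with the guide's four-or-more rule, as an added example (not appliance code): the DNS answers come from a constructed table, the Recent Activity checks are omitted because they depend on Threat Prevention data, and the exact test each indicator applies is my reading of the guide.

```python
"""IP Reputation indicators from the guide, scored with its 'four or more
failed checks' rule.  Added example, not appliance code: DNS answers come
from a constructed table (a real implementation would query a resolver) and
the precise test each indicator applies is my reading of the guide."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Callable, Dict, List, Tuple

# Constructed DNS data for the demo (PTR, A and MX answers).
DNS = {
    "PTR": {"203.0.113.5": "mail.example.net"},
    "A": {"mail.example.net": "203.0.113.5", "example.net": "203.0.113.9"},
    "MX": {"example.net": "mail.example.net"},
}

# Syntactically valid fully-qualified hostname (labels plus an alphabetic TLD).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


@dataclass
class Session:
    client_ip: str       # connecting host
    helo: str            # HELO/EHLO argument
    envelope_from: str   # MAIL FROM address
    message: str         # raw message text

def _sender_domain(s: Session) -> str:
    return s.envelope_from.rpartition("@")[2].lower()

def _header(s: Session, name: str):
    return message_from_string(s.message)[name]

# Each indicator returns True when it FAILS (counts against the sender).
def missing_client_reverse_dns(s, dns):
    name = dns["PTR"].get(s.client_ip)  # PTR must exist and round-trip to the IP
    return name is None or dns["A"].get(name) != s.client_ip

def missing_sender_mx(s, dns):
    return _sender_domain(s) not in dns["MX"]

def unknown_sender_domain(s, dns):
    d = _sender_domain(s)
    return d not in dns["A"] and d not in dns["MX"]

def invalid_helo_hostname(s, dns):
    return HOSTNAME_RE.match(s.helo) is None

def unknown_helo_domain(s, dns):
    h = s.helo.lower()
    return h not in dns["A"] and h not in dns["MX"]

def helo_mismatch(s, dns):
    return dns["A"].get(s.helo.lower()) != s.client_ip

def missing_from_header(s, dns):
    return _header(s, "From") is None

def missing_to_header(s, dns):
    return _header(s, "To") is None

def envelope_sender_mismatch(s, dns):
    return parseaddr(_header(s, "From") or "")[1].lower() != s.envelope_from.lower()

CHECKS: Dict[str, Callable] = {
    "Missing client reverse DNS": missing_client_reverse_dns,
    "Missing sender MX": missing_sender_mx,
    "Unknown sender domain": unknown_sender_domain,
    "Invalid HELO/EHLO hostname": invalid_helo_hostname,
    "Unknown HELO/EHLO domain": unknown_helo_domain,
    "HELO/EHLO doesn't match client": helo_mismatch,
    "Missing From header": missing_from_header,
    "Missing To header": missing_to_header,
    "Envelope sender doesn't match From header": envelope_sender_mismatch,
}

# The guide recommends enabling only one of the two sender-domain checks.
ENABLED = [name for name in CHECKS if name != "Missing sender MX"]

def ipr_score(s: Session, enabled: List[str] = ENABLED, weight: int = 5,
              dns=DNS, fail_limit: int = 4) -> Tuple[int, List[str]]:
    """Run the enabled indicators and return (score, failed indicators).
    IPR contributes its configured weight only when at least fail_limit
    (four, per the guide) indicators fail; the weight value is an assumption."""
    failed = [name for name in enabled if CHECKS[name](s, dns)]
    return (weight if len(failed) >= fail_limit else 0), failed

# Constructed sessions: a well-configured sender and a suspicious one.
CLEAN = Session("203.0.113.5", "mail.example.net", "alice@example.net",
                "From: Alice <alice@example.net>\nTo: bob@example.com\n"
                "Subject: hello\n\nbody\n")
SUSPECT = Session("198.51.100.77", "localhost", "promo@bogus.invalid",
                  "Subject: buy now\n\nbody\n")
```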


DNS Block List

DNS Block Lists (DNSBL) contain the addresses of known sources of spam and are maintained by both commercial and non-commercial organizations. The DNSBL mechanism is DNS-based, resulting in a lookup on the specified DNSBL server for every server that attempts to connect to ePrism.

The weight assigned to DNS Block Lists in the Intercept advanced settings will be the score used by Intercept processing when a DNSBL is triggered for a message.

Note the following considerations when using DNSBL:

• If the DNSBL server is not available the DNS request will time out. This may affect performance and requires monitoring for timed-out connections. Remove any servers which you do not use to prevent time-outs.

• If a message that you want to receive is blocked by a DNSBL, add a filter to the Pattern Based Message Filtering list to "Trust" (to accept and train as legitimate mail) or "Accept" (to just accept without training) this message. Specific Access Patterns can also be used.

Configuring DNSBL

Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then select DNS Block List to configure its options.

• Enable DNSBLs — Select this check box to enable DNSBL.
• Check Relays — The Check Relays setting deals with spammers who are relaying their messages, usually illegally, through an intermediate server. The information about the originating server is carried in the headers of the message, which is checked by ePrism against the DNSBL. It is recommended that this option be left at the default value of "0".


• Exclude Relays — This option defines how many received headers to exclude from DNSBL checks, starting from the earliest. Some ISPs include the originating dial-up IP as the first relay point, which can result in legitimate mail being blocked by DNSBLs that block dial-ups. It is recommended to set this value to "1" or "0". Use "1" if any of the DNSBL servers utilized include dynamic IP addresses (such as dial-up). If the DNSBL service does not include dial-ups, set this to "0" to ensure mail originating from webmail systems is not rejected.
Note: This option needs to be enabled if ePrism is behind another MTA or mail gateway.

• Reject on DNSBL — Enable the check box to reject mail from blacklisted clients regardless of other message processing.
Caution: Reject on DNSBL will reject the message at SMTP connection time regardless of other Intercept processing. Caution should be used when enabling this feature.

• DNSBL Reject Threshold — The number of blacklists to trigger before rejecting based on DNSBL. If this value is set to "2", the server must appear on at least two DNSBLs before being rejected.
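How the Check Relays, Exclude Relays and DNSBL Reject Threshold options interact on a message that an ISP relayed from a dial-up, as an added example (not appliance code): the list data is a constructed table standing in for DNS (a real DNSBL is queried by resolving the reversed-octet name built below), and the way hops are counted from the Received headers is an assumption.

```python
"""DNSBL lookups with the guide's Check Relays, Exclude Relays and DNSBL
Reject Threshold options.  Added example, not appliance code."""
import re
from email import message_from_string
from typing import Dict, List, Set, Tuple

# Constructed list data: zone -> listed IPs.  The second zone lists dynamic
# (dial-up) addresses, the false-positive case the guide warns about.
LISTED: Dict[str, Set[str]] = {
    "bl.dnsbl.example": {"198.51.100.23", "192.0.2.99"},
    "dyn.dnsbl.example": {"198.51.100.23", "203.0.113.200"},
}
ZONES = list(LISTED)

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client resolves, e.g. 23.100.51.198.bl.dnsbl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, zone: str, table=LISTED) -> bool:
    """Stand-in for resolving dnsbl_query_name(ip, zone): listed => an answer."""
    return ip in table.get(zone, set())


def relay_ips(raw_message: str) -> List[str]:
    """IPs from Received headers, earliest hop first (headers are newest-first)."""
    hops = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def dnsbl_check(client_ip: str, raw_message: str, zones: List[str],
                check_relays: int = 0, exclude_relays: int = 0,
                reject_threshold: int = 1) -> Tuple[bool, Dict[str, List[str]]]:
    """Return (reject, hits) where hits maps each checked IP to the zones
    listing it.  The connecting client is always checked; check_relays adds
    that many Received-header hops (earliest first) after skipping the
    earliest exclude_relays hops.  Reject when any checked IP appears on at
    least reject_threshold lists.  This reading of the options is an assumption."""
    candidates = [client_ip]
    hops = relay_ips(raw_message)[exclude_relays:]
    candidates += hops[:check_relays]
    hits = {ip: [z for z in zones if is_listed(ip, z)] for ip in candidates}
    reject = any(len(listed) >= reject_threshold for listed in hits.values())
    return reject, hits


# Constructed message: a legitimate user on a dial-up (203.0.113.200) sent via
# the ISP relay (203.0.113.10), which is the client connecting to ePrism.
ISP_MESSAGE = (
    "Received: from relay.isp.example ([203.0.113.10]) by mx.example.com;"
    " Wed, 1 Feb 2006 10:00:00 -0500\n"
    "Received: from dialup.isp.example ([203.0.113.200]) by relay.isp.example;"
    " Wed, 1 Feb 2006 09:59:00 -0500\n"
    "From: user@isp.example\nTo: bob@example.com\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for kwargs in ({}, {"check_relays": 1}, {"check_relays": 1, "exclude_relays": 1}):
        print(kwargs, dnsbl_check("203.0.113.10", ISP_MESSAGE, ZONES, **kwargs))
```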

DNSBL Domains

Click Edit to modify the list of your DNSBL domain servers. Click Update when finished.

Note: The default DNSBL servers supplied will cover most cases and should not be changed without careful consideration.


Bulk Analysis

Bulk Analysis utilizes a set of servers that maintain databases of message checksums derived from numeric values that uniquely identify a message. Mail users and ISPs all over the world submit checksums of all messages received. The database records how many of each message is submitted. If requested, the Bulk Analysis server can return a count of how many instances of a message have been received. ePrism uses this count to determine the disposition of a message.

A Bulk Analysis server receives no mail, address, headers, or any similar information, but only the cryptographically secure checksums of such information. A Bulk Analysis server cannot determine the text or other information that corresponds to the checksums it receives. It only acts as a clearinghouse of counts of checksums computed by clients. This Bulk Analysis provides a simple but very effective way to successfully identify spam and control its disposition while updating its database with new spam message types.

The weight assigned to Bulk Analysis in the Intercept advanced settings will be the score used by Intercept Processing if the message is considered bulk.

Note: You must allow a connection on UDP port 6277 on your firewall or router to allow communications with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow down mail delivery.

Bulk Analysis Considerations

When implementing Bulk Analysis, consider the following:

• Educate your user community about this tool and request them to submit mailing lists and other bulk mail sources that need to be whitelisted. This step is crucial if Bulk Analysis and Token Analysis are to work properly.

• Set your Intercept spam dispositions so that users can recognize that a mail has been mistakenly identified as spam. This will allow users to report back false positives for whitelisting. The Modify Subject Header disposition is well suited to this task.


Configuring Bulk Analysis

Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Bulk Analysis to configure its options.

Threshold Settings

The threshold is used to determine what should happen to mail when it has been classified.

• If bulk exceeds — Bulk Analysis returns a number showing how many times the message has been identified. This can be zero (unique and therefore not bulk) or another number, such as 1352, indicating that the message has been reported as bulk this many times. It may also return the value "many". This is a special Bulk Analysis value returned when Bulk Analysis has seen a certain message in such volumes and with such frequency that it is most certainly considered "bulk". For Bulk Analysis to be useful, you need to specify a threshold that will trigger an action. It is recommended that you enter either "many" or a value of 50 or 100.

• Body1, Fuz1, and Fuz2 — These settings specify which checksums will be calculated and sent in. It is recommended that you leave the default settings. These settings effectively counter the efforts of spammers to randomize message content and evade detection as bulk. Results of the various counts can be viewed in the transport logs.

• Advanced — Click the Advanced button to reveal additional settings such as From, ID, and IP. The selected checksums must be supported by the Bulk Analysis server to work properly, and it is recommended that you use the default settings. These additional settings should be used with caution, as they may increase the risk of false positives.


• Bulk Analysis Warning Threshold — The threshold for the expected Bulk Analysis successful response rate, as a percentage of total number of Bulk Analysis queries performed. If the successful response rate falls below this value, an alarm will be generated. It is acceptable to have some value of loss depending on network connectivity. This feature is used to determine whether communication between ePrism and the Bulk Analysis network is occurring properly.

Bulk Analysis Servers

Click Edit in the Bulk Analysis Servers section to configure your server settings, if required.

Note: The default Bulk Analysis server supplied will cover most cases and should not be changed without careful consideration.

Note: You must allow a connection on UDP port 6277 on your firewall or router to allow communications with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow down mail delivery.

Bulk Analysis Trusted and Blocked Entry List

Administrators can create exceptions to bulk classifications by using the Trusted and Blocked List. In many cases, it may be easier to specify such exceptions using Pattern Based Message Filters, in which case the mail bypasses all anti-spam settings. It is recommended that Pattern Based Message Filters be used for creating exceptions. The Bulk Analysis trusted and blocked entry list feature is useful for removing legitimate bulk mail, such as mailing lists, from consideration as bulk while letting it be scanned by Intercept for other spam characteristics.

Click Edit to add entries to the Trusted and Blocked Entry lists.

Token Analysis

Token Analysis is a sophisticated method of identifying spam based on statistical analysis of mail content. Simple text matches can lead to false positives because a word or phrase can have many meanings depending on the context. Token Analysis provides a way to accurately measure how likely any particular message is to be spam without having to specify every word and phrase.

Token Analysis achieves this by deriving a measure of a word or phrase contributing to the likelihood of a message being spam. This is based on the relative frequency of words and phrases in a large number of spam messages. From this analysis, it creates a table of "discriminators" (words associated with spam) and associated measures of how likely a message is spam.

When a new incoming message is received, Token Analysis analyzes the message, extracts the discriminators (words and phrases), finds their measures from the table, and aggregates these measures to produce a spam metric for the message. This spam metric is the score assigned by Token Analysis to be used in the Intercept Anti-Spam decision.

Token Analysis has a built-in weighting mechanism that assigns a value between 0 and 99 to indicate whether a message is spam. A message with a low metric (closer to 0) is considered to be legitimate, while a message with a high metric (closer to 99) is considered to be spam. Token Analysis uses three sources of data to build its run-time database:

• The initial tables supplied by St. Bernard based on analysis of known spam.

• Tables derived from an analysis of local legitimate mail. This is referred to as "local learning" or "training".

• Training provided by spam from the PBMF Spam, Bulk Analysis, DNSBL, SPF, and DomainKeys Intercept components.

How Token Analysis Works

Consider the following simple message:

---------------------------------------------------------------

Subject: Get rich quick!!!!

Click on http://getrichquick.com to earn millions!!!!!

---------------------------------------------------------------

Token Analysis will break the message down into the following tokens:

[Get] [rich] [quick!!!!] [Click] [on] [http://getrichquick.com] [to] [earn] [millions!!!!!]

Each token is looked up in the database and a spam metric is retrieved. The token "Click" has a high metric of 91, whereas the word "to" is neutral (indicating neither spam nor legitimate.) These metrics are aggregated using statistical methods to give the overall score for the message of 98.

Mail messages with a spam metric of 90 or greater are very likely to be spam. Lower values (50-60) indicate possible spam, while very low values (20-25) are unlikely to be spam. These spam metrics are the score assigned by Token Analysis as part of the final Intercept Anti-Spam decision.

Configuring Token Analysis

Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Token Analysis to configure its properties.

When enabled, Token Analysis will always run in training mode and analyze all local mail. Local mail is assumed to be not spam and the frequency of the words found in this mail may therefore be used to modify the values supplied by St. Bernard’s master list. For example, a mortgage company may use the word "refinance" quite frequently in its regular mail. The likelihood of this word suggesting spam would therefore be reduced.

Token Analysis Modes

• Training Only — Token Analysis will analyze local mail but will NOT classify incoming mail.

• Scanning and Training — Token Analysis will analyze local mail AND will classify incoming mail.

Rebuild Database

Click the Rebuild Database button to rebuild the Token Analysis database. The run-time engine is built and rebuilt at 12 hour intervals using several sources such as the supplied spam data, trained spam from other Intercept features, and local training. Since the database is not built for the first time until 12 hours after installation, you can use this option to immediately rebuild the Token Analysis database.

Delete Training

Click the Delete Training button to remove all training material. You should delete all training material if your ePrism system has been misconfigured and starts to treat "trusted" mail as "untrusted" or vice versa.

Token Analysis Advanced Options

Click the Advanced button to reveal additional Token Analysis options. These options are for advanced configuration only, and it is highly recommended that the default values be used. Modifications to the default values may decrease Token Analysis accuracy and should be used with care.

Neutral Words

Neutral words are words that may or may not indicate spam. For example, a mortgage company may want to build a neutral word list that includes "refinance" or "mortgage" because these words show up quite frequently in spam mail. By adding them to the neutral word list, the likelihood of these words suggesting spam is reduced to a neutral value.

• Default Neutral Words — Select the check box to enable the default neutral words list. This list helps prevent pollution of the Token Analysis database. It is recommended that you leave this option enabled.

• Uploaded Neutral Words — Enables use of the uploaded neutral words list.

Upload a file using the Upload Neutral Words button. The file must be in text format, and contain a list of neutral words with one word per line. Uploading a new list will replace the previous neutral words list.

Note: The system will automatically rebuild the Token Analysis database during the upload of a neutral words list. This process may take some time to complete.

Token Analysis and Languages

The Token Analysis spam database is based on English language spam. As a result, it may not be initially responsive to spam created in other languages. The ability to learn means that it can readily adapt to other languages. Ensure that Bulk Analysis is enabled because all mail identified as "bulk" by Bulk Analysis will be used by Token Analysis to train as spam. Assuming that some of these bulk messages are in the local language, Token Analysis will build a database that reflects that language.

Token Analysis will train on local legitimate mail from the moment the system is started. This will help properly characterize the local language use by building up a database of good words to help prevent mail messages from being classified as spam.

To train ePrism with known local language spam mail, it is recommended that you set up rules to use the "Certainly Spam" action in Pattern Based Message Filters (PBMF). Messages specified as "spam" will be forwarded to Token Analysis and will increase its database of local language words.

Japanese, Chinese, and Korean Language

Token Analysis can alter its processing behavior for Japanese, Chinese, and Korean language messages to ensure they are not automatically classified as spam. These include the following character sets:

• Japanese major character sets — ISO-2022-JP, EUC-JP, Shift-JIS

• Chinese major character sets — GB2312, HZ-GB-2312, BIG5, GB7589, GB7590, GB8565.2-88, GB12052, GB/T12345, GB/T13131, GB/T13132, GB/T13000.1, ISO-2022-CN, ISO-2022-CN-EXT

• Korean major character sets — KS C 5601 (KS C 5601-1987), EUC-KR, ISO-2022-KR

For each character set, select how Token Analysis will process the message:

• Default — All content is processed by Token Analysis. If you receive legitimate mail in these languages, this may result in false positives.

• No Token Analysis Scan — Token Analysis scanning will be turned off for all messages containing Japanese, Chinese, and Korean language characters.

• Lenient Token Analysis Scan — Token Analysis scanning will be turned off for only the parts of the message containing Japanese, Chinese, and Korean language characters. The rest of the message will be processed normally. If there are 20 or fewer tokens in the message of non-Japanese, Chinese, and Korean characters, the Token Analysis scan will be skipped for that message.

Diagnostics

• Enable X-STA Headers — This setting inserts X-STA (Token Analysis) headers into all messages. These are not visible to the user (although they can be filtered in most mail clients), but can be used to gather information on why mail is processed in a particular way. The following headers will be inserted:

X-STA-Metric — The "score" assigned by Token Analysis, such as 95, which would indicate a spam message.

X-STA-NotSpam — Indicates the words with the highest non-spam value found in the message.

X-STA-Spam — Indicates the words with the highest spam value found in the message.

• Enable Monitoring — Select the check box to enable the monitoring of messages received by the specified e-mail address.

• Monitor email for — Enter an e-mail address that you would like to monitor.

• Copy to — Copy messages and the Token Analysis diagnostic to this e-mail address.
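To make the tokenization, neutral-word handling and X-STA diagnostics above concrete, here is an added Python example; it is not ePrism's code, and the real engine's tables and statistics are not published in this guide. It tokenizes the "Get rich quick" message the way the guide shows, looks up constructed per-token metrics (only Click = 91 comes from the guide), forces neutral-list words to 50, combines the metrics with an assumed naive-Bayes formula, and renders the three X-STA headers in an assumed format.

```python
"""Illustrative Token Analysis scorer (added example, not ePrism's own code).

Assumptions: the per-token metric table, the neutral-word handling and the
aggregation formula are constructed here for illustration only.
"""
from dataclasses import dataclass

NEUTRAL = 50  # a token that indicates neither spam nor legitimate mail

# Constructed per-token spam metrics (0..99). Only "Click" = 91 is taken from
# the guide's worked example; every other value is invented.
TOKEN_METRICS = {
    "Get": 60, "rich": 80, "quick!!!!": 90, "Click": 91, "on": NEUTRAL,
    "http://getrichquick.com": 95, "to": NEUTRAL, "earn": 85,
    "millions!!!!!": 92, "refinance": 88, "mortgage": 80,
    "meeting": 20, "agenda": 15,
}

# The guide's sample message, reproduced as a constructed test input.
SAMPLE_SPAM = ("Subject: Get rich quick!!!!\n"
               "Click on http://getrichquick.com to earn millions!!!!!")


@dataclass
class TokenVerdict:
    metric: int             # 0..99, what X-STA-Metric would carry
    spam_tokens: list       # highest spam value first (X-STA-Spam)
    notspam_tokens: list    # highest non-spam value first (X-STA-NotSpam)


def tokenize(text: str) -> list:
    """Split on whitespace and keep punctuation, as the guide's example does:
    'Get rich quick!!!!' -> ['Get', 'rich', 'quick!!!!']."""
    return text.split()


def _normalize(token: str) -> str:
    """Case-fold and strip trailing punctuation for neutral-list matching."""
    return token.lower().rstrip("!?.,;:")


def token_metric(token: str, metrics: dict, neutral_words) -> int:
    """Metric for one token; neutral-list words are forced to 50 regardless
    of the table, and unknown tokens are treated as neutral."""
    if _normalize(token) in neutral_words:
        return NEUTRAL
    return metrics.get(token, NEUTRAL)


def aggregate(metrics: list) -> int:
    """Combine per-token metrics into a single 0..99 message metric.

    Assumed formula (naive-Bayes style):
        P = prod(p) / (prod(p) + prod(1 - p)),  p = metric / 100
    A token at exactly 50 multiplies both products by 0.5 and so cancels,
    which is exactly what the guide means by a neutral token.
    """
    prod_spam = prod_ham = 1.0
    for m in metrics:
        p = min(max(m / 100.0, 0.01), 0.99)  # clamp: no token is absolute
        prod_spam *= p
        prod_ham *= 1.0 - p
    prob = prod_spam / (prod_spam + prod_ham)
    return int(prob * 99 + 0.5)


def score_message(text, metrics=TOKEN_METRICS, neutral_words=frozenset(), top=3):
    """Tokenize, look up, aggregate, and pick the tokens that drove the result."""
    scored = [(tok, token_metric(tok, metrics, neutral_words))
              for tok in tokenize(text)]
    spam = sorted((t for t in scored if t[1] > NEUTRAL), key=lambda t: -t[1])
    notspam = sorted((t for t in scored if t[1] < NEUTRAL), key=lambda t: t[1])
    return TokenVerdict(
        metric=aggregate([m for _, m in scored]),
        spam_tokens=[t for t, _ in spam[:top]],
        notspam_tokens=[t for t, _ in notspam[:top]],
    )


def x_sta_headers(verdict: TokenVerdict) -> dict:
    """Render the diagnostic headers the guide describes (format assumed)."""
    return {
        "X-STA-Metric": str(verdict.metric),
        "X-STA-Spam": ", ".join(verdict.spam_tokens),
        "X-STA-NotSpam": ", ".join(verdict.notspam_tokens),
    }


if __name__ == "__main__":
    for name, value in x_sta_headers(score_message(SAMPLE_SPAM)).items():
        print(f"{name}: {value}")
```

Passing `neutral_words={"refinance", "mortgage"}` reproduces the mortgage-company case: the same tokens that would otherwise push a message into spam territory are pinned to 50 and the metric falls back to neutral.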

Token Analysis Training

The following sections allow you to define advanced parameters for Token Analysis training, such as legitimate and spam mail training settings.

Legitimate Mail Settings

The following settings are advanced options for the handling of legitimate mail:

• Local Training — Enable this option to train mail from local users (on the trusted network) as valid mail.

• Local Limit — Enter the maximum number of messages from local users that can be used for Token Analysis training. When the limit is reached, older training messages are deleted as new messages arrive.

• Local Threshold — Set the threshold for messages from local users to be used for training. If the Token Analysis classification for the message is greater than or equal to the specified number, the message will be used for training.

• Source Weighting % — For Token Analysis to be useful and efficient, the training must be based on well selected data. The initial database supplied by St. Bernard represents well selected data, and is therefore highly weighted, compared to uploaded legitimate mail or legitimate mail from the trusted network.

Default — Enter a percentage for the weight of the St. Bernard maintained Token Analysis database of valid mail.

Uploaded — Enter the weight of locally uploaded valid mail. Legitimate mail can be uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.

Trusted-net — Enter the weight of mail from trusted networks that is automatically trained as valid mail.

Note: When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for Upload, and 20% for Trusted. Significant changes to the source weighting may decrease Token Analysis accuracy.

Spam Settings

The following settings are advanced options for the handling of spam mail:

• Bulk Analysis Training — Select the check box to enable the training of mail marked as "bulk" by Bulk Analysis as spam.

• Spam Limit — Enter the maximum number of spam messages used for training.

• Spam Training Threshold — Set the threshold for spam messages to be used for training. If the Token Analysis classification for the message is less than or equal to the specified number, the message will be used for training.

• Source Weighting — For Token Analysis to be useful and efficient, the training must be based on well selected data. The initial database supplied by St. Bernard represents well selected data and is therefore highly weighted, compared to uploaded spam mail or bulk mail from Bulk Analysis.

Default — Enter a percentage for the weight of the St. Bernard maintained Token Analysis database of spam mail.

Uploaded — Enter the weight of locally uploaded spam mail. Spam mail can be uploaded by clicking the Upload Spam Mail button. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.

Bulk Analysis — Enter the weight of mail marked as "bulk" by Bulk Analysis that is automatically trained as spam.

Note: When uploading mail, it is recommended to set the weighting to 60% for Default, 20% for Upload, and 20% for Bulk. Significant changes to the source weighting may decrease Token Analysis accuracy.

Dictionary Spam Count

Recent changes to the way that spammers compose their messages can reduce the effectiveness of the Token Analysis filter. By introducing large numbers of normal words into their spam messages, they can hide their content because the normal words outweigh the spam words and result in a low spam count. More aggressive settings may result in more false positives. ePrism counters this in two ways:

1. All words in the ePrism dictionary are now assigned a base level of how likely they are to be spam. In a normal message, this increased level will not result in a false positive, since the overall count is low. In a spam message, the result is different; the normal words will not counteract the spam content, and the message is correctly identified as spam.

2. Training on local mail now works to reduce this base level closer to zero. This further reduces the likelihood of a false positive.

The Dictionary Count is set to one "1" by default. This should be sufficient for most situations. It is recommended that you only change the default value if the following conditions occur:

• If there are too many false positives and this is not alleviated by training, then the Dictionary Count should be set to zero "0", disabling this feature.

• If too much spam is passing then the Dictionary Count can be increased. Try increasing the value to ten "10". If this results in too many false positives, reduce it to five "5".

Note: This setting should only be considered for modification if other measures (training, threshold changes, uploading spam and/or legitimate mail) have been tried and have not provided the desired result.

Troubleshooting Token Analysis

Token Analysis is a very effective anti-spam tool and provides the mail administrator with a variety of options to finely tune this feature for their particular environment. With these advanced controls, there is a greater chance of creating a configuration that may result in excessive false positives (mail marked as spam when they are legitimate) or false negatives (mail not marked as spam when they are spam.)

The following are some considerations when troubleshooting issues with Token Analysis:

• For excessive false positives:

— Ensure that the system has gone through a cycle of training.

— Ensure that any mailing lists that the organization sends out are whitelisted (via PBMF) as "accept".

— Check for tokens that may be words used by the organization for their regular business. For example, a financing company would want the words "mortgage" or "refinance" to be allowed as legitimate tokens.

• For excessive false negatives:

— If Bulk Analysis is enabled, ensure that it is working properly and it is using Token Analysis for training.

— Check that any mailing lists received by the users are whitelisted (via PBMF) as "accept".

Sender Policy Framework (SPF)

Sender Policy Framework is a sender authentication technology that helps prevent spammers from spoofing mail headers and impersonating a legitimate e-mail user or domain, a technique commonly used in phishing attacks. Unsuspecting users may reply to these seemingly legitimate addresses with personal and confidential information.

SPF provides a means for authenticating the source of an e-mail by querying the sending domain’s DNS records. The SPF protocol allows server administrators to describe their e-mail servers in their DNS records. By comparing the headers of the e-mail with the SPF value, the receiving host can verify that the e-mail is originating from the legitimate mail server for that domain. This prevents spammers from sending forged e-mails.

ePrism’s SPF actions only apply to incoming mail messages that have failed an SPF check (the e-mail message does not match the corresponding published SPF record.) If a specific mail server does not have an existing SPF record then the message is processed normally. It is possible, however, that administrators may misconfigure their DNS SPF records, resulting in false positives and legitimate hosts being blocked from sending you mail.

The weight assigned to SPF in the Intercept advanced settings will be the score used by Intercept Processing if the message fails an SPF check.

SPF is an emerging anti-fraud and anti-phishing technology that is designed primarily as a mechanism to prevent forged e-mails rather than an anti-spam measure. It is dependent on network administrators publishing their legitimate e-mail servers in their DNS records and ensuring these records are properly configured. St. Bernard encourages customers that use SPF in their DNS infrastructure to review their own SPF records to ensure they are accurate.

Select Mail Delivery ➝ Anti-Spam ➝ Intercept and then select SPF on the menu to configure Sender Policy Framework settings.

• Enable SPF — Select the check box to enable SPF verification.

• Strip incoming SPF headers — This option removes any "Received-SPF" header from incoming messages. Spammers may attach their own forged SPF headers to create the impression that the e-mail is from a legitimate source.

• Add outgoing SPF header — This option adds an SPF header to the outgoing message.

DomainKeys

DomainKeys is another sender authentication technology used to prevent spammers from spoofing mail headers and launching phishing attacks. This is done by authenticating the source of an e-mail message by querying the sending domain’s DNS records. The DomainKeys protocol allows server administrators to add a digital signature to their outgoing messages that can be validated via DNS.

The domain owner generates a public and private key pair to use for signing all outgoing messages. The public key is published in their DNS records and the private key is used to sign outbound messages. By verifying the signature in the headers of the e-mail using the public key, the receiving host can verify that the e-mail is originating from the legitimate mail server for that domain. This prevents spammers from sending forged e-mails.

ePrism’s DomainKeys actions only apply to incoming mail messages that have failed a DomainKeys check (such as when the e-mail message does not match the corresponding published DomainKeys record.) If a specific mail server does not have an existing DomainKeys record then the message is processed normally. It is possible, however, that administrators may misconfigure their DNS DomainKeys records, resulting in false positives and legitimate hosts being blocked from sending you mail.

The weight assigned to DomainKeys in the Intercept advanced settings will be the score used by Intercept processing if the message fails a DomainKeys check.

For more information about DomainKeys, see http://antispam.yahoo.com/domainkeys.

Select Mail Delivery ➝ Anti-Spam, and then select DomainKeys on the menu to configure DomainKeys settings.

The message will be considered spam if any of the following checks are true:

• No Signature When Required — Consider the message as spam when there is no signature, even if the sender says they sign all messages.

• No Signature When Not Required — Consider the message as spam when there is no signature and the sender says they may not sign all messages.

• Invalid Signature — Consider the message as spam when the signature is invalid.

• Key Revoked — Consider the message as spam when the key used to sign the message is no longer valid.

• Invalid Message Syntax — Consider the message as spam when the signature cannot be checked because the message has invalid syntax.

• No Key — Consider the message as spam when the sending domain did not provide a key for the selector specified in the message.

• Bad Key — Consider the message as spam when the sending domain provided an unusable key.

• Temporary DNS Error — Consider the message as spam when the sender’s key could not be obtained due to a temporary DNS error.

Sender Testing DomainKeys

These checks can also be performed for messages from senders who are testing their DomainKeys implementation by inserting a test flag into their DomainKeys DNS records. It is recommended that you use the default settings which permit more lenient checks to be performed against these test messages.

DomainKeys Log Messages

The response codes for DomainKeys processing will appear in the Mail Transport logs as follows:

0 - Pass
1 - Neutral
2 - Fail
3 - Soft Fail
4 - Temporary Error
5 - Permanent Error

The logs will also indicate which DomainKeys check caused the error:

DomainKeys: [email protected], result=permerror(bad key)
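A small parser for these log lines, added here as an example (it is not part of ePrism): it pulls the sender, the textual result and the parenthesized reason out of each line, maps the result to the numeric code listed above, and tallies failures per DomainKeys check so an administrator can see which check is rejecting mail. The mapping of the textual result tokens (pass, neutral, fail, softfail, temperror, permerror) onto codes 0 to 5, the reason-to-check mapping, the sender addresses and the sample log lines are all assumptions constructed for the example.

```python
"""Parse DomainKeys result lines from a mail transport log (added example,
not ePrism's own code; the log format beyond the line quoted in the guide,
the token-to-code mapping and the sample lines are assumptions)."""
import re
from collections import Counter

# Numeric result codes exactly as the guide lists them.
RESULT_CODES = {
    0: "Pass", 1: "Neutral", 2: "Fail",
    3: "Soft Fail", 4: "Temporary Error", 5: "Permanent Error",
}

# Assumed: textual result= tokens in the order of the codes above. Only
# "permerror" actually appears in the guide's sample line.
RESULT_TOKENS = {
    "pass": 0, "neutral": 1, "fail": 2,
    "softfail": 3, "temperror": 4, "permerror": 5,
}

# Assumed: parenthesized reasons, named after the checks in the DomainKeys
# settings. Unknown reasons are passed through verbatim.
CHECK_REASONS = {
    "bad key": "Bad Key",
    "no key": "No Key",
    "key revoked": "Key Revoked",
    "invalid signature": "Invalid Signature",
    "invalid message syntax": "Invalid Message Syntax",
    "no signature": "No Signature",
    "temporary dns error": "Temporary DNS Error",
}

LOG_RE = re.compile(
    r"DomainKeys:\s*(?P<sender>\S+),\s*result=(?P<result>[a-z]+)"
    r"(?:\((?P<reason>[^)]*)\))?"
)

# Constructed sample log lines (placeholder addresses, not real senders).
SAMPLE_LOG = [
    "DomainKeys: sender@example.com, result=permerror(bad key)",
    "DomainKeys: news@example.net, result=pass",
    "DomainKeys: billing@example.org, result=temperror(temporary dns error)",
    "DomainKeys: promo@example.com, result=fail(invalid signature)",
    "DomainKeys: noreply@example.net, result=permerror(no key)",
    "smtp: connection from 192.0.2.10 closed",  # unrelated line, ignored
]


def parse_domainkeys_log(line: str):
    """Return a dict describing one DomainKeys log line, or None if the line
    is not a DomainKeys result (or uses a result token we do not know)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    result = m.group("result")
    if result not in RESULT_TOKENS:
        return None
    code = RESULT_TOKENS[result]
    reason = m.group("reason")
    check = CHECK_REASONS.get(reason.lower(), reason) if reason else None
    return {
        "sender": m.group("sender"),
        "result": result,
        "code": code,
        "code_name": RESULT_CODES[code],
        "reason": reason,
        "check": check,
    }


def summarize(lines) -> Counter:
    """Count outcomes by code name; non-matching lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_domainkeys_log(line)
        if rec:
            counts[rec["code_name"]] += 1
    return counts


def failing_checks(lines) -> Counter:
    """Count which DomainKeys check caused each non-pass result; this is the
    view an administrator wants when deciding which check to relax."""
    counts = Counter()
    for line in lines:
        rec = parse_domainkeys_log(line)
        if rec and rec["code"] != 0 and rec["check"]:
            counts[rec["check"]] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(failing_checks(SAMPLE_LOG))
```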

Intercept Advanced Features

Click the Advanced button to reveal advanced Intercept Anti-Spam features that can be enabled and configured by the administrator.

Advanced Intercept Components

The following additional Intercept Components appear when the Advanced button is selected.

• Reject on unknown sender domain — Rejects mail when the sender’s mail address does not appear in the DNS as an A or MX record. This option applies to "untrusted" mail only.

• Reject on missing sender MX — Rejects mail when the sender’s mail address has no DNS MX record.

• Reject on non FQDN sender — Rejects mail when the client MAIL FROM command is not in the form of an FQDN (Fully Qualified Domain Name) such as mail.example.com. This option applies to "untrusted" mail only.

• Reject on unauth pipelining — Rejects mail when SMTP commands are sent ahead of the message even though the SMTP server supports pipelining. This option blocks mail from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.

• Reject on missing addresses — Reject mail when no recipients (To:) or sender (From:) were specified in the message headers. These fields are the optional To: and From: fields, not the corresponding Envelope fields.

• Reject on missing reverse DNS — Reject mail from a host when the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. Note: Many servers on the Internet do not have valid Reverse DNS records. Setting this option may result in rejecting mail from legitimate sources. It is recommended that you do not enable this option.

Note: These options are similar to those available in IP Reputation, but these options will reject if a single match is found, while IPR provides a score if a cross-section of four or more matches are found.

Intercept Decision Strategy

The Intercept Decision Strategy allows administrators to alter the way in which Intercept processes messages for spam.

• Highest Score — The Highest Score method will use the maximum score derived from all the scans that were processed. For example, if Bulk Analysis, IP Reputation, and DNS Block List are enabled, and DNS Block List results in the highest contributing score for all the scans, then that score will be used.

Note: To achieve similar results to the Anti-Spam behaviour of previous versions of ePrism, set the decision strategy to Highest Score and set all component weights to 100.

• Sum of Weights — The message is initially classified by taking the maximum score of Token Analysis. The weight of any other enabled components with a spam score is then added. Note: The component weights should be adjusted to be lower than their default settings when using this decision strategy.

• Heuristic 1 — Components are divided into objective and subjective categories. Objective components are DNSBL, IP Reputation, BSN Dial-up, Bulk Analysis, SPF, and DomainKeys. Subjective components are Spam Dictionaries, Token Analysis, and BSN reputation. The message is classified initially by combining the subjective scores, and the classification is then adjusted by combining the objective scores.

• Heuristic 2 — This strategy is similar to the Heuristic 1 strategy except that the component accuracies for the objective components are not used and the number of spam indications is considered.

• Statistical — Scans are processed independently and the resulting score represents the probability that a message is spam based on statistical computation of the results using a mathematical process.

• Bayesian — Scans are processed independently and the resulting score represents the probability that a message is spam based on Bayesian computation of the results.

Intercept Component Weights

Administrators can customize the Intercept engine by configuring the weights for each Intercept component that will help determine the final spam score for a message. These values represent the scores that will be used if that component is triggered.

For example, if a mail message triggers a DNS Block List, the spam score contribution for that message will be the defined weight, such as 80. If the message also triggers a classification by Bulk Analysis, the Bulk Analysis weight, such as 75, will be added also.

Note: Token Analysis contributes its own unique score between 0 and 99 and cannot be assigned a configurable weight.

The final result of these scores will be decided by your selected Decision Strategy, such as Highest Score or Sum of Weights.

Valid weights for each component are from 0 to 100. Set the weight to "0" if you want that feature to have no bearing on the final spam score of a message.

Set this value to "100" if you want this component to have a strong weight on the final spam score of a message.

Note: The default accuracies are recommended by St. Bernard, and any modifications to these percentages should be performed with careful consideration.

• Spam Dictionaries — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. A list of accurate spam words should be configured with a weight close to 100. More general word lists should be configured with lower weights.

• IP Reputation — This value is used when a message fails four or more reputation checks. A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.

• DNS Block List — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. The DNS Block List should generally have a weight between 60 and 80.

• BorderWare Security Network Dial-up — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. BorderWare Security Network Dial-up should generally have a weight between 60 and 80.

• Bulk Analysis — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. Bulk Analysis should generally have a weight between 70 and 80.

• SPF — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. SPF should generally have a weight of 50.

• DomainKeys — A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. DomainKeys should generally have a weight of 90.

Click the Reset button to return the weights to the default values.
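The following Python example, added here and not ePrism's own code, works through the two decision strategies the guide defines arithmetically (Highest Score and Sum of Weights) using the component weights described above. The weight table is constructed: DNS Block List = 80 and Bulk Analysis = 75 follow the guide's worked example, the rest are placeholders inside the recommended ranges; the Heuristic, Statistical and Bayesian strategies are not specified closely enough to reproduce.

```python
"""Illustrative Intercept decision-strategy calculator (added example, not
ePrism's own code). Only Highest Score and Sum of Weights are modelled; the
heuristic, statistical and Bayesian strategies are left out on purpose."""

# Constructed component weights (0..100). Token Analysis is deliberately
# absent: it has no configurable weight and contributes its own 0..99 metric.
DEFAULT_WEIGHTS = {
    "Spam Dictionaries": 90,
    "IP Reputation": 80,
    "DNS Block List": 80,   # the guide's example value
    "BSN Dial-up": 70,
    "Bulk Analysis": 75,    # the guide's example value
    "SPF": 50,
    "DomainKeys": 90,
}

STRATEGIES = ("Highest Score", "Sum of Weights")


def validate_weights(weights: dict) -> dict:
    """Reject anything outside the 0..100 range the guide allows."""
    for name, weight in weights.items():
        if not isinstance(weight, int) or not 0 <= weight <= 100:
            raise ValueError(
                f"weight for {name!r} must be an integer 0..100, got {weight!r}")
    return weights


def contributions(triggered, weights: dict) -> dict:
    """Score each triggered component contributes.

    A weight of 0 means the component has no bearing on the result, so such
    components are dropped here rather than contributing a zero."""
    validate_weights(weights)
    scores = {}
    for name in triggered:
        if name not in weights:
            raise KeyError(f"unknown Intercept component: {name!r}")
        if weights[name] > 0:
            scores[name] = weights[name]
    return scores


def highest_score(token_metric, triggered, weights=DEFAULT_WEIGHTS) -> int:
    """Highest Score: the maximum of the Token Analysis metric and the
    weights of every component that fired."""
    scores = list(contributions(triggered, weights).values())
    if token_metric is not None:
        scores.append(token_metric)
    return max(scores, default=0)


def sum_of_weights(token_metric, triggered, weights=DEFAULT_WEIGHTS) -> int:
    """Sum of Weights: start from the Token Analysis metric and add the
    weight of every other component that fired. The total is not capped,
    which is why the guide says to lower the component weights under this
    strategy."""
    base = token_metric if token_metric is not None else 0
    return base + sum(contributions(triggered, weights).values())


def intercept_score(strategy, token_metric, triggered, weights=DEFAULT_WEIGHTS) -> int:
    """Dispatch on the configured Decision Strategy name."""
    if strategy == "Highest Score":
        return highest_score(token_metric, triggered, weights)
    if strategy == "Sum of Weights":
        return sum_of_weights(token_metric, triggered, weights)
    raise ValueError(f"strategy not modelled in this example: {strategy!r}")


if __name__ == "__main__":
    # The guide's example: DNS Block List (80) and Bulk Analysis (75) fired,
    # and Token Analysis scored the message 98.
    fired = ["DNS Block List", "Bulk Analysis"]
    for strategy in STRATEGIES:
        print(f"{strategy}: {intercept_score(strategy, 98, fired)}")
```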

Trusted Senders

The Trusted Senders List allows users to create their own lists of senders they want to receive mail from, to prevent that mail from being blocked by ePrism’s spam filters. Users can utilize the WebMail/ePrism Mail Client interface to create their own Trusted Senders List based on a sender’s e-mail address. Trusted Senders can also be added directly via the Spam Quarantine summary e-mail.

Note: If the message is rejected for reasons other than spam, such as viruses or attachment controls, the Trusted Senders List will have no effect.

The Trusted Senders List overrides the following actions:

• Modify Subject Header

• Add Header

• Redirect

The following rules also apply for the Trusted Senders List:

• A Reject action will reject the message regardless of the settings in the Trusted Senders List.

• If the action is set to Just Log or BCC, the trusted message will pass through, but will still be logged or BCC’d by ePrism.

• PBMF spam actions set to Medium or High priority cannot be whitelisted, allowing administrators to ensure that a strong security policy is enforced.

• The Trusted Senders List cannot whitelist items rejected by the administrator during the SMTP connection such as BSN and DNSBL checks.

Enabling Trusted Senders

The Trusted Senders List must be enabled globally by the administrator to allow users to configure their own trusted senders.

Enable the Trusted Senders List globally as follows:

1. Select Mail Delivery ➝ Anti-Spam ➝ Trusted Senders.

2. Select the Permit Trusted Senders List check box to enable the feature globally for all users.

3. Configure the domain part of the e-mail address appended to local user names.

WebMail access must be enabled on a network interface in Basic Config ➝ Network to allow users to log in to ePrism via ePrism Mail Client/WebMail to manage their Trusted Senders List.

In User Accounts ➝ Secure WebMail, you must also enable the Trusted Senders controls for the end user when they login to the ePrism Mail Client/WebMail interface.

Adding Trusted Senders

To create their own Trusted Senders List, end users log in to their ePrism Mail Client/WebMail account and select Trusted Senders from the left menu.

Note: Users do not need a local account on the system. Logins can be authenticated via RADIUS or LDAP to an authentication server such as Active Directory. The user’s Trusted Senders List is saved locally on the system. See “Remote Accounts and Directory Authentication” on page 178 for more detailed information on setting up user authentication.

The Trusted Senders List is based on a sender’s e-mail address. Enter an e-mail address and click the Add button.

Trusted Senders can also be added directly via the Spam Quarantine summary e-mail.

Spam Quarantine

The Spam Quarantine redirects spam mail into a local storage area, either one folder per user or a single folder for one designated user. Users can then view and manage their own quarantined spam: view a message, release it to their inbox, or delete it.

Spam Quarantine summary notifications can be sent to users notifying them of existing mail in their quarantine. The e-mail notification itself can contain links to take action on messages without having to login to the quarantine.

To quarantine mail, the administrator must set the action for an Intercept spam level, such as "Certainly Spam", to Redirect To, and set the action data to the FQDN (Fully qualified domain name) of the ePrism system (to host the quarantine on the current system) or another ePrism running the spam quarantine feature.

Note: The Spam Quarantine must be enabled on the destination system if you choose to quarantine mail on a separate ePrism.

Local Spam Quarantine Account

To access quarantined mail, a local account must exist for each user. This account can be created locally, or you can use the LDAP Mirrored Users feature to import user accounts from an LDAP compatible directory (such as Active Directory) and mirror them on the local system.

See “Directory Users and Groups” on page 66 for more information on importing and mirroring LDAP user accounts.

Configuring the Spam Quarantine

Select Mail Delivery ➝ Anti-Spam ➝ Spam Quarantine on the menu.

• Enable Spam Quarantine — Select the check box to enable the spam quarantine.

• Expiry Period — Select an expiry period for mail in each quarantine folder. Any mail quarantined for longer than the specified value will be deleted.

• Folder Size Limit — Set a value, in megabytes, to limit the amount of stored quarantined mail in each quarantine folder.

• Enable Summary Email — Select the check box to enable a summary e-mail notification that alerts users to mail that has been placed in their quarantine folder. Note: Notifications can only be sent to accounts ePrism is aware of, such as local accounts or LDAP mirrored user accounts.

• Limit # of message headers sent — Specify the maximum number of headers to be sent in the notification message. Set to "0" for all message headers to be sent.

• Remember # of past summary keys — Each summary e-mail is tied to a key. This value sets how many past keys remain valid, and therefore how many previously sent summaries users can still act on; older summaries and their links stop working. The default is 8. Note: When spam summaries are sent every 12 hours, a value of 8 keeps only the last four days of summaries accessible.

• Notification Domain — Enter the domain to which notifications are sent. This is typically the Fully Qualified Domain Name of the e-mail server. Note: The Spam Quarantine only supports one domain.

• Notification Days — Select the specific days to send the summary.

• Notification Times — Select the time of day to send the summary notifications.

• Spam Folder — Indicate the Spam Folder name. This must be an RFC821 compliant mailbox name. This folder will appear in a user's mailbox when they have received quarantined spam.

• Mail Subject — Enter the subject of the spam summary notification message. ePrism system variables can be used in the subject. See "Customizing Notification and Annotation Messages" on page 333.

• Allow Trusting Senders — Inserts a link in the notification summary to allow the user to add the sender to their Trusted Senders List.

• Allow reading messages — Inserts a link in the notification summary to allow the user to read the original message.

• Allow releasing of email — Inserts a link in the notification summary to allow the user to release it to their inbox.

Note: Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored user accounts.

Setting Spam Redirect Options

To quarantine spam mail to the Spam Quarantine, you must set the Intercept action to Redirect to and set the action data to the FQDN of the spam quarantine server.

To quarantine mail to the spam quarantine, use the following procedure:

1. Go to Mail Delivery ➝ Anti-Spam ➝ Intercept.

2. Set the Action for the spam level (such as "Certainly Spam") to Redirect to.

3. Set the Action data to the FQDN of the spam quarantine (either this ePrism, or another ePrism system running the quarantine), such as spam.example.com.

Accessing Quarantined Spam

The quarantined spam folder can be viewed using the ePrism Mail Client/WebMail interface. Users can log in to their local or mirrored account on ePrism and view their own quarantine folder.

If you do not require or do not want end users to log in to ePrism to retrieve these messages, they can simply use the linked actions contained in the spam quarantine summary notification to manage quarantined messages. Those links act without a login, so anyone who obtains a summary e-mail can use them until its key expires; keep the number of remembered summary keys small and consider leaving Allow reading messages disabled if summaries are likely to be forwarded.

Note: WebMail access must be enabled on a network interface in Basic Config ➝ Network to allow users to log into ePrism locally or use the linked actions in the spam quarantine summary notification.

Users can also use IMAP to access the quarantine folders. You must enable IMAP globally and on your trusted network interfaces as required. This allows users to connect to the system via IMAP and move spam messages out of the quarantine into their own folders.

Accessing the Quarantine Folder via IMAP

To enable access to the quarantine folder via IMAP:

1. Select User Accounts ➝ POP3 and IMAP to enable IMAP globally.

2. Select Basic Config ➝ Network to enable IMAP on a specific network interface.

3. Connect from a client using IMAP to view the "spam_quarantine" folder.

To retrieve false positives (messages that are not spam) from the quarantine, configure the user's e-mail client with two separate accounts, one for their normal mailbox and one for the spam quarantine. With this configuration, messages can be dragged and dropped from the quarantine into the normal mail account.

Enabling WebMail and Spam Quarantine Access

In Basic Config ➝ Network, enable the WebMail check box for a specific network interface to allow users to login to WebMail.

In User Accounts ➝ Secure WebMail, enable the Personal Quarantine Controls option to provide users with the spam quarantine controls in the ePrism Mail Client/WebMail interface.

Accessing the Quarantine folder using ePrism Mail Client/WebMail

To access the quarantine folder via ePrism Mail Client/WebMail:

1. Log into your ePrism WebMail account.

2. Select Spam Quarantine from the left menu.

Click the Release link to release the message back into your inbox.

Click the Trusted Sender link to automatically add the sender to your Trusted Sender List.

Spam Quarantine in a Cluster

You can run the Spam Quarantine in a clustered environment, but there are additional steps that need to be performed for this feature to work correctly.

• The Spam Quarantine should be enabled on the master Cluster Console only. The cluster will automatically synchronize the configuration with the other cluster members.

• You must set your Intercept options to use an action of Redirect To, and set the action data to a hostname that will be used specifically for the Cluster Console’s network interface. For example, set your redirect action to redirect.example.com.

• On the Cluster Console, go to Mail Delivery ➝ Routing ➝ Mail Routing, and create a mail route for redirect.example.com to point to the IP address of the network interface on the Cluster Console that communicates with the other cluster members. This mail route will be automatically propagated to the other cluster member systems.

• On the Cluster Console, create a Specific Access Pattern rule set to an action of "Trust" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This will ensure messages being redirected from the member system will be trusted.

• If you are running Token Analysis, create a Pattern Based Message Filter rule on the Cluster Console set to the action of "Do Not Train" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This prevents the message from being trained when it is sent to the master Cluster Console for the spam quarantine.

CHAPTER 8 User Accounts and Remote Authentication

This chapter describes how to set up and administer local and remote user accounts and POP/IMAP access on your ePrism Email Security Appliance, and contains the following topics:

• "POP3 and IMAP Access" on page 172

• "Local User Mailboxes" on page 173

• "Mirror Accounts" on page 175

• "Strong Authentication" on page 176

• "Remote Accounts and Directory Authentication" on page 178

• "Relocated Users" on page 181

• "Vacation Notification" on page 182

• "Tiered Administration" on page 185

POP3 and IMAP Access

ePrism fully supports local user mailboxes. Mail is delivered to ePrism mailboxes after the same processing that applies to all other destinations. Users can use any POP or IMAP-based mail client (such as Outlook, Netscape, Eudora, and so on) to download their messages. Users can also be configured to access these mailboxes using the ePrism Mail Client.

Note: It is recommended that you use the secure versions of POP and IMAP to ensure passwords are not transmitted in clear text.

Select User Accounts ➝ POP3 and IMAP on the menu to enable or disable POP and/or IMAP mailboxes.

To complete the procedure, you must also enable POP3 and IMAP access (and their secure versions) on your network interfaces via the Basic Config ➝ Network menu.

Local User Mailboxes

Select User Accounts ➝ Local Accounts on the menu to add new users and configure local user mail profile settings.

Click the Add a New User button to begin the new user configuration:

• User ID — Enter an RFC821 compliant mailbox name for the user.

• Forward email to — Enter an optional address to forward all mail to.

• Set and Confirm Password — Enter and confirm the user's password. The user should change this password the first time they log in.

• Strong Authentication — Select a strong authentication method, if required. Strong authentication is explained in more detail in the next section.

• Disk Space Quota — Enter an optional user disk space quota in megabytes (MB). Enter a value of "0" for no quota.

• Accessible IMAP/ePrism Mail Client Servers — Select the available IMAP and ePrism mail client servers that this user can access.

Upload and Download User Lists

You can upload lists of users using comma or tab separated text files. You can specify the login ID, password, e-mail address, and disk quota in megabytes. Use the following format:

[login],[password],[e-mail address],[quota]

For example,

user1,ajg7rY,[email protected],0

The file (user.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the user list file first by clicking File Download, editing it as required, and then uploading it using the File Upload button.
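Generating and checking a user-list file in this format, as an added example written for this page rather than product code. Only the four-column layout comes from the manual; the local-part check, the 16-character CSPRNG passwords, the function names and the placeholder domain example.com are this example's own choices. It writes comma-separated records; the manual's tab-separated variant would need only a different delimiter.

```python
"""Generate and sanity-check a user-list file in the [login],[password],[e-mail address],[quota] layout.

Added example, not part of the product. Only the four-column layout comes from
the manual; the local-part check, the CSPRNG passwords, the function names and
the placeholder domain are this example's own choices.
"""
import csv
import io
import re
import secrets
import string
from typing import List, Optional

# Characters RFC 5321 allows in an unquoted local part; keeps logins upload-safe.
LOCAL_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# No comma, tab or quote, so a generated password never needs CSV quoting.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "@#%^*-_+=!"


def new_password(length: int = 16) -> str:
    """Initial password from the OS CSPRNG; the user should change it at first login."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def make_row(login: str, domain: str, quota_mb: int = 0, password: Optional[str] = None) -> List[str]:
    """One upload record: login, password, e-mail address, quota in MB (0 = no quota)."""
    if (not LOCAL_PART.match(login) or login.startswith(".")
            or login.endswith(".") or ".." in login):
        raise ValueError(f"login is not a valid mailbox name: {login!r}")
    if quota_mb < 0:
        raise ValueError("quota must be 0 or a positive number of megabytes")
    return [login, password or new_password(), f"{login}@{domain}", str(quota_mb)]


def build_user_list(logins: List[str], domain: str, quota_mb: int = 0) -> str:
    """Return the file content to upload (one record per line, comma separated)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for login in logins:
        writer.writerow(make_row(login, domain, quota_mb))
    return buf.getvalue()


def parse_user_list(text: str) -> List[dict]:
    """Parse a downloaded or hand-edited list and reject malformed records before re-uploading."""
    records = []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # skip blank lines
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        login, password, email, quota = (f.strip() for f in fields)
        if not LOCAL_PART.match(login):
            raise ValueError(f"line {lineno}: bad login {login!r}")
        if not password:
            raise ValueError(f"line {lineno}: empty password for {login!r}")
        if "@" not in email:
            raise ValueError(f"line {lineno}: bad e-mail address {email!r}")
        if not quota.isdigit():
            raise ValueError(f"line {lineno}: quota must be an integer number of MB")
        records.append({"login": login, "password": password,
                        "email": email, "quota": int(quota)})
    return records
```

Treat the generated file as a credential store: it holds initial passwords in clear text, so deliver it over the appliance's HTTPS upload only and delete local copies once the accounts exist.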

Mailbox Options

Click the Options button to set the maximum mailbox size (in bytes) for all local mailboxes. Set this value to 0 to disable the limit.

Note: The value must not be smaller than the Maximum message size limit set in Mail Delivery ➝ Mail Access. If you set this value to 0, local mailboxes can grow without limit and accept messages of any size.

Mirror Accounts

LDAP user accounts can be imported from an LDAP directory server and mirrored on the local ePrism system. This allows you to create local accounts based on the LDAP account to allow these users to login locally for the Spam Quarantine feature.

Note: These mirror accounts are not local accounts that can accept mail, they are only used for the Spam Quarantine feature.

See “Directory Users and Groups” on page 66 for more detailed information on creating mirror accounts.

If you have imported LDAP user accounts via Basic Config ➝ Directory Services ➝ Users and Groups, a new option will appear in the Local Accounts menu called Mirror Accounts that displays all mirrored user accounts.

You can remove selected individual user’s mirror accounts or remove all of them by clicking the Remove All button.

Note: When using the Remove All button, users are removed as a background process and if you have many pages of users, it may take several minutes for this operation to complete.

Strong Authentication

By default, user authentication is based on UserID and password. ePrism also supports strong authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware token devices provide an additional authentication key that must be entered in addition to the UserID and password.

You can select a strong authentication type in the Strong Authentication drop-down menu of the user’s profile.

CRYPTOCard

The CRYPTOCard option is supported by a local authentication server and requires no external system for authentication. When CRYPTOCard is selected, you will be prompted to program the card at that time using the token configuration wizard.

Note: Only manually programmable CryptoCard RB-1 tokens are supported.

SafeWord

SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no external system for authentication. When SafeWord is selected, you will be prompted to program the card at that time using the token configuration wizard.

Note: Only manually programmable SafeWord tokens are supported.

SecurID

To configure RSA SecurID, you must set up the system as a valid client on the ACE Server, and create an sdconf.rec (ACE Agent version 4.x) file and upload it to ePrism.

Note: Although newer ACE servers are supported, the sdconf.rec file must be for version 4.x of the ACE Agent. Versions greater than 4.x generate a different format of this file.

Select User Accounts ➝ SecurID on the menu to configure SecurID.

Click the Browse button to find and load a sdconf.rec file. Click Upload when finished.

After enabling SecurID via User Accounts ➝ SecurID, it must also be enabled for a network interface in the Basic Config ➝ Network screen.

Note: Ensure that ePrism’s domain name is listed in your DNS server. SecurID authentication may not work properly if a DNS record does not exist.

Remote Accounts and Directory Authentication

Directory authentication allows users to be authenticated without having a local ePrism account. When an unknown user logs in, ePrism will send the UserID and password to the specified LDAP or RADIUS server. If the user is authenticated, ePrism will log them in and provide access to the specified server or servers.

LDAP and RADIUS are widely used, and provide a convenient way of allowing access to internal mail servers or web mail servers such as Outlook Web Access. Users who login locally to an Exchange server based on an Active Directory identity can use the same identity to use Outlook Web Access with ePrism’s Secure WebMail service.

Note: If both LDAP and RADIUS services are defined, the system tries RADIUS first and falls back to LDAP only if the RADIUS authentication fails. The same UserID and password are then presented to the LDAP server, so a rejected attempt may count against the lockout threshold of both directories.

Configuring Directory Authentication

Select User Accounts ➝ Remote Auth from the menu to configure LDAP and RADIUS authentication.

If you want to use LDAP for authentication, click the New button in the LDAP Sources section to define a new LDAP source.

• Directory Server — Select a configured LDAP directory server for authentication.

• Search Base — Enter the starting base point for the search, such as cn=users,dc=example,dc=com.

• Scope — Enter the scope of the search: Subtree, One Level, or Base.

  Base: Searches the base object only.

  One Level: Searches objects beneath the base object, but excludes the base object.

  Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

• Query Filter — Enter a specific query filter to search for a user in your LDAP directory hierarchy. For Active Directory implementations, use (ObjectClass=user).

• Timeout — The maximum interval, in seconds, to wait for the search to complete.

• Account name attribute — Enter the account name result attribute that identifies a user's login or account name, such as sAMAccountName for Active Directory implementations.

Note: You will need to enter the appropriate Query Filter and Account name attribute for your particular LDAP infrastructure if you use another LDAP service such as OpenLDAP and iPlanet.
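The search that an LDAP authentication source built from these settings has to perform, as an added example in Python (written for this page, not ePrism's implementation). It combines the administrator's Query Filter, for example (ObjectClass=user), and Account name attribute, for example sAMAccountName, with the login the user typed, escaping that login per RFC 4515 so that input such as "*" or ")(objectClass=*" cannot widen the search to other accounts. The function names, the scope numbering and the bind_allowed() gate are this example's assumptions.

```python
"""Build the search an LDAP authentication source performs for a login.

Added example, not ePrism code. It combines the Query Filter and Account name
attribute from the settings above with the user-supplied login, escaped per
RFC 4515. Function names and the scope mapping are this example's assumptions.
"""
from typing import Dict, List

# Manual's scope names mapped to the wire values (RFC 4511 SearchRequest.scope).
SCOPES = {"Base": 0, "One Level": 1, "Subtree": 2}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value used inside a filter assertion."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(query_filter: str, name_attr: str, login: str) -> str:
    """Filter that selects only the object whose name attribute equals the login."""
    qf = query_filter.strip()
    if not (qf.startswith("(") and qf.endswith(")")):
        raise ValueError("Query Filter must be a parenthesised LDAP filter")
    # An attribute description is a bare name (hyphens allowed); nothing else belongs here.
    if not name_attr.replace("-", "").isalnum():
        raise ValueError(f"unexpected Account name attribute {name_attr!r}")
    if not login or len(login) > 256:
        raise ValueError("login is empty or unreasonably long")
    return f"(&{qf}({name_attr}={escape_filter_value(login)}))"


def search_request(search_base: str, scope: str, query_filter: str,
                   name_attr: str, login: str, timeout: int = 10) -> Dict[str, object]:
    """Parameters for the search step: find the DN, then bind as that DN with the password."""
    return {
        "base": search_base,
        "scope": SCOPES[scope],
        "filter": build_user_filter(query_filter, name_attr, login),
        "attributes": [name_attr],  # only the DN is needed; the name attribute is for logging
        "size_limit": 2,            # more than one match is ambiguous and must fail closed
        "time_limit": timeout,
    }


def bind_allowed(entries: List[str], password: str) -> bool:
    """Gate before the bind: exactly one match and a non-empty password.

    A bind with a DN and an empty password is an unauthenticated bind that
    many directories accept, which would let any known login in without a
    credential.
    """
    return len(entries) == 1 and bool(password)
```

The password is never placed in the filter: the directory is searched for the account's DN, and the credential is verified by binding as that DN. With another LDAP service, only the Query Filter (for example (objectClass=inetOrgPerson)) and the name attribute (for example uid) change.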

RADIUS Authentication

Click the New button in the RADIUS Servers section to configure a RADIUS server for authentication.

• Server — Enter the FQDN or IP address of the RADIUS server.

• Shared Secret — Enter the shared secret for the RADIUS server. A shared secret is a text string that acts as a password between a RADIUS server and client. Choose a secure shared secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters such as the "@" symbol. RADIUS uses this secret to hide the user's password in transit with an MD5-based XOR rather than a modern cipher, so anyone who can capture the traffic and guess the secret can recover user passwords; prefer a long random secret and have the RADIUS server accept requests from this appliance's address only. Note: When you add a RADIUS server, the administrator of the RADIUS server must also list this ePrism Email Security Appliance as a client using the same shared secret. All listed RADIUS servers must contain the same users and credentials.

• Timeout — Enter a timeout value to contact the RADIUS server.

• Retry — Enter the retry interval to contact the RADIUS server.
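What the shared secret actually protects, as an added example written for this page (standard-library Python, not ePrism or RADIUS server code). RFC 2865 section 5.2 hides the User-Password attribute by XORing each 16-byte block with MD5(secret + previous block), seeded with the 16-byte Request Authenticator that travels in the clear; the wordlist routine shows why a short secret is not enough. The sample password, secret and authenticator are constructed for the demo.

```python
"""How the RADIUS shared secret hides User-Password (RFC 2865 section 5.2).

Added example, not ePrism code. The demo password, secret and Request
Authenticator below are constructed values; a real client draws the
authenticator from a CSPRNG for every request.
"""
import hashlib
import secrets
import string


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password as the client sends it in an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode as the server does; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")


def recover_with_wordlist(hidden: bytes, authenticator: bytes, candidates):
    """Offline attack on a captured Access-Request: try secrets until the result is printable."""
    for cand in candidates:
        guess = unhide_password(hidden, cand, authenticator)
        if guess and all(0x20 <= b < 0x7F for b in guess):
            return cand, guess
    return None


def generate_shared_secret(length: int = 32) -> str:
    """A secret long enough that the wordlist attack above is hopeless."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed demo values; a real client uses secrets.token_bytes(16) for the authenticator.
DEMO_AUTHENTICATOR = bytes(range(16))
DEMO_SECRET = b"s3cr3t"  # deliberately weak: six lowercase/digit characters
DEMO_PASSWORD = b"hunter2"
```

Nothing in the exchange authenticates the Access-Request itself unless the server requires a Message-Authenticator attribute, so restricting the server's client list to the appliance's address is part of the control, not a nicety.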

The server "This ePrism Email Security Appliance" will only be made accessible for mirror users. See "Directory Users and Groups" on page 66 for more information on setting up mirrored accounts.

The other servers listed in the Accessible Servers option are configured via User Accounts ➝ Secure WebMail. See “Secure WebMail” on page 188 for more detailed information on configuring this feature.

Relocated Users

Use the Relocated Users screen to return information to the sender of a message on how to reach users that no longer have an account on the ePrism system. A full domain can also be specified if the address has changed for a large number of users.

Select User Accounts ➝ Relocated Users on the menu to configure the relocation information.

Click the Add button to add a new relocated user.

Enter a user or domain name in the User field, such as user, [email protected], or @example.com to specify an entire domain.

In the "User has moved to…" field, enter any appropriate contact information for the relocated user, such as their new e-mail address, street address, or phone number.

Vacation Notification

When a user will be out of the office, they can enable Vacation Notification which sends an automated e-mail reply to incoming messages. The reply message is fully configurable, allowing a user to personalize the vacation notification message.

Note: Vacation Notifications are processed after mail aliases and mappings. You must create notifications for a specific end user and not for an alias or mapping.

The process for configuring Vacation Notification includes the following steps:

1. The administrator enables Vacation Notification globally.

2. Individual settings can be configured as follows:

— The administrator configures Vacation Notification for the user via User Accounts.

— The user configures their own Vacation Notification via ePrism Mail Client/WebMail.

Select User Accounts ➝ Vacations from the menu to enable Vacation Notification globally.

• Enable Vacation Notification — Enable or disable the service globally for all users.

• Domain Part of Email Address — Enter the domain name to be appended to local user names. This value will be used for all local users.

• Interval Before Re-sending — The number of days after a previous notification was sent to send another reply if a new e-mail arrives from the original sender.

Default Vacation Notification Profile

Enter the subject and contents for the default notification message. Users will be able to change the subject and message from their own user profile.

Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary notifications for non-local users.

Click on an e-mail address to edit the user’s vacation notification settings.

From this screen, an administrator can configure the notification settings, including the address that incoming mail will receive a vacation response from.

User Vacation Notification Profile

An administrator can configure vacation notifications for individual users via their user profile in the User Accounts menu. Users can configure their own Vacation Notification settings in their profile via ePrism Mail Client.

To configure Vacation Notification:

1. Login to ePrism Mail Client and select User Profile on the menu.

2. Set the Vacation Start Date by selecting the required date on the left calendar.

3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out automatically during this time.

4. Modify the default subject and contents of the response message.

5. Click Save User Profile.

Note: Vacation notifications are not sent to e-mails marked as "bulk" such as mailing lists and system generated messages. Notifications are also not sent to messages identified as spam.
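The decision an autoresponder has to make for each incoming message, as an added example in Python written for this page (not ePrism's implementation). It applies the rules this section states: reply only between the start and return dates, never to bulk or system-generated mail, never to mail identified as spam, and no more than once per sender per re-send interval. The headers used to recognise bulk mail (Precedence, Auto-Submitted, List-Id, a null Return-Path) and the X-Spam-Flag marker are common conventions rather than ePrism's own, the class and function names are assumptions, and the sample messages are constructed.

```python
"""Decision logic for a vacation auto-reply.

Added example, not ePrism code. Header conventions used to detect bulk and
spam mail are common practice, not ePrism's; sample messages are constructed.
"""
from datetime import date, datetime, timedelta
from email import message_from_string
from email.utils import parseaddr
from typing import Callable, Dict, Optional, Tuple

BULK_PRECEDENCE = {"bulk", "list", "junk"}


def is_bulk_or_automatic(msg) -> bool:
    """Lists, bounces and auto-generated mail never get an auto-reply (mail-loop risk)."""
    precedence = (msg.get("Precedence") or "").strip().lower()
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    return_path = msg.get("Return-Path")
    return (precedence in BULK_PRECEDENCE
            or auto != "no"
            or msg.get("List-Id") is not None
            or (return_path is not None and return_path.strip() == "<>"))


def is_flagged_spam(msg) -> bool:
    """Assumes the upstream filter marks spam with X-Spam-Flag: YES."""
    return (msg.get("X-Spam-Flag") or "").strip().upper() == "YES"


class VacationResponder:
    def __init__(self, start: date, end: date, interval_days: int,
                 clock: Optional[Callable[[], datetime]] = None):
        self.start, self.end = start, end
        self.interval = timedelta(days=interval_days)
        self.last_sent: Dict[str, datetime] = {}  # sender -> when we last replied
        self.clock = clock or datetime.now

    def should_reply(self, raw_message: str) -> Tuple[bool, str]:
        """Return (send?, reason); records the sender when a reply is due."""
        now = self.clock()
        if not (self.start <= now.date() <= self.end):
            return False, "outside vacation window"
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return False, "no usable sender address"
        if is_bulk_or_automatic(msg):
            return False, "bulk or automatically generated"
        if is_flagged_spam(msg):
            return False, "identified as spam"
        last = self.last_sent.get(sender)
        if last is not None and now - last < self.interval:
            return False, "sender already notified within interval"
        self.last_sent[sender] = now
        return True, "send notification"


# Constructed sample messages.
PERSONAL = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: lunch?\n\nFree on Friday?\n"
LISTMAIL = ("From: Changes <noreply@lists.example.net>\nList-Id: <changes.lists.example.net>\n"
            "Precedence: list\nSubject: [changes] nightly build\n\n...\n")
SPAMMED = "From: offers@example.org\nX-Spam-Flag: YES\nSubject: act now\n\n...\n"
```

The per-sender interval is also what keeps a vacation reply from being used as a backscatter amplifier: a spammer who forges a victim's address as the sender gets at most one reply per interval, and none at all once the message is tagged as spam.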

Tiered Administration

Tiered Administration allows an administrator to assign additional administrative access permissions on a per-user basis. For example, the administrator can designate another user as an alternate administrator by selecting the Full Admin option in their user profile.

To enable administrator permissions, select a user profile from the User Accounts ➝ Local Accounts menu. Enable each administrative option as required for that user by selecting the corresponding check box.

Note: WebMail/ePrism Mail Client access must be enabled on the network interface that will be used by tiered administration users. This is set in the Basic Config ➝ Network screen.

To distribute administrative functions, the administrator can configure more selective permissions to authorize a user only for certain tasks such as administering users and reports, configuring anti-spam filter patterns, or viewing the e-mail database.

• Full Admin — The user has administrative privileges equivalent to the admin user.

• Administer Aliases — The user can add, edit, remove, upload and download aliases (not including LDAP aliases).

• Administer Filter Patterns — The user can add, edit, remove, upload and download Pattern Based Message Filters and Specific Access Patterns.

• Administer Mail Queue — The user can administer mail queues.

• Administer Quarantine — The user can view, delete, and send quarantined files.

• Administer Reports — The user can view, configure and generate reports, and view system activity.

• Administer Users — The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.

• Administer Vacations — The user can edit local user’s vacation notification settings and other global vacation parameters.

• Mail History — The user can view the e-mail history database.

• View Activity — The user can view the Activity page and start and stop mail services. Individual e-mails can only be viewed if View Email Database is also enabled.

• View System Logs — The user can view all logs.

Granting full or partial admin access to named user accounts, rather than sharing the built-in admin credentials, keeps administrative actions attributable: each administrator acts under an identifiable UserID that the system logs and that can be tracked.

Note: A user with Full Admin privileges cannot modify the profile of the Admin user. They can, however, edit other users with Full Admin privileges.

Logging In With Tiered Admin Privileges

When tiered administrative privileges have been assigned to a user, they can access them via the ePrism Mail Client interface by logging in locally to ePrism.

Select the type of feature you want to administer via the top-left drop down menu.

CHAPTER 9 Secure WebMail and ePrism Mail Client

This chapter describes how to set up Secure WebMail and the ePrism Mail Client on your ePrism Email Security Appliance, and contains the following topics:

• "Secure WebMail" on page 188

• "ePrism Mail Client" on page 192

Secure WebMail

The Secure WebMail feature provides a highly secure mechanism for accessing webmail services such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers. Webmail services provide an attractive, easy to use remote interface for users to access their mail server mailboxes remotely via a web browser.

As these webmail services are accessible from the Internet, they present a number of security challenges. The Secure WebMail feature is designed to support the use of webmail services while protecting Webmail servers from Internet attacks. The connection is managed using a full application proxy. ePrism completely recreates all HTTP/HTTPS requests made by the external client to the internal webmail server.

Configuring Secure WebMail and ePrism Mail Client

Select Basic Config ➝ Network, and then select the ePrism Mail Client check box to enable access on a network interface.

Select User Accounts ➝ Secure WebMail to configure Secure WebMail and ePrism Mail Client options.

Access Types

The following options enable controls in the WebMail interface for features such as the Spam Quarantine, Trusted Senders, and administrative access.

• Administrative Access — Enables access to administrative functions if the user has administrative privileges, such as via Tiered Administration.

• Local Mail — Enables access to IMAP servers on the local network.

• Proxy Mail — Enables proxy mail access to other IMAP servers.

• Personal Quarantine Controls — Enables the Spam Quarantine controls. The Spam Quarantine must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Spam Quarantine.

• Trusted Senders — Enables the Trusted Senders List controls. Trusted Senders must be enabled globally via Mail Delivery ➝ Anti-Spam ➝ Trusted Senders.

For organizations that only want to use local mailboxes for the Spam Quarantine controls or Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while enabling Personal Quarantine Controls and Trusted Senders. This displays only those functions to the end user when they log into the ePrism Mail Client/WebMail account. Personal Quarantine and Trusted Senders can be disabled if you are only using the Spam Quarantine summary e-mail for these features and users do not need to login locally.

Caution: At least one of these options must be enabled to allow WebMail access on a specified interface in Basic Config ➝ Network. If all of these access options are disabled, the WebMail access option on an interface will be disabled.

Servers

Webmail servers must be running one of the following: IMAP, Outlook Web Access (OWA), or Lotus iNotes.

• Cached server passwords — This option, when enabled, will keep a copy of the user’s password until they explicitly log out. If a user switches servers, they will not need to re-enter their password.

• Share cookies between servers — Enable this option to ensure that when a user moves from server to server or is redirected to another server, the user’s session cookies are also passed along.

• Upload Maximum File Size — Enter the maximum file size allowed in megabytes.

Click the Add Server button to add an internal server to be accessed.

• Address — Enter the IP address, hostname, or URL of the server. Add users to this server by selecting the corresponding check box for that user.

• Label — Enter an optional label to describe this server.

• Users who may access this server — Select the users who will be able to access this server.

• Automatic Server Login — Select this option to try the user's WebMail ID/login first before prompting for an ID and password. Leave this option disabled to force a login prompt for each new server. This option enables single login capabilities, allowing users to log in to ePrism and their WebMail server with only one login. Note: Disable this option if the server locks the account after a few failed attempts (for example, three), because an automatic attempt with credentials the server does not accept counts as a failed login.

• Use Most Recent — Select this option to try the most recently used credentials first when changing servers. Note: This option only applies to users with more than one accessible WebMail server.

• Force Compatibility — Select this option to ensure support for Outlook Web Access 2000 and limited support for OWA 2003.

• Make Invisible — Use this option to make the server invisible to users in the Secure WebMail server drop-down list.

• Keep Alive — Specify the frequency to send keep-alive messages to the WebMail server to keep the client connection alive.

ePrism Mail Client

ePrism Mail Client is the native webmail client for the ePrism Email Security Appliance. Using ePrism Mail Client, you can access local mailboxes, IMAP Servers, administrative access, the Spam Quarantine, and the Trusted Senders List.

From a web browser, enter the hostname or IP address of the ePrism system running ePrism Mail Client. Login with your local user ID and password. (The login can also be authenticated using LDAP or RADIUS.)

When successfully logged in, the ePrism Mail Client interface will be displayed.

Configuring ePrism Mail Client Options

In the User Accounts ➝ Secure Webmail screen, you can configure popup options, the sent mailbox folder, and other ePrism Mail Client features in the ePrism Mail Client Options section.

Note: To see popup windows, your web browser must have popups enabled.

• New Mail Popup — Enable a popup window for new mail notifications.


• Minimize Popups — Minimize the use of new popup browser windows by using the main frame.

• Enable Inline HTML-mail Viewing — Enables the viewing of HTML mail. For security reasons, any scripts and fetches for external objects are filtered out.

• Save Sent Mail — Enables saving of sent mail in the user’s mailbox.

• Sent Mail-box — The name of the sent mail folder if enabled.

• Editable From — Enables a user to edit the From: field when composing mail.

CHAPTER 10 Policy Management

This chapter describes how to use and configure Policy controls for users, groups, and domains, and contains the following topics:

• “Policy Overview” on page 196

• “Creating Policies” on page 199

• “Domain Policies” on page 201

• “Group Policies” on page 203

• “User Policies” on page 208

• “Managing Policies” on page 210

• “Policy Diagnostics” on page 211

Policy Overview

ePrism’s Policy controls allow specific mail security features to be customized and applied to different e-mail domains, user groups, or individual users.

The features that can be used with Policy controls include the following:

• Anti-Virus

• Attachment Control and Scanning

• Annotations

• Objectionable Content Filter

• Attachment Content Scanning

• Intercept Anti-Spam

Policy controls enable granular settings to be applied for each specific domain, group, or user. For example, Intercept Anti-Spam settings can be enabled for specific domains, while turned off for other domains. Each Anti-Spam action can be customized to configure one domain to reject spam messages, while another domain can be configured to modify the subject header of a spam message. Spam thresholds and Intercept component weights can also be customized for different domains, groups, and user addresses.

Anti-Virus and Attachment Control actions for inbound and outbound mail can also be specifically defined for the requirements of each domain, group, or user. For example, you can enable inbound and outbound Anti-Virus and Attachment Control checks for some domains, while only checking inbound mail for other domains.

Policy Hierarchy

There are four types of policies that can apply to a user: the Domain Policy, Group Policy, User Policy, and Default Policy. Recipients can belong to multiple policies, for example, the recipient [email protected] may have a user-based policy for [email protected], and a policy based on the domain example.com.

The final policy for the recipient will be the merging of any existing policies for that user, with conflicting settings resolved in the following order of precedence:

1. User policy ([email protected])

2. Group policy (Sales)

3. Domain policy (example.com)

4. Default policy

For example:

If User, Domain, and Default policies are defined and enabled, and the Anti-Virus feature is defined and enabled in only the Domain policy but undefined in the other policies, Anti-Virus will be enabled. To override this Domain policy for a user, you would have to define the Anti-Virus feature as disabled in the User Policy.

Multiple Group Policies

In cases where a user belongs to multiple groups, the group order takes precedence. In the Group Policy configuration screen, administrators can order the list of groups into an order of priority.

For example:

• A user belongs to Group1 and Group2

• Group 1 Policy is set to a higher priority than Group 2 Policy

• Group 1 Policy has Token Analysis enabled and defined

• Group 2 Policy has Token Analysis disabled and defined

The final result is that the user’s e-mail will be scanned by Token Analysis.

Note: Group policies are not merged as user and domain policies are. If a user belongs to more than one group, only the first group policy in the specified group ordering is applied.

PBMF Priority

When using PBMFs with policies, there may be situations with conflicting priorities for global PBMFs and policy PBMFs. When processing PBMFs, ePrism makes the following decisions:

1. The Priority of all actions is taken into consideration. If there is only one "High" priority action, that filter will be used.

2. For PBMFs with the same Priority, policies are resolved in the following order:

• User Policy

• Group Policy

• Domain Policy

• Default Policy/Global

3. For the same Priority and same Policy, actions are resolved in the following order:

• Bypass

• Reject

• Discard

• Quarantine

• Certainly Spam

• Redirect

• Trust

• Relay

• Accept

• Just Log

When creating Pattern Based Message Filters (PBMFs) in policies, certain message parts such as Envelope-to and Envelope-from, Client IP, and Host, are not available. These PBMFs can cause actions to trigger before the recipients are known, such as on a connecting client IP address, and therefore are not available for use in Policies.

Note: BCC and Do Not Train actions will not prevent lower priority actions from being triggered. For example, a BCC action at "High" priority in the global PBMF list and an Accept action at "Medium" priority in a policy will result in an Accept and the BCC option.
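The three-step PBMF resolution above, written out as an added example (not ePrism's own code). It assumes a "Low" priority level below "Medium", and that "Default" and "Global" rank the same; BCC and Do Not Train are returned alongside the winning action rather than competing with it, as the note describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Priority levels: "High" and "Medium" appear in the guide; "Low" is an assumption.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
# Policy order used to break ties between filters of equal priority.
POLICY_RANK = {"User": 0, "Group": 1, "Domain": 2, "Default": 3, "Global": 3}
# Action order used when priority and policy are both equal.
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "Redirect", "Trust", "Relay", "Accept", "Just Log"]
# These never prevent a lower-priority action from triggering; they are added to it.
NON_BLOCKING = {"BCC", "Do Not Train"}


@dataclass(frozen=True)
class PbmfMatch:
    """A Pattern Based Message Filter whose pattern matched the message."""
    name: str
    priority: str   # High / Medium / Low
    policy: str     # User / Group / Domain / Default / Global
    action: str


def resolve_pbmf(matches: List[PbmfMatch]) -> Tuple[Optional[PbmfMatch], List[PbmfMatch]]:
    """Return (winning disposition, non-blocking extras to apply as well)."""
    extras = [m for m in matches if m.action in NON_BLOCKING]
    blocking = [m for m in matches if m.action not in NON_BLOCKING]
    for m in blocking:
        if m.action not in ACTION_ORDER:
            raise ValueError(f"unknown action {m.action!r} in filter {m.name!r}")
    if not blocking:
        return None, extras
    # Lowest rank tuple wins: priority first, then policy level, then action order.
    winner = min(blocking, key=lambda m: (PRIORITY_RANK[m.priority],
                                          POLICY_RANK[m.policy],
                                          ACTION_ORDER.index(m.action)))
    return winner, extras
```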


Creating Policies

The following sections describe how to enable and define policies. The general steps are as follows:

1. Define Global ePrism settings

2. Define the Default Policy

3. Add and Define New Domain, Group, and User Policies

Define Global Settings

Before creating specific domain and user policies, it is recommended that administrators first define the global ePrism settings for Anti-Virus, Attachment Control, Anti-Spam features, and so on; the more granular policies are then based on these global settings.

These settings will be inherited by the Default policy which is the policy used by all users that do not belong to a specific policy.

Note: If you disable a feature globally, it cannot be enabled by a policy. The feature will be completely disabled, regardless of how a policy is configured.

Define Default Policy

The predefined Default policy will be the policy used by all users if they do not specifically belong to another policy.

Note: The Default policy cannot be deleted. The policy name "Default" is a reserved word specifically to be used as the Default policy for users that are not defined to a specific policy.

Select Mail Delivery ➝ Policy ➝ Policy Definition to configure the Default and other customized policies.

Select the Default Policy to customize its settings.


To modify any aspect of the Default policy, select the Define check box beside the specific policy item, and then modify the item as required.

For example, if the global Anti-Virus settings are set to "Quarantine" outbound viruses globally, but you want to use "Reject Mail" instead for the Default policy, select "Reject Mail" in the Outbound Viruses action and select the corresponding Define check box.

Alternately, for example, if Anti-Virus is enabled globally but you want to disable it for a specific policy, ensure the Kaspersky Anti-Virus scanning check box is cleared, and select the corresponding Define check box.

Note: To modify any policy feature, the Define check box must also be selected. This is done by default when enabling a feature.

When the Default Policy has been customized, you can now define policies for Domains, Users, and Groups.

Domain Policies

When global settings and the Default Policy settings have been defined, more granular policy settings can be configured by creating policies for specific domains, groups, and users.

Domain policies can be created to enable different policies for different domains in an organization. For example, administrators might require that different domains need separate annotations (such as a legal disclaimer) appended to their messages.

Create a policy definition for this domain as follows:

1. Select Mail Delivery ➝ Policy ➝ Policy Definition to configure customized policies.

2. Click the Add Policy button.

3. Enter a descriptive name for this domain policy, such as example.com.

4. Select the Enable check box to enable this policy.

5. Go to the Annotations section of the policy.

6. Select the Enable check box and the Define check box to enable annotations for this domain policy.

7. Select the Define check box for the Annotation "Edit" field, and then click Edit to customize the annotation for this domain.

8. Customize the annotation and click Apply, and then click Return to Policy.

9. Click Apply to save the example.com domain policy.

10. Select Mail Delivery ➝ Policy ➝ Domain Policy to add the example.com domain.

11. Select the example.com policy in the Policy drop-down list.

12. Enter the domain that this policy will apply to, such as:

example.com

Use a leading "." to indicate subdomains of the specified domain, such as: .example.com

This will match a.example.com, b.example.com, c.d.example.com, but not example.com.

13. Click Add to add the domain to the Domain Policy list.

Uploading and Downloading Domain Policy Lists

A list of domains and corresponding policies can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[Domain],[policy name]

For example:

example.com,Domain1

The file (domain_policy.csv) should be created in csv file format using Excel, Notepad or another Windows text editor. It is recommended that you download the domain file first by clicking Download File, editing it as required, and uploading it using the Upload File button.
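An added example (not ePrism's own code) that parses a comma- or tab-separated [Domain],[policy name] upload and applies the leading-"." subdomain rule described above; the same parser serves the group and user list uploads, which use the same two-column form. It assumes an exact entry beats a dotted one and that the longest matching dotted suffix wins; the sample file is constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample of a domain_policy.csv upload (not from the product):
# comma or tab separated [Domain],[policy name] entries.
SAMPLE_DOMAIN_POLICY_CSV = (
    "example.com,Domain1\n"
    ".example.com\tSubdomains\n"
    "partner.example.org,Partner\n"
)


def parse_policy_list(text: str) -> Dict[str, str]:
    """Parse a [key],[policy name] upload. Entries may be comma or tab
    separated; blank lines are ignored and keys are lower-cased."""
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in re.split(r"[,\t]", line, maxsplit=1)]
        if len(parts) != 2 or not parts[0] or not parts[1]:
            raise ValueError(f"line {lineno}: expected [key],[policy name], got {raw!r}")
        mapping[parts[0].lower()] = parts[1]
    return mapping


def match_domain_policy(recipient: str, domains: Dict[str, str]) -> Optional[str]:
    """Resolve the Domain Policy for a recipient address.

    "example.com" matches that domain only; ".example.com" matches any
    subdomain (a.example.com, c.d.example.com) but not example.com itself.
    Assumption: an exact entry beats a dotted one, and among dotted entries
    the longest (most specific) suffix wins.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in domains:
        return domains[domain]
    labels = domain.split(".")
    # c.d.example.com -> try .d.example.com, .example.com, .com in that order
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domains:
            return domains[suffix]
    return None
```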

Group Policies

Policies can be customized for users who belong to a specific group. For example, a Sales group might have different attachment content scanning policies than users in the Development group. Group policies are also useful for providing different annotations or anti-spam features for each user group.

Group membership information must be imported from an LDAP directory. Click the LDAP Import button which will take you to the Directory Users and Groups screen where LDAP users and group names can be imported. A Directory Server must be set up before you can import users and groups.

See “Directory Users and Groups” on page 66 for more detailed information on setting up directory services for group imports.

When you have set up your Directory Users and groups configuration, click Apply.


Click the Import Now button to import users and their corresponding group memberships from an LDAP directory. When the import is completed, the group list will appear in your Group Policy screen. Scheduled imports can be set up by clicking the Import Settings button.

Any imported groups will now be displayed in the Assigned Group Policies screen.

New imported groups will display "New" as their policy category, indicating that the group has just been imported and currently has no policy. This allows administrators to quickly see new groups that have been imported by configuring the Select View field to "New".

These new groups can then either be assigned the "Default" policy, an existing configured policy, or be set as "Unassigned". Groups configured as "New" or "Unassigned" do not have an active policy.

Note: A reimport of groups will change all previously "New" groups to "Unassigned".


Rescan User List

Click the Rescan User List button to rescan the list of groups since the last import to ensure they appear in this screen for Group Policy purposes.

Re-Ordering Groups

Group policies are applied in the order listed if the user belongs to more than one group. For example, in the case of annotations, the annotation for a user belonging to multiple groups will be their first group listed in the group order.

Groups can be reordered for priority by clicking the Re-Order Groups button.

A list of "Assigned" groups (groups assigned to a policy) will be displayed. Select a group to be moved, and then click the Up or Down buttons to move the group up and down the list order. Groups can be moved immediately to the top or bottom of the list using the Top and Bottom buttons.

When finished the re-ordering of groups, click the Apply button.


Assigning Group Policies

Policies can now be assigned to each group by selecting a specific policy from the drop-down box. In this example, we have created a Group1 policy that we will apply to specific groups.

In this example, the Canada, India, and Japan groups have been configured to use the Group1 policy. When you are finished setting the policies for the required groups, ensure the groups that have been modified are selected, and then click the Apply link.

Uploading Group Policy Lists

A list of groups and corresponding policies can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[group],[policy name]

For example:

sales,salesgroup

The file (group_policy.csv) should be created in csv file format using Excel, Notepad or another Windows text editor. It is recommended that you download the group file first by clicking Download File, editing it as required, and uploading it using the Upload File button.


Orphaned Groups

Orphaned LDAP groups are groups that have been deleted from the LDAP directory but still exist in ePrism’s local group list. Any policies configured for these orphaned groups will not be processed.

Click the Delete Orphans button to remove these groups from ePrism’s group policy screen.


User Policies

Policies can be customized for individual user addresses. A User policy takes precedence over Domain and Group policies and is useful for creating individual exceptions to them.

In the following example, a user policy will be created with customized anti-virus settings.

Configure a user policy as follows:

1. Select Mail Delivery ➝ Policy ➝ Policy Definition.

2. Click the Add Policy button.

3. Enter a descriptive name for this policy, such as User Policy.

4. Select the Enable check box to enable this policy.

5. Go to the Anti-Virus section of the policy.

6. Select Kaspersky Virus Scanning and ensure the Define check box is checked.

7. Customize the actions and notifications for inbound and outbound virus scanning.

8. When finished, click Apply to save this policy.

9. Select Mail Delivery ➝ Policy ➝ User Policy to add a user address.

10. Select the User Policy created in the previous steps in the Policy drop-down list.

11. Enter the user address, such as [email protected] in the Email field.

12. Click Add to add the user address to the User Policy list.

Uploading and Downloading User Address Lists

A list of users can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[email],[policy name]

For example:

[email protected],User Policy

The file (email_policy.csv) should be created in csv file format using Excel, Notepad or another Windows text editor. It is recommended that you download the user file first by clicking Download File, editing it as required, and uploading it using the Upload File button.


Managing Policies

When several domain, group, and user policies have been created and customized, they can be managed from the Mail Delivery ➝ Policy ➝ Policy Definition screen.

The Enabled field indicates if a policy is on and active or turned off.

Each individual policy can be edited by clicking on its corresponding name.

To delete policies, select the corresponding check box of the policies you want to delete, then click the Remove button.

Enable Verbose Logging

The Enable Verbose Logging feature enables additional logging information in the Mail Transport log file for policies. Click the Enable Verbose Logging button to enable this feature.

The mail log can be viewed via Status/Logs ➝ System Logs ➝ Mail Transport.

The message displayed will contain information similar to the following:

policy_recipient=<[email protected]>,policy_user=<[email protected]> (remote=F), domain_policy=<2:Antispam enabled>, group_policy=<0:>, group_name=<>, user_policy=<4:OCF enabled> default_policy=<1:Default>

Policy Diagnostics

The Policy Diagnostics screen allows administrators to test their policy structure to ensure that the final result for a specific user is the desired result. There are several policies that can apply to a single user, including domain policies, user policies, group policies, and the default policy.

By entering the user’s e-mail address in the diagnostic screen, the final result of each policy feature will be displayed, including information on which policies were overridden by another policy with higher priority.

Select Mail Delivery ➝ Policy ➝ Policy Diagnostic on the menu to configure and run policy diagnostics.

• Sender — Enter a sender address for this test if you are testing an outbound message. This field can be left blank to indicate any sender for inbound mail.

• Recipient — Enter the test recipient for the policy. The final result displayed during the diagnostics will be the final policy result for this specific user.

• Direction — Select a direction for the message to determine policy results when the message is inbound or outbound.

• Trusted — Select whether the message is considered to be from a trusted or untrusted source.

Click Lookup to start the policy diagnostics.


The Policy Diagnostic summary screen provides the administrator with a detailed analysis of how the various active policies combine to determine the final disposition of mail messages. The Policy Diagnostics table displays the ePrism features that can be configured on a per-policy basis.

Each column displays the contributions to the disposition of the message by each policy (User, Group, Domain, and Default).

For each feature, an "X" indicates the defined policy was used to determine the final result. Any policies that were overridden by the applied policy are indicated by an "_". An empty column indicates that a matching policy was not found by the policy resolution engine.

At the end of each feature row, the final result of the policy is indicated such as "Disabled" for Kaspersky Anti-Virus.

Note: As policies are initialized with reasonable defaults and those values may match the overall default setting, it can appear that a particular policy has been overridden when in fact there is no apparent configuration responsible for this. For example, the default setting for attachment scanning is 'disabled'. If a user policy is defined, but attachment scanning is not part of that definition and nothing else overrides the default then it will appear that the contribution has come from the user policy.
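An added example (not ePrism's own code) of the policy resolution described under "Policy Hierarchy" and "Multiple Group Policies", producing the "X" / "_" / empty columns of the Policy Diagnostics table. It assumes a simple model: each feature is a boolean, a feature absent from a policy has its Define box cleared, the first definition in User > Group > Domain > Default order wins, only the first of the user's groups in the configured order is consulted, a feature defined nowhere is off, and a globally disabled feature stays off; domain policies are matched on the exact domain only, and the sample configuration is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = ("User", "Group", "Domain", "Default")   # order of precedence, highest first


@dataclass
class Policy:
    """One Policy Definition. A feature missing from `settings` has its Define
    check box cleared, so the policy says nothing about that feature."""
    name: str
    enabled: bool = True
    settings: Dict[str, bool] = field(default_factory=dict)   # feature -> enabled?


@dataclass
class PolicyConfig:
    global_enabled: Dict[str, bool]        # global on/off switch per feature
    default: Policy                        # the reserved "Default" policy
    user_policies: Dict[str, Policy]       # e-mail address -> policy
    group_policies: Dict[str, Policy]      # LDAP group -> assigned policy
    group_order: List[str]                 # Re-Order Groups priority, first wins
    domain_policies: Dict[str, Policy]     # exact domain -> policy (assumption)


def select_policies(cfg: PolicyConfig, address: str, groups: List[str]) -> Dict[str, Optional[Policy]]:
    """Pick at most one policy per level. Group policies are not merged: only
    the first of the user's groups in the configured order contributes."""
    domain = address.rsplit("@", 1)[-1].lower()
    group_policy = next((cfg.group_policies[g] for g in cfg.group_order
                         if g in groups and g in cfg.group_policies), None)
    return {"User": cfg.user_policies.get(address.lower()),
            "Group": group_policy,
            "Domain": cfg.domain_policies.get(domain),
            "Default": cfg.default}


def diagnose(cfg: PolicyConfig, address: str, groups: List[str],
             features: List[str]) -> Dict[str, Tuple[Dict[str, str], bool]]:
    """Policy Diagnostics: per feature, 'X' marks the policy whose definition
    was used, '_' a defined policy that was overridden, '' no matching policy
    or no definition. Returns {feature: (columns, final_enabled)}."""
    chosen = select_policies(cfg, address, groups)
    result = {}
    for feat in features:
        cols: Dict[str, str] = {}
        final: Optional[bool] = None
        for level in LEVELS:
            pol = chosen[level]
            if pol is None or not pol.enabled or feat not in pol.settings:
                cols[level] = ""
                continue
            if final is None:
                final, cols[level] = pol.settings[feat], "X"
            else:
                cols[level] = "_"
        if final is None:
            final = False          # assumption: defined nowhere means off
        if not cfg.global_enabled.get(feat, True):
            final = False          # globally disabled: no policy can enable it
        result[feat] = (cols, final)
    return result


def sample_config() -> PolicyConfig:
    """Constructed configuration mirroring the guide's examples (not real data)."""
    return PolicyConfig(
        global_enabled={"Anti-Virus": True, "Token Analysis": True,
                        "Attachment Control": False},              # globally off
        default=Policy("Default", settings={"Anti-Virus": True, "Token Analysis": False,
                                            "Attachment Control": True}),
        user_policies={"alice@example.com": Policy("User Policy",
                                                   settings={"Anti-Virus": False})},
        group_policies={"Group1": Policy("Group1 Policy", settings={"Token Analysis": True}),
                        "Group2": Policy("Group2 Policy", settings={"Token Analysis": False})},
        group_order=["Group1", "Group2"],
        domain_policies={"example.com": Policy("example.com",
                                               settings={"Anti-Virus": True,
                                                         "Attachment Control": True})},
    )
```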


CHAPTER 11 Threat Prevention

This chapter describes how to configure ePrism’s Threat Prevention features to detect and automatically respond to security threats, and contains the following topics:

• “Threat Prevention Overview” on page 214

• “Configuring Threat Prevention” on page 215

• “Static Address Lists” on page 217

• “Dynamic Address Lists” on page 219

• “F5 Blocking” on page 222

• “Cisco Blocking” on page 226

• “Threat Prevention Status” on page 229

Threat Prevention Overview

ePrism provides a threat prevention feature to detect and mitigate incoming threats. By default, ePrism can recognize the following threats:

• Directory harvesting

• Denial of Service attacks

• Connections from blacklisted addresses

• Connections originating from addresses that send spam

• Connections originating from addresses that send viruses

Historical information about connecting IP addresses and how they behave is retained, so that a configurable set of actions (including accept and reject) can be determined at connection time from current and historical data.

This information can also be pushed to a perimeter F5 BIG-IP or Cisco device that can be configured to rate limit, throttle or block a given IP address for a period of time before it reaches ePrism.

How Threat Prevention Works

The Threat Prevention feature performs the following tasks.

• Determines the threat level of connecting IP addresses and retains historical statistics about that address

• Acts on the connection’s IP address based on its connection history

The Threat Prevention feature is contacted at several stages of mail delivery for a specific client IP address:

1. At connection request time, the history for the IP address is provided to the rules script that determines if the connection should be allowed/rejected, and how to further classify the address into a specific data group.

2. After early mail scanning, the number of known and unknown recipients and DNSBL results are added to the history of the connecting address.

3. After full mail scanning, the results of Anti-Virus, Anti-Spam, and Malformed message scanning are recorded in the history of the address.

4. Prior to connection, an F5 or Cisco device (if configured) may block an IP address before it reaches ePrism, provided ePrism is configured to push threat prevention information to the device.

Configuring Threat Prevention

A Connection Rules script is run each time a client tries to connect to ePrism. This configurable script determines whether to accept or reject a connection based on its threat prevention history.

This script performs an evaluation of the connection and drives the reject/accept decision for the threat prevention feature. The script is also responsible for moving IP addresses into appropriate data groups.

Select Mail Delivery ➝ Threat Prevention on the menu to configure ePrism’s threat prevention features.

ePrism Email Security Appliance implements connection rule checking by using a scripting language to drive the decision making process. The script can reject or accept mail given various statistics available at the time of client connection. The listed default rules are processed in order.

• Description — A description for the rule.

• Condition — Condition statement to execute.

• List — Defines which list to insert the IP address into.

• Action — Action to take if the condition is "True", such as Accept or Reject.

• Reject Code — Reply code to send to the connecting client. For Reject, this is 450 (temporary) or 550 (permanent). For Accept, the reply code is set to 220.

• Move — Select the arrows to modify the ordering of the connection rules.

Click Add Rule to add a new connection rule.

These rules are fully configurable. When the rules are saved, the system checks the generated script for syntax and execution errors. When you are finished with your changes, click the Apply button; the results of the script test are shown, including any syntax errors.

Click the Advanced button to see the entire connection rules script based on the configured rules.

Resetting to Factory Defaults

Press the Reset to Defaults button to replace all existing rules with the factory default set of rules.

Static Address Lists

Static IP/CIDR address lists are used to define specific groups of IP addresses that affect Threat Prevention processing. When a client connects, the connection rules script will look up the client’s IP address in the existing Static Address Lists and perform any defined actions for that list. This allows you to whitelist, blacklist, or provide additional classification for a specific IP address or subnet.

For example, if the address is listed in the blacklist, the connection rules script will reject the message. Addresses in the peers or mynetworks list will be exempted from some of the checks because they are known sources or internal networks of your organization.

It is critical that administrators add any non-routable networks used locally to the internal address list and ensure any networks under an organization’s control or friendly networks are listed in the mynetworks and peers list respectively. This prevents any local addresses from being affected by Threat Prevention processing.

Select Mail Delivery ➝ Threat Prevention ➝ Static Lists to define your static address lists.

Several default lists are available as follows:

• blacklist — List of any IP addresses or networks from which you will never want to receive e-mail.

• internal — List of internal non-routable IP addresses from which you will always accept mail, such as the 192.168.0.0 network.

• mynetworks — A list of networks and subnets that are under your organization’s control from which you will always accept mail.

• peers — A list of special sites such as peer ISP networks from which you will always accept mail.


Click the Add button to add a new IP list.

Enter a name and description for this address list, and then enter one of the following address types:

• Single IP address, such as 192.168.1.25

• Subnet in CIDR format (such as 192.168.0.1/24)

• Class A, B, or C subnet with trailing octets removed (such as 192.168)

Enter a comment that can be used to further describe the addresses in this list.

When finished, click the Add button to add the new list.

Uploading and Downloading Addresses

A list of addresses can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[address],[description]

For example:

192.168.0.0/16,non-routable

The file (ipcidr.csv) should be created in csv file format using Excel, Notepad or another Windows text editor. It is recommended that you download the address file first by clicking Download File, editing it as required, and uploading it using the Upload File button.

Dynamic Address Lists

The Threat Prevention feature can place IP addresses into Dynamic Address lists for a specified period of time and set the response to connection requests for clients falling into these groups. These dynamic lists can be configured to provide a specific action (such as 450 temporary reject or 550 permanent reject) and a time period to execute that action.

Dynamic lists differ from Static lists because their contents are always changing based on the latest threat prevention data. Static lists are used by the administrator to define whitelists and blacklists based on addresses specific to their organization. Dynamic lists build their data from the history of connecting addresses and assign specific rules and actions to these addresses based on that history.

IP addresses are added to these lists by the Threat Prevention connection rules script if they match a specific behavior. For example, messages from an IP address that indicate harvesting of e-mail addresses will be put into the harvesters list.

When that same IP address tries to connect again after being added to the list, it will be rejected with a configured reject code for the list if it is configured with the reject action. For example, the harvesters list will reject with code "550 denied due to too many unknown recipients". No further statistics will be gathered on that IP address during this early reject period and further Threat Prevention rules will not be applied. An IP address can be released from a dynamic list after a configurable period of time. Dynamic lists can contain tens of thousands of IP addresses.

Dynamic lists with an action of "Just Log" will pass the request on to the rules processing script. The rules script can then specify its own reject or accept action. If the rules script specifies an accept action, further statistics will be gathered as the mail is received and processed.

The dynamic lists defined on ePrism can also be pushed to an F5 or Cisco edge device. If this feature is configured, any IP addresses that are added to a Dynamic list by the connection rules script will be pushed to an F5 or Cisco device and added to a group list of the same name. This allows the edge device to process further connections from the IP address and to act accordingly without the connection reaching ePrism.


Configuring Dynamic Lists

Select Mail Delivery ➝ Threat Prevention ➝ Dynamic Lists to configure your threat prevention dynamic lists.

There are five predefined dynamic lists:

• blacklisted — Addresses that have been blacklisted.

• harvesters — Addresses known to be involved in e-mail address directory harvesting.

• infected — Addresses known to send virus-infected messages.

• spammers — Addresses known to send large amounts of spam.

• tarpit — Group used to temporarily reject connections to slow down incoming connections from an address.

Select a group to edit its properties, or click the Add button to add a new group.

• Name — Enter a descriptive name for this list. If you are pushing data to an F5 or Cisco device, this list name must match the group name configured on the device.
• Description — Enter a description of this list.
• Action — Action to take if a connecting IP is listed in this group. Choices are Reject Mail or Just Log.
• Reject Code — If the selected action is Reject Mail, reply to the connection request with this reject code. Choose between 450 (temporary) or 550 (permanent). A well-behaved sending MTA that receives 450 keeps the message and retries later, so 450 suits lists such as tarpit that are meant to slow a sender down; 550 tells the sender to bounce the message, so reserve it for lists whose entries you are confident are abusive.
• Reject Message — Enter the reason provided to the client for rejecting the connection. This message is only used if the action is set to Reject Mail.
• Entry Duration — Enter the duration (in seconds) for an IP to remain in this list after it has been placed into this group by a connection rule.
• Maximum Entries — The maximum number of addresses the list may hold at once. This value may range from 1 to 100000. Set to "0" for unlimited.
• Push to Cisco Devices — Select the check box to push data to all configured Cisco devices. The list name must be identical to the group name defined on the Cisco device.
Note: Only one dynamic list can be assigned to push information to a Cisco device.
• Push to F5 Devices — Select the check box to push data to all configured F5 devices. The list name must be identical to the data group name defined on the F5 device.
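The following Python model is added here as an example and is not part of the ePrism product or its configuration interface. It shows how the Action, Reject Code, Entry Duration and Maximum Entries settings above interact for a connecting IP: a listed address is refused with the configured SMTP code and message or merely logged and passed on, an address drops out of the list once its duration has elapsed, and a full list refuses new entries until older ones expire. The class and function names, the sample addresses and the timestamps are assumptions chosen to mirror the settings described in the guide.

```python
"""Model of an ePrism-style dynamic address list (added example, not ePrism
code): entries expire after Entry Duration seconds, the list holds at most
Maximum Entries addresses (0 = unlimited), and a listed connection is either
rejected with the configured SMTP code/message or only logged and passed on.
"""
from collections import OrderedDict
from dataclasses import dataclass, field

REJECT_MAIL = "Reject Mail"
JUST_LOG = "Just Log"


@dataclass
class DynamicList:
    name: str
    action: str = REJECT_MAIL
    reject_code: int = 550          # 450 = temporary, 550 = permanent
    reject_message: str = "Message Rejected"
    entry_duration: int = 3600      # seconds an address stays listed
    max_entries: int = 0            # 0 = unlimited
    # ip -> expiry timestamp, in insertion order (assumed data structure)
    entries: "OrderedDict[str, float]" = field(default_factory=OrderedDict)

    def expire(self, now: float) -> None:
        """Drop entries whose Entry Duration has elapsed."""
        for ip in [ip for ip, exp in self.entries.items() if exp <= now]:
            del self.entries[ip]

    def add(self, ip: str, now: float) -> bool:
        """List an address, as a connection rule would. Returns False when the
        list is full and the address was therefore not added."""
        self.expire(now)
        if ip in self.entries:
            del self.entries[ip]  # re-listing refreshes the duration
        elif self.max_entries and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = now + self.entry_duration
        return True

    def check(self, ip: str, now: float):
        """Decide what happens to a connecting IP.

        Returns ("reject", "<code> <message>") for a listed IP under Reject Mail,
        ("log", None) for a listed IP under Just Log (the connection continues to
        the rules script), or ("pass", None) when the IP is not listed."""
        self.expire(now)
        if ip not in self.entries:
            return ("pass", None)
        if self.action == REJECT_MAIL:
            if self.reject_code not in (450, 550):
                raise ValueError("reject code must be 450 or 550")
            return ("reject", f"{self.reject_code} {self.reject_message}")
        return ("log", None)


def demo():
    """Walk through the settings with constructed addresses and clock values."""
    spammers = DynamicList("spammers", reject_code=550,
                           reject_message="Message Rejected - Too much spam",
                           entry_duration=600, max_entries=2)
    tarpit = DynamicList("tarpit", reject_code=450,
                         reject_message="Try again later", entry_duration=60)
    logged = DynamicList("watch", action=JUST_LOG, entry_duration=600)

    results = {}
    spammers.add("198.51.100.7", now=0)
    spammers.add("198.51.100.8", now=0)
    results["full"] = spammers.add("198.51.100.9", now=0)          # Maximum Entries reached
    results["hit"] = spammers.check("198.51.100.7", now=10)         # permanent reject
    results["expired"] = spammers.check("198.51.100.7", now=601)    # Entry Duration elapsed
    results["room_after_expiry"] = spammers.add("198.51.100.9", now=601)
    tarpit.add("203.0.113.5", now=0)
    results["tarpit"] = tarpit.check("203.0.113.5", now=5)          # temporary reject
    logged.add("203.0.113.6", now=0)
    results["logged"] = logged.check("203.0.113.6", now=5)          # logged, passed on
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that a full list silently refuses to list further addresses; when Maximum Entries is sized for an edge device (see the Cisco caution later in this chapter), shorten Entry Duration as well so that slots are recycled quickly.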


F5 Blocking

Administrators can push ePrism’s Threat Prevention information to an existing F5 device. The F5 device can then be configured to rate limit, throttle, or block a given IP address.

The dynamic lists defined with ePrism’s Threat Prevention feature can be used to populate data groups of the same name on the F5. For example, IP addresses placed in the spammers dynamic list are pushed to the spammers data group on the F5 device, which then manages the response to those addresses. When an item is removed from a Threat Prevention dynamic list, it is automatically removed from the F5 data group.

Administrators must then configure iRules on the F5 device to act on the data groups as appropriate. The Threat Prevention feature will not automatically create iRules on the F5 device.

Note: The F5 device must be version 9.0.5 or greater.

Select Mail Delivery ➝ Threat Prevention ➝ F5 Blocking to define your F5 devices.

Click Add to add a new F5 device.

• Name — Enter a descriptive name to refer to this specific F5 device.
• URL — Enter the full URL for the F5 device, such as https://10.10.5.200.
• User Name — Enter a valid user name to log into the F5 device.
• Password — A corresponding password for the user name entered above. Use an account created for this integration rather than a shared administrator login; ePrism must retain the password in order to log in unattended.

Click the Test button to test your connection and login parameters on the F5 device.

Enabling Data Transfer to F5 Device

ePrism’s Threat Prevention feature can be configured to push items from its own defined dynamic lists to F5 data groups of the same name on one or more F5 devices.

To enable data to be pushed to F5, ensure that each Dynamic list defined on ePrism in Mail Delivery ➝ Threat Prevention ➝ Dynamic Lists has the Push to F5 Devices check box enabled.

Configuring F5 Data Groups

The Dynamic list names defined on ePrism must be manually created on the F5 devices. These groups are not automatically created via the Threat Prevention feature.

Caution: On the F5 device, you must create the groups using external file address data groups, not address groups. External file address groups can be updated frequently with many IP addresses without affecting F5 performance.

To create groups on the F5 device:

1. Log in to the F5 administration interface.
2. Select Local Traffic ➝ iRules, and then click the Data Group List tab.
3. Click Create, and then enter the same group name as the dynamic list defined in ePrism’s Threat Prevention feature.
4. Select External file (not Address); a subset of options will appear.
5. Enter the group name and select Address in the File Contents list.
6. Click Finished.
7. Repeat the steps for each data group required. This procedure must be repeated on each F5 device.
8. Create an iRule for the data groups. An iRule for the default set of data groups provided with Threat Prevention would be similar to the following:

when CLIENT_ACCEPTED {
    # Each match answers on the TCP connection with an SMTP-style 550 banner
    # and drops the connection, so the client never reaches ePrism.
    if { [matchclass [IP::remote_addr] equals $::harvesters] } {
        TCP::respond "550 Message Rejected - Too many unknown recipients\r\n"
        drop
    }
    if { [matchclass [IP::remote_addr] equals $::spammers] } {
        TCP::respond "550 Message Rejected - Too much spam\r\n"
        drop
    }
    if { [matchclass [IP::remote_addr] equals $::blacklisted] } {
        TCP::respond "550 Message Rejected - client blacklisted\r\n"
        drop
    }
    if { [matchclass [IP::remote_addr] equals $::infected] } {
        TCP::respond "550 Message Rejected - Infected\r\n"
        drop
    }
    # Tarpitted clients are not refused; they are steered to a rate-shaped pool.
    if { [matchclass [IP::remote_addr] equals $::tarpit] } {
        pool slow_rateclass
    }
}

9. Create any rate shaping classes, virtual servers, pools, and so on, as necessary for the normal configuration of an MTA. In the previous example, a pool called slow_rateclass is required, configured with rate shaping to allow only a limited rate of traffic.

10. Click the Test button in the Mail Delivery ➝ Threat Prevention ➝ F5 Blocking menu to verify that you have configured the F5 device correctly in the Threat Prevention feature. ePrism will attempt to list the contents of the F5 data group. If successful, the list of IP addresses that have been pushed to the F5 device is displayed. The test does not interrupt mail delivery or communications with the F5 and can be used at any time.

Note: In version 9.0.5 of F5, you cannot view the contents of external file data groups from the F5 web interface. Use the Test button in ePrism’s Threat Prevention menu to view the contents of external file data groups.

ePrism and F5 Integration Notes

Note the following considerations when integrating ePrism and an F5 device:

• The Threat Prevention feature updates continuously but also synchronizes with each F5 Data Group once an hour to ensure there are no discrepancies.

• If the F5 device does not contain a data group, Threat Prevention will attempt to synchronize with it indefinitely, once every second. It will report the warning once every 30 seconds in the mail logs for this condition.

• If there is a loss of communications between ePrism and the F5 device, the Threat Prevention feature will retry the connection to the F5 up to ten times.

• When using F5 integration with an ePrism cluster, only the master Cluster Console’s data groups will get pushed to the F5 device.


Cisco Blocking

Administrators can push Threat Prevention information to an existing Cisco edge device. ePrism can update the Cisco device with information from one Dynamic Address List. The Cisco device can then be configured to block a given IP address by adding it to an appropriate IP named ACL (Access Control List). When an item is removed from ePrism’s Threat Prevention list, it is automatically removed from the Cisco IP access list.

Note: ePrism utilizes the IP named access control list feature to forward information to the Cisco device. Cisco IOS version 11.2 or later is required for ePrism and Cisco integration.

Select Mail Delivery ➝ Threat Prevention ➝ Cisco Blocking to define your Cisco devices.

Click the Add button to add a new Cisco device.

• Name — Enter a descriptive name to refer to this specific Cisco device.
• URL — Enter the full telnet URL for the Cisco device, such as telnet://192.168.1.175.
• User Name — Enter a valid user name to log into the Cisco device.
• Password — A corresponding password for the user name entered above.
Note: Telnet is a cleartext protocol, so the login credentials and every access list update travel unencrypted between ePrism and the Cisco device. Keep that path on an isolated management network, and use a device account that is limited to what the integration needs.


Enabling Data Transfer to a Cisco Device

ePrism’s Threat Prevention feature can be configured to push items from a defined Dynamic Address List to an IP access list on a Cisco device.

To enable data to be pushed to the Cisco device, select a dynamic list defined on ePrism in Mail Delivery ➝ Threat Prevention ➝ Dynamic Lists, and ensure that the Push to Cisco Devices check box is enabled.

Note: When using Cisco integration with an ePrism cluster, only the master Cluster Console’s data groups will get pushed to the Cisco device.

Only one dynamic list can be assigned to the Cisco device. It is recommended that the blacklisted list be used to block blacklisted clients at the Cisco device.

Caution: Ensure that the Maximum Entries value is sized for the capabilities of your Cisco device. A large value may overrun a smaller device that can only hold a limited number of access list entries.


Cisco Device Configuration

Configure the Cisco device as follows to integrate with ePrism’s Threat Prevention feature:

1. Log in to the Cisco device and enter privileged (enable) mode.
2. Change to global configuration mode:

   Router# configure terminal

3. Change to interface configuration mode for the interface on which the listed senders arrive (x and y are the slot and port of the Ethernet interface):

   Router(config)# interface FastEthernet x/y

4. Apply the named IP access list whose name matches the ePrism Dynamic Address List to inbound traffic on the interface:

   Router(config-if)# ip access-group <access_list_name> in

5. Exit from interface configuration mode:

   Router(config-if)# exit

6. Perform the same steps for each Cisco interface as required.

Before applying the access list to a production interface, inspect its contents with show ip access-lists <access_list_name>. Every IOS access list ends with an implicit deny of all other traffic, so an inbound list that contained only deny entries for listed senders would block all other mail and non-mail traffic on that interface; confirm that the list permits the traffic the interface is expected to carry.
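The following Python script is an added example and is not ePrism's own push logic (the guide does not document the exact entries ePrism writes to the device). It renders the IOS configuration that a Dynamic Address List needs on a Cisco device: a named extended access list with one deny line per listed address, a trailing permit so that the list's implicit deny does not block legitimate traffic, and the interface binding from the steps above. The named extended list format, the trailing permit, the Maximum Entries cap, the interface name and the sample addresses are assumptions.

```python
"""Render IOS named-ACL configuration for a dynamic address list (added example,
not ePrism code). Invalid addresses are skipped, duplicates collapse, and at
most max_entries deny lines are written so a small device is not overrun."""
import ipaddress
from typing import Iterable, List


def render_acl(name: str, addresses: Iterable[str], max_entries: int = 0) -> List[str]:
    """Return IOS commands for a named extended ACL that denies each address.

    max_entries mirrors the ePrism Maximum Entries setting (0 = unlimited)."""
    if not name or " " in name:
        raise ValueError("ACL name must be a single word")
    seen = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue  # not an address; skip rather than write a bad line
        if ip.version != 4 or ip in seen:
            continue
        seen.append(ip)
        if max_entries and len(seen) >= max_entries:
            break
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {ip} any" for ip in seen]
    # Assumed: a final permit so the implicit deny at the end of every IOS ACL
    # does not drop all other traffic on the interface.
    lines.append(" permit ip any any")
    return lines


def render_interface_binding(interface: str, acl_name: str) -> List[str]:
    """Return the interface commands from steps 3 to 5 above."""
    return [f"interface {interface}", f" ip access-group {acl_name} in", " exit"]


def build_config(acl_name: str, addresses: Iterable[str],
                 interfaces: Iterable[str], max_entries: int = 0) -> List[str]:
    """Complete configuration-mode transcript: ACL first, then each interface."""
    cfg = ["configure terminal"]
    cfg += render_acl(acl_name, addresses, max_entries)
    cfg.append("exit")
    for ifname in interfaces:
        cfg += render_interface_binding(ifname, acl_name)
    cfg.append("end")
    return cfg


if __name__ == "__main__":
    # Constructed sample: two listed senders, a duplicate and an invalid token.
    sample = ["198.51.100.7", "203.0.113.9", "198.51.100.7", "not-an-ip"]
    print("\n".join(build_config("blacklisted", sample,
                                 ["FastEthernet0/0"], max_entries=100)))
```

Comparing the rendered list with the output of show ip access-lists on the device is a quick way to confirm that the number of entries ePrism pushed is within what the device holds.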

Threat Prevention Status

The Threat Prevention Status screen displays the current state of the threat prevention feature and provides information on the current number of items in each specified list, such as the number of addresses listed as "spammers".

Select Status/Reporting ➝ Threat Prevention Status from the menu to view the current threat status.

A summary of the entire threat prevention database is displayed, including the following:

• Number of IPs in the Threat Prevention database
• Number of open connections and open connections in a DNSBL
• The number of items in each defined data group, such as tarpit, harvesters, spammers, infected, and blacklisted

Administrators can search for the state of a specific IP address by entering it in the search field and clicking the right-arrow button.

A new table will appear for that specific IP address displaying statistics on the number of messages from that IP address during a time period, and the types of messages received.

To reset the status data, click Reset Threat Prevention History.


CHAPTER 12 HALO (High Availability and Load Optimization)

This chapter describes the high availability and load optimization features of the ePrism Email Security Appliance, and contains the following topics:

• “HALO Overview” on page 232
• “Configuring Clustering” on page 234
• “Cluster Management” on page 240
• “Configuring the F5 Load Balancer” on page 244
• “Queue Replication” on page 245


HALO Overview

HALO (High Availability and Load Optimization) is the fail-safe clustering architecture of the ePrism Email Security Appliance. HALO enables two or more ePrism systems to act as a single logical unit for processing a mail stream while providing load balancing and high availability.

HALO is intended to ensure that mail messages are not lost when an individual system fails. The clustering architecture is illustrated in the following diagram.

Cluster Management

The ePrism systems participating in the cluster are grouped together by connecting a network interface of each to a separate network called the Cluster Network. The ePrism systems exchange clustering information with each other over this network. Systems can also be added to or removed from the cluster without interrupting mail services. It is recommended that all systems in the cluster run on the same platform (such as the M-3000), and that the cluster network be separated from the main production network.

One system is configured to be the Cluster Console which is the "master" system where all cluster administration and configuration will be performed. When an ePrism system is added to the cluster, its configuration will automatically be synchronized with the Cluster Console. Any changes to the configuration on the Cluster Console will also be replicated to every cluster member.

The ePrism cluster will be treated as a logical unit for processing mail and system configuration.


Load Balancing

Although the ePrism cluster will be treated as one system, e-mail is processed independently by each cluster member and requires the use of a load balancing system to distribute mail flow between the systems in the cluster.

Load Balancing via DNS

A DNS round-robin technique can be used to distribute incoming SMTP connections via DNS to the systems in the cluster, as shown in the following example MX records:

example.com IN MX 10 mail1.example.com

example.com IN MX 10 mail2.example.com

Priority can be given to specific servers by configuring different priority values, as follows:

example.com IN MX 5 mail1.example.com

example.com IN MX 10 mail2.example.com
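The following Python script, an added example that is not part of the guide, shows the sender-side behaviour that makes these MX records distribute load: an SMTP client sorts the exchanges by preference, chooses at random among exchanges that share a preference (which is what spreads connections across mail1 and mail2 in the first record set), and only falls through to a higher preference value when every exchange at the lower value is unreachable. The record lists, the reachability function and the trial counts are constructed.

```python
"""MX selection as an SMTP client performs it (added example, not ePrism code):
ascending preference, random order among equal preferences, fall through to
the next preference only when all lower-preference hosts fail."""
import random
from typing import Callable, Dict, List, Optional, Tuple

MXRecord = Tuple[int, str]  # (preference, exchange host)


def ordered_exchanges(records: List[MXRecord], rng: random.Random) -> List[str]:
    """Hosts in the order a client should try them: by preference, with
    equal-preference hosts shuffled so successive senders do not all start
    with the same cluster member."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def pick_exchange(records: List[MXRecord], reachable: Callable[[str], bool],
                  rng: Optional[random.Random] = None) -> Optional[str]:
    """Return the first reachable exchange, or None when every host is down."""
    rng = rng or random.Random()
    for host in ordered_exchanges(records, rng):
        if reachable(host):
            return host
    return None


def distribution(records: List[MXRecord], trials: int = 1000, seed: int = 1) -> Dict[str, int]:
    """Count how often each host is tried first over many independent senders."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = ordered_exchanges(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    equal = [(10, "mail1.example.com"), (10, "mail2.example.com")]
    prioritised = [(5, "mail1.example.com"), (10, "mail2.example.com")]
    print("equal preference, first host tried:", distribution(equal))
    print("priority, first host tried:", distribution(prioritised))
    down = {"mail1.example.com"}
    print("mail1 down, chosen:", pick_exchange(prioritised, lambda h: h not in down))
```

With equal preferences the first-host counts come out roughly even; with 5 and 10 every sender tries mail1 first and mail2 only sees traffic when mail1 is unreachable, which is why the second record set gives priority rather than balance.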

Using a Load Balancer

You can also use a hardware load balancing device, such as the F5 BIG-IP, Cisco, or other similar load balancer. The load balancer is configured to send the mail stream to systems in a cluster. If one of the systems fails, the load balancer will distribute the load between the remaining systems.

The load balancer can be configured to distribute the mail stream connections intelligently across all systems in the cluster, using techniques such as round-robin, and distribution by system load and availability.


Configuring Clustering

The following sections describe how to install and configure a cluster. In these examples, a cluster of two systems is described. The procedure requires the following steps:

1. Hardware and Licensing — Ensure all systems are of the same hardware, have the same software versions, and are properly licensed. This includes the ePrism license, the Stateful Failover license, and any other options. Ensure the member systems are new installations with no changes to the default configuration. When they are connected to the cluster, they will receive their configuration from the Cluster Console.
2. Cluster Network Configuration — Configure a network interface on each system for clustering.
Note: Using an M1000 (which only has two network cards) in a clustering scenario requires that it be deployed internally using a single-interface model so that the second network card can be used for clustering.
3. Create the cluster — From the Cluster Console system, create the cluster.
4. Add cluster members — From the Cluster Console, add the cluster member systems.

Step 1: Hardware and Licensing

All cluster members, including the Cluster Console, should be the same level of hardware (such as an M3000), and be running the same version of software and update patches.

All cluster members must also have all the same additional features (such as Kaspersky Anti-Virus) installed and licensed before integration into the cluster. Member systems should be new installations with no changes to the default configuration except for additional licensed options.

Caution: It is critical that the cluster member systems be new installations with no changes to the default configuration except for licensed options, networking, and HALO settings.

Step 2: Cluster Network Configuration

The following instructions describe how to configure the network settings for two ePrism systems in a cluster.

1. Connect an unused network interface from each ePrism to a common network switch, or connect the interfaces directly with a crossover network cable. This forms the "cluster network", a control network over which clustering information is passed between the ePrism systems that form the cluster.
Note: For security reasons, this network should be isolated and not connected to the main network. For a cluster of two systems, a crossover cable between the selected interfaces provides a secure connection without the need for a switch.

2. On each ePrism system, go to the Basic Config ➝ Network screen.


3. On the network interface that you want to use for clustering, ensure that the Trusted Subnet and Admin Login check boxes are enabled.

4. In the Clustering section of the Network settings screen, select the Enable Clustering check box and choose the network interface that is connected to the cluster control network.


Step 3: Creating the Cluster

The following instructions describe how to create the cluster and initialize the Cluster Console system.

1. Select HALO ➝ Cluster Administration on the menu. Before continuing, ensure that this is the system that you want to be the Cluster Console system.

2. Click the Configure button to start the cluster configuration process.
3. The system will prompt you for information on setting up the cluster. First, enter the admin user name and password for the system that will be configured as the Cluster Console. Click the Add or Update Member button to add the system as the Cluster Console, and then click Close to finish.


4. The Cluster Management console is then displayed.

Step 4: Adding Cluster Members

The following instructions describe how to add other systems to the cluster.

Caution: It is critical that any additions or deletions from the cluster configuration be performed with only a single administrator logged in. If any changes to the configuration of the Cluster Console are performed during a cluster configuration change, there is a risk that initialization of a member will not process correctly.

1. Add cluster members by clicking the Add/Remove button in the Cluster Management console.

2. Enter the Cluster Member hostname or IP Address, an optional name for the system, and the Admin login ID and password. Click the Add or Update Member button to add the system.

3. When systems are added to a cluster, the configuration of the Cluster Console system is replicated automatically to the new cluster member. This process will take some time to complete, and the Cluster Management screen will indicate that the cluster member is initializing.

Caution: It is critical that no other configuration changes are made to the Cluster Member or Cluster Console while the member is initializing.

When a system is added to the cluster, the configuration of the Cluster Console is replicated to the new node with the following exceptions:

• Unique networking settings such as host name and IP address, and network interface specific settings
• Local users and any WebMail related information
• Any reporting related information
• Centralized management information
• Token analysis databases
• Vacation notification related information (only partially replicated)

4. When the initialization of the member is complete, the Cluster Management console will appear, displaying both the Cluster Console and the new cluster member.


Troubleshooting Cluster Initialization

The following table describes common issues that occur when configuring a cluster.

TABLE 1. Troubleshooting Cluster Initialization

Issue: Blank 'Address' field when setting up the Cluster Console
Solution: The interface has not been correctly initialized. Go to Basic Config ➝ Network and scroll down to the Clustering section. Select the Cluster Interface, click Update, and reboot.

Issue: Connection check fails
Solution: The interface on the Console may not be configured correctly. The target cluster member machine is not running, or the interface on the target node is not configured correctly. The hardware or software of the cluster subnet may not be configured correctly.

Issue: Very slow to display the initialization screen in the console window for a new cluster member
Solution: Check the cluster subnet between the Console and the target cluster member. Try clicking the Refresh now button on the Console screen.


Cluster Management

The Cluster Management screen is accessed on the Cluster Console via HALO ➝ Cluster Administration, displaying mail processing statistics for each individual cluster member. All cluster management and configuration must be performed from the Cluster Console system. Any configuration changes made to the Cluster Console are automatically replicated to the cluster member servers.

Cluster Commands

The following commands can be performed for the entire cluster or for individual cluster member systems:

• Queues — Select the appropriate button to Run, Stop, or Flush the mail queues.
• Send — Enable or Disable the sending of mail from the cluster or the specified system.
• Receive — Enable or Disable the receiving of mail for the cluster or the specified system.

Activate/Deactivate Members

When member systems are added to a cluster, they are assigned an active state to process mail for the cluster. If you need to take this system out of the cluster for maintenance purposes, the system can be temporarily deactivated from the cluster by using the Deactivate button. A deactivated cluster member is still monitored, and can process mail, but its configuration will not be synchronized with the Cluster Console. The state of the e-mail queue is not changed when a cluster member is deactivated.


The Cluster Console itself cannot be deactivated. To perform maintenance on the Cluster Console, you must deactivate all cluster members individually. This effectively deactivates the entire cluster. When your maintenance is completed, reactivate each cluster member.

To reactivate a disabled cluster member, click the Activate button. Activating a cluster member will synchronize its configuration information by comparing the last time of replication and update the system with the configuration from the Cluster Console. A complete resynchronization will be required if the replication times do not exactly match.

A cluster member will be deactivated automatically if the Cluster Console is unable to communicate with it, and an alarm will be issued when this occurs. E-mail processing is not affected by this deactivation.

Start-Up Configuration

Click the Configure button to select an action to perform when a cluster member system restarts.

• Wait for Console — The cluster member, after a restart, will wait until it contacts the Cluster Console system and synchronize before processing mail. The system will try to contact the console for five minutes before starting without synchronization.

• Start immediately — The cluster member will start immediately without contacting and synchronizing its configuration with the Cluster Console system.


Cluster Activity

When a cluster is activated, a new Cluster Activity option appears on the Activity menu, and provides an activity screen displaying the combined activity of all cluster members. To see the activity for just the current system, use the Activity option from the menu.

Cluster Reporting

ePrism reports can be generated for a single system or for all systems in a cluster. The e-mail database can also be searched on a single system or on the entire cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message. See “Viewing and Generating Reports” on page 250 for more information on cluster reporting.

Configuring a New Cluster Console

If you need to assign the Cluster Console role to another system in the cluster, you must log in to the cluster member you would like to use as the Cluster Console and reconfigure the cluster from the HALO ➝ Cluster Administration menu. This will essentially deactivate the entire cluster, and you must add the cluster members again to the cluster once the new Cluster Console is initialized.

Backup and Restore

You should configure the backup for a cluster member with a unique backup directory for each cluster system, including the Cluster Console. Separate backup directories are required to ensure that backups do not inadvertently overwrite the backup from another cluster system.

Restoring from a backup is primarily intended for product recovery after a re-installation or software upgrade. Restoring clustered systems can potentially cause problems with cluster configuration and communication, and it is recommended that you use the following procedures when restoring a member of a cluster system.

See “Backup and Restore” on page 279 for more detailed information on the backup and restore process.

Restoring a Cluster Member

Use the following procedure to perform a restore on a cluster member system (not the Cluster Console):

1. From the Cluster Console, remove the member system from the cluster.
2. Disconnect the member system from the cluster network by unplugging the network cable.
3. Perform the restore procedure, but restore only Quarantined mail, SSL Certificates, Token Analysis, and Reporting Data (optional). The member will automatically synchronize the rest of its configuration with the Cluster Console when it is reintegrated with the cluster.


4. When the system is restored, disable clustering on the cluster network interface in Basic Config ➝ Network. Click the Update button but do not reboot.

5. Re-enable clustering on the network interface. Ensure that the specified interface is the one connected to the cluster network. Click the Update button but do not reboot.

6. Connect the member system’s network cable to the cluster network.
7. From the Cluster Console, add the system back into the cluster.

Restoring the Cluster Console

On each cluster member system, (not the Cluster Console) clear the cluster configuration as follows:

1. Disable clustering on the cluster network interface of each cluster member in Basic Config ➝ Network. Click the Update button but do not reboot. Re-enable clustering on the network interface. Ensure that the specified interface is the one connected to the cluster network. Click the Update button but do not reboot.

2. Disconnect the Cluster Console from the cluster network by unplugging the network cable.
3. On the Cluster Console, perform a full restore of all configuration items.
4. When the restore is complete, go to the cluster configuration screen in HALO ➝ Cluster Administration, and remove all cluster members from the cluster.
5. Reconnect the Cluster Console to the cluster network.
6. Reconfigure the cluster and add the other systems as cluster members.

Trusted Senders List and Spam Quarantine with a Cluster

The Trusted Senders List and Spam Quarantine can be used in a clustering environment. Please note the following when using these features in a Cluster.

• Trusted Senders List — This feature should only be enabled on the master Cluster Console system. The cluster will automatically synchronize the configuration with the other cluster members.

• Spam Quarantine — This feature should only be enabled on the master Cluster Console system. The cluster will automatically synchronize the configuration with the other cluster members. You must set up your Intercept Redirect To actions with a hostname dedicated to the cluster interface on the Cluster Console system. See “Spam Quarantine” on page 165 for detailed information on setting up the Spam Quarantine in a clustered environment.


Configuring the F5 Load Balancer

As part of ePrism’s clustering solution, you can use an F5 BIG-IP load balancer to control traffic to your clustered systems. ePrism includes a configuration screen from which you can configure the BIG-IP load balancer over its iControl administrative connection.

This integration lets ePrism register the cluster nodes directly with the BIG-IP device. Information on message and traffic load can be communicated directly to the load balancer, allowing it to make better failover decisions.

Note: See the BIG-IP documentation for more information on configuring the load balancer. This load balancing integration only works with BIG-IP versions prior to version 9. It is recommended that the load balancing configuration be performed on the F5 device itself rather than on ePrism.

Select HALO ➝ F5 Integration from the menu to configure the BIG-IP load balancer.

Click the Config button to setup a new F5 configuration.

• BIG-IP Enabled — Select the check box to enable management of the BIG-IP load balancer with iControl.

• BIG-IP IP Address — Specify the IP address of the BIG-IP system used for iControl administrative access.

• Login — Enter the login ID used to configure the load balancer.
• Password — Enter the password for the login ID above.
• Pool — Specify the name of the load balancing pool used for mail flow for the ePrism cluster.

Queue Replication

The Queue Replication feature enables mail queue replication and stateful failover between two ePrism systems. If the primary owner of a mail queue becomes unavailable, the mirror system can take ownership of the mirrored mail queue and deliver it.

Without queue replication, messages that a system has received and queued but not yet delivered are lost if that system suddenly fails. In a large environment this could amount to hundreds or thousands of messages.

Queue replication actively copies any queued mail to the mirror system, ensuring that if one system should fail or be taken offline, the mirror system can take ownership of the queued mail and deliver it. If the source system successfully delivers the message, the copy of the message on the mirror server is automatically removed.

In the following diagram, system A and system B are configured to be mirrors of each other’s mail queues.

When a message is received by system A, it is queued locally and a copy of the message is also immediately sent over the failover connection to the mirror queue on system B.

If system A fails, administrators can login to system B and take ownership of the queued mail to deliver it. Messages are exchanged between the systems to ensure that the mirrored mail queues are properly synchronized, preventing duplicate messages from being delivered when a failed system has come back online.
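The following Python simulation is an added example and is not ePrism code. It models the behaviour described above: each system keeps its own queue plus a mirror of its partner's queue, a successful delivery by the owner removes the partner's mirror copy, and taking ownership on the partner delivers whatever is still mirrored. The last scenario shows why taking ownership while the owner is still alive delivers every message twice, and the resynchronisation step shows what must happen when the failed system comes back. The class and function names, the message IDs and the three scenarios are constructed.

```python
"""Mirrored mail queues with stateful failover (added example, not ePrism code)."""
from typing import Dict, List, Optional, Set


class System:
    def __init__(self, name: str):
        self.name = name
        self.queue: Dict[str, str] = {}    # msgid -> message owned by this system
        self.mirror: Dict[str, str] = {}   # msgid -> message mirrored for the partner
        self.partner: Optional["System"] = None
        self.online = True
        self.delivered: List[str] = []     # what this system handed to the next hop

    def receive(self, msgid: str, message: str) -> None:
        """Queue locally and immediately copy to the partner's mirror queue."""
        self.queue[msgid] = message
        if self.partner is not None and self.partner.online:
            self.partner.mirror[msgid] = message

    def deliver_queue(self) -> List[str]:
        """Deliver everything this system owns; each success removes the
        partner's mirror copy so it cannot be delivered a second time."""
        if not self.online:
            return []
        done = []
        for msgid in list(self.queue):
            self.delivered.append(msgid)
            del self.queue[msgid]
            if self.partner is not None and self.partner.online:
                self.partner.mirror.pop(msgid, None)
            done.append(msgid)
        return done

    def deliver_mirrored(self) -> List[str]:
        """The 'Deliver Mirrored Messages' action: take ownership of the
        partner's mirrored mail and deliver it from here."""
        for msgid in list(self.mirror):
            self.queue[msgid] = self.mirror.pop(msgid)
        return self.deliver_queue()


def pair(a: System, b: System) -> None:
    a.partner, b.partner = b, a


def duplicates(*systems: System) -> Set[str]:
    """Message IDs delivered by more than one system."""
    seen: Set[str] = set()
    dup: Set[str] = set()
    for s in systems:
        for m in s.delivered:
            (dup if m in seen else seen).add(m)
    return dup


def resync(returning: System, partner: System) -> List[str]:
    """Synchronisation when a failed system comes back: anything the partner
    already delivered on its behalf is dropped from the returning queue."""
    returning.online = True
    dropped = [m for m in returning.queue if m in partner.delivered]
    for m in dropped:
        del returning.queue[m]
    return dropped


def scenario(name: str) -> dict:
    a, b = System("A"), System("B")
    pair(a, b)
    a.receive("m1", "hello")              # constructed messages
    a.receive("m2", "world")
    if name == "normal":                  # owner delivers, mirror copies vanish
        a.deliver_queue()
    elif name == "failover":              # owner dies, partner takes over, owner returns
        a.online = False
        b.deliver_mirrored()
        resync(a, b)
        a.deliver_queue()
    elif name == "premature":             # button pressed while the owner is alive
        b.deliver_mirrored()
        a.deliver_queue()
    else:
        raise ValueError(name)
    return {"a": sorted(a.delivered), "b": sorted(b.delivered),
            "b_mirror": sorted(b.mirror), "dups": sorted(duplicates(a, b))}


if __name__ == "__main__":
    for case in ("normal", "failover", "premature"):
        print(case, scenario(case))
```

The "premature" case is the situation the Caution under Deliver Mirrored Messages warns about: nothing in the mirror protocol stops the original owner from delivering its own copies, so the only safeguard is not taking ownership until the owner is known to be down.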


Licensing

HALO Queue Replication must be licensed to use it beyond the evaluation period. See “License Management” on page 274 for more information on licensing optional components.

Configuring Queue Replication

Select HALO ➝ Queue Replication from the menu to configure this feature’s options.

• Enable Queue Replication — Select the check box to enable queue replication on this system. Replication must be enabled on both the source and mirror hosts in the Basic Config ➝ Network screen.

• Replication Timeout —Specify the time, in seconds, to contact the host system before timing out.

• Replicate to Host — The mail queues are automatically updated when a message is first received, and the queues are also synchronized at regular intervals. Press this button to replicate the queue to the mirror host system immediately.

• Mirrored Messages — This value indicates the current amount of queued mail that is mirrored on this ePrism.

• Purge Mirrored Messages — Select this button to delete any mail messages in the local mirror queue. These are the files that are mirrored for another host server.

• Deliver Mirrored Messages — Select this button to take ownership and process the mail that is mirrored for another source system. If the server is still alive, importing and processing the mirror queue may result in duplicate messages being delivered.

Caution: Do not press this button unless you are certain that the source system is unable to deliver mail.

• Review Mirrored Messages — Select this button to review any mail in the local mirror queue that is mirrored for another source server.


Queue Replication Interface

You must also enable queue replication on a network interface on both the host and client server.

Select Basic Config ➝ Network from the menu, and then scroll down to the Queue Replication section.

Note: These options only appear in the Network settings screen after Queue Replication is enabled.

• Enable Replication — Select the check box to enable queue replication on this system.
• Replication Host — Specify the IP address of the system that will be backing up mail for this ePrism.
• Replication Client — Specify the IP address of the system that will be backing up its mail queue to this ePrism.
• Replication I/F — Select the network interface to use for queue replication. This network interface should be connected to a secure network. It is recommended that queue replication and clustering functions be run together on their own dedicated subnet.

Note: If you are backing up and restoring configuration information to a different system than the original and queue replication is enabled, you will have to reconfigure Queue Replication to ensure that it will work properly.


Importing and Processing Mirrored Messages

If you have two systems that are mirroring each other’s mail queues and one of those systems fails, you must go to the mirror server and import the mirrored mail to ensure that it is processed and delivered.

Import the mirrored messages as follows:

1. Ensure that the host server is unavailable. Before importing any mirrored mail, you must ensure that the host server is not processing mail. If you import and process the mirrored mail on the mirror server, this may result in duplicate messages if the host server starts functioning again.

2. On the mirror server, select HALO ➝ Queue Replication from the menu.

3. You may wish to view the currently mirrored mail by clicking the Review button.

4. Click the Deliver button. This ePrism will take ownership of any queued mail mirrored from the source server, and process and deliver it.


CHAPTER 13 Reporting

This chapter describes the reporting features of the ePrism Email Security Appliance and contains the following topics:

• “Viewing and Generating Reports” on page 250
• “Viewing the Mail History Database” on page 260
• “Viewing the System History Database” on page 262
• “Report Configuration” on page 264


Viewing and Generating Reports

ePrism’s reporting functionality provides a comprehensive range of informative reports for the ePrism Email Security Appliance, including:

• Traffic Summary
• System Health
• Top Mailbox Disk Users
• WebMail Usage
• POP and IMAP Access
• Bulk Analysis and DNSBL Lookup Performance
• Spam Statistics
• Virus Reports
• Recipient Reports

The reports are derived from information written to the various system logs, which is then stored in the reporting database. Reports are stored on the system for online viewing, and can also be e-mailed automatically to specified users. Reports can be generated on demand and at scheduled times. Reports can also be filtered to provide reporting on only specific mail domains, user groups, or hosts.

Administrators can specify which data is to be included in each report, how it is to be displayed, the order of data, and the number of entries to report, such as "Top 10 Disk Space Users".

Reports can be generated in four different formats: HTML, PDF, CSV (comma separated output) and Postscript format.


Reporting Menu

To generate and view reports, select Status/Reporting ➝ Reporting ➝ Reports.

To view a previously generated report, click on the report name. To configure a report, click on the Configure button beside the corresponding report name. Click Generate to immediately generate the specified report.

Viewing Reports

To view a report, click on the report name, such as Full Report.


Reports that have been previously generated are listed here. Click on an HTML report name, such as rep1.html, to view the contents within the current browser window. Click on the Finished At time to view it in a popup window. Click on other formats to save the report to your workstation.

The following illustrates the types of charts and graphs available from the full report.


Configuring Reports

Click the Configure button beside a specific report name to configure that report, or click Add New Report Type to start a new report.

General Report Configuration Parameters

• Report Title — Title to display at the top of the report.
• Email To (HTML, CSV, PDF, PS) — Specify an e-mail address, such as [email protected]. Use a comma-separated list if you wish to distribute the report to multiple users, or assign an alias.
• Paper Size — For PDF and PS formats, select the paper size, such as Letter, A4, or Legal.
• Describe fields in report — Select this option to include a short description of each field in the report.
• Hosts — If you are running a clustered system, select the specific host you want the report to apply to. When running reports in a clustered system, if you select "All" hosts in the report, it will generate a report for each host individually, and then merge the results into one report.

• Filters — Select a filter, if any, to use with this report. Filters are created from the Status/Reporting ➝ Reporting ➝ Report Filters menu.


Automatic Report Generation

Configure and generate automatic reports from the Report Generation section of the configuration screen.

• Enable Auto Generate — Select this check box to automatically generate reports.
• Auto Generate Report at — Select the time to generate the report.
• Auto Generate on Week Days… — Choose the days of the week to generate the report.
• ...and/or Day(s) of Month — Choose specific days of the month to generate the report.
• Timespan Covered — Select the timespan covered for this report.
• Timespan Ends at… — Select the end of the timespan. It is recommended to set the timespan end time a few hours prior to report generation to allow all deferred mail to be finalized.
• ...Timespan Offset (Days Ago) — Select the number of days to offset the timespan. This amount of time is subtracted before setting the timespan.

Click the Generate Now button to generate a report on demand using the specified settings. This will also automatically e-mail the report to the specified address.

To generate a report daily at 2:00am for the previous day (up to 11:00pm):

Auto Generate Report at: 02:00
Auto Generate on Week Days: All
Timespan covered: 1 day
Timespan ends at: 23:00
Timespan offset: 0 days

To generate weekly reports on Sunday at 4:00am for the period ending Friday 11:00pm:

Auto Generate Report at: 04:00
Auto Generate on Week Days: Sunday
Timespan covered: 1 week
Timespan ends at: 23:00
Timespan offset: 1 day ago
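The two schedules above can be checked by computing the window a report actually covers from its settings. The following is an added example, not ePrism code; it assumes that the timespan ends at the most recent "Timespan ends at" clock time before the generation time, pushed back by the offset, and that the week-day and day-of-month lists fire when either matches.

```python
from datetime import date, datetime, time, timedelta


def report_window(generated_at, covered, ends_at, offset_days=0):
    """Return (start, end) of the period a report covers.

    Assumption (the guide gives the settings, not the arithmetic): the timespan
    ends at the most recent `ends_at` clock time strictly before `generated_at`,
    moved back a further `offset_days` whole days, and begins `covered` earlier.
    Ending a few hours before generation leaves deferred mail time to be finalized.
    """
    end = datetime.combine(generated_at.date(), ends_at)
    if end >= generated_at:          # today's ends_at has not passed yet: use yesterday's
        end -= timedelta(days=1)
    end -= timedelta(days=offset_days)
    return end - covered, end


def is_due(day, week_days=(), month_days=()):
    """'Auto Generate on Week Days... and/or Day(s) of Month': assumed to fire on a
    day that matches either list."""
    return day.strftime("%A") in week_days or day.day in month_days


def window_for(generated_at_iso, covered_days, ends_at_hhmm, offset_days=0):
    """String-based wrapper: ISO generation time, timespan in days, 'HH:MM' end time."""
    generated = datetime.fromisoformat(generated_at_iso)
    hour, minute = (int(part) for part in ends_at_hhmm.split(":"))
    start, end = report_window(generated, timedelta(days=covered_days),
                               time(hour, minute), offset_days)
    return start.isoformat(" "), end.isoformat(" ")


def due_on(day_iso, week_days=(), month_days=()):
    """String-based wrapper around is_due for an ISO date."""
    return is_due(date.fromisoformat(day_iso), week_days, month_days)


if __name__ == "__main__":
    # Guide example 1: daily at 02:00, 1 day, ends at 23:00, offset 0 days
    print(window_for("2006-02-01 02:00", 1, "23:00", 0))   # previous day, 23:00 to 23:00
    # Guide example 2: Sunday at 04:00, 1 week, ends at 23:00, offset 1 day ago
    print(window_for("2006-02-05 04:00", 7, "23:00", 1))   # ends Friday 23:00
```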


Report Fields

The Fields section allows you to choose which fields or items of information to include in the report. The fields provided are static and the standard reports use fields pre-selected from this list to satisfy certain requirements. You can include or exclude fields to any one of the reports as required.

Columns

• Field ID — This is the ePrism name for this item.
• Title in Report — Designate a title to appear in the report.
• Order — The higher the value, the higher the field will appear in the report. Any number can be chosen to position the fields as needed.
• Page Break — Choose between no, before, after, and both, to configure page breaks. This option only applies to PDF and PS format reports.
• Limit — Set a limit for the number of items in a field. For example, enter "10" in the top viruses field to create a "Top Ten Virus List".


Field Descriptions

The following table describes the fields that appear in the report. Brief descriptions of each field can be included in the report by configuring it in the general report parameters.

TABLE 1. Reporting Field Descriptions

• System name — The system host name, such as ePrism.example.com.
• Date time — Date and time of report generation.
• Version — ePrism software revision.
• Timespan — Period covered by the report.
• Uptime — How long the ePrism system has been running since the last reboot.
• Filter summary — A summary of the filters applied to this report.
• Head comment — Freeform comment that you may enter.
• Traffic blocking — A table showing the number of messages caught by each method over the preceding hour, day, week, month, and report timespan.
• Blocking pie chart — A pie chart of the same data as the right-hand column of Traffic Blocking (timespan).
• Total traffic received — Graphs of the number of messages received per hour over the reporting period (timespan).
• Total traffic sent — Graphs of the number of messages sent per hour over the reporting period (timespan).
• Total received message size — Total message size of incoming messages per hour.
• Total sent out message size — Total message size of outgoing messages per hour.
• Trust traffic — A table showing the number of messages classified as "trusted" and "untrusted" and their disposition over the reporting period.
• Processing time — The average time a message waits between initial handshake and disposition, including DNSBL/Bulk Analysis lookups if any. Messages that are deferred are not included.
• Spam metrics — Graph of the number of messages per Token Analysis assigned spam metric (0 - 100).
• Top virus — List of the top viruses found.
• Recent virus list — List of the most recent viruses found.
• Top PBMFs — List of the top pattern based message filters.
• Top forbidden attachments — List of the top forbidden attachments caught by attachment control.
• Recent forbidden attachments — List of the most recent forbidden attachments caught by attachment control.
• Top compliancy — List of the most common detected compliancy violations.
• Top word match — List of spam word and OCF word matches.
• Spam Summary — Lists the number of messages classified as certainly spam, probably spam, and maybe spam.
• Anti-Spam Intercept Breakdown — Spam messages listed by Intercept component.
• Disk usage — Shows disk usage by partition.
• Disk load — Graph of average disk load (MB/s) over the reporting period.
• CPU load — Graph of average CPU load (number of waiting processes) over the reporting period.
• NIC load — Graph of the load (Bytes/hour) on each active network interface over the reporting period.
• Swap usage — Swap file usage.
• Paging — Paging usage.
• Top mailbox sizes — Lists the top users based on the size of their mailboxes in MB.
• ePrism Mail Client — The number of ePrism Mail Client logins and failed attempts per hour. This does not include "admin" logins.
• POP — Graph showing the number of POP logins and login failures per hour over the reporting period.
• IMAP — Graph showing the number of IMAP logins and login failures per hour over the reporting period.
• Active mail queue — Graph showing the number of queued messages (as sampled every 5 minutes) over the reporting period.
• Deferred mail queue — Graph showing the maximum number of messages (as sampled every 5 minutes) in the deferred queue over the reporting period.
• Top senders — The top senders (judged by envelope from, not header from) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those senders which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
• Top sending hosts — The top sending host names (in FQDN format) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those sender FQDNs which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
• Top recipients — The top recipients during the report timespan, sorted by number of messages. The sum of the message sizes is also listed. If the title contains one or more comma characters, the list will be restricted to those recipients which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
• Bulk Analysis Servers — Graph showing the average round trip, in seconds, to the preferred Bulk Analysis server over the reporting period.
• DNSBL Servers — Graph showing the round trip, in seconds, to the DNSBL servers over the reporting period. The value is averaged over all enabled DNSBL servers.
• Policy summary — A summary of policy actions over certain time periods.
• Recipient traffic blocking — Traffic blocked by recipients due to policies and their actions.
• Connection summary — Lists the number of connections refused based on features such as IP reputation, Threat Prevention, DNSBL, and BSN.
• End comment — Comment text.
• Extra comment — Extra comment text.

Language Support

Any text field in the report configuration can use Western (ISO-8859-1) text. For extended characters (such as accented letters), configure your browser for Western (ISO-8859-1) and set the character set encoding in Basic Config ➝ Web Server. You can then use your language-specific keyboard or copy and paste ISO-8859-1 text into the report configuration fields.

Creating Report Filters

You can create custom filters to apply when generating reports. When a filter is selected in the report configuration editor, the applicable report fields are restricted to those values that include any string in the supplied list. You can filter by mail domain, user groups, and specific hosts. Filters for specific viruses, encryption, and attachment types can also be created.

Field values can be separated by a space or by starting a new line. Leave a field blank for no filtering. Wildcard characters can be used for domains and e-mail addresses, such as:

*@example.com
joe@*.example.com
fred@*example*


Select Status/Reporting ➝ Reporting ➝ Report Filters to create and edit report filters.

You can filter on the following fields:

• Sender domain or e-mail address
• Recipient domain or e-mail address
• Sending host name or IP
• Encryption from Sender
• Encryption to Recipient
• Sender groups
• Recipient groups
• Virus
• Forbidden Attachment

Note: When a filter is created, it will appear in a dropdown list in the report configuration settings. Select the filter to apply it to the report.
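How the two restriction mechanisms described above combine, the wildcard values of a report filter and the comma-separated strings in a "Top senders" title, is shown in the following added example. It is not ePrism code; it assumes case-insensitive matching, that "*" is the only wildcard, that whitespace around each title string is trimmed, and it runs over constructed mail-history rows.

```python
import re
from collections import Counter


def wildcard_to_regex(pattern):
    """Compile one filter value: '*' matches any run of characters, everything else
    is literal. Case-insensitive comparison is an assumption (addresses and host
    names are conventionally compared that way)."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def parse_filter_field(text):
    """A filter field lists values separated by spaces or newlines; blank means no filtering."""
    return [wildcard_to_regex(value) for value in text.split()]


class ReportFilter:
    """Subset of a report filter: the sender, recipient and sending host fields."""

    def __init__(self, sender="", recipient="", sending_host=""):
        fields = (("sender", sender), ("recipient", recipient), ("sending_host", sending_host))
        self.rules = {name: parse_filter_field(text) for name, text in fields if text.strip()}

    def matches(self, record):
        """A record passes when every non-blank field has at least one matching value."""
        return all(any(rx.match(record[name]) for rx in rxs)
                   for name, rxs in self.rules.items())


def title_restrictions(title):
    """For the Top senders / sending hosts / recipients fields: the strings after the
    first comma in the title restrict the list to entries containing any of them.
    Trimming the spaces around each string is an assumption."""
    if "," not in title:
        return []
    return [s.strip() for s in title.split(",")[1:] if s.strip()]


def top_senders(records, title="Top senders", limit=10, report_filter=None):
    """Rank envelope senders (not header From) by message count, honouring the
    report filter, the title restriction and the Limit parameter."""
    restrict = [s.lower() for s in title_restrictions(title)]
    counts = Counter()
    for rec in records:
        if report_filter is not None and not report_filter.matches(rec):
            continue
        sender = rec["sender"]
        if restrict and not any(s in sender.lower() for s in restrict):
            continue
        counts[sender] += 1
    return counts.most_common(limit)


def sample_records():
    """Constructed mail-history rows (not real traffic): sender, recipient, sending host."""
    def rows(n, sender, host):
        return [{"sender": sender, "recipient": "sales@corp.example", "sending_host": host}] * n
    return (rows(3, "alice@example.com", "mx1.example.com")
            + rows(2, "joe@mail.example.com", "mail.example.com")
            + rows(4, "bob@other.org", "smtp.other.org")
            + rows(1, "fred@partner.net", "relay.partner.net"))


if __name__ == "__main__":
    print(top_senders(sample_records(), "Top senders", 2))
    print(top_senders(sample_records(), "Top senders, example.com", 2))
    print(top_senders(sample_records(), report_filter=ReportFilter(sending_host="*.example.com")))
```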


Viewing the Mail History Database

Every message that passes through ePrism generates a database entry that records information about how it was processed, including a detailed journal identifying the results of the mail processing.

Select Status/Reporting ➝ Reporting ➝ Mail History to view the e-mail database.

Columns

• QueueID — Identifies the message in the database.
• Time Received — Time when the message was received by ePrism.
• Subject — Contents of the message subject header field.
• Prior — If a message is forwarded because of alias expansion, bounced, vacation notification, and so on, a new message in the queue will be created. The QueueID number in the Prior column links to the original message.
• Journal — Shows how the message was processed, including its disposition.
• Auth — Shows SMTP authentication information, if enabled.

Search

Search for specific message details using the following search fields:

• Search — Select the specific part of the message you want to search on, such as "sender" or "subject".

• For — Enter a search string. Use a blank field to match any string.


Advanced Search

Select the Advanced button to perform an advanced search of the e-mail database.

• Search — Select the specific part of the message you want to search on, such as "sender" or "subject". Use the "and" fields to select an additional message part and search string.

• Date — You can select a time frame to search for received, disposed, or deferred mail.
• Status — Select a message status to search for, such as "malformed" or "virus".
• Hosts — In a clustered system, you can specify a specific host to perform the search on.
• Max — Enter the maximum number of results (up to 10,000) returned in the search.
• Regex — Select this option to define a search using a regular expression.

After performing a search, you can enter more criteria and use the Refine button to search only within the previous results.

Displaying Message Details

Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any, are listed in the Message Disposition section.


Viewing the System History Database

Select Status/Reporting ➝ Reporting ➝ System History to view the system database. The system database is a record of system events, such as login failures and disk space usage.

Search

Enter any text to search for an event. You can specify the type of message to narrow the search. Leave the text area blank to list by event type.

Columns

• Event# — Identifies the event in the database.
• End Time — Time when the event is complete.
• Type — The type of event.
• Device, User — The device or user in the event.
• Text — Associated text for the event.
• #1, #2, #3 — Parameters of the event. These are specific to each event type.

Event Types

The following table describes the event types that can appear in the system database.

TABLE 2. System Database Event Types

Each entry gives the event type, its abbreviation as shown in the Type column, a description, and the parameters recorded for the event, if any.

• Admin Actions (adm) — Shows administrative functions that have been performed.
• AV Updates (avup) — The time of the last update, its success or failure, and the name of the new pattern file.
• CPU Load (cpuld) — The load average for the past 1, 5, and 15 minutes. Parameters: number of processes waiting for CPU. A very busy system may have 50 or more.
• DCC Preferred (dccpref) — The round trip time to the preferred Bulk Analysis server. Parameters: name of the preferred server.
• Disk I/O (diskio) — MB per second transferred, KB per transfer, and transfers per second for a disk.
• Disk Usage (du) — Amount of used and total available disk space for each disk slice.
• IMAP I/O (impio) — Shows each IMAP-based transfer of e-mail messages.
• IMAP Logins (implin) — Shows each successful IMAP authentication. If the connection used SSL, the string "ssl" follows in a separate column. Note: IMAP transfers smaller than 50 bytes are not recorded. Parameters: UserID and IP address.
• IMAP Failures (impfail) — Shows the number of IMAP login failures. Parameters: UserID and IP address.
• Logins (login) — A single web-based login. Parameters: UserID and IP address.
• Logouts (logout) — A single web-based logout (not including timed-out sessions). Parameters: UserID and IP address.
• Login failures (lifail) — A login failure. Parameters: UserID and IP address.
• Network I/O (nic) — Amount of data in and out of the network card.
• Paging (page) — Shows the swap paging activity (pages in/out) over 5 seconds.
• POP I/O (popio) — Shows each POP-based transfer of e-mail messages. Parameters: number of e-mails and bytes transferred in the POP session.
• POP Logins (poplin) — Shows each successful POP authentication. If the connection used SSL, the string "ssl" follows the IP address. Parameters: UserID and IP address.
• POP Failures (popfail) — Shows each POP authentication failure. If the connection used SSL, the string "ssl" follows the IP address. Parameters: UserID and IP address.
• Queue Sizes (que) — Number of messages in the active and deferred queues. Parameters: active queue size in bytes, deferred queue size in bytes.
• DNSBL Response (rbldns) — Average round trip time to the DNSBL server, with minimum and maximum values. Parameters: DNSBL server.
• Swap usage (swap) — Shows the swap usage and the total swap space available. Parameters: used and available swap space in megabytes.


Report Configuration

Select Status/Reporting ➝ Reporting ➝ Configure to configure the maximum time e-mail summaries, system event summaries, and reports are kept on the system, including the maximum number that are retained.

E-mail summaries, system events, and reports are included in backups. Each e-mail summary is about 1,000 bytes in size. For performance reasons, such as backup/restores and searches, it is recommended to set the e-mail message limits no longer than is required, such as 250,000 messages for an M1000, 500,000 messages for an M3000 and so on.

The e-mail message history is trimmed to the expiry date and number limit, whichever is smaller. System events occupy less than 2 MB per day, and a setting of 3 months is reasonable.

The system purges old data every day after 12:00am, and also within a few minutes of saving the settings in this menu. The data is rolled out depending on the date/time and number constraints, whichever is less.

Note: Reports will not be generated while the data is being purged.


Disabling Reporting

The reporting database is populated with information that is obtained by interpreting the system log files. You have the option of disabling reporting which results in no new information being saved in the reporting database. Note that all log files are still saved but the reporting engine will not analyze and interpret them for reports.

Disabling reporting is not recommended, and should only be used if the system is extremely overloaded, or if you are testing performance levels.

Click the Advanced button on the Status/Reporting ➝ Reporting ➝ Configure screen to reveal an option for disabling the reporting function.

Note: Software upgrades or system restores will re-enable reporting, if disabled.

SQL Logging

For long term storage, you can save all reporting database changes and download the data in SQL format. Click the Enable SQL logging button to start a SQL log.

This log can be accessed via Status/Reporting ➝ System Logs ➝ Reporting SQL, where it can be examined and downloaded, and then imported into a SQL database.


CHAPTER 14 System Management

This chapter describes the tools used to administer the ePrism Email Security Appliance and contains the following topics:

• “System Status and Utilities” on page 268
• “Mail Queue Management” on page 271
• “Quarantine Management” on page 272
• “License Management” on page 274
• “Software Updates” on page 276
• “Security Connection” on page 277
• “Reboot and Shutdown” on page 278
• “Backup and Restore” on page 279
• “Centralized Management” on page 288
• “Problem Reporting” on page 293


System Status and Utilities

The Status/Reporting ➝ Status & Utility screen provides the following information:

• A snapshot of the system status, including information on uptime, load average, amount of swap space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus pattern file status.

• Controls to start and stop the mail systems and flush the mail queues.
• Diagnostic tools such as a Hostname Lookup function, SMTP Probe, Ping, and Traceroute utilities that are useful for resolving mail and networking problems.
• System hardware configuration information.

System Status

From the System Status screen, you can view a number of system statistics such as the total system Uptime, load average, the amount of used swap and disk partition space, RAID status, NTP server status, and Anti-Virus pattern update status.


Utility Functions

The Utility Functions allow you to control the following system services:

• Stop/Start Mail Services — You can stop or start all mail services by clicking on the Stop/Start Mail System Control option.

• Disable/Enable Sending and Receiving — Alternately, you can also enable or disable only the Receiving or Sending of mail by clicking the appropriate button. This is useful if you only want to stop the processing of mail in one direction. For example, you may want to turn off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to receive incoming mail.

• Flush Mail Queue — The Flush button is used to reprocess any queued mail in the system. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems, and reprocessing the mail queue will only add additional load to the system.

Diagnostics

The Diagnostics section contains networking and SMTP utilities to help troubleshoot network and mail delivery issues.

See “Network and Mail Diagnostics” on page 318 for more detailed information on using these diagnostic tools for troubleshooting.

• Hostname Lookup — Allows you to verify host name resolution by looking up a host on a DNS name server.

• SMTP Probe — Allows you to send a test e-mail to a remote SMTP server.
• Ping — Ensures network connectivity via ICMP ping.
• Traceroute — Ensures routing connectivity by tracing the routes of network data from source to destination server.


Current Admin and WebMail Users

The Current Admin and WebMail Users section allows you to see who is logged in via the web admin interface or through an ePrism Mail Client session.

Note: If you are using Clustering, an admin login may show up several times on the list because of additional RPC calls related to clustering communications. In these cases you will see the Remote IP address as the other ePrism systems.

Configuration Information

The Configuration Information section shows you important system information such as the current version of the system software, the time it was installed, and licensing and hardware information.


Mail Queue Management

The Status/Reporting ➝ Mail Queue screen contains information on mail waiting to be delivered. You can search for a specific mail message using the search function. Messages that appear to be undeliverable can be removed by selecting them and then clicking the Remove link.

Any mail messages in the mail queue can be processed out of the queue by clicking the Flush Mail Queue button. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems and reprocessing the mail queue will only add additional load to the system.

Note: The Remove All button is used specifically with the search function. You must enter a search pattern to use with this button. To delete all mail messages in the queue, enter "@" in the search field, and then click Remove All.

Display Options

The following options can be appended to the URL of the Mail Queue screen:

• ?limit=n — Sets the total number of items that will be listed to the specified number. The default is 2000.

• ?ipp=n — Sets the number of items per page.
• ?order=asc — Sorts items by oldest date first to the most recent.

Note: If the query URL already contains a "?" argument, you must use the "&" instead to add options to the query.

To set the total number of items to be displayed to 100, use the following URL:

https://eprism.example.com/ADMIN/mailqueue.spl?limit=100

Use the "&" symbol instead if an "?" option already exists:

https://eprism.example.com/ADMIN/mailqueue.spl?action=submit&limit=100


Quarantine Management

Select Status/Reporting ➝ Quarantine to manage the Quarantine folder. This folder contains messages that have been blocked because of a virus, malformed message, or an illegal attachment. You can view the details of a message by clicking on its ID number, or delete the message from quarantine by clicking the Delete button.

Quarantined messages can also be released from the quarantine and delivered to their original destination by clicking the Release button.

Use the search field to look for specific messages within the quarantine. For example, you could search for the name of a specific virus so that any quarantined messages infected with that specific virus will be displayed.

Note: The Delete All and Release All buttons are used specifically with the search function. You must enter a specific search pattern before using these controls. It is recommended that you use the Expiry Options button to clear the quarantine area of all messages beyond a certain date.

Display Options

The following options can be appended to the URL of the Quarantined Mail screen:

• ?limit=n — Sets the total number of items that will be listed to the specified number. The default is 2000.

• ?ipp=n — Sets the number of items per page.
• ?order=asc — Sorts items by oldest date first to the most recent.

Note: If the query URL already contains a "?" argument, you must use the "&" instead to add options to the query.

To set the total number of items to be displayed to 100, use the following URL:

https://eprism.example.com/ADMIN/quarantine.spl?limit=100


Use the "&" symbol instead if an "?" option already exists:

https://eprism.example.com/ADMIN/quarantine.spl?action=submit&limit=100
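The "?" versus "&" rule for the Mail Queue and Quarantined Mail screens is easy to get wrong when URLs are built by hand or in a script. The following added helper (not ePrism code) accepts only the three documented options and lets the standard library decide which separator to use; it also replaces an option that is already in the URL instead of duplicating it, which is an assumption about how the screen would treat repeated parameters.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def validate_option(name, value):
    """Only the options the guide documents: limit=n and ipp=n (positive
    integers) and order=asc."""
    if name in ("limit", "ipp"):
        return isinstance(value, int) and not isinstance(value, bool) and value > 0
    if name == "order":
        return value == "asc"
    return False


def with_display_options(url, **options):
    """Append display options to a mailqueue.spl or quarantine.spl URL.

    '?' is used when the URL has no query string yet and '&' when it already
    has one (for example after ?action=submit).  An option already present in
    the URL is replaced rather than repeated.
    """
    bad = [name for name, value in options.items() if not validate_option(name, value)]
    if bad:
        raise ValueError("unsupported display option(s): " + ", ".join(bad))
    parts = urlsplit(url)
    # Keep the existing parameters that we are not overriding, in their original order.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in options]
    query.extend((k, str(v)) for k, v in options.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    base = "https://eprism.example.com/ADMIN/mailqueue.spl"
    print(with_display_options(base, limit=100))                     # ...?limit=100
    print(with_display_options(base + "?action=submit", limit=100))  # ...&limit=100
```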

Set Quarantine Expiry

Click the Set Expiry button to configure the expiry settings. An expiry term can be set so that quarantined messages will be deleted after a certain period of time. You can use this feature to flush all messages from the quarantine area on a regular basis.

• Expire automatically — Enable this feature to expire messages automatically.
• Days — Enter how many days to keep a quarantined message before deleting it.
• Disk usage (percentage) — Enter a percentage of disk usage that can be used by the quarantine area. If the quarantine area grows beyond this size, messages will be expired.

Note: The disk partition used by the quarantine is the /var partition.

Click Update to enable the settings for new quarantined messages. Click Update and Expire Now to apply the settings to all messages in the quarantine area.

To delete all messages in the quarantine, set the Days value to "0", and then click Update and Expire Now.

License Management

The ePrism Email Security Appliance initially starts in evaluation mode which can be used for 30 days. After that time, ePrism stops accepting new mail. Incoming mail will receive an SMTP failure message explaining that no mail is being accepted because the evaluation period has elapsed. Existing mail in the queue will still be delivered, and mail in mailboxes will still be accessible to POP3/IMAP and ePrism Mail Client users.

License ePrism automatically as follows:

1. Ensure that the system can access the Internet so it can connect to the St. Bernard License server.

2. Select Management ➝ License Management on the menu.

3. Click the Obtain Activation Key button. A new web browser window will open up and display the St. Bernard licensing activation screen.

4. Enter the System ID as listed on the License Management screen.

5. Enter the license serial number from the License Pack. (This is not the hardware serial number of the system.)

6. Enter the hardware serial number which is located on the ePrism system hardware.

7. Click Submit to obtain an Activation key.

To activate licenses:

1. On ePrism, select Management ➝ License Management on the menu.

2. Click the Manual Activation button.

3. Enter the Serial Number and Activation Key, and then click Next to activate the license.

Optional Product Licenses

The following products must be licensed separately. If these options are enabled, they will run in evaluation mode for 30 days. Use the same licensing procedure described previously to add these optional licenses.

• Kaspersky Anti-Virus

• HALO Stateful Failover Option

• Advanced Content Scanning

Software Updates

It is important to keep your ePrism software updated with the latest patches and upgrades. A key aspect of good security is responding quickly to new attacks and exposures by updating the system software when updates are available.

Updates are supplied in special files provided by St. Bernard. These updates can be delivered or retrieved using a variety of methods, including e-mail, FTP, or from St. Bernard’s support servers. The Security Connection, if enabled, will download any patches automatically. Security Connection is discussed in more detail in the next section.

Note: St. Bernard recommends that you backup the current system before performing an update. See “Backup and Restore” on page 279 for detailed information on the backup and restore procedure.

Select Management ➝ Software Updates on the menu to load and apply software updates.

The Software Updates screen shows Available Updates (loaded onto ePrism, but not applied) and Installed Updates (applied and active). You can install an available update, or uninstall a previously installed update.

When these software update files are downloaded to your local system, they can be installed by clicking Browse, navigating to the downloaded file, and then clicking Upload.

After applying any updates, you must restart the system.

Security Connection

The Security Connection is a service running on ePrism that polls St. Bernard’s support servers for new updates, security alerts, and other important information. When new information and updates are received, an e-mail notification can be sent to the administrator. It is recommended that you enable this service.

Note: For security purposes, all Security Connection files are encrypted and contain an MD5-based digital signature which is verified after decrypting the file.

• Enabled — Select to enable Security Connection.

• Frequency — Specify how often to run the Security Connection service. Choices are daily, weekly, and monthly.

• Auto Download — Enable this option to allow software updates to be downloaded automatically. The updates will not be automatically installed. They must be installed via Management ➝ Software Updates.

• Display Alerts — Enable this option to display any alert messages on the system console.

• Send Email — Enable this option to send an e-mail notification to the address specified below.

• Notification Mail Address — Specify an e-mail address to receive messages from Security Connection.

• Support Contract — You must enter a valid Support Contract number. This information is supplied with your license key at the time of purchase.

Click Update to save your Security Connection configuration.

Click the Connect Now button to run Security Connection immediately.

Reboot and Shutdown

The ePrism Email Security Appliance can be safely rebooted or shut down from this menu. Before shutting down, remove any media from the floppy and CD-ROM drives.

Click Reboot now to shut down the system and reboot.

Click Shutdown now to shut down the system completely.

See “Restoring ePrism to Factory Default Settings” on page 329 for detailed information on restarting ePrism and restoring it to factory default settings.

Backup and Restore

ePrism can backup all data, including the database, quarantined items, mail queues, user mail directories, uploaded user lists, SSL certificates, reports, and system configuration data.

The ePrism Email Security Appliance supports three backup methods:

• Local tape drive (if available)

• FTP server

• Local disk (using browser download to a workstation)

The restore feature can restore any backup items individually. The ePrism system should be backed up before performing any type of software upgrade or update.

Note: Restoring a clustered system requires a different procedure than outlined in the next section. See the Cluster Management section starting on page 197 for more information on backing up and restoring clustered systems.

Restore Considerations

The backup and restore function is primarily intended for product recovery after a re-installation or upgrade, and it is strongly recommended that all data be restored during a system recovery rather than individually. As the size of the reporting database can be quite large, you should restore the reporting database separately after the restoration of the basic system.

Note: You must always restore the system data first before restoring the reporting database.

Starting a Backup

You can perform backups on demand, or you can schedule a tape or FTP backup once per day via the Management ➝ Backup & Restore ➝ Daily Backup menu.

Select Management ➝ Backup & Restore on the menu to start a backup.

Select the required type of backup and click the Next >> button.

Local Disk (Direct Backup) Options

The following options are for backing up to the local disk:

• Encrypt backup — Select this option to store the backup file in encrypted form.

• Backup system configuration — Select this option to backup all system configuration data, including mailboxes, Token Analysis data, licenses and keys. This option must be enabled if you need to restore system functionality.

• Backup reporting data — Select this option to include reports, e-mail history, and system event data in the backup.

Note: Backing up reporting data can drastically increase the size of the backup file, resulting in a much longer backup time. Use scheduled FTP backups to prevent your browser from timing out when this type of backup is taking place.

When you have set your options, click Next >> to continue.

Verify that your options are correct, and then click Create backup now to start the backup. The system will prompt you for a location to download the file (backup.gz). The backup file is saved in a gzip compressed archive.

FTP Backup Options

The following options are for backing up to an FTP server:

• Encrypt backup — Select this option to store the backup file in encrypted form.

• Backup system configuration — Select this option to backup all system configuration data, including mailboxes, Token Analysis data, licenses and keys. This option must be enabled if you need to restore system functionality.

• Backup reporting data — Select this option to include reports, e-mail history, and system event data in the backup.

• FTP server — Enter the host name or IP address of the destination FTP server.

• Username — Enter the username for the FTP server.

• Password — Enter the password for the FTP server.

• Directory — Enter the directory on the FTP server for the backup files.

• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.

When you have set your options, click Next >> to continue.

Verify that your options are correct, and then click Create backup now to start the backup. You can also click Create scheduled backup which will take you to the Daily Backup menu to create a scheduled FTP backup.

Daily Scheduled Backup

You can schedule an automatic FTP or tape backup to be performed every day at a specified time.

Select Management ➝ Backup & Restore ➝ Daily Backup on the menu to configure automatic daily backups.

• Tape Backup — Select the check box to enable daily tape backups (if available).

• FTP Backup — Select the check box to enable daily FTP backups. You must configure the FTP backup settings separately using the Management ➝ Backup & Restore screen.

• Start Time — Set the start time for the backup in 24-hour format using the syntax HH:MM, such as 02:00 for 2:00AM.

Caution: Mail History, System Event History, and Reports cannot be backed up if the daily backup runs between 12AM and 12:30AM. This is the time period when the reporting database is processing its rollout information.

FTP Backup Naming Conventions

The naming convention for FTP backups is time stamped as follows:

MX-DATAx.YYMMDDHHMM

Example:

MX-DATA0.0505152245

This indicates that the backup file is from May 15th, 2005 at 10:45PM. When purging old backup files during routine maintenance, ensure that you examine the timestamps before deleting them.
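Because routine purging depends on reading these timestamps correctly, the following Python (an added example, not ePrism code) parses MX-DATAx.YYMMDDHHMM names and selects backups older than a retention window. The purge policy, the assumption that "x" is a numeric index, and the rule of always keeping the newest backup are assumptions made here.

```python
"""Parse ePrism FTP backup file names (MX-DATAx.YYMMDDHHMM) for retention.

Added example, not ePrism code. The manual gives only the naming convention
and the example MX-DATA0.0505152245 (May 15th, 2005 at 10:45PM); treating "x"
as a numeric index and the retention policy below are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# MX-DATA<index>.<YYMMDDHHMM>; two-digit year, 24-hour clock
BACKUP_NAME = re.compile(r"^MX-DATA(?P<index>\d+)\.(?P<stamp>\d{10})$")


class BackupFile(NamedTuple):
    name: str
    index: int
    created: datetime


def parse_backup_name(name: str) -> Optional[BackupFile]:
    """Return a BackupFile for a well-formed name, or None for anything else.

    Names with an impossible timestamp (month 13, hour 25, ...) are also
    rejected so a purge never acts on a file whose age it cannot establish.
    """
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group("stamp"), "%y%m%d%H%M")
    except ValueError:
        return None
    return BackupFile(name, int(m.group("index")), created)


def select_for_purge(names: List[str], now: datetime,
                     keep_days: int, min_keep: int = 1) -> List[str]:
    """Backups older than keep_days, oldest first.

    Unparseable names are never returned, and the newest min_keep backups are
    always retained regardless of age (assumed safety rule, not from the manual).
    """
    parsed = [b for b in map(parse_backup_name, names) if b is not None]
    parsed.sort(key=lambda b: b.created, reverse=True)
    protected = {b.name for b in parsed[:min_keep]}
    cutoff = now - timedelta(days=keep_days)
    stale = [b for b in parsed if b.name not in protected and b.created < cutoff]
    return [b.name for b in sorted(stale, key=lambda b: b.created)]


if __name__ == "__main__":
    # Constructed directory listing, not taken from a real server.
    listing = ["MX-DATA0.0505152245", "MX-DATA0.0506010200",
               "notes.txt", "MX-DATA1.0505300200"]
    print(select_for_purge(listing, datetime(2005, 6, 2), keep_days=7))
```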

Restoring from Backup

Select the required type of restore and click the Next >> button.

Restore from Local Disk Options

Enter the local filename that contains your server’s backup data, or click Browse to select the file from the local drive directory listing. Click Next >> to upload and restore the backup file.

FTP Restore Options

Enter the following information to restore from an FTP server:

• FTP server — Enter the host name or IP address of the FTP server where the backup file is stored.

• Username — Enter the username for the FTP server.

• Password — Enter the password for the FTP server.

• Directory — Enter the directory on the FTP server for the backup files.

• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.

Click Next >> to connect with the FTP server and restore the backup file.

Restore Options

When the backup file has been successfully retrieved, you can choose which aspects of the system you want to restore. When finished selecting the restore items, click Restore Now.

Note: If you are restoring reporting data separately, it must be performed after the restoration of the main system information.

You can view the current status of the restore process in the Status section of the Management ➝ Backup & Restore menu.

When the restore is complete, you should review and edit your network configuration in the Basic Config ➝ Network screen as required, and click Apply to reboot. This ensures that all restored network settings have been applied.

Caution: If you modified the networking information during the system installation process and then performed a restore, your new networking information may be overwritten by the restored data. Ensure that your network settings are correct before updating and rebooting the system.

Backup and Restore Errors

The following table describes the types of errors that can occur when restoring a backup file:

TABLE 1. Backup and Restore Error Codes

Error Code Description

0 No error

1 Form data missing

2 MIME data missing boundary

3 Invalid form data

4 Unsupported encoding method

5 Unsupported header in MIME data

6 File open error

7 Filename not specified

8 Error writing file

9 Data is incomplete

Centralized Management

The Centralized Management feature allows you to administer multiple ePrism Email Security Appliances from a single management console. Centralized Management allows you to perform many routine administrative tasks across all ePrism systems configured in the same management group.

Centralized Management is used to monitor and administer multiple ePrism systems, including the ability to copy configuration items such as mail routes, aliases and mappings, RADIUS and LDAP settings, and so on, to other systems in the management group.

Note: All management group communications are authenticated and transmitted using HTTPS.

You can perform the following functions from the Centralized Management console:

• Start and Stop mail services

• Monitor mail queues

• View statistics of incoming and outgoing mail

• Copy configuration settings to other ePrism systems

• Perform backups

Centralized Management and Clustering

Centralized Management is very different from ePrism’s HALO Clustering features. Centralized Management is intended for managing multiple ePrism systems with different configurations, while Clustering is used to monitor and manage multiple systems with identical configurations for redundancy and load balancing purposes.

See “HALO (High Availability and Load Optimization)” on page 231 for more detailed information on cluster management.

Configuring Centralized Management

Use the following procedure to initialize and configure Centralized Management.

1. Select Basic Config ➝ Network from the menu.

2. Ensure that Admin Login access is enabled for the specific network interface that will be communicating with the management group.

3. Select Management ➝ Centralized Management to configure Centralized Management. The initialization screen will appear indicating that there are no management groups configured.

4. To create a management group, click Configure. You will need to enter the login and password of the admin user.

5. Add new members to the management group by clicking the Members button.

6. Enter the group member’s hostname or IP address, an optional name, and the Admin user’s login and password. Click Add or Update Member. Once added, click the Close button. The group member will now appear in the main management console screen.

Note: If the address of a member server changes, the original entry must be removed before adding a new entry with the new address.

Changing the Centralized Management Console

To change the address of the console you are using, click Edit, enter your new settings, and then click Add or Update Member. You cannot delete the console you are using from the management group.

Using the Management Console

From the Centralized Management Console, you can perform a variety of administrative functions.

Group Commands

The following commands are applied to the entire management group:

• Centralized Management Command — From the drop-down box you can select a specific function to execute across all members of the management group. The options include Refresh, Stop All Queues, Run (Start) All Queues, and Backup.

• Select Auto Refresh — Select the time, in seconds, for automatic refresh of settings and statistics for group members. Select Disable if you do not require Auto Refresh.

Member System Commands

The following commands are only applied to the specified group member:

• Start and Stop Services — You can start and stop services for each management group member. The current status is also displayed.

• Connect — Connect directly to the specified member and open its administration screen.

• Backup — Backup the member server via FTP.

Note: Each group member must have its FTP backup configured individually before this function will work from the console.

• Copy Configuration — Copy the selected settings from the management console to the selected member. Each member can be configured individually to receive only certain settings by selecting the check box of each configuration item.

Click Save to save your selected settings on the management console screen.

Copy Configuration

To copy configuration items from the Centralized Management Console to the group members, select which items to copy, and then click the Copy button. Click Save to save your settings.

The following configuration settings can be replicated:

• Attachment Control — All items, including Attachment Types, are added to the selected group member.

• Mail Aliases — All mail aliases will be added to the selected group member.

• Virtual Mappings — All virtual mappings will be added to the selected group member.

• Mail Mapping — All mail mappings will be added to the selected group member.

• Mail Routing — All mail routes will be added to the selected group member.

• Mail Access/Filtering — Message size and patterns settings will be added to the selected group member.

• Relocated Users — The list of relocated users on a group member will be replaced by those from the management console.

• Pattern Based Filtering — All anti-spam Pattern Based Filtering settings except the default settings will be added to the selected group member.

• RADIUS/LDAP — All RADIUS and LDAP configuration settings will be added to the selected group member.

Note: The mail queue will be temporarily stopped during the replication process.

Problem Reporting

Problem reporting allows you to send important configuration and logging information to St. Bernard Technical Support for help with troubleshooting system issues. This feature should be used in conjunction with an existing support request with technical support.

Select Status/Reporting ➝ Problem Reporting to configure your troubleshooting configuration information.

• Send To — Enter an e-mail address to send the reports. The default is St. Bernard Technical Support, but you can also put in your own e-mail address so that you can view them before sending them to St. Bernard.

• Mail Log — Sends the latest daily mail server log.

• Mail Configuration — Sends your current mail configuration file.

• Mail Queue Stats — Sends a snapshot of the latest current mail queue statistics.

• System Messages — Sends the latest daily system message log.

• System Configuration — Sends an XML version of the system configuration.

Click Apply to save the information in the form, and click Send Now to send the information to the configured e-mail address.


CHAPTER 15 Monitoring System Activity

This chapter describes how to monitor ePrism’s system activity and message processing, and contains the following topics:

• “Activity Screen” on page 296

• “System Log Files” on page 298

• “Offloading Log Files” on page 301

• “SNMP (Simple Network Management Protocol)” on page 303

• “Alarms” on page 306

Activity Screen

The Activity screen provides a variety of system information and utilities all on one screen, including:

• Mail service stop and start

• Mail queue statistics

• Queue Activity

• System uptime and CPU load

• Message status and final actions

The following describes the queue statistics columns:

• Arrived — The total number of messages processed by ePrism (messages accepted). These include messages that were spam, viruses, attachment control, and so on.

• Sent — The total number of messages sent by ePrism, including mailer daemon mail, quarantine notifications, mail delivery delay notifications, local mail, alarms, reports, and so on. If a message has multiple recipients, each delivered recipient will be added to the total.

• Spam — The total number of messages considered spam by the Intercept engine.

• Reject — The total number of messages rejected because of client hostname/address restrictions, SAP rejects, DNSBLs, and PBMFs with reject action.

• Virus — The total number of messages that contained a virus.

• Clean — The total number of messages that were accepted for delivery inbound and outbound by ePrism and passed all security and spam filters.

Show Recipients/Senders

Click the Show Recipients button to show all recipients for a message if there are multiple recipients. If there is only one recipient for a message, the message will display the same way in Show Senders and Show Recipients view.

If there are multiple recipients for a message, the Show Senders view will display a "+" sign in front of the message. Use this button to expand the message to see all the recipients. This is useful for seeing the actions and dispositions of a message for each recipient if they belong to different scanning policies.

Cluster Activity

In a clustered system, an additional Cluster Activity screen is displayed that shows the combined activity for all clustered systems.

System Log Files

Select Status/Reporting ➝ System Logs on the menu to access the system log files.

Click View in the Current Log column to view the most recent log file.

Click View in the Time Index column to see a list of all log files available on the system in chronological order including the current log file, old log files (rolled out) and archived (zipped).

The Mail Transport log is the most important log to monitor because it contains a record of all mail processed by ePrism. See “Examining Log Files” on page 312 for more information on interpreting the mail transport logs.

Other logs include:

• Authentication — Contains messages from POP, IMAP, and WebMail logins.

• HTTP Access — A log of access to the web server.

• HTTPS Access — A log of SSL web server access.

• HTTP Errors — Contains error messages from the web server.

• HTTPS Engine — Contains messages for the web server encryption engine.

• Messages — Contains system messages, including file uploads.

• Kernel — A log of kernel generated messages.

Note: It is possible that you may receive errors in the kernel logs regarding partition slices. If your system is installed with a manufacturer’s diagnostics partition, this is the cause of the error and does not indicate a critical condition.

• Reporting SQL (when enabled) — This option only appears when SQL logging is enabled in Status/Reporting ➝ Reporting ➝ Configure. The logs can be downloaded in SQL format from this screen.

Viewing and Searching Log Files

Search for a particular search string by entering a value in the Search field and then clicking the arrow button.

The following features can be used to help refine log searches:

• For logical "and" and "or" searches, use the keywords "and", "or", and "not".

• Use \and or \or to search for the actual words such as "and" and "or".

• Use a preceding / to search using Unix-style regular expressions.
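The following Python is an added example (not ePrism code) that evaluates this search syntax over a few constructed log lines, which is useful for reproducing a search offline against a downloaded log. The manual describes the syntax only informally, so the exact grammar used here (not binds tighter than and, which binds tighter than or; adjacent terms are implicitly and-ed; plain terms are case-insensitive substring matches) is an assumption.

```python
"""Evaluate ePrism-style log search expressions over log lines.

Added example, not ePrism code. The manual describes the syntax informally;
the precise grammar below is an assumption:
  - terms are separated by whitespace; "and", "or", "not" are operators
    (precedence: not > and > or; adjacent terms are implicitly and-ed)
  - a term written \\and or \\or matches the literal word instead
  - a term beginning with / is a Unix-style regular expression
  - plain terms are case-insensitive substring matches
"""
import re
from typing import Callable, List

Matcher = Callable[[str], bool]
OPERATORS = {"and", "or", "not"}

# Constructed syslog-style sample lines; not real ePrism mail transport output.
SAMPLE_LOG = [
    "Feb  1 10:01:12 eprism mail: connect from mail.example.net[192.0.2.10]",
    "Feb  1 10:01:13 eprism mail: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 blocked using dnsbl.example",
    "Feb  1 10:02:40 eprism mail: 4F2A1C3: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)",
    "Feb  1 10:02:41 eprism mail: 4F2A1C3: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, status=sent (250 OK)",
    "Feb  1 10:03:05 eprism mail: 4F2A1C4: to=<carol@example.org>, status=deferred (connection timed out)",
    "Feb  1 10:04:00 eprism intercept: scan and quarantine 4F2A1C5 verdict=spam score=91",
]


def _term_matcher(term: str) -> Matcher:
    """Build the predicate for a single search term."""
    if term.startswith("\\") and term[1:].lower() in OPERATORS:
        literal = term[1:].lower()          # \and -> look for the word "and"
        return lambda line: literal in line.lower()
    if term.startswith("/") and len(term) > 1:
        pattern = re.compile(term[1:], re.IGNORECASE)   # /regex
        return lambda line: pattern.search(line) is not None
    needle = term.lower()
    return lambda line: needle in line.lower()


def _and(a: Matcher, b: Matcher) -> Matcher:
    return lambda line: a(line) and b(line)


def _or(a: Matcher, b: Matcher) -> Matcher:
    return lambda line: a(line) or b(line)


def _not(a: Matcher) -> Matcher:
    return lambda line: not a(line)


def compile_search(query: str) -> Matcher:
    """Parse a query into a predicate with a small recursive-descent parser.

    Grammar:  expr     := and_expr ("or" and_expr)*
              and_expr := not_expr (["and"] not_expr)*
              not_expr := "not" not_expr | term
    """
    tokens = query.split()
    if not tokens:
        raise ValueError("empty search expression")
    pos = 0

    def peek() -> str:
        return tokens[pos].lower() if pos < len(tokens) else ""

    def parse_or() -> Matcher:
        nonlocal pos
        left = parse_and()
        while peek() == "or":
            pos += 1
            left = _or(left, parse_and())
        return left

    def parse_and() -> Matcher:
        nonlocal pos
        left = parse_not()
        while pos < len(tokens) and peek() != "or":
            if peek() == "and":
                pos += 1            # explicit "and"; adjacency is implicit "and"
            left = _and(left, parse_not())
        return left

    def parse_not() -> Matcher:
        nonlocal pos
        if peek() == "not":
            pos += 1
            return _not(parse_not())
        if pos >= len(tokens) or peek() in OPERATORS:
            raise ValueError(f"operator without operand near token {pos}")
        term = tokens[pos]
        pos += 1
        return _term_matcher(term)

    matcher = parse_or()
    if pos != len(tokens):
        raise ValueError("unparsed trailing tokens")
    return matcher


def search_log(lines: List[str], query: str) -> List[str]:
    """Return the lines matching the query, in their original order."""
    matches = compile_search(query)
    return [line for line in lines if matches(line)]


if __name__ == "__main__":
    for q in ("status=sent or status=deferred", "example.org not deferred",
              "/4F2A1C[34]", "\\and"):
        print(q, "->", len(search_log(SAMPLE_LOG, q)), "line(s)")
```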

You can also download the log to a text file by using the Download button. You can then import this file into a log analysis application for offline processing.

Advanced Search

Click the Advanced Search link to perform advanced searches for all the log files for a specific log type.

• Logs to Search — Select the log to perform the advanced search in.

• Search Archived — Select the check box to search all current and archived log files.

• Search All Dates — Select the check box to search the entire time span. The Date/Time fields below will be greyed out if this option is selected.

• Date/Time from — Enter a beginning date and time to search from.

• Date/Time to — Enter the end date and time to search to.

• Pattern — Enter a pattern to search for in the logs.

Click the Search button when you are ready to begin the advanced log search.

Configuring a Syslog Host

All of ePrism’s log files can be forwarded to a syslog server which is a host that collects and stores log files from many sources.

The syslog files can then be analyzed by a separate logging and reporting program.

You can define a syslog host in the Basic Config ➝ Network screen.

Offloading Log Files

In environments with large mail throughput requirements, ePrism’s log files, such as mail transport log information, may grow very quickly. When a certain amount of log files have been generated, ePrism can automatically compress older files to save disk space.

For backup purposes and offline reporting, ePrism can copy log and reporting files to another system at regular intervals using FTP or SCP file copy utilities. This allows administrators to backup the log files to a separate host for analysis and storage. When enabled, the offload will occur each time a log file is rolled over and for the time period specified in the offload date and time.

Note: The Offload (Reporting) section is used for organizations requiring a separate reporting server where logs will be forwarded to for reporting purposes.

Select Status/Reporting ➝ Server Logs ➝ Rollout & Offload on the menu to configure your rollout and offload settings.

Rollout (Keep Uncompressed)

Configure the number of local uncompressed files to keep on ePrism in the Keep uncompressed field. When log files are rolled over, ePrism will keep this amount of files uncompressed on the hard drive. When this value is reached, the files will then be compressed to save disk space (oldest first). Leave this field blank to leave all log files uncompressed.

Offload (Backup)

• Offload — Select the check box to enable offloading of rollout log files.

• Copy application — Select the program (FTP or SCP) to use for copying rollout files. These applications must be enabled on the destination host.

• Port — TCP port to be used by the copy application. If this field is left blank, default port values will be used.

• Host — Enter the host to copy rollout data to using the specified method.

• Folder — Select a folder to copy the rollout data to.

• Construct Filename — Select an identifier for the file name, such as a sequential number (maillog.1) or a timestamp (maillog.200501010000).

• User — Username to use to log in to the destination host.

• Password — Corresponding password for the specified username.

• Compress — Select the check box to enable gzip compression of the rollout files.

Click the Update button when finished.

Click the Offload now button to begin offloading files immediately.

Click the Offload Again button to reset the information of Offloaded files. This will force an offload of all files (even those offloaded before) again. You must click Offload Now, or wait for the next scheduled offload (when a log file has rolled over, or every hour) to start the offloading process after clicking Offload Again.

SNMP (Simple Network Management Protocol)

Simple Network Management Protocol (SNMP) is the standard protocol for network management. When enabled on ePrism, this feature allows standard SNMP monitoring tools, such as HP Openview, Tivoli, BMC Patrol and CA Unicenter, to connect to the SNMP agent running on ePrism and extract real-time system information.

The information available from the SNMP agent is organized into objects which are described by the MIB (Management Information Base) files. The information available includes disk, memory, and CPU statistics, mail queue information, and statistics on the number of spam or virus-infected e-mails. An SNMP trap can be sent when the system reboots.

See “SNMP MIBS” on page 343 for detailed information on the objects available in ePrism’s MIB files.

The SNMP agent service is installed and running by default, but it must be enabled specifically for each interface in the Basic Config ➝ Network screen. It is strongly advised that the agent only be configured for the internal (trusted) network.

Configuring SNMP

Select Basic Config ➝ SNMP Configuration on the menu to configure SNMP.

• Send Trap on Reboot — Enable the check box to send a trap message to your SNMP trap host whenever the system reboots.

• System Contact — (Required) Enter the e-mail address of the contact person for this system.

• System Location — (Required) Enter the location of the system.

• Read-Only Community — By default, ePrism does not allow read/write access to the SNMP agent. For read access, you must set up a read-only community string on both the agent, and your SNMP management application for authentication. It is recommended that you change the default community string "public" to a more secure value.

Note: The community string is case sensitive.

Permitted Clients

To allow access to ePrism’s SNMP agent, you must specifically add the client system to the list of SNMP Permitted Clients. The clients can be specified using a host name, IP address, or network address (192.168.138.0/24). Typically, you will enter the address of your SNMP management station, such as an HP Openview system. Click Add to add the permitted client.

Trap Hosts

A trap host is an SNMP management station that will be receiving system traps from ePrism. ePrism will send an SNMP trap when the system is rebooted.

Enter a list of hosts that will receive trap messages. The hosts can be specified using a host name or IP address. Click Add to add the trap host.

MIB Files

The SNMP MIB files can be downloaded by clicking the Download MIBs button. These files must be imported into your SNMP management program. The MIB file contains a list of objects representing the information that can be extracted from the system’s SNMP agent.

See “SNMP MIBS” on page 343 for detailed information on the contents of the St. Bernard ePrism Email Security Appliance MIB files.

Alarms

ePrism implements a variety of system alarms to notify the administrator of exceptional system conditions. Alarms are currently generated from the HALO, LDAP, and Backup subsystems. For example, you can receive an alarm notification if the daily FTP backup fails, or if communication is lost with a cluster member. Errors with LDAP user imports will also trigger an alarm.

You can select the type of alarm notifications to receive, such as Critical, Serious, and Warning events.

These notifications can be sent via:

• E-mail
• Console Alert
• Activity Screen Alert

The following example shows an alarm appearing on the Activity screen. You must click Acknowledge to remove the alarm notification.


Configuring Alarms

Select Basic Config ➝ Alarms on the menu to configure your alarms and notifications.

• Send Escalation Mail — Select the types of alarms that will trigger an e-mail to be sent to the Escalation Mail Address specified below.

• Send Alarm Mail — Select the types of alarms that will trigger an e-mail to be sent to the Alarm Mail Address specified below. Note: You must have a valid e-mail specified in the Email Addresses section for the alarm e-mail to be sent.

• Alert to Console — Select the types of alarms that will display an alert on the system console screen.

• Alert to Activity Page — Select the types of alarms that will display an alert on the main activity screen.

• Escalation Mail Address — Enter an e-mail address to send escalation messages to.

• Alarm Mail Address — Enter an e-mail address to send alarm messages to.

Note: It is recommended that you use SNMP for monitoring of system resources such as disk space and memory usage. See “SNMP (Simple Network Management Protocol)” on page 303 for more information.


CHAPTER 16 Troubleshooting Mail Delivery

This chapter describes procedures for troubleshooting mail delivery problems and contains the following topics:

• “Troubleshooting Mail Delivery” on page 310
• “Troubleshooting Tools” on page 311
• “Examining Log Files” on page 312
• “Network and Mail Diagnostics” on page 318
• “Troubleshooting Content Issues” on page 323


Troubleshooting Mail Delivery

When experiencing mail delivery problems, the first step is to determine whether the problem affects only incoming mail, only outgoing mail, or both. For example, if you are receiving mail but not sending outgoing mail, your Internet connection is certainly working, or you would not be receiving mail. In this scenario, the firewall may be blocking your outbound SMTP connections, or some other problem may be preventing mail delivery.

Problems affecting both inbound and outbound delivery include the following scenarios:

• Network infrastructure and Communications — The most common scenario in which you are not receiving or sending mail is if your Internet connection is down. This can include upstream communications with your ISP, your connection to the Internet, or your external router. You should also check your internal network infrastructure to ensure you can contact ePrism from your router or firewall.

• DNS — If your DNS is not working or is configured incorrectly, mail will not be forwarded to your ePrism, or you will not be able to look up external mail sites. Check that the DNS service itself is running, and check your DNS records for any misconfiguration of your mail services. Ensure that your MX records are set up properly to point at the ePrism system.

• Firewall — If you are having issues with your Firewall or if it is misconfigured, it may inadvertently block mail access to and from ePrism. For example, SMTP port 25 must be opened between the Internet and ePrism and internally to allow inbound and outbound mail connections.

• Internal Mail Systems — You may be receiving incoming mail to the ePrism, but mail is not being forwarded to the appropriate internal mail servers. Also, outgoing mail from the internal servers may not be forwarded to ePrism for delivery. In these scenarios, examine your internal mail server to ensure it is working properly. Check communications between the two systems to ensure there are no network, DNS, or routing issues. Also check that your internal servers are configured to send outgoing mail to ePrism.

• External Mail Systems — If you have a large amount of mail to a particular destination, and that mail server is currently down, these messages will queue up in the deferred mail queue to be retried after a period of time. You can view the Mail Transport logs to see the relevant messages that may indicate why you cannot connect to that particular mail server. The server could be down, too busy, or not currently accepting connections.


Troubleshooting Tools

The following sections describe the built-in tools that can be used on the ePrism system to help troubleshoot mail delivery problems.

Monitoring the Activity Screen

On ePrism’s main Activity screen, you can quickly see whether there are any issues with mail delivery.

Examine the following items:

• Check the mail queue activity to view the number of Queued, Deferred, and Total messages in the mail queue. This is a quick indicator of how your mail is processing. Click the Refresh button frequently to ensure that the mail queues are not building up too high.

• In the Mail Received Recently portion of the activity screen, check the timestamps of your most recent incoming and outgoing mail. If no mail has been processed in a certain period of time, this may indicate that the inbound, outbound, or both mail directions are not working.

• Check the statistics for your mail queues. You may notice mail system latency if you are receiving a lot of virus, spam, or message rejects.


Examining Log Files

Examine the system log files in the Status/Reporting ➝ System Logs screen.

The Mail Transport log is the most important, as it provides a detailed description of each message that passes through the system.

The log entries for a single message begin with an smtpd "connect" message and end with the "disconnect" message. To ensure that you are looking at the entries for a specific message, check the message ID (such as 757D197A9L in the previous example) on each log entry to confirm they belong to the same message.

A summary of the actions taken for this message is included in the log, for example:

Note: Only the first recipient is logged in the overall message summary when more than one recipient is found within a message.


Interpreting Text Log Files

Log files can be downloaded as a text file so that you can analyze the logs offline. In the text version of the Mail Transport log, the final message summary appears as a special analysis string. The analysis string is a fixed-width list of action codes written by the logging engine; the log display uses these codes to build the message summary.

For example, the following analysis string is interpreted as described in the table below:

analysis=F000FFF000FFT000F000TFT001000TF--5000000000055F1F-FF00000000F000FFF00000000F5F

The following table describes each character in the analysis string:

TABLE 1. Analysis Code Descriptions

Analysis Code   Description                                      Possible Values
T               Token Analysis scanned? (True)                   T - True, F - False
099             Token Analysis Metric (99)                       3 digit numeric value
F               Bulk Analysis scanned? (False)                   T - True, F - False
F               Bulk Analysis result? (False)                    T - True, F - False
F               DNSBL scanned? (False)                           T - True, F - False
000             Number of DNSBL rejects                          3 digit numeric value
F               n/a                                              n/a
F               n/a                                              n/a
T               Kaspersky AV scanned? (True)                     T - True, F - False
000             Number of viruses                                3 digit numeric value
F               McAfee AV scanned?                               T - True, F - False
000             Viruses detected (0)                             3 digit numeric value
T               Malformed Message scanned? (True)                T - True, F - False
F               Malformed message? (False)                       T - True, F - False
T               Attachment Control scanned? (True)               T - True, F - False
001             Inbound attachments blocked (1)                  3 digit numeric value
000             Outbound attachments blocked (0)                 3 digit numeric value
T               PBMF scanned? (True)                             T - True, F - False
F               PBMF triggered? (False)                          T - True, F - False
-               PBMF action (no match)                           D - Reject, A - Accept, V - Valid, S - Spam, T - Trust, R - Relay, B - BCC, I - Do Not Train, "-" - None
-               PBMF rule type (no match)                        S - System, G - Group, P - Personal, "-" - None
5               PBMF priority (5 - high)                         0 - low, 3 - medium, 5 - high
0000000         PBMF filter number                               7 digit numeric value; the number of the filter in your list of PBMFs
000             PBMF options                                     See Table 2, "PBMF Options Code Description"
5               PBMF "no train" rule rank (5)                    1 digit numeric value
5               PBMF "BCC" rule rank (5)                         1 digit numeric value
F               SPF scanned?                                     T - True, F - False
1               SPF result                                       Pass = 0, None = 1, Fail = 2,3, Error = 4, Neutral = 5, Unknown = 6, Unknown SPF Mechanism = 7
F               Message Affirmation scanned?                     T - True, F - False
-               Message Affirmation result                       Q - Quarantine, d - Discard Mail, L - Just Log, D - Reject, "-" - None
F               OCF scanned                                      T - True, F - False
F               OCF result                                       T - True, F - False
0000            IP Reputation checks performed bitmap (none)     4 digit numeric value; only decodable via the ePrism logs display
0000            IP Reputation checks failed bitmap (none)        4 digit numeric value; only decodable via the ePrism logs display
F               Attachment Content scanned (false)               T - True, F - False
000             Attachment Content Scanning matches (0)          3 digit numeric value
F               Spam Dictionary scanned (false)                  T - True, F - False
F               Spam Dictionary matched (false)                  T - True, F - False
F               BSN scanned (false)                              T - True, F - False
00000000        BSN result bitmap (none)                         8 digit numeric value; only decodable via the ePrism logs display
F               DomainKeys scanned (false)                       T - True, F - False
5               DomainKeys result (permanent error)              0 - Pass, 1 - Neutral, 2 - Fail, 3 - Soft Fail, 4 - Temporary Error, 5 - Permanent Error
F               DomainKeys spam (false)                          T - True, F - False

The following table describes the analysis code for PBMF Options:

TABLE 2. PBMF Options Code Description

Code Description

000 None

001 Do Not Train

002 Notify Admin

003 Notify Admin + Do Not Train

004 Notify Sender

005 Notify Sender + Do Not Train

006 Notify Sender + Notify Admin

007 Notify Sender + Notify Admin + Do Not Train

008 Notify Recipient

009 Notify Recipient + Do Not Train

010 Notify Recipient + Notify Admin

011 Notify Recipient + Notify Admin + Do Not Train

012 Notify Recipient + Notify Sender

013 Notify Recipient + Notify Sender + Do Not Train

014 Notify Recipient + Notify Sender + Notify Admin

015 Notify Recipient + Notify Sender + Notify Admin + Do Not Train

016 BCC

017 BCC + Do Not Train


018 BCC + Notify Admin

019 BCC + Notify Admin + Do Not Train

020 BCC + Notify Sender

021 BCC + Notify Sender + Do Not Train

022 BCC + Notify Sender + Notify Admin

023 BCC + Notify Sender + Notify Admin + Do Not Train

024 BCC + Notify Recipient

025 BCC + Notify Recipient + Do Not Train

026 BCC + Notify Recipient + Notify Admin

027 BCC + Notify Recipient + Notify Admin + Do Not Train

028 BCC + Notify Recipient + Notify Sender

029 BCC + Notify Recipient + Notify Sender + Do Not Train

030 BCC + Notify Recipient + Notify Sender + Notify Admin

031 BCC + Notify Recipient + Notify Sender + Notify Admin + Do Not Train

032 Do Not Quarantine

033 Do Not Quarantine + Do Not Train

034 Do Not Quarantine + Notify Admin

035 Do Not Quarantine + Notify Admin + Do Not Train

036 Do Not Quarantine + Notify Sender

037 Do Not Quarantine + Notify Sender + Do Not Train

038 Do Not Quarantine + Notify Sender + Notify Admin

039 Do Not Quarantine + Notify Sender + Notify Admin + Do Not Train

040 Do Not Quarantine + Notify Recipient

041 Do Not Quarantine + Notify Recipient + Do Not Train

042 Do Not Quarantine + Notify Recipient + Notify Admin

043 Do Not Quarantine + Notify Recipient + Notify Admin + Do Not Train

044 Do Not Quarantine + Notify Recipient + Notify Sender

045 Do Not Quarantine + Notify Recipient + Notify Sender + Do Not Train

046 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin

047 Do Not Quarantine + Notify Recipient + Notify Sender + Notify Admin + Do Not Train

048 Do Not Quarantine + BCC

049 Do Not Quarantine + BCC + Do Not Train

050 Do Not Quarantine + BCC + Notify Admin

051 Do Not Quarantine + BCC + Notify Admin + Do Not Train

052 Do Not Quarantine + BCC + Notify Sender

053 Do Not Quarantine + BCC + Notify Sender + Do Not Train

054 Do Not Quarantine + BCC + Notify Sender + Notify Admin

055 Do Not Quarantine + BCC + Notify Sender + Notify Admin + Do Not Train


056 Do Not Quarantine + BCC + Notify Recipient

057 Do Not Quarantine + BCC + Notify Recipient + Do Not Train

058 Do Not Quarantine + BCC + Notify Recipient + Notify Admin

059 Do Not Quarantine + BCC + Notify Recipient + Notify Admin + Do Not Train

060 Do Not Quarantine + BCC + Notify Recipient + Notify Sender

061 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Do Not Train

062 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin

063 Do Not Quarantine + BCC + Notify Recipient + Notify Sender + Notify Admin + Do Not Train
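As an added example, not part of the guide and not ePrism code: a Python decoder for the analysis string that uses the field widths of Table 1, and expands the PBMF Options code of Table 2 as the bit field it encodes (1 Do Not Train, 2 Notify Admin, 4 Notify Sender, 8 Notify Recipient, 16 BCC, 32 Do Not Quarantine). The log line wrapped around the page's analysis string is constructed, and the field names are my own.

```python
from typing import Dict, List, Tuple

# (field name, width) in the order the characters appear in the analysis string (Table 1).
FIELDS: Tuple[Tuple[str, int], ...] = (
    ("token_scanned", 1), ("token_metric", 3), ("bulk_scanned", 1),
    ("bulk_result", 1), ("dnsbl_scanned", 1), ("dnsbl_rejects", 3),
    ("reserved1", 1), ("reserved2", 1), ("kaspersky_scanned", 1),
    ("kaspersky_viruses", 3), ("mcafee_scanned", 1), ("mcafee_viruses", 3),
    ("malformed_scanned", 1), ("malformed", 1), ("attachment_control_scanned", 1),
    ("inbound_attachments_blocked", 3), ("outbound_attachments_blocked", 3),
    ("pbmf_scanned", 1), ("pbmf_triggered", 1), ("pbmf_action", 1),
    ("pbmf_rule_type", 1), ("pbmf_priority", 1), ("pbmf_filter_number", 7),
    ("pbmf_options", 3), ("pbmf_no_train_rank", 1), ("pbmf_bcc_rank", 1),
    ("spf_scanned", 1), ("spf_result", 1), ("affirmation_scanned", 1),
    ("affirmation_result", 1), ("ocf_scanned", 1), ("ocf_result", 1),
    ("ip_reputation_performed", 4), ("ip_reputation_failed", 4),
    ("attachment_content_scanned", 1), ("attachment_content_matches", 3),
    ("spam_dictionary_scanned", 1), ("spam_dictionary_matched", 1),
    ("bsn_scanned", 1), ("bsn_result", 8), ("domainkeys_scanned", 1),
    ("domainkeys_result", 1), ("domainkeys_spam", 1),
)
ANALYSIS_LEN = sum(width for _, width in FIELDS)  # 78 for the page's sample string

# Bitmaps are documented as decodable only in the ePrism log display: keep the raw digits.
BITMAP_FIELDS = {"ip_reputation_performed", "ip_reputation_failed", "bsn_result"}
SPF_RESULTS = {"0": "Pass", "1": "None", "2": "Fail", "3": "Fail", "4": "Error",
               "5": "Neutral", "6": "Unknown", "7": "Unknown SPF Mechanism"}
DOMAINKEYS_RESULTS = {"0": "Pass", "1": "Neutral", "2": "Fail", "3": "Soft Fail",
                      "4": "Temporary Error", "5": "Permanent Error"}
PBMF_ACTIONS = {"D": "Reject", "A": "Accept", "V": "Valid", "S": "Spam", "T": "Trust",
                "R": "Relay", "B": "BCC", "I": "Do Not Train", "-": "None"}
# Table 2 is a bit field: each option adds a power of two. Listed most
# significant first so the expansion reads like the Table 2 wording.
PBMF_OPTION_BITS = ((32, "Do Not Quarantine"), (16, "BCC"), (8, "Notify Recipient"),
                    (4, "Notify Sender"), (2, "Notify Admin"), (1, "Do Not Train"))

# Constructed log line; the analysis string and the message ID are the page's own.
SAMPLE_LOG_LINE = ("Feb  1 10:22:31 eprism smtpd[4021]: 757D197A9L: analysis="
                   "F000FFF000FFT000F000TFT001000TF--5000000000055F1F-FF00000000F000FFF00000000F5F")


def decode_pbmf_options(code: str) -> str:
    """Expand a three-digit PBMF Options code into the Table 2 wording."""
    value = int(code)
    if not 0 <= value <= 63:
        raise ValueError(f"PBMF options code out of range: {code}")
    names = [name for bit, name in PBMF_OPTION_BITS if value & bit]
    return " + ".join(names) if names else "None"


def parse_analysis(log_line: str) -> Dict[str, object]:
    """Find analysis=... in a Mail Transport log line and decode its fields."""
    marker = "analysis="
    start = log_line.find(marker)
    if start < 0:
        raise ValueError("log line carries no analysis= field")
    raw = log_line[start + len(marker):].split()[0]
    if len(raw) != ANALYSIS_LEN:
        raise ValueError(f"expected {ANALYSIS_LEN} characters, got {len(raw)}")
    decoded: Dict[str, object] = {}
    pos = 0
    for name, width in FIELDS:
        chunk = raw[pos:pos + width]
        pos += width
        if name == "pbmf_options":
            decoded[name] = decode_pbmf_options(chunk)
        elif name == "pbmf_action":
            decoded[name] = PBMF_ACTIONS.get(chunk, chunk)
        elif name == "spf_result":
            decoded[name] = SPF_RESULTS.get(chunk, "Unknown")
        elif name == "domainkeys_result":
            decoded[name] = DOMAINKEYS_RESULTS.get(chunk, "Unknown")
        elif name in BITMAP_FIELDS:
            decoded[name] = chunk
        elif width == 1 and chunk in ("T", "F"):
            decoded[name] = chunk == "T"  # scanned?/result? flags
        elif chunk.isdigit():
            decoded[name] = int(chunk)  # counters, ranks, filter number
        else:
            decoded[name] = chunk  # "-" marks no match
    return decoded


def blocking_reasons(decoded: Dict[str, object]) -> List[str]:
    """Name the checks that acted on the message, to point triage at the right screen."""
    checks = (
        (decoded["kaspersky_viruses"] or decoded["mcafee_viruses"], "virus detected"),
        (decoded["malformed"], "malformed message"),
        (decoded["inbound_attachments_blocked"] or decoded["outbound_attachments_blocked"],
         "attachment blocked by Attachment Control"),
        (decoded["pbmf_triggered"],
         f"PBMF filter {decoded['pbmf_filter_number']} ({decoded['pbmf_action']})"),
        (decoded["ocf_result"], "Objectionable Content Filter match"),
        (decoded["attachment_content_matches"], "Attachment Content Scanning match"),
        (decoded["spam_dictionary_matched"], "Spam Dictionary match"),
        (decoded["domainkeys_spam"], "DomainKeys spam"),
    )
    return [reason for fired, reason in checks if fired]
```

Run over the page's sample string, the decoder reports that one inbound attachment was blocked by Attachment Control, which is the screen to check first when a message did not reach its recipient.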


Network and Mail Diagnostics

In the Status/Reporting ➝ Status & Utility screen there are mail tools and networking diagnostic tools such as Hostname Lookups, SMTP Probe, Ping, and Traceroute, to help you troubleshoot possible networking problems and connectivity issues with other mail servers.

Flush Mail Queue

From the Status/Reporting ➝ Status & Utility screen, and also the main Activity screen, there is a button that can be used to flush and reprocess all queued mail. You should only use this utility if you have a high amount of deferred mail that you would like to try to deliver. In environments with a high amount of deferred mail, this process can take a very long time.

If the deferred mail queue continues to grow, there are other problems that are preventing the delivery of mail and the Flush button should not be used again.

Note: This button should only be clicked once because it will reprocess all queued mail.


Hostname Lookup

The Hostname Lookup utility is used to perform DNS host lookups. This ensures that hostnames are being properly resolved by the DNS server.

Enter the FQDN (Fully Qualified Domain Name) of the host you would like to look up on a name server, such as mx.example.com. In the Query Type field, select the type of DNS record, such as a typical "A" host record, or "MX" for a mail server lookup.

Click the Lookup button when ready to test. The name server should provide you with the IP address for the name you entered. If the result displayed shows "Unknown host", then the name you entered is not listed in the DNS records.

If the name server cannot be contacted, check your DNS configuration in Basic Config ➝ Network. To confirm network connectivity, use the ping and traceroute utilities in the Status & Utility screen to ensure you have a connection to the network and to the DNS server.


SMTP Probe

The SMTP (Simple Mail Transport Protocol) Probe is used to test e-mail connectivity with a remote SMTP server. This allows you to verify that the SMTP server is responding to connection requests and returning a valid response.

In the SMTP Probe screen, you must enter the destination SMTP server, the envelope header fields for the sender and recipient (MAIL FROM and RCPT TO), the HELO identifier, and the message data.

Click the Send Message button to send the test message to the destination SMTP server. The server should come back with a response.

• SMTP Server — Enter the domain name or IP address of the destination SMTP server that you want to test.

• Envelope-from (MAIL FROM) — The MAIL FROM part of the e-mail message identifies the sender. Enter an e-mail address indicating the sender of the message.

• Envelope-to (RCPT TO) — The RCPT TO part of the e-mail message identifies the recipient of the e-mail. Enter an e-mail address indicating the intended recipient of the message.

• HELO — The HELO parameter is used to identify the SMTP Client to the SMTP Server. You can enter any value here, but the sending domain name of the server is usually specified.

• Message to Send (DATA Command) — This contains the actual test message data. You can enter an optional subject to ensure a blank subject field is not sent.


The response field will show the result of the SMTP diagnostic probe, including the response for each SMTP command sent:

Sending mail...

<<< 220 ESMTP Postfix (2.1.0)
HELO example.com
<<< 250 mail.example.com
MAIL FROM:[email protected]
<<< 250 Ok
RCPT TO:[email protected]
<<< 250 Ok
DATA
<<< 354 End data with <CR><LF>.<CR><LF>
sending /tmp/smtpdata
.
<<< 250 Ok: queued as F130F33EA6
QUIT
<<< 221 Bye
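As an added example that is not part of the guide and not ePrism code, the same exchange driven from Python: a minimal probe that sends HELO, MAIL FROM, RCPT TO, DATA and QUIT, records each reply the way the Response field does, handles multi-line replies, dot-stuffs the message body, and stops cleanly at the first 4xx/5xx reply. SocketTransport, ScriptedServer and the sender/recipient addresses are my own; the scripted replies are the ones quoted above.

```python
import socket
from typing import List, Optional, Sequence, Tuple


class SocketTransport:
    """Line-oriented CRLF transport over a TCP connection to a real MTA."""

    def __init__(self, host: str, port: int = 25, timeout: float = 30.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def send_line(self, line: str) -> None:
        self.sock.sendall(line.encode("ascii") + b"\r\n")

    def recv_line(self) -> str:
        return self.reader.readline().decode("ascii", "replace").rstrip("\r\n")


class ScriptedServer:
    """Offline stand-in for the remote MTA: replays fixed reply lines and
    records what the probe sends, so an exchange can be checked without a network."""

    def __init__(self, replies: Sequence[str]) -> None:
        self.replies = list(replies)
        self.received: List[str] = []

    def send_line(self, line: str) -> None:
        self.received.append(line)

    def recv_line(self) -> str:
        if not self.replies:
            raise ConnectionError("scripted server has no more replies")
        return self.replies.pop(0)


# The replies quoted in the Response field above, used as the scripted reply set.
PAGE_REPLIES = [
    "220 ESMTP Postfix (2.1.0)", "250 mail.example.com", "250 Ok", "250 Ok",
    "354 End data with <CR><LF>.<CR><LF>", "250 Ok: queued as F130F33EA6", "221 Bye",
]


def read_reply(transport) -> Tuple[int, List[str]]:
    """Read one SMTP reply. A hyphen after the code ("250-...") means more
    lines follow; a space, or a bare code, ends the reply."""
    lines: List[str] = []
    while True:
        line = transport.recv_line()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def smtp_probe(transport, helo: str, mail_from: str, rcpt_to: str,
               data_lines: Sequence[str]) -> Tuple[bool, List[str]]:
    """Drive the probe. Returns (accepted, transcript): each command sent and
    each reply line prefixed with "<<< ", as the Response field shows them."""
    transcript: List[str] = []

    def step(command: Optional[str], ok_codes: Tuple[int, ...]) -> bool:
        if command is not None:
            transport.send_line(command)
            transcript.append(command)
        code, lines = read_reply(transport)
        transcript.extend("<<< " + line for line in lines)
        return code in ok_codes

    def hang_up() -> None:
        try:
            step("QUIT", (221,))
        except (ValueError, OSError):  # peer may already have dropped the session
            pass

    envelope = [
        (None, (220,)),  # server greeting, nothing sent yet
        (f"HELO {helo}", (250,)),
        (f"MAIL FROM:<{mail_from}>", (250,)),
        (f"RCPT TO:<{rcpt_to}>", (250, 251)),
        ("DATA", (354,)),
    ]
    for command, ok_codes in envelope:
        if not step(command, ok_codes):
            hang_up()  # a 4xx/5xx here is the diagnostic result; stop cleanly
            return False, transcript
    # Message body: a line beginning with "." is dot-stuffed so the lone "."
    # that terminates DATA cannot be produced by message content.
    for line in data_lines:
        transport.send_line("." + line if line.startswith(".") else line)
    transcript.append(f"sending {len(data_lines)} line(s) of message data")
    if not step(".", (250,)):
        hang_up()
        return False, transcript
    step("QUIT", (221,))
    return True, transcript
```

Against a real server, replace ScriptedServer(PAGE_REPLIES) with SocketTransport("mail.example.com"); the transcript then reads like the Response field, with the first non-2xx/3xx reply telling you which step the remote server refused.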

Ping Utility

The ping utility sends ICMP packets to a host and then listens for a return packet. From ePrism, this utility can be used to ping hosts on both the internal and external networks. You should also try to ping the firewall, DNS server, and external router, as well as ePrism from those locations, to ensure you have connectivity. For more detailed information on routing connectivity between two hosts, use the traceroute utility.

Click the Ping button on the Status & Utility screen to test connectivity. Enter the IP address or hostname of the system you want to test connectivity to and then click the Ping button.


Traceroute Utility

Traceroute is used to see the routing steps between two hosts. If you are losing connectivity somewhere in between ePrism and a receiving host, you can use traceroute to see where exactly the packet is losing its connection.

The traceroute utility will show each network "hop" as it passes through each router to its destination. If you are experiencing routing issues, you will be able to see in the trace where exactly the communication is failing.

Click the Traceroute button on the Status & Utility screen to trace the route to the specified host.

Enter the IP address or hostname of the system you want to trace the route to, and then click the Traceroute button. Use Reset to reset the display.


Troubleshooting Content Issues

If the mail has been delivered to ePrism successfully, it will undergo security processing before delivery to its final destination. Many of the security tools used by ePrism, such as Intercept anti-spam, content filtering, anti-virus scanning, attachment control, and so on, can cause the message to be rejected, discarded, or quarantined without being delivered to the recipient’s mailbox.

These tools can easily be misconfigured, allowing legitimate messages to be incorrectly rejected or quarantined. If you find that certain mail messages are being blocked when they should not be, check the following:

• Is there a Specific Access Pattern or Pattern Based Message Filter rule that applies to the message?

• Is the attachment type or content filtered via Attachment Control or Attachment scanning?

• Are any of the Intercept Anti-Spam features blocking the message?

• Do words from the Objectionable Content Filter (OCF) or Spam Dictionaries appear in the message?

• Is the message over the maximum size limit?

• Does the user belong to a policy that may block the message?

Mail History Database

Every message that passes through ePrism generates a database entry that records information about how it was processed, filtered, quarantined, and so on. To see how the message was handled by ePrism, you can check the Mail History Database to see the disposition of the message.

Using this information, you can find out which security process is blocking the message, and then check the configuration and rules to ensure that they are set properly.

Select Status/Reporting ➝ Reporting ➝ Mail History to view processed messages. Examine the Journal column for full information on how a message was processed and its final disposition.


Displaying Message Details

Click on a QueueID number to view the details of a message. Dispositions and the final Intercept score, if any, are listed below the details table in the Message Disposition section.


APPENDIX A Using the ePrism System Console

The ePrism system console provides a limited subset of administrative tasks and is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the web browser administration interface.

When accessing the system console, you will be prompted for the UserID and Password for the administrative user. When accessing the console for the first time after installation, the default settings are admin for the UserID, and admin for the Password. The password can be changed from the browser administration interface.

Activity Screen

The console Activity screen provides you with basic activity and statistics information for this ePrism system.


Press any key to log into the console using the admin login.

Admin Menu

The Admin menu contains the following functions:

• Exit — Exits the console.

• Hardware Information — Displays the processor type, available memory, and network interface information.

• Configure Interfaces — Modify the host and domain name, IP address, Gateway, DNS and NTP servers for all network interfaces.

• Security Connection — Enables automatic updates from St. Bernard.

• Shutdown — Shutdown ePrism.

• Reboot — Shutdown and restart ePrism.

• Switch to Text Mode — Switch from graphical mode to text mode.

Diagnostics Menu

The Diagnostics menu contains the following functions:

• Activity Display — Displays CPU usage, network traffic and mail message activity.

• Ping — Allows you to test network connectivity to other systems via the ping utility. An IP address or host name can be used.

• Traceroute — Displays the routing steps between your ePrism system and a destination host.

• Reset Network Interface — Resets network interfaces. This function is useful for correcting connection issues.

• Display Disk Usage — Displays the amount of used and available disk space.

• Display System Processes — Displays information on processes running on the system.

Repair Menu

The Repair menu contains the following functions:

• Reset SSL Certificates — Sets certificate information back to the factory defaults. Any uploaded certificates or private keys will be lost.

• Delete Strong Authentication for Admin — Removes strong authentication for the admin user login to allow you to use the console password.


Misc Menu

The Miscellaneous menu contains the following functions:

• Set Time and Date — Sets the time and date for the system.

• Set Time Zone — Sets your local time zone settings.

• Configure UPS — Configure the link to an Uninterruptible Power Supply (UPS) for automatic shutdown in the event of a power failure.

• Configure Web Admin — Modify the ports used to access the ePrism web browser administration interface.

• Configure Serial Console — Configure a serial port for using the console over a serial connection. You must set your terminal program to the following values to use ePrism’s serial console: VT100 emulation, Baud Rate: 9600, Data Bits: 8, Parity: None, Stop Bits: 1, Flow Control: Hardware.

• Color Settings — Sets the colors for the console.


APPENDIX B Restoring ePrism to Factory Default Settings

ePrism can be returned to its factory defaults at any time. You may need to re-initialize the system if unrecoverable disk errors are found, or if you wish to perform a full restore.

Caution! This procedure should only be used after consultation with St. Bernard technical support. You will lose ALL your configuration data and stored mail if you have not performed a backup.

Re-initialize the system as follows:

1. Select Management ➝ Reboot and Shutdown on the menu.

2. Click the Reboot button, and the system will reboot.

3. When the system restarts, go to the system console and press F1 "Restore" to restore the system to factory defaults. Note: Press "r" to reinstall if you upgraded to 6.0 from a previous version and are using an older boot menu.

4. Press Enter to select graphics mode when prompted.

5. An informational screen will appear. Select OK to continue.

6. Select a keyboard type.

7. Select Auto (to auto-partition your drives) or Custom and press Enter. Select OK to confirm.

8. Select OK at the information screen: "You can install from CDROM…".

9. Use the arrow keys to select Hard Drive from the options and press Enter.

10. When the procedure is complete, an information message will appear: "St. Bernard’s software has now been loaded….".

11. Select OK and the system will restart.


The system will now be restarted with the factory default configuration. Proceed with the installation and configuration of the system. See the ePrism Installation Guide for detailed information on the install procedure.


APPENDIX C Message Processing Order

The following list describes the full order in which incoming e-mails are processed by ePrism:

SMTP Connection Checks

• Reject on Threat Prevention
• Reject on unauth SMTP pipelining
• Reject on expired ePrism license
• Reject on Specific Access Pattern (SAP) HELO
• Reject on Specific Access Pattern (SAP) Envelope-To
• Reject on Specific Access Pattern (SAP) Envelope-From
• Reject on Specific Access Pattern (SAP) Client IP
• Reject on DNS Block List (DNSBL)
• Reject on BorderWare Security Network (BSN) reputation
• Reject on BorderWare Security Network (BSN) infected
• Reject on BorderWare Security Network (BSN) dial-up

At this point, local and trusted networks skip any remaining "Reject" checks.

• Reject on unknown sender domain
• Reject on missing reverse DNS
• Reject on missing sender MX
• Reject on non-FQDN sender
• Reject on unknown recipient
• Reject on missing addresses
• Reject if number of recipients exceeds maximum
• Reject if message size exceeds maximum

Message Checks

• Very Malformed
• Anti-Virus
• Pattern Based Message Filter (PBMF) Bypass (This action skips remaining checks)
• Malformed messages
• Attachment Control
• Message Affirmation
• Objectionable Content Filter (OCF)
• Pattern Based Message Filter (PBMF) (High priority)
• Pattern Based Message Filter (PBMF) (Medium priority)
• Personal Whitelisting
• Pattern Based Message Filter (PBMF) (Low priority)
• Attachment Content Scanning
• SAP (Trusted and Allow)
• Trusted Network

Anti-Spam Processing

• Sender Policy Framework (SPF)
• DomainKeys
• Bulk Analysis
• DNS Block List (DNSBL)
• IP Reputation
• Spam Dictionaries
• BorderWare Security Network (BSN) Reputation
• BorderWare Security Network (BSN) Dial-up
• Token Analysis

Message Mappings and Routing

• Mail Mappings
• Virtual Mappings
• Relocated Users
• Mail Aliases
• Mail Routing
• Mail Delivery to its final destination


APPENDIX D Customizing Notification and Annotation Messages

You can use variables to customize the content of notifications and annotations. ePrism will substitute your local settings for the variables at the time the message is sent. The following variables are available:

TABLE 1. ePrism System Variables

Variable                   Value                                                        Example
%PROGRAM% or %PRODUCT%                                                                  St. Bernard ePrism Email Security Appliance
%HOSTNAME%                 Hostname entered on the Network Settings screen              mail.example.com
%POSTMASTER_MAIL_ADDR%     E-mail address of the admin user                             [email protected]
%DELAY_WARN_TIME%          In Delivery Settings - Time before Delay Warning             4 hours
%MAX_QUEUE_TIME%           In Delivery Settings - Maximum Time in Mail Queue            5 days
%S_YOU% (%SENDER%)         "you" / Mail address of sender                               [email protected]
%R_YOU% (%RECIPIENT%)      "you" / Mail address of recipient                            [email protected]
%SPAM_FOLDER%              The name of the spam folder for the user spam quarantine     spam_quarantine
%SPAM_EXPIRY%              The number of days before quarantined spam is expired        30
%SPAM_MESSAGES%            The information for a spam message (Date, From, Subject)     05/27/04, [email protected], File for you
%DISPN%                    Disposition or Action                                        quarantined
%WEBMAIL_URL%              The URL of the configured WebMail server                     http://owa.example.com/exchange/
%NUMSPAM%                  Number of spam messages in the spam folder                   20
%NUMSPAMSTAT%              Number of spam messages and bytes used in the spam folder    20,10000

Note: These variables cannot be used with the SMTP Banner and SMTP Content Reject message.


APPENDIX E Performance Tuning

There are several factors that can affect the performance of your ePrism system:

• Network bandwidth

• Number of allowed SMTP connections

• Usage of background processes such as Reporting and ePrism Mail Client

• Internet unpredictability: Mail can often arrive in bursts of activity, with only a few messages arriving one minute, and several hundred the next. In the event of a network outage, such as a failed router, the amount of queued mail that arrives after the router is back online can be very large.

• Internet performance: SMTP clients can be very slow at connecting, and the connection may be disconnected before it is complete.

• The time to process a message is also affected by the size of the e-mail and its attachments.

• Amount of system resources (processing power, RAM, and disk space)

These factors must be carefully considered when tuning a system for optimal performance. If an ePrism system is optimized for throughput to handle high mail loads, other aspects of the system may suffer from increased latency, such as reporting and ePrism Mail Client access, and clients that cannot connect to a busy system may have their connections dropped. Similarly, allocating too many resources to resolve latency issues will reduce mail throughput.

Caution! Modifying certain parameters may affect the performance of other aspects of the system, and it is recommended that you only change these settings to resolve specific performance issues with guidance from St. Bernard Technical Support. Do NOT experiment with these settings, as you may render your system unusable.


Setting Default Performance Settings

When ePrism is installed and initialized, you must select the default profile for your system, such as "M3000 with mail scanning only" or "M3000 with ePrism Mail Client".

You may need to change your settings if you enable or disable the use of the ePrism Mail Client after your initial installation.

Select Basic Config ➝ Performance on the menu to configure your Performance tuning settings.


Advanced Settings

Click the Advanced button if you need to adjust any of the individual parameters to create a custom setting.


Maximum Number of Processes

This parameter specifies the maximum number of concurrent processes that implement mail services. This setting limits the number of connections accepted by smtpd, and the number of outgoing SMTP connections. If this number is set too large, you may run out of swap space.

Maximum Number of Parallel Deliveries

This parameter specifies the maximum number of outgoing SMTP connections to the same destination. This setting helps limit the number of outgoing connections. The value must be less than the maximum number of processes, or performance will be degraded.

TABLE 1. Maximum Number of Processes

System   Recommended Value   Description
M1000    50 (default)        This is the default setting and should not be modified. Set this parameter to 40 if using ePrism Mail Client.
M2000    200                 This is the default setting and should not be modified. Set this parameter to 150 if using ePrism Mail Client.
M3000    300                 This is the default setting and should not be modified. Set this parameter to 200 if using ePrism Mail Client.

TABLE 2. Maximum Number of Parallel Deliveries

System   Recommended Value   Description
M1000    4 (default)         This is the default setting and should not be modified.
M2000    10                  Only increase this value if you are having problems delivering enough mail to the internal server.
M3000    10                  Only increase this value if you are having problems delivering enough mail to the internal server.


Maximum Number of Mail Scanners

This parameter specifies the maximum number of mail scanners that can run simultaneously. This setting limits the overall mail processing and memory footprint. Setting this value too high or too low may result in reduced performance. Valid settings are from 2 - 20.

Raise Priority of Heavy Weight Processes

Increasing the priority of heavyweight processes can increase performance and ePrism Mail Client response times, but it can reduce the processing resources for other mail processes if it is set too high. Valid settings are from a default priority of 0 to a maximum priority of 20.

Number of Heavy Weight Processes

This parameter specifies the maximum number of heavy weight mail scanning processes that can be run simultaneously.

Valid settings range from 1 (default) to 6 (maximum number of processes).

Setting a value greater than 2 will not improve performance, and changing this value from the default setting is not recommended.

TABLE 3. Maximum Number of Mail Scanners

System   Recommended Value   Description
M1000    2 (default)         This is the default setting and should not be modified.
M2000    6                   Increase this value to a maximum of 8 only if performance is an issue.
M3000    6                   Increase this value to a maximum of 10 only if performance is an issue.

TABLE 4. Raise Priority of Heavy Weight Processes

System   Recommended Value   Description
M1000    0 (default)         This is the default setting and should not be modified.
M2000    5                   Only change this from the default value if ePrism Mail Client is not being used and you need to devote more resources to message handling.
M3000    10                  Set this value to 5 if using ePrism Mail Client and/or performance is not an issue.


Number of DB Proxies

This parameter specifies the maximum number of database proxies that can be used by the mail scanning processes. This value is relative to the Maximum Number of Processes setting, and should be increased in conjunction with the number of maximum processes.

Valid settings range from 2 (default) to 12 (maximum); however, setting this value above 8 yields diminishing performance returns.

SMTP Connect Timeout

This SMTP parameter specifies the amount of time, in seconds, that ePrism, acting as the SMTP client, waits for the TCP connection to a remote server to complete before giving up. The default is 0 (no specific limit), but the overall system timeout of 5 minutes for SMTP connections still applies. Increasing this value may help sites that have a slow Internet connection.

SMTP HELO Timeout

This SMTP parameter specifies the amount of time, in seconds, that ePrism waits to receive the remote server's SMTP greeting banner and its response to HELO/EHLO before dropping the connection. The default is 300 seconds, so ePrism waits 5 minutes before timing out. A lower value may increase performance by freeing up connections sooner; a higher value may help sites that have a slow Internet connection.

SMTPD Timeout

This SMTP parameter specifies the amount of time, in seconds, that ePrism's SMTP server allows for sending a response to a connected client and for receiving the client's next request before dropping the connection. The default is 300 seconds, so a client that stays silent for more than 5 minutes is disconnected. A lower value may increase performance by freeing up connections sooner; a higher value may help sites that have a slow Internet connection.

TABLE 5. Number of DB Proxies

System   Recommended Value   Description
M1000    2 (default)         This is the default setting and should not be modified.
M2000    4                   If increasing the number of processes above 50, set to 6.
M3000    8                   If increasing the number of processes above 150, set to 10.


SMTPD Minimum Receive Rate

The minimum rate, in bytes per second, at which a client must send data. The limit will be enforced after the SMTPD minimum receive rate interval has elapsed. Set this to a higher value when excessively slow clients are tying up system resources. A value of 0 indicates no minimum rate. Default is 0.

SMTPD Receive Rate Interval

The time interval, in seconds, which must elapse before the SMTPD minimum receive rate restriction is enforced for a newly connected client. Set this to a higher value to give clients longer to establish an acceptable data flow rate. A value of 0 means that the limit is enforced immediately. Default is 0.
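The two receive-rate settings matter because every connected client, however slowly it sends, occupies one of the smtpd processes counted by Maximum Number of Processes. The following Python model is an added example, not ePrism code: it applies the documented semantics (a rate of 0 disables the check, the interval is a grace period after connect) and reports how many process slots remain once slow clients are dropped. It assumes the rate is averaged over the connection's lifetime so far; the connection data is constructed.

```python
"""Model of the SMTPD Minimum Receive Rate / Receive Rate Interval check.

Added example, not ePrism code. Shows how slow senders tie up the smtpd
process pool and how the two settings decide which ones to drop. The
connection data below is constructed; the averaging over connection
lifetime is an assumption, not something the guide states.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    client: str
    connected_at: float                          # simulated clock, seconds
    samples: list = field(default_factory=list)  # (timestamp, cumulative bytes)

    def bytes_at(self, now: float) -> int:
        """Cumulative bytes received from the client up to 'now'."""
        received = 0
        for ts, total in self.samples:
            if ts <= now:
                received = total
        return received


def should_drop(conn: Connection, now: float, min_rate: int, interval: int) -> bool:
    """Documented semantics: min_rate 0 means no minimum; the check only
    starts once 'interval' seconds have elapsed since connect (0 = at once)."""
    if min_rate <= 0:
        return False
    elapsed = now - conn.connected_at
    if elapsed <= 0 or elapsed < interval:
        return False
    return conn.bytes_at(now) / elapsed < min_rate


def pool_pressure(conns, now, min_rate, interval, max_processes):
    """Return (clients to drop, smtpd slots still free after dropping them)."""
    drop = [c.client for c in conns if should_drop(c, now, min_rate, interval)]
    in_use = len(conns) - len(drop)
    return drop, max_processes - in_use


# Constructed traffic: a normal sender, a trickling sender that holds the
# connection open with a few bytes a second, and a client that connected
# two seconds ago and is still inside the grace interval.
CONNECTIONS = [
    Connection("203.0.113.10", connected_at=0.0,
               samples=[(5.0, 40_000), (10.0, 120_000)]),
    Connection("198.51.100.7", connected_at=0.0,
               samples=[(5.0, 30), (10.0, 60), (30.0, 90)]),
    Connection("192.0.2.44", connected_at=28.0, samples=[(29.0, 5)]),
]

if __name__ == "__main__":
    drop, free = pool_pressure(CONNECTIONS, now=30.0, min_rate=100,
                               interval=10, max_processes=50)
    print("drop:", drop, "free smtpd slots:", free)
```

With the defaults (rate 0) nothing is ever dropped. With a rate of 100 bytes/s and a 10 second interval only the trickling sender is dropped; with an interval of 0 the client that connected two seconds ago is judged on almost no data and dropped as well, which is why the guide suggests raising the interval to give legitimate clients time to establish a flow.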

SMTP Tarpit Time

The amount of time, in seconds, to wait before replying to an SMTP client with a 4xx or 5xx error message (for example, when the message content is rejected). The default is 5 seconds. A lower value may increase performance by freeing up connections sooner. A higher value may deter senders of invalid content such as spam and viruses, since each rejection costs them more time.

Service Throttle Time

The amount of time, in seconds, to wait before re-starting a Postfix service that exits unexpectedly. The default is 60 seconds, and must be 1 second at minimum.

Size of Temporary Files Filesystem

Specify the size of the /tmp filesystem at system startup. This setting affects the maximum size of attachments that may be scanned, and should only be used if you are having problems with scanning large files. If you increase this setting beyond the amount of physical RAM, system performance will be degraded due to excessive swapping. You must monitor your system performance if this setting is used.

Size of Shared Memory block allocated to Database

Specify the size of the shared memory block to make available to the database. Increasing this value increases the speed of database operations at the cost of having less memory available for other purposes. Increase this value if you are increasing the number of messages that will be stored in the e-mail database.

Note: If you change the size of the temporary files filesystem or the shared memory block, the system must be restarted before these settings take effect.


APPENDIX F SNMP MIBS

The following sections describe the statistics available from ePrism's SNMP MIBs. To download the MIB files, select Basic Config ➝ SNMP Configuration and click the Download MIBS button.

Note: The MIB files are based on SNMP version 2 and are backwards compatible with version 1.

MIB Files Summary

The following sections contain a summary of the MIB file entries. The raw MIB files are listed at the end of this appendix.

Memory Usage and Reporting

TABLE 1. Memory Usage and Reporting

Object            Description
memTotalSwap      Total swap size configured for the host
memAvailSwap      Available swap space on the host
memTotalReal      Total real/physical memory size on the host
memAvailReal      Available real/physical memory space on the host
memTotalSwapTXT   Total virtual memory used by text
memAvailSwapTXT   Active virtual memory used by text
memTotalRealTXT   Total real/physical memory size used by text
memAvailRealTXT   Active real/physical memory space used by text
memTotalFree      Total available memory on the host
memMinimumSwap    Minimum amount of swap required to be free (below this, memSwapError is set)
memShared         Total shared memory
memBuffer         Total buffered memory
memCached         Total cached memory
memSwapError      Error flag indicating very little swap space left
memSwapErrorMsg   Error message describing the error flag condition

Disk Information

TABLE 2. Disk Information

Object           Description
dskIndex         Integer reference number (row number) for the disk MIB.
dskPath          Path where the disk is mounted.
dskDevice        Path of the device for the partition.
dskMinimum       Minimum space required on the disk (in kBytes) before errors are triggered.
dskMinPercent    Minimum percentage of free space required on the disk before errors are triggered.
dskTotal         Total size of the disk/partition (kBytes).
dskAvail         Available space on the disk.
dskUsed          Used space on the disk.
dskPercent       Percentage of space used on the disk.
dskPercentNode   Percentage of inodes used on the disk.
dskErrorFlag     Error flag signaling that the disk or partition is under the minimum required space configured for it.
dskErrorMsg      A text description providing a warning and the space left on the disk.


System Statistics

The SNMP agent implements only those of the following statistics that the kernel supports, so not all of the objects listed will be available.

TABLE 3. System Statistics

Object        Description
ssIndex       Reference index for each observed system statistic
ssErrorName   The list of system statistic names being counted
ssSwapIn      Amount of memory swapped in from disk (kB/s)
ssSwapOut     Amount of memory swapped out to disk (kB/s)

TABLE 4. System Statistics If Supported by Kernel

Object              Description
ssCpuRawUser        User CPU time
ssCpuRawNice        Nice CPU time
ssCpuRawSystem      System CPU time
ssCpuRawIdle        Idle CPU time
ssCpuRawWait        I/O wait CPU time
ssCpuRawKernel      Kernel CPU time
ssCpuRawInterrupt   Interrupt-level CPU time
ssIORawSent         Number of requests sent to a block device
ssIORawReceived     Number of requests received from a block device
ssRawInterrupts     Number of interrupts processed
ssRawContexts       Number of context switches


Alarm Objects

TABLE 5. Alarm Objects

Object           Description
alTriggerAlarm   The flag to trigger an alarm
alLastChange     The time value when the alarm condition occurred
alName           A textual string containing the name of the alarm
alRemoteIpAddr   Source IP address
alDestPort       Destination port number
alAlarm          The alarm trap

Note: alTriggerAlarm is the only object in these MIBs defined with MAX-ACCESS read-write; any SNMP community or user permitted to write to the appliance can set it. Restrict write access accordingly.

Mail System Objects

Current Mail Data

TABLE 6. Current Mail Data

Object             Description
queuedMessages     The number of queued mail messages.
deferredMessages   The number of deferred mail messages.
totalMessages      The total number of mail messages.

Historical Mail Data

TABLE 7. Historical Mail Data

Object         Description
mailIndex      The value of this object uniquely identifies each mail stats entry.
mailInterval   Time interval pertaining to the data in this sequence.
mailRcvd       Number of received messages for this interval.
mailSent       Number of sent messages for this interval.
mailSpam       Number of spam messages for this interval.
mailReject     Number of rejected messages for this interval.
mailVirus      Number of messages identified as containing a virus for this interval.
mailClean      Number of clean messages for this interval.

Traps

ePrism sends an SNMP trap on a system reboot.
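The object names above become numeric OIDs by walking the parent links declared in the MIB files (enterprises 8673 is Borderware, bwProducts is Borderware 1, and so on). The following Python script is an added example, not part of the guide or the appliance: it rebuilds that tree from the declarations reproduced in this appendix, resolves names to OIDs, parses numeric snmpwalk-style output, and turns one poll into operator findings (swap and disk error flags, deferred-queue ratio, alarm flag). The snmpwalk text is constructed here, not captured from a device, and the deferred-to-queued threshold is this example's own choice.

```python
"""Resolve ePrism MIB object names to numeric OIDs and evaluate a poll.

Added example, not ePrism code. The OID tree is transcribed from the MIB
modules reproduced in this appendix; the snmpwalk-style text parsed below
is constructed, and the health thresholds are this example's choice.
"""
import re

ENTERPRISES = "1.3.6.1.4.1"

# object -> (parent, sub-identifier), as declared in the MIB files.
TREE = {
    "Borderware": ("enterprises", 8673),
    "bwProducts": ("Borderware", 1),
    "bwFirewall": ("bwProducts", 1),
    "bwAlarm": ("bwFirewall", 100),
    "alTriggerAlarm": ("bwAlarm", 1),
    "alLastChange": ("bwAlarm", 4),
    "alName": ("bwAlarm", 9),
    "alRemoteIpAddr": ("bwAlarm", 10),
    "alDestPort": ("bwAlarm", 15),
    "bwSysMemory": ("Borderware", 4),
    "memTotalSwap": ("bwSysMemory", 3),
    "memAvailSwap": ("bwSysMemory", 4),
    "memTotalReal": ("bwSysMemory", 5),
    "memAvailReal": ("bwSysMemory", 6),
    "memSwapError": ("bwSysMemory", 100),
    "memSwapErrorMsg": ("bwSysMemory", 101),
    "dskTable": ("Borderware", 9),
    "dskEntry": ("dskTable", 1),
    "dskPath": ("dskEntry", 2),
    "dskPercent": ("dskEntry", 9),
    "dskErrorFlag": ("dskEntry", 100),
    "dskErrorMsg": ("dskEntry", 101),
    "bwMailFirewall": ("bwProducts", 11),
    "mailTable": ("bwMailFirewall", 10),
    "mailStatus": ("mailTable", 2),
    "queuedMessages": ("mailStatus", 1),
    "deferredMessages": ("mailStatus", 2),
    "totalMessages": ("mailStatus", 3),
}


def oid_of(name: str) -> str:
    """Follow parent links up to 'enterprises' and return the dotted OID."""
    parts = []
    while name != "enterprises":
        parent, sub = TREE[name]
        parts.append(str(sub))
        name = parent
    return ENTERPRISES + "." + ".".join(reversed(parts))


BY_OID = {oid_of(n): n for n in TREE}

# One line of numeric 'snmpwalk -On' style output: <oid> = <TYPE>: <value>
LINE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[A-Za-z0-9]+): (?P<value>.*)$")


def parse_walk(text: str) -> dict:
    """Return {(objectName, instance): value} for every recognised line.
    Scalars carry instance '0'; table columns carry their row index."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        base, _, instance = m.group("oid").strip(".").rpartition(".")
        name = BY_OID.get(base)
        if name is None:
            continue                      # not one of the objects we know
        value = m.group("value").strip()
        if m.group("type") in ("INTEGER", "Counter32", "Gauge32"):
            value = int(value)
        elif m.group("type") == "STRING":
            value = value.strip('"')
        out[(name, instance)] = value
    return out


def health_findings(poll: dict, deferred_ratio: float = 0.5) -> list:
    """Turn one poll into operator-facing findings."""
    findings = []
    if poll.get(("memSwapError", "0")) == 1:
        findings.append("swap: " + str(poll.get(("memSwapErrorMsg", "0"), "low swap")))
    for (name, row), flag in poll.items():
        if name == "dskErrorFlag" and flag == 1:
            path = poll.get(("dskPath", row), "row " + row)
            msg = poll.get(("dskErrorMsg", row), "below minimum free space")
            findings.append("disk %s: %s" % (path, msg))
    queued = poll.get(("queuedMessages", "0"), 0)
    deferred = poll.get(("deferredMessages", "0"), 0)
    if queued and deferred / queued >= deferred_ratio:
        findings.append("mail: %d of %d queued messages deferred" % (deferred, queued))
    if poll.get(("alTriggerAlarm", "0")) == 1:
        findings.append("alarm: " + str(poll.get(("alName", "0"), "alarm flag set")))
    return findings


# Constructed walk output (not captured from an appliance).
SAMPLE_WALK = """
.1.3.6.1.4.1.8673.1.1.100.1.0 = INTEGER: 0
.1.3.6.1.4.1.8673.4.100.0 = INTEGER: 1
.1.3.6.1.4.1.8673.4.101.0 = STRING: "Running out of swap space (64)"
.1.3.6.1.4.1.8673.9.1.2.1 = STRING: "/"
.1.3.6.1.4.1.8673.9.1.100.1 = INTEGER: 0
.1.3.6.1.4.1.8673.9.1.2.2 = STRING: "/var/spool"
.1.3.6.1.4.1.8673.9.1.100.2 = INTEGER: 1
.1.3.6.1.4.1.8673.9.1.101.2 = STRING: "less than 5% free (3%)"
.1.3.6.1.4.1.8673.1.11.10.2.1.0 = Counter32: 800
.1.3.6.1.4.1.8673.1.11.10.2.2.0 = Counter32: 650
"""

if __name__ == "__main__":
    for finding in health_findings(parse_walk(SAMPLE_WALK)):
        print(finding)
```

The first line of the constructed walk is the same instance the MIB OID Values section lists as bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0, so oid_of("alTriggerAlarm") can be checked against the guide directly. The deferred/queued comparison is a gateway health heuristic, not a documented threshold; tune it to the site's normal queue behaviour.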


MIB Files

Borderware-FW-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, OBJECT-IDENTITY,
    Integer32, enterprises, IpAddress
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, DisplayString, DateAndTime
        FROM SNMPv2-TC
    bwProducts
        FROM Borderware-MIB;

bwFirewall MODULE-IDENTITY
    LAST-UPDATED "200404110000Z"
    ORGANIZATION "Borderware Technology Inc."
    CONTACT-INFO "[email protected] "
    DESCRIPTION  "The private Borderware SNMP extensions."
    REVISION     "200404110000Z"
    DESCRIPTION  "Draft. "
    ::= { bwProducts 1 }

-- Current mib entries -----------------------------------------
bwFirewallConformance OBJECT IDENTIFIER ::= { bwFirewall 3 }

-- OID values assigned in the bwFirewall branch ----------------
bwAlarm OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "The entry for alarm objects."
    ::= { bwFirewall 100 }

alTriggerAlarm OBJECT-TYPE
    SYNTAX Integer32 (0..1)
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION "The flag to trigger an alarm."
    ::= { bwAlarm 1 }

alLastChange OBJECT-TYPE
    SYNTAX DateAndTime
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The time value when the alarm condition occurs."
    ::= { bwAlarm 4 }

-- Removed interface name from implementation
-- alInterface OBJECT-TYPE
--     SYNTAX DisplayString (SIZE (0..255))
--     MAX-ACCESS read-only
--     STATUS current
--     DESCRIPTION "A textual string containing name of the interface."
--     ::= { bwAlarm 7 }

alName OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..255))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "A textual string containing name of the alarm."
    ::= { bwAlarm 9 }

alRemoteIpAddr OBJECT-TYPE
    SYNTAX IpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "A source IP address."
    ::= { bwAlarm 10 }

alDestPort OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Destination port number."
    ::= { bwAlarm 15 }

-- definition of trap triggered by the alarm condition.
alAlarm NOTIFICATION-TYPE
    OBJECTS { alLastChange, alName, alRemoteIpAddr, alDestPort }
    STATUS current
    DESCRIPTION "A trap."
    ::= { bwAlarm 50 }

-- Conformance information --------------------------------------------
bwFirewallCompliances OBJECT IDENTIFIER ::= { bwFirewallConformance 1 }
bwFirewallGroups      OBJECT IDENTIFIER ::= { bwFirewallConformance 2 }

-- Compliance statements ----------------------------------------------
bwFirewallCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION "The compliance statement for SNMP entities which
                 implement the Borderware-FW-MIB. "
    MODULE -- this module
        MANDATORY-GROUPS { bwAlarmGroup }
    ::= { bwFirewallCompliances 1 }

bwAlarmGroup OBJECT-GROUP
    OBJECTS { alTriggerAlarm, alLastChange, alName, alRemoteIpAddr, alDestPort }
    STATUS current
    DESCRIPTION "A collection of objects providing for remote monitoring. "
    ::= { bwFirewallGroups 1 }

END

Borderware-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, OBJECT-IDENTITY,
    Counter32, Integer32, Opaque, enterprises, IpAddress
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, DisplayString, DateAndTime
        FROM SNMPv2-TC;

Borderware MODULE-IDENTITY
    LAST-UPDATED "200211070000Z"
    ORGANIZATION "Borderware Technology Inc."
    CONTACT-INFO "[email protected] "
    DESCRIPTION  "The private Borderware SNMP extensions."
    REVISION     "200211070000Z"
    DESCRIPTION  "Draft."
    ::= { enterprises 8673 }

-- Current mib entries -----------------------------------------
bwProducts  OBJECT IDENTIFIER ::= { Borderware 1 }
bwProductId OBJECT IDENTIFIER ::= { bwProducts 2 }

-- ObjectId
bwFirewallServer7 OBJECT IDENTIFIER ::= { bwProductId 1 }

-- Current core mib table entries:
-- memory      OBJECT IDENTIFIER ::= { ucdavis 4 }
-- diskTable   OBJECT IDENTIFIER ::= { ucdavis 9 }
-- systemStats OBJECT IDENTIFIER ::= { ucdavis 11 }

--
-- Define the Float Textual Convention
-- This definition was written by David Perkins.
--
Float ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "A single precision floating-point number. The semantics
         and encoding are identical for type 'single' defined in
         IEEE Standard for Binary Floating-Point,
         ANSI/IEEE Std 754-1985.
         The value is restricted to the BER serialization of
         the following ASN.1 type:
             FLOATTYPE ::= [120] IMPLICIT FloatType
         (note: the value 120 is the sum of '30'h and '48'h)
         The BER serialization of the length for values of
         this type must use the definite length, short
         encoding form.

         For example, the BER serialization of value 123
         of type FLOATTYPE is '9f780442f60000'h. (The tag
         is '9f78'h; the length is '04'h; and the value is
         '42f60000'h.) The BER serialization of value
         '9f780442f60000'h of data type Opaque is
         '44079f780442f60000'h. (The tag is '44'h; the length
         is '07'h; and the value is '9f780442f60000'h.)"
    SYNTAX Opaque (SIZE (7))

--
-- Memory usage/watch reporting.
--
bwSysMemory OBJECT IDENTIFIER ::= { Borderware 4 }

memIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Bogus Index. This should always return the integer 0."
    ::= { bwSysMemory 1 }

memErrorName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Bogus Name. This should always return the string 'swap'."
    ::= { bwSysMemory 2 }

memTotalSwap OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Swap Size configured for the host."
    ::= { bwSysMemory 3 }

memAvailSwap OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Available Swap Space on the host."
    ::= { bwSysMemory 4 }

memTotalReal OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Real/Physical Memory Size on the host."
    ::= { bwSysMemory 5 }

memAvailReal OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Available Real/Physical Memory Space on the host."
    ::= { bwSysMemory 6 }

memTotalSwapTXT OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total virtual memory used by text."
    ::= { bwSysMemory 7 }

memAvailSwapTXT OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Active virtual memory used by text."
    ::= { bwSysMemory 8 }

memTotalRealTXT OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Real/Physical Memory Size used by text."
    ::= { bwSysMemory 9 }

memAvailRealTXT OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Active Real/Physical Memory Space used by text."
    ::= { bwSysMemory 10 }

memTotalFree OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Available Memory on the host"
    ::= { bwSysMemory 11 }

memMinimumSwap OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Minimum amount of swap required to be free, or else
         memSwapError is set to 1 and an error string is
         returned in memSwapErrorMsg."
    ::= { bwSysMemory 12 }

memShared OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Shared Memory"
    ::= { bwSysMemory 13 }

memBuffer OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Buffered Memory"
    ::= { bwSysMemory 14 }

memCached OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total Cached Memory"
    ::= { bwSysMemory 15 }

memSwapError OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Error flag. 1 indicates very little swap space left"
    ::= { bwSysMemory 100 }

memSwapErrorMsg OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Error message describing the Error Flag condition"
    ::= { bwSysMemory 101 }

dskTable OBJECT-TYPE
    SYNTAX SEQUENCE OF DskEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Disk watching information. Partitions to be watched
         are configured by the snmpd.conf file of the agent."
    ::= { Borderware 9 }

dskEntry OBJECT-TYPE
    SYNTAX DskEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "An entry containing a disk and its statistics."
    INDEX { dskIndex }
    ::= { dskTable 1 }

DskEntry ::= SEQUENCE {
    dskIndex        Integer32,
    dskPath         DisplayString,
    dskDevice       DisplayString,
    dskMinimum      Integer32,
    dskMinPercent   Integer32,
    dskTotal        Integer32,
    dskAvail        Integer32,
    dskUsed         Integer32,
    dskPercent      Integer32,
    dskPercentNode  Integer32,
    dskErrorFlag    Integer32,
    dskErrorMsg     DisplayString
}

dskIndex OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Integer reference number (row number) for the disk mib."
    ::= { dskEntry 1 }

dskPath OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Path where the disk is mounted."
    ::= { dskEntry 2 }

dskDevice OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Path of the device for the partition"
    ::= { dskEntry 3 }

dskMinimum OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Minimum space required on the disk (in kBytes) before the
         errors are triggered. Either this or dskMinPercent is
         configured via the agent's snmpd.conf file."
    ::= { dskEntry 4 }

dskMinPercent OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Percentage of minimum space required on the disk before the
         errors are triggered. Either this or dskMinimum is
         configured via the agent's snmpd.conf file."
    ::= { dskEntry 5 }

dskTotal OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Total size of the disk/partition (kBytes)"
    ::= { dskEntry 6 }

dskAvail OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Available space on the disk"
    ::= { dskEntry 7 }

dskUsed OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Used space on the disk"
    ::= { dskEntry 8 }

dskPercent OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Percentage of space used on disk"
    ::= { dskEntry 9 }

dskPercentNode OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Percentage of inodes used on disk"
    ::= { dskEntry 10 }

dskErrorFlag OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Error flag signaling that the disk or partition is under
         the minimum required space configured for it."
    ::= { dskEntry 100 }

dskErrorMsg OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A text description providing a warning and the space left
         on the disk."
    ::= { dskEntry 101 }

systemStats OBJECT IDENTIFIER ::= { Borderware 11 }

ssIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Reference Index for each observed systemStat (1)."
    ::= { systemStats 1 }

ssErrorName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The list of systemStats names (vmstat) we're Counting."
    ::= { systemStats 2 }

ssSwapIn OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Amount of memory swapped in from disk (kB/s)."
    ::= { systemStats 3 }

ssSwapOut OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Amount of memory swapped to disk (kB/s)."
    ::= { systemStats 4 }

ssIOSent OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "Blocks sent to a block device (blocks/s). Deprecated, replaced by
         the ssIORawSent object"
    ::= { systemStats 5 }

ssIOReceive OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "Blocks received from a block device (blocks/s). Deprecated, replaced by
         the ssIORawReceived object"
    ::= { systemStats 6 }

ssSysInterrupts OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The number of interrupts per second, including the clock.
         Deprecated, replaced by ssRawInterrupts"
    ::= { systemStats 7 }

ssSysContext OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "The number of context switches per second.
         Deprecated, replaced by ssRawContexts"
    ::= { systemStats 8 }

ssCpuUser OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "percentages of user CPU time. Deprecated, replaced by the ssCpuRawUser
         object"
    ::= { systemStats 9 }

ssCpuSystem OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "percentages of system CPU time. Deprecated, replaced by the
         ssCpuRawSystem object"
    ::= { systemStats 10 }

ssCpuIdle OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS deprecated
    DESCRIPTION
        "percentages of idle CPU time. Deprecated, replaced by the
         ssCpuRawIdle object"
    ::= { systemStats 11 }

-- The agent only implements those of the following counters that the
-- kernel supports! Don't expect all to be present.

ssCpuRawUser OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "user CPU time."
    ::= { systemStats 50 }

ssCpuRawNice OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "nice CPU time."
    ::= { systemStats 51 }

ssCpuRawSystem OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "system CPU time."
    ::= { systemStats 52 }

ssCpuRawIdle OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "idle CPU time."
    ::= { systemStats 53 }

ssCpuRawWait OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "iowait CPU time. This is primarily a SysV thingie"
    ::= { systemStats 54 }

ssCpuRawKernel OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "kernel CPU time."
    ::= { systemStats 55 }

ssCpuRawInterrupt OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "interruptlevel CPU time. This is primarily a BSD thingie"
    ::= { systemStats 56 }

ssIORawSent OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of requests sent to a block device"
    ::= { systemStats 57 }

ssIORawReceived OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of requests received from a block device"
    ::= { systemStats 58 }

ssRawInterrupts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of interrupts processed"
    ::= { systemStats 59 }

ssRawContexts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of context switches"
    ::= { systemStats 60 }

END
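The Float textual convention in Borderware-MIB above gives one worked value: 123 encodes as the FLOATTYPE '9f780442f60000'h and, wrapped in Opaque, as '44079f780442f60000'h. The following Python is an added example, not Borderware code: it implements that encoding with the standard library, decodes it strictly (short definite length, exact tags), and reproduces the value from the DESCRIPTION.

```python
"""Encode/decode the Float textual convention from Borderware-MIB.

Added example, not Borderware code. Reproduces the worked value in the
TEXTUAL-CONVENTION: 123.0 -> FLOATTYPE '9f780442f60000'h, wrapped in
Opaque as '44079f780442f60000'h.
"""
import struct

# [120] IMPLICIT: context-specific, primitive, high-tag-number form
# (0x9f), followed by the tag number 120 (0x78) in one base-128 byte.
FLOAT_TAG = bytes.fromhex("9f78")
OPAQUE_TAG = 0x44   # SNMP Opaque: APPLICATION 4, primitive


def encode_floattype(value: float) -> bytes:
    """BER-encode an IEEE 754 single as a [120] IMPLICIT FloatType value."""
    payload = struct.pack(">f", value)                  # 4 bytes, big-endian
    return FLOAT_TAG + bytes([len(payload)]) + payload  # definite short length


def wrap_opaque(inner: bytes) -> bytes:
    """Wrap already-encoded BER in an SNMP Opaque with short-form length."""
    if len(inner) > 127:
        raise ValueError("short-form length required")
    return bytes([OPAQUE_TAG, len(inner)]) + inner


def encode_opaque_float(value: float) -> bytes:
    return wrap_opaque(encode_floattype(value))


def decode_opaque_float(data: bytes) -> float:
    """Strict decoder: accepts only the exact 9-byte Opaque/FLOATTYPE shape
    the textual convention allows, and rejects anything else."""
    if len(data) != 9 or data[0] != OPAQUE_TAG or data[1] != 7:
        raise ValueError("not a 7-byte Opaque")
    inner = data[2:]
    if inner[:2] != FLOAT_TAG or inner[2] != 4:
        raise ValueError("not a FLOATTYPE of length 4")
    return struct.unpack(">f", inner[3:])[0]


if __name__ == "__main__":
    encoded = encode_opaque_float(123.0)
    print(encoded.hex())                 # 44079f780442f60000
    print(decode_opaque_float(encoded))  # 123.0
```

Rejecting any length other than the one the convention fixes is deliberate: a lenient decoder that trusted the inner length byte would be the usual way an SNMP value parser ends up reading past the end of a short varbind.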

Borderware-SMG-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    OBJECT-TYPE, OBJECT-IDENTITY, MODULE-IDENTITY, Counter32, Integer32
        FROM SNMPv2-SMI
    DisplayString
        FROM SNMPv2-TC
    Borderware, bwProducts, bwProductId
        FROM Borderware-MIB;

bwMailFirewall MODULE-IDENTITY
    LAST-UPDATED "200405260000Z"
    ORGANIZATION "Borderware Technology Inc."
    CONTACT-INFO "[email protected] "
    DESCRIPTION  "The private Borderware Mail Firewall SNMP extensions."
    REVISION     "200405260000Z"
    DESCRIPTION  "Draft. "
    ::= { bwProducts 11 }

bwMailFirewall4           OBJECT IDENTIFIER ::= { bwProductId 11 }
bwMailFirewallConformance OBJECT IDENTIFIER ::= { bwMailFirewall 3 }

-- Conformance information --------------------------------------------
bwMailFirewallCompliances OBJECT IDENTIFIER ::= { bwMailFirewallConformance 1 }
bwMailFirewallGroups      OBJECT IDENTIFIER ::= { bwMailFirewallConformance 2 }

-- Compliance statements ----------------------------------------------
bwMailFirewallCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION "The compliance statement for SNMP entities which
                 implement the Borderware-SMG-MIB. "
    MODULE -- this module
        MANDATORY-GROUPS { bwMessagesGroup }
    ::= { bwMailFirewallCompliances 1 }

-- Group declarations --------------------------------------------------
bwMessagesGroup OBJECT-GROUP
    OBJECTS { queuedMessages, deferredMessages, totalMessages }
    STATUS current
    DESCRIPTION "A collection of objects providing for remote
                 monitoring of current condition of mail handler. "
    ::= { bwMailFirewallGroups 1 }

bwMailStatsGroup OBJECT-GROUP
    OBJECTS { mailInterval, mailRcvd, mailSent, mailSpam,
              mailReject, mailVirus, mailClean }
    STATUS current
    DESCRIPTION "A collection of objects providing for remote
                 monitoring of historical condition of mail handler. "
    ::= { bwMailFirewallGroups 2 }

-- Table definitions -----------------------------------------------------
-- mailTable holds the historical rows (mailEntry, indexed by mailInterval);
-- the current counters hang off the same node as the mailStatus subtree.
mailTable OBJECT-TYPE
    SYNTAX SEQUENCE OF MailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "Complete mail activity summary."
    ::= { bwMailFirewall 10 }

mailEntry OBJECT-TYPE
    SYNTAX MailEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "An entry containing mail statistics."
    INDEX { mailInterval }
    ::= { mailTable 1 }

MailEntry ::= SEQUENCE {
    mailInterval  DisplayString,
    mailRcvd      Counter32,
    mailSent      Counter32,
    mailSpam      Counter32,
    mailReject    Counter32,
    mailVirus     Counter32,
    mailClean     Counter32
}

mailStatus OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "The entry for current stats on MTA"
    ::= { mailTable 2 }

-- The current data ----------------------------------------------------
queuedMessages OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The number of queued mail messages."
    ::= { mailStatus 1 }

deferredMessages OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The number of deferred mail messages."
    ::= { mailStatus 2 }

totalMessages OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "The total number of mail messages."
    ::= { mailStatus 3 }

-- The historical data -------------------------------------------------
mailInterval OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Time interval pertaining to the data in this sequence."
    ::= { mailEntry 1 }

mailRcvd OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of received messages for this interval."
    ::= { mailEntry 2 }

mailSent OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of sent messages for this interval."
    ::= { mailEntry 3 }

mailSpam OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of spam messages for this interval."
    ::= { mailEntry 4 }

mailReject OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of rejected messages for this interval"
    ::= { mailEntry 5 }

mailVirus OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of messages identified as containing a
         virus for this interval."
    ::= { mailEntry 6 }

mailClean OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Number of clean messages for this interval."
    ::= { mailEntry 7 }

END

MIB OID Values

The following describes the SNMP MIB OID values:

.1.3.6.1.4.1.8673 ->
.1.1.100.1.0 = bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0 = INTEGER: 0
.1.1.100.4.0 = bwProducts.bwFirewall.bwAlarm.alLastChange.0 = STRING: 0-1-1,0:0:0.0
.1.1.100.9.0 = bwProducts.bwFirewall.bwAlarm.alName.0 = STRING: None
.1.1.100.10.0 = bwProducts.bwFirewall.bwAlarm.alRemoteIpAddr.0 = IpAddress: 0.0.0.0
.1.1.100.15.0 = bwProducts.bwFirewall.bwAlarm.alDestPort.0 = INTEGER: 0
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 = STRING: Hour
.1.11.10.1.1.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.2 = STRING: Day
.1.11.10.1.1.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.3 = STRING: Week
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 = Counter32: 5
.1.11.10.1.2.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.2 = Counter32: 12
.1.11.10.1.2.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.3 = Counter32: 42
.1.11.10.1.3.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.1 = Counter32: 7
.1.11.10.1.3.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.2 = Counter32: 19
.1.11.10.1.3.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.3 = Counter32: 50
.1.11.10.1.4.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.1 = Counter32: 0
.1.11.10.1.4.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.2 = Counter32: 0
.1.11.10.1.4.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.3 = Counter32: 0
.1.11.10.1.5.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.1 = Counter32: 0
.1.11.10.1.5.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.2 = Counter32: 0
.1.11.10.1.5.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.3 = Counter32: 5
.1.11.10.1.6.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.1 = Counter32: 0
.1.11.10.1.6.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.2 = Counter32: 0
.1.11.10.1.6.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.3 = Counter32: 0
.1.11.10.1.7.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.1 = Counter32: 0
.1.11.10.1.7.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.2 = Counter32: 3
.1.11.10.1.7.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.3 = Counter32: 4
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 0
.1.11.10.2.2 = bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 0
.1.11.10.2.3 = bwProducts.bwMailFirewall.mailTable.mailStatus.totalMessages = Counter32: 0
.4.1.0 = bwSysMemory.memIndex.0 = INTEGER: 0
.4.2.0 = bwSysMemory.memErrorName.0 = STRING: swap
.4.3.0 = bwSysMemory.memTotalSwap.0 = INTEGER: 262016
.4.4.0 = bwSysMemory.memAvailSwap.0 = INTEGER: 260928
.4.5.0 = bwSysMemory.memTotalReal.0 = INTEGER: 104264
.4.6.0 = bwSysMemory.memAvailReal.0 = INTEGER: 46684
.4.11.0 = bwSysMemory.memTotalFree.0 = INTEGER: 46696
.4.12.0 = bwSysMemory.memMinimumSwap.0 = INTEGER: 16000
.4.13.0 = bwSysMemory.memShared.0 = INTEGER: 29000
.4.14.0 = bwSysMemory.memBuffer.0 = INTEGER: 22640
.4.15.0 = bwSysMemory.memCached.0 = INTEGER: 12
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 0
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING:
.9.1.1.1 = dskTable.dskEntry.dskIndex.1 = INTEGER: 1
.9.1.1.2 = dskTable.dskEntry.dskIndex.2 = INTEGER: 2
.9.1.1.3 = dskTable.dskEntry.dskIndex.3 = INTEGER: 3
.9.1.1.4 = dskTable.dskEntry.dskIndex.4 = INTEGER: 4
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail
.9.1.2.2 = dskTable.dskEntry.dskPath.2 = STRING: /server/ftp/log
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var
.9.1.2.4 = dskTable.dskEntry.dskPath.4 = STRING: /backup
.9.1.3.1 = dskTable.dskEntry.dskDevice.1 = STRING: /dev/ad0s2e
.9.1.3.2 = dskTable.dskEntry.dskDevice.2 = STRING: /dev/ad0s2d
.9.1.3.3 = dskTable.dskEntry.dskDevice.3 = STRING: /dev/ad0s2f
.9.1.3.4 = dskTable.dskEntry.dskDevice.4 = STRING: /dev/ad0s2g
.9.1.4.1 = dskTable.dskEntry.dskMinimum.1 = INTEGER: -1
.9.1.4.2 = dskTable.dskEntry.dskMinimum.2 = INTEGER: -1
.9.1.4.3 = dskTable.dskEntry.dskMinimum.3 = INTEGER: -1
.9.1.4.4 = dskTable.dskEntry.dskMinimum.4 = INTEGER: -1
.9.1.5.1 = dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10
.9.1.5.2 = dskTable.dskEntry.dskMinPercent.2 = INTEGER: 10
.9.1.5.3 = dskTable.dskEntry.dskMinPercent.3 = INTEGER: 10
.9.1.5.4 = dskTable.dskEntry.dskMinPercent.4 = INTEGER: 10
.9.1.6.1 = dskTable.dskEntry.dskTotal.1 = INTEGER: 2834414
.9.1.6.2 = dskTable.dskEntry.dskTotal.2 = INTEGER: 2834414
.9.1.6.3 = dskTable.dskEntry.dskTotal.3 = INTEGER: 2834414
.9.1.6.4 = dskTable.dskEntry.dskTotal.4 = INTEGER: 2834414
.9.1.7.1 = dskTable.dskEntry.dskAvail.1 = INTEGER: 2607590
.9.1.7.2 = dskTable.dskEntry.dskAvail.2 = INTEGER: 2576054
.9.1.7.3 = dskTable.dskEntry.dskAvail.3 = INTEGER: 2499830
.9.1.7.4 = dskTable.dskEntry.dskAvail.4 = INTEGER: 2607660
.9.1.8.1 = dskTable.dskEntry.dskUsed.1 = INTEGER: 72
.9.1.8.2 = dskTable.dskEntry.dskUsed.2 = INTEGER: 31608
.9.1.8.3 = dskTable.dskEntry.dskUsed.3 = INTEGER: 107832
.9.1.8.4 = dskTable.dskEntry.dskUsed.4 = INTEGER: 2
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0
.9.1.9.2 = dskTable.dskEntry.dskPercent.2 = INTEGER: 1
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 4
.9.1.9.4 = dskTable.dskEntry.dskPercent.4 = INTEGER: 0
.9.1.100.1 = dskTable.dskEntry.dskErrorFlag.1 = INTEGER: 0
.9.1.100.2 = dskTable.dskEntry.dskErrorFlag.2 = INTEGER: 0
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 0
.9.1.100.4 = dskTable.dskEntry.dskErrorFlag.4 = INTEGER: 0
.9.1.101.1 = dskTable.dskEntry.dskErrorMsg.1 = STRING:
.9.1.101.2 = dskTable.dskEntry.dskErrorMsg.2 = STRING:
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:
.9.1.101.4 = dskTable.dskEntry.dskErrorMsg.4 = STRING:
.11.1.0 = systemStats.ssIndex.0 = INTEGER: 1
.11.2.0 = systemStats.ssErrorName.0 = STRING: systemStats
.11.3.0 = systemStats.ssSwapIn.0 = INTEGER: 0
.11.4.0 = systemStats.ssSwapOut.0 = INTEGER: 0
.11.7.0 = systemStats.ssSysInterrupts.0 = INTEGER: 233
.11.8.0 = systemStats.ssSysContext.0 = INTEGER: 49
.11.9.0 = systemStats.ssCpuUser.0 = INTEGER: 1
.11.10.0 = systemStats.ssCpuSystem.0 = INTEGER: 7
.11.11.0 = systemStats.ssCpuIdle.0 = INTEGER: 91
.11.50.0 = systemStats.ssCpuRawUser.0 = Counter32: 483
.11.51.0 = systemStats.ssCpuRawNice.0 = Counter32: 0
.11.52.0 = systemStats.ssCpuRawSystem.0 = Counter32: 2859
.11.53.0 = systemStats.ssCpuRawIdle.0 = Counter32: 20860
.11.55.0 = systemStats.ssCpuRawKernel.0 = Counter32: 2752
.11.56.0 = systemStats.ssCpuRawInterrupt.0 = Counter32: 107
.11.59.0 = systemStats.ssRawInterrupts.0 = Counter32: 47574
.11.60.0 = systemStats.ssRawContexts.0 = Counter32: 10795
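The MIB definitions and the OID listing above together describe what the appliance exposes over SNMP; the following added example (not from the guide or the vendor) parses walk output in the listed `<suffix> = <symbolic name> = <TYPE>: <value>` form, rebuilds full OIDs under .1.3.6.1.4.1.8673, groups the mailTable rows by their mailInterval label and derives monitoring alerts from deferredMessages, the per-interval mailVirus counter and the disk table. The sample lines and the thresholds are constructed, and reading dskMinPercent as the minimum free-space percentage follows UCD-SNMP-MIB usage and is assumed to apply here.

```python
"""Parse an ePrism SNMP walk in the shape of the guide's "MIB OID Values"
listing and derive monitoring alerts from it.

Added example, not from the ePrism guide or the vendor; walk lines and
thresholds are constructed for illustration."""
import re
from dataclasses import dataclass

# Enterprise prefix printed at the top of the guide's OID listing.
ENTERPRISE_PREFIX = ".1.3.6.1.4.1.8673"

# Constructed sample: "<suffix> = <symbolic name> = <TYPE>: <value>" per line.
SAMPLE_WALK = """\
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 = STRING: Hour
.1.11.10.1.1.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.2 = STRING: Day
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 = Counter32: 5
.1.11.10.1.2.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.2 = Counter32: 12
.1.11.10.1.6.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.1 = Counter32: 0
.1.11.10.1.6.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.2 = Counter32: 3
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 0
.1.11.10.2.2 = bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 250
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var
.9.1.5.1 = dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10
.9.1.5.3 = dskTable.dskEntry.dskMinPercent.3 = INTEGER: 10
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 94
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:
"""

# One variable binding per line; a STRING value may be empty (dskErrorMsg).
LINE_RE = re.compile(r"^(\.[\d.]+)\s*=\s*([\w.]+)\s*=\s*(\w+):\s*(.*)$")


@dataclass
class Binding:
    oid: str       # full numeric OID (prefix + suffix)
    name: str      # symbolic name as printed by the agent
    type_: str     # STRING, Counter32, INTEGER, IpAddress
    value: object  # int for Counter32/INTEGER, str otherwise


def parse_walk(text, prefix=ENTERPRISE_PREFIX):
    """Parse every non-empty line; reject anything that is not a binding."""
    bindings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised walk line: {line!r}")
        suffix, name, typ, raw = m.groups()
        value = int(raw) if typ in ("Counter32", "INTEGER") else raw
        bindings.append(Binding(prefix + suffix, name, typ, value))
    return bindings


def column_index(name):
    """'...mailEntry.mailRcvd.2' -> ('mailRcvd', '2'); a scalar such as
    '...mailStatus.queuedMessages' -> ('queuedMessages', None)."""
    parts = name.split(".")
    return (parts[-2], parts[-1]) if parts[-1].isdigit() else (parts[-1], None)


def table_rows(bindings, marker):
    """Group bindings whose name contains `marker` into {index: {column: value}}."""
    rows = {}
    for b in bindings:
        if marker in b.name:
            col, idx = column_index(b.name)
            rows.setdefault(idx, {})[col] = b.value
    return rows


def mail_stats(bindings):
    """mailTable rows keyed by their mailInterval label (Hour/Day/Week)."""
    stats = {}
    for idx, row in table_rows(bindings, ".mailTable.mailEntry.").items():
        label = row.get("mailInterval", idx)
        stats[label] = {k: v for k, v in row.items() if k != "mailInterval"}
    return stats


def evaluate(bindings, max_deferred=100, max_virus=0):
    """Return alert strings; thresholds are assumptions, not vendor defaults.
    dskMinPercent is read as minimum free-space percent (UCD-SNMP semantics,
    assumed to hold here) and dskPercent as percent used."""
    alerts = []
    status = {column_index(b.name)[0]: b.value
              for b in bindings if ".mailStatus." in b.name}
    deferred = status.get("deferredMessages", 0)
    if deferred > max_deferred:
        alerts.append(f"deferred queue {deferred} exceeds {max_deferred}")
    for interval, cols in mail_stats(bindings).items():
        if cols.get("mailVirus", 0) > max_virus:
            alerts.append(f"{interval}: {cols['mailVirus']} virus-carrying messages")
    for idx, disk in table_rows(bindings, ".dskEntry.").items():
        free = 100 - disk.get("dskPercent", 0)
        minimum = disk.get("dskMinPercent", 0)
        if free < minimum:
            alerts.append(f"{disk.get('dskPath', idx)}: {free}% free, minimum {minimum}%")
    return alerts
```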

APPENDIX G Third Party Copyrights and Licenses

Apache

Apache License

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions.

Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

Curl, Libcurl

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>.

All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

Cyrus-SASL

CMU libsasl
Tim Martin
Rob Earhart

Copyright (c) 2000 Carnegie Mellon University. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any other legal details, please contact Office of Technology Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213-3890, (412) 268-4387, fax: (412) 268-7395, [email protected]

4. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

DCC

Distributed Checksum Clearinghouse

Copyright (c) 2004 by Rhyolite Software

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Copyright (c) 1987, 1993, 1994

The Regents of the University of California. All rights reserved.

File

Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. Software written by Ian F. Darwin and others; maintained 1994-1999 Christos Zoulas.

This software is not subject to any export provision of the United States Department of Commerce, and may be exported to any country or planet.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice immediately at the beginning of the file, without modification, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

This product includes software developed by Ian F. Darwin and others.

4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

FreeBSD

Copyright 1994-2004 The FreeBSD Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the FreeBSD Project.

FreeType

The FreeType Project LICENSE
2000-Feb-08
Copyright 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg

Introduction
============

The FreeType Project is distributed in several archive packages; some of them may contain, in addition to the FreeType font engine, various tools and contributions which rely on, or relate to, the FreeType Project.

This license applies to all files found in such packages, and which do not fall under their own explicit license. The license affects thus the FreeType font engine, the test programs, documentation and makefiles, at the very least.

This license was inspired by the BSD, Artistic, and IJG (Independent JPEG Group) licenses, which all encourage inclusion and use of free software in commercial and freeware products alike. As a consequence, its main points are that:

* We don't promise that this software works. However, we will be interested in any kind of bug reports. (`as is' distribution)

* You can use this software for whatever you want, in parts or full form, without having to pay us. (`royalty-free' usage)

* You may not pretend that you wrote this software. If you use it, or only parts of it, in a program, you must acknowledge somewhere in your documentation that you have used the FreeType code. (`credits')

We specifically permit and encourage the inclusion of this software, with or without modifications, in commercial products. We disclaim all warranties covering The FreeType Project and assume no liability related to The FreeType Project.

Legal Terms
===========

Definitions
-----------

Throughout this license, the terms `package', `FreeType Project', and `FreeType archive' refer to the set of files originally distributed by the authors (David Turner, Robert Wilhelm, and Werner Lemberg) as the `FreeType Project', be they named as alpha, beta or final release.

'You' refers to the licensee, or person using the project, where `using' is a generic term including compiling the project's source code as well as linking it to form a `program' or `executable'. This program is referred to as `a program using the FreeType engine'.

This license applies to all files distributed in the original FreeType Project, including all source code, binaries and documentation, unless otherwise stated in the file in its original, unmodified form as distributed in the original archive.

If you are unsure whether or not a particular file is covered by this license, you must contact us to verify this.

The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg. All rights reserved except as specified below.

1. No Warranty
--------------

THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO USE, OF THE FREETYPE PROJECT.

2. Redistribution
-----------------

This license grants a worldwide, royalty-free, perpetual and irrevocable right and license to use, execute, perform, compile, display, copy, create derivative works of, distribute and sublicense the FreeType Project (in both source and object code forms) and derivative works thereof for any purpose; and to authorize others to exercise some or all of the rights granted herein, subject to the following conditions:

* Redistribution of source code must retain this license file (`LICENSE.TXT') unaltered; any additions, deletions or changes to the original files must be clearly indicated in accompanying documentation. The copyright notices of the unaltered, original files must be preserved in all copies of source files.

* Redistribution in binary form must provide a disclaimer that states that the software is based in part of the work of the FreeType Team, in the distribution documentation. We also encourage you to put an URL to the FreeType web page in your documentation, though this isn't mandatory.

These conditions apply to any software derived from or based on the FreeType Project, not just the unmodified files. If you use our work, you must acknowledge us. However, no fee need be paid to us.

3. Advertising
--------------

Neither the FreeType authors and contributors nor you shall use the name of the other for commercial, advertising, or promotional purposes without specific prior written permission.

We suggest, but do not require, that you use one or more of the following phrases to refer to this software in your documentation or advertising materials: `FreeType Project', `FreeType Engine', `FreeType library', or `FreeType Distribution'.

As you have not signed this license, you are not required to accept it. However, as the FreeType Project is copyrighted material, only this license, or another one contracted with the authors, grants you the right to use, distribute, and modify it. Therefore, by using, distributing, or modifying the FreeType Project, you indicate that you understand and accept all the terms of this license.

4. Contacts
-----------

There are two mailing lists related to FreeType:

* [email protected]

Discusses general use and applications of FreeType, as well as future and wanted additions to the library and distribution. If you are looking for support, start in this list if you haven't found anything to help you in the documentation.

* [email protected]

Discusses bugs, as well as engine internals, design issues, specific licenses, porting, etc.

* http://www.freetype.org

Holds the current FreeType web page, which will allow you to download our latest development version and read online documentation.

You can also contact us individually at:

David Turner <[email protected]>
Robert Wilhelm <[email protected]>
Werner Lemberg <[email protected]>

GD Graphics Library

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health.

Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002, 2003, 2004 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002, 2003, 2004 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002, 2003, 2004 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002, 2003, 2004 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, 2003, 2004, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.

Portions relating to GIF compression copyright 1989 by Jef Poskanzer and David Rowley, with modifications for thread safety by Thomas Boutell.


Portions relating to GIF decompression copyright 1990, 1991, 1993 by David Koblas, with modifications for thread safety by Thomas Boutell.

Portions relating to WBMP copyright 2000, 2001, 2002, 2003, 2004 Maurice Szmurlo and Johan Van den Brande.

Portions relating to GIF animations copyright 2004 Jaakko Hyvätti ([email protected])

Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.

This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation.

This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.

Although their code does not appear in the current release, the authors also wish to thank Hutchison Avenue Software Corporation for their prior contributions.

Info-ZIP

Copyright (c) 1990-2003 Info-ZIP. All rights reserved.

For the purposes of this copyright and license, "Info-ZIP" is defined as the following set of individuals:

Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi, Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury, Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich Wales, Mike White

This software is provided "as is," without warranty of any kind, express or implied. In no event shall Info-ZIP or its contributors be held liable for any direct, indirect, incidental, special or consequential damages arising out of the use of or inability to use this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. Redistributions of source code must retain the above copyright notice, definition, disclaimer, and this list of conditions.


2. Redistributions in binary form (compiled executables) must reproduce the above copyright notice, definition, disclaimer, and this list of conditions in documentation and/or other materials provided with the distribution. The sole exception to this condition is redistribution of a standard UnZipSFX binary (including SFXWiz) as part of a self-extracting archive; that is permitted without inclusion of this license, as long as the normal SFX banner has not been removed from the binary or disabled.

3. Altered versions--including, but not limited to, ports to new operating systems, existing ports with new graphical interfaces, and dynamic, shared, or static library versions--must be plainly marked as such and must not be misrepresented as being the original source. Such altered versions also must not be misrepresented as being Info-ZIP releases--including, but not limited to, labeling of the altered versions with the names "Info-ZIP" (or any variation thereof, including, but not limited to, different capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the explicit permission of Info-ZIP. Such altered versions are further prohibited from misrepresentative use of the ip-Bugs or Info-ZIP e-mail addresses or of the Info-ZIP URL(s).

4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and binary releases.

JPEG

The authors make NO WARRANTY or representation, either express or implied, with respect to this software, its quality, accuracy, merchantability, or fitness for a particular purpose. This software is provided "AS IS", and you, its user, assume the entire risk as to its quality and accuracy.

This software is copyright (C) 1991-1998, Thomas G. Lane.

All Rights Reserved except as specified below.

Permission is hereby granted to use, copy, modify, and distribute this software (or portions thereof) for any purpose, without fee, subject to these conditions:

(1) If any part of the source code for this software is distributed, then this README file must be included, with this copyright and no-warranty notice unaltered; and any additions, deletions, or changes to the original files must be clearly indicated in accompanying documentation.

(2) If only executable code is distributed, then the accompanying documentation must state that "this software is based in part on the work of the Independent JPEG Group".

(3) Permission for use of this software is granted only if the user accepts full responsibility for any undesirable consequences; the authors accept NO LIABILITY for damages of any kind.

These conditions apply to any software derived from or based on the IJG code, not just to the unmodified library. If you use our work, you ought to acknowledge us.


Permission is NOT granted for the use of any IJG author's name or company name in advertising or publicity relating to this software or products derived from it. This software may be referred to only as "the Independent JPEG Group's software".

We specifically permit and encourage the use of this software as the basis of commercial products, provided that all warranty or liability claims are assumed by the product vendor.

Libspf

The libspf Software License, Version 1.0

Copyright (c) 2004 James Couzens & Sean Comeau. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

ModSSL

Copyright (c) 1998-2004 Ralf S. Engelschall. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/)."


4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/)."

THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Mpack

(C) Copyright 1993,1994 by Carnegie Mellon University

All Rights Reserved.

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Carnegie Mellon University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Portions of this software are derived from code written by Bell Communications Research, Inc. (Bellcore) and by RSA Data Security, Inc. and bear similar copyrights and disclaimers of warranty.


NTP

Copyright (c) David L. Mills 1992-2004

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The University of Delaware makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

OpenLDAP

The OpenLDAP Public License

Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:

1. Redistributions in source form must retain copyright statements and notices,

2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and

3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.


Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

OpenSSH

The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that.

OpenSSH contains no GPL code.

1) Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland. All rights reserved.

As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".

However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see below for details.

Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".

The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.

Cryptographic attack detector for ssh - source code

Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.

Ariel Futoransky <[email protected]> <http://www.core-sdi.com>

3) ssh-keyscan was contributed by David Mazieres under a BSD-style license. Copyright 1995, 1996 by David Mazieres <[email protected]>.

Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.

4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:

@version 3.0 (December 2000)

Optimised ANSI C code for the Rijndael cipher (now AES)

@author Vincent Rijmen <[email protected]>

@author Antoon Bosselaers <[email protected]>

@author Paulo Barreto <[email protected]>

This code is hereby placed in the public domain.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code.

Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:

Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves, Daniel Kouril, Wesley Griffin, Per Allansson, Nils Nordman, Simon Wilkinson

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

OpenSSL

Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).


PAM

Redistribution and use in source and binary forms of Linux-PAM, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain any existing copyright notice, and this entire permission notice in its entirety, including the disclaimer of warranties.

2. Redistributions in binary form must reproduce all prior and current copyright notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of any author may not be used to endorse or promote products derived from this software without their specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU General Public License, in which case the provisions of the GNU GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential conflict between the GNU GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP

The PHP License, version 3.0

Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PostgreSQL

Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group

Portions Copyright (c) 1994, The Regents of the University of California

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.


AAccess Control via Mail Mappings 58Active Directory 23Active Directory LDAP Results Limit 63Activity screen 296, 311Adding a Spam Dictionary 133Admin Login 44Admin User 36Advanced Content Scanning 14Advanced SMTP Settings 52Alarms 306Analysis Code Descriptions 313Annotations 51Anti-Spam Header 128Anti-Virus 85Attachment Content Scanning 100, 104Attachment Control 28, 100, 101Attachment Types 101Authentication 20Authentication log 298

BBackup

Errors 287FTP 281Local Disk 280Naming Conventions 283

BCC (Blind Carbon Copy) 50BorderPost 20, 192BorderWare Security Network (BSN) 136

Statistics Sharing 136Bulk Analysis 19, 124, 143

Servers 145

CCached server passwords 190Centralized Management 288

Console 291Copy Configuration 292

Certificate 95Certificate Authority (CA) 96Chinese character set 149Clustering 45, 232

Activity 242, 297Adding Cluster Members 237Administration 240Backup and Restore 242Configuration 234Console 232Interface 45Network Configuration 234Reporting 242Troubleshooting Cluster Initialization 239

Compliancy 106, 121Configuration Information 270Configuring Spam Controls 127Content Reject Message 52Content Scanning 100, 104Copy Configuration 292CRYPTOCard 20, 36, 176

395

Page 396: ePrism Email Security Appliance User Guide

396

Current Admin and WebMail Users 270Customization 40Customizing Notification and Annotation Messages 333

D
Daily Backup 283
Default Logo 40
Default Mail Relay 50
Default policy 199
Default Spam Words 133
Delete Strong Authentication for Admin 326
Deliver mail to local users 15
Delivery Settings 49
Delivery Warning 51
Diagnostics 269
Dictionaries 121
Dictionary Spam Count 152
Directory Authentication 178
Directory Groups 66
Directory Servers 64
Directory Services 64
Directory Users 66
Disabling Reporting 265
Disk Space Quota 173
DMZ (Demilitarized Zone) 25
DNS 43
DNS Block List (DNSBL) 19, 124, 141
  Domains 142
  Rejects 142
Domain policies 201
DomainKeys 13, 19, 125, 155

E
Enable NULL Character Detect 119
Enable Sending and Receiving 269
Encryption 21, 88, 92
Envelope sender doesn’t match From header 140
Escalation Mail 307
ESMTP (Extended SMTP) 52

F
F5 Load Balancer 244
Factory Default Settings 329
Flush Mail Queue 269, 318

G
Gateway 43
Group policies 203

H
HALO (High Availability and Load Optimization) 21, 232
HELO 52, 111, 113, 131
HELO/EHLO doesn’t match client 140
Hostname Lookup 269, 319

I
IMAP 21, 172
Inbound Attachment Control 100
Intercept 12, 19, 124
  Advanced Features 158
  Component Weights 160
  Decision Strategy 159
Internationalization 24
Invalid HELO/EHLO hostname 139
IP Reputation (IPR) 12, 19, 124, 136
iPlanet 23

J
Japanese character set 149

K
KeepOpen 47
Kernel Log 298
Korean character set 149

L
Large MTU 44
LDAP (Lightweight Directory Access Protocol) 23, 62
LDAP Aliases 56, 70
LDAP Recipients 74, 129
LDAP Routing 79
LDAP SMTP Authenticated relay 76
LDAP SMTP Authentication 83
LDAP Users 129
LDAP Virtual Mappings 60, 72
Load Balancing 22
  Using DNS 233
Local Accounts 173
Log Files 298, 312
Log Rollout and Offload 15
Log TLS info into Received header 93
Login page title 40

M
Mail Access 82
Mail Aliases 30, 55
Mail History 260, 323
Mail Mappings 29, 57
Mail Queue Management 271
Mail Routing 30, 47
Mail Transport log 313
MAILER-DAEMON 49
Malformed messages 19, 100, 119
Masquerade Addresses 50
Maximum mailbox size 174
Maximum message size 28, 82
Maximum Number of Mail Scanners 339
Maximum Number of Parallel Deliveries 338
Maximum Number of Processes 338
Maximum number of recipients 28
Maximum original message text in bounces 15, 49
Maximum recipients per message 82
Maximum time in mail queue 49
Maximum time in queue for bounces 15, 49
Maximum Unknown Recipients 83
Maximum Unknown Recipients Per Message 83
Maximum Unknown Recipients Reject Code 83
Message Body 111
Message Disposition 261, 324
Message Encryption 13, 88
Message Envelope 111
Message Processing Order 331
Messages Log 298
MIB (Management Information Base) 303, 305
MIB OID Values 371
MIME (Multipurpose Internet Mail Extensions) 18
Mirror Accounts 69, 175
Missing client reverse DNS 139
Missing From header 140
Missing sender MX 139
Missing To header 140
MTU 44
Multiple Recipient Reject Mode 15, 53

N
Network Interfaces 43
Network Settings 42
Neutral Words 148
NTP (Network Time Protocol) 43
Number of Database Proxies 340
Number of Heavy Weight Processes 339

O
OCF (Objectionable Content Filter) 28, 100, 108
OpenLDAP 23
Optional Product Licenses 275
Outbound Attachment Control 100

P
Pattern Based Message Filtering (PBMF) 19, 82, 100, 106, 124, 131
  Action 117
  BCC Action 117
  Preferences 117
  Priority 115
Performance Tuning 335
Personal Quarantine Controls 189
Ping 269, 321, 326
Policy 14, 22, 196
  Diagnostics 211
  hierarchy 196
  Verbose Logging 210
POP3 21, 172
Problem Reporting 293

Q
Quarantine Expiry 273
Quarantine Management 272
Queue replication 22, 245
  Interface 247

R
RADIUS 180
Raise Priority of Heavy Weight Processes 339
Raw Mail Body 114
Reboot 278, 326
Received Header 16, 54
Reject Connection From Dial-ups 138
Reject on BSN 28
Reject on BSN Reputation 138
Reject on DNSBL 28, 142
Reject on expired ePrism license 27
Reject on Infection 138
Reject on missing addresses 28, 158
Reject on missing reverse DNS 28, 158
Reject on missing sender MX 28, 158
Reject on non FQDN sender 28, 158
Reject on Threat Prevention 27
Reject on unauth pipelining 27, 158
Reject on unknown recipient 28, 129
Reject on unknown sender domain 28, 158
Relocated Users 30, 181
Remote Authentication 178
Re-Ordering Groups 205
Replication Client 247
Replication Host 247
Reporting SQL Log 298
Reports 250
  Automatic Report Generation 254
  Configuration 264
  Disabling 265
  Fields 255
  Filters 258
  Generating 251
  Viewing 251
Require TLS for SMTP AUTH 93
Rescan User List 205
Reset Network Interface 326
Reset SSL Certificates 326
Respond to Ping 44
Restore
  Errors 287
  FTP 285
  Local Disk 284
Restoring a Cluster Member 242
Restoring from Backup 284
Restoring the Cluster Console 243
RFC 1323 44
RFC 1644 44
Rollout and Offload 301

S
SafeWord 20, 36, 176
Searching Log Files 299
Secure WebMail 20, 188
SecurID 20, 36, 177
Security Connection 24, 277, 326
Send EHLO 16, 53
Sender Policy Framework (SPF) 19, 125, 154
Serial Console 327
Service Throttle Time 341
Show Recipients 297
Shutdown 278, 326
Size of Shared Memory block 341
Size of Temporary Files Filesystem 341
SMTP 21
SMTP Authenticated Relay 83
SMTP Banner 84
SMTP Connect Timeout 340
SMTP HELO Timeout 340
SMTP Notification 53
SMTP Pipelining 52
SMTP port 16
SMTP Probe 269, 320
SMTP Security 93
SMTP Tarpit Time 341
SMTPD Minimum Receive Rate 341
SMTPD Receive Rate Interval 341
SMTPD Timeout 340
SNMP (Simple Network Management Protocol) 23, 44, 303
  Community string 304
  MIBS 343
  Permitted Clients 304
  Trap Hosts 305
Software Updates 276
Spam Dictionaries 13, 19, 124, 132
Spam Quarantine 20, 125, 165, 243
  in a Cluster 170
Specific Access Patterns (SAP) 19, 27, 82, 124, 130
SQL Logging 265
SSL (Secure Socket Layer) 92
SSL Certificates 95
Static Routes 46
Status & Utility 268
Stop and Start Mail Services 269
Strip Received Headers 50
Strong Authentication 36, 173, 176
Support Access 45
Supported web browsers 32
Syslog 300
Syslog Host 43
System Console 35, 325
System event types 262
System History 262
System Logs 298, 312
  Advanced Search 299
System Status 268

T
TCP extensions 44
Threat Prevention 13, 214
Tiered Administration 37, 185
Time before delay warning 49
Time to retain undeliverable notice mail 49
TLS (Transport Layer Security) 21, 92
Token Analysis 19, 125, 146
  Advanced Options 148
  Delete Training 148
  Token 114
  Training 150
  Troubleshooting 153
Traceroute 269, 322, 326
Treat unopenable attachments as viruses 86
Troubleshooting Content Issues 323
Troubleshooting Mail Delivery 310
Troubleshooting Tools 311
Trusted and Untrusted Mail 126
Trusted Senders List 20, 125, 162, 189, 243
Trusted Subnet 44, 126

U
Unauthorized pipelining 140
Unknown HELO/EHLO domain 139
Unknown sender domain 139
UPS 327
User policy 208

V
Vacation Notification 182
Very Malformed Mail 54
Virtual Mappings 30, 59
Virus pattern files 87

W
Web Server Options 39

X
X-STA Header 150
