IBM Lotus Protector for Mail Security Getting Started Guide Version 2.5 GI11-9222-02

Upload: klemen-molk

Post on 07-Apr-2015


IBM Lotus Protector for Mail Security

Getting Started Guide Version 2.5

GI11-9222-02

Copyright statement

© Copyright IBM Corporation 2006, 2009.

U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Publication Date: December 2009

Trademarks and disclaimer

IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™) these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

Microsoft®, Windows®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java™ and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Disclaimer: THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENTATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF IBM SOFTWARE.

Contents

Trademarks and disclaimer

About this publication
    Related publications
    Technical support contacts

Chapter 1. About Lotus Protector for Mail Security
    Overview
    Deploying Lotus Protector for Mail Security

Chapter 2. Installing Lotus Protector for Mail Security on hardware
    System requirements
    Using the Lotus Protector for Mail Security Install DVD
    Completing initial hardware configuration with the Setup Assistant
    Testing basic network settings
    Verifying network connectivity and SMTP settings
    Reinstalling Lotus Protector for Mail Security

Chapter 3. Installing Lotus Protector for Mail Security on a virtual machine
    System requirements
    Installing the VMX file
    Completing initial virtual machine configuration with the Setup Assistant
    Testing basic network settings
    Verifying network connectivity and SMTP settings

Index

About this publication

This section describes the audience for this guide, identifies related publications, and provides contact information.

Audience

Users of this guide should have fundamental knowledge of applying mail security best practices, configuring SMTP services, and if needed, running applications on VMware.

Topics

“Related publications”

“Technical support contacts”

Related publications

Use this topic to help you access information about Lotus® Protector for Mail Security.

Publications

The following documents are available for downloading from the IBM Lotus® Protector for Mail Security Web site at http://www.ibm.com/software/lotus/products/protector/mailsecurity/.

• IBM Lotus® Protector for Mail Security Quick Start Guide Version 2.5
• IBM Lotus® Protector for Mail Security Release Notes Version 2.5
• IBM Lotus® Protector for Mail Security Getting Started Guide Version 2.5
• IBM Lotus® Protector for Mail Security Administrator Guide Version 2.5

License agreement

For licensing information about IBM Lotus Protector, view the IBM Licensing Agreement site at http://www.ibm.com/software/sla/sladb.nsf/search.

Technical support contacts

IBM provides technical support through its Web site and by e-mail message or telephone.

The IBM Lotus Support site

The IBM Lotus Support Web page at http://www.ibm.com/software/lotus/products/protector/mailsecurity/ provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.

Hours of support

The following table provides hours for Technical Support at the Americas and other locations:

Table 1. Hours of technical support

| Location | Hours |
|---|---|
| Americas | 24 hours a day |
| All other locations | Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding IBM published holidays |

Note: If your local support office is located outside the Americas, you may call or send an e-mail to the Americas office for help during off-hours.

Contact information

For contact information, go to the IBM Lotus Support Web page at http://www.ibm.com/services/us/iss/support/.


Chapter 1. About Lotus Protector for Mail Security

This chapter contains introductory information about Lotus Protector for Mail Security.

Topics

“Overview”

“Deploying Lotus Protector for Mail Security”

Overview

Lotus Protector for Mail Security is a key element in the IBM protection platform providing end-to-end coverage of an organization’s network, with leading solutions to security challenges that threaten key endpoints, servers, networks, and gateways.

Spam analysis modules

Lotus Protector for Mail Security uses more than 20 analysis modules for custom scanning of e-mail messages at many different levels. These modules provide the following types of protection:

• Controls content that leaves your network
• Keeps offensive and personal content out of e-mail messages through predefined keyword searches and individual configurable keyword searches
• Prevents phishing attempts with an analysis module that helps guard employees against e-mail messages that target their personal information
• Detects malicious URLs through a URL filter module supported by a large URL filter database
• Inspects e-mail attachments with a virus protection system that takes preemptive action against suspicious code even before it is publicly known
• Supports global business scope with Unicode analysis, allowing for the analysis of e-mail content in a wide variety of character sets, including double-byte characters

Content filtering

Lotus Protector for Mail Security utilizes content filtering powered by vulnerability-based research conducted by the IBM X-Force® research and development team.

The Content Filter Database provides URLs and classification of Web pages, including spam signatures for all known spams (gathered by spam collectors and other sources). IBM ISS Global Data Center delivers updates daily to help you respond to changing spam tactics and threats.

Intrusion prevention

Lotus Protector for Mail Security uses intrusion prevention technology that protects devices and mail servers from attacks, such as denial of service attacks, directory harvest attacks, and buffer overflow attacks.

The Intrusion Prevention Module is powered by IBM X-Force and features the IBM X-Force Virtual Patch® technology that protects systems against attack during the interval between discovery of a vulnerability and the manual application of a security patch.

Rules-based policies

Lotus Protector for Mail Security uses rules-based policies that enable custom spam filtering. A rule defines who (sender and recipient), when (time frames), which analysis modules to use, and which one of more than ten actions to take against e-mail messages.

Predefined reporting

Lotus Protector for Mail Security includes predefined reports that provide details about the current status of the system, such as traffic flow, the top senders and internal recipients of spam-based e-mail messages, and the current mail security policy in place.

Integration with Lotus Domino® and Notes® (version 8.5.1 or later)

You can now use the spam protection features of Lotus Protector for Mail Security from the Notes 8.5.1 (or later) client. The Domino Administrator must specify settings in the Domino Administrator desktop policy to enable this feature. See the IBM Lotus® Protector for Mail Security Administrator Guide Version 2.5 for detailed instructions.

Deploying Lotus Protector for Mail Security

The Administrator who sets up Lotus Protector for Mail Security must make sure all incoming SMTP traffic is routed through Lotus Protector for Mail Security before the traffic is delivered to internal mail servers.

This topic explains methods that are used for Internet mail exchange and how these methods affect or relate to setting up Lotus Protector for Mail Security. You should read this information if you are not familiar with Internet mail exchanger deployments and configuration.

Fast path: If you are only interested in how MX records affect your setup of Lotus Protector for Mail Security, go to the paragraphs labeled Fast path for a brief explanation of that section.

DNS MX records

When an e-mail message is sent through the Internet, the sender of the e-mail message must determine the receiving host name responsible for processing e-mail messages for a domain, which is the domain part of an e-mail address (for example, ibm.com in [email protected]). In order to determine the receiving host name, the sender queries the recipient’s DNS server for Mail eXchanger records (MX records) belonging to the domain found in the domain part of the recipient’s e-mail address. This record typically points to a fully qualified host name (for example, server1.ibm.com) that resolves to an actual IP address (known as an A record).

MX records contain an attribute known as an MX preference. An MX preference is used by the sender to determine the priority of a mail server, in case there are multiple hosts responsible for a single domain. By default, the sending host will choose the mail server with the lowest MX preference value (indicating the lowest cost, like the metric in IP routes) and will fail over to another referenced host with the lowest remaining preference value. If two or more MX records have an identical preference value, the sender might choose a mail server at random (depending on the implementation of the sending server). Identical preferences for several MX record entries are commonly used to distribute load among multiple servers.

Table 2. DNS MX record configuration with failover and load distribution example

| Responsible mail exchangers | MX preference |
|---|---|
| server1.ibm.com | 10 |
| server2.ibm.com | 20 |
| server3.ibm.com | 20 |

For example, assume the MX records for ibm.com are configured like the values shown in Table 2. A sending SMTP server will first try to deliver an e-mail message for [email protected] to server1.ibm.com. If the sending SMTP server is not able to connect to server1.ibm.com, it will choose to deliver the message, at random, to either server2.ibm.com or server3.ibm.com.


Fast path: Sending SMTP servers need to know where to deliver e-mail messages for your domains. Make sure you have set up MX records for all of your domains. Depending on your deployment scenario (see the section on Inbound SMTP traffic), these MX records should point to a host name (A record) that in turn points to a public IP address owned by Lotus Protector for Mail Security.

Note: DNS population can take up to three days on the Internet. If you need to change DNS entries for your environment, make sure you can reroute SMTP traffic to obsolete IP addresses on Lotus Protector for Mail Security during this time.
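
The selection rule from Table 2 and the routing requirement in the Fast path above, as an added Python example that is not part of the original guide: it orders exchangers the way a sending server would and reports any MX target that does not resolve to the mail security system. The IP addresses, A_RECORDS and FILTER_IPS are constructed sample values, and the function names are hypothetical.

```python
import random
from itertools import groupby

# MX records from Table 2: (exchanger host name, MX preference).
TABLE_2 = [
    ("server1.ibm.com", 10),
    ("server2.ibm.com", 20),
    ("server3.ibm.com", 20),
]

# Constructed A records (documentation address ranges), not real data.
A_RECORDS = {
    "server1.ibm.com": "192.0.2.10",
    "server2.ibm.com": "192.0.2.11",
    "server3.ibm.com": "198.51.100.25",  # does not point at the filter
}
# Constructed public addresses owned by the mail security system.
FILTER_IPS = {"192.0.2.10", "192.0.2.11"}


def delivery_order(mx_records, rng=None):
    """Return exchangers in the order a sending server would try them.

    Lower preference values come first. Hosts that share a preference
    value are shuffled, which is how equal preferences distribute load.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    by_preference = sorted(mx_records, key=lambda rec: rec[1])
    for _, group in groupby(by_preference, key=lambda rec: rec[1]):
        hosts = [host for host, _ in group]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def pick_exchanger(mx_records, reachable, rng=None):
    """Return the first reachable exchanger, or None if every attempt fails.

    `reachable` is a set of host names standing in for a successful TCP
    connection to port 25 (an assumption that keeps the example offline).
    """
    for host in delivery_order(mx_records, rng):
        if host in reachable:
            return host
    return None


def unfiltered_exchangers(mx_records, a_records, filter_ips):
    """Return exchangers whose A record is not an address of the filter.

    Senders fail over to every listed exchanger, so each host returned
    here can receive Internet mail that was never analyzed.
    """
    return sorted(
        host for host, _ in mx_records
        if a_records.get(host) not in filter_ips
    )


if __name__ == "__main__":
    print("attempt order:", delivery_order(TABLE_2))
    print("server1 down ->", pick_exchanger(
        TABLE_2, reachable={"server2.ibm.com", "server3.ibm.com"}))
    print("MX targets that bypass the filter:",
          unfiltered_exchangers(TABLE_2, A_RECORDS, FILTER_IPS))
```

Run the last check against every domain you host, including backup exchangers with high preference values, because a sender uses them whenever the preferred host is unreachable.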

Inbound SMTP traffic

When a sending host tries to deliver an e-mail message to a destination SMTP server, as specified by DNS MX records, it tries to establish a connection with the destination host. By design, an e-mail message is not always delivered directly to its destination by the sending server. The sending server might deliver the e-mail message to another SMTP server instead, which is then responsible for delivering the e-mail message. This method is known as relaying; an SMTP server that allows relaying is called an SMTP relay.

Lotus Protector for Mail Security acts as an SMTP relay when it allows sending hosts to relay e-mail messages to your users. Unlike other SMTP relays, Lotus Protector for Mail Security does not store and forward e-mail messages to internal mail servers. Instead, it stores incoming e-mail messages locally until those messages have been analyzed and processed. When an e-mail message has been analyzed, delivery of the e-mail message is either allowed or declined, depending on your policy rules. If delivery of an e-mail message is allowed, Lotus Protector for Mail Security will relay the e-mail message to internal SMTP servers where users connect to access their e-mail accounts.

Most often, Lotus Protector for Mail Security is deployed to receive incoming e-mail messages directly from the Internet, meaning SMTP traffic (on the IP layer) is routed to Lotus Protector for Mail Security by a gateway or firewall.

However, in some scenarios it might be useful or necessary for you to relay incoming e-mail messages through other SMTP servers before passing the messages to Lotus Protector for Mail Security (for example, in cases where you need to perform additional analysis or to compensate for strong peaks in e-mail traffic or network constraints).

Fast path: From a deployment perspective, make sure that all e-mail messages from the Internet can be relayed to Lotus Protector for Mail Security. You might need to adjust firewall rules for SMTP traffic (by default, TCP port 25), add appropriate forwarding rules at your SMTP relays, or reconfigure other preceding devices.

Important: Lotus Protector for Mail Security works as an SMTP relay. It does not analyze data streams on your network and cannot forward or route IP traffic because it is not a gateway. E-mail messages must be relayed via Lotus Protector for Mail Security; inline deployment is not a deployment option for Lotus Protector for Mail Security.

Outbound SMTP traffic

You can also use Lotus Protector for Mail Security to handle outbound SMTP traffic in which it analyzes and relays e-mail messages that are leaving your environment. For example, you can use Lotus Protector for Mail Security to prevent confidential data from leaving your environment by e-mail message, to enforce encrypted delivery of confidential data, to relay e-mail messages to other SMTP servers in case of network constraints, or to generate statistics on outbound traffic.

As mentioned in the section on DNS MX Records, SMTP servers need to determine where to deliver e-mail messages to a specific domain. In general, SMTP servers try to deliver e-mail messages using DNS resolution and by communicating directly to one of the specified servers.

You can also configure SMTP servers to relay all e-mail messages (or only a subset of e-mail messages to configured domains) to other SMTP relays, which in turn are responsible for delivering those e-mail messages. You set up this behavior by adding forwarding rules to the configuration of the SMTP server.

Fast path: If you want to set up Lotus Protector for Mail Security to act as an outbound relay, you will need to add forwarding rules to your internal mail servers that allow them to relay outgoing e-mail messages to Lotus Protector for Mail Security. Because of the built-in anti-relay check, you must add the internal mail servers as relay hosts for Lotus Protector for Mail Security, in order for Lotus Protector for Mail Security to accept e-mail messages to any domain from these hosts. Choose whether Lotus Protector for Mail Security should deliver e-mail messages directly using DNS resolution or if outgoing e-mail messages should be forwarded to other SMTP relays that in turn will take care of delivery.

Note: Lotus Protector for Mail Security will automatically fall back to DNS resolution for domains that do not have a forwarding rule.
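
A simplified model of the anti-relay check and the forwarding fallback described above, added here as an illustration; it is not the product's code. The domains, addresses, configuration names and function names are hypothetical.

```python
import ipaddress

# Constructed configuration values; every name and address is hypothetical.
LOCAL_DOMAINS = {"example.com": "10.0.0.25"}         # domain -> internal SMTP server
RELAY_HOSTS = ["10.0.0.0/24", "10.0.5.17"]           # internal mail servers (IP or subnet)
FORWARD_RULES = {"partner.example": "203.0.113.40"}  # domain -> next SMTP relay


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_relay_host(client_ip, relay_hosts):
    """True if the connecting IP matches a listed address or subnet."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip in ipaddress.ip_network(entry, strict=False)
        for entry in relay_hosts
    )


def accept_recipient(client_ip, rcpt, local_domains, relay_hosts):
    """Anti-relay decision made for each recipient.

    Mail for a local domain is accepted from any host. Mail for any
    other domain is accepted only from a configured relay host, which
    keeps the system from acting as an open relay for the Internet.
    """
    if domain_of(rcpt) in local_domains:
        return True
    return is_relay_host(client_ip, relay_hosts)


def next_hop(rcpt, local_domains, forward_rules):
    """Choose where an accepted message is relayed next."""
    domain = domain_of(rcpt)
    if domain in local_domains:
        return ("internal", local_domains[domain])
    if domain in forward_rules:
        return ("forward", forward_rules[domain])
    # No forwarding rule for this domain: fall back to DNS MX lookup.
    return ("dns-mx", domain)


def handle(client_ip, rcpt, local_domains=LOCAL_DOMAINS,
           relay_hosts=RELAY_HOSTS, forward_rules=FORWARD_RULES):
    """Combine both steps for one (client, recipient) pair."""
    if not accept_recipient(client_ip, rcpt, local_domains, relay_hosts):
        return ("reject", "relaying denied")
    return next_hop(rcpt, local_domains, forward_rules)


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "alice@example.com"),      # Internet -> local domain
        ("198.51.100.7", "bob@elsewhere.example"),  # Internet -> foreign domain
        ("10.0.0.8", "carol@partner.example"),      # internal -> forwarding rule
        ("10.0.5.17", "dave@elsewhere.example"),    # internal -> DNS fallback
    ]
    for client, rcpt in cases:
        print(client, rcpt, "->", handle(client, rcpt))
```

Keep the relay host list as narrow as the internal mail servers that really need it, since every address on it may send to any domain.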


Chapter 2. Installing Lotus Protector for Mail Security on hardware

This chapter provides procedures on installing the hardware version of Lotus Protector for Mail Security.

Topics

“System requirements”

“Using the Lotus Protector for Mail Security Install DVD”

“Completing initial hardware configuration with the Setup Assistant”

“Testing basic network settings”

“Verifying network connectivity and SMTP settings”

“Reinstalling Lotus Protector for Mail Security”

System requirements

Before you install Lotus Protector for Mail Security on the recommended certified hardware, make sure your system meets the requirements listed in this section.

Installation checklist

Verify that you have the necessary items for installing Lotus Protector for Mail Security on hardware:

Table 3. Hardware installation checklist

• Recommended certified hardware models (see the list on http://www.ibm.com/software/lotus/products/protector/mailsecurity/systemrequirements.html)
• Two power connector cables
• Physical Ethernet connection to a switch
• Internet Explorer version 7 or later or Mozilla Firefox version 2 or later
• For each Lotus Protector for Mail Security system, request the following network names and addresses:
    • Static IP address with an appropriate subnet mask
    • DNS name
    • Default gateway IP address

Routing firewall rules

Make sure these ports are available so that Lotus Protector for Mail Security has access to the services it needs:

Table 4. Routing firewall rules

| Service | Port number | Description |
|---|---|---|
| Lotus Protector for Mail Security to Internet | | |
| HTTPS | TCP 443 | Enables Lotus Protector for Mail Security to receive updates (content filter database, firmware, intrusion prevention signatures, antivirus signatures). |
| SMTP | TCP 25 (inbound and outbound) | Enables SMTP access to the Internet for outgoing mail relay. |
| Optional: DNS server to server TCP 53 to Internet | TCP 53 | Enables Lotus Protector for Mail Security to receive IP reputation updates. |
| DNS | UDP 53 | Enables Lotus Protector for Mail Security access to provider or internal/DMZ DNS server. |
| Lotus Protector for Mail Security to internal network | | |
| SMTP | TCP 25 (inbound and outbound) | Enables SMTP access to all internal mail servers and load balancers that Lotus Protector for Mail Security is relaying mail to. |
| LDAP | TCP 389 | Enables Lotus Protector for Mail Security access to Domino LDAP or any other LDAP server that provides internal/user group SMTP address information. |
| NTP | UDP 123 | Enables Lotus Protector for Mail Security access to an available NTP/Time server. |
| Lotus Protector for Mail Security from management network | | |
| HTTPS | TCP 443 | Enables access to Lotus Protector for Mail Security. |
| SSH | TCP 22 | Enables an SSH client (for example, PuTTY) to connect to Lotus Protector for Mail Security from a command line. |
| SNMP | UDP 161 | Enables access to the SNMP agent of Lotus Protector for Mail Security in order to collect data about its current status using SNMP Get. |
| Database Access | TCP 5432 | Enables the clients of a Mail Security cluster to access the database of the central appliance. Attention: Make sure this option is enabled before creating or joining a Mail Security cluster. |
| Cluster Communications | TCP 4990 | Enables members of a Mail Security cluster to communicate with this host. Attention: Make sure this option is enabled before creating or joining a Mail Security cluster. |
| Lotus Protector for Mail Security from a user network or HTTPS proxy server | | |
| End User Interface access | TCP 4443 | Enables access to a Web interface where recipients of e-mail messages can release quarantined e-mail messages from message storages and manage their block lists and allow lists. |

Disabling Java caching

There are issues with Java caching that need to be eliminated in order to use Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security). To avoid Java errors when loading or using Lotus Protector Manager, you should disable Java caching.

To disable Java caching:

1. From the Windows Start menu, click Settings → Control Panel → Java.
2. From the Java Control Panel, click the General tab, and then click the Settings button in the Temporary Internet Files section.
3. In the Temporary File Settings window, clear the Keep temporary files on my computer check box.
4. Click OK, and then click OK again.

Using the Lotus Protector for Mail Security Install DVD

Use the following procedure to install the Lotus Protector for Mail Security operating system on the recommended certified hardware.

Before you begin

Make sure your system meets all the requirements listed in the System Requirements topic for installing Lotus Protector for Mail Security.

Procedure

1. Set up the system that will be hosting Lotus Protector for Mail Security in a secure location.
2. Connect a keyboard and a computer monitor to the system on which you are installing the Lotus Protector for Mail Security software.
3. Insert the Lotus Protector for Mail Security Install DVD.
4. Turn on the hardware model and wait until it fully boots. The installer loads the operating system. When the installation is finished, Lotus Protector for Mail Security automatically reboots. Let Lotus Protector for Mail Security complete the boot process without interruption.
5. When Lotus Protector for Mail Security has rebooted, the unconfigured.appliance login prompt appears. You can log in with the default user and password of admin/admin.
6. Open a Web browser and connect to the system using https://192.168.123.123.

What to do next

You are now ready to use the Setup Assistant to complete the installation process.


Completing initial hardware configuration with the Setup Assistant

The Setup Assistant is the program you use to configure initial Lotus Protector for Mail Security network settings. After you complete the initial setup process, use Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security) to change and manage these settings.

Procedure

1. At the unconfigured login prompt, type the following login credentials, and then press ENTER:
    • Username = admin
    • Password = admin
2. Click Start, and then press ENTER.
3. Follow the on-screen instructions to complete the Setup Assistant.

Table 5. Configuration tasks using the Setup Assistant

Tab: SLA
Task: Agree to the Software License Agreement.

Tab: EAR
Task: Agree to the Export Administration Regulations.

Tab: Config Method
Task: Choose whether to set up Lotus Protector for Mail Security using the Setup Assistant or using Lotus Protector Manager, the Web-based management interface.

Tab: License Number
Task: Enter your License Number (or an IBM Customer Number) for Lotus Protector for Mail Security.
Important: You will not be able to update the antispam or antivirus modules without a valid license.

Tab: Passwords
Task: Set the following required passwords for Lotus Protector for Mail Security access:
• Root: This password is used to log on to Lotus Protector for Mail Security directly (console) or to log on using SSH.
• Administrative: This password is used to connect to the management console using the Web browser.

Tab: Network
Task: Provide a fully qualified domain name for Lotus Protector for Mail Security as in the following example: appliance.example.com
Configure the ETH1 interface to use a static IP address or configure it to obtain a setup using DHCP.
This interface is used to send traffic to subnets that are not physically attached to Lotus Protector for Mail Security from the configured default gateway (for example, from ETH0).
Note: You can set additional network routes later from the Lotus Protector Manager.

Tab: SMTP
Task: Provide the root domain for Lotus Protector for Mail Security that should be used in relaying e-mail messages from Lotus Protector for Mail Security (in the message’s header). It is recommended that you use the host name of the system. Additionally, you should configure recipients of error notifications from the SMTP service and e-mail addresses.
Receiving E-mails: Set up Lotus Protector for Mail Security to receive incoming e-mail messages:
• Local Domains: Specify a list of domains for which Lotus Protector for Mail Security should accept, analyze, and forward e-mail messages to the given internal SMTP server.
• Relay Hosts: Specify a list of the IP addresses or the subnets of hosts that are allowed to relay e-mail messages from Lotus Protector for Mail Security.
Note: Lotus Protector for Mail Security will not accept e-mail messages for domains that are not given in the list of local domains from any host, unless this host is specified as a relay host.
Sending E-mails: Choose how the SMTP service should determine the next SMTP server to which an e-mail message should be relayed:
• DNS Resolution: Determines the destination SMTP server by looking up DNS MX records.
• Forward: Relays outgoing e-mail messages to specific domains to an SMTP server as configured in the list.
Note: If the SMTP service cannot find a configured relay for a specific domain, it will automatically fall back to DNS Resolution for this domain.
Reference: For a more advanced setup (for example, load balancing or using wildcard characters) see the IBM Lotus® Protector for Mail Security Administrator Guide Version 2.5.

Tab: Alerts
Task: Configure Lotus Protector for Mail Security to alert you by sending e-mail messages to a specified address in case one of the selected events occurs:
• Mail security events
• System errors
• System warnings
• System information
Specify another SMTP relay to make sure alerts are delivered under all circumstances.

Tab: Time
Task: Set up the time zone Lotus Protector for Mail Security should use and configure the current time and date of the system.
To synchronize the system time with a network time server, you must enable the Network Time Protocol (NTP) and provide the IP address or host name of the network server.

Testing basic network settings

Run these commands from a command line to test whether you have configured the Lotus Protector for Mail Security IP addresses and the default gateway correctly during the Setup Assistant process.

Note: Make sure you are logged in as the root user on the console.

Verifying IP address configuration

Use the following command to check whether the appropriate IP addresses are configured correctly:

    # ifconfig

Verifying the default route and gateway address

Use the following command to check whether the default route and the gateway address are configured correctly:

    # netstat -rn

Look for the default route in the output (0.0.0.0 gw x.x.x.x), and then ping the default gateway (x.x.x.x) to check for a response.

Verifying IP addresses for DNS servers

Use the following command to check whether the DNS servers resolve a host name to an IP address:

    # ping www.yourcompany.com

Note: If you need to make additional changes to network settings, log in as the admin user using SSH or on the console.

Verifying network connectivity and SMTP settings

You can send a test e-mail message over the network to make sure Lotus Protector for Mail Security is connected and configured correctly.

Procedure

1. Log on to Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security).
2. If you did not configure the SMTP relay settings from the network configuration tab in the Setup Assistant, click SMTP → Configuration in the navigation pane to configure those settings now.
3. Configure an e-mail client to send e-mail messages through Lotus Protector for Mail Security in order to verify network connectivity and the SMTP settings.
4. Send a test message to your mailbox on the internal mail server and another message to an external e-mail account (for example, a Web-based e-mail account). If each e-mail message arrives in its Inbox, then Lotus Protector for Mail Security is working properly. You can now send inbound and outbound e-mail messages using Lotus Protector for Mail Security.
5. Click Mail Security → Policy in the navigation pane to configure a mail security policy.
6. Enable the last rule in the sample policy ("MyMail (For testing purposes: Check for occurrence of "MyMail" in Subject)").
7. Click Save Changes.
8. Send two new test e-mail messages, as described in Step 4, using "MYMAIL" in the Subject field.

If the test does not work as expected, verify that:

• The e-mail message was actually sent through Lotus Protector for Mail Security (RECEIVED header)
• Lotus Protector for Mail Security is able to send e-mail messages to internal mail servers and to mail servers on the Internet
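
One way to make the RECEIVED header check concrete, as an added example that is not part of the original guide: it parses the Received lines of a saved test message and confirms that the receiving mail server recorded the mail security system as the connecting peer. The host mail.example.com, the IP addresses, both sample messages, the function names and the "(name [ip])" header layout are assumptions.

```python
import re
from email import message_from_string

# Constructed test message that was relayed through the filter.
RAW_VIA_FILTER = """\
Received: from appliance.example.com (appliance.example.com [10.0.0.5])
    by mail.example.com with ESMTP id 4A1B2C; Mon, 7 Dec 2009 10:00:02 +0000
Received: from client.example.net (client.example.net [198.51.100.7])
    by appliance.example.com with ESMTP id 9F8E7D; Mon, 7 Dec 2009 10:00:01 +0000
From: tester@example.net
To: admin@example.com
Subject: MYMAIL connectivity test

test body
"""

# Constructed message that reached the mail server directly. The lower
# Received line arrived with the message and is not trustworthy.
RAW_BYPASS = """\
Received: from appliance.example.com (unknown [198.51.100.7])
    by mail.example.com with ESMTP id 5C6D7E; Mon, 7 Dec 2009 10:05:02 +0000
Received: from client.example.net (client.example.net [198.51.100.7])
    by appliance.example.com with ESMTP id 000000; Mon, 7 Dec 2009 10:05:01 +0000
From: tester@example.net
To: admin@example.com
Subject: MYMAIL connectivity test

test body
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw):
    """Return the Received hops of a message, newest first.

    Each hop is a dict with the name the client announced (helo), the
    peer IP the writing server recorded (peer_ip) and the server that
    wrote the line (by). Lines without a from clause are skipped.
    """
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if not match:
            continue
        ip = IP_RE.search(match.group("info") or "")
        hops.append({
            "helo": match.group("helo").lower(),
            "peer_ip": ip.group(1) if ip else None,
            "by": match.group("by").lower().rstrip(";"),
        })
    return hops


def handed_over_by_filter(raw, receiving_server, filter_ips):
    """True if receiving_server got the message from one of filter_ips.

    Only the line written by your own receiving server is trusted, and
    only the peer IP it recorded: the announced name and every older
    Received line are supplied by the sending side.
    """
    for hop in received_hops(raw):
        if hop["by"] == receiving_server.lower():
            return hop["peer_ip"] in filter_ips
    return False


if __name__ == "__main__":
    for label, raw in (("via filter", RAW_VIA_FILTER), ("bypass", RAW_BYPASS)):
        print(label, handed_over_by_filter(raw, "mail.example.com", {"10.0.0.5"}))
```

Searching the headers for the host name alone reports both sample messages as filtered; comparing the recorded peer address tells them apart.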


Reinstalling Lotus Protector for Mail Security

The Recovery CD included in the Lotus Protector for Mail Security packaging contains the operating system software for Lotus Protector for Mail Security that was installed on the CD at the factory. You can reinstall the software from this CD on Lotus Protector for Mail Security.

About this task

Reinstalling Lotus Protector for Mail Security means erasing all data from the system and returning it to its factory state. Only perform this procedure under the guidance of IBM Technical Support.

CAUTION: Reinstalling Lotus Protector for Mail Security firmware clears the current configuration settings for Lotus Protector for Mail Security and all data stored on Lotus Protector for Mail Security.

Procedure

1. Connect a computer monitor to the system on which you are running Lotus Protector for Mail Security.
2. Boot the Recovery CD.
3. At the prompt, type reinstall, and then press ENTER. The installer reloads the operating system. When the reinstallation is finished, Lotus Protector for Mail Security automatically reboots. Let Lotus Protector for Mail Security complete the boot process without interruption.
4. When Lotus Protector for Mail Security has rebooted, the unconfigured.appliance login prompt appears. You can log in with the default user and password of admin/admin and configure Lotus Protector for Mail Security using the Configuration Menu.

Results

- Overwrites software configuration changes you have made since you first installed Lotus Protector for Mail Security
- Restores the original, default login credentials for the user name and password (admin/admin)


Chapter 3. Installing Lotus Protector for Mail Security on a virtual machine

This chapter provides procedures on installing a virtual version of Lotus Protector for Mail Security.

Topics

- System requirements
- Installing the VMX file
- Completing initial virtual machine configuration with the Setup Assistant
- Testing basic network settings
- Verifying network connectivity and SMTP settings


System requirements

Before you install Lotus Protector for Mail Security on a virtual machine, make sure your system meets the requirements listed in this section.

Processor

500 MHz or faster (Intel® or AMD)

Platform

Runs as installed software on a VMware workstation under the following operating systems:

- Windows 2000, XP, or 2003
- Red Hat Enterprise Linux® 2.4 or 2.6

Important: If you need to install updates or make changes to the host computer that is running Lotus Protector for Mail Security, make sure you shut down Lotus Protector for Mail Security first before you restart the host computer.

VMware guest OS support

Lotus Protector for Mail Security can run as virtual machines on the following VMware platforms:

- VMware Server 1.0.2 or later
- VMware ESX 3.x or later (VMware vCenter Converter required to run natively on VMware ESX)
- VMware Player 1.0.3 or later
- VMware Workstation 5.5 or later

Important: Make sure you connect the computer that is running VMware to an uninterruptible power supply in order to prevent database or file system corruptions in case of a power outage.

Host requirements

VMware is configured to use the following system resources:

- 2 GB RAM (512 MB required for each virtual instance)
- 100 MB hard disk space
- Two (2) network interfaces:
  - 1 Host-only interface
  - 1 Bridged network interface


Routing firewall rules

Make sure these ports are available so that Lotus Protector for Mail Security has access to the services it needs:

Table 6. Routing firewall rules

| Service | Port number | Description |
|---|---|---|
| Lotus Protector for Mail Security to Internet | | |
| HTTPS | TCP 443 | Enables Lotus Protector for Mail Security to receive updates (content filter database, appliance firmware, intrusion prevention signatures, antivirus signatures). |
| SMTP | TCP 25 (inbound and outbound) | Enables SMTP access to the Internet for outgoing mail relay. |
| Optional: DNS server to server TCP 53 to Internet | TCP 53 | Enables Lotus Protector for Mail Security to receive IP reputation updates. |
| DNS | UDP 53 | Enables Lotus Protector for Mail Security access to provider or internal/DMZ DNS server. |
| Lotus Protector for Mail Security to internal network | | |
| SMTP | TCP 25 (inbound and outbound) | Enables SMTP access to all internal mail servers and load balancers that Lotus Protector for Mail Security is relaying mail to. |
| LDAP | TCP 389 | Enables Lotus Protector for Mail Security access to Domino LDAP or any other LDAP server that provides internal/user group SMTP address information. |
| NTP | UDP 123 | Enables Lotus Protector for Mail Security access to an available NTP/Time server. |
| Lotus Protector for Mail Security from management network | | |
| HTTPS | TCP 443 | Enables access to Lotus Protector for Mail Security. |
| SSH | TCP 22 | Enables an SSH client (for example, PuTTY) to connect to Lotus Protector for Mail Security from a command line. |
| SNMP | UDP 161 | Enables access to the SNMP agent of Lotus Protector for Mail Security in order to collect data about its current status using SNMP Get. |
| Database Access | TCP 5432 | Enables the clients of a Mail Security cluster to access the database of the central appliance. Attention: Make sure this option is enabled before creating or joining a Mail Security cluster. |
| Cluster Communications | TCP 4990 | Enables members of a Mail Security cluster to communicate with this host. Attention: Make sure this option is enabled before creating or joining a Mail Security cluster. |
| Lotus Protector for Mail Security from user network or HTTPS proxy server | | |
| End User Interface access | TCP 4443 | Enables access to a Web interface where recipients of e-mail messages can release quarantined e-mail messages from message storages and manage their block lists and allow lists. |

Disabling Java caching

There are issues with Java caching that need to be eliminated in order to use Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security). To avoid Java errors when loading or using Lotus Protector Manager, you should disable Java caching.

To disable Java caching:

1. From the Windows Start menu, click Settings → Control Panel → Java.
2. From the Java Control Panel, go to the Temporary Internet Files section and click the Settings button.
3. In the Temporary File Settings window, clear the Keep temporary files on my computer check box.
4. Click OK, and then click OK again.


Installing the VMX file

The VMX file is the primary configuration file for a virtual machine. Use the following procedure to install the VMX file for Lotus Protector for Mail Security.

Procedure

1. Extract the contents of the file onto the target computer that is running the VMware Workstation.

   Important: If you are using Linux to run the VMware Workstation/Server/Player, make sure you have the right permissions for files and folders.

   Note: The disk file can only reach a maximum of 30 GB. Make sure you have at least 30 GB of free disk space available on the partition where you are extracting the files.

   If the partition contains less than 30 GB of free disk space, you can start and configure the VMware image; however, after the disk image exceeds the available disk space (for example, when the quarantine folders become larger in size), the computer will stop working.

2. Start the VMware Workstation.
3. Click File → Open.
4. Select the folder containing the VMX file for the appliance.
5. For quick access to the VMware image, click File → Add to Favorites to add the file to your Favorites list.
6. Start the virtual Lotus Protector for Mail Security by selecting the Start this virtual machine command.
7. If prompted to create a new unique identifier (UUID), select Create, and then click OK.

   After you start the virtual Lotus Protector for Mail Security, the Login prompt appears.

   Important: By default, Lotus Protector for Mail Security is configured with two network interfaces: Host-only and Bridged.

   The first interface (ETH0) is connected to the Host-only network interface for the VMware Workstation, while the second interface (ETH1) is connected to the Bridged network interface for the VMware Workstation.

   If you only want to use one interface, you should use the Bridged (ETH1) network interface. If you want to change network interfaces, click VM → Settings, and then click the Hardware tab.

What to do next

You are now ready to use the Setup Assistant to complete the installation process.


Completing initial virtual machine configuration with the Setup Assistant

The Setup Assistant is the program you use to configure initial Lotus Protector for Mail Security network settings. After you complete the initial setup process, use the Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security) to change and manage these settings.

Procedure

1. To connect to Lotus Protector for Mail Security using a Web browser (https://192.168.123.123), change the network interface from Host-only to Bridged.

   The default IP address for the Host-only network adapter is 192.168.123.123/255.255.255.0. Your VMware Workstation must be in the same network (for example, 192.168.123.200/255.255.255.0).

   If you change the network interface from Host-only to Bridged, make sure the IP address 192.168.123.123/255.255.255.0 is not being used by another computer.

2. At the unconfigured login prompt, type the following login credentials, and then press ENTER:

   - Username = admin
   - Password = admin

   If you want to change the IP address for the Host-only network adapter, you must use the admin user name/password credentials when you are prompted at the console. The Setup Assistant starts automatically. When the Setup Assistant is finished, you must change the network interface back to Bridged in order to access it.

3. Follow the on-screen instructions to complete the Setup Assistant.

Table 7. Configuration tasks using the Setup Assistant

Tab: SLA
Task: Agree to the Software License Agreement.

Tab: EAR
Task: Agree to the Export Administration Regulations.

Tab: Config Method
Task: Choose whether to set up Lotus Protector for Mail Security using the Setup Assistant or using Lotus Protector Manager, the Web-based management interface.

Tab: License Number
Task: Enter your License Number (or IBM Customer Number) for Lotus Protector for Mail Security.
Important: You will not be able to update the antispam or antivirus modules without a valid license.

Tab: Passwords
Task: Set the following required passwords for Lotus Protector for Mail Security access:
- Root: This password is used to log on to Lotus Protector for Mail Security directly (console) or to log on using SSH.
- Administrative: This password is used to connect to the management console using the Web browser.

Tab: Network
Task: Provide a fully qualified domain name for Lotus Protector for Mail Security as in the following example: appliance.example.com

Configure the ETH1 interface to use a static IP address or configure it to obtain a setup using DHCP.

This interface is used to send traffic to subnets that are not physically attached to Lotus Protector for Mail Security from the configured default gateway (for example, from ETH0). It is configured as Bridged in the VMware Workstation, and is assigned to the physical network adapter.
Note: You can set additional network routes later from the Lotus Protector Manager.

Tab: SMTP
Task: Provide the root domain for Lotus Protector for Mail Security that should be used in relaying e-mail messages from Lotus Protector for Mail Security (in the message's header). It is recommended that you use the host name of the system. Additionally, you should configure recipients of error notifications from the SMTP service and e-mail addresses.

Receiving E-mails: Set up Lotus Protector for Mail Security to receive incoming e-mail messages:
- Local Domains: Specify a list of domains for which Lotus Protector for Mail Security should accept, analyze, and forward e-mail messages to the given internal SMTP server.
- Relay Hosts: Specify a list of the IP addresses or subnets of hosts that are allowed to relay e-mail messages from Lotus Protector for Mail Security.
Note: Lotus Protector for Mail Security will not accept e-mail messages for domains that are not given in the list of local domains from any host, unless this host is specified as a relay host.

Sending E-mails: Choose how the SMTP service should determine the next SMTP server to which an e-mail message should be relayed:
- DNS Resolution: Determines the destination SMTP server by looking up DNS MX records.
- Forward: Relays outgoing e-mail messages to specific domains to an SMTP server as configured in the list.
Note: If the SMTP service cannot find a configured relay for a specific domain, it will automatically fall back to DNS Resolution for this domain.
Reference: For a more advanced setup (for example, load balancing or using wildcard characters) see the IBM Lotus® Protector for Mail Security Administrator Guide Version 2.5.

Tab: Alerts
Task: Configure Lotus Protector for Mail Security to alert you by sending e-mail messages to a specified address in case one of the selected events occurs:
- Mail security events
- System errors
- System warnings
- System information

Specify another SMTP relay to make sure alerts are delivered under all circumstances.

Tab: Time
Task: Set up the time zone Lotus Protector for Mail Security should use and configure the current time and date of the system.

To synchronize the system time with a network time server, you must enable the Network Time Protocol (NTP) and provide the IP address or host name of the network server.
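The receiving and sending rules described for the SMTP tab in Table 7 decide which hosts may relay through the appliance and where each message goes next. The following Python model is an added example, not code from IBM or the product; it shows the accept decision (Local Domains and Relay Hosts) and the next-hop choice (Forward list with fallback to DNS Resolution). All domains, addresses, and function names are constructed assumptions, and the MX lookup is a stand-in table so the example runs offline.

```python
import ipaddress

# Constructed settings for illustration; none of these values come from a real appliance.
LOCAL_DOMAINS = {"example.com": "10.0.0.25"}       # local domain -> internal SMTP server
RELAY_HOSTS = ["10.0.0.0/24", "192.168.123.200"]   # IP addresses or subnets allowed to relay
FORWARD = {"partner.example.net": "203.0.113.10"}  # Forward list: domain -> SMTP server
SAMPLE_MX = {"unlisted.example.org": "mx.unlisted.example.org"}  # stand-in for DNS MX data


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_relay_host(client_ip, relay_hosts=RELAY_HOSTS):
    """True if client_ip equals a listed address or lies inside a listed subnet."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in relay_hosts)


def accept(client_ip, recipient):
    """Receiving: local domains are accepted from any host, other domains only from relay hosts."""
    if domain_of(recipient) in LOCAL_DOMAINS:
        return True
    return is_relay_host(client_ip)


def sample_mx(domain):
    """Offline stand-in for a DNS MX lookup (hypothetical helper)."""
    return SAMPLE_MX.get(domain)


def next_hop(recipient, resolve_mx=sample_mx):
    """Sending: internal server for local domains, then the Forward list, then DNS Resolution."""
    domain = domain_of(recipient)
    if domain in LOCAL_DOMAINS:
        return ("internal", LOCAL_DOMAINS[domain])
    if domain in FORWARD:
        return ("forward", FORWARD[domain])
    return ("dns", resolve_mx(domain))  # documented fallback when no relay is configured


if __name__ == "__main__":
    for ip, rcpt in [("198.51.100.7", "user@example.com"),
                     ("198.51.100.7", "user@unlisted.example.org"),
                     ("10.0.0.42", "user@unlisted.example.org")]:
        print(ip, rcpt, "accept" if accept(ip, rcpt) else "reject", next_hop(rcpt))
```

The second case is the one to watch when reviewing a Relay Hosts list: a host outside the list addressing a non-local domain must be rejected, and every subnet added to the list widens who can relay through the appliance.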


Testing basic network settings

Run these commands from a command line to test whether you have configured the Lotus Protector for Mail Security IP addresses and the default gateway correctly during the Setup Assistant process.

Note: Make sure you are logged in as the root user on the console.

Verifying IP address configuration

Use the following command to check whether the appropriate IP addresses are configured correctly:

#ifconfig

Verifying the default route and gateway address

Use the following command to check whether the default route and the gateway address are configured correctly:

#netstat -rn

The default route is the line with destination 0.0.0.0 and gateway x.x.x.x.

Ping the default gateway (x.x.x.x) to check for a response.

Verifying IP addresses for DNS servers

Use the following command to check whether the DNS servers resolve a host name to an IP address:

#ping www.yourcompany.com

Note: If you need to make additional changes to network settings, log in as the admin user using SSH or on the console.


Verifying network connectivity and SMTP settings

You can send a test e-mail message over the network to make sure Lotus Protector for Mail Security is connected and configured correctly.

Procedure

1. Log on to Lotus Protector Manager (the Web-based management interface for Lotus Protector for Mail Security).
2. If you did not configure the SMTP relay settings from the network configuration tab in the Setup Assistant, click SMTP → Configuration in the navigation pane to configure those settings now.
3. Configure an e-mail client on your VMware host computer to send e-mail messages through Lotus Protector for Mail Security in order to verify network connectivity and the SMTP settings.
4. Send a test e-mail message to your mailbox on the internal mail server and another message to an external e-mail account (for example, a Web-based e-mail account). If each e-mail message arrives in its Inbox, then Lotus Protector for Mail Security is working properly. You can now send inbound and outbound e-mail messages using Lotus Protector for Mail Security.
5. Click Mail Security → Policy in the navigation pane to configure a mail security policy.
6. Click the plus sign to open details for the Signature Virus Check (Performs signature based virus check) rule.
7. Right-click the object My Domains, and then select Edit recipients: "My Domains".
8. Select the check box to activate the object, and then edit the domains to reflect your environment (replacing *@example.com).
9. Click OK.
10. Enable the last rule in the sample policy ("MyMail (For testing purposes: Check for occurrence of "MyMail" in Subject)").
11. Click Save Changes.
12. Send two new test e-mail messages, as described in Step 4, using "MYMAIL" in the Subject field.

    If the e-mail message that is sent to your Inbox from the internal server displays "Found MYMAIL in MYMAIL" as its subject, and the e-mail message that is sent to the external mail server has an unchanged subject, you have configured the object "MYMAIL" correctly for your domain and the rule system works correctly.

    Every mail with the string "MYMAIL" in the Subject field will be tagged "Found MYMAIL in MYMAIL".

If the test does not work as expected, verify that:

- The e-mail message was actually sent through Lotus Protector for Mail Security (RECEIVED header)
- The rule is active and the message was sent to a domain in the My Domains Who object
- Lotus Protector for Mail Security is able to send e-mail messages to internal mail servers and to mail servers on the Internet
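The RECEIVED header and subject checks in the verification procedures above (for both the hardware and the virtual machine installation) can be run against a saved copy of each test message. The following Python code is an added example, not part of the IBM guide or the product; the host names, header layout, and sample messages are constructed assumptions, with appliance.example.com taken from the guide's Network tab example.

```python
import re
from email import message_from_string

APPLIANCE = "appliance.example.com"  # assumed FQDN (the guide's Network tab example)
TAG = "Found MYMAIL in MYMAIL"       # subject the guide says the MyMail rule produces

# Constructed sample messages, newest hop first; not captured from a real appliance.
HOP_CLIENT_TO_APPLIANCE = (
    "Received: from client.example.com (client.example.com [10.0.0.77])\n"
    "    by appliance.example.com with SMTP id CONSTRUCTED0;\n"
    "    Mon, 07 Dec 2009 10:00:01 +0000\n")
SAMPLE_INTERNAL = (
    "Received: from appliance.example.com (appliance.example.com [10.0.0.5])\n"
    "    by mail.example.com with ESMTP id CONSTRUCTED1;\n"
    "    Mon, 07 Dec 2009 10:00:02 +0000\n"
    + HOP_CLIENT_TO_APPLIANCE
    + "From: tester@example.com\nTo: me@example.com\n"
    "Subject: Found MYMAIL in MYMAIL\n\ntest body\n")
SAMPLE_EXTERNAL = (
    "Received: from appliance.example.com (appliance.example.com [198.51.100.20])\n"
    "    by mx.webmail.example with ESMTP id CONSTRUCTED2;\n"
    "    Mon, 07 Dec 2009 10:00:03 +0000\n"
    + HOP_CLIENT_TO_APPLIANCE
    + "From: tester@example.com\nTo: me@webmail.example\nSubject: MYMAIL\n\ntest body\n")
SAMPLE_BYPASS = (  # delivered straight to the mail server, never crossing the appliance
    "Received: from client.example.com (client.example.com [10.0.0.77])\n"
    "    by mail.example.com with ESMTP id CONSTRUCTED3;\n"
    "    Mon, 07 Dec 2009 10:00:04 +0000\n"
    "From: tester@example.com\nTo: me@example.com\nSubject: MYMAIL\n\ntest body\n")


def received_hops(msg):
    """Return (from_host, by_host) for each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        sender = re.search(r"\bfrom\s+([^\s;]+)", flat)
        stamper = re.search(r"\bby\s+([^\s;]+)", flat)
        hops.append((sender.group(1).lower() if sender else None,
                     stamper.group(1).lower() if stamper else None))
    return hops


def check_test_message(raw, expect_tag, appliance=APPLIANCE):
    """Report whether the message crossed the appliance and whether its subject is as expected."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split())
    via = any(appliance.lower() in hop for hop in received_hops(msg))
    subject_ok = (subject == TAG) if expect_tag else (TAG not in subject)
    return {"via_appliance": via, "subject_ok": subject_ok}


if __name__ == "__main__":
    print("internal:", check_test_message(SAMPLE_INTERNAL, expect_tag=True))
    print("external:", check_test_message(SAMPLE_EXTERNAL, expect_tag=False))
    print("bypass:  ", check_test_message(SAMPLE_BYPASS, expect_tag=True))
```

Each Received line is written by the server that accepted the message, so the hops stamped by mail servers you operate are the ones to rely on.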


Printed in USA

GI11-9222-02