7
USER GUIDE
for IronPort Appliances
COPYRIGHT
Copyright © 2006 by IronPort Systems™, Inc. All rights reserved.
Part Number: 421-0200
Revision Date: July 1, 2006
The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus Outbreak
Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks or registered
trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe Network are trademarks or
registered trademarks of Symantec Incorporated. All other trademarks, service marks, trade names, or company names
referenced herein are used for identification only and are the property of their respective owners.
This publication and the information contained herein is furnished “AS IS” and is subject to change without notice.
Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort Systems, Inc.,
assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind with respect to this
publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and non-
infringement of third-party rights.
Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of software license
agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., Zope
Corporation, and other third party contributors, and all such terms and conditions are incorporated in IronPort license
agreements.
The full text of these agreements can be found here:
https://support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html. Portions of the software within IronPort AsyncOS is
based upon the RRDtool with the express written consent of Tobi Oetiker. Portions of this document are reproduced with
permission of Dell Computer Corporation. Portions of this document are reproduced with permission of Symantec
Incorporated. Portions of this document are reproduced with permission of Sophos Plc.
Brightmail Anti-Spam is protected under U.S. Patent No. 6,052,709.
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Before you Read this Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
How This Book Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Topics Discussed in the Advanced User Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Topics Discussed in the CLI User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Typographic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Contacting IronPort Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
IronPort Welcomes Your Comments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
IronPort Product Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
What’s New in This Release: AsyncOS 4.7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
New Feature: IronPort Bounce Verification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Enhanced: IronPort Spam Quarantine — Localized End User Interface . . . . . . . . . . . . . . . . . . . . . 5
Enhanced: Feature Keys Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Enhanced: Web Based Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Enhanced LDAP Features: LDAP Connection Pooling, Separate LDAP Binds for SMTP Authentica-
tion, and LDAP Envelope From: Attribute Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Enhanced: Network Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Enhanced: DNS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Enhanced: DSN Warnings Now Sent on Down Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Enhanced: Centralized Management Inverse Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Enhanced: Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Web-based Graphical User Interface (GUI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Command Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Command Line Interface Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
General Purpose CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
iii
IRONPORT ASYNCOS 4.7 USER GUIDE
iv
Bounce Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
v
IRONPORT ASYNCOS 4.7 USER GUIDE
9. Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Anti-Spam Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Enabling Anti-Spam Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Anti-Spam Scanning Engine Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Anti-Spam Scanning and Messages Generated by the IronPort Appliance . . . . . . . . . . . . . . . . 219
IronPort Anti-Spam Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
IronPort Anti-Spam and CASE: an Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Enabling IronPort Anti-Spam and Configuring Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring IronPort Anti-Spam Rule Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Configuring Per-Recipient Policies for IronPort Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Positive and Suspect Spam Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Positively Identified versus Suspected Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Headers Added by IronPort Anti-Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Reporting Incorrectly Classified Messages to IronPort Systems . . . . . . . . . . . . . . . . . . . . . . . . . 232
Testing IronPort Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Symantec Brightmail Anti-Spam Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Symantec Brightmail Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Enabling Symantec Brightmail Anti-Spam and Configuring Global Settings . . . . . . . . . . . . . . . 237
Configuring Symantec Brightmail Actions Per Recipient. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Positively Identified versus Suspected Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Headers Added by Symantec Brightmail Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Flow Diagram for Anti-Spam Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Symantec Brightmail Quarantine Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
vi
Testing Symantec Brightmail Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Incoming Relays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
The Incoming Relays Feature: Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Message Headers and Incoming Relays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring the Incoming Relays Feature (GUI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Incoming Relays and Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
vii
IRONPORT ASYNCOS 4.7 USER GUIDE
The Virus Outbreak Filters Feature and the Outbreak Quarantine . . . . . . . . . . . . . . . . . . . . . . 314
Monitoring Virus Outbreak Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Troubleshooting The Virus Outbreak Filters Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
The Virus Outbreak Filters Feature, Attachments, and the Email Pipeline . . . . . . . . . . . . . . . . . 319
viii
System Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
ix
IRONPORT ASYNCOS 4.7 USER GUIDE
x
Changing the System Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Configuring Domain Name System (DNS) Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Configuring TCP/IP Traffic Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring the Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Changing the admin User’s Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Service Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
The Service Updates Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Editing Update Settings (GUI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
System Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
The Time Zone Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Editing Time Settings (GUI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Managing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Managing Configuration Files via the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
CLI Commands for Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Managing Secure Shell (SSH) Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Remote SSH Command Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
xi
IRONPORT ASYNCOS 4.7 USER GUIDE
D. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
xii
List of Command Line Interface Examples
commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
systemsetup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
mailconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
sbstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
antivirusstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
antivirusupdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
localeconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
interfaceconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
suspend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
offline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
resetconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
upgradeconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
who . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
whoami . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
last . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
sethostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
showconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
mailconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
saveconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
loadconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
sshconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .498
sshconfig -> setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
xiii
IRONPORT ASYNCOS 4.7 USER GUIDE
xiv
List of Figures
xv
IRONPORT ASYNCOS 4.7 USER GUIDE
xvi
Figure 5-36 Listing Matching Entries in the Exception Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Figure 5-37 Bypassing Receiving Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Figure 5-38 The Recipient Access Table Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Figure 5-39 Adding RAT Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Figure 5-40 Changing the Order of RAT Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Figure 5-41 Exporting RAT Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Figure 5-42 Exporting RAT Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Figure 5-43 Editing the RAT for a Public Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Figure 5-44 Public and Private Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Figure 6-1 System Overview Section of the Mail Flow Monitor’s Overview Page. . . . . . . . . . . . . . . .142
Figure 6-2 Incoming Mail Overview Section of the Mail Flow Monitor’s Overview Page. . . . . . . . . .144
Figure 6-3 Row Highlighting on the Advanced View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Figure 6-4 Sender Details Section of the Mail Flow Monitor’s Overview Page . . . . . . . . . . . . . . . . . .148
Figure 6-5 Custom Reports via the Incoming Mail Details Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Figure 6-6 Incoming Mail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Figure 6-7 Network Owner Profile Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Figure 6-8 Domain Profile Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Figure 6-9 IP Address Profile Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Figure 6-10 Mail Flow Monitor Example: Screen 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Figure 6-11 Mail Flow Monitor Example: Screen 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Figure 6-12 Mail Flow Monitor Example: Screen 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Figure 7-1 Email Security Manager Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Figure 7-2 Message Splintering in the Email Pipeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Figure 7-3 Summary of Email Security Manager Policies in the GUI . . . . . . . . . . . . . . . . . . . . . . . . .169
Figure 7-4 Content Filtering Lists for Incoming Mail and Outgoing Mail Policy Tables. . . . . . . . . . . .170
Figure 7-5 Content Filter Conditions in GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Figure 7-6 Content Filter Actions in GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Figure 7-7 Incoming Mail Policies Page: Defaults for a Brand New Appliance. . . . . . . . . . . . . . . . . .178
Figure 7-8 Security Services Not Available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Figure 7-9 Anti-Spam Settings Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Figure 7-10 Defining Users for a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Figure 7-11 Newly Added Policy — Sales Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
xvii
IRONPORT ASYNCOS 4.7 USER GUIDE
xviii
Figure 9-5 Security Services -> Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Figure 9-6 IronPort Anti-Spam Global Settings: Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Figure 9-7 IronPort Anti-Spam Global Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Figure 9-8 Service Updates Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Figure 9-9 Edit Service Updates Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Figure 9-10 Rules Updates Section of Security Services -> Anti-Spam Page: GUI. . . . . . . . . . . . . . . . .226
Figure 9-11 Mail Policies - Anti-Spam Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Figure 9-12 IronPort Anti-Spam Settings for a Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Figure 9-13 Symantec Brightmail Anti-Spam Global Settings: Editing. . . . . . . . . . . . . . . . . . . . . . . . . .239
Figure 9-14 Symantec Brightmail Anti-Spam Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Figure 9-15 Downloading Symantec Brightmail Rules from a proxy server to the appliance . . . . . . . .243
Figure 9-16 Rules Updates Section of Security Services -> Anti-Spam Page: GUI. . . . . . . . . . . . . . . . .243
Figure 9-17 Mail Policies - Anti-Spam Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Figure 9-18 Brightmail Anti-Spam Settings for a Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Figure 9-19 Flow Diagram for Anti-Spam Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Figure 9-20 Symantec Brightmail Anti-Spam Quarantine Queue System Architecture . . . . . . . . . . . . .252
Figure 9-21 Quarantine Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Figure 9-22 Mail Relayed by MX/MTA — Simple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Figure 9-23 Mail Relayed by MX/MTA — Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Figure 9-24 Mail Relayed by MX/MTA — Variable Number of Hops . . . . . . . . . . . . . . . . . . . . . . . . . .270
Figure 9-25 A Configured Incoming Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Figure 9-26 Incoming Relays Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Figure 9-27 Add Relay Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Figure 10-1 Sophos Anti-Virus Global Settings: Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Figure 10-2 Sophos Anti-Virus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Figure 10-3 Obtaining New Sophos Virus Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Figure 10-4 Manually Checking for Sophos Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Figure 10-5 Options for Handling Messages Scanned for Viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Figure 10-6 Anti-Virus Settings for a Mail Policy (not default) - 1 of 2 . . . . . . . . . . . . . . . . . . . . . . . . .294
Figure 10-7 Anti-Virus Settings for a Mail Policy (not default) - 2 of 2 . . . . . . . . . . . . . . . . . . . . . . . . .295
Figure 10-8 Flow Diagram for Anti-Virus Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Figure 11-1 Detection: Multiple Methods, More Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
xix
IRONPORT ASYNCOS 4.7 USER GUIDE
xx
Figure 15-2 Editing a System Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Figure 15-3 Deleting a System Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Figure 15-4 Confirming a System Quarantine Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Figure 15-5 Local Quarantines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Figure 15-6 Viewing the List of Messages in a Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Figure 15-7 Quarantined Message Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Figure 15-8 Scan for Viruses Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Figure 15-9 Searching Quarantines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Figure 15-10 Searching Quarantines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Figure 15-11 Searching Quarantines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Figure 15-12 Enabling the Local IronPort Spam Quarantine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Figure 15-13 The “Delete All” Link on the Local Quarantines Page . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Figure 15-14 Editing the IronPort Spam Quarantine Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Figure 15-15 Editing IronPort Spam Quarantine Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Figure 15-16 Examples of LDAP Authentication Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Figure 15-17 Configuring Spam Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Figure 15-18 Editing Administrative Users for the IronPort Spam Quarantine. . . . . . . . . . . . . . . . . . . . .392
Figure 15-19 Adding an External End User Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Figure 15-20 Removing an External IronPort Spam Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Figure 15-21 Enabling the IronPort Spam Quarantine on the Management Interface . . . . . . . . . . . . . . .395
Figure 15-22 Modifying a Mail Policy to Send Spam to the IronPort Spam Quarantine . . . . . . . . . . . . .396
Figure 15-23 Sending Positively Identified Spam to the IronPort Spam Quarantine . . . . . . . . . . . . . . . .397
Figure 15-24 IronPort Spam Quarantine Search Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Figure 15-25 Delete All Messages Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Figure 16-1 Domain Keys Work Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Figure 16-2 Add Domain Profile Page — Signing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Figure 16-3 Generate DNS Text Record Link on Domain Profiles Page . . . . . . . . . . . . . . . . . . . . . . . .409
Figure 16-4 View Public Key Link on Signing Keys Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Figure 16-5 Enabling DomainKeys Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Figure 16-6 Add Domain Profile Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Figure 16-7 Export Signing Keys Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Figure 16-8 The DNS Text Record Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
xxi
IRONPORT ASYNCOS 4.7 USER GUIDE
xxii
Figure 18-23 The Edit Update Settings Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Figure 18-24 The Time Zone Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Figure 18-25 The Edit Time Settings Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Figure 18-26 Current Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Figure 18-27 Loading a Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Figure 18-28 Resetting the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Figure 20-1 Typical Network Configuration Incorporating the IronPort M-Series Appliance. . . . . . . . .514
Figure 20-2 Logging in to the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Figure 20-3 Setting the Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
Figure 20-4 System and Network Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520
Figure 20-5 Reviewing the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .522
Figure 20-6 The IronPort M-Series Appliance Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . .524
Figure 20-7 Spam Quarantine Settings on the IronPort M-Series Appliance . . . . . . . . . . . . . . . . . . . . .525
Figure 20-8 Mapping M-Series Quarantine Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .526
Figure A-1 IP Interfaces Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Figure A-2 Add IP Interface Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Figure A-3 Edit IP Interface Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
Figure A-4 Pin Numbers for the Serial Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
xxiii
IRONPORT ASYNCOS 4.7 USER GUIDE
xxiv
List of Tables
xxv
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 6-1: Time Ranges Defined in the Mail Flow Monitor Feature. . . . . . . . . . . . . . . . . . . . . . . . . . 145
Table 6-2: Example Calculations for Percent Change in Recipients Received . . . . . . . . . . . . . . . . . . 151
Table 7-1: Policy Matching Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Table 7-2: Content Filter Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Table 7-3: Content Filter Non-Final Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Table 7-4: Content Filter Final Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Table 7-5: Aggressive and Conservative Email Security Manager Settings . . . . . . . . . . . . . . . . . . . . . 190
Table 8-1: Recommended Phased Approach to Implementing Reputation Filtering using the SBRS. . 209
Table 8-2: Suggested Mail Flow Policies for Implementing the SBRS. . . . . . . . . . . . . . . . . . . . . . . . . 212
Table 9-1: Common Example Configurations of Positively Identified and Suspected Spam . . . . . . . . 231
Table 9-2: Common Example Configurations of Positively Identified and Suspected Spam . . . . . . . . 249
Table 9-3: Minimum Hardware Requirements for Installing Symantec Brightmail Quarantine . . . . . 255
Table 9-4: Suggested Quarantine Deployment Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Table 9-5: Storage Requirements for Symantec Brightmail Quarantine . . . . . . . . . . . . . . . . . . . . . . . 256
Table 9-6: LDAP Server and Mail Server Compatibility for Symantec Brightmail Quarantine . . . . . . 257
Table 9-7: TCP/IP Ports Used by Quarantine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Table 9-8: A Series of Received: Headers (Path A Example 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Table 9-9: A Series of Received: Headers (Path A Example 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Table 10-1: Default Subject Line Text for Anti-Virus Subject Line Modification . . . . . . . . . . . . . . . . . 290
Table 10-2: Default Notifications for Anti-Virus Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Table 10-3: Common Anti-Virus Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table 11-1: Virus Threat Level Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Table 11-2: Example Rules for an Outbreak Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Table 11-3: Fallback Rules and Threat Level Scores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Table 12-1: Statistics Shared Per IronPort Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Table 12-2: Statistics Shared Per IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Table 13-1: Message Filter Rules for Content Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Table 13-2: Example Dictionary Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Table 13-3: Anti-Virus Notification Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Table 14-1: Report Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
xxvi
Table 14-2: Incoming Mail Overview Report Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Table 14-3: System Summary Report Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Table 15-1: Space Available for Quarantines on IronPort Appliances . . . . . . . . . . . . . . . . . . . . . . . . .369
Table 15-2: Notifications per Address/Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .400
Table 17-1: Input for the Trace page and trace Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Table 17-2: Output of the trace Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Table 18-1: User Types Listing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Table 18-2: Listing of Possible Anti-Spam Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471
Table 18-3: Listing of Possible Anti-Virus Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .471
Table 18-4: Listing of Possible Directory Harvest Attack Prevention Alerts. . . . . . . . . . . . . . . . . . . . . .472
Table 18-5: Listing of Possible Hardware Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Table 18-6: Listing of Possible IronPort Spam Quarantine Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Table 18-7: Listing of Possible System Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Table 18-8: Listing of Possible Virus Outbreak Filter Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
Table 18-9: Example of DNS Servers, Priorities, and Timeout Intervals . . . . . . . . . . . . . . . . . . . . . . . .479
Table 19-1: AsyncOS Features Included in the C300D Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Table 19-2: IPMM: Reserved Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Table 20-1: System Setup Worksheet: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Table A-1: Services Enabled by Default on IP Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Table A-2: IP Interface Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Table A-3: Directories available for access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Table A-4: Serial Port Pin Assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Table C-1: Firewall Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .541
xxvii
IRONPORT ASYNCOS 4.7 USER GUIDE
xxviii
Preface
The IronPort AsyncOS 4.7 User Guide provides instructions for setting up, administering, and
monitoring the IronPort Messaging Gateway™ appliance. These instructions are designed for
an experienced system administrator with knowledge of networking and email
administration.
BE FO R E Y O U R E A D T H IS B O OK
Read the IronPort QuickStart Guide and any product notes that were shipped with your
appliance. This guide assumes that you have unpacked, physically installed into a rack
cabinet, and powered-up the appliance.
Note
Note — If you have already cabled your appliance to your network, ensure that the default IP
address for the IronPort appliance does not conflict with other IP addresses on your network.
The IP address pre-configured on the Management port (on IronPort X1000/X1000T, C60/600,
and C30/300/300D appliances) or the Data 1 port (on IronPort C10/100 appliances) is
192.168.42.42. See Chapter 3, ”Setup and Installation”,” and Appendix B, “Assigning
Network and IP Addresses,” for more information about assigning IP addresses to the IronPort
appliance. If you are configuring an IronPort M-Series appliance, please see “The IronPort
M-Series Security Management Appliance” on page 513.
Documentation Set
The AsyncOS User Guide has been divided into three separate books — this book, the IronPort
AsyncOS CLI Reference Guide, and the IronPort AsyncOS Advanced User Guide.
Occasionally, this book will refer to the other guides for additional information on topics.
HO W T HI S B O OK I S O RG A N IZ E D
Chapter 1, “Introduction,” provides an introduction to the IronPort appliance and defines its
key features and role in the enterprise network. New features of the current release are
described.
Chapter 2, “Overview,” introduces the IronPort AsyncOS™ operating system and
administration of the IronPort appliance through its web-based graphical user interface (GUI)
xxix
IRONPORT ASYNCOS 4.7 USER GUIDE
and command line interface (CLI). Conventions for using the CLI are described. This chapter
also contains an overview of general purpose CLI commands.
Chapter 3, “Setup and Installation,” describes the options for connecting to the IronPort
appliance, including network planning, and initial system setup and configuration of the
IronPort AsyncOS operating system (for IronPort M-Series appliances, see Chapter 20.
Chapter 4, “Understanding the Email Pipeline,” provides an overview of the Email Pipeline —
the process or flow that email follows as it is processed by the IronPort appliance — and a
brief description of each feature that comprise the pipeline. The brief description also
includes a link to the chapter or book containing a detailed explanation of the feature.
Chapter 5, “Configuring the Gateway to Receive Email,” describes the process for tailoring the
configuration of your Enterprise Email Gateway. This chapter introduces the concepts of
interfaces, listeners, and the Host Access Table (HAT) — which together comprise the
architecture that makes receiving email and the Mail Flow Monitor feature possible.
Chapter 6, “Using Mail Flow Monitor,” describes the Mail Flow Monitor feature: a powerful,
web-based console that provides complete visibility into all inbound email traffic for your
enterprise.
Chapter 7, “Email Security Manager,” describes Email Security Manager, the single,
comprehensive dashboard to manage all email security services and applications on IronPort
appliances. Email Security Manager allows you to manage the Virus Outbreak Filters feature,
Anti-Spam, Anti-Virus, and email content policies — on a per-recipient or per-sender basis,
through distinct inbound and outbound policies.
Chapter 8, “Reputation Filtering,” provides an overview of how SenderBase Reputation
Service scores are used to control incoming mail based on the reputation of the message
sender.
Chapter 9, “Anti-Spam,” describes the unique, two-layer approach to fighting spam with the
SenderBase Reputation Filters and Symantec Brightmail Anti-Spam features integrated into the
IronPort appliance.
Chapter 10, “Anti-Virus,” explains the Sophos Anti-Virus scanning feature integrated into the
IronPort appliance.
Chapter 11, “The Virus Outbreak Filters Feature,” explains how IronPort’s Virus Outbreak
Filters act proactively to provide a critical first layer of defense against new outbreaks. By
detecting new outbreaks in real-time and dynamically responding to prevent suspicious traffic
from entering the network, IronPort’s Virus Outbreak Filters offer protection until new
signature updates are deployed.
Chapter 12, “SenderBase Network Participation,” describes how to share data from your
appliance with the SenderBase Network.
Chapter 13, “Text Resources,” details creating text resources such as content dictionaries,
notification templates, and footers for use in various other components of AsyncOS.
xxx
Chapter 14, “Reporting,” describes how the appliance can be configured to generate and
email periodic reports to a given set of users.
Chapter 15, “Quarantines,” describes the special queues or repositories used to hold and
process messages. Messages in quarantines can be delivered or deleted, based on how you
configure the quarantine. This includes the IronPort Spam quarantine.
Chapter 16, “DomainKeys,” details the process of configuring and enabling Domain Keys
signing on your IronPort appliance.
Chapter 17, “Other Tasks in the GUI,” describes typical administration commands for
managing and monitoring the IronPort appliance through the Graphical User Interface (GUI).
Chapter 18, “System Administration,” describes typical administration commands for
managing and monitoring the IronPort appliance, including: working with feature keys,
upgrading AsyncOS, and performing routine system maintenance, such as setting the system
time, changing the administrator password, and taking the system offline. This chapter also
describes how to configure the network operation of the IronPort appliance, including DNS,
interface, routing, and hostname settings. Finally, this chapter describes working with users,
and alerts.
Chapter 19, “Enabling Your C300D Appliance,” describes the IronPort C300D appliance.
Chapter 20, “The IronPort M-Series Security Management Appliance,” describes the IronPort
M-Series appliances.
Appendix A, “Accessing the Appliance,” describes how to access the IronPort appliance to
send and retrieve files from IronPort appliance.
Appendix B, “Assigning Network and IP Addresses,” describes general rules on networks and
IP address assignments and presents some strategies for connecting the IronPort appliance
within an enterprise network infrastructure.
Appendix C, “Firewall Information,” describes the possible ports that may need to be opened
for proper operation of the IronPort appliance behind a security firewall.
Appendix D is a glossary of terms used within this guide.
xxxi
IRONPORT ASYNCOS 4.7 USER GUIDE
purposes of verifying recipients to accept (including group membership), mail routing and
address rewriting. masquerading headers, and supporting for SMTP authentication.
Chapter 4, “Policy Enforcement,” describes how to use Message Filters to define rules for
handling email, including the flexibility for manipulating the content of messages through the
attachment filtering, message footer stamping, and content dictionaries features.
Chapter 5, “Managing and Monitoring via the CLI,” describes the commands available in the
CLI available to you as you monitor the mail flow through the gateway.
Chapter 6, “Logging,” addresses the logging and log subscription functionality of the IronPort
appliance.
Chapter 7, “Centralized Management” describes the centralized management feature, which
allows you to manage and configure multiple appliances. The centralized management
feature provides increased reliability, flexibility, and scalability within your network, allowing
you to manage globally while complying with local policies.
Chapter 8, “Testing and Troubleshooting,” describes the process of creating “black hole”
listeners for testing the system performance and troubleshooting configuration problems.
xxxii
TY P OG RA P HI C C ONVE NT IO N S
AaBbCc123 Book titles, new words or Read the IronPort QuickStart Guide.
terms, words to be
emphasized. Command line The IronPort appliance must be able to uniquely select an
variable; replace with a real interface to send an outgoing packet.
name or value.
Before you begin, please reset your
password to a new value.
Old password: ironport
New password: your_new_password
Retype new password: your_new_password
CO N TA CT IN G I R ON POR T C U ST OM E R S UP P O R T
You can request our support by phone, email or online 24 hours a day, 7 days a week.
During our office hours (24 hours per day, Monday through Friday excluding US holidays),
one of our engineers will contact you within an hour of your request.
To report a critical issue that requires urgent assistance outside of our office hours, please call
us immediately at the numbers below.
U.S. Toll-free:1 (877) 641-IRON (4766)
U.S. and International:1 (650) 989-6533
Web:http://support.ironport.com
I R O NPO R T WE L C O M E S YO U R C O M M E N T S
We are interested in improving our documentation and welcome your comments and
suggestions. You can email your comments to us at:
docfeedback@ironport.com.
xxxiii
IRONPORT ASYNCOS 4.7 USER GUIDE
Please include the following part number in the subject of your email: 421-0201.
xxxiv
1
CHAPTER
Introduction
CHAPTER 1: INTRODUCTION 1
IRONPORT ASYNCOS 4.7 USER GUIDE
IR O NPO R T P RO D UC T O VE R VI EW
The IronPort Messaging Gateway™ appliance is a high-performance appliance designed to
meet the email infrastructure needs of the most demanding enterprise networks. The IronPort
appliance eliminates spam and viruses, enforces corporate policy, secures the network
perimeter, and reduces the Total Cost of Ownership (TCO) of enterprise email infrastructure.
IronPort Systems combines hardware, a hardened operating system, application, and
supporting services to produce a purpose-built, rack-mount server appliance dedicated for
enterprise messaging.
The IronPort AsyncOS™ 4.7 operating system integrates several intelligent features into the
IronPort appliance:
• Anti-Spam at the gateway, through the unique, multi-layer approach of SenderBase
Reputation Filters and both IronPort and Symantec Brightmail Anti-Spam integration.
• Anti-Virus at the gateway with the Sophos Anti-Virus scanning engine, the industry's
highest performance virus protection with unique denial of service prevention.
• Virus Outbreak Filters™, IronPort’s unique, preventive protection against new virus
outbreaks that can quarantine dangerous messages until new Anti-Virus updates are
applied, reducing the window of vulnerability to new virus outbreaks.
• Spam Quarantine either on-box or off, providing end user access to quarantined spam
and suspected spam.
• Domain Keys signing of outgoing mail.
• Email Security Manager, a single, comprehensive dashboard to manage all email security
services and applications on the appliance. Email Security Manager can enforce email
security based on user groups, allowing you to manage IronPort Reputation Filters, Virus
Outbreak Filters, Anti-Spam, Anti-Virus, and email content policies through distinct
inbound and outbound policies.
• On-box Quarantine areas to hold messages that violate email policies. Quarantines
seamlessly interact with the Virus Outbreak Filters feature.
• Mail Flow Monitoring of all inbound and outbound email that provides complete
visibility into all email traffic for your enterprise.
• Access control for inbound senders, based upon the sender’s IP address, IP address range,
or domain.
• Extensive message filtering technology allows you to enforce corporate policy and act on
specific messages as they enter or leave your corporate infrastructure. Filter rules identify
messages based on message or attachment content, information about the network,
message envelope, message headers, or message body. Filter actions allow messages to be
dropped, bounced, archived, blind carbon copied, or altered, or to generate notifications.
• Message encryption via secure SMTP over Transport Layer Security ensures messages
travelling between your corporate infrastructure and other trusted hosts are encrypted.
2
IRONPORT PRODUCT OVERVIEW
• Virtual Gateway™ technology allows the IronPort appliance to function as several email
gateways within a single server, which allows you to partition email from different sources
or campaigns to be sent over separate IP addresses. This ensures that deliverability issues
affecting one IP address do not impact others.
The AsyncOS 4.7 operating system is the latest version of the IronPort proprietary operating
system that has been highly optimized for the task of Internet messaging. AsyncOS is a
“hardened” operating system: all unnecessary services have been removed, which increases
security and optimizes system performance. IronPort stackless threading technology
eliminates allocation of a dedicated memory stack to each task, which increases concurrency
and stability of the MTA. The custom I/O-driven scheduler is optimized for massively
concurrent I/O events required by the email gateway versus the preemptive time slicing of the
CPU in traditional operating systems. AsyncFS, the file system underlying AsyncOS, is
optimized for millions of small files and ensures data recoverability in the case of system
failure.
The AsyncOS operating system supports RFC 2821 compliant Simple Mail Transfer Protocol
(SMTP) to accept and deliver messages. The IronPort appliance is designed to be easy to
configure and manage. Most reporting, monitoring, and configuration commands are
available through both the web-based graphical user interface (GUI) via HTTP or HTTPS. In
addition, an interactive Command Line Interface (CLI) which you access from a Secure Shell
(SSH), telnet, or direct serial connection is provided for the system. The IronPort appliance
also features a robust logging capability, allowing you to configure log subscriptions spanning
the functionality of the entire system and reducing the time spent finding the information you
need.
CHAPTER 1: INTRODUCTION 3
IRONPORT ASYNCOS 4.7 USER GUIDE
W H A T ’S N EW I N T H I S R E L E A S E : A S Y N C O S 4 .7
Note
Note — When delivering non-bounce mail to your own internal mail server (Exchange, etc.),
you should disable IronPort Bounce Validation tagging for that internal domain.
4
ENHANCED: IRONPORT SPAM QUARANTINE — LOCALIZED END USER INTERFACE
CHAPTER 1: INTRODUCTION 5
IRONPORT ASYNCOS 4.7 USER GUIDE
Destination Controls
The Destination Controls page is used to add entries to the destination controls table. This is
similar to and replaces the old setgoodtable functionality from earlier versions of
AsyncOS.
Using the Destination Controls feature (Mail Policies -> Destination Controls in the GUI, or
the destconfig command in the CLI), you can control:
Rate Limiting
• Connections: number of simultaneous connections to remote hosts the appliance will
attempt to open
• Recipients: number of recipients the appliance will send to a given remote host in a given
time period
6
ENHANCED: WEB BASED INTERFACE
• Limits: how to apply the limits you have specified on a per-destination and per appliance
hostname basis
TLS
• Whether TLS connections to remote hosts will be accepted, allowed, or required
Bounce Verification
• Whether or not to perform address tagging via IronPort Bounce Verification (see “New
Feature: IronPort Bounce Verification” on page 4)
Bounce Profile
• Which bounce profile should be used by the appliance for a given remote host (the
default bounce profile is set via the Network -> Bounce Profiles page)
You can also control the default settings for unspecified domains.
For more information about Destination Controls, see the Configuring Routing and Delivery
chapter in the IronPort AsyncOS Advanced User Guide.
Bounce Profiles
Use the Network -> Bounce Profiles page (or the bounceconfig command) to create and
manage bounce profiles for your IronPort appliance. This controls how your appliance acts
when sending out bounce messages.
Return Addresses
You can configure the From: header address (this is not the Envelope Sender) for mail
generated by AsyncOS for the following circumstances:
• Anti-Virus notifications
• Bounces
• Notifications (notify() and notify-copy() filter actions)
• Quarantine notifications (and “Send Copy” in quarantine management)
You can specify the display, user, and domain names of the From: address. You can also
choose to use the Virtual Gateway domain for the domain name.
Use the Return Addresses page available on the System Administration tab in the GUI, or use
the addressconfig command via the CLI. See “Configuring the From: Address for Various
Generated Messages” on page 464.
Reboot/Shutdown
AsyncOS 4.7.0 now supports rebooting and shutting down of the IronPort appliance via the
System Administration -> Shutdown/Reboot page. See “Shutting Down the IronPort
Appliance” on page 444 for more information.
CHAPTER 1: INTRODUCTION 7
IRONPORT ASYNCOS 4.7 USER GUIDE
Password
Users can now change their own passwords via the Change Password link at the top of the
GUI:
Figure 1-1 Change Password Link
Enhanced LDAP Features: LDAP Connection Pooling, Separate LDAP Binds for SMTP
Authentication, and LDAP Envelope From: Attribute Support
• AsyncOS also supports LDAP binds for SMTP Authentication.
• Now SMTP Auth can be performed with ActiveDirectory. These connections are available
as part of the pool of LDAP connections. AsyncOS can now send multiple LDAP
connections to a server, to increase concurrency of LDAP requests.
• AsyncOS also now supports the {f} token for LDAP queries, typically used to specify the
Envelope From: address.
See the LDAP chapter in the IronPort AsyncOS Advanced User Guide for more information.
mail3.example.com> diagnostic
8
ENHANCED: DSN WARNINGS NOW SENT ON DOWN HOST
Use the special keyword USEDNS to tell the appliance to do MX lookups to determine next
hops for specific domains. This is useful when you need to route mail for subdomains to a
specific host. For example, if mail to example.com is to be sent to the company’s
Exchange server, you might have something similar to the following SMTP route:
example.com exchange.example.com
However, for mail to various subdomains (foo.example.com), add an SMTP route that
looks like this:
.example.com USEDNS
• Disable reverse DNS lookups on inbound connections (globally).
You can disable the reverse DNS lookup timeout globally across all listeners by entering
‘0’ as the number of seconds when configuring the Wait Before Timing out Reverse DNS
Lookups setting on the Network -> DNS page. If the value is set to 0 seconds, the reverse
DNS lookup is not attempted, and instead the standard timeout response is returned
immediately.
• DNS configuration may now be split to use two different caching servers.
AsyncOS now supports “splitting” DNS servers when not using the Internet’s DNS servers.
If you are using your own internal server, you can also specify exception domains and
associated DNS servers.
CHAPTER 1: INTRODUCTION 9
IRONPORT ASYNCOS 4.7 USER GUIDE
10
2
CHAPTER
Overview
This chapter introduces the IronPort AsyncOS operating system and administration of the
IronPort appliance through both the web-based Graphical User Interface (GUI) and
Command Line Interface (CLI). Conventions for using each interface are described. This
chapter also contains general-purpose CLI commands. This chapter contains the following
sections:
• “Web-based Graphical User Interface (GUI)” on page 12
• “Command Line Interface (CLI)” on page 18
C H A P T E R 2 : O V E R V I E W 11
IRONPORT ASYNCOS 4.7 USER GUIDE
WE B -B A S E D G RA P HI C A L U S E R I NT E R F A CE ( G U I)
The graphical user interface (GUI) is the web-based alternative to the command line interface
(CLI) for system monitoring and configuration. The GUI enables you to monitor the system
using a simple web-based interface without having to learn the IronPort AsyncOS command
syntax.
The GUI contains most of the functionality you need to configure and monitor the system.
However, not all CLI commands are available in the GUI; some features are only available
through the CLI. Many of the tasks listed throughout this book demonstrate how to
accomplish a task from the GUI (when possible) first, followed by the CLI commands to
accomplish the same task.
In the following chapters, you will learn how to use the GUI to:
• access the System Setup Wizard to perform the initial installation and configuration of the
IronPort appliance.
• access Email Security Manager to enforce email security based on user groups, allowing
you to manage IronPort Reputation Filters, Virus Outbreak Filters, Anti-Spam, Anti-Virus,
and email content filtering policies through distinct inbound and outbound policies.
• use the Mail Flow Monitor feature to monitor inbound and outbound message flow.
• edit the Host Access Table (HAT) for a listener, customizing your own sender groups
(updating whitelists, blacklists, and greylists) and tailoring mail flow policies by querying
for a sender’s reputation, including the SenderBase Reputation Score (SBRS).
• create and manage dictionaries, footers, and other text resources.
• manage quarantine areas, including viewing the contents of individual quarantined
messages.
• configure a local or external IronPort Spam quarantine.
• create, view, and run existing and customized reports.
• monitor the status of the outgoing mail (delivery) queue, “drilling down” on individual
queues for specific recipient domains.
• configure Domain Keys signing of outbound mail.
• configure global settings for IronPort Anti-Spam, Symantec Brightmail Anti-Spam, Sophos
Anti-Virus, Virus Outbreak Filters, and SenderBase Network Participation.
• test configuration changes using the Trace feature.
• browse configuration settings of the entire cluster, if the Centralized Management feature
has been enabled.
• view status through XML pages, or access XML status information programmatically.
12
WEB-BASED GRAPHICAL USER INTERFACE (GUI)
Browser Requirements
To access the GUI, your browser must support and be enabled to accept JavaScript and
cookies, and it must be able to render HTML pages containing Cascading Style Sheets (CSS).
Specifically:
• Firefox 1.0 and later
• Windows XP: IE 6.02 and later
• Mozilla 1.76 and later
• Netscape 7.1 and later
• Mac OS X: Safari 1.2 and later
Your session will automatically time out after 30 minutes of inactivity.
Please note that when accessing the GUI, do not use multiple browser windows or tabs
simultaneously to make changes to the IronPort appliance. Doing so will cause unexpected
behavior and is not supported.
Note
Note — The GUI is accessible using recent versions of most Internet browsers. By default, the
system ships with HTTP enabled on the Management interface (for IronPort C60/600, C30/
300, X1000, and M600/1000 appliances) or Data 1 (IronPort C10/100) interface. (For more
information, see “Enabling the GUI on an Interface” on page 419.)
To access the GUI on a brand new system, access the following URL:
http://192.168.42.42
When the login page is displayed, log in to the system using the default username and
password:
Factory Default Username and Password
• Username: admin
• Password: ironport
For example:
C H A P T E R 2 : O V E R V I E W 13
IRONPORT ASYNCOS 4.7 USER GUIDE
On brand new (not upgraded from previous releases of AsyncOS) systems, you will
automatically be redirected to the System Setup Wizard.
During the initial system setup, you choose IP addresses for interfaces and whether to run
HTTP and/or HTTPS services for those interfaces. When HTTP and/or HTTPS services have
been enabled for an interface, you can use any supporting browser to view the GUI by
entering the IP address or hostname of the IP interface as a URL in the location field (“address
bar”) of the browser. For example:
http://192.168.1.1 or
https://192.168.1.1 or
http://mail3.example.com or
https://mail3.example.com
Note
Note — If HTTPS has been enabled for an interface (and HTTP requests are not being
redirected to the secure service), remember to access the GUI using the “https://” prefix.
Logging In
All users accessing the GUI must log in. Type your username and password, and then click
Login to access the GUI. You must use a supported web browser (see “Browser Requirements”
on page 13). You can log in with the admin account or with a specific user account you have
created. (For more information, see “Adding Additional Users” on page 460.)
After you have logged in, the Monitor -> Incoming Mail Overview page is displayed.
Note
Note — Online help for the GUI is available from every page within the GUI. Click the Help
link at the top right of the page to access the online help.
14
WEB-BASED GRAPHICAL USER INTERFACE (GUI)
You navigate among sections of the interface by clicking links on the tab headings for each
main section or tab (Monitor, Mail Policies, Security Services, Network, and System
Administration). Within each section are sub-sections and “subpages” that further group
information and activities. For example, the Security Services section contains the Anti-Spam
sub-section and several subpages. The Anti-Spam subsection groups two subpages: IronPort
(the default page for this tab) and Symantec Brightmail. The other subpages include:
Anti-Virus, Virus Outbreak Filters, SenderBase, and Service Updates. Accordingly, when
referring to specific pages in the GUI, the documentation uses the tab name, followed by an
arrow and then the page name. For example, Security Services -> SenderBase.
Monitor Tab Subpages
The subpages in the Monitor section contain pages for the Mail Flow Monitor feature
(Overview, Incoming Mail, Outgoing Mail delivery queue monitoring, System Overview),
System Status, Local and External Quarantines, and Scheduled Reports features.
Mail Policies Tab Subpages
The Mail Policies section contains pages for the Email Security Manager feature (including
Mail Policies and Content Filters), the Host Access Table (HAT) and Recipient Access Table
(RAT) configuration, Destination Controls, Bounce Validation, Domain Keys, Text Resources,
and Dictionaries. The Destination Controls and Bounce Validation pages are new to the GUI
in this release.
Security Services Tab Subpages
The Security Services section contains pages to set global settings for the Anti-Spam,
Anti-Virus, Virus Outbreak Filters, and SenderBase Network Participation features.
Network Tab Subpages
The Network section contains pages for creating and managing IP interfaces, Listeners, SMTP
Routes, DNS, Routing, Bounce Profiles, SMTP Authentication, and Incoming Relays. The
Bounce Profiles page is new to the GUI in this release.
System Administration Tab Subpages
The System Administration section contains pages for the Trace, Alerting, User Management,
LDAP, Log Subscription, Return Addresses, System Time, Technical Support, Configuration
File management, Feature Keys, Shutdown/Reboot, Upgrades, and System Setup Wizard
features. The Return Addresses and Shutdown/Reboot pages are new to the GUI in this
release.
Centralized Management
If you have the Centralized Management feature and have enabled a cluster, you can browse
machines in the cluster, create, delete, copy, and move settings among clusters, groups, and
machines (that is, perform the equivalent of the clustermode and clusterset commands)
from within the GUI.
C H A P T E R 2 : O V E R V I E W 15
IRONPORT ASYNCOS 4.7 USER GUIDE
For more information, see “Administering a Cluster from the GUI” in the IronPort AsyncOS
Advanced User Guide.
Clicking the Commit Changes... button displays a page where you can add a comment and
commit the changes, abandon all changes made since the most recent commit (the equivalent
of the clear command in the CLI; see “Clearing Configuration Changes” on page 22), or
cancel.
16
WEB-BASED GRAPHICAL USER INTERFACE (GUI)
C H A P T E R 2 : O V E R V I E W 17
IRONPORT ASYNCOS 4.7 USER GUIDE
CO M M A ND L IN E IN T E R FA C E ( C L I)
The IronPort AsyncOS Command Line Interface is an interactive interface designed to allow
you to configure and monitor the IronPort appliance. The commands are invoked by entering
the command name with or without any arguments. If you enter the command without
arguments, the command prompts you for the required information.
The Command Line Interface is accessible via SSH or Telnet on IP interfaces that have been
configured with these services enabled, or via terminal emulation software on the serial port.
By factory default, SSH and Telnet are configured on the Management port. Use the
interfaceconfig command described in “Configuring the Gateway to Receive Email” on
page 73 to disable these services.
For more information about specific CLI commands, see the IronPort AsyncOS CLI Reference
Guide.
Command Prompt
The top-level command prompt consists of the fully qualified hostname, followed by the
greater than (>) symbol, followed by a space. For example:
mail3.example.com>
If the appliance has been configured as part of a cluster with the Centralized Management
feature, the prompt in the CLI changes to indicate the current mode. For example:
or
See “Centralized Management” in the AsyncOS Advanced User Guide for more information.
When running commands, the CLI requires input from you. When the CLI is expecting input
from you, the command prompt shows the default input enclosed in square brackets ([])
followed by the greater than (>) symbol. When there is no default input, the command-
prompt brackets are empty.
For example:
(Ex: "mail3.example.com"):
[]> mail3.example.com
18
COMMAND LINE INTERFACE CONVENTIONS
When there is a default setting, the setting is displayed within the command-prompt brackets.
For example:
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]> 1
When a default setting is shown, typing Return is equivalent to typing the default:
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]> (type Return)
Command Syntax
When operating in the interactive mode, the CLI command syntax consists of single
commands with no white spaces and no arguments or parameters. For example:
mail3.example.com> systemsetup
Select Lists
When you are presented with multiple choices for input, some commands use numbered
lists. Enter the number of the selection at the prompt.
For example:
Log level:
1. Error
2. Warning
3. Information
4. Debug
5. Trace
[3]> 3
Yes/No Queries
When given a yes or no option, the question is posed with a default in brackets. You may
answer Y, N, Yes, or No. Case is not significant.
For example:
C H A P T E R 2 : O V E R V I E W 19
IRONPORT ASYNCOS 4.7 USER GUIDE
Subcommands
Some commands give you the opportunity to use subcommands. Subcommands include
directives such as NEW, EDIT, and DELETE. For the EDIT and DELETE functions, these
commands provide a list of the records previously configured in the system.
For example:
mail3.example.com> interfaceconfig
Within subcommands, typing Enter or Return at an empty prompt returns you to the main
command.
Escape
You can use the Control-C keyboard shortcut at any time within a subcommand to
immediately exit return to the top level of the CLI.
History
The CLI keeps a history of all commands you type during a session. Use the Up and Down
arrow keys on your keyboard, or the Control-P and Control-N key combinations, to scroll
through a running list of the recently-used commands.
Command Completion
The IronPort AsyncOS CLI supports command completion. You can type the first few letters of
some commands followed by the Tab key, and the CLI completes the string for unique
commands. If the letters you entered are not unique among commands, the CLI “narrows” the
set. For example:
20
GENERAL PURPOSE CLI COMMANDS
For both the history and file completion features of the CLI, you must type Enter or Return to
invoke the command.
Configuration Changes
You can make configuration changes to IronPort AsyncOS while email operations proceed
normally.
Configuration changes will not take effect until you:
1. Issue the commit command at the command prompt.
2. Give the commit command the input required.
3. Receive confirmation of the commit procedure at the CLI.
Changes to configuration that have not been committed will be recorded but not put into
effect until the commit command is run.
Note
Note — Not all commands in AsyncOS require the commit command to be run. See
Appendix A, “AsyncOS Quick Reference Guide,” in the IronPort AsyncOS Advanced User
Guide or view the IronPort AsyncOS CLI Reference Guide for a summary of commands that
require commit to be run before their changes take effect.
Exiting the CLI session, system shutdown, reboot, failure, or issuing the clear command
clears changes that have not yet been committed.
mail3.example.com> commit
C H A P T E R 2 : O V E R V I E W 21
IRONPORT ASYNCOS 4.7 USER GUIDE
Note — To successfully commit changes, you must be at the top-level command prompt.
Note
Type Return at an empty prompt to move up one level in the command line hierarchy.
mail3.example.com> clear
Are you sure you want to clear all changes since the last commit?
[Y]> y
mail3.example.com> quit
mail3.example.com> help
22
3
CHAPTER
This chapter guides you through the process of configuring your IronPort C- or X-Series
appliance for email delivery using the system setup wizard. If you are configuring an IronPort
M-Series appliance, please see “The IronPort M-Series Security Management Appliance” on
page 513. When you have completed this chapter, the IronPort appliance will be able to send
SMTP email over the Internet or within your network.
To configure your system as an Enterprise Gateway (accepting email from the Internet),
complete this chapter first, and then see Chapter 5, “Configuring the Gateway to Receive
Email,” for more information.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 23
IRONPORT ASYNCOS 4.7 USER GUIDE
IN S TA LL A TI O N P L A N NI N G
Note
Note — If you cannot configure the appliance as the first machine receiving email from the
Internet, you can still exercise some of the security services available on the appliance. Refer
to “Incoming Relays” on page 267 for more information.
24
INSTALLATION SCENARIOS
$ host -t mx example.com
example.com mail is handled (pri=10) by mail.example.com
example.com mail is handled (pri=20) by ironport.example.com
By registering the IronPort appliance in DNS, you will attract spam attacks regardless of how
you set the MX record priority. However, virus attacks rarely target backup MTAs. Given this,
if you want to evaluate Sophos Anti-Virus to its fullest potential, configure the IronPort
appliance to have an MX record priority of equal or higher value than the rest of your MTAs.
Installation Scenarios
You may want to review all features of the appliance prior to installing. Chapter 4,
“Understanding the Email Pipeline,” provides an overview of all functions available on the
appliance that may affect the placement of the IronPort appliance within your infrastructure.
Most customers’ network configurations are represented in the following scenarios. If your
network configuration varies significantly and you would like assistance planning an
installation, please contact IronPort Customer Support (see “Contacting IronPort Customer
Support” on page xxxiii).
Configuration Overview
The following figure shows the typical placement of the IronPort appliance in an enterprise
network environment:
Figure 3-1 Enterprise Network Environment
In some scenarios, the IronPort appliance resides inside the network “DMZ,” in which case an
additional firewall sits between the IronPort appliance and the groupware server.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 25
IRONPORT ASYNCOS 4.7 USER GUIDE
Incoming
• Incoming mail is accepted for the local domains you specify. (See “Accepting Email for
Local Domains or Specific Users on Public listeners (RAT)” in the IronPort AsyncOS
Advanced User Guide.)
• All other domains are rejected.
• External systems connect directly to the IronPort appliance to transmit email for the local
domains, and the IronPort appliance relays the mail to the appropriate groupware servers
(for example, Exchange™, Groupwise™, Domino™) via SMTP routes. (See “Routing
Email for Local Domains” in the IronPort AsyncOS Advanced User Guide.)
Outgoing
• Outgoing mail sent by internal users is routed by the groupware server to the IronPort
appliance.
• The IronPort appliance accepts outbound email based on settings in the Host Access Table
for the private listener. (For more information, see “Receiving Email with Listeners” on
page 74.)
Ethernet Interfaces
• Only one of the available Ethernet interfaces on the IronPort appliance is required in these
configurations. However, you can configure two Ethernet interfaces and segregate your
internal network from your external Internet network connection.
See “Using Virtual Gateway™ Technology” in the IronPort AsyncOS Advanced User Guide
and Appendix B, “Assigning Network and IP Addresses,” for more information about assigning
multiple IP addresses to the available interfaces.
Note
Note — The IronPort X1000, C600, C60, C300, and C30 Email Security appliances have
three available Ethernet interfaces by default. The IronPort C10/100 Email Security appliances
have two available Ethernet interfaces.
Advanced Configurations
In addition to this configurations shown in Figure 3-2 and Figure 3-3, you can also configure:
• Multiple IronPort appliances using the Centralized Management feature
• Redundancy at the network interface card level by “teaming” two of the Ethernet
interfaces on IronPort appliances using the NIC Pairing feature.
Both of these features are discussed in the IronPort AsyncOS Advanced User Guide.
26
PHYSICAL DIMENSIONS
Appendix C, “Firewall Information,” contains all information about the possible ports that
may need to be opened for proper operation of the IronPort appliance. For example, ports in
the firewall may need to be opened for connections:
• from the external clients (MTAs) to the IronPort appliance
• to and from groupware servers
• to the Internet root DNS servers or internal DNS servers
• to the Symantec Brightmail Logistics and Operations Center (BLOC™) for Brightmail
Rules updates
• to the IronPort downloads server (http://downloads.ironport.com/) for Sophos Anti-Virus
updates, Virus Outbreak Filters rules, and updates to AnsycOS
• to the NTP servers
• to LDAP servers
Physical Dimensions
The following physical dimensions apply to the IronPort X1000, C600, C300, M1000, and
M600 Email Security appliances:
• Height: 8.656 cm (3.40 inches)
• Width: 48.26 cm (19.0 inches) with rails installed (without rails, 17.5 inches)
• Depth: 75.68cm (29.79 inches)
• Weight: maximum 26.76 kg (59 lbs)
The following physical dimensions apply to the IronPort C60 and C30 Email Security
appliances:
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 27
IRONPORT ASYNCOS 4.7 USER GUIDE
The following physical dimensions apply to the IronPort C10 and C100 Email Security
appliances:
• Height: 4.2 cm (1.68 inches)
• Width: 48.26 cm (19.0 inches) with rails installed (without rails, 17.5 inches)
• Depth: 57.6 cm (22.7 inches)
• Weight: maximum 11.8 kg (26 lbs)
28
PHYSICALLY CONNECTING THE IRONPORT APPLIANCE TO THE NETWORK
P HY SI C A L L Y C ON N E CT I NG TH E IR O NPO R T A P P L I A NC E
TO TH E NE TW O R K
Configuration Scenarios
The typical configuration scenario for the IronPort appliance is as follows:
• Interfaces - Only one of the three available Ethernet interfaces on the IronPort appliance is
required for most network environments. However, you can configure two Ethernet
interfaces and segregate your internal network from your external Internet network
connection.
• Public Listener (incoming email) - The public listener receives connections from many
external hosts and directs messages to a limited number of internal groupware servers.
• Accepts connections from external mail hosts based on settings in the HAT. By
default, the HAT is configured to ACCEPT connections from all external mail hosts.
• Accepts incoming mail only if it is addressed for the local domains specified in the
RAT. All other domains are rejected.
• Relays mail to the appropriate internal groupware server, as defined by SMTP
Routes.
• Private Listener (outgoing email) - The private listener receives connections from a limited
number of internal groupware servers and directs messages to many external mail hosts.
• Internal groupware servers are configured to route outgoing mail to the IronPort C-
or X-Series appliance.
• The IronPort appliance accepts connections from internal groupware servers based
on settings in the HAT. By default, the HAT is configured to RELAY connections
from all internal mail hosts.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 29
IRONPORT ASYNCOS 4.7 USER GUIDE
Internet
SMTP
Firewall
Notes:
• 2 Listeners
• 2 IP addresses
• 1 or 2 Ethernet interfaces (only 1 interface shown)
• SMTP routes configured
Public Listener:
“InboundMail” Inbound Listener: “InboundMail” (public)
• IP address: 1.2.3.4
IP interface: PublicNet (e.g. 1.2.3.4) • Listener on the Data2 interface listens on port 25
• HAT (accept ALL)
Ethernet interface: Data 2 • RAT (accept mail for local domains; reject ALL)
Groupware Client
30
CONFIGURATION SCENARIOS
Notes:
• 1 Listener
• 1 IP addresses
Internet • 1 Ethernet interface
• SMTP routes configured
Groupware server
(Exchange™, Domino™,
Groupwise™)
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 31
IRONPORT ASYNCOS 4.7 USER GUIDE
P RE P A RI N G F OR S E T U P
The process of setting up the IronPort appliance is divided into five steps.
1. Determine how you will connect to the appliance.
2. Determine network and IP address assignments — one IP address or two.
3. Gather information about your system setup.
4. Launch a web browser and enter the IP address of the appliance. (Alternatively, you can
access the command line interface (CLI) described in “Running the Command Line
Interface (CLI) System Setup Wizard” on page 49)
5. Run the system setup wizard to configure your system.
Ethernet An Ethernet connection between a PC and the network and between the network
and the IronPort Management port. The IP address that has been assigned to the
Management port by the factory is 192.168.42.42. This is the easiest way to
connect if it works with your network configuration.
Serial A serial communications connection between the PC and the IronPort Serial
Console port. If you cannot use the Ethernet method, a straight serial-to-serial
connection between the computer and the appliance will work until alternate
network settings can be applied to the Management port. For pinout information,
see “Accessing via a Serial Connection” on page 534. The communications settings
for the serial port are:
Note
Note — Keep in mind that the initial connection method is not final. This process applies
only for the initial configuration. You can change network settings at a later time to allow
different connection methods. (See Appendix A, “Accessing the Appliance,” for more
information.) You can also create multiple user accounts with differing administrative
32
DETERMINING NETWORK AND IP ADDRESS ASSIGNMENTS
privileges to access the appliance. (For more information, see “Adding Additional Users” on
page 460.)
Note
Note — If you are running a firewall on your network between the Internet and the IronPort
appliance, it may be necessary to open specific ports for the IronPort appliance to work
properly. See Appendix C, “Firewall Information,” for more information.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 33
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 3-3 System Setup Worksheet: 2 IP Addresses for Segregating Email Traffic
System Settings
Default System Hostname:
Email System Alerts To:
Time Zone Information:
NTP Server:
Admin Password:
SenderBase Network Participation: Enable / Disable
AutoSupport: Enable / Disable
Network Integration
Gateway:
DNS (Internet or Specify Own):
Interfaces
Data 1 Port
IP Address:
Network Mask:
Fully Qualified Hostname:
Accept Incoming Mail: Domain Destination
Relay Outgoing Mail: System
Data 2 Port
IP Address:
Network Mask:
Fully Qualified Hostname:
Accept Incoming Mail: Domain Destination
Relay Outgoing Mail: System
Management Port
IP Address:
Network Mask:
Fully Qualified Hostname:
Accept Incoming Mail: Domain Destination
Relay Outgoing Mail: System
34
GATHERING THE SETUP INFORMATION
Table 3-3 System Setup Worksheet: 2 IP Addresses for Segregating Email Traffic (Continued)
Message Security
SenderBase Reputation Filtering: Enable / Disable
Enable IronPort Anti-Spam Scanning Engine Enable / Disable
Enable Brightmail Anti-Spam Scanning Engine Enable / Disable
Sophos Anti-Virus Scanning Engine Enable / Disable
Virus Outbreak Filters Enable / Disable
Table 3-4 System Setup Worksheet: 1 IP Address for All Email Traffic
System Settings
Default System Hostname:
Email System Alerts To:
Time Zone:
NTP Server:
Admin Password:
SenderBase Network Participation: Enable / Disable
AutoSupport: Enable / Disable
Network Integration
Gateway:
DNS (Internet or Specify Own):
Interfaces
Data2 Port
IP Address:
Network Mask:
Fully Qualified Hostname:
Accept Incoming Mail: Domain Destination
Data1 Port
IP Address:
Network Mask:
Fully Qualified Hostname:
Message Security
SenderBase Reputation Filtering: Enable / Disable
Enable IronPort Anti-Spam Scanning Engine Enable / Disable
Enable Brightmail Anti-Spam Scanning Engine Enable / Disable
Sophos Anti-Virus Scanning Engine Enable / Disable
Virus Outbreak Filters Enable / Disable
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 35
IRONPORT ASYNCOS 4.7 USER GUIDE
US I NG T H E SY ST E M S E T UP W IZ A R D
The IronPort AsyncOS operating system provides a browser-based system setup wizard to
guide you through the five step process of system configuration. Also included is a command
line interface (CLI) version of the wizard. See “Running the Command Line Interface (CLI)
System Setup Wizard” on page 49 for more information. Some users will want to take
advantage of custom configuration options not available in the wizard. However, you must
use the wizard for the initial setup to ensure a complete configuration. If you have gathered
the information required in “Preparing for Setup” on page 32, the configuration process will
take less time to complete.
WARNING: The system setup wizard will completely reconfigure your system. You
should only use the wizard the very first time you install the appliance, or if you want
to completely overwrite your existing configuration.
WARNING: The IronPort appliance ships with a default IP address of 192.168.42.42
on the Management port of C600, C60, C300, C30, and X1000 systems, and the Data 1 port
of C10/100 systems. Before connecting the IronPort appliance to your network, ensure that no
other device’s IP address conflicts with this factory default setting. If you are configuring an
IronPort M-Series appliance, please see “The IronPort M-Series Security Management
Appliance” on page 513.
If you are connecting multiple factory-configured IronPort appliances to your network, add
them one at a time, reconfiguring each IronPort appliance’s default IP address as you go.
36
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
• Password: ironport
Note
Note — Your session will time out if it is idle for over 30 minutes or if you close your browser
without logging out. If this happens, you will be asked to re-enter your username and
password. If your session times out while you are running the System Setup Wizard, you will
have to start over again.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 37
IRONPORT ASYNCOS 4.7 USER GUIDE
Step through the wizard, clicking Next after you complete each step. You can move back to a
previous step by clicking Previous. At the end of the process, you are prompted to commit the
changes you have made. Your changes will not take effect until they have been committed. If
you click Next, but have left a required field blank (or entered incorrect information), the
fields in question are outlined in red. Make your corrections and click Next again.
Step 1: Start
Begin by reading the license agreement. Once you have read and agreed to the license
agreement, check the box indicating that you agree and then click Begin Setup to proceed.
Figure 3-5 System Setup Wizard: Step 1. Start
Step 2: System
Setting the Hostname
Define the fully-qualified hostname for the IronPort appliance. This name should be assigned
by your network administrator.
Configuring System Alerts
IronPort AsyncOS sends alert messages via email if there is a system error that requires the
user’s intervention. Enter the email address (or addresses) to which to send those alerts.
You must add at least one email address to which to send System Alerts. Enter an email
address, or separate multiple addresses with commas. The email addresses you enter will
initially receive all types of alerts at all levels. You can add more granularity to the alert
configuration later. For more information, see “Alerts” on page 465.
38
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 39
IRONPORT ASYNCOS 4.7 USER GUIDE
Step 3: Network
In Step 3, you define the default router (gateway) and configure the DNS settings, and then set
up the appliance to receive and or relay email by configuring the Data 1, Data 2, and
Management interfaces.
Configuring DNS and Default Gateway
Type the IP address of the default router (gateway) on your network.
Next, configure the DNS (Domain Name Service) settings. IronPort AsyncOS contains a high-
performance internal DNS resolver/cache that can query the Internet’s root servers directly, or
the system can use DNS servers you specify. If you choose to use your own servers, you will
need to supply the IP address and hostname of each DNS server. You can enter up to four
DNS servers via the System Setup Wizard. Please note that DNS servers you enter will have
an initial priority of 0. For more information, see “Configuring Domain Name System (DNS)
Settings” on page 478.
Note
Note — The appliance requires access to a working DNS server in order to perform DNS
lookups for incoming connections. If you cannot specify a working DNS server that is
reachable by the appliance while you are setting up the appliance, a workaround is to either
select “Use Internet Root DNS Servers” or to specify, temporarily, the IP address of the
Management interface so that you can complete the system setup wizard.
40
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
Note
Note — IP addresses within the same subnet cannot be configured on separate physical
Ethernet interfaces. See Appendix B, “Assigning Network and IP Addresses,” for more detailed
information on Network and IP Address configuration.
Accepting Mail
When configuring your interfaces to accept mail, you define:
• the domain for which to accept mail
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 41
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — Configuring SMTP Routes in this step is optional. If no SMTP routes are defined, the
system will use DNS to lookup and determine the delivery host for the incoming mail
received by the listener. (See “Routing Email for Local Domains” in the IronPort AsyncOS
Advanced User Guide for more information.)
You must add at least one domain to the Recipient Access Table. Enter a domain —
example.com, for example. To ensure that mail destined for any subdomain of
example.net will match in the Recipient Access Table, enter .example.net as well as the
domain name. For more information, see “Defining Recipients” in the IronPort AsyncOS
Advanced User Guide.
Relaying Mail (Optional)
When configuring your interfaces to relay mail, you define the systems allowed to relay email
through the appliance.
These are entries in the RELAYLIST of the Host Access Table for a listener. See “Sender Group
Syntax” on page 92 for more information.
Mark the checkbox for Relay Outgoing Mail to configure the interface to relay mail. Enter the
hosts that may relay mail through the appliance.
In the following example, two interfaces are created:
• 192.168.42.42 remains configured on the Management interface.
• 192.168.1.1 is enabled on the Data 1 Ethernet interface, and is configured to accept mail
for domains ending in .example.com and an SMTP route is defined for
exchange.example.com.
42
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
• 192.168.2.1 is enabled on the Data 2 Ethernet interface, and is configured to relay mail
from exchange.example.com.
Note
Note — The following example pertains to X1000, C60/600, and C30/300 appliances. For
C10/100 appliances, the Data 2 interface is typically configured for both incoming and
outgoing mail while the Data 1 interface is used for appliance management (see “C10/100
Installations” on page 43).
Use this configuration if you want your network to look like Figure 3-2 on page 30.
C10/100 Installations
When configuring a single IP address for all email traffic (nonsegregated traffic), step 3 of the
system setup wizard will look like this:
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 43
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 3-8 Network Interfaces: 1 IP Address for Incoming and Outgoing (Nonsegregated) Traffic
Use this configuration if you want your network to look like Figure 3-3 on page 31.
Click Next to continue.
Step 4: Security
In step 4, you configure anti-spam and anti-virus settings. The anti-spam options include
SenderBase Reputation Filtering and selecting an anti-spam scanning engine. For anti-virus,
you can enable Virus Outbreak Filters and Sophos anti-virus scanning.
Enabling SenderBase Reputation Filtering
The SenderBase Reputation Service can be used as a stand-alone anti-spam solution, but it is
primarily designed to improve the effectiveness of a content-based anti-spam system such as
IronPort Anti-Spam or Symantec Brightmail Anti-Spam.
The SenderBase Reputation Service (http://www.senderbase.org) provides an accurate,
flexible way for users to reject or throttle suspected spam based on the connecting IP address
of the remote host. The SenderBase Reputation Service returns a score based on the
probability that a message from a given source is spam. The SenderBase Reputation Service is
unique in that it provides a global view of email message volume and organizes the data in a
44
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
way that makes it easy to identify and group related sources of email. IronPort strongly
suggests that you enable SenderBase Reputation Filtering.
Once enabled, SenderBase Reputation Filtering is applied on the incoming (accepting)
listener.
Enabling Anti-Spam Scanning
Your IronPort appliance may ship with 30-day evaluation keys for IronPort or Symantec
Brightmail Anti-Spam software. During this portion of the system setup wizard, you can
choose to enable IronPort or Symantec Brightmail Anti-Spam globally on the appliance. You
can also elect to not enable either service.
See Chapter 9, “Anti-Spam,” for all of the IronPort and Symantec Brightmail Anti-Spam
configuration options available on the appliance.
Enabling Anti-Virus Scanning
Your IronPort appliance may ship with a 30-day evaluation key for the Sophos Anti-Virus
scanning engine. During this portion of the system setup wizard, you can choose to enable
Sophos Anti-Virus globally on the appliance.
If you choose to enable it, Sophos Anti-Virus will be enabled for both the default incoming
and default outgoing mail policies.
See Chapter 10, “Anti-Virus,” for all of the Sophos Anti-Virus configuration options available
on the appliance.
Enabling Virus Outbreak Filters
Your IronPort appliance may ship with a 30-day evaluation key for Virus Outbreak Filters.
Virus Outbreak Filters provide a “first line of defense” against new virus outbreaks by
quarantining suspicious messages until traditional anti-virus security services can be updated
with a new virus signature file.
See Chapter 11, “The Virus Outbreak Filters Feature,” for more information.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 45
IRONPORT ASYNCOS 4.7 USER GUIDE
Step 5: Review
A summary of the configuration information is displayed. You can edit the System Settings,
Network Integration, and Message Security information by clicking the Previous button or by
clicking the corresponding Edit link in the upper-right of each section. When you return to a
step to make a change, you must proceed through the remaining steps until you reach this
review page again. All settings you previously entered will be remembered.
46
RUNNING THE WEB-BASED SYSTEM SETUP WIZARD
Once you are satisfied with the information displayed click Install This Configuration. A
confirmation dialog is displayed. Click Install to install the new configuration.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 47
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — Clicking Install will cause the connection to the current URL (http://192.168.42.42)
to be lost if you changed the IP address of the interface you used to connect to the appliance
(the Management interface on X1000, C600, C60, C300 and C30 systems, or the Data 1
interface on C10/100 systems) from the default. However, your browser will be redirected to
the new IP address. If you did not change the IP address from the default, the following page
is displayed:
Once System Setup is complete, several alert messages are sent. See “Immediate Alerts” on
page 60 for more information.
48
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
listed next. Initially, only the admin user account has access to the CLI. You can add other
users with differing levels of permission after you have accessed the command line interface
for the first time via the admin account. (See “Adding Additional Users” on page 460.) The
system setup wizard asks you to change the password for the admin account. The password
for the admin account can also be reset directly at any time using the password command.
To connect via Ethernet: Start an SSH or Telnet session with the factory default IP address
192.168.42.42. SSH is configured to use port 22. Telnet is configured to use port 23. Enter the
username and password below.
To connect via a Serial connection: Start a terminal session with the communication port on
your personal computer that the serial cable is connected to. Use the settings for serial port
outlined in “Connecting to the Appliance” on page 32. Enter the username and password
below.
Log in to the appliance by entering the username and password below.
login: admin
password: ironport
IronPort> systemsetup
The system setup wizard warns you that you will reconfigure your system. If this is the very
first time you are installing the appliance, or if you want to completely overwrite your
existing configuration, answer “Yes” to this question.
WARNING: The system setup wizard will completely delete any existing
'listeners' and all associated settings including the 'Host Access
Table' - mail operations may be interrupted.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 49
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — The remainder of the system setup steps are described below. Examples of the CLI
system setup wizard dialogue will only be included for sections that deviate from the GUI
system setup wizard described above in “Running the Web-Based System Setup Wizard” on
page 37.
50
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
Note — The names you define for interfaces are case-sensitive. AsyncOS will not allow you
Note
to create two identical interface names. For example, the names Privatenet and
PrivateNet are considered as two different (unique) names.
Note
Note — IP addresses within the same subnet cannot be configured on separate physical
Ethernet interfaces. See Appendix B, “Assigning Network and IP Addresses,”for more detailed
information on Network and IP Address configuration.
Note
Note — For C10/100 customers, the Data 2 interface is configured first.
Create a Listener
A “listener” manages inbound email processing services that will be configured on a
particular IP interface. Listeners only apply to email entering the IronPort appliance — either
from your internal systems or from the Internet. IronPort AsyncOS uses listeners to specify
criteria that messages must meet in order to be accepted and relayed to recipient hosts. You
can think of a listener as an email listener (or even a “SMTP daemon”) running for IP
addresses you specified above.
X1000, C60/600 and C30/300 customers: By default, the systemsetup command
configures two listeners — one public and one private. (For more information on the types of
listeners available, see “Configuring the Gateway to Receive Email” on page 73.)
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 51
IRONPORT ASYNCOS 4.7 USER GUIDE
C10/100 customers: By default, the systemsetup command configures one public listener
for both receiving mail from the Internet and for relaying email from your internal network.
See “C10/100 Listener Example” on page 55.
When you define a listener, you specify the following attributes:
• A name (nickname) created by you to refer to the listener later. For example, the listener
that accepts email from your internal systems to be delivered to the Internet may be called
OutboundMail.
• One of the IP interfaces (that you created earlier in the systemsetup command) on
which to receive email.
• The name of the machine(s) to which you want to route email (public listeners only). (This
is the first smtproutes entry. See “Routing Email for Local Domains” in the IronPort
AsyncOS Advanced User Guide for more information.)
• Whether or not to enable filtering based on SenderBase Reputation Service (SBRS) Scores
(for public listeners). If enabled, you are also prompted to select between Conservative,
Moderate, or Aggressive settings.
• Rate-limiting per host: the maximum number of recipients per hour you are willing to
receive from a remote host (public listeners only).
• The recipient domains or specific addresses you want to accept email for (public listeners)
or the systems allowed to relay email through the appliance (private listeners). (These are
the first Recipient Access Table and Host Access Table entries for a listener. See “Sender
Group Syntax” on page 92 and “Accepting Email for Local Domains or Specific Users on
Public listeners (RAT)” in the IronPort AsyncOS Advanced User Guide for more
information.)
Public Listener
Note
Note — The following examples of creating a public and private listener apply to C60 and
C30 customers only. IronPort C10/100 customers should skip to the next section “C10/100
Listener Example” on page 55.
In this example portion of the systemsetup command, a public listener named InboundMail
is configured to run on the PublicNet IP interface. Then, it is configured to accept all email for
the domain example.com. An initial SMTP route to the mail exchange
exchange.example.com is configured. Rate limiting is enabled, and the maximum value of
4500 recipients per hour from a single host is specified for the public listener.
Note
Note — The value you enter for maximum recipients per hour you are willing to receive from
a remote host is a completely arbitrary value, one that is usually relative to the size of the
enterprise for which you are administering email. For example, a sender who sends 200
messages in an hour might be considered a “spammer” (sender of unsolicited bulk email), but
if you are configuring the IronPort appliance to handle all email for a 10,000 person
company, 200 messages per hour from a remote host may be a reasonable value. Conversely,
in a 50-person company, someone sending 200 messages in an hour to you may be an
52
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
obvious spammer. You must choose an appropriate value when you enable rate-limiting on a
public listener (throttle) inbound email for your enterprise. For more information on Default
Host Access policies, see “Sender Group Syntax” on page 92.
The default host access policy for the listener is then accepted.
You are now going to configure how the IronPort C60 accepts mail by
creating a "Listener".
Please create a name for this listener (Ex: "InboundMail"):
[]> InboundMail
Enter the domains or specific addresses you want to accept mail for.
Enter the destination mail server which you want mail for example.com
to be delivered. Separate multiple entries with commas.
[]> exchange.example.com
Do you want to enable rate limiting for this listener? (Rate limiting
defines the maximum number of recipients per hour you are willing to
receive from a remote domain.) [Y]> y
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 53
IRONPORT ASYNCOS 4.7 USER GUIDE
Private Listener
In this example portion of the systemsetup command, a private listener named
OutboundMail is configured to run on the PrivateNet IP interface. Then, it is configured to
relay all email for all hosts within the domain example.com. (Note the dot at the beginning
of the entry: .example.com)
The default value for rate limiting (not enabled) and the default host access policy for this
listener are then accepted.
Note that the default values for a private listener differ from the public listener created earlier.
For more information on this topic, see “Public and Private Listeners” on page 76.
Do you want to configure the C60 to relay mail for internal hosts?
[Y]> y
Please specify the systems allowed to relay email through the IronPort
C60.
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
IP addresses, IP address ranges, and partial IP addressed are allowed.
Separate multiple entries with commas.
[]> .example.com
54
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
Do you want to enable rate limiting for this listener? (Rate limiting
defines the maximum number of recipients per hour you are willing to
receive from a remote domain.) [N]> n
Note
Note — The following example of creating a listener applies to C10/100 customers only.
Note
Note — The value you enter for maximum recipients per hour you are willing to receive from
a remote host is a completely arbitrary value, one that is usually relative to the size of the
enterprise for which you are administering email. For example, a sender who sends 200
messages in an hour might be considered a “spammer” (sender of unsolicited bulk email), but
if you are configuring the IronPort appliance to handle all email for a 10,000 person
company, 200 messages per hour from a remote host may be a reasonable value. Conversely,
in a 50-person company, someone sending 200 messages in an hour to you may be an
obvious spammer. You must choose an appropriate value when you enable rate-limiting on a
public listener (throttle) inbound email for your enterprise. For more information on Default
Host Access policies, see “Sender Group Syntax” on page 92.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 55
IRONPORT ASYNCOS 4.7 USER GUIDE
The default host access policy for the listener is then accepted.
You are now going to configure how the IronPort C10 accepts mail by
creating a "Listener".
Please create a name for this listener (Ex: "MailInterface"):
[]> MailInterface
Enter the domain names or specific email addresses you want to accept
mail for.
Enter the destination mail server where you want mail for example.com
to be delivered. Separate multiple entries with commas.
[]> exchange.example.com
Please specify the systems allowed to relay email through the IronPort
C10.
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
IP addresses, IP address ranges, and partial IP addresses are allowed.
Separate multiple entries with commas.
[]> .example.com
Do you want to enable rate limiting for this listener? (Rate limiting
defines the maximum number of recipients per hour you are willing to
receive from a remote domain.) [Y]> y
56
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
Note
Note — Because the systemsetup command only configures one listener for both inbound
and outbound mail for C10/100 customers, all outgoing mail will be calculated in the Mail
Flow Monitor feature (which is normally used for inbound messages). See “Using Mail Flow
Monitor” on page 139 for more information.
Note
Note — If you do not accept the license agreement, Symantec Brightmail Anti-Spam is not
enabled on the appliance.
See Chapter 9, “Anti-Spam,” for all of the Symantec Brightmail Anti-Spam configuration
options available on the appliance.
Note
Note — If you do not accept the license agreement, IronPort Anti-Spam is not enabled on the
appliance.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 57
IRONPORT ASYNCOS 4.7 USER GUIDE
See Chapter 9, “Anti-Spam,” for all of the IronPort Anti-Spam configuration options available
on the appliance.
Note
Note — If you do not accept the license agreement, Sophos Anti-Virus will not be enabled on
the appliance.
See Chapter 10, “Anti-Virus,” for all of the Sophos Anti-Virus configuration options available
on the appliance.
Enable Virus Outbreak Filters and SenderBase Email Traffic Monitoring Network
This next step prompts you to enable both SenderBase participation and Virus Outbreak
Filters. Your IronPort appliance ships with a 30-day evaluation key for Virus Outbreak Filters.
Virus Outbreak Filters
Virus Outbreak Filters provide a “first line of defense” against new virus outbreaks by
quarantining suspicious messages until traditional Anti-Virus security services can be updated
with a new virus signature file. If enabled, Virus Outbreak Filters will be enabled on the
default Incoming Mail Policy.
If you choose to enable Virus Outbreak Filters, enter a threshold value and whether you
would like to receive Virus Outbreak Filters alerts. For more information about Virus
Outbreak Filters and threshold values, see “The Virus Outbreak Filters Feature” on page 301.
SenderBase Participation
SenderBase is an email reputation service designed to help email administrators research
senders, identify legitimate sources of email, and block spammers.
If you agree to participate in the SenderBase Email Traffic Monitoring Network, IronPort will
collect aggregated statistics about email sent to your organization. This includes summary
data on message attributes and information on how different types of messages were handled
by IronPort appliances.
See Chapter 12, “SenderBase Network Participation,” for more information.
58
RUNNING THE COMMAND LINE INTERFACE (CLI) SYSTEM SETUP WIZARD
Commit Changes
Finally, the system setup wizard will ask you to commit the configuration changes you have
made throughout the procedure. Answer “Yes” if you want to commit the changes.
When you have successfully completed the system setup wizard, the following message will
appear and you will be presented with the command prompt:
mail3.example.com> mailconfig
Send the configuration to a mailbox to which you have access to confirm that the system is
able to send email on your network.
C H A P T E R 3 : S E T U P A N D I N S T A L L A T I O N 59
IRONPORT ASYNCOS 4.7 USER GUIDE
Immediate Alerts
The IronPort appliance uses feature keys to enable features. The first time you create a listener
in the systemsetup command, enable Symantec Brightmail Anti-Spam, enable Sophos Anti-
Virus, or enable Virus Outbreak Filters, an alert is generated and sent to the addresses you
specified in “Step 2: System” on page 38.
The alert notifies you periodically of the time remaining on the key. For example:
For information on enabling a feature beyond the 30-day evaluation period, contact your
IronPort sales representative. You can see how much time remains on a key via the System
Administration -> Feature Keys page or by issuing the featurekey command. (For more
information, see “Working with Feature Keys” on page 450.)
60
4
CHAPTER
The Email Pipeline is the process or flow email follows as it is processed by the IronPort
appliance. Understanding the Email Pipeline is essential to getting the best performance from
your IronPort appliance.
This chapter provides an overview of the Email Pipeline and a brief description of each
feature. The brief description also includes a link to the chapter or book containing a detailed
explanation of the feature.
This chapter contains the following sections:
• “Overview: Email Pipeline” on page 62
• “Incoming / Receiving” on page 66
• “Work Queue / Routing” on page 68
• “Delivery” on page 71
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 61
IRONPORT ASYNCOS 4.7 USER GUIDE
O V E R V I EW : E M A I L P I P E L I N E
Figure 4-1 and Figure 4-2 provide an overview of how email is processed through the system,
from reception to routing to delivery. Each feature is processed in order (from top to bottom)
and is briefly described below. A full description of each feature can be found in the following
chapters. Some features are described in the IronPort AsyncOS Advanced User Guide.
Shaded areas in Figure 4-2 represent processing that occurs in the Work Queue (see “Work
Queue / Routing” on page 68).
You can test most of the configurations of features in this pipeline using the trace command.
For more information, see“Debugging Mail Flow Using Test Messages: Trace” on page 431.
62
OVERVIEW: EMAIL PIPELINE
Figure 4-1 Email Pipeline for the IronPort Appliance: Receiving Email Features
Feature Description
Domain Map Rewrites the Envelope Recipient for each recipient in a message that
matches a domain in the domain map table.
Recipient Access Table (RAT) (Public listeners only) ACCEPT or REJECT recipients in RCPT TO
plus Custom SMTP Response. Allow special recipients to bypass
throttling.
LDAP Recipient Acceptance LDAP validation for recipient acceptance occurs within the SMTP
conversation. If the recipient is not found in the LDAP directory, the
message is dropped or bounced. LDAP validation can be configured
to occur within the work queue instead.
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 63
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 4-2 Email Pipeline for the IronPort Appliance: Routing and Delivery Features
Virus Outbreak Filters* The Virus Outbreak Filters feature helps protect against
virus outbreaks. * Can send messages to quarantines.
64
OVERVIEW: EMAIL PIPELINE
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 65
IRONPORT ASYNCOS 4.7 USER GUIDE
IN C OM IN G / R E C E I VI N G
The receiving phase of the Email Pipeline involves the initial connection from the sender’s
host. Each message’s domains can be set, the recipient is checked, and the message is handed
off to the work queue.
Host Access Table (HAT), Sender Groups, and Mail Flow Policies
The HAT allows you to specify hosts that are allowed to connect to a listener (that is, which
hosts you will allow to send email).
Sender Groups are used to associate one or more senders into groups, upon which you can
apply message filters, and other Mail Flow Policies. Mail Flow Policies are a way of expressing
a group of HAT parameters (access rule, followed by rate limit parameters and custom SMTP
codes and responses).
Together, sender groups and mail flow policies are defined in a listener’s HAT.
Host DNS verification settings for sender groups allow you to classify unverified senders prior
to the SMTP conversation and include different types of unverified senders in your various
sender groups.
While the connecting host was subject to Host DNS verification in sender groups — prior to
the SMTP conversation — the domain portion of the envelope sender is DNS verified in mail
flow policies, and the verification takes place during the SMTP conversation. Messages with
malformed envelope senders can be ignored. You can add entries to the Sender Verification
Exception Table — a list of domains and email addresses from which to accept or reject mail
despite envelope sender DNS verification settings.
Reputation Filtering allows you to classify email senders and restrict access to your email
infrastructure based on sender’s trustworthiness as determined by the IronPort SenderBase
Reputation Service.
For more information, see “The Host Access Table (HAT): Sender Groups and Mail Flow
Policies” on page 80.
Default Domain
You can configure a listener to automatically append a default domain to sender addresses
that do not contain fully-qualified domain names; these are also known as “bare” addresses
(such as “joe” vs. “joe@example.com”).
For more information, see “Changing the Default Sender Domain” in the IronPort AsyncOS
Advanced User Guide.
Bounce Verification
Outgoing mail is tagged with a special key, and so if that mail is sent back as a bounce, the
tag is recognized and the mail is delivered. For more information, see “IronPort Bounce
Verification” in the IronPort AsyncOS Advanced User Guide.
66
DOMAIN MAP
Domain Map
For each listener you configure, you can construct a domain map table which rewrites the
envelope recipient for each recipient in a message that matches a domain in the domain map
table. For example, joe@old.com -> joe@new.com
For more information, see “The Domain Map Feature” in the IronPort AsyncOS Advanced
User Guide.
Alias Tables
Alias tables provide a mechanism to redirect messages to one or more recipients. Aliases are
stored in a mapping table. When the envelope recipient (also known as the Envelope To, or
RCPT TO) of an email matches an alias as defined in an alias table, the envelope recipient
address of the email will be rewritten.
For more information about Alias Tables, see “Creating Alias Tables” in the IronPort AsyncOS
Advanced User Guide.
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 67
IRONPORT ASYNCOS 4.7 USER GUIDE
WOR K Q UE UE / R O UT I NG
The Work Queue is where the received message is processed before moving to the delivery
phase. Processing includes masquerading, routing, filtering, anti-spam and anti-virus
scanning, Virus Outbreak Filters, and quarantining.
then the message will not be anti-virus scanned upon release from the quarantine, regardless
of whether anti-virus scanning has been re-enabled. However, messages that bypass anti-virus
scanning due to mail policies may be anti-virus scanned upon release from a quarantine, as
the mail policy's settings may have changed while the message was in the quarantine. For
example, if a message bypasses anti-virus scanning due to a mail policy and is quarantined,
then, prior to release from the quarantine, the mail policy is updated to include anti-virus
scanning, the message will be anti-virus scanned upon release from the quarantine.
Similarly, suppose you had inadvertently disabled anti-spam scanning globally (or within the
HAT), and you notice this after mail is in the work queue. Enabling anti-spam at that point will
not cause the messages in the work queue to be anti-spam scanned.
68
LDAP ROUTING
For more information about masquerading via a static mapping table, see “Configuring
Masquerading” in the IronPort AsyncOS Advanced User Guide.
For more information about masquerading via an LDAP query, see “LDAP Queries” in the
IronPort AsyncOS Advanced User Guide.
LDAP Routing
You can configure your IronPort appliance to route messages to the appropriate address and/
or mail host based upon the information available in LDAP directories on your network.
For more information, see “LDAP Queries” in the IronPort AsyncOS Advanced User Guide.
Message Filters
Message filters allow you to create special rules describing how to handle messages and
attachments as they are received. Filter rules identify messages based on message or
attachment content, information about the network, message envelope, message headers, or
message body. Filter actions allow messages to be dropped, bounced, archived, quarantined,
blind carbon copied, or altered.
For more information, see the “Policy Enforcement” in the IronPort AsyncOS Advanced User
Guide.
Multi-recipient messages are “splintered” after this phase, prior to Email Security Manager.
Splintering messages refers to creating splinter copies of emails with single recipients, for
processing via Email Security Manager.
Anti-Virus
Your IronPort appliance includes an integrated virus scanning engine from Sophos, Plc. You
can configure the appliance to scan messages and attachments for viruses on a per-“mail
policy” basis. You can configure the appliance to do the following when a virus is found:
• attempt to repair the attachment
• drop the attachment
• modify the subject header
• add an additional X- header
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 69
IRONPORT ASYNCOS 4.7 USER GUIDE
Content Filters
You can create content filters to be applied to messages on a per-recipient or per-sender basis.
Content filters are similar to message filters, except that they are applied later in the email
pipeline — after a message has been “splintered” into a number of separate messages for each
matching Email Security Manager policy. The functionality of content filters is applied after
message filters processing and anti-spam and anti-virus scanning have been performed on a
message.
For more information about Content Filters, see “Content Filters Overview” on page 170.
Quarantines
IronPort AsyncOS allows you to filter incoming or outgoing messages and place them into
quarantines. Quarantines are special queues or repositories used to hold and process
messages. Messages in quarantines can be delivered or deleted, based on how you configure
the quarantine.
The following Work Queue features can send messages to quarantines:
• Message Filters
• Anti-Virus
• Virus Outbreak Filters
• Content Filters
Messages released from quarantines are re-scanned for viruses.
See Chapter 15, “Quarantines,” for more information.
70
DELIVERY
DE LIV E R Y
The delivery phase of the Email Pipeline focuses on the final phase of email processing,
including limiting connections, bounces, and recipients.
Virtual gateways
The IronPort Virtual Gateway technology enables users to separate the IronPort appliance into
multiple Virtual Gateway addresses from which to send and receive email. Each Virtual
Gateway address is given a distinct IP address, hostname and domain, and email delivery
queue.
For more information, see “Using Virtual Gateway™ Technology” in the IronPort AsyncOS
Advanced User Guide.
Delivery Limits
Use the deliveryconfig command to set limits on delivery, based on which IP interface to
use when delivering and the maximum number of concurrent connections the appliance
makes for outbound message delivery.
For more information, see “Set Email Delivery Parameters” in the IronPort AsyncOS Advanced
User Guide.
Received: Header
Using the listenerconfig command, you can configure a listener to not include the
Received: header by default to all messages received by the listener.
For more information, see “Disabling the Addition of the Received Header” in the IronPort
AsyncOS Advanced User Guide.
Note
Note — The Received: header is not added to the message until it is delivered.
Domain-Based Limits
For each domain, you can assign a maximum number of connections and recipients that will
never be exceeded by the system in a given time period. This “good neighbor” table is defined
through the Mail Policies -> Destination Controls page (or the destconfig command).
For more information, see “Controlling Email Delivery” in the IronPort AsyncOS Advanced
User Guide.
Domain-Based Routing
Use the Network -> SMTP Routes page (or the smtproutes command) to redirect all email
for a particular domain to a specific mail exchange (MX) host, without rewriting the envelope
recipient.
For more information, see “Routing Email for Local Domains” in the IronPort AsyncOS
Advanced User Guide.
C H A P T E R 4 : U N D E R S T A N D I N G T H E E M A I L P I P E L I N E 71
IRONPORT ASYNCOS 4.7 USER GUIDE
Global Unsubscribe
Use Global Unsubscribe to ensure that specific recipients, recipient domains, or IP addresses
never receive messages from the IronPort appliance. If Global Unsubscribe is enabled, the
system will check all recipient addresses against a list of “globally unsubscribed” users,
domains, email addresses, and IP Addresses. Matching emails are not sent.
For more information, see “Using Global Unsubscribe” in the IronPort AsyncOS Advanced
User Guide.
Bounce Limits
You use the Network -> Bounce Profiles page (or the bounceconfig command) to configure
how IronPort AsyncOS handles hard and soft conversational bounces for each listener you
create. You create bounce profiles and then apply profiles to each listener using the Network -
> Listeners page (or the listenerconfig command). You can also assign bounce profiles to
specific messages using message filters.
For more information about bounce profiles, see “Directing Bounced Email” in the IronPort
AsyncOS Advanced User Guide.
72
5
CHAPTER
After you have configured the basic settings of your IronPort appliance via the GUI’s System
Setup Wizard (or the CLI systemsetup command), you are now ready to begin tailoring the
configuration of your IronPort Email Security appliance to receive email. This chapter
discusses, in detail, all of the features available to you as you begin to configure listeners on
the appliance to handle receiving email.
The concept of the Host Access Table (HAT) is introduced. The Host Access Tables (HATs) of
public listeners — with their specific sender groups and mail flow policies — provide the
underlying framework that makes possible the Mail Flow Monitor feature. (Chapter 6, “Using
Mail Flow Monitor,” described the Mail Flow Monitor feature in detail.)
This chapter contains the following sections:
• “Receiving Email with Listeners” on page 74
• “The Host Access Table (HAT): Sender Groups and Mail Flow Policies” on page 80
• “Mail Flow Policies: Access Rules and Parameters” on page 81
• “Sender Groups” on page 91
• “Modifying the HAT for a Listener via the GUI” on page 114
• “Sender Verification” on page 117
• “Accepting Email for Local Domains or Specific Users on Public listeners (RAT)” on
page 129
• “Modifying the RAT for a Listener via the GUI” on page 132
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 73
IRONPORT ASYNCOS 4.7 USER GUIDE
RE CE IV I N G E M AI L W I T H L I S TE NE R S
The IronPort AsyncOS operating system allows the IronPort appliance to function as the
inbound email gateway for your enterprise, servicing SMTP connections from the Internet,
accepting messages, and relaying messages to the appropriate systems.
In this configuration, you enable listeners to service these connections. A listener describes an
email processing service that will be configured on a particular IP interface. Listeners only
apply to email entering the IronPort appliance — either from the internal systems within your
network or from the Internet. IronPort AsyncOS uses listeners to specify criteria that messages
must meet in order to be accepted and relayed to recipient hosts. You can think of a listener as
an “email injector” or even a “SMTP daemon” running on a specific port for each IP address
you specify (including the initial addresses you configured with the systemsetup
command).
The System Setup Wizard or the systemsetup command (CLI) initially configures the IP
interfaces that run on the available Ethernet interfaces on the IronPort appliance. On IronPort
C60 and C30 appliances, these Ethernet interfaces are labelled Data1, Data2, and
Management. On IronPort C10/C100 appliances, they are labelled Data1 and Data2. You can
edit these interfaces at a later time via the IP Interfaces page on the Network tab or the
interfaceconfig command.
Note
Note — If you have completed the GUI’s System Setup Wizard (or the systemsetup
command) and committed the changes, at least one listener should already be configured on
the appliance. (Refer to the settings you entered in the “Step 3: Network” on page 40.) The
specific addresses to accept mail for were entered at that time, as well as the first SMTP
Routes (Network -> SMTP Routes or smtproutes) entry.
Use the Listeners page (Network -> Listeners) or the listenerconfig command to
configure listeners that run over available IP interfaces on the IronPort appliance. For more
information about creating and configuring listeners, see the “Configuring Listeners” chapter
in the IronPort AsyncOS Advanced User Guide. In “Using Virtual Gateway™ Technology” in
the IronPort AsyncOS Advanced User Guide, the IronPort Virtual Gateway technology is
explained, in which you can further define and group IP interfaces over one or many IP
addresses, or groups of IP addresses.
Figure 5-1 Relationship Between Listeners, IP Interfaces, and Physical Ethernet Interfaces
Listener Port
IP interface IP address
IronPort Email
Security appliance
74
ENTERPRISE GATEWAY CONFIGURATION
SMTP
IronPort Email Security appliance Firewall
SMTP Internet
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 75
IRONPORT ASYNCOS 4.7 USER GUIDE
Large Small
corporations corporations ISPs
SMTP
IronPort Email Security appliance Firewall
A SMTP Internet
76
ENTERPRISE GATEWAY CONFIGURATION
In Figure 3-3, one public listener (A) and one private listener (B) are configured on the
appliance in this Enterprise Gateway configuration.
Figure 3-4 further illustrates the differences between the default settings of public and private
listeners. A public listener is intended to receive email from the internet. The public listener
receives connections from many hosts and directs messages to a limited number of recipients.
Conversely, a private listener is intended to receive email from your internal network. The
private listener receives connections from a limited (known) number of hosts and directs
messages to many recipients.
C10/100 customers: By default, the System Setup Wizard walks you through configuring one
public listener for both receiving mail from the Internet and for relaying email from your
internal network. That is, one listener can perform both functions.
Later in the chapter, these differences will be demonstrated in the Host Access Table and
Recipient Access Table for each type of listener.
Figure 5-4 Public and Private Listeners
Internet:
Hosts: Many
Recipients: Limited
Public Listener
IronPort Email
Security appliance
Private Listener
Internal Network:
Hosts: Limited
Recipients: Many
Figure 5-5 illustrates a typical Email Gateway configuration created by the System Setup
Wizard Setup Wizard (or CLI systemsetup command) on IronPort C60 and C30 appliances.
Two listeners are created: a public listener to serve inbound connections on one interface and
a private listener to serve outbound connections on a second IP interface.
Figure 5-6 illustrates a typical Email Gateway configuration created by the System Setup
Wizard (or CLI systemsetup command) on an IronPort C10/C100 appliance. One public
listener on a single IP interface is created to serve both inbound and outbound connections.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 77
IRONPORT ASYNCOS 4.7 USER GUIDE
IronPort Email
Security appliance
78
ENTERPRISE GATEWAY CONFIGURATION
SMTP
Public Listener:
“MailInterface”
Note: This public listener uses SMTP protocol on Port 25 of the PublicNet IP interface on the Data2
Ethernet interface to accept messages from the Internet and to relay messages from internal systems
in the .example.com domain.
IP interface MailNet sends messages to destination hosts on the Internet and to internal mail hosts.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 79
IRONPORT ASYNCOS 4.7 USER GUIDE
TH E H OS T A C C E SS TA BL E ( H AT ) :
SE ND E R G R OU P S A N D M A IL F L OW PO L IC I E S
Each listener that is configured on an appliance has properties that you can configure to
modify the behavior of the message it receives. As discussed in the “Overview: Email
Pipeline” on page 62, one of the first configurable features that influences a listener’s behavior
is its Host Access Table (HAT).
The HAT maintains a set of rules that control incoming connections from remote hosts for a
listener. Every listener you create has its own HAT. HATs are defined for public and private
listeners.
Entries in HAT are defined by this basic syntax:
The remote host definition is the way in which a remote host that is attempting to connect to
the listener is defined (for example, by a single IP address).
A rule defines whether the remote host specified can or cannot connect to the listener.
Extending the basic syntax, HATs in AsyncOS support the ability to create named sets of
remote host definitions; these are called sender groups. Named sets of access rules combined
with parameter sets are called mail flow policies. This extended syntax is illustrated in
Table 5-2:
The order that rules appear in the HAT is important. The HAT is read from top to bottom for
each host that attempts to connect to the listener. If a rule matches a connecting host, the
action is taken for that connection immediately.
Predefined and custom entries you place in the HAT are entered above the final “ALL” host
entry.
80
MAIL FLOW POLICIES: ACCESS RULES AND PARAMETERS
Note — By rejecting all hosts other than the ones you specify, the listenerconfig and
Note
systemsetup commands prevent you from unintentionally configuring your system as an
“open relay.” An open relay (sometimes called an “insecure relay” or a “third party” relay) is
an SMTP email server that allows third-party relay of email messages. By processing email
that is neither for nor from a local user, an open relay makes it possible for an unscrupulous
sender to route large volumes of spam through your gateway.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 81
IRONPORT ASYNCOS 4.7 USER GUIDE
Mail flow policies are then mapped to sender groups as entries in a listener’s HAT.
Parameter Description
Connections
Maximum message size The maximum size of a message that will be accepted by this listener.
The smallest possible maximum message size is 1 kilobyte.
Maximum messages per The maximum number of messages that can be sent through this
connection listener per connection from a remote host.
Maximum recipients per That maximum number of recipients per message that will be
message accepted from this host.
SMTP Banner
SMTP Banner Code The SMTP code returned when a connection is established with this
listener.
SMTP Banner Text The SMTP banner text returned when a connection is established with
this listener.
SMTP Reject Banner Code The SMTP code returned when a connection is rejected by this
listener.
SMTP Reject Banner Text The SMTP banner text returned when a connection is rejected by this
listener.
Override SMTP Banner By default, the appliance will include the hostname associated with
Host Name the interface of the listener when displaying the SMTP banner to
remote hosts (for example: 220-hostname ESMTP). You may choose
to override this banner by entering a different hostname here.
Additionally, you may leave the hostname field blank to choose not to
display a hostname in the banner.
Rate Limiting
82
MAIL FLOW POLICIES: ACCESS RULES AND PARAMETERS
Parameter Description
Rate Limiting: Maximum The maximum number of recipients per hour this listener will receive
Recipients per Hour from a remote host. The number of recipients per sender IP address is
tracked globally. Each listener tracks its own rate limiting threshold;
however, because all listeners validate against a single counter, it is
more likely that the rate limit will be exceeded if the same IP address
(sender) is connecting to multiple listeners.
Rate Limiting: Limit The SMTP code returned when a host exceeds the maximum number
Exceeded Error Code of recipients per hour defined for this listener.
Rate Limiting: Limit The SMTP banner text returned when a host exceeds the maximum
Exceeded Error Text number of recipients per hour defined for this listener.
Flow Control
Use SenderBase Enable “look ups” to the IronPort SenderBase Reputation Service for
this listener.
Group by Similarity of IP Used to track and rate limit incoming mail on a per-IP address basis
Addresses: (significant bits while managing entries in a listener’s Host Access Table (HAT) in large
0-32) CIDR blocks. You define a range of significant bits (from 0 to 32) by
which to group similar IP addresses for the purposes of rate limiting,
while still maintaining an individual counter for each IP address
within that range. Requires “Use SenderBase” to be disabled. For more
information about HAT significant bits, see the “HAT Significant Bits
Feature” in chapter 1 of the IronPort AsyncOS Advanced User Guide.
Directory Harvest Attack The maximum number of invalid recipients per hour this listener will
Prevention: Maximum receive from a remote host. (Use to prevent Directory Harvest Attacks
Invalid Recipients Per Hour and available only when LDAP acceptance validation queries are
enabled for a public listener on the appliance. For more information
on configuration LDAP accept queries, see “LDAP Queries” in the
IronPort AsyncOS Advanced User Guide.
Spam Detection
Virus Detection
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 83
IRONPORT ASYNCOS 4.7 USER GUIDE
Parameter Description
Allow TLS Connections Deny, Prefer, or Require Transport Layer Security (TLS) in SMTP
conversations for this listener.
SMTP Authentication Allows, disallow, or requires SMTP Authentication from remote hosts
connecting to the listener. SMTP Authentication is described in detail
in the “LDAP Queries” chapter of the IronPort AsyncOS Advanced
User Guide.
Domain Keys Signing Enable Domain Keys signing on this listener (RELAY only).
Untagged Bounces
Accept Untagged Bounces Applies only if bounce verification tagging (discussed in detail in the
IronPort AsyncOS Advanced User Guide) is enabled. Untagged
bounces for this mail flow policy are accepted.
Exception Table
Use Exception Table Use the sender verification domain exception table. You can only
have one exception table, but you can enable it per mail flow policy.
See “Sender Verification Exception Table” on page 119 for more
information.
By default, these parameters are set to the following default values shown in Table 5-5 for
each listener on the appliance.
Note
Note — If anti-spam or anti-virus scanning is enabled globally in the HAT, messages are
flagged for anti-spam or anti-virus scanning as they are accepted by the IronPort appliance. If
anti-spam or anti-virus scanning is disabled after the message is accepted, the message will
still be subject to scanning when it leaves the work queue.
84
MAIL FLOW POLICIES: ACCESS RULES AND PARAMETERS
Variable Definition
$Group Replaced by the name of the sender group that was matched in the HAT. If the
sender group has no name, “None” is displayed.
$Hostname Replaced by the remote hostname if and only if is has been validated by the IronPort
appliance. If the reverse DNS lookup of the IP address is successful but returns no
hostname, then “None” is displayed. If the reverse DNS lookup fails (for example, if
the DNS server cannot be reached, or no DNS server has been configured) then
“Unknown” is displayed.
$HATEntry Replaced by the entry in the HAT that the remote client matched.
Note
Note — These variables can be used with the smtp_banner_text and
max_rcpts_per_hour_text advanced HAT parameters shown in Table 1-3 of the
“Customizing Listeners” chapter in the IronPort AsyncOS Advanced User Guide.
Using these variables, you could edit the custom SMTP banner response text for accepted
connections in the $TRUSTED policy in the GUI:
Figure 5-7 Using HAT Variables
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 85
IRONPORT ASYNCOS 4.7 USER GUIDE
Enter the SMTP code to use in the response. 220 is the standard code.
[220]> 200
# telnet IP_address_of_IronPort_Appliance
220 hostname ESMTP
200 You've connected from the hostname: hostname, IP address of: IP-
address_of_connecting_machine, matched the group: WHITELIST, 10.1.1.1 the
SenderBase Organization: OrgID.
86
MAIL FLOW POLICIES: ACCESS RULES AND PARAMETERS
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 87
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 5-10 Default Policy Parameters for a Public Listener (two of two)
88
MAIL FLOW POLICIES: ACCESS RULES AND PARAMETERS
Use SenderBase: ON
Override Hostname NO
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 89
IRONPORT ASYNCOS 4.7 USER GUIDE
Override Hostname NO
90
SENDER GROUPS
Sender Groups
HAT parameters are combined with an access rule to create a mail flow policy (see “Mail
Flow Policies: Access Rules and Parameters” on page 81). When you group together different
HAT parameters and assign a name to them, you are defining a mail flow policy that can be
applied to groups of senders.
A sender group is simply a list of senders gathered together for the purposes of handling email
from those senders in the same way (that is, applying a mail flow policy to a group of senders).
A sender group is a list of senders identified by:
• IP address
• IP range
• Specific host or domain name
• SenderBase Reputation Service (SBRS) “organization” classification
• SBRS score range (or lack of score)
• DNS List query response
See Table 5-6 for the syntax of defining remote hosts (sender entries) that make up sender
groups. These sender entries are separated by commas in a listener’s HAT. You assign a name
for sender groups, as well as mail flow policies.
Together, sender groups and mail flow policies are defined in a listener’s HAT. By default, your
IronPort appliance ships with the predefined mail flow policies and sender groups described
in “Predefined Mail Flow Policies for Public Listeners” on page 96.
In Chapter 6, “Using Mail Flow Monitor,” you will use the predefined sender groups and mail
flow policies to quickly and powerfully classify the mail flowing through your gateway,
enabling real-time changes to a listener’s HAT.
Note
Note — The system acquires and verifies the validity of the remote host’s IP address by
performing a double DNS lookup. This consists of a reverse DNS (PTR) lookup on the IP
address of the connecting host, followed by a forward DNS (A) lookup on the results of the
PTR lookup. The system then checks that the results of the A lookup match the results of the
PTR lookup. If the results do not match, or if an A record does not exist, the system only uses
the IP address to match entries in the HAT.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 91
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 5-6 Defining Remote Hosts in the HAT: Sender Group Syntax
Syntax Meaning
dnslist[dnsserver.domain] DNS List query. For more information, see “Sender Groups
Defined by Querying DNS Lists in the HAT” on page 96.
92
SENDER GROUPS
forged HELO address, or simply rotating through different domain names. This leaves many
mail administrators asking themselves the fundamental question, “Who is sending me all of
this email?” To answer this question, the SenderBase Reputation Service has developed a
unique hierarchy for aggregating identity-based information based on the IP address of the
connecting host — the one thing that is almost impossible for a sender to forge in a message.
An IP Address is defined as the IP address of the sending mail host.
A Domain is defined as an entity that uses hostnames with a given second-level domain name
(for example, yahoo.com), as determined by a reverse (PTR) lookup on the IP address.
A Network Owner is defined as an entity (usually a company) that controls a block of IP
addresses, as determined based on IP address space assignments from global registries such as
ARIN (the American Registry for Internet Numbers) and other sources.
An Organization is defined as an entity that most closely controls a particular group of mail
gateways within a network owner’s IP block, as determined by SenderBase. An Organization
may be the same as the Network Owner, a division within that Network Owner, or a customer
of that Network Owner.
Setting Policies Based on the HAT
Table 5-7 lists some examples of network owners and organizations.
As network owners can range dramatically in size, the appropriate entity to base your mail
flow policy on is the organization. The SenderBase Reputation Service has a unique
understanding of the source of the email down to the organization level, which the IronPort
appliance leverages to automatically apply policies based on the organization. In the example
above, if a user specified “Level 3 Communications” as a sender group in the Host Access
Table (HAT), SenderBase will enforce policies based on the individual organizations
controlled by that network owner.
For example, in Table 3-7 above, if a user enters a limit of 10 recipients per hour for Level 3,
the IronPort appliance will allow up to 10 recipients per hour for Macromedia Inc.,
Alloutdeals.com and Greatoffers.com (a total of 30 recipients per hour for the Level 3 network
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 93
IRONPORT ASYNCOS 4.7 USER GUIDE
owner). The advantage of this approach is that if one of these organizations begins spamming,
the other organizations controlled by Level 3 will not be impacted. Contrast this to the
example of “The Motley Fool” network owner. If a user sets rate limiting to 10 recipients per
hour, the Motley Fool network owner will receive a total limit of 10 recipients per hour.
The IronPort Mail Flow Monitor feature is a way of defining the sender and providing you with
monitoring tools to create mail flow policy decisions about the sender. To create mail flow
policy decisions about a given sender, ask these questions:
1. Which IP addresses are controlled by this sender?
The first piece of information that the Mail Flow Monitor feature uses to control the
inbound email processing is the answer to this question. The answer is derived by
querying the SenderBase Reputation Service. The SenderBase Reputation Service provides
information about the relative size of the sender (either the SenderBase network owner or
the SenderBase organization). Answering this question assumes the following:
• Larger organizations tend to control more IP addresses, and send more legitimate
email.
2. Depending on its size, how should the overall number of connections be allotted for this
sender?
• Larger organizations tend to control more IP addresses, and send more legitimate
email. Therefore, they should be allotted more connections to your appliance.
• The sources of high-volume email are often ISPs, NSPs, companies that manage
outsourced email delivery, or sources of unsolicited bulk email. ISPs, NSPS, and
companies that manage outsourced email delivery are examples of organizations
that control many IP addresses, and should be allotted more connections to your
appliance. Senders of unsolicited bulk email usually do not control many IP
addresses; rather, they send large volumes of mail through a few number of IP
addresses. They should be allotted fewer connections to your appliance.
The Mail Flow Monitor feature uses its differentiation between SenderBase network owners
and SenderBase organizations to determine how to allot connections per sender, based on
logic in SenderBase. See Chapter 6, “Using Mail Flow Monitor,” for more information on
using the Mail Flow Monitor feature.
94
SENDER GROUPS
Score Meaning
Using the SBRS score, you configure the IronPort appliance to apply mail flow policies to
senders based on their trustworthiness. For example, all senders with a score less than -7.5
could be rejected. This is most easily accomplished via the GUI; see “Creating a Sender
Group with SenderBase Reputation Scores” on page 110. However, if you are modifying an
exported HAT in a text file, the syntax for including SenderBase Reputation Scores is
described in Table 5-9. See “Adding a New Listener” in the IronPort AsyncOS Advanced User
Guide.
SBRS[n:n SenderBase Reputation Score. Senders are identified by querying the SenderBase
] Reputation Service, and the scores are defined between the ranges.
SBRS[none] Specify no SBRS (very new domains may not have SenderBase Reputation Scores yet).
Note
Note — Network owners added to a HAT via the GUI use the syntax SBO:n, where n is the
network owner’s unique identification number in the SenderBase Reputation Service.
Use the Network -> Listeners page or listenerconfig -> setup command in the CLI to
enable a listener to query the SenderBase Reputation Service. You can also define the timeout
value that the appliance should wait when querying the SenderBase Reputation Service.
Then, you can configure different policies to use look ups to the SenderBase Reputation
Service by using the values in the Mail Policies Pages in the GUI or the listenerconfig ->
edit -> hostaccess commands in the CLI.
Note
Note — You can also create message filters to specify “thresholds” for SenderBase Reputation
Scores to further act upon messages processed by the system. For more information, see
“SenderBase Reputation Rule,” “Bypass Anti-Spam System Action,” and “Bypass Anti-Virus
System Action” in the IronPort AsyncOS Advanced User Guide.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 95
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — Some DNS Lists use variable responses (for example, “127.0.0.1” versus “127.0.0.2”
versus “127.0.0.3”) to indicate various facts about the IP address being queried against. If you
use the message filter DNS List rule (see “DNS List Rule” in the IronPort AsyncOS Advanced
User Guide), you can compare the result of the query against different values. However,
specifying a DNS List server to be queried in the HAT only supports a Boolean operation for
simplicity (that is, does the IP address appear in the list or not)
Note
Note — Be sure to include brackets in the query in the CLI. Brackets are not necessary when
specifying a DNS List query in the GUI. Use the dnslistconfig command in the CLI to test
a query, configure general settings for DNL queries, or flush the current DNS list cache.
Note that this mechanism can be used to identify “good” connections as well as “bad”
connections. For example, a query to query.bondedsender.org will match on connecting hosts
who have posted a financial bond with IronPort Systems’ Bonded Sender™ program to ensure
the integrity of their email campaign. You could modify the default WHITELIST sender group
to query the Bonded Sender program’s DNS servers (which lists these legitimate email senders
who have willingly posted bonds) and adjust the mail flow policy accordingly.
96
SENDER GROUPS
The Overview page is displayed. If listeners are configured, the Host Access Table
overview page defined for the first alphabetical listener is displayed. Select the desired
listener from the Listener list.
Figure 5-11 Predefined Mail Flow Policies for Public Listeners
3. Click the name of a Mail Flow Policy to view the connection behavior and parameters for
that policy.
Note
Note — By default, C10/100 customers are prompted to create only one public listener
during the systemsetup command. Public listeners created on IronPort C10/100 appliances
also include a $RELAYED mail flow policy that is used to relay mail for internal systems (as
shown in Figure 5-12). For more information, see “RELAYLIST” on page 104. The $RELAYLIST
policy is shown only on private listeners on IronPort X1000, C60/600, and C30/300
appliances.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 97
IRONPORT ASYNCOS 4.7 USER GUIDE
In this table, “Default” means that the default value as defined by the listener is used.
Note: All parameters for the $ACCEPTED policy are user-defined in the CLI systemsetup and
listenerconfig commands. Select “y” when prompted with the question:
Would you like to change the default host access policy?
to modify these values. To change these values using the GUI, follow the steps in “Viewing Default
Mail Flow Policies” on page 86.
98
SENDER GROUPS
Table 5-10 Predefined Mail Flow Policies for Public Listeners (Continued)
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 99
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 5-10 Predefined Mail Flow Policies for Public Listeners (Continued)
100
SENDER GROUPS
$ACCEPTED is a named policy, which is the same as the public listener’s default HAT settings.
You can assign the $ACCEPTED policy to any sender group you create. (See “Adding a New
Sender Group” on page 105 and “Adding a New Mail Flow Policy” on page 107. See also
“Customizing the HAT for a Listener via Export and Import” in the IronPort AsyncOS
Advanced User Guide.)
The final ALL entry in a HAT for a public listener also uses the $ACCEPTED policy as the
primary behavior.
Each public listener, by default, has the sender groups and corresponding mail flow policies
shown in Table 5-11 defined by default.
Table 5-11 Predefined Sender Groups and Mail Flow Policies for Public Listeners
WHITELIST $TRUSTED
BLACKLIST $BLOCKED
SUSPECTLIST $THROTTLED
UNKNOWNLIST $ACCEPTED
These four basic sender groups and mail flow policies enable a framework for you to begin
classifying the email flowing into your gateway on a public listener. In “Using Mail Flow
Monitor” on page 139, you will be able to see the real-time flow of email into your gateway
and be able to make changes to a listener’s HAT in real-time. (You can add IP addresses,
domains, or organizations to an existing sender group, edit the existing or pre-defined
policies, or create new mail flow policies.)
WHITELIST
Add senders you trust to the Whitelist sender group. The $TRUSTED mail flow policy is
configured so that email from senders you trust has no rate limiting enabled, and the content
from those senders is not scanned by the Symantec Brightmail Anti-Spam or Sophos Anti-
Virus software.
BLACKLIST
Senders in the Blacklist sender group are rejected (by the parameters set in the $BLOCKED
mail flow policy). Adding senders to this group rejects connections from those hosts by
returning a 5XX SMTP response in the SMTP HELO command.
SUSPECTLIST
The Suspectlist sender group contains a mail flow policy that throttles, or slows, the rate of
incoming mail. If senders are suspicious, you can add them to the Suspectlist sender group,
where the mail flow policy dictates that:
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 101
IRONPORT ASYNCOS 4.7 USER GUIDE
• Rate limiting limits the maximum number of messages per session, the maximum number
of recipients per message, the maximum message size, and the maximum number of
concurrent connections you are willing to accept from a remote host.
• The maximum recipients per hour from the remote host is set to 1 recipient per hour. Note
that this setting is the maximum throttling available. You can increase the number of
recipients to receive per hour if this parameter is too aggressive.
• The content of messages will be scanned by the Symantec Brightmail scanning engine and
Sophos anti-virus scanning engine (if you have the feature enabled for the system).
• The IronPort SenderBase Reputation Service will be queried for more information about
the sender. This sender group includes the “none” SBRS score.
UNKNOWNLIST
The Unknownlist sender group may be useful if you are undecided about the mail flow policy
you should use for a given sender. The mail flow policy for this group dictates that mail is
accepted for senders in this group, but the Symantec Brightmail Anti-Spam software (if
enabled for the system), the Sophos virus scanning engine, and the IronPort SenderBase
Reputation Service should all be used to gain more information about the sender and the
message content. Rate limits for senders in this group are also enabled with default values. For
more information on the Symantec Brightmail Anti-Spam software, see “Symantec Brightmail
Anti-Spam Filtering” on page 235. For more information on the Sophos virus scanning engine,
see “Sophos Anti-Virus Filtering” on page 278. For more information on the SenderBase
Reputation Service, see “Reputation Filtering” on page 204.
102
SENDER GROUPS
$BLOCKED is a named policy, which is the same as the private listener’s default HAT settings.
The final ALL entry in a HAT for a private listener also uses the $BLOCKED policy as the
default behavior.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 103
IRONPORT ASYNCOS 4.7 USER GUIDE
Each private listener, by default, has the following predefined sender group and
corresponding mail flow policy shown in Table 5-13 defined by default:
Table 5-13 Predefined Sender Groups and Mail Flow Policies for Private Listener
RELAYLIST $RELAYED
ALL $BLOCKED
This basic sender group and mail flow policy enables a framework for you to begin classifying
the email flowing out of your gateway on a private listener.
RELAYLIST
Add senders you know should be allowed to relay to the Relaylist sender group. The
$RELAYED mail flow policy is configured so that email from senders you are allowing to relay
has no rate limiting, and the content from those senders is not scanned by the anti-spam
scanning engine or Sophos Anti-Virus software.
Note
Note — The systems you allowed to relay email through the IronPort appliance when you
created an outbound (private) listener in the GUI System Setup wizard (or CLI systemsetup
command) are automatically added to the RELAYLIST sender group. See “Step 3: Network” on
page 40.
Note
Note — By default, C10/100 customers are prompted to create only one public listener
during the systemsetup command. Public listeners created on IronPort C10/100 appliances
also include a $RELAYED mail flow policy that is used to relay mail for internal systems.
Managing Sender Groups and Mail Flow Policies via the GUI
The Mail Policies -> Host Access Table -> Overview and Mail Flow Policy pages allow you to
configure a HAT settings for a listener. From these pages, you can:
• See the mapping of sender groups to mail flow policies.
• Create, edit, or delete sender groups.
• Create, edit, or delete mail flow policies.
• Re-order HAT entries for a listener.
Click the Mail Policies tab, and choose Host Access Table -> Overview link. See Figure 5-14.
Choose the listener you want to configure from the Listener: drop-down list.
104
MANAGING SENDER GROUPS AND MAIL FLOW POLICIES VIA THE GUI
From the Host Access Table Overview page, you can add a sender group and edit the mail
flow policies for a listener.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 105
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Type the name of the sender group, select the order in which it will be placed in the list of
sender groups, and a comment (optional) in the fields provided.
3. If you do not know the mail flow policy you would like to apply to this group (or if no mail
flow policies exist yet), then use the default “CONTINUE (no policy)” mail flow policy.
Otherwise, choose a mail flow policy from the drop-down list.
4. Select a SBRS score range and DNS list (optional). You can also mark the checkbox to
include senders for which SBRS has no information. This is referred to as “none” and
generally denotes a suspect.
5. Configure any host DNS verification settings (see “Implementing Sender Verification —
Example Settings” on page 120).
6. Click Submit to save the sender group and return to the Host Access Table page, or... click
Submit and Add Senders to create the group and begin adding senders to it.
7. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
Note
Note — If you attempt to enter duplicate entries (identical domain or IP addresses) in a single
sender group, the duplicates are discarded.
106
MANAGING SENDER GROUPS AND MAIL FLOW POLICIES VIA THE GUI
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 107
IRONPORT ASYNCOS 4.7 USER GUIDE
5. Click Submit.
6. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
Note
Note — Defaults for the policy are “greyed out” while the “Use Default” radio button is
selected. To overwrite the default values, enable the feature or setting by selecting the “On”
radio button and making changes to the now accessible values.
Note
Note — The Custom SMTP Banner Text and Max. Recipients Per Hour text string fields
support the HAT variables discussed in “HAT Variable Syntax” on page 85.
Note
Note — Some parameters depend on certain pre-configurations. (For example, the Directory
Harvest Attack prevention setting requires that you have configured an LDAP Acceptance
Query.)
108
MANAGING SENDER GROUPS AND MAIL FLOW POLICIES VIA THE GUI
Figure 5-18 Add to Sender Group Button on Mail Flow Summary Page
2. Choose the sender group from the list defined for each listener.
3. Click Submit to add the domain (or domains) to the selected sender groups, or click
Cancel.
4. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
Note
Note — When you add a domain to a sender group, two actual domains are listed in the GUI.
For example, if you were adding the domain example.net, on the Add to Sender Group
page, both example.net and .example.net are added. The second entry ensures that any
host in the subdomain of example.net will be added to the sender group. For more
information, see “Sender Group Syntax” on page 92.
Note
Note — If one or more of the senders you are adding to a sender group is a duplicate of a
sender that is already present in that sender group, the duplicate senders will not be added
and you will see a confirmation message.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 109
IRONPORT ASYNCOS 4.7 USER GUIDE
5. Click Save to add the sender and return to the Incoming Mail Overview page.
110
MANAGING SENDER GROUPS AND MAIL FLOW POLICIES VIA THE GUI
Figure 5-20 Creating a Sender Group with SenderBase Reputation Scores (1)
In Figure 5-21, senders with a SenderBase Reputation Score greater than 8.0 bypass the
anti-spam scanning for the listener:
Figure 5-21 Creating a Sender Group with SenderBase Reputation Scores (2)
Note
Note — You can also modify the default policies of the TRUSTED and BLOCKED to include
senders based on SenderBase Reputation Scores using these same parameters. See
“Implementing SenderBase Reputation Filters” on page 207 for more information.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 111
IRONPORT ASYNCOS 4.7 USER GUIDE
6. Click Submit to create the sender group based on SenderBase Reputation Scores.
7. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
Figure 5-22 Host Access Table Using SenderBase Reputation Scores
112
MANAGING SENDER GROUPS AND MAIL FLOW POLICIES VIA THE GUI
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 113
IRONPORT ASYNCOS 4.7 USER GUIDE
M O DI F YI NG TH E HAT F OR A LI S TE NE R VI A T HE G UI
Log in to the Graphical User Interface (GUI) and click the Mail Policies tab. (For information
about how to access the GUI, see “Accessing the GUI” on page 13.) Click the HAT Overview
link in the left menu. The Host Access Table Overview page is displayed:
Figure 5-24 The Host Access Table Overview Page
The Host Access Table Overview shows a listing of the sender groups in the HAT, including
the order, SenderBase Reputation Score range, and associated Mail Flow Policy.
From the Host Access Table Overview, you can:
• Add sender groups to the HAT
• Delete sender groups from the HAT
• Modify existing sender groups
• Change the order of the entries
• Import a HAT (overwrites existing entries) from a file (importing and exporting the HAT is
described below, see “Working with the HAT” on page 115)
• Export the HAT to a file
Once you are editing a sender group, you can:
• Add senders to (and remove senders from) sender groups
• Edit settings for a sender group
For more information about working with Sender Groups, see “Managing Sender Groups and
Mail Flow Policies via the GUI” on page 104.
114
WORKING WITH THE HAT
2. Enter a file name for the exported HAT. This is the name of the file that will be created in
the configuration directory on the appliance.
3. Click Submit.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
Importing a HAT
When you import a HAT, all of the existing HAT entries are removed from the current HAT.
To import a HAT from a file:
1. Click Import HAT... The Import Host Access Table page is displayed:
Figure 5-26 Exporting a HAT
Note
Note — The file to import must be in the configuration directory on the appliance.
3. Click Submit. You will see a warning message, asking you to confirm that you wish to
remove all of the existing HAT entries.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 115
IRONPORT ASYNCOS 4.7 USER GUIDE
4. Click Import.
5. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
You can place “comments” in the file. Lines that begin with a ‘#’ character are considered
comments and are ignored by AsyncOS. For example:
116
SENDER VERIFICATION
SE ND ER VE R I FICA TIO N
Spam and unwanted mail is frequently sent by senders whose domains or IP addresses cannot
be resolved by DNS. DNS verification means that you can get reliable information about
senders and process mail accordingly. Sender verification prior to the SMTP conversation
(connection filtering based on DNS lookups of the sender’s IP address) also helps reduce the
amount of junk email processed through the mail pipeline on the IronPort appliance.
Mail from unverified senders is not automatically discarded. Instead, AsyncOS provides
sender verification settings that allow you to determine how the appliance handles mail from
unverified senders: you can configure your IronPort appliance to automatically block all mail
from unverified senders prior to the SMTP conversation or throttle unverified senders, for
example.
The sender verification feature consists of two components: verification of the connecting
host, which occurs prior to the SMTP conversation, and verification of the domain portion of
the envelope sender, which occurs during the SMTP conversation.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 117
IRONPORT ASYNCOS 4.7 USER GUIDE
used to reject or throttle senders. Enabling host DNS verification on the WHITELIST sender
group, for example, would mean that mail from unverified senders would receive the same
treatment as mail from your trusted senders in your WHITELIST (including bypassing
anti-spam/anti-virus checking, rate limiting, etc., depending on how the mail flow policy is
configured).
118
SENDER VERIFICATION: ENVELOPE SENDER
sending domains that are not verified because they do not exist in DNS. Once that mail is
accepted, messages with malformed MAIL FROMs are rejected with a customizable SMTP
code and response. This occurs during the SMTP conversation.
You can enable envelope sender DNS verification (including the domain exception table) in
the mail flow policy settings for any mail flow policy via the GUI or the CLI
(listenerconfig -> edit -> hostaccess -> <policy>).
Partial Domains, Default Domains, and Malformed MAIL FROMs
If you enable envelope sender verification or disable allowing partial domains in SMTP
Address Parsing options for a listener (see “SMTP Address Parsing Options” in chapter 1 of the
IronPort AsyncOS Advanced User Guide), the default domain settings for that listener will no
longer be used.
These features are mutually exclusive.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 119
IRONPORT ASYNCOS 4.7 USER GUIDE
See “Creating the Sender Verification Exception Table via the GUI” on page 125 for more
information about modifying the exception table.
SUSPECTLIST THROTTLED Connecting host reverse DNS lookup (PTR) does not match the
forward DNS lookup (A).
120
IMPLEMENTING SENDER VERIFICATION — EXAMPLE SETTINGS
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 121
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — You can also configure host DNS verification via the CLI. See “Enabling Host DNS
Verification via the CLI” on page 127 for more information.
122
IMPLEMENTING SENDER VERIFICATION — EXAMPLE SETTINGS
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 123
IRONPORT ASYNCOS 4.7 USER GUIDE
For the next step, configure the ACCEPTED mail flow policy to handle unverified senders.
124
IMPLEMENTING SENDER VERIFICATION — EXAMPLE SETTINGS
3. Select On to enable envelope sender DNS verification for this mail flow policy.
4. You may also define custom SMTP code and responses.
5. Enable the domain exception table by selecting On for “Use Domain Exception Table.”
6. Click Submit.
7. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
And for the last step, create the sender verification exception table to list exceptions to the
sender verification settings.
2. Enter an email address. You can enter a specific address (pres@whitehouse.gov), a name
(user@), a domain (@example.com or @.example.com), or an address with a bracketed IP
address (user@[192.168.23.1]).
3. Specify whether to allow or reject messages from the address. When rejecting mail, you
can also specify an SMTP code and custom response.
4. Click Submit.
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish adding the address to the exception table.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 125
IRONPORT ASYNCOS 4.7 USER GUIDE
2. If the address matches any of the entries in the table, the first matching entry is displayed:
Figure 5-36 Listing Matching Entries in the Exception Table
126
ENABLING HOST DNS VERIFICATION VIA THE CLI
Note — If you have configured your IronPort appliance to use a default domain or to
Note
specifically allow partial domains when sending or receiving email or if you have enabled
address parsing (see Chapter 1, “Configuring Listeners” in the IronPort AsyncOS Advanced
User Guide) you may not be able to create, send, and receive an email with a missing or
malformed domain.
Note that the SMTP code and response is the one you configured for the envelope sender
verification settings for the THROTTLED mail flow policy.
If you remove that email address from the sender verification exception table, mail from that
sender will be rejected because the domain portion of the envelope sender is not DNS
verified.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 127
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 5-15 shows the types of unverified senders and the corresponding CLI setting:
Connecting host PTR record does not exist in the DNS. nx.domain
Connecting host PTR record lookup fails due to temporary DNS serv.fail
failure.
Connecting host reverse DNS lookup (PTR) does not match the not.double.verified
forward DNS lookup (A)
128
ACCEPTING EMAIL FOR LOCAL DOMAINS OR SPECIFIC USERS ON PUBLIC LISTENERS (RAT)
A C CE P TI NG E M A I L F OR L O C A L D OM A I NS O R SP E CI FI C U SE R S ON P U BL I C
L I S T E N E R S ( R AT )
When you create a public listener, you define all local domains that the appliance will accept
messages for using the Recipient Access Table (RAT). Many enterprise gateways are
configured to receive messages for several local domains. For example, suppose your
company changed its name. You would need to receive email messages for recipients
addressed to currentcompanyname.com and oldcompanyname.com. In this case, both
local domains would be included in the RAT for your public listener. (Note: the Domain Map
feature can map messages from one domain to another. See “The Domain Map Feature” in
chapter 2 of the IronPort AsyncOS Advanced User Guide.)
Note
Note — If you have completed System Setup Wizard or the systemsetup command and
issued the commit command, one public listener should already be configured on your
appliance. (Refer to the settings you entered for: “Step 3: Network” on page 40.) The default
local domains or specific addresses to accept mail that you entered at that time were the first
entries in the RAT for that public listener.
Rules
The RAT has two basic actions that it performs on recipients as they communicate in the
SMTP conversation:
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 129
IRONPORT ASYNCOS 4.7 USER GUIDE
Defining Recipients
The RAT allows you to define a recipient or group of recipients. Recipients can be defined by
full email address, domain, partial domain, or username:
Note
Note — When you add a domain to the Recipient Access Table in step 4 of the System Setup
Wizard in the GUI (see “Step 3: Network” on page 40), you might want to consider adding a
second entry to specify subdomains. For example, if you type the domain example.net, you
might also want to enter .example.net. The second entry ensures that mail destined for any
subdomain of example.net will match in the Recipient Access Table. Note that only
specifying .example.com in the RAT will accept for all subdomains of .example.com but
will not accept mail for complete email address recipients without a subdomain (for example
joe@example.com).
130
RECIPIENT ACCESS TABLE (RAT)
To specify certain recipients to bypass receiving control via the CLI, answer yes to the
following question when you enter recipients using the listenerconfig -> edit ->
rcptaccess command:
Would you like to bypass receiving control for this entry? [N]> y
ALL REJECT
In the Recipient Access Table Overview listing, the default entry is named “All Other
Recipients.”
Note
Note — By default, the RAT rejects all recipients so that you do not accidentally create an
open relay on the Internet. An open relay (sometimes called an “insecure relay” or a “third-
party” relay) is an SMTP email server that allows third-party relay of email messages. By
processing mail that is neither for — nor from — a local user, an open relay makes it possible
for an unscrupulous sender to route large volumes of spam through your gateway. Use
caution when changing the default values of Recipient Access Tables for public listeners you
create.
You can not delete the default “ALL” entry from the RAT.
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 131
IRONPORT ASYNCOS 4.7 USER GUIDE
M O DI F YI NG TH E RAT F OR A LI S TE NE R VI A T HE G UI
Log in to the Graphical User Interface (GUI) and click the Mail Policies tab. (For information
about how to access the GUI, see “Accessing the GUI” on page 13.) Click the Recipient
Access Table link in the left menu. The Recipient Access Table Overview page is displayed:
Figure 5-38 The Recipient Access Table Overview Page
The Recipient Access Table Overview shows a listing of the entries in your RAT, including the
order, default action, and whether or not the entry has a custom SMTP response or if receiving
control has been bypassed for the entry.
From the Recipient Access Table Overview, you can:
• Add entries to the RAT
• Delete entries from the RAT
• Modify existing RAT entries
• Change the order of the entries
• Import RAT entries (overwrites existing entries) from a file
• Export RAT entries to a file
The RAT can be edited directly from the Command Line Interface (CLI). To customize a RAT
for a listener you have defined, use the edit -> rcptaccess -> new subcommands of the
listenerconfig command to add accepted local domains to the RAT for each public
listener you configure. See the IronPort AsyncOS CLI Reference Guide for more information.
132
DELETING RAT ENTRIES
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 133
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Enter a file name for the exported entries. This is the name of the file that will be created in
the configuration directory on the appliance.
134
IMPORTING RAT ENTRIES
3. Click Submit.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
Note
Note — The file to import must be in the configuration directory on the appliance.
3. Click Submit. You will see a warning message, asking you to confirm that you wish to
remove all of the existing RAT entries.
4. Click Import.
5. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
You can place “comments” in the file. Lines that begin with a ‘#’ character are considered
comments and are ignored by AsyncOS. For example:
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 135
IRONPORT ASYNCOS 4.7 USER GUIDE
SMTP
Public Listener: InboundMail
Host Access Table (HAT):
WHITELIST: $TRUSTED
BLACKLIST: $BLOCKED
SUSPECTLIST: $THROTTLED
UNKNOWNLIST: $ACCEPTED
spamdomain.com REJECT
.spamdomain.com REJECT
251.192.1. TCPREFUSE Note: This public listener’s RAT was
169.254.10.10 RELAY modified to accept connections for the
ALL: $ACCEPTED domain newcompanyname.com. A
custom SMTP response was also created.
Recipient Access Table (RAT):
example.com ACCEPT
newcompanyname.com ACCEPT
ALL REJECT
IronPort Email
Security appliance
136
IMPORTING RAT ENTRIES
Figure 5-44 expands the illustration shown in Figure 5-4 to include the processing sequence
of a listener’s HAT and (if applicable) RAT, and the default values for each.
Figure 5-44 Public and Private Listeners
Internet:
Hosts: Many
Recipients: Limited
Public Listener
IronPort Email
Security appliance
Private Listener
Internal Network:
Hosts: Limited
Recipients: Many
C H A P T E R 5 : C O N F I G U R I N G T H E G A T E W A Y T O R E C E I V E E M A I L 137
IRONPORT ASYNCOS 4.7 USER GUIDE
138
6
CHAPTER
The Mail Flow Monitor feature on the IronPort appliance is a powerful, web-based console
that provides complete visibility into all inbound email traffic for your enterprise.
The Host Access Tables (HATs) of public listeners — which match specific sender groups to
mail flow policies — provide the underlying framework that makes the Mail Flow Monitor
feature possible.
The Mail Flow Monitor database integrates tightly into the system, collecting data from every
step in the email delivery process including reputation filtering, anti-spam and anti-virus
scanning, policy enforcement, and message delivery. The database identifies and records each
email sender by IP address, while interfacing with the SenderBase Reputation Service for real-
time identity information. You can instantly report on any email sender’s local mail flow
history and show a profile that includes the sender’s global record on the Internet. The Mail
Flow Monitor feature allows your security team to “close the loop” on who is sending mail to
your users.
This chapter explains how to:
• Access the Mail Flow Monitor feature to monitor inbound message flow.
• Make mail flow policy decisions (update whitelists, blacklists, and greylists) by querying
for a sender’s SenderBase Reputation Score (SBRS).
This chapter contains the following sections:
• “Mail Flow Monitor Overview” on page 140
• “Mail Flow Monitor Pages” on page 141
• “Example of Mail Flow Monitoring” on page 159
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 139
IRONPORT ASYNCOS 4.7 USER GUIDE
M A I L F L O W M O N I T O R O V E R V IEW
For any given email sender, the Mail Flow Monitor database captures critical parameters such
as:
• Message volume
• Connection history
• Accepted vs. rejected connections
• Acceptance rates and throttle limits
• Reputation filter matches
• Number of anti-spam messages for suspected spam and positively identified spam
• Number of virus-positive message detected by Sophos Anti-Virus scanning
See Chapter 9, “Anti-Spam,” for more information on Anti-Spam scanning. See Chapter 10,
“Anti-Virus,” for more information on Sophos Anti-Spam scanning.
Available in the GUI only, the Mail Flow Monitor feature provides a view into your email
traffic and the status of your IronPort appliance (including quarantines, work queues, and
virus outbreaks). The appliance identifies when a sender falls outside of the normal traffic
profile. Senders that do are highlighted in the interface, allowing you to take corrective action
by assigning that sender to a sender group or refining the access profile of the sender, or you
can let AsyncOS’s security services continue to react and respond. Outbound mail has a
similar monitoring capability, providing you a view into the top domains in the mail queue
and the status of receiving hosts (see “Outgoing Mail Details Page” on page 423).
Note
Note — Information for messages present in the work queue when the appliance is rebooted
is not reported by Mail Flow Monitor.
140
MAIL FLOW MONITOR PAGES
M A I L F L O W M O N I T O R PA G E S
The Mail Flow Monitor feature is the first page displayed after you access the GUI. To view the
Mail Flow Monitor feature, access the GUI. (See “Accessing the GUI” on page 13.) The
Overview page on the Monitor tab is displayed. If you have completed the GUI’s System
Setup Wizard (or the CLI systemsetup command) and committed the changes, at least one
public listener should already be configured to accept email on your appliance. If the
appliance is accepting email, the Overview page will be populated with data.
The following pages in the GUI comprise the Mail Flow Monitor feature:
• Monitor -> Overview
• Monitor -> Incoming Mail, including “profile” pages
You use these pages in the GUI to monitor hosts that are connecting to the IronPort
appliance’s public listeners. You can monitor, sort, analyze, and classify the “mail flow” of
your appliance and differentiate between high-volume senders of legitimate mail and
potential “spammers” (senders of high-volume, unsolicited commercial email) or virus
senders. These pages can also help you troubleshoot inbound connections to the system
(including important information such as SBRS score and most recent sender group match for
domains).
These pages help you classify mail relative to the appliance itself, and also relative to the
services that exist beyond the scope of the gateway: the IronPort SenderBase Reputation
Service, the Symantec Brightmail Anti-Spam scanning security service, and the Sophos
Anti-Virus scanning security service.
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 141
IRONPORT ASYNCOS 4.7 USER GUIDE
• See detailed statistics on domains who have sent mail to you, including the number of
attempted messages broken down by security service (reputation filtering, anti-spam,
anti-virus, etc.).
• View the status of system quarantines.
• See current virus outbreak information based on information available at the IronPort
Threat Operations Center (TOC).
• Sort by senders who have sent you a high percentage of spam or virus email, as
determined by IronPort or Symantec Brightmail Anti-Spam and Sophos Anti-Virus security
services.
The Overview page is divided into two sections: System Overview and Incoming Mail
Overview.
System Overview
The System Overview section of the Overview page serves as a system dashboard, providing
details about the appliance including system and work queue status, quarantine status, and
virus outbreak activity.
Figure 6-1 System Overview Section of the Mail Flow Monitor’s Overview Page
Status
This section provides a quick overview of the current state of the appliance and inbound mail
processing.
System Status: One of the following states:
• Online
• Resource Conservation
• Delivery Suspended
• Receiving Suspended
• Work Queue Paused
• Offline
142
THE OVERVIEW PAGE
See the Managing and Monitoring chapter in the IronPort AsyncOS Advanced User Guide
for more information.
Incoming Messages: The average rate of incoming mail per hour. This projection is based on
the number of incoming messages for the last 15 minutes (so if you have received 4 messages
in the last 15 minutes, the hourly rate would be 16).
Work Queue: The number of messages awaiting processing in the work queue.
Click the System Status Details link to navigate to the System Status page.
System Quarantines
This section displays information about the top three quarantines by disk usage on the
appliance, including the name of the quarantine, how full the quarantine is (disk space), and
the number of messages currently in the quarantine.
Click the Quarantines link to navigate to the Quarantines page.
Virus Threat Level
This section shows the Virus Outbreak status as reported by the IronPort Threat Operations
Center (TOC). For example, Figure 6-1 shows that a virus outbreak has been identified in the
last 24 hours. Also shown is the status of the Outbreak quarantine, including how full it is
(disk space) and the number of messages in the quarantine. The Outbreak quarantine is only
displayed if you have enabled the Virus Outbreak Filters feature on your appliance.
Note
Note — In order for the Virus Threat Level indicator to function, you need to have port 80
open on your firewall to “downloads.ironport.com.” Alternatively, if you have specified a
local update server, the Virus Threat Level indicator will attempt to use that address. The Virus
Threat Level indicator will also update correctly if you have configured a proxy for downloads
via the Service Updates page. For more information, see “Service Updates” on page 485.
Click the Outbreak Details link to view the external IronPort TOC web site. Note that in order
for this link to work your IronPort appliance must be able to reach the Internet. Note that the
Separate Window icon ( ) indicates that a link will open a separate window when clicked.
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 143
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 6-2 Incoming Mail Overview Section of the Mail Flow Monitor’s Overview Page
The mail trend graph (left side, Figure 6-2) shows the breakdown of incoming mail in real
time, including:
Stopped by Reputation Filtering: All connections blocked by HAT policies multiplied by a
fixed multiplier (see “Notes on Counting Messages in Mail Flow Monitor” on page 145) plus
all recipients blocked by recipient throttling.
Invalid Recipient: All recipients rejected by conversational LDAP rejection plus all RAT
rejections.
Spam Messages Detected: The total count of messages detected by the anti-spam scanning
engine as positive or suspect and also those that were both spam and virus positive.
Virus Messages Detected: The total count and percentage of messages detected as virus
positive and not also spam.
Clean Messages Accepted: Mail that is accepted and is deemed to be virus and spam free —
the most accurate representation of clean messages accepted when taking per-recipient
scanning actions into account. However, because messages that are marked as spam or virus
positive and still delivered are not counted, the actual number of messages delivered may
differ from the clean message count.
You can select the time frame for the mail trend graph and summary table via the Time Range
menu. You can select the Past Hour, Past Day, Past Week, or Past Month.
While the mail trend graph displays a visual representation of the mail flow, the summary
table (right side, Figure 6-2) provides a numeric breakdown of the same information. The
summary table includes the percentage and actual number of each type of message, including
the total number of attempted, threat, and clean messages.
144
THE OVERVIEW PAGE
Table 6-1 Time Ranges Defined in the Mail Flow Monitor Feature
Note
Note — Totals for each of the following items are displayed in the “Total (All Senders)” row.
The totals includes all data collected from the Mail Flow Monitor feature, and not just the
domains (top 20, 50, 100) listed on the page.
The Sender Detail listing has two views, Basic and Advanced.
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 145
IRONPORT ASYNCOS 4.7 USER GUIDE
The Basic view shows the total number of attempted messages for each sending domain, and
includes a breakdown by category (the same categories as the Mail Trend graph: number of
clean messages, stopped by reputation filtering, invalid recipients, spam detected, and virus
detected).
The Advanced view shows the connection information (Accepted, Rejected) for senders as
well as the breakdown by category, with the Spam column expanded to show Spam Positive
and Suspect Spam.
Sort the listing by clicking the column header links. The sorting is retained when you switch
between the basic and advanced views, regardless of whether or not the sorted column exists
in both views. In other words, if you sort the basic listing by “Attempted” and then switch to
the advanced view, the data will retain its sorting.
The following data are summarized in the advanced view of the Sender Details table:
Connections Rejected: All connections blocked by HAT policies
Connections Accepted: All connections accepted
Recipients Throttled: All recipients rejected by recipient throttling
Recipients Invalid: Total recipients rejected — recipients throttled
Spam Positive: Total count of messages detected as positive spam by an enabled anti-spam
scanning engine
Spam Suspect: Same for suspect spam
Virus: Total count of all messages detected as virus (messages detected as both spam and virus
positive are included in the Spam Messages Detected category, not in the Virus category.)
Clean Messages: number of recipients accepted minus: spam positive plus spam suspect plus
virus positive (and not also spam positive)
“No Domain Information”
Hosts which have connected to the appliance and could not be verified with a double-DNS
lookup are automatically grouped into the special domain “No Domain Information.” You
can control how these types of unverified hosts are managed via Sender Verification. See
“Sender Verification” on page 117.
You can select the number of domains to show in the listing via the Domains Displayed
menu.
The key at the bottom of the listing shows the meanings of the various colors of rows:
• Yellow shading indicates that data for the sender is not falling within expected bounds.
• No shading (white) indicates that data for the sender is falling within expected bounds.
• Total rows are indicated by the darker beige shading.
146
THE OVERVIEW PAGE
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 147
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 6-4 Sender Details Section of the Mail Flow Monitor’s Overview Page
You can also add a sender to a sender group by selecting the check box next to the sender and
clicking Add to Sender Group. For more information about adding senders to sender groups,
see “Adding a Sender to a Sender Group” on page 108. Of course, you do not have to make
any changes — you can let the security services handle incoming mail.
148
INCOMING MAIL PAGE
Group” on page 108. You can perform a Sender Profile search on IP addresses, domains, or
organizations that have sent mail to you.
The Incoming Mail page is available via the Monitor tab in the GUI.
On the Incoming Mail pages, you can:
• Perform a search on IP addresses, domains, or organizations that have sent mail to you.
• Access a quick report on domains by recipient received.
• View standard and customized reports about the mail flowing into your gateway.
• Add specific senders to the predefined mail flow policies and sender groups (if necessary).
• Use the IronPort SenderBase Reputation service to drill down on and examine the
relationship between specific IP addresses, domains, and organizations to obtain more
information about a sender.
• Drill down on specific domains to obtain more information about a sender from the
IronPort SenderBase Reputation Service, including a sender’s SenderBase Reputation
Score and which sender group the domain matched most recently.
• Drill down on a specific sender who sent a high percentage of spam or virus email, as
determined by the IronPort or Symantec Brightmail Anti-Spam and Sophos Anti-Virus
security services.
Host Access Table Pages Overview and the Mail Flow Monitor Feature
The Incoming Mail and Profile pages provide multiple links to the Host Access Table pages in
the Mail Policies tab. The Mail Flow Monitor feature provides a seamless link between
monitoring and configuration of the appliance.
The Host Access Table -> Overview and Mail Policies pages are the GUI editor for a listener’s
Host Access Table (HAT). (For more information about the Host Access Table, see “The Host
Access Table (HAT): Sender Groups and Mail Flow Policies” on page 80.)
On the Host Access Table pages, you can:
• Edit (add, delete, modify, and re-arrange) entries in the HAT for a listener.
• Edit or create new sender groups.
• Edit or create new mail flow policies.
For more information about working with HAT entries and sender groups, see “Managing
Sender Groups and Mail Flow Policies via the GUI” on page 104.
Standard Reports
To view a standard report:
1. Choose one of the following four standard reports from the list:
• Top IP Addresses by recipients blocked over the past day
• Top domains by recipients blocked over the past day
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 149
IRONPORT ASYNCOS 4.7 USER GUIDE
Custom Reports
You can also create your own reports. To create a custom report:
1. Select Custom to select custom reports.
Figure 6-5 Custom Reports via the Incoming Mail Details Page
150
INCOMING MAIL PAGE
Note
Note — Totals for each of the following items are displayed in the “Total (All Senders)” row.
The totals includes all data collected from the Mail Flow Monitor feature, and not just the top
20 domains listed on the page.
The following data are summarized in the Mail Flow Monitor table:
Recipients Received: The number of RCPT TO commands to which the appliance has replied
“250 recipient OK” is defined as the number of Recipients Received.
Percent Change in Recipients Received: Today’s recipients received divided by the previous
30-day average. Today’s recipients are included in calculating the previous 30-day average.
(See Table 6-1 above.) If the appliance has been monitoring data for less than 30 days, the
average is calculated only for the number of days that data is available. If the denominator is
zero (0), the result is “N/A.” For Example:
0 10 -100%
0 0 N/A
10 10 0%
20 10 100%
10 20 -50%
100 10 900%
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 151
IRONPORT ASYNCOS 4.7 USER GUIDE
Unclassified Recipients: “Unclassified recipients” are defined as those recipients that were
sent from remote hosts that did not specifically match a specific sender group, but instead
matched the ALL sender group. For example, you could classify only three of the five IP
addresses that belong to a domain, and so recipients sent from connections made by the other
two IP addresses would be considered unclassified recipients.
Recipients Blocked by Rate Limit: This value is defined as the sum of all recipients blocked by
a defined mail flow policy that has rate limiting enabled: the maximum number of messages
per session, the maximum number of recipients per message, the maximum message size, the
rate limiting maximum recipients per hour, and/or the maximum number of concurrent
connections that you defined in a mail flow policy of a listener’s HAT.
Percent anti-spam messages with a positive verdict; and percent anti-spam messages with a
suspected verdict: If anti-spam scanning has been enabled, the values in these columns are
defined as the percentage of messages received from the domain that the anti-spam scanning
engine has positively identified as being spam, and suspected as being spam, respectively.
(See “Suspected Spam Threshold” on page 239.)
Virus Positive: If Sophos Anti-Virus has been enabled, the value in this column is defined as
the number of messages received from the domain that Sophos Anti-Virus has identified as
containing a virus.
Connections Rejected: This value is defined as the number of connection attempts by the
domain that the appliance rejected.
Highlighted Rows in the Incoming Mail Listing
Rows in the Incoming Mail listing are highlighted in the same was as the Overview page:
• Yellow shading indicates that data for the sender is not falling within expected bounds.
• No shading (white) indicates that data for the sender is falling within expected bounds.
• Total rows are indicated by the darker beige shading.
Rows in the Incoming Mail and Profile listings are highlighted (that is, the background cells
turn to yellow) when:
• The percentage change in recipients received exceeds 200%
• Blocked by rate limit exceeds 25% of the sum of the number of recipients received and
recipients blocked
• Spam Positive percentage is greater than 50%
• Spam Suspect percentage is greater than 10%
• Virus Positive percentage is greater than 15%
• The SenderBase Reputation Score (SBRS) is less than or equal to -8.0
The value in the cell (or cells) which caused the row to be highlighted is shown in bold so you
can easily determine the reason for the row highlighting.
152
INCOMING MAIL PAGE
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 153
IRONPORT ASYNCOS 4.7 USER GUIDE
• A Recipients Over Time graph of mail from the IP address, domain, or network owner for
the time range specified.
• The Global information from the SenderBase Reputation Service, including:
• IP Address, Domain Name, and/or Network Owner
• Network Owner Category (Network Owner Only)
• CIDR Range (IP addresses only)
• Daily Magnitude and Monthly Magnitude for the IP address, Domain, and/or
Network Owner
Daily magnitude is a measure of how many messages a domain has sent over the last 24
hours. Similar to the Richter scale used to measure earthquakes, SenderBase magnitude is
a measure of message volume calculated using a log scale with a base of 10. The
maximum theoretical value of the scale is set to 10, which equates to 100% of the world's
email message volume (approximately 10 billion messages/day). Using the log scale, a
one-point increase in magnitude equates to a 10x increase in actual volume.
Monthly magnitude is calculated using the same approach as daily magnitude, except the
percentages are calculated based on the volume of email sent over the last 30 days.
• Average Magnitude (IP addresses only)
• Lifetime Volume / 30 Day Volume (IP address profile pages only)
• Bonded Sender Status (IP address profile pages only)
• SenderBase Reputation Score (IP address profile pages only)
• Days Since First Message (network owner and domain profile pages only)
• Number of Domains Associated with this Network Owner (network owner and
domain profile pages only)
• Number of IP Addresses in this Network Owner (network owner and domain
profile pages only)
• Number of IP Addresses used to Send Email (network owner pages only)
Click the “More from SenderBase” link to see a page with all information supplied by the
SenderBase Reputation Service.
• The Mail Flow Statistics information, with Mail Flow Monitor information collected about
the sender over the last hour, day, week, month, and year.
• Details about the domains and IP addresses controlled by this network owner are
displayed on network owner profile pages. Details about the IP addresses in the domain
are displayed on domain pages.
From a domain profile page, you can drill down to a specific IP address, or drill up to view an
organization profile page.
154
INCOMING MAIL PAGE
If you are an administrator of the system, on each of these pages, you can choose to add the
network owner, domain, or IP address to a sender group by clicking the check box for the
entity (if necessary) and then clicking Add to Sender Group.
Sender Profile Search
Type an IP address, a domain, or an organization name in the Quick Search box to search for
a specific sender.
A details (“profile”) page is displayed with the information. See “Reporting Pages Populated
with Data: Profile Pages” on page 153.
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 155
IRONPORT ASYNCOS 4.7 USER GUIDE
156
INCOMING MAIL PAGE
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 157
IRONPORT ASYNCOS 4.7 USER GUIDE
158
EXAMPLE OF MAIL FLOW MONITORING
E X A M P L E OF M A I L F L O W M O NI T OR IN G
Typically, you can let AsyncOS’s security services handle highlighted senders, especially
when using reputation filtering (SBRS). However, you may occasionally want to classify
senders via sender groups. The following steps show an example of how the Mail Flow
Monitoring feature can be used to classify trusted senders using sender groups.
1. To begin, imagine that the Incoming Mail Overview page shows the following highlighted
sender.
Figure 6-10 Mail Flow Monitor Example: Screen 1
2. To find more detail on the first sender, click the domain name
newpartner.com. The following detail page is shown:
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 159
IRONPORT ASYNCOS 4.7 USER GUIDE
160
EXAMPLE OF MAIL FLOW MONITORING
• The details for the two IP addresses used to send mail most recently have
SenderBase Reputation Scores of 3.6 and 3.4.
This data confirms that the new partner, NewPartner.com, is sending spam free mail, and
also that some mail from that domain is being throttled. Based on this data, email from
this sender should bypass anti-spam and reputation filtering. One approach would be to
add the sender “newpartner.com” to the WHITELIST sender group.
4. In the Domain Details section of this page, click Add to Sender Group... to add this
domain to the previously-defined sender group WHITELIST.
Figure 6-12 Mail Flow Monitor Example: Screen 3
Note
Note — When you add a domain to a sender group, two actual domains are listed in the GUI.
For example, if you were adding the domain newpartner.com, on the Add to Sender Group
page, both newpartner.com and .newpartner.com are added. The second entry ensures
that any host in the subdomain of newpartner.com will be added to the sender group. For
more information, see “Sender Group Syntax” on page 92.
6. To see the updated details for the WHITELIST sender group is displayed, click Mail
Policies -> Host Access Table -> HAT Overview to display the Host Access Table page.
Choose the public listener and then click WHITELIST to display the Sender Group page
for the WHITELIST sender group. The domain newpartner.com is the first two entries in
the sender group.
Summary
When a sender falls outside of the normal traffic profile, you can let AsyncOS’s powerful
security services handle things, or take corrective action by assigning that sender to a sender
group or refining the access profile of the sender.
You can use the predefined mail flow policies to classify the mail for your entire enterprise in
a similar fashion. You can edit parameters in the predefined mail flow policies to tailor your
configuration, and you can also edit or create as many new sender groups as necessary.
C H A P T E R 6 : U S I N G M A I L F L O W M O N I T O R 161
IRONPORT ASYNCOS 4.7 USER GUIDE
The SenderBase Reputation Service provides data about the sender’s reputation to help you
choose an appropriate policy to apply to the sender. The anti-spam scanning engine helps
identify senders of unsolicited bulk email. Combined with the simple, yet powerful, syntax of
the HAT, you can:
• Create mail flow policies to fit the needs of your business.
• Assign senders to mail flow policies.
• Allow the system to intelligently assign unknown senders to policies using SenderBase
Reputation Service.
• Gather more information about the relationship between IP addresses, domains, and
network owners so that you can target the correct entity when assigning senders to mail
flow policies.
162
7
CHAPTER
Email Security Manager is a single, comprehensive dashboard to manage all email security
services and applications on IronPort appliances. Prior to this release, the anti-spam and anti-
virus settings were configured on a per-listener basis — meaning the policy was applied based
on the receiving listener of an IP address, and not based on the recipient or sender of the
message. Chapter 5, “Configuring the Gateway to Receive Email,” describes how to create
and configure listeners.
Email Security Manager allows you to manage the Virus Outbreak Filters feature, anti-spam,
anti-virus, and email content policies — on a per-recipient or per-sender basis, through
distinct inbound and outbound policies.
Through the Mail Policies tab in the GUI (or the policyconfig command in the CLI), you
create and manage incoming or outgoing mail policies. Mail policies are defined as a specific
set of users (Envelope Recipients, Envelope Sender, From: header, or Reply-To: header) that
map to specific settings for the following features:
• Anti-Spam Scanning
• Anti-Virus Scanning
• Virus Outbreak Filters
• Content Filters
Users can be defined by email address, email domains, or LDAP group queries.
This chapter contains the following sections:
• “Overview of User-Based Policies” on page 164
• “Content Filters Overview” on page 170
• “Practical Example (GUI)” on page 177
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 163
IRONPORT ASYNCOS 4.7 USER GUIDE
OV E R V IEW O F U SE R- B A SE D POL I C IE S
User-based policies in Email Security Manager are designed to allow you to create the
policies that satisfy the different and sometimes disparate security needs of all users within
your organization.
For example, using this feature, you can quickly create policies to enforce the following
conditions:
• Disable IronPort Anti-Spam scanning for all email to the Sales organization. Enable it for
the Engineering organization with a moderate policy: tag the subject lines of suspected
spam, and drop positively identified spam. For the Human Resources organization, enable
Symantec Brightmail Anti-Spam scanning with an aggressive policy: quarantine suspected
spam messages, and drop positively identified spam.
• Drop dangerous executable attachments for all users except those in the System
Administrator group.
• Scan and attempt to repair viruses in messages destined for the Engineering organization,
but drop infected attachments for all messages sent to the address jobs@example.com.
• Scan all outgoing messages for the word “Confidential” and words that match terms in the
special code name dictionary. If a message matches, send a blind-carbon copy to the
Legal department.
• If an incoming message contains an MP3 attachment, quarantine the message and send a
message to the intended recipient with instructions for calling the Network Operations
Center to retrieve the message. Expire such messages after 10 days.
• Include a footer to all outgoing mail from the Executive Staff with the company’s newest
tag line, but include a different “forward-looking statements” disclaimer footer to all
outgoing mail from the Public Relations organization.
• Enable the Virus Outbreak Filters feature for all incoming messages, but bypass scanning
for messages with attachments whose file extension is .dwg.
Note
Note — Content dictionaries, footers, and notification templates must be created before they
can be referenced by content filters. For more information, see “Text Resources” on page 327.
164
POLICY MATCHING
Note — In certain installations, “internal” mail being routed through the IronPort appliance
Note
will be considered outgoing, even if all the recipients are addressed to internal addresses. For
example, by default for IronPort C10/100 customers, the system setup wizard will configure
only one physical Ethernet port with one listener for receiving inbound email and relaying
outbound email.
For many configurations, you can think of the incoming table as Public, while the Outgoing
table is Private, although both could be used by a single listener. The policy table used on a
particular message is not dependant on the direction of the message, with respect to sender or
recipient addresses, out to the internet or in to an intranet.
You manage these tables using the Mail Policies -> Incoming Mail Policies or Outgoing Mail
Policies pages in the GUI, or the policyconfig command in the CLI.
Figure 7-1 Email Security Manager Tables
Policy Matching
As incoming messages are received by listeners on the system, each message recipient
matches a policy in one of the tables, regardless of the number of listeners configured on the
system. Matches are based on either the recipient’s address or the sender’s address:
• Recipient address matches the Envelope Recipient address
• Sender address matches:
• Envelope Sender (RFC821 MAIL FROM address)
• Address found in the RFC822 From: header
• Address found in the RFC822 Reply-To: header
Addresses may be matched on either a full email address, user, domain, or partial domain,
and addresses may also match LDAP group membership.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 165
IRONPORT ASYNCOS 4.7 USER GUIDE
166
MESSAGE SPLINTERING
Example 1
A message from sender bill@lawfirm.com sent to recipient jim@example.com will match
policy #2, because the user description that matches the sender (@lawfirm.com) appears
sooner in the table than the user description that matches the recipient (jim@).
Example 2
Sender joe@yahoo.com sends an incoming message with three recipients:
john@example.com, jane@newdomain.com, and bill@example.com. The message for
recipient jane@newdomain.com will receive the anti-spam, anti-virus, virus outbreak filters,
and content filters defined in policy #3, while the message for recipient john@example.com
will receive the settings defined in policy #5. Because the recipient bill@example.com does
not match the engineering LDAP query, the message will receive the settings defined by the
default policy. This example shows how messages with multiple recipients can incur message
splintering. See “Message Splintering” on page 167 for more information.
Example 3
Sender bill@lawfirm.com sends a message to recipients ann@example.com and
larry@example.com. The recipient ann@example.com will receive the anti-spam,
anti-virus, virus outbreak filters, and content filters defined in policy #1, and the recipient
larry@example.com will receive the anti-spam, anti-virus, virus outbreak filters, and
content filters defined in policy #2, because the sender (@lawfirm.com) appears sooner in
the table than the user description that matches the recipient (jim@).
Message Splintering
Intelligent message splintering (by matching policy) is the mechanism that allows for differing
recipient-based policies to be applied independently to message with multiple recipients.
Each recipient is evaluated for each policy in the appropriate Email Security Manager table
(incoming or outgoing) in a top-down fashion.
Each policy that matches a message creates a new message with those recipients. This process
is defined as message splintering:
• If some recipients match different policies, the recipients are grouped according to the
policies they matched, the message is split into a number of messages equal to the
number of policies that matched, and the recipients are set to each appropriate “splinter.”
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 167
IRONPORT ASYNCOS 4.7 USER GUIDE
• If all recipients match the same policy, the message is not splintered. Conversely, a
maximum splintering scenario would be one in which a single message is splintered for
each message recipient.
• Each message splinter is then processed by anti-spam, anti-virus, Virus Outbreak Filters,
and content filters independently in the email pipeline.
Figure 7-2 illustrates the point at which messages are splintered in the email pipeline.
Figure 7-2 Message Splintering in the Email Pipeline
Message Filters
(filters) ↓ message for all recipients
Note
Note — New MIDs (message IDs) are created for each message splinter (for example, MID 1
becomes MID 2 and MID 3). For more information, see the “Logging” chapter in the IronPort
AsyncOS Advanced User Guide. In addition, the trace function shows which policies cause a
message to be split.
Policy matching and message splintering in Email Security Manager policies obviously affect
how you manage the message processing available on the appliance.
Managed Exceptions
Because the iterative processing of each splinter message impacts performance, IronPort
recommends using the Incoming and Outgoing Mail Policies tables of Email Security
Manager to configure policies on a managed exception basis. In other words, evaluate your
organization’s needs and try to configure the feature so that the majority of messages will be
handled by the default policy and the minority of messages will be handled by a few
additional “exception” policies. In this manner, message splintering will be minimized and
168
CONTENTS OF POLICIES
you are less likely to impact system performance from the processing of each splinter message
in the work queue.
Contents of Policies
Email Security Manager tables match incoming or outgoing messages for specific groups of
users (Envelope Recipients, Envelope Sender, From: header, or Reply-To: header) and map
them to specific settings for the following features:
• Anti-Spam Scanning — These settings are the same settings as per-listener settings in
previous releases of AsyncOS. See Chapter 9, “Anti-Spam,” for more information.
• Anti-Virus Scanning — These settings are the same settings as per-listener settings in
previous releases of AsyncOS. See Chapter 10, “Anti-Virus,” for more information.
• Content Filters — See “Content Filters Overview” on page 170 for more information.
• Virus Outbreak Filters
IronPort’s Virus Outbreak Filters feature is a predictive security service that provides a
“first line of defense” against new virus outbreaks by quarantining suspicious messages
until traditional anti-virus security services can be updated with a new virus signature file.
You can enable or disable Virus Outbreak filters for given recipients, and also define the
file types that will bypass the Virus Outbreak Filters feature in Email Security Manager. See
Chapter 11, “The Virus Outbreak Filters Feature,” for more information.
Figure 7-3 illustrates the Email Security Manager in the GUI that maps users defined in a
policy to specific Anti-Spam, Anti-Virus, Virus Outbreak Filter, and Content Filters settings.
Figure 7-3 Summary of Email Security Manager Policies in the GUI
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 169
IRONPORT ASYNCOS 4.7 USER GUIDE
CO N TE NT F I L TE R S O VE R V I EW
Email Security Manager policies allow you to create content filters to be applied to messages
on a per-recipient or per-sender basis. Content filters are similar to message filters, except that
they are applied later in the email pipeline — after a message has been “splintered” into a
number of separate messages for each matching Email Security Manager policy. The
functionality of content filters is applied after message filters processing and anti-spam and
anti-virus scanning have been performed on a message.
Like regular message filters, you define a name for each content filter. The name must be
unique to the Incoming or Outgoing Mail Policies table in which it will be used. Each
Incoming and Outgoing Mail Policies table will have its own, singular “master list” of content
filters. The order is defined on a per-table basis (for incoming or outgoing). However, each
individual policy determines which particular filters will be executed.
Unlike regular message filters (which are applied before anti-spam and anti-virus scanning),
content filters can be configured both in the CLI and in the GUI. The GUI includes a “rule
builder” page that allows you to easily create the conditions and actions that constitute a
content filter. Email Security Manager incoming or outgoing mail policy tables manage which
content filters are enabled the order in which they will be applied for any given policy.
Table 7-2 lists the available conditions you can use to create a content filter. Table 7-3 and
Table 7-4 list the non-final and final actions you can use to define a content filter. Together,
conditions and action constitute a content filter.
Figure 7-4 Content Filtering Lists for Incoming Mail and Outgoing Mail Policy Tables
170
CONTENT FILTERS OVERVIEW
Multiple conditions may defined for each filter. When multiple conditions are defined, you
can choose whether the conditions are tied together as a logical OR (“Any of the following
conditions...”) or a logical AND (“All of the following conditions”).
Dictionary Match dictionary- Does the message body contain any of the
match(<dictionary regular expressions or terms in the content
name>) dictionary named dictionary name?
The dictionary must already have been created.
See “Content Dictionaries” on page 328.
Subject Header subject- Does the subject header contain any of the
Dictionary Match dictionary- regular expressions or terms in the content
match(<dictionary dictionary named dictionary name?
name>) The dictionary must already have been created.
See “Content Dictionaries” on page 328.
Other Header header- Does the specified header contain any of the
Dictionary Match dictionary- regular expressions or terms in the content
match(<dictionary dictionary named dictionary name?
name>, <header>) The dictionary must already have been created.
See “Content Dictionaries” on page 328.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 171
IRONPORT ASYNCOS 4.7 USER GUIDE
Envelope Sender mail-from Does the Envelope Sender (i.e., the Envelope
Address From, <MAIL FROM>) match a given pattern?
Envelope Sender mail-from- Does the envelope sender contain any of the
Dictionary Match dictionary- regular expressions or terms in the content
match(<dictionary dictionary named dictionary name?
name>) The dictionary must already have been created.
See “Content Dictionaries” on page 328.
Envelope Recipient rcpt-to Does the Envelope Recipient, (i.e. the Envelope
Address To, <RCPT TO>) match a given pattern?
Note: The rcpt-to rule is message-based. If
a message has multiple recipients, only one
recipient has to match the rule for the specified
action to affect the message to all recipients.
172
CONTENT FILTERS OVERVIEW
Envelope Recipient mail-to- Does the envelope recipient contain any of the
Dictionary Match dictionary- regular expressions or terms in the content
match(<dictionary dictionary named dictionary name?
name>) The dictionary must already have been created.
See “Content Dictionaries” on page 328.
Envelope Sender mail-from-group Is the Envelope Sender (i.e., the Envelope From,
Address in Group <MAIL FROM>) in a given LDAP group?
Envelope Recipient rcpt-to-group Is the Envelope Recipient, (i.e. the Envelope To,
Address in Group <RCPT TO>) in a given LDAP group?
Note: The rcpt-to-group rule is
message-based. If a message has multiple
recipients, only one recipient has to be found in
a group for the specified action to affect the
message to all recipients.
Note
Note — The various dictionary-related conditions will only be visible if you have any one or
more dictionaries enabled. See “Content Dictionaries” on page 328.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 173
IRONPORT ASYNCOS 4.7 USER GUIDE
Only one final action may be defined per filter, and the final action must be last action listed.
Bounce, deliver, and drop are final actions. When entering actions for content filters, the GUI
and CLI will force final actions to be placed last.
Bypass Outbreak skip-vofcheck Bypass Virus Outbreak Filter scanning for this
Filter Scanning message.
174
CONTENT FILTERS OVERVIEW
Send to Alternate alt-mailhost Change the destination mail host for the
Destination Host message.
Add Header insert-header Inserts a header and value pair into the
message before delivering.
Deliver message deliver Delivers the message now without further processing.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 175
IRONPORT ASYNCOS 4.7 USER GUIDE
Action Variables
Headers added to messages processed by content filters can contain Filter Action Variables
(see “Message Filter Action Variables” in the Policy Enforcement chapter of the IronPort
AsyncOS Advanced User Guide).
176
PRACTICAL EXAMPLE (GUI)
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 177
IRONPORT ASYNCOS 4.7 USER GUIDE
Upgraded Systems
On systems that have upgraded from previous releases of AsyncOS, additional policies will be
created for each listener that existed prior to upgrading to AsyncOS 4.5. These policies use
the special “Listener:” user key in an attempt to preserve the pre-upgrade system behavior.
You can delete these policies, re-order them, or edit them. See “Upgrading from Earlier
Versions of AsyncOS” on page 166 for more information.
178
EDITING THE DEFAULT POLICY: ANTI-SPAM SETTINGS
Note
Note — For default security service settings, the first setting on the page defines whether the
service is enabled for the policy. You can click “Disable” to disable the service altogether.
2. In the “Positively Identified Spam Settings” section, change the “Action to apply to this
message” to Drop.
3. In the “Suspected Spam Settings” section, click Yes to enable suspected spam scanning.
If enabled, the default action is to deliver suspected spam messages while prepending the
subject with the text [SUSPECTED SPAM].
The “Add text to message” field only accepts US-ASCII characters.
4. Click Submit. The Incoming Mail Policies table page is re-displayed. Note that the
summary link for the anti-spam security service has changed to reflect the new values.
Similar to the steps above, you can change the default anti-virus and virus outbreak filter
settings for the default policy.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 179
IRONPORT ASYNCOS 4.7 USER GUIDE
180
CREATING A NEW POLICY
Note
Note — Entries for users are case-sensitive in both the GUI and CLI in AsyncOS. Use caution
when entering user for a given policy. For example, if you enter the recipient Joe@ for a user,
a message sent to joe@example.com will not match.
If you store user information within LDAP directories in your network infrastructure — for
example, in Microsoft Active Directory, SunONE Directory Server (formerly known as
“iPlanet Directory Server”), or Open LDAP directories — you can configure the IronPort
appliance to query your LDAP servers for the purposes of accepting recipient addresses,
rerouting messages to alternate addresses and/or mail hosts, masquerading headers, and
determining if messages have recipients or senders from specific groups.
If you have configured the appliance to do so, you can use the configured queries to
define users for a mail policy in Email Security Manager.
See the “LDAP Queries” chapter in the IronPort AsyncOS Advanced User Guide for more
information.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 181
IRONPORT ASYNCOS 4.7 USER GUIDE
4. Click the Add button to add users into the Current Users list.
Policies can contain mixtures of senders, recipients, and LDAP queries.
Use the Remove button to remove a defined user from the list of current users.
5. When you are finished adding users, click Submit.
The Mail Policies page is displayed with the new policy added.
Note that all security services settings are set to use the default values when you first add a
policy. See “Newly Added Policy — Sales Team” on page 182.
Figure 7-11 Newly Added Policy — Sales Team
6. Click the Add Policy button again to add another new policy.
182
CREATING A NEW POLICY
In this policy, individual email addresses for members of the engineering team are
defined:
Figure 7-12 Creating a Policy for the Engineering Team
7. When you are finished adding users for the engineering policy, click Submit.
The Mail Policies page is displayed with the new policy added. See Figure 7-13.
8. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish defining the two policies.
Figure 7-13 Newly Added Policy — Engineering Team
Note
Note — At this point, both newly created policies have the same settings applied to them as
those in the default policy. Messages to users of either policy will match; however, the mail
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 183
IRONPORT ASYNCOS 4.7 USER GUIDE
processing settings are not any different from the default policy. Therefore, messages that
match users in the “sales_team” or “engineering” policies will not be processed any
differently than the default policy.
• Yellow shading shows that the policy is using the same settings as the default policy.
• No shading (white) shows that the policy is using different settings than the default policy.
• Grey shading shows that the security service has been disabled for the policy.
184
CREATING CUSTOM POLICIES
Figure 7-14 Editing the Anti-Spam Settings for the Sales Team Policy
Choosing either “Use IronPort Anti-Spam” or “Use Symantec Brightmail” here allows you
to override the settings defined in the default policy.
3. In the “Positively Identified Spam Settings” section, change the “Action to apply to this
message” to “Drop.”
4. In the “Suspected Spam Settings” section, click Yes to enable suspected spam scanning.
5. For “Apply action to this message,” choose “IronPort Spam Quarantine” or “Symantec
Brightmail Quarantine” (if you are using IronPort Anti-Spam you can only selected
IronPort Spam Quarantine).
Note
Note — If you select the external Symantec Brightmail quarantine, suspected spam mail will
be sent to an external quarantine host, and not the on-box system quarantines discussed in
“Quarantines” on page 365. If you select the IronPort Spam quarantine, mail is forwarded
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 185
IRONPORT ASYNCOS 4.7 USER GUIDE
according to the settings defined in “Configuring the IronPort Spam Quarantines Feature” on
page 383.
Note
Note — Using the Brightmail Quarantine requires you to specify a “Reinsertion Key” for
messages that are reinserted to the IronPort appliance from the Brightmail Quarantine. Be sure
to set this value on the Security Services -> Anti-Spam page. The IronPort Spam quarantine
does not require a reinsertion key.
8. Click Submit.
The Incoming Mail Policies page is displayed with the changes shown for the sales policy.
See Figure 7-17. Not that the shading shows that the policy is using different settings than
the default policy.
186
CREATING CUSTOM POLICIES
Figure 7-17 Anti-Spam Settings for the Sales Team Policy Changed
9. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
At this point, any message that is suspected spam and whose recipient matches the LDAP
query defined for the sales team policy will be delivered to an external quarantine.
To edit the Virus Outbreak Filter settings for the engineering team policy:
1. Click the link for the Virus Outbreak Filters feature security service (the Virus Outbreak
Filters column) in the engineering policy row.
Because the policy was just added, the link is named: (use default).
Figure 7-18 Editing the Virus Outbreak Filters Feature Settings for the Engineering Team Policy
2. On the Virus Outbreak Filters feature security service page, change the value for “Enable
Virus Outbreak Filter Scanning for this Policy” from “Use Default Settings” to “Yes.”
Choosing “Yes” here allows you to override the settings defined in the default policy.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 187
IRONPORT ASYNCOS 4.7 USER GUIDE
Doing so will also enable the contents of the rest of the page to allow you to select
different settings.
3. In the “Bypass Outbreak Filtering For” section of the page, type dwg in the in the file
extension field.
The file extension “dwg” is not in the list of known file type that the IronPort appliance can
recognize by its fingerprint when attachment scanning.
Note
Note — You do not need to type the period (.) before the three letter filename extension.
4. Click Add Extension to add .dwg files to the list of file extensions that will bypass Virus
Outbreak Filters feature scanning.
Figure 7-19 Bypassing Virus Outbreak Filtering for the dwg File Extension
5. Click Submit.
The Incoming Mail Policies page is displayed with the changes shown for the engineering
policy. See Figure 7-17. Note that the shading shows that the policy is using different
settings than the default policy.
188
FINDING USERS IN POLICIES OF THE EMAIL SECURITY MANAGER
Figure 7-20 Anti-Spam Settings for the Sales Team Policy Changed
6. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
At this point, any message that contains an attachment whose file extension is dwg — and
whose recipient matches the recipients defined for the engineering team policy — will bypass
the Virus Outbreak Filter scanning and continue processing.
Click the name of the policy to jump to the Edit Policy page to edit the users for that policy.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 189
IRONPORT ASYNCOS 4.7 USER GUIDE
Note that the default policy will always be shown when you search for any user, because, by
definition, if a sender or recipient does not match any other configured policies, it will always
match the default policy.
190
CREATING NEW CONTENT FILTERS
This filter will strip MP3 attachments and notify the recipients that an MP3 file was
stripped.
3. “ex_employee”
This content filter will scan for messages sent to a specific envelope recipient address (an
ex-employee). If the message matches, a specific notification message will be sent to the
sender of the message and then the message will be bounced.
After creating the content filters, you will then configure each of the policies (including the
default policy) to enable the specific content filters in differing combinations.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 191
IRONPORT ASYNCOS 4.7 USER GUIDE
No MP3 Attachments
The second example content filter contains no conditions and one action. To create the
second content filter:
1. Click the Add Filter button.
The Add Filter page is displayed.
2. In the Name: field, type no_mp3s as the name of the new filter.
3. In the Description: field, type the description. For example: strip all MP3
attachments
4. In the Actions section of the page, choose “Strip Attachment.”
The page refreshes to show the available options.
5. In the next available field, select “If File Type Is....”
The page refreshes to show the available options.
6. In the next available field, select “-- mp3” from the list of available attachment types.
7. Add a “replacement message” if desired.
8. Click Add Action.
192
CREATING NEW CONTENT FILTERS
Note
Note — It is not necessary to specify a condition when creating a content filter. When no
condition is defined, any actions defined will always apply in the rule. (Specifying no
condition is equivalent to using the true() message filter rule — all messages will be
matched if the content filter is applied to a policy.)
Ex-employee
To create the third content filter:
1. Click the Add Filter Button.
The Add Filter page is displayed.
2. In the Name: field, type ex_employee as the name of the new filter.
3. In the Description: field, type the description. For example: bounce messages
intended for Doug
4. In the Conditions section of the page, choose “Envelope Recipient.”
The page refreshes to show the available options.
5. In the next available field, choose “Begins with,” type: doug@ and click Add Condition.
The page refreshes to show the condition added. Note that you could create an LDAP
directory containing the email addresses of former employees. As ex-employees are
added to that directory, this content filter would be dynamically updated.
6. In the Actions section of the page, choose “Notify.”
The page refreshes to show the available options.
7. Select the checkbox for “Sender” and, in the “Subject:” field, type: message bounced
for ex-employee of example.com
8. In the “Notify template:” section, choose a notification template.
Note
Note — Some sections of the content filter rule builder will not appear in the user interface if
the resource has not been preconfigured. For example, content dictionaries, notification
templates, and message footers will not appear as options if they have not been configured
previously via the Mail Policies -> Dictionaries page (or the dictionaryconfig command
in the CLI). For more information about creating dictionaries, see “Content Dictionaries” on
page 328.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 193
IRONPORT ASYNCOS 4.7 USER GUIDE
You can only specify one final action for a content filter. If you try to attempt to add more
than one final action, the GUI displays an error.
Adding this action may will cause senders of messages to this ex-employee to potentially
receive two messages: one for the notification template, and one for the bounce
notification template.
11. Click Submit.
The Incoming Content Filters page is displayed to show the newly-added content filter.
In this part of the example, you will apply the three new content filters to be used in the
Incoming Mail Policy table.
• The default policy will receive all three content filters.
• The engineering group will not receive the no_mp3s filter.
• The sales team will receive the content filters as the default incoming mail policy.
Click the links to enable and select content filters for individual policies. To edit the default
incoming mail policy:
1. Click Incoming Mail Policies to return to the Incoming Mail Policy table.
The page is refreshed to show the default policy and the two policies added in “Creating a
New Policy” on page 181. Note that content filtering is disable by default for all policies.
2. Click the link for the Content Filters security service (the Content Filters column) in the
default policy row. See Figure 7-24.
194
ENABLING AND APPLYING CONTENT FILTERS TO INDIVIDUAL POLICIES
Figure 7-24 Editing the Content Filters Setting for the Default Incoming Mail Policy
3. On the Content Filtering security service page, change the value for “Enable Content
Filtering for this Policy” from “No” to “Yes.”
Figure 7-25 Enabling Content Filters for the Policy and Selecting Specific Content Filters
The content filters defined in the master list (which were created in “Creating New
Content Filters” on page 190 using the Incoming Content Filters pages) are displayed on
this page. When you change the value from “No” to “Yes,” the checkboxes for each filter
change from disabled (greyed out) to become enabled.
Note
Note — By default, when you enable content filtering for a policy, all content filters will be
selected.
4. Click Submit.
The Incoming Mail Policies page is displayed, and the table is updated to show the names
of the filters that have been enabled for the default policy.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 195
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 7-26 Three Content Filters Enabled for the Default Incoming Mail Policy
4. Click Submit.
The Incoming Mail Policies page is displayed, and the table is updated to show the names
of the filters that have been enabled for the engineering policy.
196
ADDING A NEW CONTENT FILTER WITHIN AN INDIVIDUAL POLICY
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
At this point, incoming messages that match the user list for the engineering policy will not
have MP3 attachments stripped; however, all other incoming messages will have MP3
attachments stripped.
Note
Note — When you add a content filter from within an individual policy, be sure to note the
order of the content filter within its context of the master list. Like the policies themselves,
content filters for each policy are evaluated in a top-down fashion.
In this part of the example, you will add a new content filter from within the “sales_team”
policy. Suppose, for example, that while examining the content filters for the “sales_team,”
you decided to begin limiting the size of attachments that the members of this policy can
receive.
To add a content filter from within the “sales_team” policy:
1. Click the link for the Content Filters security service (the Content Filters column) in the
sales_team policy row.
2. On the Content Filtering security service page, change the value for “Enable Content
Filtering for this Policy” from “Use Default Settings” to “Yes.”
Because this policy was using the default values, when you change the value from “Use
Default Settings” to “Yes,” the checkboxes for each filter change from disabled (greyed
out) to become enabled.
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 197
IRONPORT ASYNCOS 4.7 USER GUIDE
Selecting the order to be first will help ensure that this rule is evaluated for this policy.
7. In the Actions section of the page, choose “Strip Attachment.” In the next available field,
choose “If the file size in bytes is greater than.” In the text box, type 5M.
Remember that it is not necessary to specify a condition when creating a content filter.
When no condition is defined, any actions defined will always apply in the rule.
In the text box, typing 5M is interpreted to mean 5 megabytes.
8. Click Submit.
The “sales_team” content filters page is displayed to show the newly added content filter
in the order specified. Note that the new filter is enabled, also, by default, when you add
it from within a policy.
9. Click Submit again to return to the Incoming Mail Policies page.
An action results message is displayed to show that the Content Filter settings for the
chosen policy were successfully changed.
198
NOTES ON CONFIGURING CONTENT FILTERS IN THE GUI
10. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
Note that:
• The newly-added content filter was not enabled for any other defined policy,
including the default policy.
• The specific order of the content filter is reflected in the description of the Content
Filters column for the policy.
• The content filter will appear in the master list of content filters for Incoming Mail
Policy table. You can confirm this by clicking the link on the left side of the page
for Incoming Content Filters:
Figure 7-31 Newly Added Content Filter: Incoming Content Filters Page
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 199
IRONPORT ASYNCOS 4.7 USER GUIDE
If you do not wish to use regular expression you should use a '\' (backslash) to escape any
of these characters. For example: "\*Warning\*"
• When you define more than one Condition for a content filter, you can define whether all
of the defined actions (that is, a logical AND) or any of the defined actions (logical OR)
need to apply in order for the content filter to be considered a match.
Figure 7-32 Choosing Any or All of the Following Conditions
• You can test message splintering and content filters by creating “benign” content filters.
For example, it is possible to create a content filter whose only action is “deliver.” This
content filter will not affect mail processing; however, you can use this filter to test how
Email Security Manager policy processing affects other elements in the system (for
example, the mail logs).
• Conversely, using the “master list” concept of the Incoming or Outgoing Content Filters, it
is possible to create very powerful, wide-sweeping content filters that will immediately
affect message processing for all mail handled by the appliance. The process for this is to:
a. Use the Incoming or Outgoing Content Filters page to create a new content filter
whose order is 1.
b. Use the Incoming or Outgoing Mail Policies page to enable the new content filter
for the default policy.
c. Enable the content filter for all remaining policies.
• The Bcc: and Quarantine actions available in Content Filters can help you determine the
retention settings of quarantines you create. (See Chapter 15, “Quarantines,” for more
details.) You can create filters that would simulate mail flow into and out of your system
quarantines so that messages are not released too quickly from the system (that is, the
quarantine areas do not fill their allotted disk space too quickly).
• Because it uses the same settings as the scanconfig command, the “Entire Message”
condition does not scan a message’s headers; choosing the “Entire Message” will scan
only the message body and attachments. Use the “Subject” or “Header” conditions to
search for specific header information.
200
NOTES ON CONFIGURING CONTENT FILTERS IN THE GUI
• Configuring users by LDAP query will only appear in the GUI if you have LDAP servers
configured on the appliance (that is, you have configured the appliance to query specific
LDAP servers with specific strings using the ldapconfig command).
• Some sections of the content filter rule builder will not appear in the GUI if the resource
has not been preconfigured. For example, notification templates and message footers will
not appear as options if they have not been configured previously using the Text
Resources page or the textconfig command in the CLI.
• Content filters features will recognize, can contain, and/or scan for text in the following
character encodings:
• Unicode (UTF-8)
• Unicode (UTF-16)
• Western European/Latin-1 (ISO 8859-1)
• Western European/Latin-1 (Windows CP1252)
• Traditional Chinese (Big 5)
• Simplified Chinese (GB 2312)
• Simplified Chinese (HZ GB 2312)
• Korean (ISO 2022-KR)
• Korean (KS-C-5601/EUC-KR)
• Japanese (Shift-JIS (X0123))
• Japanese (ISO-2022-JP)
• Japanese (EUC)
You can mix and match multiple character sets within a single content filter. Refer to your
web browser’s documentation for help displaying and entering text in multiple character
encodings. Most browsers can render multiple character sets simultaneously.
Figure 7-33 Multiple Character Sets in a Content Filter
• On the Incoming or Outgoing Content Filters summary pages, use the links for
“Description,” “Rules,” and “Policies” to change the view presented for the content filters:
• The Description view shows the text you entered in the description field for each
content filter. (This is the default view.)
C H A P T E R 7 : E M A I L S E C U R I T Y M A N A G E R 201
IRONPORT ASYNCOS 4.7 USER GUIDE
• The Rules view shows the rules and regular expressions build by the rule builder
page.
• The Policies shows the policies for which each content filter is enabled.
Figure 7-34 Using the Links to Toggle Description, Rules, and Policy for Content Filters
202
8
CHAPTER
Reputation Filtering
The IronPort appliance offers a unique, layered approach to stopping spam at the email
gateway. The first layer of spam control, reputation filtering, allows you to classify email
senders and restrict access to your email infrastructure based on senders’ trustworthiness as
determined by the IronPort SenderBase™ Reputation Service. The second layer of defense
(discussed in the next chapter), scanning, is powered by either IronPort Anti-Spam™ or
Symantec Brightmail™ Anti-Spam technology. Coupled together, reputation filtering and
anti-spam scanning offer the most effective and highest performing anti-spam solution
available today.
Using the IronPort appliance, it is very easy to create policies to deliver messages from known
or highly reputable senders — such as customers and partners — directly to the end user
without any anti-spam scanning. Messages from unknown or less reputable senders can be
subjected to anti-spam scanning, and you can also throttle the number of messages you are
willing to accept from each sender. Email senders with the worst reputation can have their
connections rejected or their messages bounced based on your preferences.
The unique, two-layer approach to fighting spam of the IronPort appliance provides you with
a powerful and unprecedented flexibility to manage and protect your enterprise email
gateway.
This chapter contains the following sections:
• “Reputation Filtering” on page 204
• “Configuring Reputation Filtering” on page 209
The following chapter, Anti-Spam, discusses both anti-spam scanning engines in detail.
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 203
IRONPORT ASYNCOS 4.7 USER GUIDE
RE P UT A T IO N F I L TE RI NG
The SenderBase Reputation Service provides an accurate, flexible way for users to reject or
throttle suspected spam based on the connecting IP address of the remote host. The
SenderBase Reputation Service returns a score based on the probability that a message from a
given source is spam and exposes objective data in the Mail Flow Monitor feature to allow
mail administrators to get a more complete picture of who is sending them email (see “Using
Mail Flow Monitor” on page 139). The SenderBase Reputation Service can be used as a stand-
alone anti-spam solution. It is primarily designed to improve the effectiveness of a content-
based anti-spam system such as IronPort Anti-Spam or Symantec Brightmail Anti-Spam.
Using the SenderBase Reputation Service, you can:
• Reduce spam
The SenderBase Reputation Service allows enterprises to identify known spam based on the
connecting IP address, allowing organizations to block spam as soon as it reaches the
gateway. This increases the effectiveness of the anti-spam scanning engine being used or any
content-based filter.
• Protect against spam floods
Viruses such as SoBig and “hit and run” spam attacks can create sudden and unexpected
spikes in message volume. If a particular sender starts sending at high volumes, the
SenderBase Reputation Service can detect this through its global affiliate network and assign a
more negative score, which the IronPort appliance can use to immediately begin limiting the
number of recipients per hour allowed from the sender. (See also “The Virus Outbreak Filters
Feature” on page 301.)
• Improve throughput
The IronPort appliance can reduce system load and increase message throughput by
immediately rejecting known spam and routing known good messages past content filters.
204
SENDERBASE REPUTATION SERVICE (SBRS) SCORE
Note — If your IronPort appliance is set to receive mail from a local MX/MTA, you must
Note
identify upstream hosts that may mask the sender's IP address. See “Incoming Relays” on
page 267 for more information.
Several key elements of the SenderBase Reputation Service are that it is:
• Non-spoofable
The email sender’s reputation is based on the IP addresses of the email sender. Because SMTP
is a two-way conversation over TCP/IP, it is nearly impossible to “spoof” an IP address — the
IP address presented must actually be controlled by the server sending the message.
• Comprehensive
The SenderBase Reputation Service uses global data from the SenderBase Affiliate network
such as complaint rates and message volume statistics as well as data from carefully selected
public blacklists and open proxy lists to determine the probability that a message from a given
source is spam.
• Configurable
Unlike other “identity-based” anti-spam techniques like blacklists or whitelists that return a
simple yes/no decision, the SenderBase Reputation Service returns a graduated response
based on the probability that a message from that source is spam. This allows you to set your
own threshold for where you choose to block spam and automatically assign senders to
different groups based on their SenderBase Reputation Score.
Score Meaning
The lower (more negative) the score, the more likely that a message is spam. A score of -10.0
means that this message is “guaranteed” to be spam, while a score of 10.0 means that the
message is “guaranteed” to be legitimate.
Using the SBRS, you configure the IronPort appliance to apply mail flow policies to senders
based on their trustworthiness. (You can also create message filters to specify “thresholds” for
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 205
IRONPORT ASYNCOS 4.7 USER GUIDE
SenderBase Reputation Scores to further act upon messages processed by the system. For
more information, refer to “SenderBase Reputation Rule” and “Bypass Anti-Spam System
Action” in the “Policy Enforcement” chapter in the IronPort AsyncOS Advanced User Guide.)
Figure 8-1 The SenderBase Reputation Service
5 250-Recipient Accepted
or 452-Too many recipients this hour
or 554-Access Denied IronPort appliance
Sending MTA
2 HELO
3 4
206
IMPLEMENTING SENDERBASE REPUTATION FILTERS
Table 8-1 lists a set of recommended policies for implementing SenderBase reputation
filtering. Depending on the objectives of your enterprise, you can implement a conservative,
moderate, or aggressive approach.
Note
Note — Although IronPort recommends throttling, an alternative for implementing the
SenderBase Reputation Service is to modify the subject line of suspected spam messages. To
do this, use the following message filter shown in . This filter uses the reputation filter rule
and the strip-header and insert-header filter actions to replace the subject line of
messages with a SenderBase Reputation Score lower than -2.0 with a subject line that
includes the actual SenderBase Reputation Score represented as: {Spam SBRS}. Replace
listener_name in this example with the name of your public listener. (The period on its own
line is included so that you can cut and paste this text directly into the command line
interface of the filters command.)
Refer to “Policy Enforcement” chapter in the IronPort AsyncOS Advanced User Guide. for
more information.
Code Example 8-1 Message Filter to Modify Subject Header with SBRS: Example 1
sbrs_filter:
if ((recv-inj == "listener_name" AND subject != "\\{Spam -?[0-9.]+\\}"))
{
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 207
IRONPORT ASYNCOS 4.7 USER GUIDE
Code Example 8-1 Message Filter to Modify Subject Header with SBRS: Example 1
insert-header("X-SBRS", "$REPUTATION");
if (reputation <= -2.0)
{
strip-header("Subject");
insert-header("Subject", "$Subject \\{Spam $REPUTATION\\}");
}
}
.
208
CONFIGURING REPUTATION FILTERING
CO N FI GU R IN G R E P U TA TI ON F I L T E R IN G
Configure reputation filtering via the Mail Policies -> HAT Overview page. For more
information, see “Implementing SenderBase Reputation Filters” on page 207.
Conservative
A conservative approach is to block messages with a SenderBase Reputation Score lower than
-7.0, throttle between -7.0 and -2.0, apply the default policy between -2.0 and +6.0, and
apply the trusted policy for messages with a score greater than +6.0. Using this approach
ensures a near zero false positive rate while achieving better system performance.
Moderate
A moderate approach is to block messages with a SenderBase Reputation Score lower than
-4.0, throttle between -4.0 and 0, apply the default policy between 0 and +6.0, and apply the
trusted policy for messages with a score greater than +6.0. Using this approach ensures a very
small false positive rate while achieving better system performance (because more mail is
shunted away from Anti-Spam processing).
Aggressive
An aggressive approach is to block messages with a SenderBase Reputation Score lower than
-1.0, throttle between -1.0 and 0, apply the default policy between 0 and +4.0, and apply the
trusted policy for messages with a score greater than +4.0. Using this approach, you might
incur some false positives; however, this approach maximizes system performance by
shunting the most mail away from Anti-Spam processing.
Note
Note — Users are also recommended to assign all messages with a SenderBase Reputation
Score greater than 6.0 to the $TRUSTED policy.
Table 8-1 Recommended Phased Approach to Implementing Reputation Filtering using the SBRS
Conservative -10 to -7 -7 to -2 -2 to 7 7 to 10
Moderate -10 to -4 -4 to -1 -1 to 6 6 to 10
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 209
IRONPORT ASYNCOS 4.7 USER GUIDE
$TRUSTED
The HAT Overview shows the range of SBRS scores that are assigned to each sender group
(the horizontal bar) as well as the associated mail flow policy.
2. Click the link for a sender group.
210
IMPLEMENTING REPUTATION FILTERING IN A LISTENER’S HAT
For example, click the “SUSPECTLIST” link. The Edit Sender Group page is displayed:
Figure 8-4 Modifying a Sender Group’s SBRS Score ranges
3. Type the range of SBRS Scores to define the sender group. You can also define an optional
comment.
For example, for “SUSPECTLIST,” enter a range from -4.0 to 0. Refer to “Sender Groups
defined by SenderBase Reputation Scores” on page 94 for the syntax.
4. Click Submit.
Repeat steps 2-5 for each group in the listener’s HAT. For example, define the values for
conservative approach. You can configure the values shown in Table 8-1 for a moderate
or aggressive approach as well.
WHITELIST 6 to 10 TRUSTED
SUSPECTLIST -7 to -2 THROTTLED
UNKOWNLIST -2 to 6 ACCEPTED
Note
Note — Remember that order matters when defining sender groups in a listener’s HAT. (The
HAT is read from top to bottom for each host that attempts to connect to the listener. If a rule
matches a connecting host, the action is taken for that connection immediately.) IronPort
recommends maintaining the default order of the predefined sender groups in a listener’s HAT
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 211
IRONPORT ASYNCOS 4.7 USER GUIDE
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish implementing reputation filtering in a listener’s HAT.
Table 8-2 Suggested Mail Flow Policies for Implementing the SBRS
212
MONITORING THE STATUS OF THE SENDERBASE REPUTATION SERVICE
Table 8-2 Suggested Mail Flow Policies for Implementing the SBRS (Continued)
Note
Note — In the $THROTTLED policy, the maximum recipients per hour from the remote host
is set to 20 recipient per hour, by default. Note that this setting controls the maximum
throttling available. You can increase the number of recipients to receive per hour if this
parameter is too aggressive. For more information on Default Host Access policies, see
“Predefined Mail Flow Policies for Public Listeners” on page 96.
The sbstatus command in CLI displays the same information. For example:
mail3.example.com> sbstatus
C H A P T E R 8 : R E P U T A T I O N F I L T E R I N G 213
IRONPORT ASYNCOS 4.7 USER GUIDE
If the IronPort appliance is unable to contact the SenderBase Reputation Service, or the
service has never been contacted, the following is displayed:
mail3.example.com> sbstatus
214
9
CHAPTER
Anti-Spam
The IronPort appliance offers a unique, layered approach to stopping spam at the email
gateway. The first layer of spam control, reputation filtering (discussed previously in Chapter
8, “Reputation Filtering,”) allows you to classify email senders and restrict access to your
email infrastructure based on senders’ trustworthiness as determined by the IronPort
SenderBase™ Reputation Service. The second layer of defense, scanning, is powered by
either IronPort Anti-Spam™ or Symantec Brightmail™ Anti-Spam technology. Coupled
together, reputation filtering and anti-spam scanning offer the most effective and highest
performing anti-spam solution available today.
Using the IronPort appliance, it is very easy to create policies to deliver messages from known
or highly reputable senders — such as customers and partners — directly to the end user
without any anti-spam scanning. Messages from unknown or less reputable senders can be
subjected to anti-spam scanning, and you can also throttle the number of messages you are
willing to accept from each sender. Email senders with the worst reputation can have their
connections rejected or their messages dropped based on your preferences.
The unique, two-layer approach to fighting spam of the IronPort appliance provides you with
a powerful and unprecedented flexibility to manage and protect your enterprise email
gateway.
This chapter contains the following sections:
• “Anti-Spam Overview” on page 216
• “IronPort Anti-Spam Filtering” on page 220
• “Symantec Brightmail Anti-Spam Filtering” on page 235
• “Incoming Relays” on page 267
C H A P T E R 9 : A N T I - S P A M 215
IRONPORT ASYNCOS 4.7 USER GUIDE
A N T I - S P A M O V E R V I EW
Your IronPort appliance provides support for two anti-spam scanning engines: IronPort
Anti-Spam and Symantec Brightmail Anti-Spam. While you can license and have both of
these engines enabled on the same appliance at the same time, any particular email message
can only be scanned by one engine. Scanning a message with both engines could lead to
increased false positives and is not supported in AsyncOS.
Using the Email Security Manager, you can quickly and easily specify a different anti-spam
scanning engine for different groups of users.
Note
Note — Please see “Email Pipeline and Security Services” on page 68 for information about
how and when anti-spam scanning is applied.
Once the system is set up, you can specify which anti-spam scanning engine is used per
recipient (if you have more than one engine licensed), via the Mail Policies tab, under Email
Security Manager -> Incoming Mail Policies. (Anti-spam scanning is typically disabled for
outgoing mail policies.) You can have a different anti-spam scanning engine enabled for each
policy. You can even have the same engine enabled but configured differently for each policy.
In this example, both the default mail policy and the “Partners” policy are using the IronPort
Anti-Spam scanning engine.
216
ENABLING ANTI-SPAM SCANNING
To change the Partners policy to use the Symantec Brightmail engine, click on the entry in the
Anti-Spam column corresponding with the Partners row (“use default”). Select “Use Symantec
Brightmail.”
Figure 9-3 Mail Policies - Selecting an Anti-Spam Engine for a Mail Policy
After submitting and committing the changes, the mail policy looks like this:
C H A P T E R 9 : A N T I - S P A M 217
IRONPORT ASYNCOS 4.7 USER GUIDE
The scanning engine specific settings are discussed below, in the corresponding sections. The
Security Services -> Anti-Spam page also displays the list of the most recent anti-spam rule
updates.
218
ANTI-SPAM SCANNING AND MESSAGES GENERATED BY THE IRONPORT APPLIANCE
C H A P T E R 9 : A N T I - S P A M 219
IRONPORT ASYNCOS 4.7 USER GUIDE
IR O NPO R T A N TI - SP A M F I L TE RI N G
Your IronPort appliance includes a 30-day license for the integrated IronPort Anti-Spam
scanning engine.
Note
Note — If your IronPort appliance is set to receive mail from a local MX/MTA, you must
identify upstream hosts that may mask the sender’s IP address. See “Incoming Relays” on
page 267 for more information.
220
ENABLING IRONPORT ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
accuracy and performance by analyzing over 100,000 message attributes across four
dimensions:
1. Email reputation — who is sending you this message?
2. Message content — what content is included in this message?
3. Message structure — how was this message constructed?
4. Web reputation — where does the call to action take you?
Analyzing multi-dimensional relationships allows CASE to catch a broad range of threats
while maintaining exceptional accuracy. For example, a message that has content claiming to
be from a legitimate financial institution but that is sent from an IP address on a consumer
broadband network or that contains a URL hosted on a “zombie” PC will be viewed as
suspicious. In contrast, a message coming from a pharmaceutical company with a positive
reputation will not be tagged as spam even if the message contains words closely correlated
with spam.
Industry-Leading Performance
CASE combines the following features to deliver accurate verdicts quickly:
• Multiple threats are scanned for in a single pass
• Dynamic “early exit” system
System performance is optimized using IronPort's unique “early exit” system. IronPort
developed a proprietary algorithm to determine the order in which rules are applied based
on rule accuracy and computational expense. Lighter and more accurate rules are run
first, and if a verdict is reached, additional rules are not required. This improves system
throughput, allowing our products to meet the needs of large-scale enterprises.
Conversely, the efficiency of the engine allows for implementation on low-cost hardware,
making IronPort’s security services attractive for low-end customers.
• Off-box network calculations
International Users
IronPort Anti-Spam is tuned to deliver industry-leading efficacy world-wide. In addition to
locale-specific content-aware threat detection techniques, IronPort Anti-Spam leverages
globally representative email and web content-agnostic data contributed by over 125,000
ISPs, universities and corporations throughout the Americas, Europe, and Asia. The Threat
Operations Center is set up for global operations with centers in Sao Paulo, Beijing and
London. In addition, analysts speak 32 languages including Chinese, Japanese, Korean,
Portuguese, and Spanish.
C H A P T E R 9 : A N T I - S P A M 221
IRONPORT ASYNCOS 4.7 USER GUIDE
license agreement for IronPort Anti-Spam. If you do not accept the license agreement,
IronPort Anti-Spam is not enabled on the appliance.
Overview
You enable IronPort Anti-Spam and modify its global configuration settings using the Security
Services -> Anti-Spam and Security Services -> Service Updates pages (GUI) or the
antispamconfig and updateconfig commands (CLI). The following global settings are
configured:
• Enable IronPort Anti-Spam globally for the appliance.
• Configure the maximum size of message to be scanned by IronPort Anti-Spam.
• Enter a length of time to wait for timeout when scanning a message.
Most users will not need to change the maximum message size to be scanned or the
timeout value. That said, you may be able to optimize the throughput of your appliance by
lowering the maximum message size setting.
• Define and (optionally) enable a proxy server for obtaining IronPort Anti-Spam rules
updates (Security Services -> Service Updates). If you define a proxy server to retrieve
rules updates, you can optionally configure an authenticated username, password, and
specific port when connecting to the proxy server.
• Define and (optionally) enable a download server from which to receive IronPort
Anti-Spam rules updates (Security Services -> Service Updates).
• Enable or disable receiving automatic updates to IronPort Anti-Spam rules, and also
specify the update interval.
Note
Note — The proxy server setup is available via the Security Services -> Service Updates page.
For more information about specifying a proxy server, see “The Service Updates Page” on
page 485. Note that the proxy server is global in that all services that are configured to use a
proxy server will use the same proxy server.
Note
Note — If you chose to enable IronPort Anti-Spam in the GUI’s system setup wizard (or the
CLI systemsetup command) and not Symantec Brightmail Anti-Spam, it will be enabled for
the default incoming mail policy with the default values for the global settings.
Evaluation Key
Note
Your IronPort appliance ships with a 30-day evaluation key for the IronPort Anti-Spam
software. This key is not enabled until you accept the license agreement in the system setup
wizard or Security Services -> Anti-Spam pages (in the GUI) or the systemsetup or
antispamconfig commands (in the CLI). Once you have accepted the agreement, IronPort
Anti-Spam will be enabled, by default, for the default incoming Mail Policy. An alert is also
sent to the administrator address you configured (see “Step 2: System” on page 38) noting that
the IronPort Anti-Spam license will expire in 30 days. Alerts are sent 30, 15, 5, and 0 days
prior to expiration. For information on enabling the feature beyond the 30-day evaluation
222
ENABLING IRONPORT ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
period, contact your IronPort sales representative. You can see how much time remains on the
evaluation via the System Administration -> Feature Keys page or by issuing the featurekey
command. (For more information, see “Working with Feature Keys” on page 450.)
Figure 9-13 shows the global settings that you configure on the Security-Services ->
Anti-Spam page.
Figure 9-6 IronPort Anti-Spam Global Settings: Editing
Note
Note — If you do not accept the license agreement, IronPort Anti-Spam is not enabled on the
appliance.
3. Scroll to the bottom of the page and click Accept to accept the agreement. Click Edit
Global Settings.
A page similar to Figure 9-6 is displayed.
4. Check the box next to Enable IronPort Anti-Spam scanning.
Checking this box enables the feature globally for the appliance. However, you must still
enable per-recipient settings in Mail Policies. For more information, see “Configuring Per-
Recipient Policies for IronPort Anti-Spam” on page 226
5. Choose a value for the maximum message size to scan by IronPort Anti-Spam.
The default value is 262,144 bytes (256 Kb). Messages larger than this size will not be
scanned by IronPort Anti-Spam and the X-IronPort-Anti-Spam-Filtered: true
header will not be added to the message.
6. Enter a length of time to wait for timeout when scanning a message.
When entering a time value, use ‘s’ for seconds, ‘m’ for minutes, and ‘h’ for hours. For
example ‘1m’ is one minute. The default value is 1 minute.
7. Click Submit.
C H A P T E R 9 : A N T I - S P A M 223
IRONPORT ASYNCOS 4.7 USER GUIDE
The Security Services -> Anti-Spam -> IronPort page is refreshed to display the values you
chose in the previous steps.
Figure 9-7 IronPort Anti-Spam Global Settings
8. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish enabling IronPort Anti-Spam and configuring global settings for
the appliance.
Additional Steps
Once you have enabled IronPort Anti-Spam, you must also enable SenderBase Reputation
Service (SBRS) scoring, even if you are not rejecting connections based on SBRS scores. For
more information about enabling SBRS, see “Implementing SenderBase Reputation Filters” on
page 207.
224
CONFIGURING IRONPORT ANTI-SPAM RULE UPDATING
To configure updates for IronPort Anti-Spam, click Edit Update Settings... The Edit Update
Settings page is displayed:
Figure 9-9 Edit Service Updates Page
C H A P T E R 9 : A N T I - S P A M 225
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — If you define a proxy server, it will be used for all service updates that are configured
to use a proxy server, automatically.
For more information about defining a proxy server, see “Specify an HTTP Proxy Server
(Optional)” on page 487.
Note
Note — If the update has not occurred, or a server has not been configured, the string “Never
Updated” is displayed.
Figure 9-10 Rules Updates Section of Security Services -> Anti-Spam Page: GUI
226
CONFIGURING PER-RECIPIENT POLICIES FOR IRONPORT ANTI-SPAM
Note
Note — These actions are not mutually exclusive; you can combine some or all of them
differently within different incoming or outgoing policies for different processing needs for
groups of users. You can also treat positively identified spam differently from suspected spam
in the same policy. For example, you may want to drop messages positively identified as
spam, but quarantine suspected spam messages.
You enable IronPort Anti-Spam actions on a per-recipient basis using the Email Security
Manager feature: the Mail Policies -> Incoming or Outgoing Mail Policies pages (GUI) or the
policyconfig -> antispam command (CLI). After IronPort Anti-Spam has been enabled
globally, you configure these actions separately for each mail policy you create. You can
configure different actions for different mail policies.
Each row in the Email Security Manager represents a different policy. Each column represents
a different security service.
Figure 9-11 Mail Policies - Anti-Spam Engine
C H A P T E R 9 : A N T I - S P A M 227
IRONPORT ASYNCOS 4.7 USER GUIDE
228
CONFIGURING PER-RECIPIENT POLICIES FOR IRONPORT ANTI-SPAM
Note
Note — White space is not ignored in the “Modify message subject” field. Add spaces after (if
prepending) or before (if appending) the text you enter in this field to separate your added text
from the original subject of the message. For example, add the text [SPAM] with a few trailing
spaces if you are prepending.
Note
Note — The “Add text to message” field only accepts US-ASCII characters.
C H A P T E R 9 : A N T I - S P A M 229
IRONPORT ASYNCOS 4.7 USER GUIDE
230
POSITIVE AND SUSPECT SPAM THRESHOLD
Table 9-1 Common Example Configurations of Positively Identified and Suspected Spam
C H A P T E R 9 : A N T I - S P A M 231
IRONPORT ASYNCOS 4.7 USER GUIDE
The first configuration method tags only suspected spam messages, while dropping those
messages that are positively identified. Administrators and end-users can check the subject
line of incoming message for false positives, and an administrator can adjust, if necessary, the
suspected spam threshold.
In the second configuration method, positively identified and suspected spam is delivered
with an altered subject. Users can delete suspected and positively identified spam. This
method is more conservative than the first.
See Table 7-5 on page 190 for a further discussion of mixing aggressive and conservative
policies on a per-recipient basis using the Email Security Manager feature.
X-IronPort-Anti-Spam-Filtered: true
A second header will also be inserted for each message filtered by IronPort Anti-Spam. This
header contains information that allows IronPort Support to identify the CASE rules and
engine version used to scan the message:
X-IronPort-Anti-Spam: result
In addition, using the Email Security Manager feature, you can define an additional custom
header to be added to all messages for a given policy that are either positively identified as or
suspected to be spam. (See “Adding a Custom X-Header” on page 229.)
You can also create message filters that use the skip-spamcheck action so that certain
messages skip IronPort Anti-Spam scanning. For more information, refer to “Bypass Anti-Spam
System Action” in Chapter 8, “Policy Enforcement,” of the IronPort AsyncOS Advanced User
Guide.
232
TESTING IRONPORT ANTI-SPAM
X-Advertisement: spam
For testing purposes, IronPort Anti-Spam considers any message with an X-header
formatted as X-Advertisement: spam to be spam. The test message you send with this
header is flagged by IronPort Anti-Spam, and you can confirm that the actions you
configured for the mail policy (“Configuring Per-Recipient Policies for IronPort Anti-Spam”
on page 226) are performed. You can use the trace command and include this header, or
use a Telnet program to send SMTP commands to the appliance. See Chapter 9, “Testing
and Troubleshooting,” in the IronPort AsyncOS Advanced User Guide and Appendix A,
“Accessing the Appliance,” for more information.
Note
Note — Examining a message’s headers for specific headers added by IronPort Anti-Spam is
another method to test the configuration of IronPort Anti-Spam on your appliance. See
“Headers Added by IronPort Anti-Spam” on page 232.
C H A P T E R 9 : A N T I - S P A M 233
IRONPORT ASYNCOS 4.7 USER GUIDE
Example
Use SMTP commands to send a test message with the X-advertisement: spam header to
an address to which you have access. Ensure that the mail policy is configured to receive
messages for the test address (see “Accepting Email for Local Domains or Specific Users on
Public listeners (RAT)” in the IronPort AsyncOS Advanced User Guide) and that the HAT will
accept the test connection.
spam test
.
250 Message MID accepted
221 hostname
quit
Then, check the mailbox of the test account and confirm that the test message was correctly
delivered based upon the actions you configured for the mail policy.
For example:
• Was the subject line altered?
• Was your additional custom header added?
• Was the message delivered to an alternate address?
• Was the message dropped?
234
SYMANTEC BRIGHTMAIL ANTI-SPAM FILTERING
SY M A NT E C B R IG HT M A IL A N TI - SP A M F I L TE RI NG
The IronPort appliance includes a 30-day license for the integrated spam-fighting technology
from Symantec Inc.
C H A P T E R 9 : A N T I - S P A M 235
IRONPORT ASYNCOS 4.7 USER GUIDE
Anti-Spam Filters
The nature of spam — and the business implications of false positives — demands a careful
and flexible approach to filter creation. Accordingly, Symantec does not use a one-size-fits-all
approach to creating filters. Instead, it employs a combination of filtering strategies, based on
the specific type of spam. Some technologies perform sophisticated comparisons with the
latest spam received by the Probe Network, resulting in matches of unparalleled accuracy.
Others are more proactive, attacking future spam based on special characteristics or
origination information. Symantec filter types include:
• Heuristic Filters
• URL Filters
• Signature Filters
• Header Filters
Heuristic Filters
Heuristic Filters scan the headers and the body of a message, applying a variety of tests. These
tests search for tell-tale characteristics that are usually inherent in spam, such as opt-out links,
specific phrases, and forged headers. Each characteristic is assigned a spam probability, and
the message is given a cumulative probability score based on the overall test results. If a
certain probability threshold is reached, Brightmail AntiSpam determines the message to be
spam. Using heuristics, Brightmail AntiSpam software can make the determination that a
message is spam, even if it hasn’t passed through the Probe Network. The BLOC transmits
updated Heuristic Filters as it does other AntiSpam Filters.
URL Filters
Symantec’s URL Filters catch messages based on specific URLs found in spam. URL-based
spam is increasingly pervasive because spammers want to direct readers to a specific Web site
for contact information or purchasing instructions. Although the underlying URLs do not
change frequently, spammers attempt to obfuscate and disguise them. As a result, these URLs
appear to be unique across similar spam messages.
236
ENABLING SYMANTEC BRIGHTMAIL ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
Signature Filters
When messages flow into the BLOC, they are characterized using proprietary algorithms into
a unique signature, which is added to the database of known spam. Using this signature,
Signature Filters group and match seemingly random messages that originated from a single
attack. By distilling a complex and evolving attack to its DNA, more spam can be deflected
with a single filter. Signature Filters include BrightSig2 Filters, Body Hash Filters and
Attachment Filters.
Header Filters
Header Filters are regular expression-based filters that are applied to the header lines of a
message. Header Filters can be used to compare email messages to spam messages seen by
the Probe Network, and to exploit commonalities or trends present in spam messages (similar
to the use of Symantec’s Heuristic Filters).
Evaluation Key
Note
Note — Your IronPort appliance ships with a 30-day evaluation key for the Symantec
Brightmail Anti-Spam software. This key is not enabled until you accept the Symantec
Brightmail license agreement in the system setup wizard or Security Services -> Anti-Spam
pages (in the GUI) or the systemsetup or antispamconfig commands (in the CLI). (A copy
of the license agreement is available on the IronPort website here: https://
support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html.) Once you have accepted the
agreement, Symantec Brightmail Anti-Spam will be enabled, by default, for the default
incoming Mail Policy. An alert is also sent to the administrator address you configured (see
“Step 2: System” on page 38) noting that the Symantec Brightmail Anti-Spam license will
expire in 30 days. Alerts are sent 30, 15, 5, and 0 days prior to expiration. For information on
enabling the feature beyond the 30-day evaluation period, contact your IronPort sales
representative. You can see how much time remains on the evaluation via the System
Administration -> Feature Keys page or by issuing the featurekey command. (For more
information, see “Working with Feature Keys” on page 450.)
Overview
You enable Symantec Brightmail Anti-Spam and modify its global configuration settings using
the Security Services -> Anti-Spam and Security Services -> Server Updates (proxy server
only) pages (GUI) or the antispamconfig and updateconfig commands (CLI). The
following global settings are configured:
• Enable Symantec Brightmail Anti-Spam globally for the appliance.
C H A P T E R 9 : A N T I - S P A M 237
IRONPORT ASYNCOS 4.7 USER GUIDE
• Define the suspected spam threshold for messages suspected to be spam (as opposed to
messages positively identified as spam).
• Configure the maximum size of message to be scanned by Symantec Brightmail Anti-
Spam.
• Choose to enable the two elements of the Symantec Brightmail Reputation System: the
Symantec Brightmail Open Proxy List and the Symantec Brightmail Safe List. Beginning
with the 6.0 release of Symantec Brightmail Anti-Spam engine, you can enable or disable
the use of this system globally for the IronPort appliance.
• Choose to enable the Language Identification feature of Symantec Brightmail Anti-Spam,
wherein the anti-spam engine applies a new series of heuristics that apply only to that
language. By identifying the language of a message, Symantec Brightmail Anti-Spam can
run only the filters that apply to the message’s language (language-specific heuristics),
resulting in better performance.
• Choose to enable Verdict Caching. For more information about verdict caching, see
“Verdict Caching” on page 241.
• Specify a reinsertion key for messages released from an optional quarantine queue
(installed on a separate system).
• Define and (optionally) enable a proxy server for obtaining Symantec Brightmail rules
updates (Security Services -> Service Updates). If you define a proxy server to retrieve
rules updates, you can optionally configure an authenticated username, password, and
specific port when connecting to the proxy server.
Note
Note — The proxy server setup is available via the Security Services -> Server Updates page.
For more information about specifying a proxy server, see “The Service Updates Page” on
page 485. Note that the proxy server is global in that all services that are configured to use a
proxy server will use the same proxy server.
Note
Note — If you chose to enable Symantec Brightmail Anti-Spam in the GUI’s system setup
wizard (or the CLI systemsetup command) and not IronPort Anti-Spam, it will be enabled
for the default incoming mail policy with the default values for the global settings.
Figure 9-13 shows the global settings that you configure on the Security-Services ->
Anti-Spam page.
238
ENABLING SYMANTEC BRIGHTMAIL ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
Note
Note — If you do not accept the license agreement, Symantec Brightmail Anti-Spam is not
enabled on the appliance.
3. Scroll to the bottom of the page and click Accept to accept the agreement.
A page similar to Figure 9-13 is displayed.
4. Check the box next for Enable Symantec Brightmail Anti-Spam scanning.
Checking this box enables the feature globally for the appliance. However, you must still
enable per-recipient settings in Mail Policies. For more information, see “Configuring
Symantec Brightmail Actions Per Recipient” on page 244.
5. Choose a suspected spam threshold value.
Suspected Spam Threshold
When evaluating messages for spam, Symantec Brightmail software applies hundreds of
rules in order to arrive at an overall spam score for the message. To maintain its high
accuracy, the Symantec Brightmail Server by default sets this threshold value quite high.
Messages returning a score between 90 and 100 are considered to be positively identified
as spam. Some administrators, however, want to tailor Symantec Brightmail Anti-Spam to
reflect the spam tolerance levels of their organization. To accommodate these requests,
C H A P T E R 9 : A N T I - S P A M 239
IRONPORT ASYNCOS 4.7 USER GUIDE
Symantec Brightmail provides a configurable spam threshold. This allows you to create an
optional category of “suspected spam” — a gray area of messages that are suspiciously
similar to spam, but also share some traits with legitimate messages.
You can change the threshold setting of this new category to different levels of
aggressiveness, so that any messages with scores below the configured suspected spam
range will be considered legitimate, and any messages above the threshold but below 90
will be considered to be suspected spam and will be treated accordingly. You can also
define a separate action to take on suspected spam; for example, you may wish to drop
“positively identified” spam, but quarantine “suspected” spam.
Enter a value between 25 and 89. The higher the number you enter, the higher the
threshold for Symantec Brightmail Rules used to determine if a message qualifies as
suspected spam. (The threshold for messages to positively be identified as spam is always
90.) Depending on the sensitivity of your enterprise configuration, you may want to
change this value. Enter a lower number to enable a lower threshold and subsequently
mark more messages as “possible spam” (which may result in a higher false positive rate).
Conversely, enter a higher number if you want to ensure that only spam messages are
being filtered (which may result in some spam getting through). The default value is 75.
See “Positively Identified versus Suspected Spam” on page 249 for common
configurations using this two categories.
Entering a value of 100 disables the configurable spam threshold feature. If you enter 100
for this value, the Symantec Brightmail Anti-Spam engine will only evaluate messages as
either positively identified spam or not spam.
The suspected spam threshold is set globally for Brightmail Anti-Spam and it is not
configurable on a per recipient basis.
6. Choose a value for the maximum message size to scan by Symantec Brightmail
Anti-Spam.
The default value is 120,000 bytes (117 Kb). Messages larger than this size will not be
scanned by Brightmail Anti-Spam and the X-BrightmailFiltered: true header will not be
added to the message.
7. Choose whether to enable the two elements of the Symantec Brightmail Reputation
System: the Symantec Brightmail Open Proxy List and the Symantec Brightmail Safe List.
The Brightmail Reputation Service provides comprehensive email source analysis and
reputation filtering; Leveraging extensive research on email traffic, the service increases
filtering effectiveness by determining the reputation of originating IP addresses, as a
source of spam or of legitimate email. The Brightmail Reputation Service is automatically
integrated and filters messages using the same automated delivery model as the other
filters used in Symantec Brightmail AntiSpam available on IronPort appliances.
Beginning with the 6.0 release of the Symantec Brightmail Anti-Spam engine, you can
enable or disable the use of this system globally for the IronPort appliance. The Open
Proxy List is a constantly updated list of open proxy servers maintained by Symantec.
(Open proxies are frequent conduits for spam.) Similarly, the Safe IP List is a constantly
240
ENABLING SYMANTEC BRIGHTMAIL ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
C H A P T E R 9 : A N T I - S P A M 241
IRONPORT ASYNCOS 4.7 USER GUIDE
Reinsertion Key
The reinsertion key is needed only for those configurations that plan to use the off-box
quarantine, whose released message may be “reinjected” by the IronPort appliance.
In this field, a unique text string (a “reinsertion key”) is specified to be used so that
messages that have been released from the optional quarantine are not immediately
quarantined again as they re-enter the email pipeline of the IronPort appliance. For more
information, see “Symantec Brightmail Quarantine Queue” on page 251. The reinsertion
key must be unique and must also match the reinsertion key that is configured within the
Symantec Brightmail Quarantine software.
11. Click Submit.
The Security Services -> Anti-Spam -> Symantec Brightmail page is refreshed to display
the values you chose in the previous steps.
Figure 9-14 Symantec Brightmail Anti-Spam Global Settings
12. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish enabling Symantec Brightmail Anti-Spam and configuring
global settings for the appliance.
242
ENABLING SYMANTEC BRIGHTMAIL ANTI-SPAM AND CONFIGURING GLOBAL SETTINGS
Symantec Brightmail will automatically use a proxy server if one has been defined. There is
no way to turn off the proxy server for Symantec Brightmail without disabling it for all other
service updates. For more information about defining a proxy server, see “Specify an HTTP
Proxy Server (Optional)” on page 487.
Figure 9-15 Downloading Symantec Brightmail Rules from a proxy server to the appliance
Firewall
Probe
Brightmail rules network
BLOC
https://aztec.brightmail.com
HTTPS
Proxy server
HTTP
Note
Note — If you define a proxy server, it will be used for all service updates that are configured
to use a proxy server, automatically.
Note
Note — If the update has not occurred, or a server has not been configured, the string “No
Rule Update Information...” is displayed.
Figure 9-16 Rules Updates Section of Security Services -> Anti-Spam Page: GUI
C H A P T E R 9 : A N T I - S P A M 243
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — These actions are not mutually exclusive; you can combine some or all of them
differently within different incoming or outgoing policies for different processing needs for
groups of users. You can also treat positively identified spam differently from suspected spam
in the same policy. For example, you may want to drop messages positively identified as
spam, but quarantine suspected spam messages.
You enable Symantec Brightmail Anti-Spam actions on a per-recipient basis using the Email
Security Feature: the Mail Policies -> Incoming or Outgoing Mail Policies pages (GUI) or the
policyconfig -> antispam command (CLI). After Symantec Brightmail Anti-Spam has
been enabled globally, you configure these actions separately for each mail policy you create.
You can configure different actions for different mail policies.
Each row in the Email Security Manager represents a different policy. Each column represents
a different security service.
244
CONFIGURING SYMANTEC BRIGHTMAIL ACTIONS PER RECIPIENT
C H A P T E R 9 : A N T I - S P A M 245
IRONPORT ASYNCOS 4.7 USER GUIDE
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish configuring Symantec Brightmail Anti-Spam settings for a Mail
Policy.
Note
Note — The external quarantine destination can be an alternate groupware server, or it can
the Symantec Brightmail Quarantine software. (See below.) You cannot directly send either
positively identified or suspected spam messages directly to a quarantine area on the IronPort
appliance, in the same way that you can with messages that are classified by the Sophos Anti-
Virus scanning engine. See Chapter 15, “Quarantines,” for more information on the IronPort
appliance quarantine feature.
Note
Note — The “Add text to message” field only accepts US-ASCII characters.
Note
Note — White space is not ignored in the “Modify message subject” field. Add spaces after (if
prepending) or before (if appending) the text you enter in this field to separate your added text
from the original subject of the message. For example, add the text [SPAM] with a few trailing
spaces if you are prepending.
Note
Note — If you choose to send positively identified or suspected spam messages to an external
quarantine, you must specify the correct hostname or IP address of the machine running the
Symantec Brightmail Quarantine software in the “Send message to quarantine or alternate
destination host” box. (You cannot leave the value blank.) It is recommended that you also
define a Reinsertion Key (see “Reinsertion Key” on page 261) on the Global Settings page.
246
CONFIGURING SYMANTEC BRIGHTMAIL ACTIONS PER RECIPIENT
Note that the “Send to alternate envelope recipient” field becomes inactive if you choose the
External Quarantine action.
For more information, see “Symantec Brightmail Quarantine Queue” on page 251.
Adding a Custom X-Header
• You can add a custom X-Header to identified messages.
Click Yes and define the header name and text.
Changing the Envelope Recipient Address
• You can have identified messages sent to an alternate envelope recipient address.
Click Yes and define an alternate address.
For example, you could route messages identified as spam to an administrator’s mailbox
for subsequent examination. In the case of a multi-recipient message, only a single copy is
sent to the alternate recipient.
C H A P T E R 9 : A N T I - S P A M 247
IRONPORT ASYNCOS 4.7 USER GUIDE
248
POSITIVELY IDENTIFIED VERSUS SUSPECTED SPAM
Table 9-2 Common Example Configurations of Positively Identified and Suspected Spam
The first configuration method quarantines only suspected spam messages, while dropping
those messages that are positively identified. Administrators and end-users can check the
quarantine for false positives, and an administrator can adjust, if necessary, the suspected
spam threshold. In this method, less mail is delivered to end-users’ inboxes.
In the second configuration method, positively identified spam is quarantined, and suspected
spam is delivered with an altered subject. Users can delete suspected spam and check the
quarantine for false positives. This method is more conservative than the first. In this
configuration more mail is delivered to end-users’ inboxes; however, since quarantined mail
will be deleted only after it has been expunged, there is a smaller chance of deleting false
positives. See Table 7-5 on page 190 for a further discussion of mixing aggressive and
conservative policies on a per-recipient basis using the Email Security Manager feature.
X-BrightmailFiltered: true
In addition, using the Email Security Manager feature, you can define an additional custom
header to be added to all messages for a given policy that are either positively identified as or
suspected to be spam. (See “Adding a Custom X-Header” on page 247.)
You can also create message filters that use the skip-spamcheck action so that certain
messages skip Brightmail Anti-Spam scanning. For more information, see to “Bypass Anti-
Spam System Action” in Chapter 4 of the IronPort AsyncOS Advanced User Guide.
C H A P T E R 9 : A N T I - S P A M 249
IRONPORT ASYNCOS 4.7 USER GUIDE
250
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
Note
Note — The Symantec Brightmail Quarantine is not the same as the quarantine areas on the
IronPort appliance! You cannot directly send either positively identified or suspected spam
messages directly to a quarantine area on the IronPort appliance, in the same way that you
can with messages that are classified by the Sophos Anti-Virus scanning engine. See Chapter
15, “Quarantines,” for more information on the IronPort appliance quarantine feature.
The quarantine action in the Email Security Settings settings removes the email from the email
pipeline (see “Understanding the Email Pipeline” on page 61) and reroutes the message to the
Symantec Brightmail Quarantine. Recipients can access messages from a web browser via
HTTP.
Figure 9-20 details the system architecture of the Symantec Brightmail Quarantine.
C H A P T E R 9 : A N T I - S P A M 251
IRONPORT ASYNCOS 4.7 USER GUIDE
Probe
network
Firewall
BLOC
SMTP HTTPS Quarantined
messages
Port: 41025
Brightmail Quarantine
IronPort Email Security appliance
with Brightmail Anti-Spam enabled
Groupware server /
message generation system End users and administrators view the
quarantine via HTTP.
Users can also send suspected messages
from their message generation system to
the Brightmail Quarantine.
Note
Note — You cannot use the same hostname for both regular and quarantine delivery.
252
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
default, Tomcat is installed with Quarantine and used as the servlet container for Quarantine.
For technical information about Tomcat, see http://jakarta.apache.org/tomcat/.
(Instead of using Tomcat, you can configure Quarantine to use the WebLogic application
server. Refer to the Symantec Brightmail Quarantine documentation supplied by IronPort
Systems, Inc.)
SMTP Listener
The SMTP Listener receives spam messages sent by the Symantec Brightmail Anti-Spam
feature on the IronPort and stores them in the Quarantine database. The listening port is
41025.
Expunger
The Expunger is a Java servlet that scans the Quarantine database and deletes messages that
are older than a certain number of days, by default, 30 days. You can configure the number of
days to wait before messages are deleted. Refer to the Symantec Brightmail Quarantine
documentation supplied by IronPort Systems, Inc.
Notifier
The Notifier is a Java servlet that scans the Quarantine database and sends users a summary of
their spam messages. You can edit the format of the summary message. Refer to the Symantec
Brightmail Quarantine documentation supplied by IronPort Systems, Inc.
Quarantine Database
Quarantine stores spam messages in a relational database. Storing messages in a relational
database instead of a flat file allows faster access to messages, more efficient searching, and
better scalability. Currently the MySQL program is used as the database software. For more
information about MySQL, see http://www.mysql.com.
C H A P T E R 9 : A N T I - S P A M 253
IRONPORT ASYNCOS 4.7 USER GUIDE
Spam Legitimate
Email
Messages assigned
“Quarantine” Action
Brightmail Quarantine:
Send User 1
Delete old SMTP Listener notification
messages messages mail client
Access User 3
messages mail client
Java Business
Components
Display Authenticate
Quarantine
Pages user at login
Use Browser
(Read and delete LDAP Directory
messages)
254
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
Table 9-3 Minimum Hardware Requirements for Installing Symantec Brightmail Quarantine
Storage Requirements
Storage requirements for the Symantec Brightmail Quarantine can be significant, depending
on your mail flow and spam volume. The Symantec Brightmail Quarantine requires 188MB
on Windows systems and 170 MB on Solaris systems in order to be installed.
Because the Symantec Brightmail Quarantine stores copies of filtered messages, the size of
the Symantec Brightmail Quarantine can become quite large. Due to the many variables that
affect the quarantine size (for example, which messages you choose to quarantine, your
overall message volume, your spam percentage, and so on), your specific quarantine
requirements will likely differ from the averages listed.
To more accurately gauge your storage needs for Symantec Brightmail Quarantine, you might
consider phasing in your quarantine deployment after Symantec Brightmail Anti-Spam
scanning has been enabled for some time at your site. The following table suggests one
timeline that you might adopt.
C H A P T E R 9 : A N T I - S P A M 255
IRONPORT ASYNCOS 4.7 USER GUIDE
Month Task
3 Use the Mail Flow Monitor feature reports to determine statistics for your site
4 Deploy Quarantine
Quarantine size = (total email received per day) X (total number of days for retention) X (average spam
message size)
If you do not want to delay your quarantine deployment, you can examine your existing mail
logs and make some estimates about the percentage of spam you receive. For a rough
guideline of storage requirements, use the following table as a baseline. The storage estimates
were obtained based on a survey of Symantec Brightmail enterprise customers with average
spam volume of about 50% of filtered mail.
1 - 1000 2
1001 - 10,000 20
10,001 - 25,000 40
256
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
Table 9-6 LDAP Server and Mail Server Compatibility for Symantec Brightmail Quarantine
C H A P T E R 9 : A N T I - S P A M 257
IRONPORT ASYNCOS 4.7 USER GUIDE
41025 Symantec Brightmail Anti-Spam sends spam email to this port using
the SMTP email protocol.
Mail delivery policies cannot be configured so that mail is delivered to multiple ports on a
single IP address (e.g., port 25 for normal delivery and port 41025 for BrightMail quarantine).
IronPort Systems recommends running each delivery option on a separate IP address or host.
Further, it is not possible to use the same hostname for regular email delivery and quarantine
delivery.
http://domain-name:8080/brightmail
...where domain-name is the domain name of the server where you installed the
Symantec Brightmail Quarantine. For example:
http://quarantine.example.com:8080/brightmail
Although the URL specified above should work, sometimes supplying the exact IP address
for the server in the URL can circumvent network configuration issues. For example, if the
IP address for the host “quarantine.example.com” is 192.168.17.2, users would type:
http://192.168.17.2:8080/brightmail
2. Log in using the desired account:
258
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
To log in as a Quarantine Administrator, type the Quarantine user name and password.
After installation, the following user name and password are set for the Quarantine
administrator, by default:
User name: admin
Password: brightmail
IronPort Systems recommends changing this password in accordance with your security
procedures.
See “Changing an Administrator User Name or Password” in the Symantec Brightmail
Quarantine documentation supplied by IronPort Systems, Inc. Note that this user can
conflict with pre-configured users named “admin” in your LDAP directory server.
To log in as a user that exists in your iPlanet or Sun ONE Directory Server:
a. In the User Name box, type your full email address, such as pam@example.com.
b. In the Password box, type the password you normally use to log on to your system.
To log in as a user that exists in Active Directory:
a. In the User Name box, type your user name, such as pam.
b. In the Password box, type the password you normally use to log on to your system.
c. In the Domain list, click the appropriate Windows domain.
3. Click Log in.
If you cannot log in, check the case of the letters in your user name and password. The
user name and password are case sensitive. This means that “kris”, “Kris”, and “KRIS”
are different.
If the name you use to log on to your UNIX system is different than your email address,
use your logon name for the Quarantine User Name. For example, if you normally log on
to the system using pamela, type pamela@example.com for the Quarantine User Name.
Left idle, your Quarantine session will expire after a certain period, usually 30 minutes,
and log you out. If that happens, log in to access Quarantine again.
C H A P T E R 9 : A N T I - S P A M 259
IRONPORT ASYNCOS 4.7 USER GUIDE
Very rarely, users may see messages in Quarantine that are not spam. Users can click on
the check box to the left of a misidentified message and then click This is Not Spam to
re-deliver the message to the user’s inbox and remove (release) it from Quarantine.
Depending on how you configured Quarantine, a copy of the message may also be sent to
an administrator email address (such as yourself), Brightmail, or both. This allows the
email administrator and/or Symantec Brightmail Inc. to monitor the effectiveness of the
Quarantine software.
You must specify a reinsertion key to look for these specific messages which have been
released from the Quarantine and are routed again to the IronPort appliance. See
“Reinsertion Key” on page 261 for more information on where to specify the key.
Important Note!
When you configure the Symantec Brightmail Quarantine, you specify a default SMTP
server to send these misidentified messages. If the SMTP server you specify is the same as
the IronPort appliance (from which the message originated), all messages released from
the quarantine by the This is Not Spam button will be redirected back to the IronPort
appliance, and all email routing and delivery features will be in effect for the message as if
it were a new message. (See “Understanding the Email Pipeline” on page 61.) This means
that misidentified messages that have been released and rerouted to the IronPort
appliance may be affected by a listener’s HAT and RAT configuration, the Domain Map
feature, Alias Table expansion, LDAP recipient acceptance, masquerading, and/or routing
queries, message filters, smtproutes, delivery limits, etc...
Specifically, smtproutes entries are in effect for the quarantine queue. So if a route is
configured that would match a message destined for the quarantine queue, the message
will be delivered to the host specified by the smtproute entry. For example, suppose the
only smtproutes entry is an ALL entry configured to send all email mail to a groupware
server. Email destined to be quarantined would be sent to the groupware server in this
case. To correct the problem, the IronPort appliance will automatically add an
smtproutes entry when you configure Symantec Brightmail to quarantine to a specific
hostname. For more information, see “Routing Email for Local Domains” in the IronPort
AsyncOS Advanced User Guide.
Routing and delivery features affect reinserted mail in many ways. For example, if a
message was scanned and found to have a virus, it will be scanned again when it is
reinserted. This will cause the subject to have the tag string appended twice. Other
possible concerns are message filters that insert headers — the header will be inserted
twice after the message has been reinserted. Message filters that modify subjects will also
be enforced again upon reinsertion.
You can avoid these reinsertion problems by creating message filters that force messages
to skip antivirus checking or skip other filters if the email is coming from a specific IP
address (use the IP address of the server running the Quarantine software).
• Delete Messages (all or individually)
260
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
Users can choose to delete messages one at a time, or delete all. Deleting a message in
the Administrator’s Quarantine also deletes the message from the associated user’s
Quarantine. For example, if you delete Pam’s spam messages in the administrator’s
Quarantine, Pam will not be able to see those messages when accessing Quarantine.
• Search Messages
Users and administrators can search messages in the Quarantine for a specific recipient,
sender, subject, message ID, or date range.
Differences Between the Administrator and User Search Pages include:
• The Quarantine Administrator user can search for recipients.
In the Search Results page, users can only delete their own spam messages. Quarantine
Administrators can delete all users’ spam messages.
Reinsertion Key
You must specify a reinsertion key to be added as an additional header to a messages that
have been released from the Quarantine and “re-inserted” into the email pipeline of the
IronPort appliance. The reinsertion key used to generate this header is configured in the
antispamconfig command or also on the Security Services -> Anti-Spam -> Global Settings
page. The reinsertion key must also match the reinsertion key that is configured within the
Symantec Brightmail Quarantine software. If the two keys do not match, email that is
reinserted to the IronPort appliance from the Quarantine will not bypass Symantec Brightmail
Anti-Spam scanning, and will be subject to the actions that are configured on the IronPort
appliance (that is, messages will immediately be sent to the Quarantine again).
C H A P T E R 9 : A N T I - S P A M 261
IRONPORT ASYNCOS 4.7 USER GUIDE
The re-insertion key automatically causes messages that have been released and are
reentering the IronPort appliance’s email pipeline again to skip Symantec Brightmail
Anti-Spam scanning.
Note
Note — You must enter a reinsertion key in order to avoid released messages from being
immediately re-quarantined after they have been released, and the reinsertion key must also
match the reinsertion key that is configured within the Symantec Brightmail Quarantine
software.
WARNING: If the system time on the IronPort appliance and the servers running Symantec
Brightmail Quarantine differs by more than 10 minutes, email that is reinserted may not
bypass Symantec Brightmail Anti-Spam scanning. (As a security measure, the Symantec
Brightmail Anti-Spam scanning engine will consider any reinsertion header that is more than
10 minutes old to be scanned as positive.) You should ensure that the IronPort appliances and
the servers running Symantec Brightmail Quarantine are set to the same system time. One
possible solution is to configure both the IronPort appliances and the servers running
Symantec Brightmail Quarantine to use the same NTP (network time protocol) server to
synchronize time.
262
SYMANTEC BRIGHTMAIL QUARANTINE QUEUE
update the reinsertion header. However, if you rely on the reinsertion key to make sure that
messages released from the quarantine are not marked as spam, follow this procedure to
configure the reinsertion process to work seamlessly with the upgraded Symantec Brightmail
6.0 engine included with AsyncOS:
1. On the Brightmail Quarantine host where MySQL is installed, connect to the MySQL
server using the appropriate command for your operating system.
On UNIX systems, log in as root or use the sudo command when running the mysql
command. Type the following on UNIX systems:
# /opt/brightmail/MySQL/mysql-pro-version-platform/bin/mysql
On Windows systems, open a command prompt by clicking Start, clicking Run, typing
cmd, and clicking OK. Type the following at the command prompt:
Database changed
3. Type the following commands at the mysql> prompt. (Note that you must terminate each
command with a semicolon.)
4. Use the “select” command to show the old value of the
QUARANTINE_REINSERTION_HEADER.
C H A P T E R 9 : A N T I - S P A M 263
IRONPORT ASYNCOS 4.7 USER GUIDE
mysql> quit
Bye
X-Advertisement: spam
For testing purposes, Symantec Brightmail Anti-Spam considers any message with an X-
header formatted as X-Advertisement: spam to be spam. The test message you send
with this header is flagged by Symantec Brightmail Anti-Spam, and you can confirm that
the Symantec Brightmail actions you configured for the mail policy (“Configuring
Symantec Brightmail Actions Per Recipient” on page 244) are performed. You can use the
trace command and include this header, or use a Telnet program to send SMTP
commands to the appliance. See Chapter 9, “Testing and Troubleshooting,” in the IronPort
264
TESTING SYMANTEC BRIGHTMAIL ANTI-SPAM
AsyncOS Advanced User Guide and Appendix A, “Accessing the Appliance,” for more
information.
Note
Note — Examining a message’s headers for specific headers added by Symantec Brightmail
Anti-Spam is another method to test the configuration of Symantec Brightmail Anti-Spam on
your appliance. See “Headers Added by Symantec Brightmail Anti-Spam” on page 249.
Note
Note — If you plan to test Symantec Brightmail Anti-Spam with a “saved” body of spam
messages you have collected, please note that the Symantec Brightmail rules do expire, and
the scanning will appear less effective. IronPort recommends testing the accuracy of
Symantec Brightmail Anti-Spam with a live email stream directly from the Internet.
Using the X-Advertisement: spam header is the best method to test if your system
configuration is correctly handling a message that would be considered spam if it were “live.”
Use the trace command (see “Debugging Mail Flow Using Test Messages: Trace” on
page 431) or see the following example.
Example
Use SMTP commands to send a test message with the X-advertisement: spam header to
an address to which you have access. Ensure that the mail policy is configured to receive
messages for the test address (see “Accepting Email for Local Domains or Specific Users on
Public listeners (RAT)” in the IronPort AsyncOS Advanced User Guide) and that the HAT will
accept the test connection.
spam test
.
250 Message MID accepted
221 hostname
quit
Then, check the mailbox of the test account and confirm that the test message was correctly
delivered based upon the Symantec Brightmail Actions you configured for the mail policy.
C H A P T E R 9 : A N T I - S P A M 265
IRONPORT ASYNCOS 4.7 USER GUIDE
For example:
• Was the subject line altered?
• Was your additional custom header added?
• Was the message delivered to an alternate address?
• Was the message dropped or delivered to the Quarantine?
266
INCOMING RELAYS
IN C OM IN G R E L AY S
The Incoming Relays feature helps your IronPort appliance obtain the IP address of an
external machine that is sending mail to the IronPort appliance via one or more mail
exchange/transfer agents (MX or MTA), filtering servers, etc. at the edge of the network. In this
type of configuration, the IP address of the external machine is not automatically known by
the IronPort appliance. Instead, mail appears to originate from the local MX/MTA (the
incoming relay) rather than from the external machine. IronPort Anti-Spam depends on
accurate IP addresses for external senders so it is vital for the IronPort appliance to have this
information.
Note
Note — You should only enable this feature if you have a local MX/MTA relaying mail to your
IronPort appliance.
Figure 9-22 shows a very basic example of an incoming relay. Mail from IP address 7.8.9.1
appears to come from IP address 10.2.3.4 because the local MX/MTA is relaying mail to the
IronPort appliance.
Figure 9-22 Mail Relayed by MX/MTA — Simple
Firewall
IP: 7.8.9.1
Sending
Machine
IP: 10.2.3.4
MX / MTA
IP: 10.2.3.5
Figure 9-23 shows two other, slightly more complicated examples of how mail may be
relayed inside the network and how mail may be processed by several servers within the
network before it is passed to the IronPort appliance. In example A, mail from 7.8.9.1 passes
through the firewall and is processed by an MX and an MTA before being delivered to the
IronPort appliance. In example B, mail from 7.8.9.1 is sent to a load balancer or other type of
traffic shaping appliance and is sent to any one of a range of MXs prior to being delivered to
the IronPort appliance.
C H A P T E R 9 : A N T I - S P A M 267
IRONPORT ASYNCOS 4.7 USER GUIDE
IP: 7.8.9.1
Firewall
Sending
Machine
A B
Mail Filter
IronPort Email Security appliance
268
MESSAGE HEADERS AND INCOMING RELAYS
7.8.9.1) sent 5 emails through the internal MX/MTA (IP 10.2.3.4), Mail Flow Summary will
show 5 messages coming from IP 7.8.9.1 and 5 more coming from the internal relay MX/MTA
(IP 10.2.3.5).
Also note that data reported in the Mail Flow Central application may have similar issues.
Please consult the Mail Flow Central User Guide for more information.
IP Addresses
As a general rule, when specifying an IP address (of the machine connecting to the IronPort
appliance — the incoming relay), be as specific as possible. That said, IP addresses can also
be entered using standard CIDR format or an IP address range. For example, if you have
several MTAs at the edge of your network receiving email, you might want to enter a range of
IP addresses to include all of your MTAs, such as 10.2.3.1/8 or 10.2.3.1-10.
C H A P T E R 9 : A N T I - S P A M 269
IRONPORT ASYNCOS 4.7 USER GUIDE
IP: 7.8.9.1
Firewall
Sending
Machine
C
IP: 10.2.3.4 D
MX
Hop 2
IP: 10.2.3.5
MTA
Hop 1
IP: 10.2.3.6
Received Header
If configuring the MX/MTAs to include a custom header containing the sending IP address is
not an option, you can configure the incoming relays feature to attempt to determine the
sending IP address by examining the “Received:” headers in the message. Using the
“Received:” header will only work if the number of network “hops” will always be constant
for an IP address. In other words, the machine at the first hop (10.2.3.5 in Figure 9-23) should
always be the same number of hops away from the edge of your network. If incoming mail
can take different paths (resulting in a different number of hops, as described in Figure 9-24)
to the machine connecting to your IronPort appliance, you must use a custom header (see
“Custom Header” on page 269).
Specify a parsing character or string and the number of network hops (or Received: headers)
back to look. A hop is basically the message travelling from one machine to another (being
received by the IronPort appliance does not count as a hop. See “Determining Which
Headers are Used” on page 273 for more information). AsyncOS looks for the first IP address
following the first occurrence of the parsing character or string in the Received: header
corresponding to the number of specified hops. For example, if you specify two hops, the
second Received: header, working backward from the IronPort appliance is parsed. If the
270
MESSAGE HEADERS AND INCOMING RELAYS
parsing character is not found, or if there is not a valid IP address found, the IronPort
appliance uses the real IP address of the connecting machine.
If you specify an opening square bracket ([) and two hops for the following example mail
headers, the IP address of the external machine is 7.8.9.1. However, if you specify an opening
parenthesis (() as the parsing character, a valid IP address will not be found. In this case, the
Incoming Relays feature is treated as disabled, and the IP of the connecting machine is used
(6.16.60.1).
In the example in Figure 9-23 the incoming relays are:
• Path A — 10.2.3.5 (with 2 hops when using received headers) and
• Path B — 10.2.6.1 (with 2 hops when using received headers)
Table 9-8 shows example email headers for a message as it moves through several hops on its
way to the IronPort appliance as in Figure 9-23. This example shows extraneous headers
(ignored by your IronPort appliance) which are present once the message has arrived in the
recipient’s inbox. The number of hops to specify would be two. Table 9-9 shows the headers
for the same email message, without the extraneous headers
C H A P T E R 9 : A N T I - S P A M 271
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 9-25 shows the incoming relay for path A (above) as configured in the Add Relay page
in the GUI:
272
CONFIGURING THE INCOMING RELAYS FEATURE (GUI)
mail3.example.com> logconfig
Please enter the list of headers you wish to record in the log files.
Separate multiple headers with commas.
[]> Received
C H A P T E R 9 : A N T I - S P A M 273
IRONPORT ASYNCOS 4.7 USER GUIDE
1. Click the Incoming Relays link on the Network Tab. The Incoming Relays page is
displayed:
Figure 9-26 Incoming Relays Page
2. Click Enable to enable Incoming Relays. (If the Incoming Relays feature is enabled, you
can disable it by clicking Disable.)
3. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish enabling the Incoming Relays feature globally for the
appliance.
Adding a Relay
To add a relay:
1. Click the Add Relay... button on the Incoming Relays page. The Add Relay page is
displayed:
Figure 9-27 Add Relay Page
274
INCOMING RELAYS AND LOGGING
3. Enter an IP Address for the relay. For more information about valid IP address entries, see
“IP Addresses” on page 269.
4. Select a header type (Custom or Received). For more information about custom headers,
see “Custom Header” on page 269. When entering a header, you do not need to enter the
trailing colon.
• For custom headers, enter the header name.
• For Received: headers, enter the character or string after which the IP address will
appear. Enter the number for the “hop” to check for the IP address. For more
information, see “Received Header” on page 270.
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish adding the relay.
Editing a Relay
To edit a relay:
1. Click on the relay’s name in the Incoming Relay page. The Edit Relay page is displayed.
2. Make changes to the relay.
3. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish editing the relay.
Deleting a Relay
To delete a relay:
1. Click on the trash can icon in the corresponding row for the relay you want to delete. You
are prompted to confirm the deletion.
2. Click Delete.
3. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish deleting the relay.
1 Fri Apr 28 17:07:29 2006 Info: ICID 210158 ACCEPT SG UNKNOWNLIST match
nx.domain SBRS rfc1918
2 Fri Apr 28 17:07:29 2006 Info: Start MID 201434 ICID 210158
3 Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 From: <joe@sender.com>
4 Fri Apr 28 17:07:29 2006 Info: MID 201434 ICID 210158 RID 0 To: <mary@example.com>
C H A P T E R 9 : A N T I - S P A M 275
IRONPORT ASYNCOS 4.7 USER GUIDE
7 Fri Apr 28 17:07:29 2006 Info: MID 201434 Subject 'That report...'
8 Fri Apr 28 17:07:29 2006 Info: MID 201434 ready 2367 bytes from <joe@sender.com>
9 Fri Apr 28 17:07:29 2006 Info: MID 201434 matched all recipients for per-recipient policy
DEFAULT in the inbound table
11 Fri Apr 28 17:07:35 2006 Info: MID 201434 using engine: CASE spam negative
13 Fri Apr 28 17:07:35 2006 Info: MID 201434 queued for delivery
276
10
CHAPTER
Anti-Virus
The IronPort appliance includes an integrated virus scanning engine from Sophos, Plc. You
can configure the appliance to scan messages for viruses (based on the matching incoming or
outgoing mail policy), and, if a virus is found, to perform different actions on the message
(including “repairing” the message of viruses, modifying the subject header, adding an
additional X-header, sending the message to an alternate address or mailhost, archiving the
message, or deleting the message).
If enabled, virus scanning is performed in the “work queue” on the appliance, immediately
after Anti-Spam scanning. (See “Understanding the Email Pipeline” on page 61.)
By default, virus scanning is enabled for the default incoming and outgoing mail policies.
This chapter contains the following section:
• “Sophos Anti-Virus Filtering” on page 278
• “Enabling Sophos Virus Scanning and Configuring Global Settings” on page 282
• “Configuring Sophos Virus Scanning Actions for Users” on page 287
• “Testing Sophos Virus Scanning” on page 298
C H A P T E R 1 0 : A N T I - V I R U S 277
IRONPORT ASYNCOS 4.7 USER GUIDE
S O P H O S A NT I - V I R U S F I L T E RI N G
The IronPort appliance includes integrated virus-scanning technology from Sophos, Plc.
Sophos Anti-Virus provides cross-platform anti-virus protection, detection and disinfection.
Sophos Anti-Virus provides a virus detection engine that scans files for viruses, Trojan horses,
and worms. These programs come under the generic term of malware, meaning “malicious
software.” The similarities between all types of malware allow anti-virus scanners to detect
and remove not only viruses, but also all types of malicious software.
Virus Scanning
In broad terms, the engine’s scanning capability is managed by a powerful combination of
two important components: a classifier that knows where to look, and the virus database that
knows what to look for. The engine classifies the file by type rather than by relying on the
extension.
The virus engine looks for viruses in the bodies and attachments of messages received by the
system; an attachment’s file type helps determine its scanning. For example, if a message’s
attached file is an executable, the engine examines the header which tells it where the
executable code starts and it looks there. If the file is a Word document, the engine looks in
the macro streams. If it is a MIME file, the format used for mail messaging, it looks in the place
where the attachment is stored.
Detection Methods
How viruses are detected depends on their type. During the scanning process, the engine
analyzes each file, identifies the type, and then applies the relevant technique(s). Underlying
all methods is the basic concept of looking for certain types of instructions or certain ordering
of instructions.
278
VIRUS DESCRIPTIONS
Pattern matching
In the technique of pattern matching, the engine knows the particular sequence of code and is
looking for an exact match that will identify the code as a virus. More often, the engine is
looking for sequences of code that are similar, but not necessarily identical, to the known
sequences of virus code. In creating the descriptions against which files are compared during
scanning, Sophos virus researchers endeavor to keep the identifying code as general as
possible so that – using heuristics, as explained below – the engine will find not just the
original virus but also its later derivatives.
Heuristics
The virus engine can combine basic pattern matching techniques with heuristics – a
technique using general rather than specific rules – to detect several viruses in the same
family, even though Sophos researchers might have analyzed only one virus in that family.
The technique enables a single description to be created that will catch several variants of one
virus. Sophos tempers its heuristics with other methods, minimizing the incidence of false
positives.
Emulation
Emulation is a technique applied by the virus engine to polymorphic viruses. Polymorphic
viruses are encrypted viruses that modify themselves in an effort to hide themselves. There is
no visible constant virus code and the virus encrypts itself differently each time it spreads.
When it runs, it decrypts itself. The emulator in the virus detection engine is used on DOS and
Windows executables, while polymorphic macro viruses are found by detection code written
in Sophos’s Virus Description Language.
The output of this decryption is the real virus code and it is this output that is detected by the
Sophos virus detection engine after running in the emulator.
Executables that are sent to the engine for scanning are run inside the emulator, which tracks
the decryption of the virus body as it is written to memory. Normally the virus entry point sits
at the front end of a file and is the first thing to run. In most cases, only a small amount of the
virus body has to be decrypted in order for the virus to be recognized. Most clean executables
stop emulating after only a few instructions, which reduces overhead.
Because the emulator runs in a restricted area, if the code does turn out to be a virus, the virus
does not infect the appliance.
Virus Descriptions
Sophos exchanges viruses with other trusted anti-virus companies every month. In addition,
every month customers send thousands of suspect files directly to Sophos, about 30% of
which turn out to be viruses. Each sample undergoes rigorous analysis in the highly secure
virus labs to determine whether or not it is a virus. For each newly discovered virus, or group
of viruses, Sophos creates a description.
C H A P T E R 1 0 : A N T I - V I R U S 279
IRONPORT ASYNCOS 4.7 USER GUIDE
280
EVALUATION KEY
Evaluation Key
Your IronPort appliance ships with a 30-day evaluation key for the Sophos anti-virus scanning
engine. You enable the evaluation key by accessing the license agreement in the system setup
wizard or Security Services -> Anti-Virus pages (in the GUI) or running the
antivirusconfig or systemsetup commands (in the CLI). Once you have accepted the
agreement, the Sophos Anti-Virus scanning engine will be enabled, by default, for the default
incoming and outgoing mail policies. For information on enabling the feature beyond the 30-
day evaluation period, contact your IronPort sales representative. You can see how much time
remains on the evaluation via the System Administration -> Feature Keys page or by issuing
the featurekey command. (For more information, see “Working with Feature Keys” on
page 450.)
Sophos Alerts
IronPort encourages customers who enable Sophos Anti-Virus scanning to subscribe to
Sophos alerts on the Sophos site at http://www.sophos.com/virusinfo/notifications/.
Subscribing to receive alerts directly from Sophos will ensure you are apprised of the latest
virus outbreaks and their available solutions.
C H A P T E R 1 0 : A N T I - V I R U S 281
IRONPORT ASYNCOS 4.7 USER GUIDE
E N A B L IN G S OP H OS V I R U S S CA N N IN G A N D C ON F IG U RI NG GL O BA L
SE TT ING S
Note
Note — The very first time you attempt to edit the Sophos Anti-Virus global settings — either
via the system setup wizard or Security Services -> Anti-Virus pages in the GUI, or via the
systemsetup or antivirusconfig commands in the CLI — you are presented with a
license agreement for Sophos Anti-Virus. If you do not accept the license agreement, Sophos
Anti-Virus is not enabled on the appliance.
Overview
You enable the Sophos virus scanning engine and modify its global configuration settings
using Security Services -> Anti-Virus pages (GUI) or the antivirusconfig command (CLI).
The following global settings are configured:
• Globally enable Sophos anti-virus scanning for the entire system.
• Specify the Anti-Virus scanning timeout value.
Figure 10-1 shows the global settings that you configure on the Security-Services -> Anti-Virus
page.
Figure 10-1 Sophos Anti-Virus Global Settings: Editing
In addition to the two values on the global settings page, you can further configure the
anti-virus settings via the Update Settings page (available from the System Administration
page). Additional settings include:
• How (from which URL) the system will receive Sophos updates.
• How frequently the system checks for new virus definitions. (You define the number of
minutes between checks.)
• You can optionally enable a proxy server for obtaining Sophos updates.
For more information about configuring these additional settings, see “Service Updates” on
page 485.
282
ENABLING SOPHOS ANTI-VIRUS SCANNING
To enable Sophos Anti-Virus scanning if you have not previously enabled Sophos Anti-Virus
in the system setup wizard (see “Step 4: Security” on page 44 for the GUI or the “Enable
Sophos Anti-Virus” on page 58 for the CLI), follow these steps:
1. Select Security Services -> Anti-Virus.
2. Click Enable... The license agreement page is displayed.
Note
Note — If you do not accept the license agreement, Sophos Anti-Virus is not enabled on the
appliance.
Clicking Enable... enables the feature globally for the appliance. However, you must still
enable per-recipient settings in Mail Policies.
3. After reading the agreement, scroll to the bottom of the page and click Accept to accept
the agreement. A page similar to Figure 10-2 is displayed.
Figure 10-2 Sophos Anti-Virus Settings
4. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish enabling Sophos Anti-Virus and configuring global settings for
the appliance.
5. You can now configure anti-virus settings on a per-recipient basis. See “Configuring
Sophos Virus Scanning Actions for Users” on page 287.
C H A P T E R 1 0 : A N T I - V I R U S 283
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Check the box next to Enable Sophos Anti-Virus scanning to enable anti-virus scanning if
it is not already enabled. Checking Enable... enables the feature globally for the
appliance. However, you must still enable per-recipient settings in Mail Policies.
Note
Note — Please see “Email Pipeline and Security Services” on page 68 for information about
how and when anti-virus scanning is applied.
284
MONITORING AND MANUALLY CHECKING FOR UPDATES
Firewall
Internet mail
Anti-Virus Updates
SMTP HTTP
In the CLI, use the antivirusupdate command to manually check for updates:
mail3.example.com> antivirusstatus
C H A P T E R 1 0 : A N T I - V I R U S 285
IRONPORT ASYNCOS 4.7 USER GUIDE
mail3.example.com>
mail3.example.com> antivirusupdate
The antivirus log can be used to verify that all individual identity files based on
filename.ide have been successfully downloaded, extracted, or updated. Use the tail
command to show the final entries in any “AntiVirus” log subscription to ensure that virus
updates were obtained.
286
CONFIGURING SOPHOS VIRUS SCANNING ACTIONS FOR USERS
CO N FI GU R IN G S OP H O S V IR U S S CA NN IN G A CT IO N S F OR U S E R S
Once enabled globally, the Sophos virus scanning engine integrated into the IronPort
appliance processes messages for viruses for incoming and outgoing mail based on policies
(configuration options) you configure using the Email Security Manager feature. You enable
Sophos Anti-Virus actions on a per-recipient basis using the Email Security Feature: the Mail
Policies -> Incoming or Outgoing Mail Policies pages (GUI) or the policyconfig ->
antivirus command (CLI). The Sophos virus scanning engine scans messages for
classification according to the process described in “Detection Methods” on page 278.
Users will always be notified if their messages were modified in any way because they
were infected with a bad attachment. You can configure a secondary notification action,
as well (see “Sending Notifications” on page 290). The notify action is not needed to
inform users that a message was modified if you choose to drop infected attachments.
• X-IronPort-AV Header
All messages that are processed by the Sophos Anti-Virus scanning engine on the
appliance have the header X-IronPort-AV: added to messages. This header provides
additional information to you when debugging issues with your anti-virus configuration,
particularly with messages that are considered “unscannable.” You can toggle whether the
X-IronPort-AV header is included in messages that are scanned. Including this header is
recommended.
C H A P T E R 1 0 : A N T I - V I R U S 287
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — If you are upgrading from a previous version of AsyncOS (prior to AsyncOS 3.8) and
had configured Sophos Anti-Virus scanning, you will have to configure the Encrypted
Message Handling section after upgrading.
Note
Note — If you are upgrading from a previous version of AsyncOS and had configured Sophos
Anti-Virus scanning, you will have to configure the Unscannable Message Handling section
in order to use it.
288
CONFIGURING SETTINGS FOR MESSAGE HANDLING ACTIONS
Note
Note — These actions are not mutually exclusive; you can combine some or all of them
differently within different incoming or outgoing policies for different processing needs for
groups of users. See the following sections and “Notes on Anti-Virus Configurations” on
page 295 for more information on defining various scanning policies using these options.
Note
Note — Repaired messages have only two advanced options: Add custom header and Send
custom alert notification. All other message types have access to all of the advanced options.
C H A P T E R 1 0 : A N T I - V I R U S 289
IRONPORT ASYNCOS 4.7 USER GUIDE
For example, a content filter can cause a message to be dropped or bounced, in which case
the message will not be quarantined.
Note
Note — White space is not ignored in the “Modify message subject” field. Add spaces after (if
prepending) or before (if appending) the text you enter in this field to separate your added text
from the original subject of the message. For example, add the text [WARNING: VIRUS
REMOVED] with a few trailing spaces if you are prepending.
Table 10-1 Default Subject Line Text for Anti-Virus Subject Line Modification
Infected n/a
Any message with multiple states causes a multi-part notification message informing users
what actions the appliance performed on the message (for example, the user is notified that
the message was repaired of a virus, but another part of the message was encrypted).
Note
Note — In the GUI, you may need to click the “Advanced” link to reveal the “Archive original
message” setting.
Sending Notifications
When the system has identified a message as containing viruses, you can send the default
notification to the sender, the recipient, and/or additional users. When specifying additional
290
CONFIGURING SETTINGS FOR MESSAGE HANDLING ACTIONS
users to notify, separate multiple addresses with commas (in both the CLI and the GUI). The
default notification messages are:
Verdict Notification
Repaired The following virus(es) was detected in a mail message: <virus name(s)>
Actions taken: Infected attachment dropped (or Infected attachment repaired).
Encrypted The following message could not be fully scanned by the anti-virus engine due to
encryption.
Unscannable The following message could not be fully scanned by the anti-virus engine.
Infectious The following unrepairable virus(es) was detected in a mail message: <virus
name(s)>.
C H A P T E R 1 0 : A N T I - V I R U S 291
IRONPORT ASYNCOS 4.7 USER GUIDE
Firewall
Internet mail
SMTP
292
EDITING THE ANTI-VIRUS SETTINGS FOR A MAIL POLICY
Note — By default, Sophos Anti-Virus scanning is enabled in the $TRUSTED mail flow policy
Note
for public listeners, which is referenced by the WHITELIST sender group. See “Mail Flow
Policies: Access Rules and Parameters” on page 81.
C H A P T E R 1 0 : A N T I - V I R U S 293
IRONPORT ASYNCOS 4.7 USER GUIDE
294
NOTES ON ANTI-VIRUS CONFIGURATIONS
C H A P T E R 1 0 : A N T I - V I R U S 295
IRONPORT ASYNCOS 4.7 USER GUIDE
In a “Scan for Viruses only” environment, these actions “clean” messages by dropping the bad
message parts. Only if the RFC822 headers themselves are attacked or encounter some other
problem would this result in the unscannable actions taking place. However, when Anti-Virus
scanning is configured for “Scan for Viruses only” and “Drop infected attachments if a virus is
found and it could not be repaired,” is not chosen, the unscannable actions are very likely to
take place.
Table 10-3 lists some common Anti-Virus configuration options.
296
FLOW DIAGRAM FOR ANTI-VIRUS ACTIONS
C H A P T E R 1 0 : A N T I - V I R U S 297
IRONPORT ASYNCOS 4.7 USER GUIDE
TE ST I NG S O P HO S V IR U S S C A NN I NG
To test the Sophos virus scanning configuration of your appliance:
1. Enable Sophos virus scanning for a mail policy.
Use the Security Services -> Anti-virus page or the antivirusconfig command to set
global settings, and then use the Email Security Manager pages (GUI) or the antivirus
subcommand of policyconfig to configure the settings for a specific mail policy.
2. Open a standard text editor, then type the following character string as one line, with no
spaces or line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-
FILE!$H+H*
Note
Note — The line shown above should appear as one line in your text editor window, so be
sure to maximize your text editor window and delete any line breaks. Also, be sure to type the
letter O, not the number 0, in the “X5O...” that begins the test message.
If you are reading this manual on your computer, you can copy the line directly from the
PDF file or HTML file and paste it into your text editor. If you copy the line, be sure to
delete any extra carriage returns or spaces.
3. Save the file with the name EICAR.COM.
The file size will be 68 or 70 bytes.
Note
Note — This file is not a virus — it cannot spread or infect other files, or otherwise harm your
computer. However, you should delete the file when you have finished testing your scanner to
avoid alarming other users.
4. Attach the file EICAR.COM to an email message, and send it to the listener that will match
the mail policy you configured in step 1.
Ensure the that the recipient you specify in the test message will be accepted on the
listener. (For more information, see “Accepting Email for Local Domains or Specific Users
on Public listeners (RAT)” in the IronPort AsyncOS Advanced User Guide.)
Note that it may be difficult to email the file if you have virus scanning software is
installed for outgoing mail on a gateway other than the IronPort (for example, a Microsoft
Exchange server).
Note
Note — The test file always scans as unrepairable.
5. Evaluate if the actions you configured for virus scanning on the listener were enabled and
working as expected.
This is most easily accomplished by either:
298
TESTING SOPHOS VIRUS SCANNING
• Configuring the Sophos virus scanning settings to Scan and Repair mode or Scan
only mode without dropping attachments.
Confirm that the actions taken match your configuration for Virus Infected Message
Handling (the settings in “Virus Infected Message Handling” on page 289).
• Configuring the Sophos virus scanning settings to Scan and Repair mode or Scan
only mode with dropping attachments.
Confirm that the actions taken match your configuration for Repaired Message
Handling (the settings in “Repaired Message Handling” on page 288).
For more information obtaining virus files for testing anti-virus scanning, see:
http://www.eicar.org/anti_virus_test_file.htm
This page provides 4 files for downloading. Note that it may be difficult to download and
extract these files if you have a client-side virus scanning software installed.
C H A P T E R 1 0 : A N T I - V I R U S 299
IRONPORT ASYNCOS 4.7 USER GUIDE
300
11
CHAPTER
IronPort’s Virus Outbreak Filters feature provides you with a “head start” when battling virus
outbreaks. Historically, as new viruses or variants hit the Internet, the most critical time period
is the window of time between when the virus is released and when the anti-virus vendors
release an updated virus definition. Having advanced notice — even a few hours — is vital to
curbing the spread of malicious code. During that vulnerability window, a modern virus can
propagate globally, bringing email infrastructure to a halt.
IronPort’s Virus Outbreak Filters act proactively to provide a critical first layer of defense
against new outbreaks. By detecting new outbreaks in real-time and dynamically responding
to prevent suspicious traffic from entering the network, IronPort’s Virus Outbreak Filters offer
protection until new anti-virus signature updates are deployed. Integrated into IronPort’s email
security appliances, the Virus Outbreak Filters have two principal components: the outbreak
detection technology and the intelligent quarantine system implemented in the IronPort
appliances.
IronPort’s industry leading Virus Outbreak Filters technology provides “fire and forget”
functionality, requiring no administrator interaction once enabled. The technology uses two
different rule sets to provide the highest efficacy and the most focused set of criteria for virus
detection to ensure that filters can be laser focussed on a particular threat. The Virus Outbreak
Filters rules and actions are visible to the administrator, not hidden away behind the scenes,
providing instant access to the messages that were quarantined, and the reason why they were
quarantined.
Your IronPort appliance ships with a 30-day evaluation license for the Virus Outbreak Filters
feature.
This chapter contains the following sections:
• “Virus Outbreak Filters Overview” on page 302
• “Managing Virus Outbreak Filters (GUI)” on page 309
• “Monitoring Virus Outbreak Filters” on page 318
• “Troubleshooting The Virus Outbreak Filters Feature” on page 319
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 301
IRONPORT ASYNCOS 4.7 USER GUIDE
V IR U S O UT BR E A K F I L T E R S O VE R VI EW
The Virus Outbreak Filters engine compares incoming messages with published Virus
Outbreak Filter rules. Messages that match rules are assigned a threat level and that threat
level is compared to the threat level threshold you set. Messages that meet or exceed that
threshold are quarantined.
The process of outbreak detection and filtering begins with SenderBase: SenderBase tracks
more than 20 million IP addresses and has a view into approximately 25% of the world’s
email traffic. IronPort uses historical SenderBase data to create a statistical view of normal
global traffic patterns. The Virus Outbreak Filters engine depends on the set of rules that are
used to determine threat levels of incoming messages.
Outbreak Rules
Outbreak rules are generated by the IronPort Threat Operations Center (TOC), and focus on
the message as a whole, rather than just attachment filetypes. Outbreak rules use SenderBase
data (real time and historical traffic data) and any combination of message parameters such as
attachment file type, file name keywords, or anti-virus engine update to recognize and
prevent virus outbreaks in real time. Outbreak Rules are given a unique ID used to refer to the
rule in various places in the GUI (such as the Outbreak quarantine).
Real-time data from the global SenderBase network is then compared to this baseline,
identifying anomalies that are proven predictors of an outbreak. The IronPort Threat
Operations Center (TOC) reviews the data and issues a threat indicator or Virus Threat Level
(VTL). The VTL is a numeric value between 0 (no threat) and 5 (extremely risky), and measures
302
TYPES OF RULES: ADAPTIVE AND OUTBREAK.
the likelihood that a message contains a virus for which no other gateway defense is widely
deployed by IronPort customers (for more information, see “Virus Threat Levels (VTL)” on
page 305). VTL are published as outbreak rules by the TOC.
Some example characteristics that can be combined in Outbreak Rules include:
• File Type, File Type & Size, File Type & File Name Keyword, etc.
• File Name Keyword & File Size
• File Name Keyword
• Message URL
• File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to
attributes of known viral and outbreak messages. These rules have been created after studying
known viral messages and known good messages within an extensive IronPort virus corpus.
Adaptive Rules are updated often as the corpus is evaluated. They complement existing
Outbreak Rules to detect outbreak messages at all times. While Outbreak Rules take effect
when a possible outbreak is occurring, Adaptive Rules (once enabled) are “always on,”
catching outbreak messages locally before the full anomaly has formed on a global basis.
Additionally, Adaptive Rules continuously respond to small and subtle changes in email traffic
and structure, providing updated protection to customers.
Figure 11-1 Detection: Multiple Methods, More Parameters
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 303
IRONPORT ASYNCOS 4.7 USER GUIDE
Outbreaks
A Virus Outbreak Filter rule is basically a VTL (e.g. 4) associated with a set of characteristics
for an email message and attachment — things such as file size, file type, file name, message
content, and so on. For example, assume the IronPort TOC notices an increase in the
occurrences of a suspicious email message carrying a .exe attachment that is 143 kilobytes in
size, and whose file name includes a specific keyword (“hello” for example). An Outbreak
Rule is published increasing the VTL for messages matching this criteria. Your IronPort
appliance checks for and downloads newly published Outbreak and Adaptive Rules every 5
minutes by default (see “Updating Virus Outbreak Filter Rules” on page 312). Adaptive Rules
are updated less frequently. On the IronPort appliance, you set a threshold for quarantining
(e.g. 3). If the VTL for a message equals or exceeds your threshold, the message is sent to the
Outbreak quarantine area.
Note
Note — It is possible to use the Virus Outbreak Filters feature without having enabled
anti-virus scanning on the IronPort appliance. The two security services are designed to
complement each other, but will also work separately. That said, if you do not enable
anti-virus scanning on your IronPort appliance, you will need to need to monitor your
anti-virus vendor’s updates and manually release or re-evaluate some messages in the
Outbreak quarantine. When using Virus Outbreak Filters without anti-virus scanning enabled,
keep the following in mind:
304
VIRUS THREAT LEVELS (VTL)
VT Risk Meaning
L
4 High There is a confirmed virus threat that is either large scale or very dangerous.
5 Extreme There is a confirmed virus threat that is either extremely large scale, or large
scale and extremely dangerous.
Information about each Outbreak Rule and the associated VTL can be found here:
http://support.ironport.com/outbreaks/
The site lists current Outbreak Rules, including comments about each rule from the IronPort
Threat Operations Center (TOC). See this site for information on how to report outbreaks.
You can click the View link for an Outbreak Rule to see a history of all Outbreak Rules related
to a specific extension type.
Note
Note — The site is password protected. Please contact IronPort Customer Support if you are
unable to access the site.
For more information about VTL and outbreak rules, see “Virus Outbreak Filters Rules” on
page 311.
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 305
IRONPORT ASYNCOS 4.7 USER GUIDE
the Email Pipeline” on page 61). As the messages proceed through the email pipeline, they
are run through the anti-spam (AS) and anti-virus (AV) scanning engines (only if anti-spam and
anti-virus are enabled for that mail policy). Only messages that pass through those scans are
scanned by the Virus Outbreak Filters feature (see “Message and Content Filters and the Email
Pipeline” on page 319 for more information about how the email pipeline can affect which
messages are scanned by the Virus Outbreak Filters feature). In other words, known spam or
messages containing recognized viruses are not scanned by the Virus Outbreak Filters feature
because they will have already been removed from the mail stream — deleted, quarantined,
etc., — based on your anti-spam and anti-virus settings. Messages that arrive at the Virus
Outbreak Filters feature have therefore been marked virus-free.
Message Scoring
When a new virus is released into the wild, no anti-virus software recognizes it as a virus yet,
so this is where the Virus Outbreak Filters feature can be invaluable. Incoming messages are
scanned and scored by CASE — each message is compared with published Outbreak and
Adaptive Rules (see “Types of Rules: Adaptive and Outbreak.” on page 302). Based on which,
if any, rules the message matches, it is assigned the corresponding virus threat level or VTL.
For cases where a message receives multiple scores (from Outbreak and Adaptive Rules), see
“Message Scoring, the Context Adaptive Scanning Engine, and Virus Outbreak Filters” on
page 306. If there is no associated VTL (the message does not match any rules), then the
message is assigned a default VTL of 0.
Once that calculation has been completed, the Virus Outbreak Filters feature will check
whether the VTL of that message meets or exceeds your threshold value. If it does, that
message will be quarantined, otherwise it will be passed along for further processing in the
pipeline.
Message Scoring, the Context Adaptive Scanning Engine, and Virus Outbreak Filters
Virus Outbreak Filters are powered by IronPort’s unique Context Adaptive Scanning Engine
(CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on
a regular basis, based on real-time analysis of messaging threats. For Virus Outbreak Filters,
CASE analyzes the message content, context and structure to accurately determine likely
Adaptive Rule triggers.
CASE combines Adaptive Rules and real-time Outbreak Rules published by the TOC (Threat
Operations Center) to score every message and assign a unique Virus Threat Level (VTL). This
VTL is compared to the preset quarantining threshold on the appliance and if it is equal to or
exceeds this threshold level, messages will automatically start getting quarantined.
Additionally, CASE re-evaluates existing quarantine messages against the latest rules
published to determine the latest threat level of a message. This ensures that only messages
that have a threat level consistent with an outbreak message stay within the quarantine and
messages that are no longer a threat flow out of the quarantine after an automatic re-evaluate.
For more information about CASE, see “IronPort Anti-Spam and CASE: an Overview” on
page 220.
306
DYNAMIC QUARANTINE
In the case of multiple scores — one score from an Adaptive Rule (or the highest score if
multiple Adaptive Rules apply), and another score from an Outbreak Rule (or the highest
score if multiple Outbreak Rules apply) — intelligent algorithms are used to determine the
score.
Dynamic Quarantine
The Virus Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to
store messages until new virus definitions have been created and your anti-virus software
updated. See “Outbreak Lifecycle and Rules Publishing” on page 308 for more information.
Quarantined messages can be released from the Outbreak quarantine in several ways. As new
outbreak rules are downloaded, messages in the Outbreak quarantine are automatically
re-evaluated, beginning with the oldest message. If the revised threat level of a message falls
under the system's threshold, the message will automatically be released (regardless of the
Outbreak quarantine’s settings), thereby minimizing the time it spends in the quarantine. If
new rules are published while messages are being re-evaluated, the rescan is restarted.
Please note that messages are not automatically released from the outbreak quarantine when
new anti-virus signatures are available. New rules that are published may or may not
reference new anti-virus signatures; however, messages will not be released due to an
anti-virus engine update unless an Outbreak Rule changes the threat level of the message to a
score lower than your Threat Level Threshold.
Messages are also released from the Outbreak quarantine once the timeout period (default is
12 hours) has elapsed. Messages can be manually released from the quarantine. Messages
can also be released from the quarantine when the quarantine is full and more messages are
inserted (this is referred to as overflow). Overflow only occurs when the Outbreak quarantine
is at 100% capacity, and a new message is added to the quarantine. At this point, messages
are released in the following order of priority:
• Messages quarantined by Adaptive Rules (those scheduled to be released soonest are first)
• Messages quarantined by Outbreak Rules (those scheduled to be released soonest are first)
Overflow stops the moment the Outbreak quarantine is below 100% capacity. For more
information about how quarantine overflow is handled, see “Overflow Messages” on
page 370.
Messages released from the Outbreak quarantine are run through the anti-virus filter again. If
it is now marked as a known virus, then it will be subject to your anti-virus settings (including
a possible second quarantining in the Virus quarantine). For more information, see “The Virus
Outbreak Filters Feature and the Outbreak Quarantine” on page 314.
Thus it is important to note that in a message's lifetime, it may actually be quarantined twice
— once due to the Virus Outbreak Filters feature, and once when it is released from the
Outbreak quarantine. A message will not be subject to a second quarantine if the anti-virus
verdicts from each anti-virus scan (prior to Virus Outbreak Filters, and when released from the
Outbreak quarantine) match. Also note that the Virus Outbreak Filters feature does not take
any final actions on messages. The Virus Outbreak Filters feature will either quarantine a
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 307
IRONPORT ASYNCOS 4.7 USER GUIDE
message (for further anti-virus processing) or move the message along to the next step in the
pipeline.
T=0 Adaptive Rule A consolidated rule set based Messages are automatically
(based on past on over 100K message quarantined if they match Adaptive
outbreaks) attributes, which analyzes Rules
message content, context and
structure
T=5 Outbreak Rule Quarantine messages Quarantine all attachments that are
min containing .zip (exe) files .zips containing a .exe
T=10 Outbreak Rule Quarantine messages that have Any message with .zip (exe) files that
min .zip (exe) files greater than 50 are less than 50 KB would be
KB released from quarantine
T=20 Outbreak Rule Quarantine messages that have Any message that does not match
min .zip (exe) files between 50 to 55 this criteria would be released from
KB, and have “Price” in the file quarantine
name
T=12 Outbreak Rule Scan against new signature All remaining messages are scanned
hours against the latest anti-virus signature
308
MANAGING VIRUS OUTBREAK FILTERS (GUI)
M A N A G IN G V I R US OU TB R E A K F I LT E R S ( GU I )
Log in to the Graphical User Interface (GUI) and click the Security Services tab. For
information about how to access the GUI, see “Accessing the GUI” on page 13. Click the
Virus Outbreak Filters link in the left menu.
Figure 11-2 Virus Outbreak Filters Main Page
The Virus Outbreak Filters page shows two sections: the Virus Outbreak Filters Overview and
a listing of current Virus Outbreak Filter Rules (if any).
In Figure 11-2, Virus Outbreak Filters are enabled, Adaptive Scanning is enabled, the
maximum message size is set to 256k, and the Threat Level Threshold is set to 3. To change
these settings, click Edit Global Settings... For more information about editing Global Settings,
see “Configuring Virus Outbreak Filters Global Settings” on page 310.
The Virus Outbreak Filter Rules section lists the time, date, and version of the latest update for
various components (the rules engine as well as the rules themselves), as well as a listing of
the current Virus Outbreak Filter rules, sorted by rules above or below your Threat Level
Threshold.
For more information about Outbreak Rules, see “Virus Outbreak Filters Rules” on page 311.
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 309
IRONPORT ASYNCOS 4.7 USER GUIDE
Use this page to: enable Virus Outbreak Filters globally, enable Adaptive Scanning, set a
maximum size for files to scan (note that you are entering the size in bytes), select a Threat
Level Threshold, and elect whether to enable alerts for the Virus Outbreak Filter. Note that
alerts and Adaptive Rules are not enabled by default. This functionality is also available via
the vofconfig CLI command (see the IronPort AsyncOS CLI Reference Guide). Once you
have made changes, click Submit, click Commit Changes..., add an optional comment if
necessary, and then click Commit Changes to save the changes.
Note
Please see “Email Pipeline and Security Services” on page 68 for information about how and
when the Virus Outbreak Filter feature is applied.
Note
Note — If you have not already agreed to the license during system setup (see “Step 4:
Security” on page 44), you must click Enable... on the Security Services -> Virus Outbreak
Filters page, and then read and agree to the license.
310
VIRUS OUTBREAK FILTERS RULES
box next to Enable Adaptive Rules on the Virus Outbreak Filters Global Settings page, and
click Submit.
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 311
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — If you click Clear Current Rules in the GUI or use vofflush from the CLI for the
same effect, you are basically disabling Outbreak Rules until the next time that your IronPort
appliance is able to download a new set of scores from SenderBase. Adaptive Rules are not
cleared.
.zip(exe) 4 This rule sets a threat level of 4 for .exe files within .zip files.
.zip(doc) 0 This rule sets a threat level of 0 for .doc files within .zip files.
zip(*) 2 This rule sets a threat level of 3 for all .zip files, regardless of the
types of files they contain.
312
THE VIRUS OUTBREAK FILTERS FEATURE AND MAIL POLICIES
In this example, a .foo file within a .zip file will assume the threat level of 2.
To modify the Virus Outbreak Filters feature settings for a specific listener, click the link in the
Virus Outbreak Filters column of the policy to change. The Virus Outbreak Filter Settings page
is displayed.
Figure 11-6 Virus Outbreak Filters Settings and Mail Policies
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 313
IRONPORT ASYNCOS 4.7 USER GUIDE
To enable the Virus Outbreak Filters feature for a particular mail policy, select Yes. Select Use
Default Settings to use the Virus Outbreak Filters settings that are in place for the Default Mail
Policy. If the Default Mail Policy has the Virus Outbreak Filters feature enabled, all other mail
policies using the default will also have the Virus Outbreak Filters feature enabled. Once you
have made changes, click the Commit Changes button, add a optional comment if necessary,
and then click Commit Changes to save the changes.
314
THE VIRUS OUTBREAK FILTERS FEATURE AND THE OUTBREAK QUARANTINE
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 315
IRONPORT ASYNCOS 4.7 USER GUIDE
are released due to overflow: strip attachments, modify the subject, add an X-Header. For
more information about these actions, see “Overflow Messages” on page 370.
Because quarantined messages are rescanned whenever new rules are published, it is very
likely that messages in the Outbreak quarantine will be released prior to the expiration time.
Still, it can be important to monitor the Outbreak quarantine if the Default Action is set to
“delete.” IronPort recommends most users to not set the default action to delete. For more
information about releasing messages from the Outbreak quarantine, or changing the Default
Action for the Outbreak Quarantine, see “Default Action” on page 369.
Conversely, if you have messages in your Outbreak quarantine that you would like to keep in
the quarantine longer while you wait for a new virus definition, for example, you can delay
the expiration of those messages. For more information, see “Retention Time” on page 369.
Keep in mind that increasing the retention time for messages can cause the size of the
quarantine to grow.
Note
Note — If anti-virus scanning is disabled globally (not via a mail policy) while a message is in
the Outbreak quarantine, the message is not anti-virus scanned when it leaves the quarantine,
even if anti-virus scanning is re-enabled prior to the message leaving the quarantine.
Note
Note — You can use the Virus Outbreak Filters feature without having enabled anti-virus
scanning on the IronPort appliance (see “Quarantines and Anti-Virus Scanning” on page 304).
Using the Summary View to Perform Message Actions on Messages in the Outbreak
Quarantine Based on Rule ID.
Click on the Manage by Rule Summary link to see a listing of the contents of the Outbreak
quarantine, grouped by rule ID:
316
THE VIRUS OUTBREAK FILTERS FEATURE AND THE OUTBREAK QUARANTINE
From this view, you can choose to release, delete, or delay the exit for all messages pertaining
to a specific outbreak or adaptive rule, rather than selecting individual messages. You can also
search through or sort the listing.
This functionality is also available via the quarantineconfig -> vofmanage CLI
command. For more information, see the IronPort AsyncOS CLI Reference Guide.
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 317
IRONPORT ASYNCOS 4.7 USER GUIDE
M O NI T OR IN G V I R US O U TB R E A K F IL T E R S
IronPort Systems provides you several tools to monitor the performance and activity of the
Virus Outbreak Filters feature.
Outbreak Quarantine
Use the outbreak quarantine to monitor how many messages are being flagged by your Virus
Outbreak Filters threat level threshold. Also available is a listing of quarantined messages by
rule. View this information via the Monitor -> Quarantines -> Outbreak page and the Manage
Rule by Summary link on the Monitor -> Quarantines page.
318
TROUBLESHOOTING THE VIRUS OUTBREAK FILTERS FEATURE
TR OU B L ES HO OT ING TH E V I R U S OU T BR E A K F I LTE R S FE AT UR E
This section provides some basic troubleshooting tips for the Virus Outbreak Filters feature.
Use the checkbox on the Manage Quarantine page for the Outbreak quarantine to notify
IronPort of mis-classifications.
Optionally, you can use the following email address to report mis-classifications to IronPort
Systems:
• clean@ironport.com
• outbreaks@ironport.com — for reporting messages sent to the outbreak quarantine for
investigation.
The Virus Outbreak Filters Feature, Attachments, and the Email Pipeline
You may notice messages which have been quarantined due to a Virus Outbreak Filters rule
that have no associated attachments. Please note that messages quarantined by the Virus
Outbreak Filters feature can have their attachments stripped before arriving in the Outbreak
quarantine.
Because messages are marked for the Virus Outbreak Filters feature quarantine prior to being
processed by Per Recipient Scanning Actions in the email pipeline, it is possible to have a
message sent to the quarantine after its attachment is stripped by a content filter.
Always use trace to emulate how a particular message will be processed by the email
pipeline.
C H A P T E R 1 1 : T H E V I R U S O U T B R E A K F I L T E R S F E A T U R E 319
IRONPORT ASYNCOS 4.7 USER GUIDE
320
12
CHAPTER
C H A P T E R 1 2 : S E N D E R B A S E N E T W O R K P A R T I C I P A T I O N 321
IRONPORT ASYNCOS 4.7 USER GUIDE
E N A B L IN G S H A R I N G
To share statistics from your IronPort appliance with the SenderBase network:
1. Access the Security Services -> SenderBase page.
Figure 12-1 Security Services -> SenderBase Page
Note
Note — If you have not already agreed to the license agreement during system setup (see
“Step 2: System” on page 38), this page will look different. You must click Enable... on the
Security Services -> SenderBase page and then read and agree to the license before you can
edit global settings.
3. Mark the box to enable sharing statistical data with the SenderBase Information Service.
Checking this box enables the feature globally for the appliance. When enabled, the
Context Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless
of whether or not IronPort anti-spam scanning is enabled).
4. As an option, you can enable a proxy server for sharing statistical data with the
SenderBase Information Service. If you define a proxy server to retrieve rules updates, you
can also configure an authenticated username, password, and specific port when
connecting to the proxy server in the additional fields provided. To edit these settings, see
“Service Updates” on page 485. You can configure the same settings using the
senderbaseconfig command in the CLI
322
FREQUENTLY ASKED QUESTIONS
FR E Q UE N T L Y A S KE D Q U E ST I ON S
IronPort recognizes that privacy is important to you, so we design and operate our services
with the protection of your privacy in mind. If you enroll in SenderBase Network
Participation, IronPort will collect aggregated statistics about your organization’s email traffic;
however, we do not collect or use any personally identifiably information. Any information
IronPort collects that would identify your users or your organization will be treated as
confidential.
C H A P T E R 1 2 : S E N D E R B A S E N E T W O R K P A R T I C I P A T I O N 323
IRONPORT ASYNCOS 4.7 USER GUIDE
Sum of Anti-Spam and Anti-Virus scores 2,000 (sum of anti-spam scores for all messages
and verdicts seen)
324
FREQUENTLY ASKED QUESTIONS
Obfuscated URL Path (d) There was a link found inside a message to
hostname www.domain.com, and had path
aaa000aa/aa00aaa.
Correlation of attachment types, true file 100 attachments that have a “.doc” extension but
type, and container type are actually “.exe”
50 attachments are “.exe” extensions within a zip
Correlation of extension and true file type 30 attachments were “.exe” within the 50-55K
with attachment size range
C H A P T E R 1 2 : S E N D E R B A S E N E T W O R K P A R T I C I P A T I O N 325
IRONPORT ASYNCOS 4.7 USER GUIDE
replaced with “0,” and all other single byte characters (whitespace, punctuation, etc.)
maintained. For example, the file Britney1.txt.pif would appear as Aaaaaaa0.aaa.pif.
(c) URL hostnames point to a web server providing content, much as an IP address does. No
confidential information, such as usernames and passwords, are included.
(d) URL information following the hostname is obfuscated to ensure that any personal
information of the user is not revealed.
What does IronPort do to make sure that the data I share be secure?
If you agree to participate in the SenderBase Network:
Data sent from your IronPort appliances will be sent to the IronPort SenderBase Network
servers using the secure protocol HTTPS.
All customer data will be handled with care at IronPort. This data will be stored in a secure
location and access to the data will be limited to employees and contractors at IronPort who
require access in order to improve the company's email security products and services or
provide customer support.
No information identifying email recipients or the customer's company will be shared outside
of IronPort Systems when reports or statistics are generated based on the data.
Note
Note — For C30 and C10/100 appliances, if you choose to participate in the SenderBase
Network, a “body scan” is performed on each message. This happens regardless of whether a
filter or other action applied to the message would have triggered a body scan. See “Body
Scanning Rule” in the Policy Enforcement chapter of the IronPort AsyncOS Advanced User
Guide for more information about body scanning.
If you have additional questions, please contact IronPort Customer Support. See “Contacting
IronPort Customer Support” on page xxxiii.
326
13
CHAPTER
Text Resources
This chapter discusses creating and managing various text resources, such as content
dictionaries, footers, and templates.
Content Dictionaries
You can use content dictionaries to scan messages against message filters in order to take
appropriate action in accordance with your corporate policies. You can create, delete, and
view dictionaries; add and delete entries from a dictionary; and import and export entire
dictionaries. You can also determine case sensitivity and word boundary detection for each
dictionary. For example, you could create a list of confidential words or profanity, and, using
a filter rule to scan messages for words in the list, drop or archive messages containing
matching words. Dictionaries can contain non-ASCII characters.
Text Resources
Text resources are text objects, such as footers, notification templates, and anti-virus
templates. You can create new objects for use in various components of AsyncOS. You can
import and export text resources.
Message Footer Stamping
Message footer stamping allows you to add a footer text resource to messages. For example,
you could append a copyright statement, promotional message, or disclaimer to every
message sent from within your enterprise.
This chapter contains the following sections:
• “Content Dictionaries” on page 328
• “Managing Dictionaries (GUI)” on page 330
• “Using and Testing Content Dictionaries” on page 335
• “Text Resources” on page 337
• “Managing Text Resources (GUI)” on page 338
• “Using Text Resources” on page 342
C H A P T E R 1 3 : T E X T R E S O U R C E S 327
IRONPORT ASYNCOS 4.7 USER GUIDE
CO N TE NT D I CT IO N A R IE S
Content dictionaries are groups of “words” or entries that work in conjunction with the Body
Scanning feature on the appliance and are available to both Content and Message filters. Use
the dictionaries you define to scan messages, message headers, and message attachments for
terms included in the dictionary in order to take appropriate action in accordance with your
corporate policies. For example, you could create a list of confidential words or profanity,
and, using a filter rule to scan messages that contain words in the list, drop, archive, or
quarantine the message.
The AsyncOS operating system includes the ability to define a total of 32 content dictionaries
using the GUI (Mail Policies -> Dictionaries) or the CLI’s dictionaryconfig command. You
can create, delete, and view dictionaries; add and delete entries from a dictionary; and import
and export entire dictionaries.
Dictionary Content
Words in dictionaries are created with one text string per line, and entries can be in plain text
or in the form of regular expressions. (For more information, see “Regular Expressions in
Rules” in the Policy Enforcement chapter of the IronPort AsyncOS Advanced User Guide.)
Dictionaries can contain non-ASCII characters.
Note
Note — Dictionaries containing non-ASCII characters may or may not display properly in the
CLI on your terminal. The best way to view and change dictionaries that contain non-ASCII
characters is to export the dictionary to a text file, edit that text file, and then import the new
file back into the appliance. For more information, see “Importing and Exporting Dictionaries
as Text Files” on page 329.
Note
Note — In some languages (double-byte character sets), the concepts of a word or word
boundary, or case do not exist. Complex regular expressions that depend on concepts like
328
IMPORTING AND EXPORTING DICTIONARIES AS TEXT FILES
what is or is not a character that would compose a word (represented as “\w” in regex syntax)
cause problems when the locale is unknown or if the encoding is not known for certain. For
that reason, you may want to disable word-boundary enforcement.
C H A P T E R 1 3 : T E X T R E S O U R C E S 329
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G IN G D I CT IO N A R IE S ( GU I )
Log in to the GUI and click the Mail Policies tab. Click the Dictionaries link in the left menu.
Figure 13-1 The Dictionaries Page
Adding Dictionaries
To create a new dictionary:
1. Click Add Dictionary on the Dictionaries page. The Add Dictionary page is displayed:
Figure 13-2 The Dictionaries Page
330
EDITING DICTIONARIES
3. Specify whether to ignore case by marking the checkbox next to Ignore Case. See
“Ignoring Case” on page 331 for more information.
4. Specify whether to match whole words only by marking the checkbox next to Match
Whole Words Only. See “Matching Whole Words Only” on page 331 for more
information.
5. Enter new dictionary entries into the list of terms. For more information about the kinds of
entries that are supported, see “Dictionary Content” on page 328.
6. Mark the Sort Terms checkbox to sort the list of terms. See “Sorting Terms” on page 331 for
more information.
7. Click Submit to create the new dictionary.
8. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
The Dictionaries page now lists the new dictionary, along with the terms included and the
setting configured for the dictionary.
Ignoring Case
Checking this box will cause words to match regardless of case. For example, the words
“codename” and “CodeName” would match a dictionary entry of “codename.”
Sorting Terms
Checking this box will cause the entries in the Terms window to be listed in alphabetically
sorted order. If the box is not checked, the entries are listed in the order in which they are
entered.
Editing Dictionaries
To edit an existing dictionary:
1. Click the name of the dictionary in the listing on the Dictionaries page. The Edit
Dictionary page is displayed:
C H A P T E R 1 3 : T E X T R E S O U R C E S 331
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Make changes to the entries or the settings for the dictionary, and click Submit.
3. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
Deleting Dictionaries
To delete a dictionary:
1. Click the trash can icon next to the dictionary to delete in the dictionary listing. A
confirmation message is displayed.
2. The confirmation message lists any filters that are currently referencing the dictionary.
3. Click Delete to delete the dictionary.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
5. Any message filters that reference the deleted dictionary are marked as invalid.
6. Any content filters that reference the deleted dictionary are left enabled, but will evaluate
to false.
332
IMPORTING DICTIONARIES
Importing Dictionaries
To import a dictionary via the GUI:
1. Click Import Dictionary... on the Dictionaries page. The Import Dictionary dialog is
displayed:
Figure 13-4 The Import Dictionary Page
Note
Note — The file to import must be in the configuration directory on the appliance.
3. Select an encoding.
4. Click Next.
5. The imported dictionary is displayed in the Add Dictionary page.
6. You can now name and edit the dictionary before adding it.
7. Click Submit.
8. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
Exporting Dictionaries
To export a dictionary via the GUI:
1. Click Export Dictionary... on the Dictionaries page. The Export Dictionary dialog is
displayed:
C H A P T E R 1 3 : T E X T R E S O U R C E S 333
IRONPORT ASYNCOS 4.7 USER GUIDE
334
USING AND TESTING CONTENT DICTIONARIES
US I NG A ND TE ST IN G C O NT E N T D IC TI O NA RI E S
Dictionaries can be used along with the various dictionary-match() message filter rules
and with content filters.
In the following example, a new message filter using the dictionary-match() rule is
created to blind carbon copy the administrator when the IronPort appliance scans a message
that contains any words within the dictionary named “secret_words” (created in the previous
example). Note that because of the settings, only messages that contain the whole word
“codename” matching the case exactly will evaluate to true for this filter.
bcc_codenames:
if (dictionary-match ('secret_words'))
{
bcc('administrator@example.com');
}
quarantine_codenames:
if (dictionary-match ('secret_words'))
{
quarantine('Policy');
}
C H A P T E R 1 3 : T E X T R E S O U R C E S 335
IRONPORT ASYNCOS 4.7 USER GUIDE
Description Example
Wildcard *
336
TEXT RESOURCES
TE X T R E S OU R CE S
Text resources are text templates that can be attached to messages or sent as messages. Text
resources can be one of three types:
• Message footers — text that is added to messages (for more information about footer
stamping, see “Message Footer Stamping” on page 342)
• Notification templates — messages that are sent as notifications, used with the notify()
and notify-bcc() actions (for more information, see “Notification Templates” on
page 346)
• Anti-virus notification templates — are messages that are sent as notifications when a
virus is found in a message (for more information, see “Anti-Virus Notification Template”
on page 347)
You can use the CLI (textconfig) or the GUI to manage text resources, including: adding,
deleting, editing, importing, and exporting. For information on managing text resources, see
“Managing Text Resources (GUI)” on page 338.
Text resources can contain non-ASCII characters.
Note
Note — When using text resources and the CLI, text resources containing non-ASCII
characters may or may not display properly in the CLI on your terminal. The best way to view
and change text resources that contain non-ASCII characters is to export the text resource to a
text file, edit that text file, and then import the new file back into the appliance. For more
information, see “Importing and Exporting Text Resources as Text Files” on page 337
C H A P T E R 1 3 : T E X T R E S O U R C E S 337
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G IN G TE X T RE SO UR C E S ( G UI )
Log in to the GUI and click the Mail Policies tab. Click the Text Resources link in the left
menu. The Text Resources page is displayed, including a list of existing text resources.
Figure 13-6 The Text Resources Page
338
EDITING TEXT RESOURCES
C H A P T E R 1 3 : T E X T R E S O U R C E S 339
IRONPORT ASYNCOS 4.7 USER GUIDE
4. Any message filters that reference the deleted text resource are marked as invalid.
5. Any content filters that reference the deleted text resource are left enabled, but will
evaluate to false.
Note
Note — The file to import must be in the configuration directory on the appliance.
3. Specify an encoding.
4. Click Next.
5. The imported text resource is displayed.
6. You can now name, edit, and select the type of the text resource before adding it.
7. Click Submit.
8. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save your changes.
340
EXPORTING TEXT RESOURCES
C H A P T E R 1 3 : T E X T R E S O U R C E S 341
IRONPORT ASYNCOS 4.7 USER GUIDE
US I NG TE X T R E SO U RC E S
All three types of text resources are created in the same way, using the Text Resources page or
the textconfig CLI command. Once created, each type is used in a different way. Footers
and notification templates are used with filters and listeners, while anti-virus notification
templates are used with mail policies and anti-virus settings.
342
MESSAGE FOOTER STAMPING
Add-Disclaimer-For-Legal-Team:
if (mail-from-group == 'Legal')
{
add-footer('legal.disclaimer');
}
Enter or paste the message footer here. Enter '.' on a blank line to
end.
This message processed at: $Timestamp
.
C H A P T E R 1 3 : T E X T R E S O U R C E S 343
IRONPORT ASYNCOS 4.7 USER GUIDE
mail3.example.com>commit
Add-Timestamp:
if (mail-from-group == 'Legal')
{
add-footer('legal.disclaimervar');
}
The add-footer() action supports non-ASCII text by adding the footer as an inline, UTF-8
coded, quoted printable attachment.
To: joe@example.com
From: mary@example.com Headers
Subject: Hi!
<blank line>
344
FOOTER STAMPING AND MULTIPLE ENCODINGS
The message body after the first blank line may contain many MIME parts. The second and
following parts are often called “attachments,” while the first is often called the “body” or
“text.”
A footer can be included in an email as either an attachment (above) or as part of the body
part:
To: joe@example.com
From: mary@example.com Headers
Subject: Hi!
<blank line>
This message has been scanned... Footer now included in body part
Typically, when there is an encoding mismatch between the message body and a footer,
AsyncOS attempts to encode the entire message in the same encoding as the message body so
that the footer will be included in the body (“inline”) and not included as a separate
attachment. In other words, the footer will be included inline if the encoding of the footer
matches that of the body, or if the text in the footer contains characters that can be displayed
inline (in the body). For example, it is possible to have a ISO-8859-1 encoded footer that only
contains US-ASCII characters; consequently, this will display “inline” without problems.
However, if the footer cannot be combined with the body, you can use the localeconfig
command to configure AsyncOS to attempt to promote, or convert, the body text to match the
encoding of the footer so that the footer can be included in the body of the message:
mail3.example.com> localeconfig
C H A P T E R 1 3 : T E X T R E S O U R C E S 345
IRONPORT ASYNCOS 4.7 USER GUIDE
[]>mail3.example.com>
For more information about the localeconfig command, see the “Customizing Listeners”
chapter in the IronPort AsyncOS Advanced User Guide.
Notification Templates
Notification templates are used with the notify() and notify-copy() filter actions.
Notification templates may contain action variables (see “Message Filter Action Variables” in
the “Policy Enforcement” chapter in the IronPort AsyncOS Advanced User Guide) and non-
ascii text. You can configure the From: address for notifications, see “Configuring the From:
Address for Various Generated Messages” on page 464.
Once you have created a notification template, you can refer to it in content and message
filters. Figure 13-12 shows a content filter where the notify-copy() filter action is set to
send the “grape_text” notification to “grapewatchers@example.com:”
346
ANTI-VIRUS NOTIFICATION TEMPLATE
C H A P T E R 1 3 : T E X T R E S O U R C E S 347
IRONPORT ASYNCOS 4.7 USER GUIDE
348
ANTI-VIRUS NOTIFICATION TEMPLATE
$AV_REPAIRED_TABLE Table of all parts and viruses found and repaired: “HELLO.SCR” :
“W32/Bagel-F”
Note
Note — Variable names are not case-sensitive. For example, specifying “$to” is equivalent to
specifying “$To” in the text resource. If an “AV_” variable is empty in the original message,
the string <None> is substituted.
After the text resource has been defined, use the Mail Policies -> Incoming/Outgoing Mail
Policies -> Edit Anti-Virus Settings page or the policyconfig -> edit -> antivirus
command to specify that the original message is to be included as an RFC 822 attachment for
Repaired, Unscannable, Encrypted, or Virus Positive messages. See “Send custom alert
notification (to recipient only)” on page 291 for more information.
C H A P T E R 1 3 : T E X T R E S O U R C E S 349
IRONPORT ASYNCOS 4.7 USER GUIDE
350
14
CHAPTER
Reporting
The IronPort appliance generates and emails reports to a given set of users. This chapter
describes types of reports and how to generate them using the CLI and the GUI. See “Using
the GUI” on page 399 for information on the GUI.
This chapter contains the following sections:
• “Automatic Reporting” on page 352
• “Managing Reports Via the Graphical User Interface” on page 353
C H A P T E R 1 4 : R E P O R T I N G 351
IRONPORT ASYNCOS 4.7 USER GUIDE
A U TO M A T I C R E P OR T I NG
You can run reports on a daily, weekly, or monthly basis. Configure reports with either the
Graphical User Interface (GUI) or the Command Line Interface (CLI). The GUI uses the
Scheduled Reports section of the Monitor tab; the CLI uses the reportconfig command to
create or edit reports and the reportview command to see previous reports. If you make a
change to a report from either interface, the change will be applied to the report regardless of
which interface you use.
Reports can be sent as plain text, HTML, and/or a list of comma separated values (CSV).
Note
Note — If you read email in a proportional font, request the report in HTML or a CSV file. The
columns do not properly align in proportional fonts.
The appliance will retain the most recent reports it generates, up to 1000 total versions for all
reports. You can define as many recipients for reports as you want, including zero recipients.
If you do not specify an email recipient, the system will still archive the reports. If you need to
send the reports to a large number of addresses, however, it may be easier to create a mailing
list rather than listing the recipients individually.
By default, the appliance archives the three most recent reports; you can increase this value to
fourteen. Reports are stored in the /saved_reports directory of the appliance. (See
Appendix A, “Accessing the Appliance,” for more information.)
If you configure reports to be sent in more than one format, you will receive multiple
messages (one message per format).
352
MANAGING REPORTS VIA THE GRAPHICAL USER INTERFACE
M A N A G IN G R E P O R TS V I A T HE G RA P HI CA L U SE R I NT E R FA CE
You can create, edit, delete, and view archived scheduled reports. There are two types of
reports: Incoming Volume and System Summary. Managing and viewing these reports via the
Graphical User Interface (GUI) and Command Line Interface (CLI) is discussed below.
Note
Note — When in Cluster Mode, you are unable to view reports via the GUI. Instead, please
use the CLI command, reportview. For more information, see the IronPort AsyncOS CLI
Reference Guide.
Scheduling Reports
Reports are not allowed to be scheduled to run between 00:00 and 00:59 due to database
processing. Regardless of when you run a report, it will only include the data for the specified
period (previous day, week or month). So, a daily report scheduled to run at 1AM will contain
data for the previous day, midnight to midnight.
Virus Senders This section is only shown if the Sophos Anti-Virus feature key is present. It
shows the domain of the sender (or “no domain information” if reverse
lookup fails), the percent change in messages, the number of unclassified
messages, the number of messages received, the number of messages
blocked by rate limit, the number of messages testing positive for viruses, the
percentage of messages testing positive for viruses, how many bytes received,
and the number of connections rejected. See Chapter 10, “Anti-Virus,” for
more information.
Spam Senders This section is only shown if the IronPort Anti-Spam or Brightmail Anti-Spam
feature key is present. It shows the domain (or “no domain information” if
reverse lookup fails), the number of messages received, the percent change
in messages, the number of unclassified messages, the number of messages
blocked by rate limit, the number of messages with Brightmail positives, the
percentage of messages with IronPort or Brightmail positives, and the
number of connections rejected. See Chapter 9, “Anti-Spam,” for more
information about IronPort or Brightmail Anti-Spam scanning.
C H A P T E R 1 4 : R E P O R T I N G 353
IRONPORT ASYNCOS 4.7 USER GUIDE
Unclassified This section shows those recipients that were sent from remote hosts that did
Recipients not specifically match a specific sender group, but instead matched the ALL
sender group. The section shows the domain (or “no domain information” if
reverse lookup fails), the number of messages received, the percent change
in messages, the number of unclassified messages, the number of messages
blocked by rate limit, and the number of rejected connections.
Rejected This section shows the value defined as the number of connection attempts
Connections by a domain that the appliance rejected. The section shows the domain (or
“no domain information” if reverse lookup fails), the number of messages
received, the percent change in messages, the number of unclassified
messages, the number of messages blocked by rate limit, the number of
rejected connections, and the number of rejected TLS connections.
Recipients Received The number of RCPT TO commands to which the appliance replies “250
recipient OK” is defined as the Recipients Received. This section shows the
domain (or “no domain information” if reverse lookup fails), the number of
messages received, the percent change in messages, the number of
unclassified messages, the number of messages blocked by rate limit, the
number of bytes received, and the number of connections rejected.
Received Bytes Total bytes received, excluding SMTP protocol messages, are shown in this
section. This section shows the domain (or “no domain information” if
reverse lookup fails), the number of messages received, the percent change
in messages, the number of unclassified messages, the number of messages
blocked by rate limit, the number of bytes received, and the number of
connections rejected.
Accepted TLS This section shows the domain (or “no domain information” if reverse lookup
Connections fails), the number of messages received, the percent change in messages, the
number of unclassified messages, the number of messages blocked by rate
limit, the number of bytes received, the number of connections rejected, the
number of messages TLS accepted, and the number of messages TLS
rejected.
Rejected TLS This section shows the domain (or “no domain information” if reverse lookup
Connections fails), the number of messages received, the percent change in messages, the
number of unclassified messages, the number of messages blocked by rate
limit, the number of bytes received, the number of connections rejected, the
number of messages TLS accepted, and the number of messages TLS
rejected.
In the GUI, the number of display rows is limited to 100. Using the CLI, you can choose an
arbitrary number of rows displayed. If you choose 0 (zero), the report will display all known
data for the report, with no limit.
354
INCOMING VOLUME REPORTS
Note
Note — If you have not specified an Email Return Address for reports, you will be directed to
the Global Reporting Settings page. You must specify an email return address when creating a
report for the first time. Set the Email Return Address and click Save to continue.
C H A P T E R 1 4 : R E P O R T I N G 355
IRONPORT ASYNCOS 4.7 USER GUIDE
3. In the Report Information section, type a name and a description for your report. The
description becomes the subject of the email. Note that each report must have a unique
name.
4. In the Scheduling section, select if you want to run the report daily, weekly (and which
day), or monthly. Select a time to run the report, and how many prior versions to archive
(up to fourteen versions). Note that monthly reports are only generated on the first of the
month.
356
INCOMING VOLUME REPORTS
5. In the Delivery section, select if you want the report to be delivered in HTML, text and/or
as a CSV attachment. Type the email addresses for delivery of each report format.
Note
Note — You can select HTML, text, and CSV attachment reports without specifying an email
address to generate the reports without emailing them to anyone.
6. In the Sections section, select the information you want to be included in your report, the
number of display rows for each section, and the order in which you want the sections to
appear. You can also change the title of each section.
7. Click Submit to create the report.
8. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
C H A P T E R 1 4 : R E P O R T I N G 357
IRONPORT ASYNCOS 4.7 USER GUIDE
2. You will be given a choice to open the report, save the report to disk, or cancel. Click
Save. Save the report in the directory of your choice. You can now open the report in
Microsoft Excel or any other program that can read CSV files.
Incoming Mail Graph Includes the Mail Trend graph and Summary table from the Monitor ->
and Summary Overview page.
Sender Details Shows the Sender Details listing from the Monitor -> Overview page.
358
INCOMING MAIL OVERVIEW REPORTS
2. Select Incoming Mail Overview Report and click Add Report. The Create Report:
Incoming Mail Overview Report page is displayed.
Note
Note — If you have not specified an Email Return Address for reports, you will be directed to
the Global Reporting Settings page. You must specify an email return address when creating a
report for the first time. Set the Email Return Address and click Submit to continue.
3. In the Report Information section, type a name and a description for your report. The
description becomes the subject of the email. Note that each report must have a unique
name.
4. In the Scheduling section, select if you want to run the report daily, weekly (and which
day), or monthly. Select a time to run the report, and how many prior versions to archive
(up to fourteen versions). Note that monthly reports are only generated on the first of the
month.
C H A P T E R 1 4 : R E P O R T I N G 359
IRONPORT ASYNCOS 4.7 USER GUIDE
5. In the Delivery section, select if you want the report to be delivered in HTML, text and/or
as a CSV attachment. Type the email addresses for delivery of each report format.
Note
Note — You can select HTML, text, and CSV attachment reports without specifying an email
address to generate the reports without emailing them to anyone.
6. In the Sections section, select the information you want to be included in your report, the
number of display rows for each section, and the order in which you want the sections to
appear. You can also change the title of each section.
7. Click Submit to create the report.
8. Click Commit Changes, add an optional comment if necessary, and then click Commit
Changes to save the changes.
System Statistics Shows the number of bytes processed, the number of messages processed, and the
number of messages delivered.
360
SYSTEM SUMMARY REPORTS
Spam Statistics Shows the number of messages scanned, the amount of spam, and the amount of
suspected spam. The number of messages scanned can be lower than the number
of messages received due to whitelisting (explicit within Sender Groups) or
maximum message size.
Virus Statistics Shows how many messages were scanned and any virus information.
Message Flow A histogram of how many messages went in or out of the external network. For
Histogram daily reports, the unit is one hour. For monthly and weekly reports, the unit is one
day.
Note
Note — Only the last classification for a sender is reported in the System Summary report. It is
possible that if a sender's classification changes in the middle of a reporting period, the
System Summary report will report IP addresses that were originally classified in a different
sender group within your blacklist sender group. For example, a sender's SRBS Score may
drop from +3 to -5 during the span of a reporting period (and thus the sender has moved from
the UNKNOWNLIST to the SUSPECTLIST to the BLACKLIST). The System Summary report
will for the end of the time period report all messages from that sender as being within the
most recent policy (BLACKLIST, in this example).
2. Select System Summary Report. Choose Create New Report. The Create Report: System
Summary Report page is displayed.
C H A P T E R 1 4 : R E P O R T I N G 361
IRONPORT ASYNCOS 4.7 USER GUIDE
3. In the Report Information section, type a name for your report and a description of your
report, which will become the subject of the email. Note that each report must have a
unique name.
4. In the Scheduling section, select if you want to run the report daily, weekly (and which
day), or monthly. Select a time to run the report, and how many prior versions to archive
(up to fourteen versions). Note that monthly reports are only generated on the first of the
month.
5. In the Delivery section, select if you want the report in HTML, text and/or as a CSV
attachment. Type the email address for delivery of each report.
6. In the Sections section, select the information you want in your report, the number of
display rows for each section, and the order in which you want the sections to appear.
Change the title of each section if you want.
7. Click Submit to store the report.
362
SYSTEM SUMMARY REPORTS
8. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
C H A P T E R 1 4 : R E P O R T I N G 363
IRONPORT ASYNCOS 4.7 USER GUIDE
364
15
CHAPTER
Quarantines
Quarantines are special queues or repositories used to hold and process messages. IronPort
AsyncOS allows you to place incoming or outgoing messages into one of two kinds of
quarantines: ‘system’ and ‘IronPort Spam.’
Messages in quarantines can be delivered or deleted. You can create, modify, and delete
quarantines. You can associate users with quarantines. You can view the contents of each of
your quarantines, search a quarantine for specific messages, and send copies of the messages.
This chapter contains the following sections:
• “Quarantines Overview” on page 366
• “Managing System Quarantines via the Graphical User Interface (GUI)” on page 368
• “Working with Messages in System Quarantines” on page 374
• “Configuring the IronPort Spam Quarantines Feature” on page 383
C H A P T E R 1 5 : Q U A R A N T I N E S 365
IRONPORT ASYNCOS 4.7 USER GUIDE
Q U A R A N T I N E S O V E R V I EW
As messages are processed by the IronPort appliance, various actions are applied. Filters are
applied to messages, messages are scanned for spam or viruses, and the Virus Outbreak Filters
feature scans messages. Any of these actions can cause a message to be quarantined,
depending on your settings.
Quarantine Types
An IronPort Spam quarantine is a special kind of quarantine used to hold spam or suspected
spam messages for end users. End users are mail users, outside of AsyncOS. You can have a
local IronPort Spam quarantine, stored on the IronPort appliance. You can also send messages
to an external IronPort Spam quarantine, stored on a separate IronPort appliance. IronPort
Spam quarantines can be accessed by both AsyncOS administrators and end users (these are
not AsyncOS users).
A system quarantine (unchanged from previous versions) is used to hold messages based on
various actions performed by AsyncOS, such as filtering, anti-virus scanning, and Virus
Outbreak Filters.
System Quarantines
Typically, messages are placed in system quarantines due to a filter action. Additionally, the
Virus Outbreak Filters feature quarantines suspicious messages in the Outbreak quarantine,
specifically. System quarantines are configured to process messages automatically—messages
are either delivered or deleted based on the configuration settings (for more information, see
“System Quarantine Settings” on page 368) set for the quarantine(s) in which the message is
placed. In addition to the automated process, designated users (such as your mail
administrator, Human Resources personnel, Legal department, etc.) can review the contents
of the quarantines and then either release, delete, or send a copy of each message. Released
messages are scanned for viruses (assuming that anti-virus is enabled for that particular mail
policy).
System Quarantines are ideal for:
• Policy Enforcement - have Human Resources or the Legal department review messages
that contain offensive or confidential information before delivering them.
• Virus quarantine - store messages marked as not scannable (or encrypted, infected, etc.)
by the anti-virus scanning engine.
• Providing a foundation for the Virus Outbreak Filters feature - hold messages flagged by
the Virus Outbreak Filters feature until a virus update is released. For more information
about the Virus Outbreak Filters feature, see “The Virus Outbreak Filters Feature” on
page 301.
Your IronPort appliance can have several pre-configured quarantines, depending on features
licensed; however, the Policy quarantine is created by default, regardless of license.
366
IRONPORT SPAM QUARANTINES
• Outbreak, a quarantine used by the Virus Outbreak Filters feature created when the Virus
Outbreak Filters feature license key is enabled.
• Virus, a quarantine used by the anti-virus engine, created when the anti-virus license key
is enabled.
• Policy, a default quarantine (for example, use this to store messages requiring review).
For details on how to add, modify, or delete additional quarantines, see “Managing System
Quarantines via the Graphical User Interface (GUI)” on page 368.
Access and interact with system quarantines via the Graphical User Interface (GUI) or the
Command Line Interface (CLI) via the quarantineconfig command.
Note
Note — The Command Line Interface (CLI) for system quarantines contains a subset of the
functionality found in the GUI (see the IronPort AsyncOS CLI Reference Guide).
C H A P T E R 1 5 : Q U A R A N T I N E S 367
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G IN G S Y ST E M Q UA R A N T IN E S V I A TH E GR A P H IC A L US E R
IN T E R FAC E ( G U I )
Log in to the Graphical User Interface (GUI) and click the Monitor tab. (For information about
how to access the GUI, see “Accessing the GUI” on page 13.) Click the Local Quarantines
link in the Quarantines section of the left menu.
Figure 15-1 The Local Quarantines Page
The Local Quarantines page shows information about all of your quarantines, including the
number of messages contained in each, the default action (length of time to retain, and then
the final action of delete or release), and the percentage full. You can edit the settings (size,
retention period, default action, how to handle overflow messages, and users associated with
the quarantine) via the Edit link (for more information, see “System Quarantine Settings” on
page 368). Also displayed is the status of the quarantine, including whether or not the
associated security service (anti-virus scanning for the Virus quarantine, and Virus Outbreak
Filters for the Outbreak quarantine) is enabled, and whether or not the particular quarantine’s
contents are currently available.
Also note that if the IronPort Spam Quarantine is enabled on the appliance, it is visible in the
Local Quarantines listing. This is an end user quarantine, for more information about working
with end user quarantines, see “Configuring the IronPort Spam Quarantines Feature” on
page 383.
368
SYSTEM QUARANTINE SETTINGS
Retention Time
Retention Time is the length of time messages are kept in a quarantine. The Default Action
(see “Default Action” on page 369) is performed on any message in the quarantine once that
retention time is reached. Each message has its own specific expiration time, displayed in the
quarantine listing.
Messages are stored for the amount of time specified (Normal Expiration) unless they are
manually processed by a mail administrator (or other user) or the size limit set for the
quarantine is reached. If the size limit is reached, the oldest messages are processed (Early
Expiration) and the Default Action in performed for each message until the size of the
quarantine is again less than the size limit. The policy is First In First Out (FIFO). For more
information about specifying quarantine size limits, see “Creating System Quarantines” on
page 371.
The expiration time on a message can be delayed (extended) via the Select Action menu in
the various quarantine listings. Delaying the expiration of a message can be helpful when you
need to keep specific messages in the quarantine past their scheduled expiration (for
example, waiting for an administrator to have time to review the messages or for a specific
anti-virus IDE to be published).
Default Action
The Default Action is the action performed on messages in a quarantine when either of the
two following circumstances occur:
• Normal Expiration - the Retention Time is met for a message in the quarantine (see
“Retention Time” on page 369).
C H A P T E R 1 5 : Q U A R A N T I N E S 369
IRONPORT ASYNCOS 4.7 USER GUIDE
• Early Expiration - a message is forced from the quarantine when the size limit for the
quarantine is reached. For more on setting size limits for quarantines, see “Creating
System Quarantines” on page 371. Messages released from quarantine because of a
queue-full condition (early expiration) can optionally have other operations performed on
them. For more information, see “Overflow Messages” on page 370.
There are two Default Actions:
• Delete - the message is deleted.
• Release - the message is released for delivery. Upon release, the message is rescanned for
viruses, assuming anti-virus is enabled for that particular mail policy. For more
information about virus scanning and messages released from quarantines, see “System
Quarantines and Virus Scanning” on page 380.
Note
Note — In addition to these two default actions, a third message action (Delay Exit) is
available in the Select Action menu in the quarantined messages listing.
Overflow Messages
The Overflow Messages section is used to dictate how messages are handled as they are
released from the quarantine due to overflow. These settings include: Subject Tagging, Adding
an X-Header, and Stripping Attachments.
Subject Tagging
Messages released or deleted from a quarantine because of a queue-full condition (early
expiration only) can optionally have their subjects tagged with text you specify when editing
or creating a quarantine.
The tag is a user-defined string that can either be prepended or appended to the original
subject header.
Note
Note — In order for a subject with non-ASCII characters to display correctly it has to be
represented according to RFC 2047.
Add X-Header
Messages released or deleted from a quarantine because of a queue-full condition (early
expiration only) can optionally have an X-Header added.
Specify the name of the X-Header and the value.
Strip Attachment
Messages released or deleted from a quarantine because of a queue-full condition (early
expiration only) can optionally have their attachments stripped. This can be used to help
reduce the chance for virus infected files will be released from a quarantine.
370
CREATING SYSTEM QUARANTINES
process, or search messages within a quarantine), but cannot change the quarantine's
configuration (e.g. the size, retention period, etc.), or create or delete quarantines.
C H A P T E R 1 5 : Q U A R A N T I N E S 371
IRONPORT ASYNCOS 4.7 USER GUIDE
11. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
2. Make changes to the settings for the quarantine and click Submit.
3. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
372
DELETING SYSTEM QUARANTINES
C H A P T E R 1 5 : Q U A R A N T I N E S 373
IRONPORT ASYNCOS 4.7 USER GUIDE
WOR K IN G W IT H ME SS AG ES I N S YS T E M QU A R A N TI N E S
Use the Quarantine Overview to work with messages within quarantines. As a user with
access to a quarantine, you can:
• View the messages in a quarantine.
• Perform Message Actions on (process) messages.
• Search for messages in quarantines.
Note
Note — The functionality described in this section applies only to the GUI.
Click the name of the quarantine to view the messages in the quarantine. From this page, you
can view a particular message, process one or more messages, or search through messages.
374
VIEWING MESSAGES IN A SYSTEM QUARANTINE
All of the messages within the quarantine are listed, including the following information for
each message: To, From, Subject, Date Received, Scheduled Exit date, Size, and “In other
quarantines.” You can navigate through the list of pages using the Previous, Next, page
number, or double arrow links. The double arrows take you to the first (<<) or last (>>) page in
the listing.
The “In other quarantines” column will contain ‘Yes’ if the message is present in one or more
other quarantines, regardless of whether you have permissions to access those other
quarantines. See “Multi-User Access and Messages in Multiple Quarantines” on page 379 for
more information.
Sort the results ascending or descending by clicking on any of the column headings (except
“In other quarantines”).
You can select messages by clicking the corresponding checkbox in the row of checkboxes to
the left of the listing. To select all of the messages currently displayed in the listing, mark the
All box in the header (the very top of the listing, above the first message). Note that this only
applies to the currently displayed messages. Messages not displayed on the current page are
not affected.
You can apply an action (Delete, Release, Delay Scheduled Exit) on all selected messages in
the listing. Select an action from the pulldown menu at the bottom of the listing and click
Submit. A dialog box is displayed, asking you to confirm your choice. Click Yes to perform the
action on all marked messages.
Click the “Manage Rule by Summary” link for the Outbreak quarantine to process the
messages in the Outbreak quarantine by rule. For more information, see “The Virus Outbreak
Filters Feature and the Outbreak Quarantine” on page 381.
C H A P T E R 1 5 : Q U A R A N T I N E S 375
IRONPORT ASYNCOS 4.7 USER GUIDE
The Quarantined Message page has two sections: Quarantine Details and Message Details.
From the Quarantined Message page, you can read the message, select a Message Action,
send a copy of the message, or test for viruses.
The Message Details section displays only the first 100K of the message. If the message is
longer, the first 100K is shown, followed by an ellipsis (...). The actual message is not
truncated. This is for display purposes only.
Note
Note — If you view a message that contains a virus and you have desktop anti-virus software
installed on your computer, your anti-virus software may complain that it has found a virus.
This is not a threat to your computer and can be safely ignored.
376
SEARCHING SYSTEM QUARANTINES
Note — For the special Outbreak quarantine, additional functionality is available. See “The
Note
Virus Outbreak Filters Feature and the Outbreak Quarantine” on page 381 for more
information.
Note
Note — Messages can be placed in multiple quarantines. Please see “Multi-User Access and
Messages in Multiple Quarantines” on page 379 for more information about processing
messages belonging to multiple quarantines.
C H A P T E R 1 5 : Q U A R A N T I N E S 377
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — The search that is performed is an “AND” search, in that results are returned only if
they satisfy all of the criteria specified in the search fields. For example, specifying an
Envelope Recipient and a Subject in the search fields, means that only messages that match
both the terms specified in Envelope Recipient and Subject are returned.
3. Click Search.
4. The results (messages that match all of the specified criteria) are displayed.
You can use the search results in the same way you use the quarantine listings. The search
results listing also allows sorting by Scheduled Exit time. See “Processing Messages in a
Quarantine” on page 374 for more information.
378
MULTI-USER ACCESS AND SYSTEM QUARANTINES
C H A P T E R 1 5 : Q U A R A N T I N E S 379
IRONPORT ASYNCOS 4.7 USER GUIDE
• The user will not be told the names of the other quarantine(s) holding the message.
• Releasing a message only affects the queues to which the user has access.
• If the message is also queued in other quarantines not accessible to the user, the message
will remain in quarantine, unchanged, until acted upon by users who have the required
access to the remaining quarantines (or until it is released “normally” via early or normal
expiration).
380
THE VIRUS OUTBREAK FILTERS FEATURE AND THE OUTBREAK QUARANTINE
C H A P T E R 1 5 : Q U A R A N T I N E S 381
IRONPORT ASYNCOS 4.7 USER GUIDE
Send to IronPort
When viewing message details for a message in the Outbreak quarantine, you can optionally
report the message to IronPort. Do this to report false positives or to report suspicious
messages to IronPort.
To send a copy of a message to IronPort:
1. On the Message Details page, mark the Send a Copy to IronPort Systems box:
Figure 15-11Searching Quarantines
382
CONFIGURING THE IRONPORT SPAM QUARANTINES FEATURE
CO N FI GU R IN G T HE I R ON POR T S P A M Q UA RA NT IN E S FE A T U RE
Each IronPort appliance can have a local IronPort Spam quarantine enabled, if either
Symantec Brightmail or IronPort anti-spam has been enabled. Each IronPort appliance can
also refer to an external IronPort Spam quarantine, configured on another IronPort appliance
(typically an M-Series appliance, see “The IronPort M-Series Security Management
Appliance” on page 513 for more information).
However, when both the local and an external IronPort Spam quarantine is enabled the local
IronPort Spam quarantine is used.
Follow these steps to configure your IronPort appliance to send spam or suspect spam
messages to an IronPort Spam quarantine (local or external):
1. Add an external IronPort Spam quarantine (see “Configuring an External IronPort Spam
Quarantine” on page 393) or enable and configure the local IronPort Spam quarantine
(see “Configuring the Local IronPort Spam Quarantine” on page 386). Configuring the
local IronPort Spam quarantine allows you to specify settings related to quarantine access,
contents, and behavior, notifications, authentication, and AsyncOS user access.
2. If you are configuring the local IronPort Spam quarantine, edit an IP interface and enable
the IronPort Spam quarantine HTTP or HTTPS service (see “Enabling the IronPort Spam
Quarantine HTTP/S Service on an IP Interface” on page 394). Enabling the IronPort Spam
quarantine HTTP/S service allows you to access the quarantine.
3. Configure the anti-spam scanning options for the policy to send spam or suspect spam (or
both) to the IronPort Spam Quarantine (see “Enabling IronPort Spam Quarantines for a
Mail Policy” on page 396). This step is where you actually configure the system to
quarantine spam or suspect spam.
4. See “Considerations for Deployment” on page 397. This important section provides a
wealth of additional guidance and information about the IronPort Spam quarantine,
including notifications, authentication, and configuration of other related AsyncOS
features.
C H A P T E R 1 5 : Q U A R A N T I N E S 383
IRONPORT ASYNCOS 4.7 USER GUIDE
2. The IronPort Spam Quarantine is enabled. If the IronPort Spam Quarantine is not
configured, the Edit IronPort Spam Quarantine page is displayed (see “Configuring the
Local IronPort Spam Quarantine” on page 386).
3. Click Submit. Click the Commit Changes button, add an optional comment if necessary,
and then click Commit Changes to save the changes.
384
IRONPORT SPAM QUARANTINE SETTINGS
Note — The Delete All link is not available on the IronPort M-Series appliance. To remove all
Note
messages from the IronPort Spam quarantine on an M-Series appliance, stop sending spam to
it and allow the quarantined messages to expire.
Spam Notifications
Enable and configure the content of the spam notifications, including: the From: address,
subject, message body, message format, bounce address, and notification schedule.
Notifications allow end users to access their quarantined messages without using LDAP or
mailbox authentication. Notifications are sent to each Envelope Recipient that has
quarantined email, including mailing lists and other aliases. Each mailing list will receive a
single digest. This means that all subscribers to a mailing list will receive the notification and
can log in to the quarantine to release or delete messages. In this case, users visiting the
quarantine to view messages mentioned in a notification may find those messages have
already been deleted by other users. Users belonging to multiple aliases and/or using multiple
email addresses will receive multiple notifications (see “Receiving Multiple Notifications” on
page 400). See “Configuring Spam Notifications” on page 390.
Administrative Users
Specify AsyncOS Operator users that may view or interact with the messages in the local
IronPort Spam quarantine. All Administrator level users (such as the default ‘admin’ user)
created in AsyncOS are automatically able to access and modify the IronPort Spam
quarantine. Operators can view quarantine contents, but may not change the quarantine
settings. See “Configuring Administrative Users for IronPort Spam Quarantines” on page 392.
C H A P T E R 1 5 : Q U A R A N T I N E S 385
IRONPORT ASYNCOS 4.7 USER GUIDE
Configuring Spam Quarantine Settings for the Local IronPort Spam Quarantine
To edit the IronPort Spam Quarantine settings for the IronPort Spam quarantine on the local
IronPort appliance:
1. Click Edit in the Settings column for the IronPort Spam Quarantine on the Monitor ->
Local Quarantines page. The Edit IronPort Spam Quarantine page is displayed.
Figure 15-14Editing the IronPort Spam Quarantine Settings
386
CONFIGURING THE LOCAL IRONPORT SPAM QUARANTINE
Note — If you are configuring an IronPort M-Series appliance, see “Configuring the Local
Note
Quarantine” on page 524 for more information.
C H A P T E R 1 5 : Q U A R A N T I N E S 387
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Once you have enabled IronPort Spam Quarantine access, you can customize the page
end users see when they view the quarantine, as well as how users connect and are
authenticated.
3. Upload a custom logo (optional). The logo is displayed at the top of the IronPort Spam
quarantine page when the user logs in to view quarantined messages.
• The logo should be a .jpg or .gif file, measuring 500 x 50 pixels.
• If a logo file is not supplied, the default IronPort Spam Quarantine logo is used.
Note
Note — If you specify a custom logo the IronPort logo is deleted.
4. Specify a login page message. This message is shown to end users when they are asked to
log in prior to viewing the quarantine.
5. Specify whether or not to display message bodies before messages are released. If this box
is checked, users may not view the message body via the IronPort Spam quarantine page.
Instead, to view a quarantined message’s body users must release the message and view it
in their mail application (Outlook, etc.). This is especially relevant to compliance issues
where all viewed email must be archived.
6. Specify the method you would like to use to authenticate end-users when they attempt to
view their quarantine directly via web browser (not via the email notification). You may
use either Mailbox or LDAP authentication.
Note that you can allow end user access to the IronPort Spam quarantine without
enabling authentication. In this case, users can access the quarantine via the link included
in the notification message and the system does not attempt to authenticate the user. If you
want to enable end user access without authentication, simply leave the default
authentication values in place.
LDAP Authentication: If you maintain end-user passwords and mail aliases in a corporate
LDAP directory, you can use this directory to authenticate users for access to their
quarantine. When logging into the web UI, a user’s login and password is validated
against the LDAP server, and then a list of email aliases for that user is retrieved. This
means that a user will be able to see all messages in the quarantine that may be destined
for any of their email aliases that were not rewritten by the IronPort appliance.
To configure LDAP authentication, enter the LDAP server settings and then build the LDAP
query used to retrieve the email address(es) for the user. Specify the LDAP server
hostname or IP address. For a secure connection, select SSL or TLS. Enter a port number
for the LDAP server. Select the LDAP server type (OpenLDAP, Active Directory, Other).
Specify a server login, anonymous or username/password (Active Directory requires a
password).
Finally specify an LDAP query to retrieve the user’s email address. The token {u} is used to
specify the user (it is replaced by the user’s login name). The token {a} is used to specify
the user’s email address. Your LDAP query should not strip “SMTP:” as that is
automatically stripped by AsyncOS.
388
CONFIGURING THE LOCAL IRONPORT SPAM QUARANTINE
LDAP authentication for IronPort Spam quarantines does not support multiple servers (via
referrals, or via multiple queries associated via a domain).
ActiveDirectory server configurations do not allow authentication via TLS with Windows
2000. This is a known issue with ActiveDirectory. TLS authentication for ActiveDirectory
and Windows 2003 does work.
You can test your LDAP authentication settings via the Test button. Once you have entered
your LDAP settings, enter a username and password in the Test Settings fields and click
Test. The results of the test are displayed at the top of the Edit IronPort Spam Quarantine
page.
Figure 15-16Examples of LDAP Authentication Tests
Note that if you have configured your LDAP server to allow binds with empty passwords,
the test will pass even with an empty password.
Mailbox Authentication: For sites without an LDAP directory to use for authentication, the
quarantine can also validate user’s email addresses and passwords against and standards-
based IMAP or POP server that holds their mailbox. When logging in to the web UI, the
users enter their full email address and mailbox password, and the quarantine uses this to
attempt to log in to the mailbox server as that user. If the login is successful, the user is
authenticated and the quarantine then immediately logs out and no changes are made to
the user’s inbox. Using mailbox authentication works well for sites that do not run an
LDAP directory, but mailbox authentication can not present a user with messages that may
have been bound for an email alias.
Select the type (IMAP or POP). Specify a server name and whether or not to use SSL for a
secure connection. Enter a port number for the server. Supply a domain (example.com, for
example) to append to unqualified usernames.
If the POP server advertises APOP support in the banner, then for security reasons (i.e., to
avoid sending the password in the clear) the IronPort appliance will only use APOP. If
C H A P T E R 1 5 : Q U A R A N T I N E S 389
IRONPORT ASYNCOS 4.7 USER GUIDE
APOP is not supported for some or all users then the POP server should be reconfigured to
not advertise APOP.
7. Click Submit.
8. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
390
CONFIGURING THE LOCAL IRONPORT SPAM QUARANTINE
2. Enter a From: address for the notifications. Users may want to add this address to any
“whitelist” supported by their email client (see “Considerations for Deployment” on
page 397).
3. Enter a subject for the notification.
4. Customize the message body. AsyncOS support several message variables that, when
placed in the message body, are expanded to the actual value for the specific end user. For
example, %username% is expanded to the actual user’s name when the notification is
generated for that user. The supported message variables include:
• New Message Count (%new_message_count%) - the number of new messages
since the user’s last login.
• Total Message Count (%total_message_count%) - the number of messages for
the user in the end user quarantine.
C H A P T E R 1 5 : Q U A R A N T I N E S 391
IRONPORT ASYNCOS 4.7 USER GUIDE
392
CONFIGURING AN EXTERNAL IRONPORT SPAM QUARANTINE
3. Click Submit. Click the Commit Changes button, add an optional comment if necessary,
and then click Commit Changes to save the changes.
2. Enter a name for the quarantine. The name is not significant, and is used for reference
only.
3. Enter an IP address and port number. The IP Address and port number are specified on the
M-Series appliance in the Spam Quarantines Settings page (see “Configuring the Local
Quarantine” on page 524).
4. Click Submit.
5. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
C H A P T E R 1 5 : Q U A R A N T I N E S 393
IRONPORT ASYNCOS 4.7 USER GUIDE
4. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
394
ENABLING THE IRONPORT SPAM QUARANTINE HTTP/S SERVICE ON AN IP INTERFACE
2. Specify whether to use HTTP or HTTPS as well as the associated port numbers.
3. Select whether to redirect HTTP requests to HTTPS.
4. Specify whether this is the default interface (notifications and quarantine logins will
originate on this interface) for IronPort Spam quarantine access. Select whether to use the
hostname in the URL or specify a custom URL.
5. Click Submit.
6. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to save the changes.
C H A P T E R 1 5 : Q U A R A N T I N E S 395
IRONPORT ASYNCOS 4.7 USER GUIDE
396
CONSIDERATIONS FOR DEPLOYMENT
C H A P T E R 1 5 : Q U A R A N T I N E S 397
IRONPORT ASYNCOS 4.7 USER GUIDE
Users can also access the quarantine by entering a link in their web browser directly. When
accessing the quarantine via a URL typed into a web browser, users will have to authenticate.
The authentication method — LDAP or “mailbox” (IMAP/POP) — is defined in the End User
Quarantine Access section of the quarantine settings (see “Configuring End User Quarantine
Access” on page 387).
LDAP Authentication
The authentication process for LDAP works like this:
1. A user enters their username and password into the web UI login page.
2. The IronPort Spam quarantine connects to the specified LDAP server either to perform an
anonymous search or as an authenticated user with the specified “Server Login” DN and
password. For Active Directory, you will usually need to have the server connect on the
“Global Catalog port” (it is in the 6000s) and you need to create a low privilege LDAP user
that the IronPort Spam quarantine can bind as in order to execute the search.
3. The IronPort Spam quarantine then searches for the user using the specified BaseDN and
Query String. When a user’s LDAP record is found, the IronPort Spam quarantine then
extracts the DN for that record and attempts bind to the directory using the user records’
DN and the password they entered originally. If this password check succeeds then the
user is properly authenticated, but the IronPort Spam quarantine still needs to determine
which mailboxes’ contents to show for that user.
4. Messages are stored in the IronPort Spam quarantine using the recipient's envelope
address. After a user's password is validated against LDAP, the IronPort Spam quarantine
then retrieves the “Primary Email Attribute” from the LDAP record to determine which
envelope address they should show quarantined messages for. The “Primary Email
Attribute” can contain multiple email addresses which are then used to determine what
envelope addresses should be displayed from the quarantine for the authenticated user.
IMAP/POP Authentication
The authentication process for IMAP/POP works like this:
1. Depending on your mail server configuration, a user enters their username (joe) or email
address (joe@example.com) and password into the web UI login page. You can modify
the Login Page Message to tell your users whether they should enter a full email address or
just their username (see “Configuring End User Quarantine Access” on page 387).
2. The IronPort Spam quarantine connects to the IMAP or POP server and uses the entered
login (either username or email address) and password to try to log into the IMAP/POP
server. If the password is accepted then the user is considered authenticated and the
IronPort Spam quarantine immediately logs out of the IMAP/POP server.
3. Once the user is authenticated, the IronPort Spam Quarantine lists email for the user,
based on the email address:
• If you have configured the IronPort Spam quarantine to specify a domain to append
to bare usernames (like joe), then this domain is appended and that fully qualified
email address is used to search for matching envelopes in the quarantine.
398
CONSIDERATIONS FOR DEPLOYMENT
• Otherwise, the IronPort Spam quarantine uses the entered email address to search
for matching envelopes.
Example Configurations
Example POP/IMAP Configurations:
On UW IMAP and POP (single domain):
• Enter the server name.
• Enable SSL if you have configured your server to use it.
• Enable “Append Domain to Unqualified Usernames” and set this to the domain of
the envelope for users logging in.
For more information about IMAP, see the University of Washington website:
http://www.washington.edu/imap/
Testing Notifications
You can test notifications by configuring a testing mail policy in the Email Security Manager,
and have spam quarantined for just a single user. Then, configure the IronPort Spam
Quarantine notification settings: check the “Enable Spam Notification” checkbox and do not
check “Enable End-User Quarantine Access” checkbox. Then only the administrator
configured in the “Deliver Bounced Messages To” field is notified of new spam in the
quarantine.
C H A P T E R 1 5 : Q U A R A N T I N E S 399
IRONPORT ASYNCOS 4.7 USER GUIDE
Sam sam@example.com 1
You can configure your IronPort appliance to use LDAP routing on inbound email to rewrite
incoming recipient addresses so that there is only one envelope address to which to send
notifications for a particular user. For example, rewriting admin@example.com and
hr@example.com to joe@example.com will result in Joe receiving just one notification based
on the example above.
If you do not want your end users to receive multiple email notifications, and you are not
using LDAP, consider disabling notifications and instead allow end users to access the
quarantine directly and authenticate via LDAP or POP/IMAP.
400
CONSIDERATIONS FOR DEPLOYMENT
Charset Encodings
AsyncOS attempts to determine the charset of a message based on the encoding specified in
the message headers. However, if the encoding specified in the headers does not match that
of the actual text, the message will not be displayed properly when viewed in the IronPort
Spam quarantine. This situation is more likely to occur with spam messages.
Specifying Charset Encodings
In the case where incoming email does not have a charset encoding specified in the headers,
you can configure your IronPort appliance to specify a default encoding. Doing so will help
ensure that these types of messages display properly in the IronPort Spam quarantine.
However, specifying a default encoding can cause messages in other charsets to display
incorrectly. This applies only to messages that do not specify the encoding in the message
headers. Generally, you would only want to set a default encoding if you expect the majority
of your mail that falls into this category to be of one specific encoding. For example, if the
majority of your mail that gets quarantined and that does not specify the charset encoding in
the message headers is in Japanese (ISO-2022-JP), you would select option 12 (in the
scanconfig options, below).
To set a default encoding for messages that do not specify the encoding in the message
headers, use the scanconfig command via the CLI. In this example, UTF-8 is set as the
default:
mail3.example.com> scanconfig
C H A P T E R 1 5 : Q U A R A N T I N E S 401
IRONPORT ASYNCOS 4.7 USER GUIDE
Configure encoding to use when none is specified for plain body text
or
anything with MIME type plain/text or plain/html.
1. US-ASCII
2. Unicode (UTF-8)
3. Unicode (UTF-16)
[ ... list of encodings ... ]
13. Japanese (EUC)
[1]> 2
402
MANAGING IRONPORT SPAM QUARANTINES
C H A P T E R 1 5 : Q U A R A N T I N E S 403
IRONPORT ASYNCOS 4.7 USER GUIDE
To delete specific messages, click the checkbox next to the messages you want to delete and
then click the Delete button. Click the checkbox in the heading row to automatically select
all of the messages currently displayed on the page.
To delete all of the messages in the IronPort Spam quarantine, disable the quarantine (see) and
then click the Delete All Messages link. The number in parenthesis at the end of the link is the
number of messages in the IronPort Spam quarantine.
Figure 15-25 Delete All Messages Link
Note, when changing the amount of time to retain quarantined messages, if you set the time
to a time shorter than the original quarantine time, messages older than the new time are
deleted immediately. For example, if you initially configured your IronPort Spam Quarantine
to hold messages for 21 days before automatically deleting, and then after two weeks, you
changed that value to 10 days, all messages in the quarantine over 10 days old will be deleted
immediately.
404
16
CHAPTER
DomainKeys
C H A P T E R 1 6 : D O M A I N K E Y S 405
IRONPORT ASYNCOS 4.7 USER GUIDE
DO MA IN KEYS : O VE R VIEW
AsyncOS supports DomainKeys signing to help fight email forgery. DomainKeys is a
mechanism used to verify that the domain of the email sender and the contents of the
message were not altered during transit. The sender signs the email using public key
cryptography. The verified domain can then be used to detect forgeries by comparing it with
the domain in the From: (or Sender:) header of the email.
Figure 16-1 Domain Keys Work Flow
DomainKeys in AsyncOS
DomainKeys signing in AsyncOS is implemented via domain profiles and applied via a
“relay” outgoing mail flow policy (see “Mail Flow Policies: Access Rules and Parameters” on
page 81). Domain profiles associate a domain with domain key information (signing key and
406
DOMAINKEYS IN ASYNCOS
related information). As email is sent via a “relay” mail flow policy on the IronPort appliance,
sender email addresses that match any domain profile are DomainKeys signed with the
signing key specified in the domain profile.
DomainKeys signing works like this: a domain owner generates two keys — a public key
stored in the public DNS (a DNS TXT record associated with that domain) and a private key
that is used to sign mail that is sent (mail that originates) from that domain.
As messages are received on a listener used to send messages (outbound), the IronPort
appliance checks to see if any domain profiles exist. If there are domain profiles created on
the appliance, the message is scanned for a valid Sender: or From: address. If both are
present, the Sender: is used. Otherwise, the first From: address is used. If a valid address is not
found, the message is not signed and the event is logged.
If a valid sending address is found, the sending address is matched against the existing
domain profiles. If a match is found the message is domain key signed. If not, the message is
sent without signing. If the message has an existing DomainKeys signature (a
“DomainKey-Signature:” header) the message is only DomainKeys signed if a new sender
address has been added after the original DomainKeys signing.
AsyncOS provides a mechanism for signing email based on domain as well as a way to
manage (create new or input existing) signing keys.
Use the Mail Policies -> Domain Keys page in the GUI or the domainkeysconfig command
in the CLI (see the IronPort AsyncOS CLI Reference Guide for more information) to manage
DomainKeys signing.
C H A P T E R 1 6 : D O M A I N K E Y S 407
IRONPORT ASYNCOS 4.7 USER GUIDE
CO N FI GU R IN G D OM A I NKEY S S IG NI N G O N YO UR I R ON POR T A P P L IA NC E
Signing Keys
A signing key is the private key stored on the IronPort appliance. When creating a signing key,
you specify a key size. Larger key sizes are more secure; however, larger keys also can impact
performance. The 768 - 1024 bit key sizes are considered secure and used by most senders
today. Keys based on larger key sizes can impact performance. For more information about
creating signing keys, see “Creating New Signing Keys” on page 411.
If you are entering an existing key, simply paste it into the form. Another way to use existing
signing keys is to import the key as a text file. For more information about adding existing
signing keys, see “Importing or Entering Existing Signing Keys” on page 412.
Once a key is entered, it is available for use in domain profiles, and will appear in the Signing
Key list:
Figure 16-2 Add Domain Profile Page — Signing Keys
408
PUBLIC KEYS
Public Keys
Once you have associated a signing key with a domain profile, you can create the
corresponding public key (a version for insertion into your DNS TXT record) via the Generate
link in the DNS Text Record column in the domain profile listing (or via domainkeysconfig
-> profiles -> dnstxt in the CLI):
Figure 16-3 Generate DNS Text Record Link on Domain Profiles Page
For more information about generating a DNS Text Record, see “Generating a DNS Text
Record” on page 413.
You can also view the public key via the View link on the Signing Keys page:
Figure 16-4 View Public Key Link on Signing Keys Page
Domain Profiles
A domain profile associates a sender domain with a signing key, along with some other
information needed for DomainKeys signing. A domain profile consists of 6 pieces of
information:
• A name for the domain profile
• A domain name (the domain to be included in the DomainKey-Signature, d=)
• A selector (a selector is used to form the query for the public-key. In the DNS query type,
this value is prepended to the “_domainkey.” namespace of the sending domain)
• A canonicalization method (the method by which the headers and content are prepared
for presentation to the signing algorithm. AsyncOS supports both “simple” and “nofws”)
• A signing key (see “Signing Keys” on page 408 for more information)
• A list of Profile Users (addresses allowed to use the domain profile for signing)
C H A P T E R 1 6 : D O M A I N K E Y S 409
IRONPORT ASYNCOS 4.7 USER GUIDE
Note — The domain in the addresses specified in the profile users must match the domain
Note
specified in the Domain field.
You can search through all of your existing domain profiles for a specific term. See “Searching
Domain Profiles” on page 415 for more information.
410
CONFIGURING DOMAINKEYS (GUI)
2. Type a name for the domain profile, and enter the domain name.
3. Enter a selector and select the canonicalization.
4. Select a signing key (If you have already created a signing key, otherwise, skip to the next
step). You must create (or import) at least one signing key in order to have signing keys to
choose from in the list. See “Creating New Signing Keys” on page 411.
5. Enter users (email addresses, hosts, etc.) that will use the domain profile for signing.
6. Click Submit.
7. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish adding the new domain profile.
8. At this point (if you have not already) you should enable DomainKeys signing on an
outgoing mail flow policy (see “Enabling DomainKeys Signing” on page 410).
C H A P T E R 1 6 : D O M A I N K E Y S 411
IRONPORT ASYNCOS 4.7 USER GUIDE
1. Click Add Key... on the Mail Policies -> Domain Keys -> Signing Keys page. The Add Key
page is displayed.
2. Select a key size and then click Generate. The key is generated.
Larger key sizes are more secure; however, larger keys can have an impact on
performance. IronPort recommends a key size of 768 bits, which should provide a good
balance between security and performance.
3. Click Submit.
4. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish adding the new signing key.
To import keys from an existing export file (see “Exporting Signing Keys” on page 412):
1. Click Import Keys... on the Mail Policies -> Domain Keys -> Signing Keys page. The
Import Key page is displayed.
2. Select the file that contains the exported signing keys.
412
CONFIGURING DOMAINKEYS (GUI)
3. Click Submit. You are warned that importing will replace all existing signing keys. All of
the keys in the text file are imported.
4. Click Import.
C H A P T E R 1 6 : D O M A I N K E Y S 413
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Mark the checkbox for the attributes you wish to include in the DNS text record.
3. Click Generate Again to re-generate the key with any changes you have made.
4. The new key is displayed in the text field (where you can now copy/paste it).
5. Click Done.
2. A message is displayed at the top of the page, indicating success or failure. If the test fails,
a warning message in displayed, including the error text:
Figure 16-10An Unsuccessful Domain Profile Test
414
DOMAINKEYS AND LOGGING
C H A P T E R 1 6 : D O M A I N K E Y S 415
IRONPORT ASYNCOS 4.7 USER GUIDE
416
17
CHAPTER
The graphical user interface (GUI) is the web-based alternative to some command line
interface (CLI) commands for system monitoring and configuration. The GUI enables you to
monitor the system using a simple Web-based interface without having to learn the IronPort
AsyncOS command syntax.
So far, the following GUI components have been described:
• Chapter 5, “Configuring the Gateway to Receive Email,” described how to use the GUI to
edit the Host Access Table (HAT) of listeners, customizing your own sender groups.
• Chapter 6, “Using Mail Flow Monitor,” described the Mail Flow Monitor feature to
monitor inbound message flow. (The Mail Flow Monitor feature is only available from the
GUI.) You learned to use the Mail Flow Monitor feature to make mail flow policy
decisions (update whitelists, blacklists, and greylists) by querying for a sender’s
SenderBase Reputation Score (SBRS).
• Chapter 7, “Email Security Manager,” described the GUI components of Email Security
Manager, the single, comprehensive dashboard to manage all email security services,
including content filters.
• Chapter 9, “Anti-Spam,” described how to use the GUI to configure reputation filtering
with the SenderBase Reputation Service and configure the global and per-recipient
settings for Symantec Brightmail Anti-Spam feature.
• Chapter 10, “Anti-Virus,” showed how to use the GUI to configure the global and per-
recipient settings the Sophos Anti-Virus scanning feature.
• Chapter 11, “The Virus Outbreak Filters Feature,” explained how to use the GUI to
configure IronPort’s Virus Outbreak Filters feature.
• Chapter 13, “Text Resources,” showed how to create and manage text resources,
including dictionaries, footers, and notification templates.
• Chapter 14, “Reporting,” described how to use the GUI to Create, view, and run existing
and customized scheduled reports.
• Chapter 15, “Quarantines,” described how to use the GUI to configure quarantines and
view messages in quarantines.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 417
IRONPORT ASYNCOS 4.7 USER GUIDE
418
THE IRONPORT GRAPHICAL USER INTERFACE (GUI)
TH E I RO NPO R T G RA PH I CA L U SE R I NT E R FA CE ( G UI )
After HTTP and/or HTTPS services have been enabled for an interface, you can access the
GUI (see “Accessing the GUI” on page 13) and log in (see “Logging In” on page 14).
Chapter 2, “Overview,” also introduces the GUI sections and basic navigation.
Note
Note — You can also use the Network -> IP Interfaces page to enable or disable the GUI on
an interface, once you have the GUI enabled on any other interface. See “IP Interfaces” on
page 528 for more information.
Note
Note — Enabling secure HTTP on an interface requires you to install a certificate. For more
information, see “Enabling a Certificate for HTTPS” in the IronPort AsyncOS Advanced User
Guide.
For either service, you specify the port on which you want the service to be enabled. By
default, HTTP is enabled on port 80 and HTTPS on port 443. If you enable both services for
an interface, you can automatically redirect HTTP requests to the secure service.
In addition, all users (see “Adding Additional Users” on page 460) who attempt to access the
GUI on this interface (either via http or https) must authenticate themselves via a standard
username and password login page.
Note
Note — You must save the changes by using the commit command before you are able to
access the GUI.
In the following example, the GUI is enabled for the Data 1 interface. The
interfaceconfig command is used to enable HTTP on port 80 and HTTPS on port 443.
(The demonstration certificate is temporarily used for HTTP until the certconfig command
can be run. For more information, see “Installing Certificates on the IronPort Appliance” in the
IronPort AsyncOS Advanced User Guide.) HTTP requests to port 80 are configured to be
automatically redirected to port 443 for the Data1 interface.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 419
IRONPORT ASYNCOS 4.7 USER GUIDE
Example
mail3.example.com> interfaceconfig
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]>
Hostname:
[mail3.example.com]>
420
OVERVIEW OF REMAINING TASKS AVAILABLE IN THE GUI
Both HTTP and HTTPS are enabled for this interface, should HTTP
requests
redirect to the secure service? [Y]> y
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 421
IRONPORT ASYNCOS 4.7 USER GUIDE
• View historical graphs and tables showing some of the key system status and
performance information.
• View the version of the IronPort AsyncOS operating system installed on the
appliance.
• View a subset of key statistics.
• The System Status page provides a detailed representation of all real-time mail and DNS
activity for the system. You can also reset the counters for system statistics and view the
last time the counters were reset.
• On the System Trace page, you can debug the flow of messages through the system by
emulating sending a test message. You can emulate a message as being accepted by a
listener and print a summary of features that would have been “triggered” or affected by
the current configuration of the system.
422
OUTGOING MAIL MONITORING
OU T GO IN G M A I L M O N IT OR I NG
If you suspect delivery problems to a specific recipient domain or if you want to gather
information on a Virtual Gateway address, the Monitor -> Outgoing Mail page provides
monitoring information about email operations relating to a specific recipient domain.
Note
Note — Any activity for a recipient domain results in that domain being “active” and thus
present in the overview page. For example, if mail is remaining in the outbound queue due to
delivery problems, that recipient domain will continue to show up in the outgoing mail
overview.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 423
IRONPORT ASYNCOS 4.7 USER GUIDE
424
OUTGOING MAIL DETAILS PAGE
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 425
IRONPORT ASYNCOS 4.7 USER GUIDE
SY S TE M M ON I TO RI N G
The following pages allow you to perform system monitoring from within the GUI:
• System Overview Page
• System Status Page
Historical Graphs
The Historical Graphs section of this page allows you to configure two different graphs that
show historical rates for the system. By default, the first graph is set to show received
messages over the past hour, and the second graph is set to show received recipients over the
past hour.
Use the lists to select the following graph types:
• Received Messages
• Received Recipients
• Soft Bounce Events
• Completed Recipients (All)
• Completed Recipients: Hard Bounce Events
• Completed Recipients: Delivered Recipients
• Current Inbound Connections
• Current Outbound Connections
• Active Recipients (All)
• Active Recipients: Unattempted Recipients
• Active Recipients: Attempted Recipients
Chapter 5, “Managing and Monitoring via the CLI” in the IronPort AsyncOS Advanced User
Guide describes each of these rates. See “Reading the Rates” in that chapter.
Use the Interval list to select the scale of the graph to display:
• Past Hour
• Past Day
• Past Week
• Past Month
426
THE SYSTEM OVERVIEW PAGE
Statistics
The Statistics section of this page shows the following system statistics:
• System Status
• RAM Utilization
• CPU Utilization
• Disk I/O Utilization
• Queue Memory Utilization
• Free Memory Available for the Queue
• Injected Recipients
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 427
IRONPORT ASYNCOS 4.7 USER GUIDE
Version Information
The Version Information section of this page includes:
• the IronPort appliance model name
• the version and build date of the IronPort AsyncOS operating system installed
• the installation date of the IronPort AsyncOS operating system
• the serial number of the system to which you are connected
• the version of Symantec Brightmail Anti-Spam (if available) in use on the system
This information is useful if you are contacting IronPort Customer Support. (See “Contacting
IronPort Customer Support” on page xxxiii.)
Note
Note — Only user accounts that are in the administrator or operator group have access to
reset the counters. User accounts you create in the Guest group will not be able to reset the
counters. For more information, see “Adding Additional Users” on page 460.
Click Reset Counters to reset the counters. This button offers the same functionality as the
resetcounters command in the CLI. For more information, see “Resetting Email
Monitoring Counters” in Chapter 5 in the IronPort AsyncOS Advanced User Guide.
428
SYSTEM STATUS PAGE
Figure 17-4 System Status Page: Status Detail — Counters and Rates (1 of 2)
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 429
IRONPORT ASYNCOS 4.7 USER GUIDE
Figure 17-5 System Status Page: Gauges, DNS status, and DNS Status (2 of 2)
For system gauges, MGA refers to the percentage of the CPU that AsyncOS processes are
consuming. CASE refers to several items, including the IronPort Anti-Spam scanning engine
and Virus Outbreak Filters processes.
430
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
DE BU G GI NG M A I L F L O W US I NG TE S T M E SS A G E S : TRA CE
You can use System Administration -> Trace page (the equivalent of the trace command in
the CLI) to debug the flow of messages through the system by emulating sending a test
message. The Trace page (and trace CLI command) emulates a message as being accepted
by a listener and prints a summary of features that would have been “triggered” or affected by
the current configuration (including uncommitted changes) of the system. The test message is
not actually sent. The Trace page (and trace CLI command) can be a powerful
troubleshooting or debugging tool, especially if you have combined many of the advanced
features available on the IronPort appliance.
The Trace page (and trace CLI command) prompts you for the input parameters listed in
Table 17-1.
Table 17-1 Input for the Trace page and trace Command
Source IP address Type the IP address of the remote client to mimic 203.45.98.109
the source of the remote domain.
Listener to Trace Choose from the list of listeners configured on the InboundMail
Behavior on system to emulate sending the test message to.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 431
IRONPORT ASYNCOS 4.7 USER GUIDE
Table 17-1 Input for the Trace page and trace Command (Continued)
SenderBase Type the SBRS score you want to provide for the -7.5
Reputation Score spoofed domain, or allow the system to look up
(SBRS scores) the SBRS score associated with source IP address.
This can be helpful when testing policies that use
SBRS scores. Note that manually entered SBRS
scores are not passed to the Context Adaptive
Scanning Engine (CASE). See “Reputation Filtering:
the IronPort SenderBase Reputation Service” on
page 204 for more information.
Envelope Sender Type the Envelope Sender of the test message. admin@example.net
Message Body Type the message body for the test message, To: 1@example.com
including headers. Type a period on a separate line From: ralph
to end entering the message body. Note that Subject: Test
“headers” are considered part of a message body
(separated by a blank line), and omitting headers, A test message
or including poorly formatted ones can cause .
unexpected trace results.
After you have entered the values, click Start Trace. A summary of all features configured on
the system affecting the message is printed.
You can upload message bodies from your local file system. (In the CLI, you can test with
message bodies you have uploaded to the /configuration directory. See Appendix A,
“Accessing the Appliance,” for more information on placing files for import onto the IronPort
appliance.)
After the summary is printed, you are prompted to view the resulting message and re-run the
test message again. If you enter another test message, the Trace page and the trace
command uses any previous values from Table 17-1 you entered.
Note
Note — The sections of configuration tested by the trace command listed in Table 17-2 are
performed in order. This can be extremely helpful in understanding how the configuration of
one feature affects another. For example, a recipient address transformed by the domain map
432
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
feature will affect the address as it is evaluated by the RAT. A recipient that is affected by the
RAT will affect the address as it is evaluated by alias table, and so on.
Host Access Table (HAT) and The Host Access Table settings for the listener you specified are
Mail Flow Policy Processing processed. The system reports which entry in the HAT matched from
the remote IP address and remote domain name you entered. You
can see the default mail flow policies and sender groups and which
one matched the given entries.
These sections summarize how the appliance configuration affects the Envelope Sender you supply.
(That is, how the MAIL FROM command would be interpreted by the configuration of the appliance.)
The trace command prints “Processing MAIL FROM:” before this section.
Default Domain If you specified that a listener to change the default sender domain of
messages it receives, any change to the Envelope Sender is printed in
this section.
These sections summarize how the appliance affects the Envelope Recipients you supply. (That is, how
the RCPT TO command would be interpreted by the configuration of the appliance.) The trace
command prints “Processing Recipient List:” before this section.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 433
IRONPORT ASYNCOS 4.7 USER GUIDE
Default Domain If you specified that a listener to change the default sender domain of
messages it receives, any changes to the Envelope Recipients are
printed in this section.
Domain Map Translation The domain map feature transforms the recipient address to an
alternate address. If you specified any domain map changes and a
recipient address you specified matches, the transformation is printed
in this section.
For more information, see “The Domain Map Feature” in the IronPort
AsyncOS Advanced User Guide.
Recipient Access Table (RAT) Each Envelope Recipient that matches an entry in the RAT is printed
in this section, in addition to the policy and parameters. (For
example, if a recipient was specified to bypass limits in the listener’s
RAT.)
Alias Table Each Envelope Recipient that matches an entry in the alias tables
configured on the appliance (and the subsequent transformation to
one or more recipient addresses) is printed in this section.
These sections summarize how the appliance affects each message after the message contents have
been received, but before the messages are enqueued on the work queue. This processing occurs
before the final 250 ok command is returned to the remote MTA.
434
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
Note that the virtual gateway address assigned at this point may be
overridden by message filter processing below.
Bounce Profiles Bounce profiles are applied at three different points in the
processing. This is the first occurrence. If a listener has a bounce
profile assigned to it, it is assigned at this point in the process. That
information is printed in this section.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 435
IRONPORT ASYNCOS 4.7 USER GUIDE
The following group of functions are performed on messages in the work queue. This occurs after the
message has been accepted from the client, but before the message is enqueued for delivery on a
destination queue. “Messages in Work Queue” is reported by the status and status detail
commands.
Masquerading If you specified that the To:, From:, and CC: headers of messages
should be masked (either from a static table entered from a listener or
via an LDAP query), the change is noted here. You enable
masquerading for the message headers on private listeners using the
listenerconfig -> edit -> masquerade -> config
subcommands.
LDAP Routing If LDAP queries have been enabled on a listener, the results of LDAP
acceptance, re-routing, masquerading, and group queries are printed
in this section.
Message Filters Processing All messages filters that are enabled on the system are evaluated by
the test message at this point. For each filter, the rule is evaluated,
and if the end result is “true,” each of the actions in that filter are then
performed in sequence. A filter may contain other filters as an action,
and the nesting of filters is unlimited. If a rule evaluates to “false” and
a list of actions is associated with an else clause, those actions are
evaluated instead. The results of the message filters, processed in
order, are printed in this section.
The mail policy processing section displays the Anti-Spam, Anti-Virus, Virus Outbreak Filter feature,
and footer stamping for all recipients you supplied. If multiple recipients match multiple policies in
Email Security Manager, the following sections will be repeated for each matching policy. The string:
“Message Going to” will define which recipients matched which policies.
436
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
Anti-Spam This section notes messages that are not flagged to be processed by
Brightmail Anti-Spam. If messages are to be processed by Brightmail
Anti-Spam for the listener, the message is processed and the verdict
returned is printed. If the IronPort appliance is configured to bounce
or drop the messages based on the verdict, that information is printed
and the trace command processing stops.
Anti-Virus This section notes messages that are not flagged to be processed by
anti-virus scanning. If messages are to be processed by anti-virus
scanning for the listener, the message is processed and the verdict
returned is printed. If the IronPort appliance is configured to “clean”
infected messages, that information is noted. If configured to bounce
or drop the messages based on the verdict, that information is printed
and the trace command processing stops.
Virus Outbreak Filters This section notes messages that contain attachments are to
Processing bypass the Virus Outbreak Filters feature. If messages are to be
processed by the Virus Outbreak Filters feature for the recipient, the
message is processed and the evaluation. If the appliance is
configured to quarantine, bounce, or drop the messages based on the
verdict, that information is printed and the processing stops.
See Chapter 11, “The Virus Outbreak Filters Feature,” for more
information.
Footer Stamping This section notes whether a footer text resource was appended to
the message. The name of the text resource is displayed. See
“Message Footer Stamping” in the IronPort AsyncOS Advanced User
Guide.
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 437
IRONPORT ASYNCOS 4.7 USER GUIDE
Delivery Operations
The following sections note operations that occur when a message is delivered. The trace command
prints “Message Enqueued for Delivery” before this section.
Global Unsubscribe per If any recipients you specified as input for the trace command
Domain and per User match recipients, recipient domains, or IP addresses listed in the in
the Global Unsubscribe feature, any unsubscribed recipient
addresses are printed in this section.
Final Result
When all processing has been printed, you are prompted with the final result. In the CLI, Answer y to:
“Would you like to see the resulting message?”
438
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 439
IRONPORT ASYNCOS 4.7 USER GUIDE
440
DEBUGGING MAIL FLOW USING TEST MESSAGES: TRACE
C H A P T E R 1 7 : O T H E R T A S K S I N T H E G U I 441
IRONPORT ASYNCOS 4.7 USER GUIDE
GA TH ER IN G X M L S T AT US F R OM T HE G U I
• View status through XML pages, or access XML status information programatically.
The XML Status feature provides a programmatic method to access email monitoring statistics.
Note that some newer browsers can also render XML data directly.
Information from the pages in the GUI in this table is also available as dynamic XML output
by accessing the corresponding URL:
http://hostname/xml/tophosts
Top Outgoing Domainsa
a
The default sort order for this page is by number of active recipients. You can
change the order by appending “?sort=order” to the URL, where order is conn_out,
deliv_recip, soft_bounced, or hard_bounced.
442
18
CHAPTER
System Administration
System administration in general is handled primarily via the System Administration tab in the
Graphical User Interface (GUI). Some system administration features are accessible only via
the Command Line Interface (CLI).
In addition, you may want to access the IronPort appliance’s system monitoring features via
the IronPort Graphical User Interface (GUI), which is described in Chapter 17, “Other Tasks in
the GUI,” on page 417.
Note
Note — Several of the features or commands described in this section will affect, or be
affected by routing precedence. Please see “IP Addresses, Interfaces, and Routing” on
page 538 for more information.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 443
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G E M E N T O F T H E I R O N POR T A P P L I A N C E
The following tasks allow you to easily manage the common functions within the IronPort
appliance. The following operations and commands are described:
• shutdown
• reboot
• suspend
• offline
• resume
• resetconfig
• version
• upgradecheck
• upgradeinstall
444
RESUMING FROM AN OFFLINE STATE
Note
Note — The difference between the suspend command and the offline command is that
the suspend command retains its state even after the machine is rebooted. If you issue the
suspend command and reboot the appliance, you must use the resume command to return
the system to an online state.
See also:
• “Suspending Email Delivery,” “Resuming Email Delivery.” “Suspending Receiving,” and
“Resuming Receiving” in the IronPort AsyncOS Advanced User Guide.
mail3.example.com> suspend
mail3.example.com> offline
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 445
IRONPORT ASYNCOS 4.7 USER GUIDE
mail3.example.com> resume
Receiving resumed.
Mail delivery resumed.
mail3.example.com>
Note
Note — The resetconfig command only works when the appliance is in the offline state.
When the resetconfig command completes, the appliance is automatically returned to the
online state, even before you run the systemsetup command again. If mail delivery was
suspended before you issued the resetconfig command, the mail will attempt to be
delivered again when the resetconfig command completes.
WARNING: The resetconfig command will return all network settings to factory
defaults, potentially disconnecting you from the CLI, disabling services that you used to
connect to the appliance (FTP, Telnet, SSH, HTTP, HTTPS), and even removing additional user
accounts you created with the userconfig command. Do not use this command if you are
not able to reconnect to the CLI using the Serial interface or the default settings on the
Management port through the default Admin user account.
mail3.example.com> offline
mail3.example.com> resetconfig
Are you sure you want to reset all configuration values? [N]> Y
446
DISPLAYING THE VERSION INFORMATION FOR ASYNCOS
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 447
IRONPORT ASYNCOS 4.7 USER GUIDE
SUPPOR T COMMANDS
The following commands and features are useful when you are upgrading the appliance or
contacting your support provider:
• Technical Support (Support Request and Remote Access pages)
• Feature Keys
Technical Support
The Technical Support section of the System Administration tab contains two pages: Support
Request and Remote Access.
Remote Access
Use the Remote Access page to allow IronPort customer support remote access to your
IronPort appliance.
Figure 18-1 The Remote Access Page
By enabling Remote Access you are activating a special account used by IronPort Customer
Support for debugging and general access to the system. This is used by IronPort Customer
Support for tasks such as assisting customers in configuring their systems, understanding
configurations, and investigating problem reports. You can also use the techsupport
command in the CLI.
When enabling the use of the “Secure Tunnel,” the appliance creates an SSH tunnel over the
specified port to the server upgrades.ironport.com. By default this connection is over port 25,
which will work in most environments because the system also requires general access over
that port in order to send email messages. Once a connection is made to
upgrades.ironport.com, IronPort Customer Support is able to use the SSH tunnel to
obtain access to the appliance. As long as the connection over port 25 is allowed, this will
bypass most firewall restrictions. You can also use the techsupport tunnel command in
the CLI.
In both the “Remote Access” and “Tunnel” modes, a password is required. It is important to
understand that this is not the password that will be used to access the system. Once that
448
TECHNICAL SUPPORT
password and the system serial number are provided to your Customer Support
representative, a password used to access the appliance is generated.
Once the techsupport tunnel is enabled, it will remain connected to
upgrades.ironport.com for 7 days. At the end of the 7 days, established connections will
not be disconnected but will be unable to re-attach to the tunnel once disconnected. The
timeout set on the SSH tunnel connection does not apply to the Remote Access account; it
will remain active until specifically deactivated.
Support Request
You can use the System Administration -> Technical Support -> Support Request page or the
supportrequest command (see the IronPort AsyncOS CLI Reference Guide for more
information about the supportrequest command) to email the configuration of your
appliance to the IronPort Customer Support team and/or additional users, and enter
comments describing the issue for which you need support. This command requires that the
appliance is able to send mail to the Internet.
Figure 18-2 The Support Request Page
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 449
IRONPORT ASYNCOS 4.7 USER GUIDE
450
WORKING WITH FEATURE KEYS
To add a new feature key manually, paste or type the key into the Feature Key field and click
Submit. An error message is displayed if the feature is not added (if the key is incorrect, etc.),
otherwise the feature key is added to the display.
To activate a new feature key from the Pending Activation list, select the key (mark the
“Select” checkbox) and click Activate Selected Keys.
You can configure your IronPort appliance to automatically download and install new keys as
they are issued. In this case, the Pending Activation list will always be empty. You can tell
AsyncOS to look for new keys at any time by clicking the Check for New Keys button, even if
you have disabled the automatic checking via the Feature Key Settings page.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 451
IRONPORT ASYNCOS 4.7 USER GUIDE
UP G R A DI N G A S YN C OS
Note
Note — Regardless of which upgrade method you use, you should also consider saving your
configuration via the saveconfig command once your upgrade is complete. For more
information, see “Managing the Configuration File” on page 490.
452
REMOTE UPGRADE OVERVIEW
This method requires that your IronPort appliance contacts the IronPort Systems update
servers, http://downloads.ironport.com/, directly from the network.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 453
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — For this release, if you need to configure a firewall setting to allow HTTP access to
this address, you must configure it using the DNS name and not a specific IP address.
For hosting AsyncOS update images, you must have a server in your internal network that has:
• A web server — for example, Microsoft IIS (Internet Information Services) or the Apache
open source server — which:
• supports the display of directory or filenames in excess of 24 characters
• has directory browsing enabled
• is configured for anonymous (no authentication) or basic (“simple”) authentication
• contains at least 90MB of free disk space for each AsyncOS update image
Note
Note — Each AsyncOS update image will be saved with the .ipup extension. You may
change the filename, but changing the extension will cause the AsyncOS updates to fail for
your IronPort appliances.
454
OBTAINING UPDATES (GUI)
Note — One update image can support multiple appliances. The URL for a multiple
Note
appliance update image is constructed as: http://downloads.ironport.com/asyncos/
upgrade/?serial=serial_number1,serial_number2,serial_number3,serial_number4, etc....
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 455
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Select an upgrade source (local or streaming). For local upgrades, specify the server URL
and port number as well as the optional authentication information.
3. Select the interface to use for the upgrade.
4. Enter HTTP proxy server information if desired.
5. Click Submit. Click the Commit Changes button, add an optional comment if necessary,
then click Commit Changes to save the changes.
Upgrading AsyncOS
To upgrade AsyncOS once you have configured your upgrade settings:
1. Click Available Upgrades... on the System Administration -> System Upgrade page. The
Available Upgrades page is displayed:
Figure 18-8 The System Upgrade Page
2. Select an upgrade from the list of available upgrades. Click Begin Upgrade. A progress bar
appears near the top of the page. You may be asked one or more times to confirm changes
or read and agree to new license agreements, etc.
Figure 18-9 An Upgrade in Progress
456
OBTAINING UPDATES (CLI)
3. Once the upgrade is finished, you are asked to reboot the appliance:
Figure 18-10Upgrade Complete
mail3.example.com> upgradeconfig
Please select the upgrade source you want to use for AsyncOS updates:
1. IronPort upgrade server
2. Local upgrade server
[1]> 2
Please select the location of the upgrade files using the format
(http://optionalname:password@local.server:port/directory/). The
default HTTP port is 80; you do not need to specify the port unless you
wish to use a non-standard port. The optional username/password will
be presented using HTTP BASIC_AUTH.
Note
Note — You can use the ping command to ensure that the appliance can contact the local
server. You can also use the telnet command to telnet to port 80 of the local server to ensure
the local server is listening on that port.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 457
IRONPORT ASYNCOS 4.7 USER GUIDE
mail3.example.com> upgrade
Upgrades available:
1. AsyncOS 4.5.0 build 627 upgrade, 2005-07-20
2. AsyncOS 4.5.0 build 628 upgrade, 2005-07-20
[2]>
458
OBTAINING UPDATES (CLI)
Rebooting...
Upgrade installation finished.
Enter the number of seconds to wait before abruptly closing
connections.
[30]>
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 459
IRONPORT ASYNCOS 4.7 USER GUIDE
A D DI N G A D DI T IO NA L U SE R S
You can add new user accounts to access the IronPort appliance. Manage users via the System
Administration -> Users page in the GUI (or the userconfig command in the CLI). The
default user account for the system, admin, has all administrative privileges. The admin user
account cannot be edited or deleted, aside from changing the password. To change the
password for the default admin user account, use the Edit User page in the GUI (see “Editing
Users” on page 462 for more information) or use the password or passwd command in the
CLI.)
For each new user account your create, you specify a username and a full name, and then
assign the user to one of three groups: administrators, operators, or guests. Each group
contains differing levels of permissions within the system. After you have assigned a group,
you specify a password for the user.
Group Description
administrators User accounts in the “Administrators” group have full access to all
configuration settings of the system. However, only the “admin” user account
can issue the upgradecheck and upgradeinstall commands.
guests Users accounts in the “Guest” group may only view status information.
Note that these permissions include the GUI as well as the CLI.
While there is no limit to the number of user accounts you can create for the system, you
cannot create user accounts with special names that are reserved by the system. (For example,
you cannot create the user accounts named “operator” or “root.”)
Note
Note — User accounts and passwords are stored locally on the IronPort appliance. They
cannot be linked to or imported from other naming services on your network. Passwords are
encrypted when they are reported using the showconfig command.
Note
Note — If you have lost the admin user’s password, contact your support provider.
460
MANAGING USERS (GUI)
The Users page lists the existing users for the system, including the user name, full name, and
user type or group.
From the Users page, you can:
• Add new users
• Delete users
• Edit users (including changing the admin user’s password)
Adding Users
To add a user:
1. Click Add User... The Add User page is displayed:
Figure 18-12Adding a User
2. Enter a name for the user. Some words are reserved (such as “operator” or “root”).
3. Enter a full name for the user.
4. Select a user type. (See Table 18-1 for more information about user types.)
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 461
IRONPORT ASYNCOS 4.7 USER GUIDE
5. Enter a password and retype it. Passwords must be at least 6 characters long.
6. Click Submit to add the user.
7. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Deleting Users
To delete a user:
1. Click the trash can icon corresponding to the user’s name in the Users listing.
2. Confirm the deletion by clicking Delete in the warning dialog that appears.
3. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Editing Users
To edit a user (change a password, etc.):
1. Click the user’s name in the Users listing. The Edit User page is displayed.
2. Make changes to the user.
3. Click Submit to edit the user.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Enter the old password then enter the new password and retype it for confirmation. Click
Submit. You are logged out and taken to the log in screen.
mail3.example.com> who
462
MANAGING USERS (GUI)
• The whoami command displays the username and full name of the user currently logged
in, and which groups the user belongs to:
mail3.example.com> whoami
Username: admin
Full Name: Administrator
Groups: admin, operators, config, log, guest
• The last command displays which users have recently logged into the appliance. The IP
address of the remote host, and the login, logout, and total time are also displayed.
mail3.example.com> last
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 463
IRONPORT ASYNCOS 4.7 USER GUIDE
CO N FI GU R IN G T HE FRO M : A DD R E SS FO R VA RI O US G E N E R A T E D
M E S S A GE S
You can configure the From: header address (this is not the Envelope Sender) for mail
generated by AsyncOS for the following circumstances:
• Anti-Virus notifications
• Bounces
• Notifications (notify() and notify-copy() filter actions)
• Quarantine notifications (and “Send Copy” in quarantine management)
You can specify the display, user, and domain names of the From: address. You can also
choose to use the Virtual Gateway domain for the domain name.
Use the Return Addresses page available on the System Administration tab in the GUI, or use
the addressconfig command via the CLI.
Figure 18-14 The Return Addresses Page
To modify the return address (From: header) for system-generated email messages via the GUI,
click Edit Settings... on the Return Addresses page. Make changes to the address or addresses
you want to modify, click Submit, and, finally, commit your changes.
464
ALERTS
ALER TS
Alerts are email notifications containing information about events occurring on the IronPort
appliance. These events can be of varying levels of importance (or severity) from minor to
major and pertain generally to a specific component or feature on your appliance. Alerts are
generated by the IronPort appliance. Alerts in this release of AsyncOS offer more precise
system administration notifications than previous versions. You can now specify, at a much
more granular level, which alert messages are sent to which users and for which severity of
event they are sent. Manage alerts via the System Administration -> Alerts page in the GUI (or
via the alertconfig command in the CLI).
Alerting Overview
The alerting feature consists of two main parts:
• Alerts - consist of an Alert Recipient (email addresses for receiving alerts), and the alert
notification (severity and alert type) sent to the recipient.
• Alert Settings - specify global behavior for the alerting feature, including alert sender
(FROM:) address, seconds to wait between sending duplicate alerts, and whether to
enable AutoSupport (and optionally send weekly AutoSupport reports).
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 465
IRONPORT ASYNCOS 4.7 USER GUIDE
Severities
Alerts can be sent for the following severities:
• Critical: Requires immediate attention.
• Warning: Problem or error requiring further monitoring and potentially immediate
attention.
• Information: Information generated in the routine functioning of this device.
Alert Settings
Alert settings control the general behavior and configuration of alerts, including:
• The RFC 2822 Header From: when sending alerts (enter an address or use the default
“alert@<hostname>”). You can also set this via the CLI, using the
alertconfig -> from command.
• The initial number of seconds to wait before sending a duplicate alert.
• The maximum number of seconds to wait before sending a duplicate alert.
• The status of AutoSupport (enabled or disabled).
• The sending of AutoSupport’s weekly status reports to alert recipients set to receive System
alerts at the Information level.
Sending Duplicate Alerts
You can specify the initial number of seconds to wait before AsyncOS will send a duplicate
alert. If you set this value to 0, duplicate alert summaries are not sent and instead, all
duplicate alerts are sent without any delay (this can lead to a large amount of email over a
short amount of time). The number of seconds to wait between sending duplicate alerts (alert
interval) is increased after each alert is sent. The increase is the number of seconds to wait
plus twice the last interval. So a 5 second wait would have alerts sent at 5 seconds, 15,
seconds, 35 seconds, 75 seconds, 155 seconds, 315 seconds, etc.
Eventually, the interval could become quite large. You can set a cap on the number of seconds
to wait between intervals via the maximum number of seconds to wait before sending a
duplicate alert field. For example, if you set the initial value to 5 seconds, and the maximum
value to 60 seconds, alerts would be sent at 5 seconds, 15 seconds, 35 seconds, 60 seconds,
120 seconds, etc.
466
IRONPORT AUTOSUPPORT
IronPort AutoSupport
To allow IronPort to better support and design future system changes, the IronPort appliance
can be configured to send IronPort Systems a copy of all alert messages generated by the
system. This feature, called AutoSupport, is a useful way to allow our team to be proactive in
supporting your needs. AutoSupport also sends weekly reports noting the uptime of the
system, the output of the status command, and the AsyncOS version used.
By default, alert recipients set to receive Information severity level alerts for System alert types
will receive a copy of every message sent to IronPort. This can be disabled if you do not want
to send the weekly alert messages internally. To enable or disable this feature, see
“Configuring Alert Settings” on page 470.
Alert Messages
Alert messages are standard email messages. You can configure the Header From: address, but
the rest of the message is generated automatically.
Alert Subject
An alert email message's subject follows this format:
Subject: [severity]-[hostname]: ([class]) short message
Version: 4.5.0-419
Serial Number: XXXXXXXXXXXX-XXXXXXX
Timestamp: Tue May 10 09:39:24 2005
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 467
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — If you enabled AutoSupport during System Setup, the email address you specified
will receive alerts for all severities and classes by default. You can change this configuration at
any time.
The Alerts page lists the existing alert recipients and alert settings.
From the Alerts page, you can:
• Add, configure, or delete alert recipients
• Modify the alert settings
468
MANAGING ALERT RECIPIENTS
2. Enter the recipient’s email address. You can enter multiple addresses, separated by
commas.
3. Select which alert severities to receive.
4. Click Submit to add the alert recipient.
5. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 469
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Enter a Header From: address to use when sending alerts, or select Automatically
Generated (“alert@<hostname>”).
3. Mark the checkbox if you want to specify the number of seconds to wait between sending
duplicate alerts. For more information, see “Sending Duplicate Alerts” on page 466.
• Specify the initial number of seconds to wait before sending a duplicate alert.
• Specify the maximum number of seconds to wait before sending a duplicate alert.
4. You can enable AutoSupport by checking the IronPort AutoSupport option. For more
information about AutoSupport, see “IronPort AutoSupport” on page 467.
• If AutoSupport is enabled, the weekly AutoSupport report is sent to alert recipients
set to receive System alerts at the Information level. You can disable this via the
checkbox.
5. Click Submit to edit the alert settings.
6. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Alert Listing
The following tables list alerts by classification, including the alert name, description, and
severity.
470
ALERT LISTING
Anti-Spam Alerts
Table 18-2 contains a list of the various anti-spam alerts that can be generated by AsyncOS,
including a description of the alert and the alert severity.
Anti-Virus Alerts
Table 18-3 contains a list of the various Anti-Virus alerts that can be generated by AsyncOS,
including a description of the alert and the alert severity.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 471
IRONPORT ASYNCOS 4.7 USER GUIDE
Hardware Alerts
Table 18-5 contains a list of the various Hardware alerts that can be generated by AsyncOS,
including a description of the alert and the alert severity.
472
ALERT LISTING
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 473
IRONPORT ASYNCOS 4.7 USER GUIDE
System Alerts
Table 18-7 contains a list of the various System alerts that can be generated by AsyncOS,
including a description of the alert and the alert severity.
474
ALERT LISTING
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 475
IRONPORT ASYNCOS 4.7 USER GUIDE
476
ALERT LISTING
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 477
IRONPORT ASYNCOS 4.7 USER GUIDE
CH A N GI N G N E T W O R K SE T T IN G S
This section describes the features used to configure the network operation of the IronPort
appliance. These features give you direct access to the hostname, DNS, and routing settings
that you configured via the System Setup Wizard (or the systemsetup command) in “Using
the System Setup Wizard” on page 36.
The following features are described:
• sethostname
• DNS Configuration (GUI and via the dnsconfig command)
• Routing Configuration (GUI and via the routeconfig and setgateway commands)
• dnsflush
• Password
oldname.example.com> sethostname
[oldname.example.com]> mail3.example.com
oldname.example.com>
For the hostname change to take effect, you must enter the commit command. After you have
successfully committed the hostname change, the new name appears in the CLI prompt:
oldname.example.com> commit
478
CONFIGURING DOMAIN NAME SYSTEM (DNS) SETTINGS
0 1.2.3.4, 1.2.3.5 5, 5
1 1.2.3.6 10
2 1.2.3.7 45
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 479
IRONPORT ASYNCOS 4.7 USER GUIDE
AsyncOS will randomly choose between the two servers at priority 0. If one of the priority 0
servers is down, the other will be used. If both of the priority 0 servers are down, the priority 1
server (1.2.3.6) is used, and then, finally, the priority 2 (1.2.3.7) server.
The timeout period is the same for both priority 0 servers, longer for the priority 1 server, and
longer still for the priority 2 server.
Note
Note — If you choose to set the default DNS server to something other than the Internet root
servers, that server must be able to recursively resolve queries for domains for which it is not
an authoritative server.
DNS Alert
Occasionally, an alert may be generated with the message “Failed to bootstrap the DNS
cache” when an appliance is rebooted. The messages means that the system was unable to
contact its primary DNS servers, which can happen at boot time if the DNS subsystem comes
online before network connectivity is established. If this message appears at other times, it
could indicate network issues or that the DNS configuration is not pointing to a valid server.
480
CONFIGURING DOMAIN NAME SYSTEM (DNS) SETTINGS
made to your local DNS system. The command takes place immediately and may cause a
temporary performance degradation while the cache is repopulated.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 481
IRONPORT ASYNCOS 4.7 USER GUIDE
2. Select whether to use the Internet’s root DNS servers or your own internal DNS server or
the Internet’s root DNS servers and specify authoritative DNS servers.
3. If you want to use your own DNS server(s), or specify authoritative DNS servers, enter the
server ID and click Add Row. Repeat this for each server. When entering your own DNS
servers, specify a priority as well. For more information, see “Specifying DNS Servers” on
page 479.
4. Choose an interface for DNS traffic.
5. Enter the number of seconds to wait before cancelling a reverse DNS lookup.
6. You can also clear the DNS cache by clicking Clear Cache.
7. Click Submit.
8. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
482
CONFIGURING TCP/IP TRAFFIC ROUTES
5. Click Submit.
6. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Deleting Static Routes
To delete a static route:
1. Click the trash can icon corresponding to the static route name in the Static Routes listing.
2. Confirm the deletion by clicking Delete in the warning dialog that appears.
3. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
Editing Static Routes
To edit a static route:
1. Click the name of the route in the Static Route listing. The Edit Static Route page is
displayed.
2. Make changes to the route.
3. Click Submit.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 483
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — Changes to the password take effect immediately and do not require you to execute
the commit command.
Note
Note — If you have lost the password for the admin account, please contact Customer
Support.
484
SERVICE UPDATES
SE R VI C E U P D A TE S
Many of the settings used to configure how the IronPort appliance updates various services
(such as the anti-spam, anti-virus, and Virus Outbreak Filter services) are accessible via the
Service Updates page from the Security Services tab or via the updateconfig command in
the CLI.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 485
IRONPORT ASYNCOS 4.7 USER GUIDE
486
EDITING UPDATE SETTINGS (GUI)
HTTP Proxy Server - an optional proxy server used for all of the following services: Sophos
Anti-Virus definitions, IronPort Anti-Spam rules, Virus Outbreak Filter rules, Virus Threat
Level, and SenderBase Network Participation sharing. Note that if you specify a proxy server,
it will be used for ALL of these services.
HTTPS Proxy Server - an optional proxy server using HTTPS. If you define the HTTPS proxy
server, it will be used to update the Symantec Brightmail anti-spam rules only.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 487
IRONPORT ASYNCOS 4.7 USER GUIDE
SY S TE M T I M E
To set the System Time on your IronPort appliance, set the Time Zone used, or select an NTP
server and query interface, use the Time Zone or Time Settings page from the System
Administration tab in the GUI or use the following commands in the CLI: ntpconfig,
settime, and settz
2. Select a Region, country, and time zone from the pull-down menus.
3. Click Submit.
4. Click the Commit Changes button, add an optional comment if necessary, then click
Commit Changes to save the changes.
488
EDITING TIME SETTINGS (GUI)
Editing the Network Time Protocol (NTP) Configuration (Time Keeping Method)
To use an NTP server to synchronize the system clock with other computers and edit the NTP
server settings:
1. Click Edit Settings... on the System Administration -> Time Settings page. The Edit Time
Settings page is displayed.
2. In the Time Keeping Method section, select Use Network Time Protocol.
3. Enter an NTP server address and click Add Row. You can add multiple NTP servers.
4. To delete an NTP server from the list, click the trash can icon for that server.
5. Select an interface for NTP queries. This is the IP address from which NTP queries should
originate.
6. Click Submit. Click the Commit Changes button, add an optional comment if necessary,
then click Commit Changes to save the changes.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 489
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G IN G T H E C O NF I GU RA TI O N F IL E
All configuration settings within the IronPort appliance can be managed via a single
configuration file. The file is maintained in XML (Extensible Markup Language) format.
You can use this file in several ways:
• You can save the configuration file to a different system to back up and preserve crucial
configuration data. If you make a mistake while configuring your appliance, you can “roll
back” to the most recently saved configuration file.
• You can download the existing configuration file to view the entire configuration for an
appliance quickly. (Many newer browsers include the ability to render XML files directly.)
This may help you troubleshoot minor errors (like typographic errors) that may exist in the
current configuration.
• You can download an existing configuration file, make changes to it, and upload it to the
same appliance. This, in effect, “bypasses” both the CLI and the GUI for making
configuration changes.
• You can upload entire configuration file via FTP access, or you can paste portions of or an
entire configuration file directly into the CLI.
• Because the file is in XML format, an associated DTD (document type definition) that
describes all of the XML entities in the configuration file is also provided. You can
download the DTD to validate an XML configuration file before uploading it. (XML
Validation tools are readily available on the Internet.)
490
MANAGING CONFIGURATION FILES VIA THE GUI
• Current Configuration - used to save and export the current configuration file.
• Load Configuration - used to load a complete or partial configuration file.
• Reset Configuration - used to reset the current configuration back to the factory defaults
(you should save your configuration prior to resetting it).
You can mask the user’s passwords by clicking the checkbox. Masking a password causes the
original, encrypted password to be replaced with “*****” in the exported or saved file. Please
note, however, that configuration files with masked passwords cannot be loaded back into
AsyncOS.
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 491
IRONPORT ASYNCOS 4.7 USER GUIDE
Regardless of the method, you must include the following tags at the top of your
configuration:
The closing </config> tag should follow your configuration information. The values in XML
syntax are parsed and validated against the DTD (document type definition) located in the
configuration directory on your IronPort appliance. The DTD file is named config.dtd.
If validation errors are reported at the command line when you use the loadconfig
command, the changes are not loaded. You can download the DTD to validate configuration
files outside of the appliance before uploading them.
In either method, you can import an entire configuration file (the information defined
between the highest level tags: <config></config>), or a complete and unique sub-section
of the configuration file, as long as it contains the declaration tags (above) and is contained
within the <config></config> tags.
492
MANAGING CONFIGURATION FILES VIA THE GUI
“Complete” means that the entire start and end tags for a given subsection as defined by the
DTD are included. For example, uploading or pasting this:
will not.
“Unique” means that the subsection of the configuration file being uploaded or pasted is not
ambiguous for the configuration. For example, a system can have only one hostname, so
uploading this (including the declarations and <config></config> tags):
<hostname>mail4.example.com</hostname>
is allowed. However, a system can have multiple listeners defined, each with different
Recipient Access Tables defined, so uploading only this:
<rat>
<rat_entry>
<rat_address>ALL</rat_address>
<access>RELAY</access>
</rat_entry>
</rat>
<listeners></listeners>
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 493
IRONPORT ASYNCOS 4.7 USER GUIDE
494
CLI COMMANDS FOR CONFIGURATION FILES
• loadconfig
• resetconfig (See “Resetting to Factory Defaults” on page 446.)
Note
Note — When saving, showing, or mailing your configuration file if you choose to include
passwords (answer yes to “Do you want to include passwords?”) the passwords are encrypted.
However, the private keys and certificates are included in unencrypted PEM format.
mail3.example.com> showconfig
<!--
Product: IronPort model number Messaging Gateway Appliance(tm)
Model Number: model number
Version: version of AsyncOS installed
Serial Number: serial number
Current Time: current time and date
[The remainder of the configuration file is printed to the screen.]
Use the mailconfig command to email the current configuration to a user. A configuration
file in XML format named config.xml will be attached to the message.
mail3.example.com> mailconfig
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 495
IRONPORT ASYNCOS 4.7 USER GUIDE
The saveconfig command saves the configuration file with a unique filename to the
configuration directory.
mail3.example.com> saveconfig
mail3.example.com> loadconfig
496
CLI COMMANDS FOR CONFIGURATION FILES
In this example, a new configuration file is pasted directly at the command line. (Remember
to type Control-D on a blank line to end the paste command.) Then, the system setup wizard
is used to change the default hostname, IP address, and default gateway information. (For
more information, see “Using the System Setup Wizard” on page 36.) Finally, the changes are
committed.
mail3.example.com> loadconfig
Paste the configuration file now. Press CTRL-D on a blank line when
done.
[The configuration file is pasted until the end tag </config>. Control-D is entered on a separate
line.]
mail3.example.com> commit
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 497
IRONPORT ASYNCOS 4.7 USER GUIDE
M A N A G IN G S E C UR E S HE L L ( S SH ) KEY S
The sshconfig command adds and deletes secure shell (SSH) public User keys to the
authorized_keys file of user accounts that have been configured on the system, including the
admin account. This allows authentication to user accounts using SSH keys rather than
password challenge. Both SSH protocol version 1 (SSH1) and SSH protocol version 2 (SSH2)
with RSA-based authentication and DSA key types are supported. You can disable SSH1 via
the setup subcommand.
Note
Note — To configure Host keys, which are used when performing SCP pushes of log files
from the IronPort appliance to other host machines, use logconfig -> hostkeyconfig.
For more information, see “Logging” in the IronPort AsyncOS Advanced User Guide.
Using hostkeyconfig, you can scan for keys of remote hosts and add them to the IronPort
appliance.
Note
Note — When pasting new keys directly into the CLI, type Enter or Return on a blank line to
finish entering the key.
In the following example, a new public key is installed for the admin account:
mail3.example.com> sshconfig
498
REMOTE SSH COMMAND EXECUTION
Disabling SSH1
To disable (or enable) SSH1, use the setup subcommand of the sshconfig command:
mail3.example.com> sshconfig
mail3.example.com> commit
C H A P T E R 1 8 : S Y S T E M A D M I N I S T R A T I O N 499
IRONPORT ASYNCOS 4.7 USER GUIDE
500
19
CHAPTER
The C300D appliance is a special model of the IronPort appliances, specifically designed for
outbound email delivery. This chapter discusses the various features of and modifications to
the AsyncOS operating system specific to the C300D appliance.
This chapter contains the following sections:
• “Overview: The C300D Appliance” on page 502
• “Configuring the C300D Appliance” on page 504
• “IronPort Mail Merge (IPMM)” on page 505
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 501
IRONPORT ASYNCOS 4.7 USER GUIDE
OV E R V IEW : T HE C 30 0 D A P P L I A NC E
The C300D appliance is a C300 appliance with a feature key for AsyncOS modifications
designed and optimized for outbound delivery of mail. The C300D appliance includes
dramatically enhanced performance intended to meet the specific needs of outbound
customer messaging.
Additional features:
• 256 Virtual Gateway Addresses - The IronPort Virtual Gateway technology allows you to
configure enterprise mail gateways for all domains you host — with distinct IP addresses,
hostname and domains — and create separate corporate email policy enforcement and
anti-spam strategies for those domains, while hosted within the same physical appliance.
For more information, see Chapter 2 in the IronPort AsyncOS Advanced User Guide.
• IronPort Mail Merge (IPMM) - IronPort Mail Merge (IPMM) removes the burden of
generating individual personalized messages from customer systems. By removing the
need to generate thousands of individual messages and transmit them between message
generating systems and the email gateway, users benefit from the decreased load on their
systems and increased throughput of email delivery. For more information, see “IronPort
Mail Merge (IPMM)” on page 505.
• Resource-conserving bounce setting - The C300D appliance allows you to configure the
system to detect potential blocked destinations and bounce all messages bound for that
destination. For more information, see “Configuring Resource-Conserving Bounce
Settings” on page 504.
• Software based performance enhancement - The C300D appliance includes a software
module that dramatically enhances the outbound delivery performance.
Non-Applicable Features:
• IronPort and Symantec Brightmail anti-spam scanning and on or off box spam
quarantining — Because anti-spam scanning pertains mostly to incoming mail, the
IronPort and Symantec Brightmail anti-spam scanning engines are disabled. Chapter 9 is,
therefore, not applicable.
502
ASYNCOS FEATURES APPLICABLE TO THE C300D
• Virus Outbreak Filters — Because IronPort’s Virus Outbreak Filters feature is used to
quarantine incoming mail, this feature has been disabled on the C300D. Chapter 11 is,
therefore, not applicable.
• SenderBase Network Participation capabilities — Because SenderBase Network
Participation reports information about incoming mail, this feature has been disabled on
the C300D appliance. Chapters 8 and 12 are, therefore, not applicable.
Domain Key signing Domain Keys is a method for verifying authenticity of email based on
a signing key used by the sender. See “DomainKeys: Overview” on
page 406.
Centralized management See the “Centralized Management” chapter in the IronPort AsyncOS
Advanced User Guide.
Delivery throttling For each domain, you can assign a maximum number of connections
and recipients that will never be exceeded by the system in a given
time period. This “good neighbor” table is defined through the
setgoodtable command.
For more information, see “Controlling Email Delivery” in the
IronPort AsyncOS Advanced User Guide.
Bounce Verification Verify the authenticity of bounce messages. See “IronPort Bounce
Verification” in the IronPort AsyncOS Advanced User Guide.
Trace (debug) See “Debugging Mail Flow Using Test Messages: Trace” on page 431.
VLAN, NIC-pairing See the Advanced Networking chapter in the IronPort AsyncOS
Advanced User Guide.
Optional Sophos engine You can add optional Sophos anti-virus scanning to ensure the
integrity of your outbound messages. See “Sophos Anti-Virus
Filtering” on page 278.
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 503
IRONPORT ASYNCOS 4.7 USER GUIDE
CO N FI GU R IN G T HE C 3 00 D A P P L I A N CE
To enable your C300D:
1. Apply the provided feature key. You will need to apply the key to your C300D IronPort
Email Security appliance prior to running the system setup wizard (prior to configuring the
appliance). Apply the key via the System Administration -> Feature Key page or by issuing
the featurekey command in the CLI.
Note
Note — The preceding feature keys include a sample 30 day Sophos Anti-Virus license you
can use to test anti-virus scanning on outbound mail.
Note
Note — Using this setting will bounce all messages in the queue for a destination domain that
is deemed undeliverable. You will need to re-send the message once the delivery issues have
been resolved.
mail3.example.com> bounceconfig
Do you want to bounce all enqueued messages bound for a domain if the
host is down? [N]> y
When using this feature, a host is considered “down” after at least 10 consecutive connection
attempts fail. AsyncOS scans for down hosts every 15 minutes, so it is possible that more than
10 attempts will be made before the queue is cleared.
504
IRONPORT MAIL MERGE (IPMM)
I R O N PO R T M A I L M E R G E ( I P M M )
Note
Note — IronPort Mail Merge is only available on the IronPort C300D appliance.
Overview
IronPort Mail Merge removes the burden of generating individual personalized messages from
customer systems. By removing the need to generate thousands of individual messages and
transmit them between message generating systems and the email gateway, users benefit from
the decreased load on their systems and increased throughput of email delivery.
With IPMM, a single message body is created with variables representing locations in the
message to be replaced for personalization. For each individual message recipient, only the
recipient email address and the variable substitutions need to be transmitted to the email
gateway. In addition, IPMM can be used to send certain recipients specific “parts” of the
message body, while excluding certain parts from others recipients. (For example, suppose
you needed to include a different copyright statements at the end of your messages to
recipients in two different countries.)
Benefits
Using the Mail Merge function of the IronPort C300D appliance has many benefits:
• Ease of use for the mail administrator. The complexities of creating personalized messages
for each recipient are removed, as IPMM provides variable substitution and an abstracted
interface in many common languages.
• Reduced load on message generation systems. By requiring one copy of the message body
and a table of required substitutions, most of the message generation “work” is off-loaded
from message generation systems and moved to the IronPort C300D appliance.
• Increased delivery throughput. By reducing the resources necessary to accept and queue
thousands of incoming messages, the IronPort appliance can significantly increase
out-bound delivery performance.
• Queue storage efficiency. By storing less information for each message recipient, users
can achieve orders-of- magnitude, better use of queue storage on the C300D appliance.
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 505
IRONPORT ASYNCOS 4.7 USER GUIDE
IPMM modifies SMTP by altering two commands — MAIL FROM and DATA — and adding
another: XDFN. The MAIL FROM command is replaced with XMRG FROM and, the DATA
command is replaced with XPRT.
To generate a Mail Merge message, the commands used to generate the message need to be
issued in a particular sequence.
1. The initial EHLO statement, identifying the sending host.
2. Each message starts with an XMRG FROM: statement, indicating the sender address.
3. Each recipient is then defined:
• One or more XDFN variable allocation statements are made, including defining
the parts (XDFN *PART=1,2,3…), and any other recipient specific variables.
• The recipient email address is defined with the RCPT TO: statement. Any variable
allocations prior to the RCPT TO:, but after the prior XMRG FROM, or RCPT TO
command, will be mapped to this recipient email address.
4. Each part is defined using the XPRT n command, with each part terminated by a period (.)
character similar to the DATA command. The last part is defined by the XPRT n LAST
command.
Variable Substitution
Any part of the message body, including message headers, can contain variables for
substitution. Variables can appear in HTML messages, as well. Variables are user-defined and
must begin with the ampersand (&) character and end with the semi-colon character (;).
Variable names beginning with an asterisk (*) are reserved and cannot be used.
Reserved Variables
IPMM contains five special “reserved” variables that are predefined.
*FROM The reserved variable *FROM is derived from the “Envelope From” parameter. The
“Envelope From” parameter is set by the “XMRG FROM:” command.
*TO The reserved variable *TO is derived from the envelope recipient value, as set by the
“RCPT TO:” command.
*PARTS The reserved variable *PARTS holds a comma separated list of parts. It is set prior to
defining a recipient with the “RCPT TO:” and determines which of the “XPRT n”
message body blocks a given user will receive.
*DATE The reserved variable *DATE is replaced with the current date stamp.
*DK The reserved variable *DK is used to specify a DomainKeys Signing profile (this profile
must already exist in AsyncOS). For more information about creating DomainKeys
Signing profiles, see “Domain Profiles” on page 409.
506
USING THE MAIL MERGE
For example, the following example message body (including headers) contains four distinct
variables and five substitution locations that will be replaced in the final message. Note that
the same variable may be used more than once in the message body. Also, the reserved
variable &*TO; is used, which will be replaced with the recipient email address. This reserved
variable does not need to be passed in as a separate variable. The variables in the example
appear in bold.
Example Message #1
Dear &first_name;,
This message needs only be injected once into the IronPort C300D appliance. For each
recipient, the following additional information is required:
• A recipient email address
• Name-value pairs for the variable substitution
Part Assembly
Where SMTP uses a single DATA command for each message body, IPMM uses one or many
XPRT commands to comprise a message. Parts are assembled based upon the order specified
per-recipient. Each recipient can receive any or all of the message parts. Parts can be
assembled in any order.
The special variable *PARTS holds a comma separated list of parts.
For example, the following example message contains two parts.
The first part contains the message headers and some of the message body. The second part
contains an offer that can be variably included for specific customers.
Dear &first_name;,
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 507
IRONPORT ASYNCOS 4.7 USER GUIDE
Please accept our offer for 10% off your next sprocket purchase.
The message parts need only be injected once into the IronPort C300D appliance. In this
case, each recipient requires the following additional information:
• The ordered list of parts to be included in the final message
• A recipient email address
• Name value pairs for the variable substitution
Command Descriptions
When a client injects IPMM messages to the listener, it uses extended SMTP with the
following key commands.
XMRG FROM
Syntax:
XMRG FROM: <sender email address>
This command replaces the SMTP MAIL FROM: command and indicates that what follows is
an IPMM message. An IPMM job is initiated with the XMRG FROM: command.
XDFN
Syntax:
XDFN <KEY=VALUE> [KEY=VALUE]
The XDFN command sets the per-recipient metadata. Note that key-value pairs can optionally
be enclosed in angle brackets or square brackets.
*PARTS is a special reserved variable that indicates the index number as defined by the XPRT
command (described below). The *PARTS variable is split as a comma-delimited list of
integers. The integers match the body parts to be sent as defined by the XPRT commands. The
other reserved variables are: *FROM, *TO, and *DATE.
508
NOTES ON DEFINING VARIABLES
XPRT
Syntax:
The XPRT command replaces the SMTP DATA command. The command accepts the transfer
of the message part after the command is issued. The command is completed with a single
period on a line followed by a return (which is the same way an SMTP DATA command is
completed).
The special keyword LAST indicates the end of the mail merge job and must be used to
specify the final part that will be injected.
After the LAST keyword is used, the message is queued, and delivery begins.
220 ESMTP
EHLO foo
250-ehlo responses from the injector enabled for IPMM
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 509
IRONPORT ASYNCOS 4.7 USER GUIDE
XMRG FROM:<user@domain.com> [Note: This replaces the MAIL FROM: SMTP command.]
250 OK
&*DATE;
Dear &first_name;,
And then part 2 is transmitted. Note that the LAST keyword is used to identify Part 2 as the
final part to assemble:
XPRT 2 LAST
Please accept our offer for 10% off your next sprocket purchase.
.
250 Ok, mailmerge message enqueued
The “250 Ok, mailmerge message queued” notes that the message has been accepted.
510
EXAMPLE IPMM CONVERSATION
Based on this example, recipient Jane User will receive this message:
message date
Dear Jane,
Please accept our offer for 10% off your next sprocket purchase.
message date
Dear Joe,
Example Code
IronPort has created libraries in common programming languages to abstract the task of
injecting IPMM messages into the IronPort appliance listener enabled for IPMM. Contact
IronPort Customer Support for examples of how to use the IPMM library. The code is
commented extensively to explain its syntax.
C H A P T E R 1 9 : E N A B L I N G Y O U R C 3 0 0 D A P P L I A N C E 511
IRONPORT ASYNCOS 4.7 USER GUIDE
512
20
CHAPTER
The IronPort M-Series appliance is a special model of the IronPort appliances, specifically
designed to serve as an external or “off box” spam quarantine for use with other IronPort
appliances. This chapter discusses network planning, system setup, and general use of the
IronPort M-Series appliance.
This chapter contains the following sections:
• “Network Planning” on page 514
• “System Setup” on page 516
• “Using the System Setup Wizard — IronPort M-Series Appliance” on page 518
• “Operating the IronPort M-Series Appliance” on page 523
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 513
IRONPORT ASYNCOS 4.7 USER GUIDE
NE TW OR K PLA NN IN G
The IronPort M-Series appliance lets you separate the end-user user interfaces (mail
applications, etc.) from the more secure gateway systems residing in your various DMZs.
Using a two-layer firewall can provide you with flexibility in network planning so that end
users will not connect directly to the outer DMZ (see Figure 20-1).
Figure 20-1 Typical Network Configuration Incorporating the IronPort M-Series Appliance
C-Series Appliance
M-Series Appliance
C-Series Appliance
Large corporate data centers can share one IronPort M-Series appliance acting as an external
IronPort Spam quarantine for one or more IronPort C- or X-Series appliances. Further, remote
offices can be set up to maintain their own local IronPort appliance quarantines for local use
(using the local IronPort Spam quarantine on C- or X-Series appliances).
Figure 20-1 shows a typical network configuration incorporating the IronPort M-Series
appliance and multiple DMZs. Incoming mail from the Internet is received by the IronPort
appliances in the outer DMZ. Clean mail is sent along to the MTA (groupware) in the inner
DMZ and eventually to the end users within the corporate network.
Spam and suspected spam (depending on your mail flow policy settings) is sent to the IronPort
M-Series appliance’s Spam quarantine. End users may then access the quarantine and elect to
delete spam and release messages they would like to have delivered to themselves. Messages
remaining in the IronPort Spam quarantine are automatically deleted after a configurable
amount of time (see “Configuring the Local IronPort Spam Quarantine” on page 386).
514
CENTRALIZED MANAGEMENT AND THE IRONPORT M-SERIES APPLIANCE
appliance changes, the receiving C- or X-Series appliance will process the message as it
would any other incoming message. You should always use the same IP address for receiving
and delivery on the IronPort M-Series appliance.
The IronPort M-Series appliance accepts mail for quarantining from the IP addresses specified
in the IronPort Spam Quarantine settings. To configure the local quarantine on the IronPort
M-Series appliance see “Configuring the Local Quarantine” on page 524. Note that the local
quarantine on the IronPort M-Series appliance is referred to as an external quarantine by the
other IronPort appliances sending mail to it.
Mail released by the IronPort M-Series appliance is delivered to the primary and secondary
hosts (IronPort appliance or other groupware host) as defined in the Spam Quarantine Settings
(see “Configuring the Local Quarantine” on page 524). Therefore, regardless of the number of
IronPort appliances delivering mail to the IronPort M-Series appliance, all released mail,
notifications, and alerts are sent to a single host (groupware or IronPort appliance). Take care
to not overburden the primary host for delivery from the IronPort M-Series appliance.
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 515
IRONPORT ASYNCOS 4.7 USER GUIDE
SY S TE M S E T U P
To set up and configure the IronPort M-Series appliance you must use the graphical user
interface (GUI) system setup wizard, available via the System Administration tab. The IronPort
M-Series appliance does not include support for system setup via the CLI.
To log in to the GUI, you will need to set up a private connection between a PC and the
IronPort M-Series appliance. For example, you can use the included crossover cable to
connect directly from the management port on the appliance to your laptop. Optionally, you
can connect via an Ethernet connection between a PC and the network (Ethernet hub, for
example) and between the network and the Management port on the IronPort M-Series
appliance (see Figure 20-4). The IP address that has been assigned to the Management port by
the factory is 192.168.42.42. Once the setup is finished you can use the Network -> IP
Interfaces page to change the interface used by your M-Series appliance.
Note
Note — If you are running a firewall on your network between the Internet and the IronPort
appliance, it may be necessary to open specific ports for the IronPort appliance to work
properly. See Appendix C, “Firewall Information,” for more information.
516
GATHERING THE SETUP INFORMATION
Netmask: *
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 517
IRONPORT ASYNCOS 4.7 USER GUIDE
US I NG T H E SY ST E M S E T UP W IZ A R D — I RO NPO R T M - SE RI E S A P P L IA NC E
The IronPort AsyncOS operating system provides a browser-based system setup wizard to
guide you through the process of system configuration. Some users will want to take
advantage of custom configuration options not available in the wizard. However, you must
use the wizard for the initial setup to ensure a complete configuration. If you have gathered
the information required in Table 20-1, the configuration process will take less time to
complete.
Be sure to connect the IronPort M-Series appliance to your network via the Management port.
WARNING: The system setup wizard will completely reconfigure your system. You
should only use the wizard the very first time you install the appliance, or if you want
to completely overwrite your existing configuration.
WARNING: The IronPort appliance ships with a default IP address of 192.168.42.42
on the Management port. Before connecting the IronPort M-Series appliance to your network,
ensure that no other device’s IP address conflicts with this factory default setting.
Note
Note — Your session will time out if you are idle for over 30 minutes or if you close your
browser without logging out. If this happens, you will be asked to re-enter your username and
password. If your session times out while you are running the System Setup Wizard, you will
have to start over again.
518
RUNNING THE SYSTEM SETUP WIZARD
Note
Note — If you cancel the system setup after resetting the password, your password changes
are not undone.
The system setup wizard (also available via the System Administration tab) walks you through
completing the following configuration tasks:
1. Resetting the admin password
2. Configuring settings:
• Setting the hostname of the appliance
• Specifying the IP address, network mask, and gateway of the appliance
• Defining the default router and DNS settings
• Configuring alert settings and AutoSupport
• Setting the system time settings
3. Review your configuration
Step through the wizard. Review your configuration at step 3. You can move back to step 2 by
clicking Previous. At the end of the process, you are prompted to commit the changes you
have made. Your changes will not take effect until they have been committed.
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 519
IRONPORT ASYNCOS 4.7 USER GUIDE
Network Settings
Enter the fully-qualified hostname for the IronPort appliance. This name should be assigned
by your network administrator.
Enter the IP address of the IronPort M-Series appliance.
Type the network mask and IP address of the default router (gateway) on your network.
Next, configure the DNS (Domain Name Service) settings. IronPort AsyncOS contains a high-
performance internal DNS resolver/cache that can query the Internet’s root servers directly, or
the system can use DNS servers you specify. If you choose to use your own servers, you will
need to supply the IP address of each DNS server. You can enter up to four DNS servers via
the System Setup Wizard. Please note that DNS servers you enter will have an initial priority
of 0. For more information, see “Configuring Domain Name System (DNS) Settings” on
page 478.
520
RUNNING THE SYSTEM SETUP WIZARD
Note — The appliance requires access to a working DNS server in order to perform DNS
Note
lookups for incoming connections. If you cannot specify a working DNS server that is
reachable by the appliance while you are setting up the appliance, a work around is to either
select “Use Internet Root DNS Servers” or to specify, temporarily, the IP address of the
Management interface so that you can complete the system setup wizard.
System Settings
Set the time zone on the IronPort appliance so that timestamps in message headers and log
files are correct. Use the drop-down menus to locate your time zone or to define the time
zone via GMT offset.
You can set the system clock time manually, or you can use the Network Time Protocol (NTP)
to synchronize time with other servers on your network or the Internet. By default, one entry
to the IronPort Systems time servers (time.ironport.com) to synchronize the time on your
IronPort appliance is already configured. Enter the hostname of the NTP server and click Add
Entry to configure an additional NTP server. For more information, see “System Time” on
page 488.
The IronPort AutoSupport feature (enabled by default) keeps the IronPort Customer Support
team aware of issues with your IronPort appliance so that we can provide better support to
you. (For more information, see “IronPort AutoSupport” on page 467.)
IronPort AsyncOS sends alert messages via email if there is a system error that requires the
user’s intervention. Enter the email address (or addresses) to which to send those alerts.
You must add at least one email address to which to send System Alerts. Enter an email
address, or separate multiple addresses with commas. The email addresses you enter will
initially receive all types of alerts at all levels. You can add more granularity to the alert
configuration later. For more information, see “Alerts” on page 465.
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 521
IRONPORT ASYNCOS 4.7 USER GUIDE
Once you have reviewed the information, click Install This Configuration.
Remember to see “IronPort Spam Quarantine Settings” on page 385 for information about
configuring your IronPort Spam Quarantine.
522
OPERATING THE IRONPORT M-SERIES APPLIANCE
OP E RA TI NG TH E IR O NPO R T M - SE RI E S A P P L IA N C E
Once your IronPort M-Series appliance has been installed and you have run the system setup
wizard via the GUI, you can modify other settings on the appliance including configuring the
IronPort Spam quarantine.
To configure the IronPort Spam quarantine on your IronPort M-Series appliance:
1. Configure the IronPort Spam quarantine on the IronPort M-Series appliance. See
“Configuring the Local Quarantine” on page 524 for additional information.
2. Configure any connecting IronPort appliances to send spam and/or suspected spam to an
external quarantine (follow the steps outlined for enabling the external quarantine and
configuring an IronPort appliance to quarantine spam/suspected spam here: “Configuring
the IronPort Spam Quarantines Feature” on page 383).
3. Configure any connecting appliances (such as IronPort appliances or groupware servers)
to receive mail from your IronPort M-Series appliance.
For information about configuring the other settings available on the IronPort M-Series
appliance (items in the Network and System Administration tabs) see the related sections of
this guide and the IronPort AsyncOS Advanced User Guide.
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 523
IRONPORT ASYNCOS 4.7 USER GUIDE
The following tabs and pages are available to administrator and operator users:
Monitor tab: Quarantines, System Status
Network tab: IP Interfaces DNS
System Administration tab: Alerts, Users, Log Subscriptions, System Time, Technical Support,
Configuration File, Feature Keys, Upgrades, System Setup Wizard
The Monitor tab and associated pages are available to Guest users.
524
CONFIGURING THE LOCAL QUARANTINE
Quarantine Port: The port number on which to accept spam. This is the port number that
should be referenced by the sending IronPort appliance in the External Quarantine settings.
See Figure 20-8 for more information.
Deliver Messages Via: The primary and alternate destination for delivering mail. This could be
an IronPort appliance or another SMTP/Groupware server. As a rule of thumb, you will
probably want to deliver to another IronPort appliance if you have complex mail routing. If
you are only using a back end groupware server, you can deliver messages directly to it.
Figure 20-7 Spam Quarantine Settings on the IronPort M-Series Appliance
Note
Note — The IP addresses and port numbers must be properly configured on both the IronPort
M-Series appliance and any connecting IronPort appliances in order to have mail correctly
quarantined and also delivered when released.
C H A P T E R 2 0 : T H E I R O N P O R T M - S E R I E S S E C U R I T Y M A N A G E M E N T A P P L I A N C E 525
IRONPORT ASYNCOS 4.7 USER GUIDE
Note
Note — You cannot disable the quarantine on the M-Series appliance.
526
A
APPENDI X
You can access any IP interface you create on the appliance through a variety of services.
By default, the following services are either enabled or disabled on each interface:
Enabled by default?
FTP 21 No No
Telnet 23 Yes No
SSH 22 Yes No
HTTP 80 Yes No
(a) the “Management Interface” settings shown here are also the default settings for the Data 1
Interface on IronPort C10/100 appliances.
• If you need to access the appliance via the graphical user interface (GUI), you must
enable HTTP and/or HTTPS on an interface.
• If you need to access the appliance for the purposes of uploading or downloading
configuration files, you must enable FTP or Telnet on an interface. See “FTP Access” on
page 531.
• You can also upload or download files using secure copy (scp).
A P P E N D I X A : A C C E S S I N G T H E A P P L I A N C E 527
IRONPORT ASYNCOS 4.7 USER GUIDE
IP I N T E R F A C E S
An IP interface contains the network configuration data needed for an individual connection
to the network. You can configure multiple IP interfaces to a physical Ethernet interface. You
can also configure access to the IronPort Spam quarantine via an IP interface. For email
delivery and Virtual Gateways, each IP interface acts as one Virtual Gateway address with a
specific IP address and hostname. You can also “join” interfaces into distinct groups (via the
CLI), and the system will cycle through these groups when delivering email. Joining or
grouping Virtual Gateways is useful for load-balancing large email campaigns across several
interfaces. You can also create VLANs, and configure them just as you would any other
interface (via the CLI). For more information, see the “Advanced Networking” chapter in the
IronPort AsyncOS Advanced User Guide.
Figure A-1 IP Interfaces Page
Configuring IP Interfaces
The Network -> IP Interfaces page (and interfaceconfig command) allows you to add,
edit, or delete IP interfaces.
Note
Note — You can not change the name or ethernet port associated with the Management
interface on the M-Series appliance. Further, the IronPort M-Series appliance does not support
all of the features discussed below (Virtual Gateways, for example).
Netmask (or subnetmask) You can enter the netmask in standard dotted octet form (e.g.
255.255.255.0) or hexadecimal form (e.g. 0xffffff00). The default
netmask is 255.255.255.0, a common class C value.
528
CONFIGURING IP INTERFACES
Hostname The hostname that is related to the interface. This hostname will be
used to identify the server during the SMTP conversation. You are
responsible for entering a valid hostname associated with each IP
address. The software does not check that DNS correctly resolves the
hostname to the matching IP address, or that reverse DNS resolves to
the given hostname.
Allowed services FTP, SSH, Telnet, IronPort Spam Quarantine, HTTP, and HTTPS can
be enabled or disabled on the interface. You can configure the port
for each service. You can also specify the HTTP/HTTPS, port, and
URL for the IronPort Spam Quarantine.
Note
Note — If you have completed the GUI’s System Setup Wizard (or the Command Line
Interface systemsetup command) as described in Chapter 3, “Setup and Installation,” and
committed the changes, one or two interfaces should already be configured on your
appliance. (Refer to the settings you entered in the “Assign and Configure Logical IP
Interface(s)” section.) In addition, the Management interface is configured on the IronPort
appliance.
A P P E N D I X A : A C C E S S I N G T H E A P P L I A N C E 529
IRONPORT ASYNCOS 4.7 USER GUIDE
530
FTP ACCESS
to HTTPS. Finally, you can specify whether the IP interface is the default interface for the
IronPort Spam quarantine, whether to use the hostname as the URL, or provide a custom
URL.
9. Click Submit.
10. Click the Commit Changes button, add an optional comment if necessary, and then click
Commit Changes to finish creating the IP interface.
FTP Access
To access the appliance via FTP, follow these steps:
1. Use the Network -> IP Interfaces page (or the interfaceconfig command) to enable
FTP access for the interface.
WARNING: By disabling services via the Network -> IP Interfaces page or the
interfaceconfig command, you have the potential to disconnect yourself from the
GUI or CLI, depending on how you are connected to the appliance. Do not disable
services with this command if you are not able to reconnect to the appliance using
another protocol, the Serial interface, or the default settings on the Management port.
In this example, the Management interface is edited to enable FTP access on port 21 (the
default port):
Figure A-3 Edit IP Interface Page
Note
Note — Remember to commit your changes before moving on to the next step.
2. Access the interface via FTP. Ensure you are using the correct IP address for the interface.
For example:
ftp 192.168.42.42
Many browsers also allow you to access interfaces via FTP. For example:
ftp://192.10.10.10
A P P E N D I X A : A C C E S S I N G T H E A P P L I A N C E 531
IRONPORT ASYNCOS 4.7 USER GUIDE
3. Browse to the directory for the specific task you are trying to accomplish. After you have
accessed an interface via FTP, you can browse the following directories to copy and add
(“GET” and “PUT”) files. See Table 3 on page 532.
/avarchive Created automatically for logging via the System Administration -> Logging page
/bounces or the logconfig and rollovernow commands. See the “Logging” chapter
/cli_logs in the IronPort AsyncOS Advanced User Guide for a detailed description of each
/delivery log.
/error_logs
See “Log File Type Comparison” in the Logging chapter for the differences
/ftpd_logs
between each log file type.
/gui_logs
/mail_logs
/rptd_logs
/sntpd.logs
/status
/system_logs
/configuration The directory where data from the following pages and commands is exported to
and/or imported (saved) from:
• Virtual Gateway mappings (altsrchost)
• configuration data in XML format
(saveconfig, loadconfig)
• Host Access Table (HAT) Page (hostaccess)
• Recipient Access Table (RAT) Page (rcptaccess)
• SMTP Routes Page (smtproutes)
• alias tables (aliasconfig)
• masquerading tables (masquerade)
• message filters (filters)
• global unsubscribe data (unsubscribe)
• test messages for the trace command
/brightmail The Brightmail Anti-Spam scanning feature log files are kept here.
/antivirus The directory where the Sophos Anti-Virus engine log files are kept. You can
inspect the log files this directory to manually check for the last successful
download of the virus definition file (scan.dat).
532
S E C U R E C O P Y ( scp) A C C E S S
/MFM The Mail Flow Monitoring database directory contains data for the Mail Flow
Monitor functionality available from the GUI. Each subdirectory contains a
README file that documents the record format for each file.
You can copy these files to a different machine for record keeping, or load the
files into a database and create your own analysis application. The record format
is the same for all files in all directories; this format may change in future releases.
/saved_reports The directory where all periodic reports configured on the system are stored. (See
“Exporting Tables from System Summary Reports” on page 363.)
4. Use your FTP program to upload and download files to and from the appropriate
directory.
In this example, the same file is copied from the appliance to the client machine:
% scp admin@mail3.example.com:configuration/text.txt .
admin@mail3.example.com's password: (type the password)
test.txt 100% |****************************| 1007
00:00
A P P E N D I X A : A C C E S S I N G T H E A P P L I A N C E 533
IRONPORT ASYNCOS 4.7 USER GUIDE
You can use secure copy (scp) as an alternative to FTP to transfer files to and from the IronPort
appliance.
Note
Note — Only users in the operators and administrators group can use secure copy (scp) to
access the appliance. For more information, see “Adding Additional Users” on page 460.
9 RI I Ring indicator
534
B
APPENDI X
This appendix describes general rules on networks and IP address assignments, and it presents
some strategies for connecting the IronPort appliance to your network.
Topics included in this appendix include:
• “Ethernet Interfaces” on page 536
• “Selecting IP Addresses and Netmasks” on page 537
• “Strategies for Connecting Your IronPort Appliance” on page 540
A P P E N D I X B : A S S I G N I N G N E T W O R K A N D I P A D D R E S S E S 535
IRONPORT ASYNCOS 4.7 USER GUIDE
E T H E R NE T I N T E R F A C E S
The IronPort X1000, C600, and C300 appliances are equipped with as many as four Ethernet
interfaces located on the rear panel of the system depending on the configuration (whether or
not you have the optional optical network interface). They are labeled:
• Management
• Data1
• Data2
• Data3
• Data4
The IronPort C60 and C30 appliances are equipped with three Ethernet interfaces located on
the rear panel of the system. They are labeled:
• Management
• Data1
• Data2
The IronPort C10/100 appliance is equipped with two Ethernet interfaces located on the rear
panel of the system. They are labeled:
• Data1
• Data2
536
SELECTING IP ADDRESSES AND NETMASKS
SE L E C TI NG IP A D DR E S S E S A N D N E T M A S K S
When you configure the network, the IronPort appliance must be able to uniquely select an
interface to send an outgoing packet. This requirement will drive some of the decisions
regarding IP address and netmask selection for the Ethernet interfaces. The rule is that only
one interface can be on a single network (as determined through the applications of netmasks
to the IP addresses of the interfaces).
An IP address identifies a physical interface on any given network. A physical Ethernet
interface can have more than one IP address for which it accepts packets. An Ethernet
interface that has more than one IP address can send packets over that interface with any one
of the IP addresses as the source address in the packet. This property is used in implementing
Virtual Gateway technology.
The purpose of a netmask is to divide an IP address into a network address and a host address.
The network address can be thought of as the network part (the bits matching the netmask) of
the IP address. The host address is the remaining bits of the IP address. The number of bits in a
four octet address that are significant are sometimes expressed in CIDR (Classless Inter-
Domain Routing) style. This is a slash followed by the number of bits (1-32).
A netmask can be expressed in this way by simply counting the ones in binary, so
255.255.255.0 becomes “/24” and 255.255.240.0 becomes “/20”.
Data addressed to 192.168.1.X (where X is any number 1-255, except for your own
address, 10 in this case) will go out on Int1. Anything addressed to 192.168.0.X will go out
on Int2. Any packet headed for some other address not in these formats, most likely out on a
WAN or the Internet, will be sent to the default gateway which must itself be on one of these
networks. The default gateway will then forward the packet on.
A P P E N D I X B : A S S I G N I N G N E T W O R K A N D I P A D D R E S S E S 537
IRONPORT ASYNCOS 4.7 USER GUIDE
Network 2:
The network addresses (network parts of the IP addresses) of two different interfaces cannot be
the same.
This situation presents a conflict in that two different Ethernet interfaces have the same
network address. If a packet from the IronPort appliance is sent to 192.168.1.11, there is no
way to decide which Ethernet interface should be used to deliver the packet. If the two
Ethernet interfaces are connected to two separate physical networks, the packet may be
delivered to the incorrect network and never find its destination. The IronPort appliance will
not allow you to configure your network with conflicts.
You can connect two Ethernet interfaces to the same physical network, but you must construct
IP addresses and netmasks to allow the IronPort appliance to select a unique delivery
interface.
Ethernet IP
Management 192.19.0.100
data1 192.19.1.100
data2 192.19.2.100
538
SUMMARY
Summary
The IronPort appliance must always be able to identify a unique interface over which a packet
will be delivered. To make this decision, the IronPort appliance uses a combination of the
packet’s destination IP address, and the network and IP address settings of its Ethernet
interfaces. The following table summarizes the preceding examples:
A P P E N D I X B : A S S I G N I N G N E T W O R K A N D I P A D D R E S S E S 539
IRONPORT ASYNCOS 4.7 USER GUIDE
ST R A T E GI E S FO R C ON N E CT I NG YOU R I RO N PO R T A P P L I A N CE
Keep these things in mind when connecting your IronPort appliance:
• Administrative traffic (CLI, web interface, log delivery) traffic is usually small compared to
email traffic.
• If a majority of your email uses mail merge, the amount of email traffic being delivered
will be vastly greater than the data being injected.
• If two Ethernet interfaces are connected to the same network switch, but end up talking to
a single interface on another host downstream, or are connected to a network hub where
all data are echoed to all ports, no advantage is gained by using two interfaces.
• SMTP conversations over an interface operating at 1000Base-T will be slightly faster than
ones over the same interfaces operating at 100Base-T, but only under ideal conditions.
• There is no point in optimizing connections to your network if there is a bottleneck in
some other part of your delivery network. Bottlenecks most often occur in the connection
to the Internet and further upstream at your connectivity provider.
The number of IronPort appliance interfaces that you choose to connect and how you address
them should be dictated by the complexity of your underlying network. It is not necessary to
connect multiple interfaces if your network topology or data volumes do not call for it. It is
also possible to keep the connection simple at first as you familiarize yourself with the
gateway and then increase the connectivity as volume and network topology require it.
540
C
APPENDI X
Firewall Information
The following table lists the possible ports that may need to be opened for proper operation of
the IronPort appliance (these are the default values).
Table C-1 Firewall Ports
20/21 TCP In or Out AsyncOS IPs, FTP Server FTP for aggregation of log files.
22 TCP In AsyncOS IPs SSH access to the CLI, aggregation of log files.
22 TCP Out SSH Server SSH aggregation of log files.
22 TCP Out SCP Server SCP Push to log server
23 Telnet In AsyncOS IPs Telnet access to the CLI, aggregation of log
files.
23 Telnet Out Telnet Server Telnet upgrades, aggregation of log files (not
recommended).
25 TCP Out Any SMTP to send email.
25 TCP In AsyncOS IPs SMTP to receive bounced email or if injecting
email from outside firewall.
25 TCP In AsyncOS IPs Brightmail Quarantine (optional)
40125 TCP Out Brightmail Quarantine Brightmail Quarantine (optional)
80 TCP In AsyncOS IPs, HTTP access to the GUI for system
downloads.ironport.com monitoring.
AsyncOS and also Sophos upgrades are
retrieved via HTTP from port 80.
53 UDP In & Out DNS Servers DNS if configured to use Internet root servers
or other DNS servers outside the firewall. Also
for SenderBase queries.
110 TCP Out POP Server POP authentication for end users for IronPort
Spam Quarantine
123 UDP In & Out NTP Server NTP if time servers are outside firewall.
A P P E N D I X C : F I R E W A L L I N F O R M A T I O N 541
IRONPORT ASYNCOS 4.7 USER GUIDE
143 TCP Out IMAP Server IMAP authentication for end users for IronPort
Spam Quarantine
161 UDP In AsyncOS IPs SNMP Queries
162 UDP Out Management Station SNMP Traps
389 LDAP In & Out LDAP Servers LDAP if LDAP directory servers are outside
3268 firewall. LDAP authentication for IronPort
Spam Quarantine
443 TCP In AsyncOS IPs Secure HTTP (https) access to the GUI for
system monitoring.
443 TCP In aztec.brightmail.com Brightmail Rules are downloaded directly over
HTTPS, by default, unless a proxy server is
configured.
443 TCP Out phonehome.senderbase.or Receive/Send Virus Outbreak Filters
g
514 UDP/TCP Out Syslog Server Syslog logging
628 TCP In AsyncOS IPs QMQP if injecting email from outside
firewall.
2222 CCS In & Out AsyncOS IPs Cluster Communication Service (for
Centralized Management).
6025 TCP In & Out AsyncOS IPs IronPort Spam Quarantine
542
D
APPENDIX
Glossary
Allowed Hosts
Computers that are allowed to relay email through the IronPort appliance via a private
listener. Allowed hosts are defined by their hostnames or IP addresses.
Blacklist
A list of known bad senders. By default, senders in the Blacklist sender group of a public
listener are rejected by the parameters set in the $BLOCKED mail flow policy.
Brightmail Anti-Spam
Brightmail’s system for spam detection and filtering. This includes the Brightmail Probe
Network, the Brightmail Logistics and Operations Center (BLOC™), the anti-spam rules, and
the Brightmail software integrated into the IronPort appliance.
CIDR Notation
Classless Inter-Domain Routing. A convenient shorthand for describing a range of IP
addresses within their network contexts using an arbitrary number of bits. Using this notation,
you note the network prefix part of an address by adding a forward slash (/) followed by the
number of bits used for the network part. Thus a Class C network can be described in prefix
notation as 192.168.0.1/24. A CIDR specification of 206.13.1.48/25 would include any
address in which the first 25 bits of the address matched the first 25 bits of 206.13.1.48.
Content Filters
Content-based filters used to process messages during the Per-Recipient Scanning phase of the
work queue in the email pipeline. Content filters are evoked after Message filters, and act on
individual splintered messages.
Conversational Bounce
A bounce that occurs within the SMTP conversation. The two types of conversational bounces
are hard bounces and soft bounces.
A P P E N D I X D : G L O S S A R Y 543
IRONPORT ASYNCOS 4.6 USER GUIDE
Debounce Timeout
The amount of time, in seconds, the system will refrain from sending the identical alert to the
user.
Delayed Bounce
A bounce that occurs within the SMTP conversation. The recipient host accepts the message
for delivery, only to bounce it at a later time.
Delivery
The act of delivering email messages to recipient domains or internal mail hosts from the
IronPort appliance from a specific IP interface. The IronPort appliance can deliver messages
from multiple IP interfaces within same physical machine using Virtual Gateway technology.
Each Virtual Gateway contains a distinct IP address, hostname and domain, and email queue,
and you can configure different mail flow policies and scanning strategies for each.
You can tailor the configuration of the delivery that the IronPort appliance performs, including
the maximum simultaneous connections to remote hosts, the per-Virtual Gateway limit of
maximum simultaneous connections to the host, and whether the conversations to remote
hosts are encrypted.
DNS
Domain Name System. See RFC 1045 and RFC 1035. DNS servers on a network resolve IP
addresses to hostnames, and vice versa.
DoS attack
Denial of Service attack, can also be in the form of DDos (Distributed Denial of Service
Attack). An attack on a network or computer, the primary aim of which is to disrupt access to
a given service.
DSN
Delivery Status Notification, a bounced message.
Email Security Manager
A single, comprehensive dashboard to manage all email security services and applications on
IronPort appliances. Email Security Manager allows you to manage Virus Outbreak Filters,
Anti-Spam, Anti-Virus, and email content policies — on a per-recipient or per-sender basis,
through distinct inbound and outbound policies. See also Content Filters.
Envelope Recipient
The recipient of an email message, as defined in the RCPT TO: SMTP command. Also
sometimes referred to as the “Recipient To” or “Envelope To” address.
Envelope Sender
The sender of an email message, as defined in the MAIL FROM: SMTP command. Also
sometimes referred to as the “Mail From” or “Envelope From” address.
544
GLOSSARY
False Negative
A spam or virus message that was not detected as such.
False Positive
A message falsely categorized as spam or as containing a virus.
Greylist
A list of suspected senders. The IronPort appliance includes a greylist in the form of the
Suspectlist sender group.
The Suspectlist sender group contains a mail flow policy that throttles, or slows, the rate of
incoming mail. If senders are suspicious, you can add them to the Suspectlist sender group,
where the mail flow policy dictates that rate limiting limits the maximum number of messages
per session, maximum recipients per hour, the maximum number of recipients per message,
the maximum message size, and/or the maximum number of concurrent connections you are
willing to accept from a remote host.
GUI
Graphical User Interface. The GUI is the HTML-based alternative to the command line
interface (CLI) for system monitoring and configuration of the IronPort appliance. The GUI is
also the delivery vehicle for the Mail Flow Monitor feature, a powerful web-based console
that provides complete visibility into all enterprise mail traffic of the IronPort appliance.
HAT
Host Access Table. The HAT maintains a set of rules that control incoming connections from
remote hosts for a listener. Every listener has its own HAT. HATs are defined for public and
private listeners, and contain mail flow policies and sender groups.
A P P E N D I X D : G L O S S A R Y 545
IRONPORT ASYNCOS 4.6 USER GUIDE
IDE File
Virus Definition File. An IDE file contains signatures or definitions used by anti-virus software
to detect viruses.
LDAP
Lightweight Directory Access Protocol. A protocol used to access information about people
(including email addresses), organizations, and other resources in an Internet directory or
intranet directory.
Listener
A listener describes an email processing service that will be configured on a particular IP
interface. Listeners only apply to email entering the IronPort appliance — either from the
internal systems within your network or from the Internet. IronPort AsyncOS uses listeners to
specify criteria that messages must meet in order to be accepted and relayed to recipient
hosts. You can think of a listener as an “email injector” or even a “SMTP daemon” running for
each IP address you specify.
IronPort AsyncOS differentiates between public listeners — which by default have the
characteristics for receiving email from the Internet — and private listeners that are intended
to accept email only from internal (groupware, POP/IMAP, and other message generation)
systems.
Log Subscription
Creation of log files that monitor the performance of the IronPort appliance. The log files are
stored in local disk(s) and can also be transferred and stored in a remote system. Typical
attributes of a log subscription include: name, component to monitor (email operations,
server), format, and transfer method.
MAIL FROM
See Envelope Sender.
546
GLOSSARY
MTA
Mail Transfer Agent, or Messaging Transfer Agent. The program responsible for accepting,
routing, and delivering email messages. Upon receiving a message from a Mail User Agent or
another MTA, the MTA stores a message temporarily locally, analyses the recipients, and
routes it to another MTA (routing). It may edit and/or add to the message headers. The IronPort
appliance is an MTA that combines hardware, a hardened operating system, application, and
supporting services to produce a purpose-built, rack-mount server appliance dedicated for
enterprise messaging.
MUA
Mail User Agent. The program that allows the user to compose and read email messages. The
MUA provides the interface between the user and the Message Transfer Agent. Outgoing mail
is eventually handed over to an MTA for delivery.
MX Record
Specifies the MTA on the Internet responsible for accepting mail for a specified domain. A
Mail Exchange record creates a mail route for a domain name. A domain name can have
multiple mail routes, each assigned a priority number. The mail route with the lowest number
identifies the primary server responsible for the domain. Other mail servers listed will be used
as backup.
Non-Conversational Bounce
A bounce that occurs due to a message being returned after the message was accepted for
delivery by the recipient host. These can be soft (4XX) or hard (5XX) bounces. You can
analyze these bounce responses to determine what to do with the recipient messages (e.g. re-
send soft bounced recipient messages and remove hard bounced recipients from database).
NTP
Network Time Protocol. The ntpconfig command configures IronPort AsyncOS to use
Network Time Protocol (NTP) to synchronize the system clock with other computers.
Open Relay
An open relay (sometimes called an “insecure relay” or a “third party” relay) is an SMTP email
server that allows unchecked third-party relay of email messages. By processing email that is
neither for nor from a local user, an open relay makes it possible for an unknown senders to
route large volumes of email (typically spam) through your gateway. The listenerconfig
and systemsetup commands prevent you from unintentionally configuring your system as
an open relay.
Queue
In the IronPort appliance, you can delete, bounce, suspend, or redirect messages in the email
queue. This email queue of messages for destination domains is also referred to as the
delivery queue. The queue of messages waiting to be processed by Brightmail Anti-Spam or
message filter actions is referred to as the work queue. You can view the status of both queues
using the status detail command.
A P P E N D I X D : G L O S S A R Y 547
IRONPORT ASYNCOS 4.6 USER GUIDE
RAT
Recipient Access Table. The Recipient Access Table defines which recipients will be accepted
by a public listener. The table specifies the address (which may be a partial address or
hostname) and whether to accept or reject it. You can optionally include the SMTP response
to the RCPT TO command for that recipient. The RAT typically contains your local domains.
Rate Limiting
Rate limiting limits the maximum number of messages per session, the maximum number of
recipients per message, the maximum message size, the maximum recipients per hour, and
the maximum number of concurrent connections you are willing to accept from a remote
host.
RCPT TO
See Envelope Recipient.
Receiving
The act of receiving email messages on a specific listener configured on an IP interface. The
IronPort appliance configures listeners to receive email messages — either inbound from the
Internet, or outbound from your internal systems.
Reputation Filter
A way of filtering suspicious senders based on their reputation. The SenderBase Reputation
Service provides an accurate, flexible way for you to reject or “throttle” suspected spam based
on the connecting IP address of the remote host.
Sender Group
A sender group is simply a list of senders gathered together for the purposes of handling email
from those senders in the same way (that is, applying a mail flow policy to a group of senders).
A sender group is a list of senders (identified by IP address, IP range, host/domain, SenderBase
Reputation Service classification, SBRS score range, or DNS List query response) separated by
commas in a listener’s Host Access Table (HAT). You assign a name for sender groups, as well
as mail flow policies.
Sophos Anti-Virus
Sophos Anti-Virus provides cross-platform anti-virus protection, detection and disinfection.
through a virus detection engine which scans files for viruses, Trojan horses and worms. These
programs come under the generic term of malware, meaning “malicious software.” The
similarities between all types of malware allow anti-virus scanners to detect and remove not
only viruses, but also all types of malicious software.
548
GLOSSARY
Spam
Unwanted, Unsolicited Commercial bulk Email (UCE/UBE). Anti-spam scanning identifies
email messages that are suspected to be spam, according to its filtering rules.
STARTTLS
Transport Layer Security (TLS) is an improved version of the Secure Socket Layer (SSL)
technology. It is a widely used mechanism for encrypting SMTP conversations over the
Internet. The IronPort AsyncOS operating system supports the STARTTLS extension to SMTP
(Secure SMTP over TLS), described in RFC 2487.
TOC
Threat Operations Center. This refers to all the staff, tools, data and facilities involved in
detecting and responding to virus outbreaks.
Whitelist
A list of known good senders. Add senders you trust to the Whitelist sender group. The
$TRUSTED mail flow policy is configured so that email from senders you trust has no rate
limiting enabled, and the content from those senders is not subject to anti-spam scanning.
A P P E N D I X D : G L O S S A R Y 549
IRONPORT ASYNCOS 4.6 USER GUIDE
550
Index
552
DNS 541 for quarantine 370
authoritative server 479 editasipsetmp 228
disabling reverse DNS lookup timeout 480 editing DNS settings via GUI 481
double lookup 91, 117, 145 email
priority 479 clean message 144
servers 40, 51, 520 email injector
setting 40, 51, 520 see listener
splitting 479 end user quarantine
timeout 479 message details 403
timeout for reverse DNS lookups 480 enterprise gateway 23
DNS cache, flushing 480 Enterprise Gateway configuration 75
DNS servers 479 envelope sender DNS verification 118
DNS settings 481 Ethernet interfaces 74, 536
DNS TXT record 407 evaluation key for Brightmail 45, 57, 237, 281
dnsconfig command 478 evaluation key for IronPort Anti-Spam 45, 57, 222
dnsflush command 480 evaluation key for Sophos 58
Domain Keys 406 evaluation key for Virus Outbreak Filters 45, 58
canonicalization 409 exception table
DNS text record 413 adding entries 125
DNS TXT record 409 exit command 22
domain profile 406 explained 118
enabled on a RELAY outgoing mail flow policy 406
enabled via mail flow policy 84 F
exporting domain profiles 414 factory configuration 36
importing domain profiles 415 feature key 450
importing signing keys 412 feature keys
selector 409 adding (GUI) manually 451
signing 406 featurekey command 60, 223, 237, 281
signing key size 408 final entry, in HAT 101, 103
testing a domain profile 414 firewall 516
verification 406 firewall ports 541
verifying signatures 406 footer
Domain Name Service (DNS) adding to messages 342
settings 40, 51, 520 footer stamping 342, 343
domain profile multiple encodings 344
deleting all existing profiles 415 forcing updates 285
exporting 414 FTP 527, 541
importing 415 FTP Access 531
removing domain profiles 415 fully-qualified domain name 92
testing 414
DomainKey-Signature header 407, 409 G
domains 154 gateway configuration 73
dotted decimal form 41, 51 getting started 23
double-DNS verified 146 graph 141, 154
DTD (document type definition) 492 graphical user interface
dummy accounts 212 see GUI
graphs 422
E GUI
Early Expiration accessing 13
553
IRONPORT ASYNCOS 4.7 USER GUIDE
554
end user authentication 388 Outgoing Mail 140
IMAP/POP authentication 398 sender detail listing 145
LDAP authentication 398 summary table 144
LDAP referrals 389 Time Range menu 144
message variables 391 mail flow policies
notification 367 $ACCEPTED 96
priority 383 $BLOCKED 96, 102
receiving multiple notifications 400 $RELAYED 102
stripping "SMTP:" in the LDAP query 388 $THROTTLED 96
testing LDAP settings 389 $TRUSTED 96
testing notifications 399 definition of 91
deleting via GUI 108
K editing via GUI 104, 108
key size 408 for private listener 102
keys 450 for public listener 96
HAT parameters for 81
L in GUI 12, 139, 417
language MAIL FROM 172, 173
specifying a default language for IronPort Spam configuring for notifications 7, 464
Quarantine 386 mail policies 163
last command 463 "Listener" key 178
LDAP 542 adding users 182
mail policy 181 example of anti-spam settings 179
LDAP authentication First Match Wins 166
testing settings (IronPort Spam quarantine) 389 LDAP 181
lifespan 241 ordering content filters 198
listener removing users 182
adding footers 342 mail trend graph 141
configuring 73 mailconfig command 59, 495
definition 74 mailing lists
listenerconfig command 74 notifications 385
loadconfig command 496 malware
log subscription defined 278
Brightmail 246 maximum
IronPort Anti-Spam 229 concurrent connections in HAT 82
Sophos 290 message size in HAT 82
logconfig command 273 messages per connection in HAT 82
logging in to GUI 14 recipients per hour in HAT 83, 213
logical IP interface 41, 50 recipients per hour, in systemsetup 52, 55
lookup recipients per message in HAT 82
DNS A 91, 117 mbox-format log file 229, 246, 290
DNS PTR 91, 117 message filter action variables
using in footers 343
message filter for SBRS 207
M
message splintering
Mail Flow Monitor 139, 141, 159
defined 167
Advanced view 146
message variables
Basic view 146
IronPort Spam quarantine notifications 391
Domains Displayed menu 146
M-Series appliance
mail trend graph 144
555
IRONPORT ASYNCOS 4.7 USER GUIDE
556
R saved spam 265
RAT SBRS
bypassing recipients 130 none 95
bypassing recipients (CLI) 131 testing 212
bypassing recipients (GUI) 130 SBRS see Senderbase Reputation Service Score
rate limiting 102, 104 sbstatus command 213
RCPT TO 151, 172, 173, 354 scp command 533
RCPT TO command 129 secure copy 533
real-time data 426 selecting a notification 347
real-time, changes to HAT 101 sender
reboot command 444 adding senders to sender groups via GUI 108
received header 270 sender group
receiving control, bypass 130 adding via GUI 105
receiving email, configuring to 73 BLACKLIST 101
Recipient Access Table (RAT) deleting via GUI 107
default entries 131 editing via GUI 106
definition 129 SUSPECTLIST 101
editing via CLI 132 UNKNOWNLIST 101
rules 129 WHITELIST 101
syntax 129 Sender Groups 82
reconfigure 36, 518 sender groups
recursive DNS queries 480 adding via GUI 107
redirecting email 42 sender verification
relaying email 80 malformed MAIL FROM and default domain 119
relaying messages 51, 74 sender verification exception table 119
removing 489 SenderBase 83, 102, 541
reports SBO in sender groups 95
archiving 352 SenderBase Affiliate network 205
reputation filtering 203, 215 SenderBase Network Owner Identification Number 92
resetconfig command 446 SenderBase Reputation Score 95, 110, 205, 432
resetcounters command 428 SenderBase Reputation Scores, syntax in CLI 95
resetting 446 SenderBase Reputation Service 139, 154, 204
resume command 445 SenderBase Reputation Service Score 94
Retention Time SenderBase, querying 95
for quarantine 369 separate window icon 143
Reverse DNS Lookup serial connection pinouts 534
disabling 480 serv.fail 118
reverse DNS lookup 85 Service Updates page 485
timeout 479 services for interfaces 527
RFC sethostname command 478
2047 370 setup 23
2821 3 showconfig command 495
821 165 shutdown command 444
822 165 shutting down 444
root servers (DNS) 40, 51, 520 significant bits
routing taking precendence over selected interface 538 set in mail flow policy 83
signing key
S size 408
saveconfig command 496 signing keys
557
IRONPORT ASYNCOS 4.7 USER GUIDE
deleting all existing keys 413 Symantec Brightmail HTTPS proxy 487
removing specific keys 413 synchronizing time 39, 59, 521
SMTP 541 system administration 443
banner host name 82 system clock 39, 59, 521
banner text 81 system monitoring through the GUI 12, 417
code 81 System Overview page 426
HELO command 101 system quarantine 368
messages 75 system setup 23
response 129 system setup wizard 36
testing Brightmail 265 System Status page 428
testing IronPort Anti-Spam 234 system time
SMTP Authentication setting 39, 59, 521
HAT entry 84 systemsetup command 49
SMTP daemon
see injector T
see listener tabs in GUI 15
SMTP Routes TCPREFUSE 81
USEDNS 9 Telnet 18, 527, 541
Sophos testing
evaluation key 45, 58, 281 Brightmail Anti-Spam 264
updates 285 IronPort Anti-Spam 232
Sophos virus scanning Sophos virus engine 298
filters 291 system setup 59
sorting dictionary terms 331 testing HAT variables 86
spam 235 text resources
altering the subject line of 227, 229, 244, 246 content dictionary 327
archiving 227, 229, 244, 246 third-party relay 131
including a custom X-Header in 227, 229, 244, Threat Level Threshold
247 recommended default 305
sending to an alternate address 227, 229, 244, 247 setting 305
sending to an alternate mailhost 227, 229, 244, threat level threshold 311
246 Threat Operations Center (TOC) 142, 302
testing 232, 264 thresholds, in SenderBase Reputation Scores 95
spam message 144 throttling 101, 203, 215
spoofing IP addresses 205 time servers 39, 59, 521
square brackets 18 time zone 488
SSH 18, 541 Time Zone page 488
SSH protocol 498 time zone, setting 39, 59, 521
disabling SSH1 499 time, system 39, 59, 521
SSH1 TLS 388
disabling 499 trace command 212, 431
sshconfig command 498 Trace page 431
stopped by reputation filtering 144 Transport Layer Security (TLS) 84
subnet 41, 51 trustworthiness 95
subpages in GUI 15 turning off 444
supportrequest command 449
SUSPECTLIST sender group 101 U
suspend command 444 unclassified recipients 152
suspicious senders, throttling 101 UNKNOWNLIST sender group 101
558
unsolicited commercial email 204 W
update server 486 web interface
upgrade server 453 enabling 51
upgrades 541 weekly status updates 59
user accounts 460 weight of appliance 27
user accounts, limits 460 WHITELIST sender group 101, 293
user groups 460 whitespace 229, 246, 290
user name 461 who command 462
user password length 462 whoami command 463
user types 460 width of appliance 27
using HAT variables 85 wizard
system setup 23, 36
V word boundary matching 331
verdict cache 241
verifying senders X
exception table 125 X-advertisement header 234, 265
version 428 X-BrightmailFiltered header 249
Virtual Gateway technology 74 X-IronPort-Anti-Spam header 232
virus definition X-IronPort-Anti-Spam-Filtered header 232
automatic update interval 486 X-IronPort-AV header 287
Virus Description Language (VDL) 280 XML 12, 442, 490, 492, 495
virus message 144 XML Status feature 442
Virus Outbreak Filter
rule 304 Y
Virus Outbreak Filters yellow (highlighted) rows in GUI, meaning 147, 152
Adaptive rules defined 303
Adaptive Scanning 310
alerts 318
always rule 312
anti-virus updates 307
bypassed file extensions 314
clear current rules 312
enabling alerts 311
evaluation key 45, 58
multiple scores 307
Outbreak rules defined 302
re-evaluating messages 307, 308
reporting incorrectly quarantined messages 319
setting a threat level threshold 311
skipping 174
SNMP Traps 318
updating rules 312
using without anti-virus scanning 304
virus outbreaks
reporting 305
Virus Threat Level (VTL)
defined 302
559
IRONPORT ASYNCOS 4.7 USER GUIDE
560