Administration Guide
for IronMail 6.5.4
Copyright
© 2008 Secure Computing Corporation. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a
retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.
Trademarks
Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail,
IronIM, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, Cyberguard, SnapGear, Total
Stream Protection, Webwasher, Strikeback and Web Inspector are trademarks of Secure Computing Corporation, registered in the U.S. Patent
and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, SecurityReporter, Application Defenses, Central
Management Control, RemoteAccess, SecureWire, TrustedSource, On-Box, Securing connections between people, applications and networks
and Access Begins with Identity are trademarks of Secure Computing Corporation.
9. EXPORT RESTRICTIONS. You agree to comply with all applicable United States export control laws, and regulations, as from time to time
amended, including without limitation, the laws and regulations administered by the United States Department of Commerce and the United
States Department of State. You have been advised that the Software is subject to the U.S. Export Administration Regulations. You shall not
export, import or transfer Software contrary to U.S. or other applicable laws, whether directly or indirectly, and will not cause, approve or
otherwise facilitate others such as agents or any third parties in doing so. You represent and agree that neither the United States Department of
Commerce nor any other federal agency has suspended, revoked or denied your export privileges. You agree not to use or transfer the Software
for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government by
regulation or specific license.
10. U.S. GOVERNMENT RIGHTS. Any Software or Documentation acquired by or on behalf of a unit or agency of the United States
Government is “commercial computer software” or “commercial computer software documentation” and, absent a written agreement to the
contrary, the Government’s rights with respect to such Software or Documentation are limited by the terms of this Agreement, pursuant to FAR §
12.212(a) and its successor regulations and/or DFARS § 227.7202-1(a) and its successor regulations, as applicable.
11. ENTIRE AGREEMENT. This Agreement is our offer to license the Software and Documentation to you exclusively on the terms set forth in
this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have submitted (or hereafter submit) different,
additional, or other alternative terms to Secure Computing or any reseller or authorized dealer, whether through a purchase order or otherwise,
we object to and reject those terms. Without limiting the generality of the foregoing, to the extent that you have submitted a purchase order for
the Software, any shipment to you of the Software is not an acceptance of your purchase order, but rather is a counteroffer subject to your
acceptance of this Agreement without any objections or modifications by you. To the extent that we are deemed to have formed a contract with
you related to the Software prior to your acceptance of this Agreement, this Agreement shall govern and shall be deemed to be a modification of
any prior terms in their entirety.
12. GENERAL. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and signed by Secure
Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such holding shall not affect the validity of the
other provisions of this Agreement. You may not assign this License Agreement or any associated transactions without the written consent of
Secure Computing. This License Agreement shall be governed by and construed in accordance with the laws of California, without regard to its
conflicts of laws provisions.
Publication history
BEFORE YOU BEGIN
Who should read this addendum
You should read this addendum if you are responsible for configuring and managing one or
more IronMail® appliances. The addendum assumes you are familiar with networks and
network terminology. You should also be familiar with the internet and its associated terms and
applications. Please take a few minutes to become acquainted with the documentation.
How this addendum is organized
This addendum provides current information about features and functions that have been
added to IronMail or enhanced since the publication of the IronMail 6.5.1 Administration
Guide. The addendum is composed of chapters that correspond to major program areas in
IronMail, as identified by the tabs at the top of IronMail’s main window, and to the
corresponding sections of the Administration Guide.
How to use this addendum
This addendum should have been delivered to you in PDF format. You can navigate through
the addendum by clicking a line in the Table of Contents (each line is a hyperlink to the page it
references).
Figure 2: Index navigation
The listings in the Index are also clickable. There, the page numbers are links to the locations
in the text. You can navigate with a simple click of your mouse.
Figure 3: Chapter navigation
You will also be able to navigate within the text of the PDF version, using the following aids:
Conventions
Names of buttons, tabs, keys, etc., or other items that receive an action from the window will
appear in boldface type. Examples: Submit - Next - Reset.
User interface bookmarks
Within IronMail itself, you will find the ability to set bookmarks. These markers will allow you to
navigate quickly to screens you visit frequently. Using these bookmarks permits easy access
to specific screens.
Figure 5: Bookmark list
When you click the Bookmarks link at the upper right of the IronMail window, the Bookmarks
list opens. All bookmarks you have added are listed. The window also includes commands for
saving bookmarks and for clearing all the bookmarks on the list.
Your first log-in
IronMail provides a window that appears the first time a user logs into the Web Administration
interface.
Figure 6: First-time opening window
The primary section of this window is entitled “What’s New?” Here you will find a list of new
features included in IronMail version 6.5.4. When you click on any item in the list, it expands to
offer a brief explanation of that feature.
CHAPTER 1 Anti-Spam Features
TrustedSource features
IronMail includes significant additions to TrustedSource functionality since IronMail 6.5.1. The
new functionality includes the following:
• TrustedSource whitelisting, and
• TrustedSource queries for LDAP rejections.
The information that follows refers to new functionality. Further information about
TrustedSource may be found in Chapter 15 of the IronMail 6.5.1 Administration Guide.
TrustedSource whitelisting
IronMail provides the capability to whitelist IP addresses from TrustedSource reputation
queries. The details surrounding this capability follow.
TS whitelist rules
• The Administrator must be able to add an IP address using the existing whitelisting window
and set TrustedSource as the sub-feature to be whitelisted.
• Anti-Spam and TrustedSource must be the only selections in such a rule.
• SMTPProxy will read IP based rules which have a bypass list value of Anti-Spam/TrustedSource,
and use them when it performs the TrustedSource lookup.
• The Administrator must create a policy including the rules that need to be evaluated.
Policy attributes are not evaluated, so the policy could be global, user based, etc. The
policy indicates explicitly the rules to be used. This allows the Administrator to create
certain rules that may not be used immediately, and helps extend this feature to VIPs in the
future.
• IronMail will not use whitelist rules created on filters other than IP address, and will ignore
the direction (inbound/outbound) in the whitelist rule.
• Just before TrustedSource lookup is initiated, SMTP proxy will look up the address in
memory. If it is present, it will send TrustedSource a special parameter to let it know that
this message should not be flagged.
• IronMail will log the result of TrustedSource lookup, but will not evaluate it for further action.
• IronMail will continue processing as if the TrustedSource lookup reports the IP address as
neutral.
To create a TrustedSource whitelist rule, navigate to the Whitelist - Manage Rules window
(Compliance > Whitelist > Create).
Figure 7: Creating a TrustedSource rule
Field - Description
Who - Select from the drop down list the type of entity to be whitelisted by this rule. For a TS
rule, the only allowable option is IP Address.
Data - In this field, enter the data that defines the particular entity you have chosen to
whitelist. For a TS rule, an IP address is required.
File - If you wish, you may import a list of whitelist entries from a file, if the entries are in the
proper format. For format information, see Appendix 5 in the IronMail 6.5.1 Administration Guide.
Export (hyperlink) - If you wish, you may export this file (listing your whitelist entries) to save
it as a backup, etc. Click the Export hyperlink.
Direction - Click the appropriate radio button to determine the message direction for which the
rule will apply.
• Inbound
• Outbound
• Both
Queue - Select Anti-Spam as the queue for which you want to select processes to be bypassed.
Bypass - When you select queue(s), the processes managed by that queue will appear in the
Bypass list. Select TrustedSource as the rule to bypass.
When you have finished entering the required information, click Submit. The rule will be
created, and will appear on the Whitelist - View Rules window (Compliance > Whitelist >
View).
You may apply the TrustedSource whitelist rule just as you would any other.
Since the LDAP query occurs before TrustedSource, the message will be dropped if all
recipients are rejected. No TrustedSource query will be required.
Bayesian retraining
IronMail improvements involve Bayesian analysis and retraining. They include:
• Better token utilization and management, and
• Improved training, including the handling of smaller datasets.
Specific features are explained below. The information that follows refers to new functionality.
Further information about Bayesian analysis and training may be found in Chapter 17 of the
IronMail 6.5.1 Administration Guide.
Ham retraining
As part of Secure Computing’s ongoing efforts to improve Bayesian training and effectiveness,
Bayesian training is being enhanced to include training on outbound messages. Bayesian
functionality will be trained using all messages being sent outbound from the enterprise, so
long as each message has multiple recipients. Messages destined to a single recipient will not
be used for training.
IronMail also allows you to send “ham,” or legitimate email, to a special email account. This
mail will be used for retraining the Bayesian classifier, similar to the way spam messages have
been supplied in the past.
To configure this feature, enter the ham notification address in the data field on the User Spam
Reporting - Configure window.
If a message is sent to the ham address and that message contains an embedded image, or if
it has an image attached, the image will be added to the list of whitelisted images for the
specific IronMail’s Image Spam Classifier.
Note: Image Spam Classifier requires that SuperQueue be manually restarted before it will
recognize whitelisted items.
IronMail includes a provision to allow you to enable training on outgoing messages (as ham).
As Figure 11 reveals, the Bayesian - Configure window includes a checkbox that allows the
Administrator to enable or disable training. This option may be used to alleviate overemphasis
on spam messages for Bayesian training.
Administrator-released messages
IronMail provides the ability to specify messages that will be used for Bayesian training, much
the way EUQ-released messages are used.
To specify messages for training, select the messages on the Quarantine Queue Message List
window, then click the button at the top of the window, as indicated in Figure 10. Any
messages you have selected will be used for Bayesian and ISC training.
Bayesian training can be done for additional tokenization methods; Secure Computing can
apply added methods if customers have issues with those available in the GUI.
The content of the drop down list will be managed by the Research group, so that all effective
methods are available to the Administrator. If you encounter spam effectiveness issues and
Support determines that a different Bayes method would help, additional methods can be
made available to you.
Classifying spam
Two additional spam classification engines are now included in IronMail:
The information that follows refers to new functionality that you may access in SpamProfiler.
Further information about SpamProfiler may be found in Chapter 14 of the IronMail 6.5.1
Administration Guide.
Note: This feature is not related to the Image Analysis feature already in IronMail. That feature is
primarily concerned with pornographic or objectionable material.
Images may be added to the whitelist and blacklist by informing Support and allowing them to
be added. The lists are not user-configurable, and will be maintained by Secure Computing.
The only user-configurable option for ISC is the ability to enable or disable it from the Spam
Profiler configuration window. ISC is disabled by default.
1. The ISC sorts the images it detects in a message and selects the three largest (the number
of images processed is configurable upon request by Support).
2. It checks the whitelist to look for a match. If it finds a match, it skips the image.
3. The ISC checks size heuristics. If the image is too large or too small, ISC skips it.
4. The Support Vector Machine (SVM) applies algorithms to determine the likelihood that the
image is spam.
5. The ISC checks the blacklist to see if the image matches known spam images.
6. The ISC returns a raw score for the image to the Spam Profiler. By default, the score will
be 0 if the image is determined not to be spam, and 50 points if it is spam. A confidence
value will be applied to the raw score.
Default scores for the Spam Profiler may be reconfigured by Support upon request.
The Image Spam Classifier reduces throughput when processing e-mail messages with
images.
If a message is greater than 100 KB in size, a setting in Spam Queue Properties will cause it
to bypass spam queue and therefore bypass the ISC. The setting is configurable by the
DSC is a framework for delivery of fast-reaction detection methods to IronMail to fight spam
outbreaks. The benefits are:
Note: DSC is implemented to deliver better protection from the latest spam outbreaks. It does not
replace TRU, Spam Queue, or any other detection method on IronMail.
DSC will deliver a series of methods that will look at specific heuristics of a file. Whenever
DSC is updated, it will replace or override the previous one, which allows for retirement of
methods no longer necessary. In addition, if a certain method continues to be used, it can
become a candidate for inclusion as an IronMail feature.
DSC runs as the last feature when Spam Queue runs. Spam Queue will pass messages to the
DSC, where they will be compared to the current methods. DSC will then hand the message
back with an associated score to contribute to the Spam Profile score. Every message that
goes through Spam Queue will be sent to DSC. The only exceptions are:
• Messages larger than a preconfigured size, which can vary as necessary for the method;
• Messages that have received TrustedSource scores greater than 100 points or less than
-100 points;
• Messages that have been whitelisted for DSC, as discussed below.
The individual scores from each DSC module will be visible in the X-header of the message,
and in the message log files.
You can enable or disable the DSC on the SpamProfiler - Configure window. It is listed as a
potential contributor to the Spam Profile along with other spam detection features. To enable it,
select the Enable check box. You do not need to supply a threshold or confidence value. It is
disabled by default.
Updating DSC
The frequency of DSC updates will be based on research and evaluation of new spam threats.
The updates will be delivered as ThreatResponse Signatures, which can be delivered as
frequently as every twenty minutes. The delivery method will be the same as for any other
ThreatResponse Signature update.
If you have DSC enabled and have configured IronMail to allow automatic TRU updates at
System > Updates > Configure Auto Updates, updated DSC files will be installed automatically.
Whitelisting
If you so choose, you can whitelist messages from DSC. You must select Anti-Spam from the
Queue list, then you can select Dynamic Spam Classifier from the Bypass list.
Reporting
The message count stopped by DSC will be included on any report that reports overall spam
(Executive Summary, Domain Executive Summary, Spam Action Summary) or in the totals for
any report that shows messages blocked by SpamProfiler (Overall Spam Summary, Top Spam
Lists).
Connection Control
IronMail’s connection control functionality has been improved by including LDAP rejections in
the TrustedSource query, and by enabling a TrustedSource query on IP addresses before they
are added to the deny list.
The information that follows refers to new functionality. Further information about Connection
Control may be found in Chapter 15 of the IronMail 6.5.1 Administration Guide.
Important: If you wish to use LDAP connection control, and the IronMail appliance is protected by
an Edge appliance, you must add the Edge appliance to the connection control exclude list.
Important: For connection control functionality requiring TrustedSource information, you must have
TrustedSource enabled, and the IP address being checked must not be whitelisted for
TrustedSource.
Backscatter Protection
When hackers create spam or phishing messages using forged (spoofed) source addresses
belonging to a company’s domain, that company can experience denial of service attacks
under certain conditions. Where the fraudulent email’s recipient address doesn’t exist, the
spoofed company can be flooded with email bounces. In the worst cases, a mail loop occurs
when the message is bounced to a non-existent sender address.
The information that follows refers to new functionality. Further information about phishing
threats may be found in Chapter 15 of the IronMail 6.5.1 Administration Guide.
Bounce Address Tag Validation (BATV) is a method for determining whether the return
address specified in a bounced email is valid. The goal is to reject bounced messages to
forged return addresses.
• DSN Bounce Verification will not work if IronMail or a BATV-compatible device with
matching Address Tagging key is not used for outbound mail delivery.
• If there are multiple IronMails on site, they must share the same hash code.
• Recipients of outgoing messages will not be able to see the header code.
• You should allow a delay time to allow the DSNs to filter through your system.
To configure this feature, navigate to the DSN Bounce Verification Protection - Configure
window (Anti-Spam > Anti-Spam Advanced > DSN Bounce Verification Protection).
Field - Description
Enable DSN Verification Protection - Select the check box to enable DSN Verification
Protection on this IronMail. The protection is disabled by default.
Select Action - Select the proper radio button to configure the action IronMail should take
when a message fails bounce protection. Options are:
• Log verification failure - IronMail creates a log entry for the failed
message, but the message will still be received.
• Log and block verification failure - IronMail creates a log entry for
the failure and drops the message.
Address Tagging Key - Enter the text for the tagging key (in plain text) that will be included in
the mail recipient addresses that are supported by this IronMail. A minimum of four characters
is required; the maximum number allowed is fourteen characters.
Note: If multiple BATV-capable devices exist on site, they must all have the same key.
Incoming DSNs are considered expired after __ days - Specify the number of days before
incoming DSNs are considered expired, even if otherwise valid, by selecting the number of days
from the drop down list.
When the configuration options have been properly set, click Submit.
The feature solves the BATV issue by generating a unique hash (the tagging key) and
including it in the header of all outgoing email messages. If a bounced email doesn’t include
this header code, IronMail takes the configured action on that message (log only, or log and
drop).
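A sketch of the tag-and-verify cycle this feature relies on, added here for illustration; it is not IronMail's implementation, whose tag format the guide does not describe. It assumes the `prvs=` return-path tag from the public BATV Internet-Draft (key digit, three-digit expiry day, six hex digits of HMAC-SHA1); the function names, action labels and sample addresses are constructed.

```python
import hashlib
import hmac
import re

SECONDS_PER_DAY = 86400
# Assumed tag layout: prvs=<key digit><3-digit expiry day><6 hex MAC digits>=<address>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+@.+)$", re.IGNORECASE)


def check_key(key):
    """Apply the length limits the guide gives for the Address Tagging Key."""
    if not 4 <= len(key) <= 14:
        raise ValueError("tagging key must be 4 to 14 characters")
    return key.encode("utf-8")


def _mac(key_bytes, key_num, day, address):
    # Case-fold the address so a relay that changes case does not break the
    # check (a simplification; local parts are formally case-sensitive).
    msg = (key_num + day + address.lower()).encode("utf-8")
    return hmac.new(key_bytes, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, key, now, lifetime_days, key_num="0"):
    """Outbound: rewrite the envelope sender so that bounces carry a keyed tag."""
    key_bytes = check_key(key)
    day = "%03d" % ((int(now // SECONDS_PER_DAY) + lifetime_days) % 1000)
    mac = _mac(key_bytes, key_num, day, address)
    return "prvs=%s%s%s=%s" % (key_num, day, mac, address)


def verify_bounce(rcpt, key, now):
    """Inbound DSN: return (verdict, original address or None)."""
    key_bytes = check_key(key)
    m = PRVS_RE.match(rcpt)
    if m is None:
        return "untagged", None
    key_num, day, mac, address = m.groups()
    expected = _mac(key_bytes, key_num, day, address)
    if not hmac.compare_digest(expected, mac.lower()):
        return "bad-tag", None
    # Day numbers wrap at 1000, so compare modulo 1000: a result in the upper
    # half of the range means the expiry day is already behind us.
    remaining = (int(day) - int(now // SECONDS_PER_DAY)) % 1000
    if remaining >= 500:
        return "expired", address
    return "valid", address


def handle_dsn(rcpt, key, now, action):
    """Map a verdict to the guide's two actions: 'log' or 'log-and-block'."""
    verdict, _ = verify_bounce(rcpt, key, now)
    if verdict == "valid":
        return "accept", None
    log_line = "DSN bounce verification failed (%s) for <%s>" % (verdict, rcpt)
    return ("drop" if action == "log-and-block" else "accept"), log_line


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp
    tagged = tag_sender("alice@example.com", "S3cretKey", NOW, 7)
    print("outbound return path:", tagged)
    cases = [
        (tagged, "S3cretKey"),               # genuine bounce, same key
        (tagged, "OtherKey"),                # second device with a different key
        ("alice@example.com", "S3cretKey"),  # backscatter to an untagged address
    ]
    for rcpt, key in cases:
        print(handle_dsn(rcpt, key, NOW, "log-and-block"))
```

The second case in the demo shows why every BATV-capable device on site must hold the same key: a genuine bounce arriving at a device with a different key fails verification.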
IronMail allows users to have a unique (controlled expiration) link for accessing their
quarantined messages, rather than receiving a new link each time they get EUQ notices. The
Administrator can control the expiration frequency of the links for security purposes, and can
refresh them at any time should the need arise.
To configure the expiration of these links or to refresh them for other reasons, navigate to the
End User Quarantine - Configure window (Anti-Spam > Advanced > End User Quarantine >
Configure).
Configuration of the new functionality requires populating new fields at the bottom of the
window. The rest of the configuration process is unchanged.
Field - Description
EUQ Link Expiration - Choose the correct radio button to determine the expiration rule you
prefer. Options are:
• Always - the EUQ links will expire immediately (no persistent links)
• Never - the links will never expire, but will remain available
permanently unless refreshed by the Administrator
• A specific number of days - enter the length of time you want the links
to stay active unless they are refreshed by the Administrator.
EUQ Link Notification - From the drop down list, select the particular notification to be sent to
users when the links expire or when they are refreshed.
Note: When the information in these two fields is correctly entered, click
Submit to establish the expiration cycle.
EUQ Link Refresh - If you wish to refresh the EUQ links, select the correct radio button to
identify the specific links to be affected. Options are:
• Refresh for All Users - selecting this option will refresh all unique
links associated with this IronMail appliance
• Refresh for Specific Users - selecting this option requires you to
enter one or more complete email addresses in the data field. Multiple
addresses must be entered as a comma-separated list.
Note: When you have determined which links are to be refreshed, click
Refresh.
The notices users are to receive can be configured in the Mail Notification windows. IronMail is
delivered with a default EUQ Link Notification that cannot be edited or deleted. To view the
notice, navigate to the Mail Notification - Manage window (Compliance > Advanced
Compliance > Mail Notification).
You may also add your own custom notice by clicking Add New at the bottom of the screen.
Select the type of notification you want to create, then enter the required information, just as
you would for any other type of mail notification. More information about configuring mail
notifications may be found in Chapter 13 of the IronMail 6.5.1 Administration Guide.
The dynamic hop count feature allows you to specify the hop count of messages, identifying
the entities that are to be reported by TrustedSource. The feature is important for companies
that have complex networks, such as multiple paths to their email systems. It tells
TrustedSource what to check and in what position it should occur when reporting a reputation
score.
Dynamic hop count is configured on the Realtime Blackhole List window. The newly-added
segment from the bottom of that window appears in Figure 18.
• Connecting IP, header string and header position - all conditions must be met;
• Connecting IP only - set the hop count for the specified IP; or,
• Header string and header position - set the hop count for matches on the header string and
position, for all IPs. The received header is checked to see if the header string occurs in
the specified header position.
• You must always specify the header string and header position together. You must have
both.
• You cannot specify a header string with a position of 0, which implies the header string is
NULL (matching is done for the connecting IP only).
The actual processing using dynamic hop count occurs in smtpproxy, where the
TrustedSource lookup happens.
IronMail has extended the Dynamic Hop Count functions to additional anti-spam features,
including SenderID, Reverse DNS and System Defined Header Analysis. Settings that were
formerly limited to RBL now apply globally to these features, to ensure they analyze the
correct IP address.
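An added illustration of the rule logic described above (not IronMail code): it checks rules against the two constraints, matches the three rule types, and picks the IP address to submit for a reputation lookup. Assumptions: the class and function names, first-match rule order, header positions counted from the topmost Received header, and hop count N meaning the IP recorded in the Nth Received header (0 being the connecting IP); the sample headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# First bracketed IPv4 literal in a Received header, e.g. "([203.0.113.7])".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class HopRule:
    hop_count: int                       # which hop's IP to evaluate (assumed numbering)
    connecting_ip: Optional[str] = None  # None = applies to all connecting IPs
    header_string: Optional[str] = None  # None = no header condition
    header_position: int = 0             # 0 = no header condition

    def validate(self):
        has_string = bool(self.header_string)
        has_position = self.header_position > 0
        # The guide: string and position must always be given together, and a
        # string with position 0 is not allowed.
        if has_string != has_position:
            raise ValueError("header string and header position must be set together")
        if not has_string and not self.connecting_ip:
            raise ValueError("rule needs a connecting IP or a header string/position")

    def matches(self, connecting_ip, received):
        if self.connecting_ip and self.connecting_ip != connecting_ip:
            return False
        if self.header_string:
            idx = self.header_position - 1
            if idx >= len(received) or self.header_string not in received[idx]:
                return False
        return True


def ip_to_query(connecting_ip: str, received: List[str], rules: List[HopRule]) -> str:
    """Return the IP whose reputation should be looked up for this message."""
    for rule in rules:
        rule.validate()
        if not rule.matches(connecting_ip, received):
            continue
        if rule.hop_count > 0 and rule.hop_count <= len(received):
            m = BRACKETED_IP.search(received[rule.hop_count - 1])
            if m:
                return m.group(1)
        break  # matched, but no usable header: fall back to the connecting IP
    return connecting_ip


# Constructed sample: mail reaches the appliance through an internal edge relay,
# so the connecting IP (10.0.0.5) says nothing about the real sender.
SAMPLE_RECEIVED = [
    "from mail.sender.example ([203.0.113.7]) by edge-relay.corp.example with ESMTP",
    "from workstation ([198.51.100.23]) by mail.sender.example with ESMTPSA",
]
SAMPLE_RULES = [
    HopRule(hop_count=1, connecting_ip="10.0.0.5",
            header_string="by edge-relay.corp.example", header_position=1),
]

if __name__ == "__main__":
    print(ip_to_query("10.0.0.5", SAMPLE_RECEIVED, SAMPLE_RULES))    # relayed mail
    print(ip_to_query("192.0.2.44", SAMPLE_RECEIVED, SAMPLE_RULES))  # direct connection
```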
IronMail allows you to enter non-ASCII characters as input for the “add header” action in Spam
Profiler. Users whose languages use characters outside ASCII can take advantage of this
action. To add a header to a message that has been identified as spam, navigate to the Spam
Profiler - Configure window. Select the check box, then enter the name you want to appear as
the added header.
If the subject line is written in a character set that IronMail does not support, it will be
converted to UTF-8.
Further information about IronMail actions and action values may be found in Appendix 8 of
the IronMail 6.5.1 Administration Guide.
CHAPTER 2 IntrusionDefender Features
LDAP features
IronMail’s LDAP functionality has been enhanced to allow secure communication with the
LDAP server, and to allow support for an additional user attribute, User Identification (UID).
The information that follows refers to new functionality. Further information about LDAP may
be found in Chapter 23 of the IronMail 6.5.1 Administration Guide.
Secure LDAP
This feature provides the capability for IronMail to communicate with the LDAP server over a
secure tunnel. Three radio buttons on the LDAP Profile - Add Definition window allow you to
select the mode and set the appropriate port. Three modes are possible:
For Microsoft Active Directory, the port for non-secure communication and for the TLS mode is
3268; the port for SSL communication is 3269. For other platforms, the non-secure/TLS port is
389, and the SSL port is 636.
The proper default port for the selected platform will populate the Port field when you select
the mode.
Note: The Administrator can change the port by simply typing over the default.
Some LDAP platforms, such as Domino, e-Directory and OpenLDAP support the variable. The
UID replaces the user name to the left of the @ sign in the email address. IronMail supports
the variable within the search filter when it queries the LDAP server.
SMTP on custom TCP ports
Since some companies have a need for their mail servers to listen for SMTP traffic on ports
other than port 25, IronMail allows the Administrator to define the destination SMTP ports for
mail delivery on the Domain Routing - Add Mapping window. The option is available only for
inbound static and outbound static routes.
The information that follows refers to new functionality. Further information about Domain
Routing may be found in Chapter 22 of the IronMail 6.5.1 Administration Guide.
The process for adding a new static route remains much as it has been, with one change to
the window. The Port field has been added, where you may enter a valid port ID to specify the
custom port you desire.
When the configuration has been entered properly, click Submit. The Domain Routing
Mapping - Manage window will update to show the newly-designated port.
CHAPTER 3 Queue Manager Features
In this chapter...
Dynamic Quarantine
Enabling and disabling Dynamic Quarantine from the UI
TrustedSource score variable in Dynamic Quarantine
Automatic shut-off
Dynamic Quarantine
The information that follows refers to new functionality. Further information about Dynamic
Quarantine may be found in Chapter 5 of the IronMail 6.5.1 Administration Guide.
IronMail includes enhancements to Dynamic Quarantine, allowing better Administrative
control and the ability to add rules based on TrustedSource scores. Details are shown below.
• through a TrustedSource lookup that returns a score within a preconfigured range; or,
• using rules that have been deployed as part of a TRUSign package.
IronMail provides the ability to add rules based on a TrustedSource score variable to the
TRUSign rules, in addition to rules based on subject, attachment name, attachment format,
and message size.
Automatic shut-off
Dynamic Quarantine will automatically disable itself if available disk space falls below 30% of
the system’s capacity. This feature is intended to prevent performance degradation or other
problems that may result from inadequate disk space.
CHAPTER 4 Compliance Features
Whitelisting features
The information that follows refers to new functionality. Further information about whitelisting
may be found in Chapter 12 of the IronMail 6.5.1 Administration Guide.
IronMail’s whitelisting capabilities have received three refinements, allowing increased
capabilities and expanded administrative options:
If the Exclusive check box is selected, when IronMail receives a message with multiple
recipients and one of the recipients is whitelisted, but the others are not, the message will be
processed as if no one is whitelisted. The other recipients must also be explicitly whitelisted in
order for the message to bypass processing.
Whitelist entries are created on the Whitelist - Manage Rule window. The only change to the
creation process comes with the addition of one check box, labeled Don’t Expire. If the
Administrator selects this check box, the entry will remain until it is manually deleted by the
Administrator.
When the whitelist entry is configured properly, click Submit. The Whitelist - View Rules
window will refresh to include the new entry.
On the Cleanup Schedule - Configure window (Administration > Cleanup Schedule), the
Administrator sets the schedule for deletion of unused rules. The deletion occurs based on the
length of time that has expired since the entry was last used. The last hit date appears on the
View Rules window, as shown in Figure 28.
Field: Description
File Type: Choose the Whitelist rules file type from the drop down list. Then click Select. The
window will refresh to appear as it does in the screen shot above.
Admin Whitelist Cleanup Interval: Enter the length of time in hours that must expire since an
Administrator-created rule was last hit. When a rule’s last use is beyond this number of hours,
the rule is set for cleanup.
EUQ Whitelist Cleanup Interval: Enter the length of time in hours that must expire since an End
User Quarantine-created rule was last hit. When a rule’s last use is beyond this number of
hours, the rule is set for cleanup.
Frequency Schedule: Clicking this button enables creation of a fixed-interval schedule for the
Cleanup cycle. The Administrator may select an interval in hours (1 hour to 72 hours) between
cycles.
Note: You must choose either Frequency Schedule or Detailed Schedule. Enabling one disables the
other.
Detailed Schedule: This option allows creation of a specifically detailed schedule for the
Cleanup cycle. The schedule is configured in two steps:
• The left side of the window displays a list of days of the week. Select the day during which
the cleanup cycle is to run. You may select only one day at a time. However, after you submit
the detailed schedule for one day, you can do it again for another day and the system will
accumulate the daily schedules. It is therefore possible to create individual detailed
schedules for all seven days per week.
• The right side of the window contains check boxes for each of the 24 hours in a day. Clicking
a check box enables IronMail to run Auto Cleanup at that time on the designated day. You may
select from 0 to 24 cleanup times per day.
Content Analysis Features
The information that follows refers to new functionality. Further information about Content
Analysis may be found in Chapter 8 of the IronMail 6.5.1 Administration Guide.
Two new features have been added to Content Analysis Dictionaries:
After logging into your IronMail appliance, click on the Compliance tab. In the left column
menu, expand Content Analysis, then click Dictionaries.
In this example, we will add a new dictionary that uses the pre-defined regular expressions.
2 Enter a name for the new dictionary. In this example, we will simply name it “regex_test.”
3 Accept the default settings for the remaining fields, then click Submit.
Figure 32: Dictionaries updated
6 From the Content Type pulldown menu, select Regular Expressions. The window will
change and display the following options.
7 From the Enter Regular Expression field pulldown menu, select the type you want to use.
In this example, we use the U.S. Social Security Number.
Figure 36: Predefined headers
In this example, we will add a new dictionary that uses regular expressions along with the
validation algorithms.
2 Click Add New.
Figure 39: Adding a new dictionary
3 Enter a name for the new dictionary. In this example, we will simply name it
“regex_validation.”
4 Accept the default settings for the remaining fields, then click Submit.
7 From the Content Type pulldown menu, select Regular Expressions. The window will
change and display the following options.
Field: Description
Enter Regular Expression: Select “Custom” then type the regular expression you want to use.
Validation Algorithm: From the pulldown menu, select the validation algorithm to use for
validating your regular expression. Choices are:
• Mod 10 - also known as the Luhn algorithm, a simple checknumber formula used to validate
various ID numbers, including credit card numbers and Canadian Social Insurance Numbers.
• CUSIP - a 9-character alphanumeric identifier for North American securities, created by the
Committee on Uniform Security Identification.
• ISIN - international security identifying number, used to identify securities such as bonds,
commercial paper, equities and warrants.
Test Value: Enter a value to test against if you wish to test your regular expression.
Weight: Enter a value to represent the score contribution for one instance of this entry.
Include: Click the checkbox to include this entry in the dictionary's message scans.
Scan Area: Select one or more parts of the message that should be included in the dictionary's
scan for this entry.
Contribution Type: Click the radio button to determine whether the entry will be counted only
once per message, no matter how many times it appears, or will contribute the amount configured
as Maximum Contribution.
Side Note: Enter any explanatory or identifying text you wish to associate with this entry.
8 Click Submit.
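The pairing of a regular expression with a Mod 10, CUSIP or ISIN validation algorithm, worked through as an added Python example (not IronMail code): the pattern finds candidates and the check digit confirms them before the Weight is applied. The `score_entry` helper, its `once` and `cap` parameters (assumed stand-ins for Contribution Type and Maximum Contribution), the patterns and the sample message are constructed for illustration.

```python
import re

CUSIP_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ*@#"  # index = character value

def mod10(s):
    """Mod 10 (Luhn): double every second digit from the right, sum the digits."""
    s = re.sub(r"[ -]", "", s)               # tolerate space/hyphen separators
    if not re.fullmatch(r"[0-9]{2,}", s):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def cusip(s):
    """CUSIP: the ninth character is a check digit over the first eight."""
    s = s.upper()
    if len(s) != 9 or s[8] not in CUSIP_CHARS[:10]:
        return False
    total = 0
    for i, c in enumerate(s[:8]):
        v = CUSIP_CHARS.find(c)
        if v < 0:
            return False
        v *= 2 if i % 2 else 1                # every second character is doubled
        total += v // 10 + v % 10
    return (10 - total % 10) % 10 == int(s[8])

def isin(s):
    """ISIN: letters expand to 10..35, then Mod 10 runs over the digit string."""
    s = s.upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9A-Z]{9}[0-9]", s):
        return False
    return mod10("".join(str(int(c, 36)) for c in s))

def score_entry(text, pattern, validator, weight, once=False, cap=None):
    """Hypothetical scorer: only validated matches count; once/cap are assumptions."""
    hits = [m.group() for m in re.finditer(pattern, text) if validator(m.group())]
    score = (weight if once else weight * len(hits)) if hits else 0
    if cap is not None:
        score = min(score, cap)
    return score, hits

# Constructed sample message; the valid numbers are public test/reference values.
SAMPLE = ("Card 4111 1111 1111 1111, typo 4111 1111 1111 1112; "
          "CUSIP 037833100, ISIN US0378331005, mistyped ISIN US0378331006.")
CARD_RE = r"\b(?:\d{4}[ -]?){3}\d{4}\b"
ISIN_RE = r"\b[A-Z]{2}[0-9A-Z]{9}[0-9]\b"
```

Without the validator, both 16-digit strings in the sample would score; with Mod 10 only the one whose check digit is correct does, which is how the validation step cuts false positives from number-shaped text.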
Message stamping
The information that follows refers to new functionality. Further information about Message
Stamping may be found in Chapter 13 of the IronMail 6.5.1 Administration Guide.
The following character sets have been added to IronMail, to be used for Message Stamping
only:
• Korean ks_c_5601-1987
– An alternative alias character set may be used - CP949
• Latin9 (ISO) iso-8859-15
• Thai (Windows) win-874
• Turkish (ISO) iso-8859-9
• Turkish (Windows) win-1254
• Unicode (utf7) utf-7
Chapter 5: Reporting Features
Message Blocking
The information that follows refers to new functionality. Further information about IronMail
Reports may be found in Chapter 31 of the IronMail 6.5.1 Administration Guide.
A Message Blocking report has been added to the list of available reports from IronMail. It is a
PDF report, accessible from the Reports window, as shown in Figure 44.
Clicking on the link for the Message Blocking report will take you to a window where you can
see the most recent report and where you can access others by clicking the appropriate links.
In the upper section of the window, you can configure the archiving and transfer method for
the report just as you would for any other. For the Message Blocking Report in particular,
you must also specify the Connection to Message ratio by selecting the Industry
Standard or Admin Defined ratio. If you select the Admin Defined setting, you will also
specify the maximum number of messages allowed per connection by entering a number from
1 to 100 in the data field.
You may elect to disable the report, create the report, or create and email it by selecting the
desired options associated with the report name as shown.
A sample report
Figure 46 shows a current day’s report as it appears in IronMail. The Reports window allows
you to determine the period of time the report should represent. It provides a simple Total
Messages Summary for quick review, followed by a detailed report that shows messages
blocked by each IronMail feature.
The Detail section tracks both connections and messages blocked by IronMail. Information for
the current day is presented graphically and numerically, including trends over time. The two
numerical tables represent connection-layer blocking and application-layer blocking,
respectively. Connection-layer blocking (the table to the left) is concerned with the
connections blocked and the associated messages that were not allowed into IronMail.
Application-layer blocking (the table to the right) shows messages blocked as a result of
IronMail’s actions on messages it processed.
The lower portion of the current report lists available reports for today and the recent past. If
you click View for any available report, you will be allowed to open or save that day’s report in
PDF format, as illustrated in Figure 47.
SNMP polling
IronMail includes an SNMP polling feature that allows a polling station or
package to collect data from the IronMail appliance via the SNMP protocol. This feature is
helpful in mapping alert events to SNMP traps. The IronMail appliance publishes a MIB view
that allows “read only” access to data to be used in processing a variety of queries. No
“write” access is permitted, so the data remains secure. The feature allows the Administrator
to set the polling interval.
Field: Description
Service: This field contains the service name. In this case, the name is Internal-snmpd2, the
name of the SNMP polling service. Click the name to configure the polling time interval.
Auto-Start: A red X or green check icon indicates whether or not the service is set to start
automatically when the IronMail appliance is rebooted. If an icon is green, the service will
begin running when IronMail restarts. In addition, if the icon is green, IronMail’s Health
Monitor will restart any service except SMTPO that has stopped for any reason when it performs
its tests on all appliance subsystems. If an icon is red, the service will not start on reboot,
nor when Health Monitor runs its system tests.
Note: A service can continue to run after its auto-start setting is turned off.
The red and green light icons are hyperlinks. Clicking the icon/hyperlink toggles the auto-start
option on and off.
Running: A red or green light icon indicates whether or not the service is currently running.
In some situations, the Running icon may not refresh when clicked, i.e. change from green to
red. If the icon does not toggle as expected, click the Mail Services - Configure hyperlink in
the left navigation frame of the Web Administration interface to refresh the page, rather than
clicking the Running icon a second time.
Service Uptime: This column indicates (in days, hours, minutes, and seconds) how long a service
has been running since it was last restarted.
If the “uptime” appears less than expected, it may indicate that the service was manually
stopped and restarted by an administrator, or was stopped by an administrator and was restarted
automatically by IronMail’s Health Monitor.
If you click the service name, the following window will appear.
On this window, you can set the polling interval by entering a time in seconds. The allowable
range is from 60 to 3600 seconds. This interval defines the wait time between SNMP polling
occurrences.
Before IronMail’s SNMP traps can provide all the available information to the SNMP service,
you must compile the appropriate IronMail MIB file within your SNMP application. You can
download the MIB you will need for SNMP polling from the Support KnowledgeBase, article
7220. The file you need to download is CT-SNMP-PUBLIC-MIB.txt.
Chapter 6: System Feature
Improved TRUSign update process
The information that follows refers to new functionality. Further information about
ThreatResponse updates may be found in Chapter 35 of the IronMail 6.5.1 Administration
Guide.
ThreatResponse updates are a critical asset that enables Administrators to ensure they have
the best and latest protection configuration settings for their IronMail appliance. However,
there are situations wherein specific settings should not be overwritten when a new
ThreatResponse Signature (TRUSign) update is installed. For example, a custom Content
Analysis dictionary may have been created to meet the unique needs of the organization.
IronMail provides the capability to block changes to feature configuration when new updates
are installed.
Administrators can lock current configuration settings to be kept as they are, either individually
or as a group.
Important: If you want to protect any of the existing configuration settings in your system, you must
lock those settings prior to installing new TRUSign updates.
Prior to installing any updates, you have the option of locking current settings.
If you select this option, all your existing rules will remain as they are. None will be overwritten.
Note: Selecting the Locked option on the Auto Updates window overrides the Locked check
boxes on the SpamProfiler - Configure window. Choose one method or the other for locking your
configuration.
You may also lock the current settings for specific features by navigating to the SpamProfiler -
Configure window. As the screen shot shows, most features that appear in SpamProfiler have
a checkbox that allows you to lock them. If you select the check box next to a feature, the
current settings will be maintained, while those for unchecked features will be overwritten.
Special configurations
As Figure 52 illustrates, some features do not offer the locking option on the SpamProfiler
window. Realtime Blackhole Lists, System Defined Header Analysis and User Defined Header
Analysis require their own configuration methods.
Note: Selecting the locking option on the AutoUpdates window will protect the settings for these
features, just as it does for all the others.
As shown in Figure 53, you can configure each zone you add to your RBL as you add it.
Checking the Locked check box causes the entry to be protected when new TRUSign
updates are added.
For SDHA and UDHA, each filter has its own checkbox by which you can protect the current
configuration. You can select the individual filters from the lists, as you can see in Figure 54.
Part Number: 86-0948263-A
Software Version: IronMail 6.5.4
Product names used within are trademarks of their respective owners.
© 2008 Secure Computing Corporation. All rights reserved.