
McAfee Email Gateway

Administration Guide
version 6.7.2
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD,
MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS,
PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL
PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the
sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN
THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A
FULL REFUND.

License Attributions
MD5 portions Copyright (C) 1995, Board of Trustees of the University of Illinois (C) Copyright 1993,1994 by Carnegie Mellon University. Copyright (c) 1991
Bell Communications Research, Inc. (Bellcore). Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991.
expat-lite portions Copyright (c) 1998, 1999 James Clark.
Regex portions Copyright 1992, 1993, 1994 Henry Spencer
expat xml parser library portions Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper
mod_mime_magic portions Copyright (c) 1996-1997 Cisco Systems, Inc, Copyright (c) Ian F. Darwin, 1987
mod_imap portions "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com
zb test and ab support portions Copyright (C) Zeus Technology Limited 1996
Cheetah portions Copyright 2001, The Cheetah Development Team: Tavis Rudd, Mike Orr, Ian Bicking, Chuck Esterbrook
Dom4J License portions Copyright 2001-2005 (C) MetaStuff, Ltd.
GIFLIB distribution portions Copyright (c) 1997 Eric S. Raymond
ICONV portions Copyright (C) 2003 Hye-Shik Chang
LibPNG versions 1.2.6, August 15, 2004, through 1.2.39, August 13, 2009 portions Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, Contributing
Authors Cosmin Truta
LibNet portions Copyright (c) 1998 - 2001 Mike D. Schiffman mike@infonexus.com http://www.packetfactory.net/libnet.
M2Crypto portions Copyright (c) 1999-2004 Ng Pheng Siong, Portions copyright (c) 2004-2006 Open Source Applications Foundation., Portions copyright
(c) 2005-2006 Vrije Universiteit Amsterdam.
NetSNMP portions Copyright 1989, 1991, 1992 by Carnegie Mellon University Derivative Work - 1996, 1998-2000 Copyright 1996, 1998-2000 The Regents
of the University of California, Copyright (c) 2001-2003, Networks Associates Technology, Inc., Portions of this code are copyright (c) 2001-2003,
Cambridge Broadband Ltd., Copyright California 95054, U.S.A. Copyright (c) 2003-2008, Sparta, Inc. Copyright (c) 2004, Cisco, Inc and Information
Network Center of Beijing University of Posts and Telecommunications. Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com
Author: Bernhard Penz.
Numeric portions Copyright (c) 2005, NumPy Developers.
OpenLDAP portions Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA.
OpenSSH portions Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland, Cryptographic attack detector for ssh portions Copyright (c) 1998 CORE
SDI S.A., Buenos Aires, Argentina, ssh-keyscan portions Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>, Rijndael implementation by Vincent
Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain, One component of the ssh source code portions Copyright (c) 1983, 1990, 1992,
1993, 1995 The Regents of the University of California. Remaining components portions copyright holders: Markus Friedl, Theo de Raadt, Niels Provos,
Dug Song, Aaron Campbell, Damien Miller, Kevin Steves, Daniel Kouril, Wesley Griffin, Per Allansson, Nils Nordman, Simon Wilkinson
OpenSSL portions Copyright (c) 1998-2008 The OpenSSL Project. SSL implementations portions Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com).
PIL portions Copyright (c) 1997-2006 by Secret Labs AB Copyright (c) 1995-2006 by Fredrik Lundh
PyASN1 portions Copyright (c) 2005, 2006 Ilya Etingof ilya@glas.net
Python portions Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation;
PySNMP portions Copyright (c) 1999-2006, Ilya Etingof ilya@glas.net
ReportLab portions Copyright (c) 2000-2004, ReportLab Inc.
ripMIME portions Copyright (c) 2000 P.L.Daniels
strace portions Copyright (c) 1991, 1992 Paul Kranenburg pk@cs.few.eur.nl, Copyright (c) 1993 Branko Lankester branko@hacktic.nl, Copyright (c) 1993
Ulrich Pegelow pegelow@moorea.uni-muenster.de, Copyright (c) 1995, 1996 Michael Elizabeth Chastain mec@duracef.shout.net, Copyright (c) 1993,
1994, 1995, 1996 Rick Sladkey jrs@world.std.com, Copyright (C) 1998-2001 Wichert Akkerman wakkerma@deephackmode.org
Tiff portions Copyright (c) 1988-1997 Sam Leffler, Copyright (c) 1991-1997 Silicon Graphics, Inc.

Issued October 2009 / McAfee Email Gateway version 6.7.2


Contents
About this Document 15

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Dashboard
1 The Dashboard 19
About the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuring the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Special navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
System charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Queue charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Dashboard reports and summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Mail IPS status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Health Monitor summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Services status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Connection blocking status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
SpamProfiler status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
System utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Updates status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Alert status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
WebMail protection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Encryption status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Queue Manager
2 Email Gateway Queues 29
About the queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
SuperQueue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Rip Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Content Extraction Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Anti-Virus Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Content Analysis Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Envelope Analysis Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Anti-Spam Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Corporate Compliance Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Join Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Outbound Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Non-processing queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Quarantine Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Failures Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3 Queue Information 33
About the Queue Information window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Quarantined messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Current messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Queue activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Viewing messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Searching messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Quarantined messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Current messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Processed messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

McAfee Email Gateway 6.7.2 Administration Guide 3

Compliance Officer searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Dynamic Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Dynamic Quarantine rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Dynamic Quarantine process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Viewing the results of Dynamic Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4 Advanced Queue Manager Topics 49

Configuring queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring SuperQueue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring the sub-queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Changing the queue order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
About quarantine types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Using the Quarantine Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

5 Remote Quarantine 61
About Remote Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Central Quarantine Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Which features use Remote Quarantine? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
General implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
High-level process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuration of the CQS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Setting quarantine types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
End User Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Setting the Cleanup Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Dual Central Quarantine Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configuring CQS2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
If CQS1 fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Compliance
6 Compliance Overview 77
About Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Snapshot reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

7 Content Analysis 79
About Content Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Editing and searching an existing dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Editing the search option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Viewing dictionary content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Searching dictionary content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Adding content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Editing existing dictionary content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Adding a new Content Analysis dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Adding the content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Managing content rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Adding a new rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Editing dictionary rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Applying content rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Adding a new policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Editing an existing application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Dictionary report configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Adding a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Editing a report configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

8 Advanced Compliance 101
About Advanced Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Advance Compliance engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Key concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Managing Advanced Content Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Adding a new rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Editing an existing rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Applying Advanced Content Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Adding a new policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Editing an existing policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Adding a category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Editing a category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Training categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configuring categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
View Training Corpus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
The Compliance Trainer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

9 Analyzing Images 117

About Image Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
What Image Analysis does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
How Image Analysis works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Managing Image Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Adding an Image Analysis rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Editing an Image Analysis rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Applying Image Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Adding a new Image Analysis policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Editing an Image Analysis policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

10 Envelope Analysis 125
About Envelope Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Managing Envelope Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Adding an Envelope Analysis rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Editing an existing rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Applying Envelope Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Adding a new policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Editing an Envelope Analysis policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

11 Whitelisting 135
About whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Creating new whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Creating a TrustedSource whitelist rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring whitelist rule expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Viewing whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Editing a whitelist rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Setting automatic cleanup for whitelist entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Searching whitelists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Applying whitelist rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Adding a new whitelist policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Editing an application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

12 Advanced Topics in Compliance 145

About address masquerading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Searching for masquerade entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Adding new masquerade entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Editing masquerade entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
About Desktop Encryption Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Managing encryption rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Adding a new Desktop Encryption Analysis rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Editing a Desktop Encryption Analysis rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Applying Desktop Encryption Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Adding a new application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Editing an existing rule application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
About Off-Hour Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
About Attachment Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Managing attachment rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Adding a new rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Editing attachment rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Applying attachment rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Adding a new application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Editing an application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Dangerous extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
About Network DLP Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Detection capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
How it works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Managing DLP Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Editing DLP Analysis rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Using DLP Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
About Message Stamping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Managing Message Stamping rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Adding a new rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Editing an existing rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Applying Message Stamping rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Adding a new application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Editing a Message Stamping application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
About Group Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Adding a new group definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Editing an existing group definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
About Mail Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Adding a notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Editing an existing notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Allowed variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Other email notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Compliance rules updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Anti-Spam
13 SpamProfiler 189
About spam protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Anti-Spam snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
SpamProfiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Spam profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Configuring the SpamProfiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Managing SpamProfiler rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Adding a new SpamProfiler rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Editing an existing SpamProfiler rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Applying SpamProfiler rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Adding a new SpamProfiler policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Editing a SpamProfiler policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Classifying spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Image Spam Classifier (ISC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Dynamic Spam Classifier (DSC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
How to configure DSC and ISC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Whitelisting DSC and ISC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Locking your SpamProfiler configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Locking your current configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Special configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

14 Blocking Threats ..... 203
About threats ..... 203
About TrustedSource ..... 203
How it works ..... 203
Configuring TrustedSource ..... 203
TrustedSource whitelisting ..... 205
TrustedSource queries for LDAP rejections ..... 206
Launching TrustedSource ..... 206
The TrustedSource site ..... 206
About Anti-Zombie protection ..... 207
Anti-Zombie Snapshot ..... 207
About Anti-Fraud-Phishing protection ..... 208
Anti-Fraud-Phishing Snapshot ..... 208

6 McAfee Email Gateway 6.7.2 Administration Guide


Contents

Connection Control ..... 209
ESP connection control ..... 209
LDAP connection control ..... 210
Configuring Connection Control ..... 210
Exclude List ..... 211
The Connection Control Deny List ..... 213

15 End User Quarantine ..... 215
About End User Quarantine ..... 215
Configuring End User Quarantine ..... 215
Policy modifications in other features for EUQ Release ..... 218
Logging for End User Quarantine ..... 218
Configuring the EUQ web page ..... 218
Adding a new customization profile ..... 219
Editing an existing customization profile ..... 220
Editing the stylesheet ..... 220
About the User List ..... 221
The Mailing List ..... 223
Quarantine release notification ..... 224
Viewing a list of all quarantined messages ..... 225
Quarantine duration ..... 226
Releasing quarantined messages ..... 226
Releasing from the notification ..... 227
Releasing from the quarantined message list ..... 227
The release process ..... 228
About the End User Quarantine Whitelist ..... 229
Maintaining EUQ Whitelists ..... 230
Configuring the Whitelist ..... 231
User defined policies ..... 233

16 Advanced Topics in Anti-Spam ..... 235
Sender ID lookup ..... 235
SID in Email Gateway ..... 235
Sender ID and SpamProfiler ..... 236
Bayesian filtering ..... 237
Tokenization ..... 238
Bayesian filtering and the SpamProfiler ..... 239
Bayesian retraining ..... 240
Administrator-released messages ..... 241
Analyzing headers ..... 241
Regular expression header analysis ..... 241
System Defined Header Analysis ..... 242
User-Defined Header Analysis ..... 247
Deny lists ..... 249
Local Deny List ..... 249
RBL Drop List ..... 251
Reverse DNS Drop List ..... 252
Reverse DNS ..... 253
Anti-Spam feature order ..... 254
User Spam Reporting ..... 255
Spam Traps ..... 257
RealTime Blackhole Lists ..... 258
Configuring RealTime Blackhole Lists ..... 259
Multiple blacklists ..... 262
RBL and SpamProfiler ..... 262
DomainKeys Identified Mail ..... 262
Domains and selectors ..... 262
Configuring DKIM ..... 262
Backscatter protection ..... 264
Configuring DSN Bounce Verification ..... 265
How DSN Bounce Verification Protection works ..... 265

Anti-Virus
17 Anti-Virus Protection ..... 269
About Anti-Virus protection ..... 269
Anti-Virus snapshot ..... 269
Zero-Day Protection Setting ..... 272
Current Anti-Virus information ..... 274
Signature engines ..... 275
Editing detection behaviors ..... 276
Configuring bypass extensions ..... 276
Updating signature protection ..... 277
Manual signature updates ..... 277
Automatic Signature Updates ..... 279

Encryption
18 Managing Encryption ..... 283
About Encryption ..... 283
Available reports ..... 283
Incoming message reports ..... 284
Outgoing message reports ..... 284
About Secure Web Delivery ..... 285
Configuring the Encryption Router ..... 286
Certificate management ..... 287
Certificates ..... 287
PGP certificates ..... 292
Managing domains ..... 294
External domains ..... 294
Internal domains ..... 296

19 Advanced Encryption ..... 299
Advanced Encryption tab ..... 299
Advanced Encryption quick snapshot ..... 300
Incoming message reports ..... 300
Outgoing message report ..... 301
Secure Web Mail overview ..... 301
Secure Web Delivery configuration ..... 303
SWD User Administration ..... 306
Managing the SWD User List ..... 306
Adding SWD users ..... 307
Editing users ..... 309
SWD Password Management ..... 310
Challenge Response ..... 310
Password Reset ..... 311
Password policy ..... 312
SWD Help Desk ..... 313
Customization profile ..... 314
Mail notification ..... 317
Certificate management ..... 319
Certificates ..... 319
Certificate Store ..... 323
PGP certificates ..... 326
Server-to-server encryption ..... 327
External domains ..... 328
Internal domains ..... 330
Managing messages ..... 332

IntrusionDefender
20 IntrusionDefender Overview ..... 337
About IntrusionDefender ..... 337
Controlling the gateway ..... 337
Gateway threats ..... 337
Quick snapshot ..... 338

21 Mail Firewall ..... 341
About mail services ..... 341
Configure mail services ..... 342
SMTPI service ..... 342
SMTPO service ..... 347
Global properties ..... 351
Allow Relay ..... 353
About mail routing ..... 354
Domain-based routing ..... 355
Internal routing ..... 359
About Mail VPN ..... 360
Configuring Mail-VPN ..... 360
Configuring the services ..... 361
About Domain Require and Deny ..... 363

22 Lightweight Directory Access Protocol (LDAP) ..... 365
LDAP on Email Gateway ..... 365
LDAP operations ..... 365
LDAP profiles ..... 366
LDAP rules ..... 366
Binding rules and domains ..... 366
LDAP queries ..... 366
LDAP configuration ..... 367
Configuring LDAP profiles ..... 367
Configuring LDAP rules ..... 370
Adding a realtime rule ..... 370
Adding a synchronized rule ..... 376
Editing a rule ..... 381
LDAP connection control ..... 382
Configuring LDAP properties ..... 382

23 WebMail Protection ..... 385
Configuring WebMail protection ..... 385
Configuring WebMail properties ..... 385
Signature configuration ..... 388
HTTP routing ..... 388
Path-Based routing ..... 389
Host based routing ..... 392
Portal page routing ..... 394
Strong client authentication ..... 395
Customizing the WebMail log-in ..... 397
Adding a new customization profile ..... 397
Editing an existing customization profile ..... 399
Editing the stylesheet ..... 399

24 Mail Intrusion Protection Service ..... 401
About application level protection ..... 401
Denial of Service protection ..... 401
Password strength ..... 402
Password cracking ..... 403
Configuring Application Level Protection ..... 404
Integrity check ..... 406
Program integrity ..... 406
File system integrity ..... 406

25 Virtual Hosts ..... 409
About Virtual Hosts ..... 409
Managing Virtual Hosts ..... 410
Configuring Virtual Hosts ..... 411
Prerequisites ..... 411
Adding a Virtual Host ..... 411
Configuring IP addresses and domains ..... 412
Configuring internal mail servers ..... 414
Editing a Virtual Host ..... 423
Deleting a Virtual Host ..... 423
Using Virtual Hosts ..... 424
Applying rules ..... 424
Virtual Host administration ..... 425
Creating user accounts for Virtual Host administration ..... 425

26 Other Intrusion Defenders ..... 427
About DNS Hijack Protection ..... 427
About Anomaly Detection ..... 428
Configuring Anomaly Detection ..... 429
Creating anomaly rules ..... 429
Showing anomaly rules ..... 431

Reporting
27 Reporting ..... 435
About reporting ..... 435
The Reports window ..... 435
Viewing reports ..... 436

28 Message Archives ..... 439
Configuring Message Archives ..... 439
Adding an archive target - scheduled ..... 440
Adding an archive target - immediate ..... 441
Editing a message archive ..... 441
Applying Message Archiving ..... 442
Global archiving ..... 442
Rule based archiving ..... 442

29 Alert Manager ..... 443
About alerts ..... 443
About alert classes ..... 444
Adding an alert class ..... 444
Editing an Alert Class ..... 445
About alert mechanisms ..... 445
Adding an alert mechanism ..... 446
Adding an email mechanism ..... 446
Adding a pager mechanism ..... 447
Adding an SNMP alert mechanism ..... 447
The Alert Viewer ..... 447

30 Advanced Reporting ..... 449
About Reports configuration ..... 449
Report descriptions ..... 452
CSV reports ..... 453
Understanding the CSV file ..... 456
Opening a CSV file in Excel ..... 459
SNMP polling ..... 460
SNMP polling configuration ..... 460
Public SNMP variables for Email Gateway ..... 461
About Email Gateway logs ..... 462
Log levels ..... 462
Log standardization ..... 462

Mail flow logs ..... 463
Event logging ..... 463
Generating reports from logs ..... 466
CLI commands ..... 467
General logs ..... 468
Detailed logs ..... 468
Summary logs ..... 469
Notes on viewing logs ..... 470
Configuring logs ..... 470
Configuring Syslog ..... 473

Administration
31 Email Gateway Administration 477
User accounts . . . 477
    About user accounts . . . 477
    Creating user accounts . . . 478
    Managing user accounts . . . 480
    Editing a user account . . . 482
Logging onto Email Gateway . . . 482
    Appliance administrators . . . 483
    Virtual Host administrators . . . 484
    Compliance officers . . . 485
    ePO Users . . . 485
Configuring password policy . . . 485
Allowed IPs . . . 487
Configuring WebAdmin settings . . . 488
User preferences . . . 489
    Dashboard preferences . . . 489
    Queue Manager preferences . . . 490
    Miscellaneous preferences . . . 491
Clustering . . . 492
    Starting a cluster . . . 493
    Adding an appliance . . . 493
    Removing an appliance . . . 494
General administration . . . 494
    The Cleanup Schedule . . . 494
    Configuring Appliance Certificates . . . 495
    Changing the Admin Password . . . 496

32 Health Monitor 497


Configuring the Health Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Health Monitor’s tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Configuring Email Gateway alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

System
33 System Configuration 503
Appliance configuration . . . 503
ePolicy Orchestrator configuration . . . 504
    Key concepts . . . 504
    Configuring ePO functions . . . 504
Configuring IP addresses . . . 506
    Adding an IP address . . . 507
    Editing an existing IP address . . . 508
Configuring WebAdmin and CLI . . . 508
Routing . . . 509
    Adding a new route . . . 510
    Editing an existing routing . . . 511
The serial port . . . 511
SSH configuration . . . 511
CLI access link . . . 512
McAfee support access . . . 513
System backup and restore . . . 513
    Backup now . . . 513
    Scheduled backups . . . 514
    Backup data . . . 515
System restore . . . 516
    Granular restore . . . 516
    Restore all . . . 517
    Restored data . . . 518
The Check Tool . . . 519

34 System Updates 521

Available updates . . . 521
    Software updates . . . 521
    Hotfix updates . . . 521
    Anti-Virus updates . . . 521
    TRU Optimize packages . . . 521
    TRU Response packages . . . 521
    Pre-configuration updates . . . 521
    Compliance updates . . . 521
    Mail-IPS updates . . . 522
Managing updates . . . 522
    Applying the updates . . . 523
    Viewing logs . . . 524
Configuring Auto-Updates . . . 524
Support scripts . . . 525

35 General System Functions 527


UPS statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Powering down and restarting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Setting the date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
License Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Resetting keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Control Center communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Storing Control Center keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Control Center attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Control Center SSH configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
FIPS Compliance configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

The Command Line

36 Using the Command Line 537
The command line . . . 537
    Accessing the CLI from the console . . . 537
    Accessing the CLI from a secure shell . . . 537
The commands . . . 537
    HELP command . . . 538
    EDIT command . . . 538
    Connect command . . . 539
    Capture command . . . 540
    RUN command . . . 541
    SET command . . . 542
    SHOW command . . . 543
    SYSTEM command . . . 551
    TAIL command . . . 551
    TEST command . . . 552
    History command . . . 552
    Reset command . . . 553

Appendices
A Email Gateway Generated Alerts 557
The subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
The alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

B File Formats for Uploads 569

Whitelist rules . . . 569
    Examples . . . 570
Mail Firewall - Allow Relay . . . 571
Group Manager - Definition . . . 571
Attachment Analysis . . . 572
    Examples . . . 573
Content Analysis dictionaries . . . 574
    Examples . . . 575
Mail Firewall - Mail Routing . . . 575
    Examples . . . 576

C Actions and Action Codes 577


Email Gateway actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Subject re-write changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Email Gateway action codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580

D Process ID Numbers 587

Process IDs . . . 587
Queue IDs . . . 588
Feature IDs . . . 588
Sub-feature IDs . . . 588
Default action . . . 589
Message delivery modes . . . 590
Message types . . . 590
Anti-Spam tool IDs . . . 591
Summary log actions . . . 591
Message lock values . . . 591
Message status values . . . 592
Static rule IDs . . . 592

E Configuring WebMail Protection for MS Exchange 593


Exchange 5.5 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Exchange 2000 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Exchange 2007 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

F Special Tips 597


Special characters in email addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Compressed file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

G Email Gateway Action Order of Precedence 599


About action precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Feature order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Policy level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Threshold preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
General action precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Precedence in specific Email Gateway features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Anti-Spam feature order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Attachment Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Content Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Envelope Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

H Text Filtering 605


About text filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Classifying the formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Formats identified by Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606


File types from which Email Gateway can extract content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614

I Compliance Trainer 617


What is Compliance Trainer? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Running the Compliance Trainer setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Starting Compliance Trainer the first time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Using the Compliance Trainer interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Functional areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Insert file area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Are these files confidential? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Adding files to the training list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Training file list actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Loading and sending files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629

J Event Logging Elements 633

About events . . . 633
Event classes . . . 633
Events . . . 634
    Anti-spam events . . . 634
    Anti-virus events . . . 635
    Attachment Filtering events . . . 636
    Bayesian events . . . 636
    Content Filtering events . . . 637
    Corporate Compliance events . . . 638
    Remote quarantine events . . . 639
    Domain Keys Identified Mail events . . . 639
    Dynamic Spam Classifier events . . . 639
    DSpam events . . . 640
    Encryption events . . . 640
    SpamProfiler events . . . 642
    Enterprise Spam events . . . 642
    End User Spam events . . . 642
    General events . . . 643
    Image Analysis events . . . 644
    Image Whitelist events . . . 644
    Image Spam Classifier events . . . 645
    Join Queue events . . . 645
    LDAP events . . . 646
    Mail monitoring events . . . 647
    Address Masquerading events . . . 647
    MIME Handler events . . . 648
    Message Stamping events . . . 648
    Message events . . . 649
    Notification events . . . 649
    Policy management events . . . 650
    Realtime Blackhole List events . . . 651
    Reverse DNS events . . . 652
    RIP Queue events . . . 652
    System Defined Header Analysis events . . . 654
    SMTP authentication events . . . 654
    SMTP Before POP events . . . 655
    SMTPI events . . . 655
    SMTPO events . . . 658
    Sender ID events . . . 661
    SuperQueue events . . . 662
    TrustedSource events . . . 663
    User Defined Header Analysis events . . . 664
    Virtual Host events . . . 664
    White List events . . . 665

Index 667



About this Document

The Administration Guide describes the features and capabilities of McAfee Email Gateway version 6.7.2.
This guide is intended for network and security administrators. It assumes familiarity with the internet,
email messaging systems, and related terminology.
You can find additional information at the following locations:
• Online Help – Online Help is built into Email Gateway. Click the question mark icon at the upper right of
any window.
• Manuals – View product manuals at http://mysupport.mcafee.com.
• Application Notes – Check configuration-specific instructions at http://mysupport.mcafee.com.
• KnowledgeBase – Visit the KnowledgeBase at http://mysupport.mcafee.com. You’ll find helpful articles,
troubleshooting tips and commands, and the latest documentation.

Conventions
Refer to Table 1 for a list of the text conventions used.

Table 1 Conventions
Convention – Description
Courier bold – Identifies commands and key words you type at a system prompt.
    Note: A backslash (\) signals a command that does not fit on the same line. Type the
    command as shown, ignoring the backslash.
Courier italic – Indicates a placeholder for text you type.
<Courier italic> – When enclosed in angle brackets (< >), identifies optional text.
nnn.nnn.nnn.nnn – Indicates a placeholder for an IP address you type.
Courier plain – Used to show text that appears on a computer screen.
Plain text italics – Identifies the names of files and directories; also used for emphasis (for example,
    when introducing a new term).
Plain text bold – Identifies buttons, field names, and tabs that require user interaction.
[ ] – Signals conditional or optional text and instructions (for example, instructions that pertain only
    to a specific configuration).
Caution – Be careful; in this situation, you might do something that could result in the loss of data or an
    unpredictable outcome.
Note – Helpful suggestion or a reference to material not covered elsewhere in the manual.
Security Alert – Information that is critical for maintaining product integrity or security.
Tip – Time-saving actions; can help you solve a problem.

Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes
only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features
might be enabled in screen captures to make them clear; however, not all features are appropriate or desirable
for your setup.



Acronyms
The following acronyms are used throughout this document (Table 2).

Table 2 Acronyms
Acronym Description
URL Uniform Resource Locator



SECTION 1

Dashboard

Chapter 1, The Dashboard


1 The Dashboard

Contents
About the Dashboard
The charts
Dashboard reports and summaries

About the Dashboard


When you log onto Email Gateway, the opening window is the Dashboard. This configurable collection of tables and
charts lets you review the status and performance of the system and decide on any action that is required.

Configuring the Dashboard


You can determine what summaries or charts appear on your Dashboard, and where
they are located, using the configuration option. The buttons are at the upper right
corner of the window. Click the leftmost button to display the Dashboard Configuration
Preferences window. The window allows you to select the information you want the
Dashboard to display.
The center column of the Configure window lists all portlets (each one representing a reporting mechanism)
that have not been configured to appear on the existing Dashboard. To add one or more portlets to the
Dashboard, click the ones you want to add to highlight them.

Then click the arrow pointing to the panel (Left Panel or Right Panel) where you want the new
information to appear. The portlet will be moved to that panel.
The new portlet is set to appear at the bottom of the panel, by default. If you want to change the placement
of any portlet, highlight it and use the Up or Down button beside the panel. Click Save to record the
change.
Your window will display the Dashboard with the summaries and charts you have configured.
If you want to remove a portlet from the Dashboard, go to the Configure window, highlight the portlet, and
click the arrow pointing to the Available Portlets panel. When you click Finish, the portlet will be
removed from its display panel and added to the Available Portlets list.

Special navigation
You can expand or collapse any of the summaries that appear on the Dashboard, to focus on just the data you
want to see. At the top right of each header, you will see double arrows pointing either upward (when the
summary is expanded) or downward (when the summary is collapsed). Clicking the double-arrow icon toggles the
summary between its collapsed and expanded states.
During the same login session, the Dashboard summaries remain expanded or collapsed as you last left them.
If you log out without saving the current configuration, the Dashboard returns to the configuration you found
at login. If you save the configuration before you log out, the Dashboard remains as you last saw it before
logout.

McAfee Email Gateway 6.7.2 Administration Guide 19


The Dashboard
About the Dashboard

Figure 1 The full Dashboard




The charts
The charts that can be displayed on the Dashboard are subdivided into two types:
• System charts

• Queue charts

Each type can also be configured to display data for a selected time period, ranging from one hour to one
year. The possible date ranges for each type are given as part of the description for that type.
Click any chart to display a larger, more detailed version.

System charts
The System charts include the following displays:
• Filesystem Utilization

• Memory Utilization

• CPU Utilization

• Disk I/O

• Network Traffic

• Network Errors

The period represented by these charts is selected from the Dashboard Configuration window. All system
charts will represent the same time period.

Filesystem utilization
The Filesystem Utilization chart displays utilization in terms of the percentage of capacity used and the
percentage of available inodes used. Each parameter is tracked for three separate partitions on the file
system: /ct, /var, and /tmp.
• % capacity used – These lines represent the percentage of capacity in use by the partitions at any given
point in time over the configured span (one day in this example).

• % inodes used – These lines represent the percentage of available inodes in use by the partitions at any
given point in time over the configured span.
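The two percentages this chart plots can be reproduced from ordinary `df` output, which is useful when you want to alert on them outside the Dashboard. The Python below is an added example and not part of this guide or of the Email Gateway software: the two `df` tables are constructed in the layout of POSIX `df -P` and `df -iP` output (not data from an appliance), the three mount points are the ones named above, and the 90% figure stands in for the Health Monitor's Deny Connections at Disk/Inodes Usage setting mentioned under Connection blocking status later in this chapter. The percentages are computed from the raw block and inode counts rather than read from the rounded column, and the sample deliberately shows a partition that is only three-quarters full by capacity but almost out of inodes, which is what a filesystem holding very many small files looks like.

```python
"""Added example: reproduce the Filesystem Utilization percentages from df-style
output and flag partitions over a Health Monitor style threshold. Not McAfee code."""

WATCHED = ("/ct", "/var", "/tmp")   # the three partitions the chart tracks

# Constructed sample in the layout of `df -P` (1024-byte blocks). Not real appliance data.
DF_BLOCKS = """\
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda3 20642428 15481821 5160607 75% /ct
/dev/sda5 4128448 1651379 2477069 40% /var
/dev/sda6 1032088 928879 103209 90% /tmp
"""

# Constructed sample in the layout of `df -iP`. Note /ct: only 75% of its blocks
# but 95% of its inodes are used, the signature of very many small files.
DF_INODES = """\
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/sda3 1310720 1245184 65536 95% /ct
/dev/sda5 262144 26214 235930 10% /var
/dev/sda6 65536 3277 62259 5% /tmp
"""


def _rows(text):
    """Yield the whitespace-split data rows of a df table, skipping the header."""
    for line in text.splitlines()[1:]:
        if line.strip():
            yield line.split()


def capacity_used(df_text=DF_BLOCKS, mounts=WATCHED):
    """% capacity used per watched mount, computed as used / (used + available)
    from the raw block counts rather than read from the rounded Capacity column."""
    result = {}
    for _fs, _total, used, avail, _pct, mount in _rows(df_text):
        if mount in mounts:
            result[mount] = round(100.0 * int(used) / (int(used) + int(avail)), 1)
    return result


def inodes_used(df_text=DF_INODES, mounts=WATCHED):
    """% of available inodes used per watched mount: IUsed / Inodes."""
    result = {}
    for _fs, inodes, iused, _ifree, _pct, mount in _rows(df_text):
        if mount in mounts:
            result[mount] = round(100.0 * int(iused) / int(inodes), 1)
    return result


def over_threshold(threshold=90.0, df_blocks=DF_BLOCKS, df_inodes=DF_INODES):
    """Partitions at or above the threshold on either metric, as (mount, metric, pct).
    'At or above' mirrors the guide's 'met or exceeded' wording; the threshold
    value itself is an assumption for this example."""
    hits = []
    for mount, pct in capacity_used(df_blocks).items():
        if pct >= threshold:
            hits.append((mount, "capacity", pct))
    for mount, pct in inodes_used(df_inodes).items():
        if pct >= threshold:
            hits.append((mount, "inodes", pct))
    return sorted(hits)


if __name__ == "__main__":
    print("capacity:", capacity_used())
    print("inodes:  ", inodes_used())
    print("over 90%:", over_threshold())
```

The inode line deserves as much attention as the capacity line: the Rip Queue writes every message part to disk as its own file, so a flood of many-part messages can exhaust the inodes of whichever partition holds those files long before it fills the blocks, and Health Monitor compares both figures against its threshold.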

Memory utilization
The Memory Utilization chart shows utilization in megabytes.
• Active – This line represents the megabytes of memory being actively used at any given point over the
configured time span (one day, in this example).

• Inactive – This line tracks the megabytes of memory that have been in use, are not in active use at this
point, but have not yet been released to become free memory.

• Free – The free memory line shows the megabytes of memory available for use by any initiated process
at a given point in time.

• Swap Memory – This line traces the number of megabytes that have been temporarily moved from memory
to disk in order to free memory for use. It normally stays near zero and rises only as free memory runs
out; a swap line that climbs steadily during mail processing means the appliance is short of RAM, and
the paging will also show up on the Disk I/O chart.

• Swap Free – This line tracks the amount of swap space on disk that is still unused.




CPU utilization
The chart shows CPU utilization in percentage of capacity. At any point in time the percentages on all of
the lines add up to 100%.
The chart tracks the following information:
• System – This line presents the percentage of CPU capacity that was in use at the System level (kernel
time spent supporting the applications in use) at a given point.

• User – This line represents the percentage of CPU capacity that was in use at the Application level (being
used by one or more applications) at a given point in time.

• Idle – This line tracks the percentage of CPU capacity that was not in use at a given point in time during
the period covered by the chart (in this case, one hour).

• Nice – This line represents the percentage of CPU capacity spent in user mode running niced (reduced
priority) processes.

• Interrupt – This line tracks the percentage of CPU capacity spent servicing interrupts.
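The cumulative counters in /proc/stat are what a chart like this is built from, and the percentages only make sense as the difference between two samples divided by the total elapsed CPU time. The Python below is an added example, not code from this guide or from the appliance: the two samples are constructed, and the mapping of the /proc/stat columns onto the chart's five lines (Interrupt as irq plus softirq, Idle as idle plus iowait plus steal) is an assumption made for illustration. It also rejects the two inputs that would otherwise silently produce nonsense, counters that went backwards and a zero elapsed total.

```python
"""Added example: derive the CPU Utilization lines from two /proc/stat samples.
Not McAfee code; the mapping of /proc/stat columns onto the chart's five lines
is an assumption for illustration."""

# Column order of the aggregate "cpu" line in Linux /proc/stat (jiffies since boot).
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")

# Two constructed samples, a few seconds apart. Not real appliance data.
SAMPLE_T0 = "cpu 1000 50 300 8000 100 20 30 0"
SAMPLE_T1 = "cpu 1400 70 420 8700 140 30 40 0"


def parse_cpu_line(line):
    """Parse the aggregate cpu line into {field: jiffies}."""
    tokens = line.split()
    if not tokens or tokens[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line")
    values = [int(t) for t in tokens[1:1 + len(FIELDS)]]
    if len(values) != len(FIELDS):
        raise ValueError("short cpu line")
    return dict(zip(FIELDS, values))


def read_cpu_line(path="/proc/stat"):
    """Read the live aggregate line on a Linux host (not used by the tests)."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("cpu "):
                return line.strip()
    raise RuntimeError("no aggregate cpu line in " + path)


def utilization(sample_before, sample_after):
    """Percent of elapsed CPU time per chart line between two samples.

    The counters are cumulative, so one sample on its own is meaningless: each
    line is a delta divided by the total delta. Assumed mapping: Interrupt =
    irq + softirq; Idle = idle + iowait + steal (time the appliance itself did
    not spend in user, nice, system or interrupt context)."""
    before = parse_cpu_line(sample_before)
    after = parse_cpu_line(sample_after)
    delta = {k: after[k] - before[k] for k in FIELDS}
    if any(v < 0 for v in delta.values()):
        raise ValueError("counters went backwards: samples out of order or host rebooted")
    total = sum(delta.values())
    if total == 0:
        raise ValueError("no CPU time elapsed between samples")

    def pct(*keys):
        return 100.0 * sum(delta[k] for k in keys) / total

    return {
        "system": pct("system"),
        "user": pct("user"),
        "nice": pct("nice"),
        "interrupt": pct("irq", "softirq"),
        "idle": pct("idle", "iowait", "steal"),
    }


if __name__ == "__main__":
    u = utilization(SAMPLE_T0, SAMPLE_T1)
    for name, value in u.items():
        print(f"{name:9s} {value:6.2f}%")
    print(f"sum       {sum(u.values()):6.2f}%")
```

Because every line is a share of the same total, the five values sum to 100% by construction. If you round each to whole percents for display, the rounded figures can sum to 99 or 101, which is why the statement above is about the unrounded values.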

Disk I/O
This chart displays disk usage data in terms of the number of bytes per second and the number of
input/output operations per second.
• Bytes/second – This portion of the chart indicates the number of bytes per second of data transfer into
or out of the disk at any given point.

• Operations/second – This line follows the number of data input and/or output operations per second at
any point.

Network traffic
This chart shows network utilization (input and output) in bytes/second and packets/second.
• Bytes Sent – This line shows the number of bytes/second of outbound data on the network at any given
point.

• Bytes Received – this line tracks the number of bytes/second of inbound data on the network at any given
point.

• Packets Sent – This line shows the number of packets/second of outbound data on the network at any
given point.

• Packets Received – This line shows the number of packets/second of inbound data on the network at
any given point.

Network errors
This chart tracks network errors in terms of errors per second for both inbound and outbound data, and
collisions per second.
• Received – The line represents the number of errors per second in inbound traffic (frames that were not
successfully received).

• Sent – The line represents the number of errors per second in outbound traffic (frames that were not
successfully sent).

• Collisions – The line represents the number of collisions per second on the interface, that is, frames
that had to be retransmitted because another station transmitted at the same time. A persistently
non-zero collision count on a switched network usually points to a duplex mismatch on the port.




Queue charts
The Queue charts show the content and performance of the Email Gateway queues over the configured
time period. The Queue Graphs include:
• Queue Statistics

• Queue Process Statistics

• Queue Action Statistics

Like the System charts, the Queue charts can be configured to represent a variety of time periods, selected
on the Dashboard Configuration window. All Queue charts will reflect the same time period.

Queue statistics
This chart shows the load statistics for each of the queues in Email Gateway: SMTPO, SuperQueue and
Quarantine. The chart shows the number of messages being processed by each of these queues at a given
point in time. In this example, the chart covers the past day.

Queue process statistics


This chart shows Queue Process statistics for each subqueue within SuperQueue for the configured time
period (in this case, one day). However, the information presented is cumulative over the current 24-hour
period, from midnight to midnight. The chart is reset to zero at midnight.

Queue action statistics


The final chart in this group shows the number of messages being acted upon in each subqueue by Email
Gateway for the configured time period (one day again, in this instance). This data is also cumulative, and
increases over the time period from midnight to midnight. This chart is also reset at midnight.

Dashboard reports and summaries


The Dashboard provides a selection of summaries to choose from. Your selections appear on the
Dashboard window at login. The summaries reflect activity and system performance from midnight to the
current moment (the time the Dashboard window last refreshed).

Executive summary
The Executive Summary offers an overview of email traffic through Email Gateway, both inbound and
outbound. The summary shows the total messages in and out, then breaks the numbers and percentages
down among good messages, messages identified as spam, messages captured as containing viruses, and
messages that triggered action as a result of Email Gateway policies.

Mail IPS status


The Mail IPS Status summary provides the prior day’s statistics for Application Level and System Level
protection. Each of the monitored parameters is a hyperlink that will open a related window.

Health Monitor summary


The Health Monitor Summary shows the tests that Health Monitor has run, by name and time of test, with
the results. The summary identifies Critical through Restart alerts generated for the past three hours.




Services status
In this table, you can see the current status (running or not) of all the mail services. The table also
indicates whether or not Health Monitor is set to restart the service when it runs and finds the service is
not running. The information of possibly greatest importance to you is the status (is this mail service
running or not?) and the service uptime. For example, if SMTPI has been running for 3 days and 6 hours
while SMTPO has only been running for 4 hours, SMTPO has been restarted recently, either by an
administrator or by Health Monitor, and that is worth investigating.
Each Service name is a hyperlink that opens the service properties window for the specific service, allowing
you to verify configuration or make changes as necessary.

Connection blocking status


The Connection Blocking Status table displays the number of connections accepted or rejected from
midnight to the current moment, and the number of rejections by cause. The connections that were blocked
prevented suspicious messages from entering the network at all. The specific statistics reported on this
summary are:
• Connections Rejected by RBL Lookup – This statistic represents the connections blocked because senders
appear on the Realtime Blackhole List.

• Connections Rejected by RDNS Lookup – The number here reflects the connections that were blocked
because they did not pass RDNS lookup.

• Total Connections Accepted –This statistic reflects the number of connections the appliance has accepted
during this reporting period.
Note: The connections accepted can still result in rejections. The totals for LDAP Rejects and SMTP Address
Pattern rejects are included in the total for Connections Accepted, since the rejections occur post-connection.

• Total Connections Blocked – This total reflects the number of connections that were rejected during the
reporting period. This total includes the individual totals for:
  • Connection Control
  • Rejects by RBL
  • Rejects by RDNS
  • Rejects by Local Deny List
  • Rejects due to DoS Protection
  • Rejects by SMTPProxy in load throttling state
  • Rejects by Health Monitor when the Deny Connections at Disk/Inodes Usage percentage has been met
  or exceeded

• LDAP Rejects – The total represents the number of connections that were blocked due to lack of LDAP
validation.

• SMTP Address Pattern – This total represents the number of connections blocked because of configured
Address Pattern Matching in the Inbound Queue (SMTPI). It also includes:
  • mail received from an IP that is not on the Allow Relay list, and is not destined to a hosted internal
  domain, and
  • mail with a spoofed recipient address.

• Connection Control – The statistic reflects the total connections that were blocked by Connection Control
rules.
Note: Updates to the rejection counts (for example, LDAP Rejections) will not happen instantaneously. A
five-minute interval is required for updates to process and be visible.
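The accounting rules in the two notes above are easy to get wrong when reading the table: the Blocked total is the sum of the seven pre-connection causes, while LDAP and SMTP Address Pattern rejects happen after the connection was accepted and therefore sit inside the Accepted total. The Python below is an added example, not part of this guide or of the appliance's software, that applies those rules to a handful of connection events. The key=value log layout and the cause names are constructed for this example and are not the Email Gateway log format, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: reconcile Connection Blocking Status counters from connection
events. Not McAfee code; the log layout is constructed for this example and is
not the appliance's log format."""
import re
from collections import Counter

# Pre-connection rejections: the guide lists these as the components of
# Total Connections Blocked.
BLOCK_CAUSES = (
    "connection_control", "rbl", "rdns", "local_deny",
    "dos_protection", "load_throttling", "health_monitor",
)
# Rejections that happen after the connection was accepted, so they are
# counted inside Total Connections Accepted rather than Blocked.
POST_ACCEPT_CAUSES = ("ldap", "smtp_address_pattern")

# Constructed sample log (hypothetical key=value layout).
SAMPLE_LOG = """\
conn=1 ip=203.0.113.5 result=reject cause=rbl
conn=2 ip=198.51.100.7 result=accept
conn=2 ip=198.51.100.7 result=reject cause=ldap
conn=3 ip=198.51.100.9 result=reject cause=rdns
conn=4 ip=192.0.2.10 result=accept
conn=5 ip=192.0.2.11 result=accept
conn=5 ip=192.0.2.11 result=reject cause=smtp_address_pattern
conn=6 ip=203.0.113.6 result=reject cause=connection_control
conn=7 ip=203.0.113.7 result=reject cause=health_monitor
conn=8 ip=192.0.2.12 result=accept
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed log line into a {key: value} dict."""
    return dict(_KV.findall(line))


def summarize(log_text=SAMPLE_LOG):
    """Build the figures the summary table shows: per-cause counts plus the two
    totals, applying the guide's rule that post-connection rejects stay inside
    Total Connections Accepted."""
    by_cause = Counter()
    accepted, blocked = set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("result") == "accept":
            accepted.add(ev["conn"])
            continue
        cause = ev.get("cause")
        if cause in BLOCK_CAUSES:
            blocked.add(ev["conn"])
        elif cause in POST_ACCEPT_CAUSES:
            if ev["conn"] not in accepted:
                raise ValueError(f"{cause} reject for conn {ev['conn']} without an accept")
        else:
            raise ValueError(f"unknown cause {cause!r} in line: {line}")
        by_cause[cause] += 1
    summary = {cause: by_cause[cause] for cause in BLOCK_CAUSES + POST_ACCEPT_CAUSES}
    summary["total_connections_accepted"] = len(accepted)
    summary["total_connections_blocked"] = len(blocked)
    return summary


def reconcile(summary):
    """The two invariants a reader can check against the real table.
    Returns True, or raises naming the invariant that failed."""
    blocked_parts = sum(summary[c] for c in BLOCK_CAUSES)
    if summary["total_connections_blocked"] != blocked_parts:
        raise AssertionError("Blocked total does not equal the sum of its causes")
    post = sum(summary[c] for c in POST_ACCEPT_CAUSES)
    if post > summary["total_connections_accepted"]:
        raise AssertionError("more post-connection rejects than accepted connections")
    return True


if __name__ == "__main__":
    s = summarize()
    reconcile(s)
    for key, value in s.items():
        print(f"{key:28s} {value}")
```

reconcile() states the two checks worth applying to the real table: Blocked must equal the sum of its listed causes, and the post-connection rejects can never exceed Accepted. A table that violates either has most likely not finished the five-minute update cycle mentioned above.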




Some of the Status names are hyperlinks. Each of them takes you to a related window where more
information is available.

SpamProfiler status
The SpamProfiler Status table shows the number of messages that triggered action by the various
Anti-Spam tools. The information can be used along with other sources to indicate the effectiveness of the
current configuration. The most important number on this summary might be the SpamProfiler total, since
the SpamProfiler (if it is so configured) is the tool that takes the actions.
It is important to remember that the total messages shown on this summary might not add up to the total
number of messages processed. The reason for this difference is that the same message can be identified
for action by more than one tool, and can therefore be counted two or more times.

System utilization
This summary provides information about the main components of the system, showing usage in numerical
terms and as percentages of capacity. It can be helpful to compare this information with the System Graphs
if you would like additional information.

Updates status
The Update Status table reveals the currently installed versions of the Email Gateway software, Threat
Response Updates, and Anti-Virus engines. It also shows any available updates that can be downloaded or
installed, and the current status for all the updates. This table allows you to know at a glance when updates
become available.

Alert status
The Alert Status table displays the number of Alerts generated by Email Gateway for the past three hours.
If you want further information about the alerts, click any of the Alert Type hyperlinks to go directly to the
Alert Viewer window. On that window you can explore the individual alerts.

WebMail protection status


This table reports current statistics (counts) regarding specific actions by the WebMail Protection service.
Each of the Status names is a hyperlink. Clicking any one of them takes you to the WebMail Protection
Properties window, where Iron Web Mail’s behavior can be viewed and configured.

Encryption status
The Encryption Status summary provides an overview of inbound and outbound traffic by secure
transmission method.
Each Component name is a hyperlink that takes you to the opening reports and charts for Encryption,
where you will find more detailed information.





SECTION 2

Queue Manager

Chapter 2, Email Gateway Queues

Chapter 3, Queue Information

Chapter 4, Advanced Queue Manager Topics

Chapter 5, Remote Quarantine


2 Email Gateway Queues

Contents
About the queues
SuperQueue
Outbound Queue
Non-processing queues

About the queues


Queues are a core component of Email Gateway functionality. Email Gateway queues, while not physical
entities like disk partitions, are subsystems that process messages in an ordered fashion. After Email
Gateway SMTPI Service receives a message, it passes it to the SuperQueue for processing. After each
queue subsystem finishes processing the message, it passes it on to the next queue in line. Each queue is
designed to perform very specific tasks. Once all queues have processed the message, the Email Gateway
SMTPO Service delivers it to its final destination—assuming that a queue did not have to quarantine, drop,
or re-route the message.
Figure 2 SuperQueue structure




SuperQueue
Email Gateway employs eight features within one queue, the SuperQueue, to process messages between
SMTPI (the inbound queue) and SMTPO (the outbound queue).
Note: Versions prior to 6.7 used separate queues to process mail (RIP Queue, SuperQueue, and Join Queue).

Rip Queue
MIME Ripper (also known as Rip Queue) is the first to process an email, and its task is to “rip” the message
into its constituent MIME parts. SMTPProxy writes the original message to disk; Rip Queue writes copies of
the message parts to disk as part files, and references to the part files in an internal database. Each
subsequent queue examines the message parts. You can configure additional options by clicking MIME
Ripper in Queue Manager | Configure Queues.

Content Extraction Queue


The Content Extraction Queue processes messages before they are examined by the rest of the sub-queues
in the SuperQueue. The Content Extraction Queue runs right after the Rip Queue, and converts proprietary
document formats (for example, Word documents) into an ASCII text format that Email Gateway can “read”
for the purpose of enforcing policies such as those configured in Content Analysis (dictionaries) and
Attachment Analysis. It also verifies file types at the binary level, from the content of the file rather than
from its name. This queue is not visible through the GUI.
Some caution is required when an administrator creates rules (for example, in Attachment Analysis),
because of how the Content Extraction Queue works. If you create a rule for certain extension types (.scr,
.pif, .sea), Content Extraction will see those attachments not as the extension types specified, but as .exe
attachments, because their content is that of an executable. If the rules in place are intended to allow .exe
attachments but to capture the other specific extension types, the rules might not function as intended: in
the example cited, the three types listed would pass through Attachment Analysis because they are seen as
.exe files; a .scr or .pif extension does not change the fact that the file is an executable. If the intent is to
stop executable content, write the rule against the type Content Extraction detects (.exe) rather than
against the file name extension.
For information about the file formats Content Extraction will process, see Appendix H, Text Filtering, in this
Administration Guide.

Anti-Virus Queue
Anti-Virus Scanning uses the configuration settings in the Anti-Virus program area of Email Gateway when
it processes messages in its queue. The Anti-Virus Scanning feature performs all the actions configured in
Anti-Virus | Configure Signature Engines. You can configure additional options by clicking Anti-Virus in
Queue Manager | Configure Queues.

Content Analysis Queue


Content Analysis enforces the Attachment Analysis, Message Stamping, and Content Analysis policies
created in Email Gateway. Content Analysis performs its tasks according to the following precedence rules:
first it enforces the Attachment Analysis policies, then it enforces the Content Analysis policies, and last it
enforces the Message Stamping policy. You can configure additional options by clicking Content Filtering in
Queue Manager | Configure Queues.

Envelope Analysis Queue


Envelope Analysis enforces the Off-Hour Delivery, Envelope Analysis, and Desktop Encryption Analysis
policies created in Email Gateway. The Envelope Analysis feature performs its tasks according to the
following precedence rules: first it enforces the Desktop Encryption Analysis policies, then it enforces
Envelope Analysis, and last, it enforces Off-Hour Delivery.




Anti-Spam Queue
Anti-Spam uses a variety of anti-spam tools configured in the Email Gateway Anti-Spam program area to
inspect messages for characteristics of spam. When a message is found to be spam-like, an
administrator-defined action (such as drop, quarantine, or rename) is performed on it. You can configure
additional options by clicking Anti-Spam in Queue Manager | Configure Queues.

Corporate Compliance Queue


Corporate Compliance enforces content protection including the means to detect potential compromise of
confidential information. The detection is based on specific corporate information that might be confidential
to the enterprise. You can configure additional options by clicking Corporate Compliance in Queue Manager
| Configure Queues.

The Join Queue


MIME Joining Queue is the last to process an email, and its task is to reassemble the message back into a
whole. If any of the features within the SuperQueue performed an action—such as rewriting a Subject line
or deleting offensive words—the Join Queue deletes the original message from the Message Store,
reassembles the message from the Email Gateway-edited parts stored in the database and delivers it to the
SMTPO Service for final delivery, assuming that a feature did not have to quarantine, drop, or re-route the
message. You can configure additional options by clicking MIME Joining in Queue Manager | Configure
Queues.

Outbound Queue
Once a message has passed through SuperQueue without being stopped by a triggered action, it is ready to
be sent on to the intended recipient.
The Outbound Queue is the Email Gateway SMTPO Service, responsible for delivering messages out of the
Email Gateway appliance. The terms SMTPO Service and Outbound Queue are used interchangeably. The
Email Gateway SMTPO Service wakes up at periodic intervals to see which messages have been processed
by all the other queues. You can view the contents of the Outbound Queue—that is, view the messages
ready for delivery, but not yet delivered—and re-prioritize the delivery of either individual messages or all
messages addressed to a specific domain, or delete them.
The queues perform their tasks on messages sequentially. That is, messages do not enter a new queue
until they have successfully passed out of the previous one. Administrators can specify the order or
sequence in which the queues process messages (Queue Manager | Configure Queues).
Email Gateway can scan a maximum of 500 message parts. If a message contains 501 or more parts, Email
Gateway will respond with a MIME Parse Failure and perform the action specified in the MIME Parsing
Failure Action input field of the MIME Ripper window (Queue Manager | Configure Queues | MIME Ripper
hyperlink).
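The two behaviours described in this chapter that most often surprise administrators are the Content Extraction caveat under SuperQueue (a .scr, .pif or .sea attachment is seen as .exe because its content is executable, so an extension-based rule that allows .exe lets it through) and the 500-part limit above (501 or more parts is a MIME Parse Failure handled by the configured action). The Python below is an added example, not code from this guide or from the Email Gateway product, that models both with the standard library's email parser. The magic-number table, the rule representation, the choice of quarantine as the configured MIME Parsing Failure Action, and the convention that every leaf part including the text body counts toward the limit are all assumptions made for illustration.

```python
"""Added example: model the Rip Queue part limit, the MIME Parsing Failure
Action, and the Content Extraction behaviour that makes .scr/.pif/.sea files
look like .exe to Attachment Analysis. Not McAfee code; the magic-number table,
the rule representation and the part-counting convention are assumptions."""
import email
from email import policy
from email.message import EmailMessage

MAX_PARTS = 500                      # documented Email Gateway limit
PARSE_FAILURE_ACTION = "quarantine"  # assumed value of the MIME Parsing Failure Action

# Constructed binary signatures. The gateway's real table (Appendix H) is not
# reproduced here; the point is that a Windows executable starts with "MZ"
# whatever its file name says.
_MAGIC = ((b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"))


class MimeParseFailure(Exception):
    """The Rip Queue could not parse the message."""


def sniff_type(data):
    """Binary-level type check, independent of the file name."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def rip(raw):
    """Rip Queue: split a raw message into leaf MIME parts.
    Assumption: every leaf part, including the text body, counts toward the cap."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.defects:
        raise MimeParseFailure(f"malformed MIME: {msg.defects}")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    if len(parts) > MAX_PARTS:
        raise MimeParseFailure(f"{len(parts)} parts exceeds the {MAX_PARTS}-part limit")
    return parts


def effective_extension(part):
    """What Attachment Analysis sees after Content Extraction: the sniffed type
    when the content is recognisable, the claimed extension otherwise."""
    name = part.get_filename() or ""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_type(part.get_payload(decode=True) or b"")
    return sniffed if sniffed != "unknown" else claimed


def attachment_verdict(part, blocked_extensions):
    """Block if the effective extension is on the rule's list; otherwise allow."""
    return "block" if effective_extension(part) in blocked_extensions else "allow"


def process(raw, blocked_extensions):
    """Run a message through rip + attachment analysis. Returns
    ('parse_failure', action) or ('ok', [verdict per attachment])."""
    try:
        parts = rip(raw)
    except MimeParseFailure:
        return ("parse_failure", PARSE_FAILURE_ACTION)
    verdicts = [attachment_verdict(p, blocked_extensions) for p in parts if p.get_filename()]
    return ("ok", verdicts)


def build_message(filename, payload, copies=1):
    """Constructed sample message with `copies` identical attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for _ in range(copies):
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


# A screensaver is a PE executable: MZ header followed by whatever.
SCREENSAVER = build_message("report.scr", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32)
# 500 attachments plus the text body = 501 leaf parts, one over the limit.
TOO_MANY_PARTS = build_message("part.txt", b"x", copies=MAX_PARTS)

if __name__ == "__main__":
    # Rule written by extension, intending to allow .exe but stop .scr/.pif/.sea:
    print(process(SCREENSAVER, {"scr", "pif", "sea"}))   # ('ok', ['allow'])  slips through
    # Rule written against the detected type:
    print(process(SCREENSAVER, {"exe"}))                 # ('ok', ['block'])
    print(process(TOO_MANY_PARTS, {"exe"}))              # ('parse_failure', 'quarantine')
```

The first call shows the misfiring rule: the attachment is named report.scr, but its content begins with the MZ header of a Windows executable, so the effective type is exe and a block list of scr, pif and sea never matches. Writing the rule against exe, as in the second call, stops the file regardless of what it is called. The third call shows the part limit turning into the configured parse-failure action instead of a verdict.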




Non-processing queues
Email Gateway also includes two other queues that do not actually process messages, but store them under
specific conditions. These queues are:
• Quarantine Queue, and

• Failures Queue.

Quarantine Queue
The Quarantine Queue is not a message-processing queue, but rather a logical holding area where other
queue services can send messages if certain conditions are met. Whereas the other queues and features
actually process messages in some way, the Quarantine Queue holds messages in a quarantined status. All
messages have a status of some kind, such as currently in work or already delivered. The messages in the
quarantine queue have a status meaning paused, awaiting other work, or do not deliver yet.
Some Email Gateway rules have a send to Quarantine action if certain message characteristics are found.
Additionally, large e-mails held for Off-Hour Delivery are stored here. Email Gateway Queue Manager allows
administrators to create multiple quarantine queues within the Quarantine Queue to facilitate the
management of its email policies. You can view the contents of the quarantine queues at any time (through
a search function). You can delete, re-prioritize, change the scheduled delivery time, or re-direct to an
alternate address any message in any of the quarantine queues.

Failures Queue
The Failures Queue is used if a message fails Rip, Content Extraction, or Join Queue processing. Messages
generally end up in the Failures Queue because of an inability to parse message attachments or to extract
text content, or because of a Join Queue quarantine action. The specific actions taken for messages in the
Failure Queue depend on options defined for the processing queues on the Configure Queues window in the
Queue Manager.
All messages not generated by Email Gateway itself pass through the Rip Queue. The Rip Queue parses each
message into individual parts, writing them to disk as part files and recording references to the parts in
the database. Each subsequent queue examines the message parts through the database.
Sometimes a message fails Rip Queue or Content Extraction Queue processing (the message cannot be
broken into its component parts). In the event of a MIME parse failure, the message does not pass through
all the Compliance features. As a result, Attachment Analysis, Content Analysis, Corporate Compliance and
Message Stamping features are not available for messages with MIME parse failures. However MIME parse
failures can pass through all the queues and features that do not need the email message to be broken
down into parts.
When any of the repackage actions are set for messages that are MIME parse failures, the messages pass
through all the configured queues and features that do not need the email message to be parsed.
For MIME parse failures, four actions are available (Drop Message, Deliver to Recipient, Deliver to alternate
address, and Quarantine Message). These actions are specified as the MIME Parse Failure Action on Queue
Manager | Configure Queues.
Additional considerations also apply in the event of MIME parse issues. For example, if the Email Gateway
RIP queue is able to parse the message into parts but JOIN queue is unable to rebuild the message back
from the individual parts for whatever reason, Email Gateway requires a special configuration. For more
information about Email Gateway actions, see Appendix C in this Administration Guide.
Note: The Secure Web Delivery (SWD) feature also requires the message to have valid MIME. For messages that
the Rip Queue is unable to parse successfully, the SWD option will not be available: when the SMTPO process
checks whether SWD is available, it also checks that the message is valid MIME.



3 Queue Information

Contents
About the Queue Information window
Viewing messages
Searching messages
Dynamic Quarantine

About the Queue Information window


The Queue Information window provides visibility into the current state of each of the queues. The Queue
Information table displays how many messages are currently being processed within each queue, as well as
other useful information. The data displayed on the window is a snapshot taken when the window loads; it
does not update on its own, so each time the page is refreshed the numbers of messages in the various
queues change.
Figure 3 Queue Information window

Note: The recommended way to manually refresh the Queue Information window (or any other Email Gateway
window) is to click the associated menu option (in the left menu pane) or hyperlink. Refreshing the window using
the browser Refresh button can cause Email Gateway to log you out.

The three charts that appear on the Queue information window provide at-a-glance information about Email
Gateway activities. The charts are supported by the tables and links below them.

Quarantined messages
The Quarantined Message chart and the corresponding table provide information about messages that are
currently quarantined, as well as showing the queues where the quarantines are carried out. The chart
presents the portion of all quarantined messages in each quarantine queue.
All quarantine queues are represented in the chart.




The name of each queue in the Quarantined Message table is a link that will display a message list for the
specific queue. This allows you to investigate the individual messages and to take specific actions on the
messages you select. More information about the message lists is included below.

Current messages
The Current Message chart provides information about the messages that were in either SuperQueue or the
Outbound Queue when you accessed the window.

The Current Message table lists the two queues by name and provides the exact number corresponding to
the chart. Each queue name is a link that permits you to access detailed information about the messages
currently in the queues.

Queue activity
The Queue Activity chart displays graphic information about the number of messages that have passed
through SuperQueue since midnight, comparing the number of messages for each sub-queue that required
no action with the number upon which action was taken.
Figure 4 Queue Activity chart

The numbers of messages processed by the Rip Queue, including both those that triggered action and those
that did not, represent the total messages received since midnight. However, the total messages processed
by each of the other queues might not show the same total, depending upon how your Email Gateway is
configured (bypass functions, enabling or disabling of features, and so forth). The Join Queue will show the
number of messages that have been reassembled for delivery; it will not include messages quarantined or
dropped as a result of policies configured on this Email Gateway.




Viewing messages
To view the messages in the various queues, click the queue name links in either the quarantined message
table or the current message table. Email Gateway will display a message list for the queue you have
clicked.
Note: The examples that follow show messages from selected quarantine queues. Similar information is available
for messages in other accessible queues.

Figure 5 Quarantined Queue Message List

The message list provides information about each message currently in the queue.

Table 3 General message list fields

• Action Icons – The top of the message list contains icons that represent actions you can take on specific
messages. The icons are explained below.

• Selection checkbox – The checkbox that appears to the left of each message allows you to select that
message for actions you will take using the options at the top of the window.

• Status indicator – This column displays envelope icons. A closed envelope indicates the message has not
been read. An open envelope indicates the message has been read.

• Alert indicator – This column indicates a virus alert associated with the specific message. For example, a
bug icon indicates the presence of a virus, while a green check mark indicates the message is free of viruses.

• IP – This column shows the IP address from which each message was sent. Clicking the IP address
launches a TrustedSource query about this IP address, allowing you to determine the reputation for that IP
address. See Chapter 14, Blocking Threats, for more information.

• Virtual Hosts – If the message was destined for a specific Virtual Host managed by this Email Gateway, the
name of that host will appear in this column. Otherwise, the column will display the Default virtual host.

• ID – This column shows the unique system-generated message ID assigned to the message. The ID is a
hyperlink that will reveal details about the message.

• From – This column shows the email address for the sender of the message.

• To – This column displays the email address or addresses to which the message was sent.

• Subject – This column shows the subject line of each message.

The following message action icons are used in many of the message lists you can access from the Queue
Information window.

Table 4 Message action icons

• Back button – Clicking this icon on a message list takes you back one level, to the prior window.

• Search button – Clicking this icon opens the message search fields, which vary depending upon the queue
within which you want to search. Search functions are discussed in more detail below.

• Delete message – Clicking this button deletes any message or messages you have selected.

• Release message – Clicking this button releases the selected message or messages from quarantine.

• Schedule delivery – Clicking this button opens fields that allow you to schedule a specific time for the
selected message or messages to be delivered. To set the schedule, select the date and time information
from the drop-down lists, then click Set Date/Time.

• Forward message – Clicking this button forwards the selected message or messages to the address you
specify. The necessary field will display. Type the email address and click Forward.

• Copy message – Clicking this button sends a copy of the message or messages to the address you specify.
The necessary field will display. Type the email address and click Forward.

• Bayesian training – Clicking this icon causes Email Gateway to copy the selected message or messages to
the proper email address where they can be used for Bayesian training as “ham” messages.

• User preference window – Clicking this button opens the user preferences window for Queue Manager.
This window permits you to configure the appearance of the Queue Manager window. For more information,
see Chapter 31, Email Gateway Administration.

• Save message – This icon appears when a single message has been selected for viewing. Clicking the
button allows you to save the message to the location you specify.

• Print message – This icon appears when a single message has been selected for viewing. Clicking the
button allows you to print the message.

When you click the message ID in this example for any message on the list, Email Gateway will display
details for that quarantined message.

36 McAfee Email Gateway 6.7.2 Administration Guide


Figure 6 Message Detail tab

Table 5 Message Detail fields

Action icons: The top of the window displays the available action icons for the message you are investigating.
Message ID: This field displays the unique message ID for the message.
Current queue: This field shows the queue where the message is currently located.
Queue order: This field shows the order of the queues that have processed the message.
Status: This field shows the processing status for the message (for example, not yet processed, processed, and so forth).
Size: The size of the message displays in this field.
Date: This field shows the date and time the message was received.
Scheduled date: This field displays the scheduled date and time the message is to be released.
From: This field contains the sender’s email address.
To: This field contains the email address or addresses for the recipient or recipients of this message.
Subject: This field shows the content of the subject line.
IP address: The IP address of the sender shows in this field.
Direction: This field indicates the message flow direction for the message, inbound or outbound.
Encrypted message: If the message is encrypted, a green check mark appears in this field. Otherwise, the field contains a red X.
Message quarantined to: This field indicates one or more quarantine queues to which the message has been quarantined.
Dynamic quarantine: This field indicates, by a Yes or a No, whether or not Dynamic Quarantine has been enabled.
View status: An open envelope icon in this field indicates the message has been read. A closed envelope icon indicates that it has not been read.
Off-hour: If the message has been quarantined for off-hour delivery, a green check mark will show in this field. If not, a red X will appear.
Validated by EUQ notification process: This field will indicate whether or not the message qualified for End User Quarantine notification and possible release.

The Message Part tab on the message detail window displays the message part information.


Figure 7 Message Part tab

Table 6 Message Part fields

Action icons: The icons for allowable actions appear at the top of the window.
Header information: The second panel of the window displays the header information for the message, including:
• Sender address
• Recipient address or addresses
• The subject, and
• The date and time the message was received.
Message body: The third panel shows the actual message body. You can scroll to read the message in its entirety.
Attachments: The lower panel of the window provides information about any attachments associated with the message, including:
• The name of the attachment
• The size of the attachment
• The type of attachment (for example, image and format, document and format, and so forth)
• A download button that allows you to download the attachment.

The Action Taken tab allows you to see the actions that were taken on the message and the order in which
they were taken. The details include specific features that took action and the rules that triggered the
action.


Figure 8 Action Taken tab

The Message Log tab displays the message log for the message you have selected, if per-message logging
has been enabled. Otherwise, the window will display a message saying the log does not exist, and
directing you to the Global properties window (IntrusionDefender | Mail Firewall | Configure Mail
Services | Global).
Figure 9 Message Log tab

The Message Rules tab window shows appropriate rules based on the queue where a message is
quarantined. From this tab you can create new rules for messages like the current one, or create whitelist
rules if the type of messages should not be quarantined in the future.


Figure 10 Message Rules tab

Table 7 Message Rules fields

Action icons: The top of the window displays the available action icons for the message you are investigating.
Create Rules: The first two columns in the lower portion of the window designate the fields and the field values for which you can create rules. The fields include Mail From, Email To, From Domain, To Domain, Based on Subject, and Based on IP Address.
Envelope Analysis Rule: If it is possible for you to create a rule based on any of the named items, a clickable icon will appear in this column. When you click an icon, the window expands to show the fields you need to create the rule.
Whitelist rule: If it is possible for you to create a whitelist rule based on any of the named items, a clickable icon will appear in this column. When you click an icon, the window expands to show the fields you need to create the rule.

Searching messages
If you have even minimal information about a message, you can locate it within its current queue by using
the search options available through Queue Search in the left menu. The parameters you can enter will
vary depending upon the message type you are seeking. You can find:
• Messages currently in Email Gateway queues (being processed)

• Messages that are in quarantine (regular quarantine or outbound quarantine)

• Messages that are in the process of being delivered (in the outbound queue)

• Messages that have been processed.

Email Gateway adds specific information to the RFC821 and RFC822 headers to facilitate quicker and more
specific searches and better information gathering. The added information includes:
• Message ID – Added to the RFC821 received information

• Whitelist entry, if applicable – Added to the RFC822 from header, in an X-header

• ESP score – added to the RFC822 from header, in an X-header

• Applied policies – Added to the RFC822 from header, in an X-header

• Actions taken – Added to the RFC822 from header, in an X-header


Note: Much of the RFC822 data shown above is included in a single X-header containing information about the
message from the Email Gateway's logs.

You can use the search function to investigate specific messages for various reasons, such as suspected
false positives or messages that should have been caught. Depending upon where the message is located,
you can take appropriate actions. You can:
• View the message


• Delete the message

• Schedule it for delivery

• Release the message

• Forward the message

• Copy the message

• Use it for Bayesian retraining

• Save the message

• Print the message

You can type partial information in the Email Gateway search input fields. For example, a search for
“dscott” will find dscott@domain.com. If you type search values in more than one input field, Email
Gateway will not locate the message unless all the values you type are found.
The results of the search are displayed in a Search Results window in the main body of the page. If more
than one message matching the search criteria is found, they appear in separate rows of the Search Results
table. Clicking a message’s Subject hyperlink within the table opens a secondary window from which
various administrative actions can be taken, depending on whether or not the message is still on the Email
Gateway appliance.

Quarantined messages
To search for quarantined messages within a queue other than the Outbound Queue, provide search information on
the Queue Search window.
Figure 11 Queue Search window

Select the Quarantined message type, then supply as much information as you can.

Table 8 Queue Search fields

Message Type: Selecting the type of the message you wish to find based on the message’s current processing status will enable the correct parameters for the search. In this case, Quarantined has been specified.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the “Select” checkbox for the hosts you want to include.
Quarantine Type: Select the quarantine type that applies to the message from the pick list.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed. Fuzzy Search conducts a search that will include searching for parameters within strings without requiring an exact match (example: a search for cat in an address will produce results for tomcat@aol.com or catherine@yahoo.com). Exact Search conducts a search for data that precisely matches the search parameters you entered.

Advanced search options


The Queue Search window offers additional options when you click Advanced Search. The window
expands to show more search data fields.
Note: The advanced search fields are identical for all searches regardless of message type.

Table 9 Advanced Search fields

Search Clause: Click the appropriate radio button to determine the relationship among advanced search parameters.
• And – The messages must meet all your provided advanced search parameters.
• Or – The message must meet at least one of your advanced search parameters.
Size: Provide the proper information to allow Email Gateway to search for messages by size.
• Condition – Select the size condition (greater than, equal to, between, and so forth) you want to use from the drop-down list.
• Parameters – Type the size or size range that will define the messages (type a number and select B, KB, MB, and so forth). For a size range, type minimum and maximum sizes.
IP Address: Type the IP address from which the message was sent.
Date: Type or select a date or dates. You can search for messages received on a single day or for a range of dates. For a range, set the beginning and ending dates for your search.

When you have provided the information, click Search. A message list containing only the results of your
search will display.
You can use this listing to further investigate any of the messages that met your search criteria, as
explained earlier in this chapter.
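The matching rules this chapter describes (partial values match anywhere in a field under Fuzzy Search, whole-field matching under Exact Search, every typed basic field must be found, and the advanced parameters joined by an And/Or Search Clause) can be modelled in a few lines. The script below is an added example written for this discussion, not Email Gateway's own search code; the message record layout, the sample queue contents, and the size condition names are constructed for the example.

```python
# Added example: a small model of the Queue Search matching rules described
# in this chapter. Illustrative code only, not Email Gateway's search
# implementation; records, sample queue and condition names are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass
class QueuedMessage:
    message_id: str
    sender: str        # RFC822 From
    recipient: str     # RFC822 To
    subject: str
    size_bytes: int
    ip_address: str
    received: date


# Constructed sample queue contents (not real traffic).
SAMPLE_QUEUE = [
    QueuedMessage("1001", "dscott@domain.com", "jdoe@example.com", "Q3 report",
                  24_576, "192.0.2.10", date(2009, 5, 4)),
    QueuedMessage("1002", "tomcat@aol.com", "dscott@domain.com", "cat pictures",
                  1_048_576, "198.51.100.7", date(2009, 5, 5)),
    QueuedMessage("1003", "catherine@yahoo.com", "sales@example.com", "Invoice",
                  4_096, "192.0.2.10", date(2009, 5, 6)),
    QueuedMessage("1004", "dscott@other.org", "jdoe@example.com", "Re: Q3 report",
                  512, "203.0.113.9", date(2009, 5, 9)),
]

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def field_matches(value: str, pattern: str, exact: bool) -> bool:
    """Fuzzy Search: the typed value may appear anywhere in the field
    ("dscott" finds dscott@domain.com). Exact Search: whole-field match."""
    if exact:
        return value.lower() == pattern.lower()
    return pattern.lower() in value.lower()


def basic_match(msg: QueuedMessage, criteria: dict, exact: bool) -> bool:
    """Every basic field you typed must be found; empty fields are ignored."""
    return all(field_matches(getattr(msg, name), pattern, exact)
               for name, pattern in criteria.items() if pattern)


def size_condition(size_bytes: int, condition: str, params: tuple, unit: str) -> bool:
    """Size condition from the Advanced Search fields (condition names assumed)."""
    scale = UNITS[unit]
    low = params[0] * scale
    if condition == "greater than":
        return size_bytes > low
    if condition == "less than":
        return size_bytes < low
    if condition == "equal to":
        return size_bytes == low
    if condition == "between":
        return low <= size_bytes <= params[1] * scale
    raise ValueError(f"unknown size condition: {condition}")


def advanced_match(msg, clause="And", size=None, ip_address=None, date_range=None) -> bool:
    """Advanced parameters are joined by the Search Clause: And requires all
    supplied parameters to hold, Or requires at least one of them."""
    checks = []
    if size is not None:
        checks.append(size_condition(msg.size_bytes, *size))
    if ip_address is not None:
        checks.append(msg.ip_address == ip_address)
    if date_range is not None:
        start, end = (date.fromisoformat(d) for d in date_range)
        checks.append(start <= msg.received <= end)
    if not checks:
        return True
    return all(checks) if clause == "And" else any(checks)


def queue_search(queue, criteria=None, exact=False, clause="And", **advanced):
    """Return the message IDs satisfying both the basic and advanced criteria."""
    criteria = criteria or {}
    return [m.message_id for m in queue
            if basic_match(m, criteria, exact) and advanced_match(m, clause, **advanced)]


if __name__ == "__main__":
    print(queue_search(SAMPLE_QUEUE, {"sender": "dscott"}))   # ['1001', '1004']
    print(queue_search(SAMPLE_QUEUE, {"sender": "cat"}))      # ['1002', '1003']
    print(queue_search(SAMPLE_QUEUE, clause="Or",
                       size=("greater than", (10,), "KB"), ip_address="192.0.2.10"))
```

Note the asymmetry the guide points out: the basic fields always combine with And (all typed values must be found), while only the advanced parameters honour the Or clause. Searching with an Exact Search for "dscott" therefore returns nothing, because no From field is exactly that string.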

Quarantined outbound messages


If you select the Quarantined Outbound message type, the search window is almost identical to the
regular quarantined search window, but the search is conducted within the Outbound queue.


Table 10 Quarantined outbound message search fields

Message Type: Selecting the type of the message you wish to find based on the message’s current processing status will enable the correct parameters for the search. In this case, Quarantined has been specified.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the Select checkbox for the hosts you want to include.
Domain Name: Type the name of the domain to which the message is to be sent.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed. Fuzzy Search conducts a search that will include searching for parameters within strings without requiring an exact match (example: a search for “cat” in an address will produce results for tomcat@aol.com or catherine@yahoo.com). Exact Search conducts a search for data that precisely matches the search parameters you entered.

Current messages
Selecting either the Current In-Queue or the Current Outbound message type offers input fields for
entering search criteria. To search for current (not quarantined) messages, provide search parameters.

In SuperQueue
Select Current In-Queue, then provide the search parameters.

Table 11 Current message search fields

Message Type: Selecting the type of the message you wish to find based on the message’s current processing status will enable the correct parameters for the search.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the Select checkbox for the hosts you want to include.
Pause Queue: Select the checkbox to pause the queue’s processing during your search. This will allow you to take action on the messages Email Gateway finds, if you so desire.
Queue Type: Select the quarantine queue you want to search.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed. Fuzzy Search conducts a search that will include searching for parameters within strings without requiring an exact match (example: a search for cat in an address will produce results for tomcat@aol.com or catherine@yahoo.com). Exact Search conducts a search for data that precisely matches the search parameters you entered.


Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter.

When you have entered the search parameters, click Search. The results will display as shown. In this
case, Skip to Detail was specified.

In the Outbound Queue


You can also conduct a separate search for a message in the Outbound Queue, since that queue is not
included in the Current In-Queues search. Navigate to Queue Manager | Queue Search, select Current
Outbound, and provide the search parameters you want to use.

Table 12 Current outbound message search fields

Message Type: From the drop-down list, select the type of message to be sought, based on current processing status.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the Select checkbox for the hosts you want to include.
Pause Queue: Select the checkbox to pause the queue’s processing during your search. This will allow you to take action on the messages Email Gateway finds, if you so desire.
Domain Name: Type the name of the domain to which the message was addressed.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed.
• Fuzzy Search – Conducts a search that will include searching for parameters within strings without requiring an exact match. Example: A search for cat in an address will produce results for tomcat@aol.com or catherine@yahoo.com
• Exact Search – Conducts a search for data that precisely matches the search parameters you entered.

Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter.

When you have entered the parameters, click Search. A window appears showing the results of the search.
You can view the messages that were in the Outbound Queue at the time you accessed the window by
clicking the Domain link you want to expand. The number of messages currently in the queue for that
domain and the number of delivery attempts that have been made also show on the window. If you want to
take any action on messages, you must click Pause to temporarily stop the Outbound Queue.

Processed messages
The search window for Processed messages offers fields for entering search criteria for messages that have
already been processed but which have not yet been delivered, and allow you to specify the search type to
be conducted.

Table 13 Processed message search fields

Message Type: From the drop-down list, select the type of message to be sought, based on current processing status.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the Select checkbox for the hosts you want to include.
Message Status: You can search for messages that have been dropped, delivered, or both.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed.
• Fuzzy Search – Conducts a search that will include searching for parameters within strings without requiring an exact match. Example: A search for cat in an address will produce results for tomcat@aol.com or catherine@yahoo.com
• Exact Search – Conducts a search for data that precisely matches the search parameters you entered.

Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter.

When you have entered the search criteria, click Search.

Compliance Officer searches


Email Gateway allows you to create a special type of User Account for the enterprise’s compliance
officer(s). This user type has specific access to message search functions that allow research and data
collection related to Corporate Compliance issues. The officer is responsible for monitoring message activity
that can present potential violations of Corporate Compliance policy.
When a compliance officer logs into Email Gateway, the opening window is unlike the normal one most
users see. Instead, the window displays the message search fields from the Queue Information window,
and a list of the specific quarantine queues to which the compliance officer user type has been granted
access (Queue Manager | Queue Manager Advanced | Quarantine Types). The Officer has no access to
any other queues. The search functions for those queues are the same as for quarantined messages, as
discussed earlier.

Dynamic Quarantine
Currently, the most destructive delivery mechanism used by spammers, virus writers, and other attackers
of network systems is the zombie machine. Dynamic Quarantine is intended to ward off attacks sent by
zombie machines. Dynamic Quarantine provides a method for early detection of a potential viral outbreak
from a surge of unknown senders; this functionality will temporarily quarantine messages while reputation
information is gathered and analyzed using TrustedSource.
TrustedSource tracks all IP addresses that send email from around the world, monitoring sending behavior
and patterns. It uses this information to formulate very accurate, granular reputation scores for each
address. Then Email Gateway uses these scores to assess threats from inbound messages and take
appropriate action, when necessary.
The problem is that most zombie machines have never sent spam or malicious email, so TrustedSource
might have insufficient information to provide an accurate risk determination. Such messages are classified
as “suspicious.”
Defensive signatures against spam or virus attacks can be developed once the threat is recognized, and the
signatures can be deployed to email security systems. However, this can take hours, leaving the networks
vulnerable in the meantime. Dynamic Quarantine provides an additional layer of defense to protect
networks from these suspicious messages. It allows TrustedSource time to gather more information and
formulate an accurate reputation score.


Dynamic Quarantine rules


Dynamic Quarantine works with TrustedSource by temporarily holding suspicious messages until an
accurate assessment of the threats posed by the messages can be determined. This gives TrustedSource
time to see if multiple copies, either identical or similar to the current message, are being seen by Email
Gateway appliances around the world. TrustedSource can then provide a reliable reputation score.
Dynamic Quarantine uses two types of rules. First, the TrustedSource lookup for each message (in
SMTPProxy) provides a score that can be used by the Spam Profiler. Threat Response Updates (TRU) can
create Dynamic Quarantine rules based on the returned values. Hourly time granularity is possible.
Secondly, the TRU process itself can create and install rules that operate on the message’s format type,
message size, attachment name parameters, and so forth. The rules can be combined with Boolean
operators as part of the TRU package, and can define the quarantine periods with per-hour granularity.
All the rules are checked every fifteen minutes to see if any messages are eligible for release.
Note: End User Quarantine functions can’t be configured for the Dynamic Quarantine queue.

Dynamic Quarantine process overview


Email Gateway includes the ability to enable or disable Dynamic Quarantine from the UI. Customers have
the capability to opt out of the feature if they so choose by simply selecting or deselecting a checkbox on
the TrustedSource - Configure window.
Dynamic Quarantine is disabled by default.
Dynamic Quarantine follows this logical process to allow TrustedSource extra time to provide accurate
reputation information.


Figure 12 Dynamic quarantine process

1 When a message enters Email Gateway, a TrustedSource lookup is performed in SMTPProxy.
TrustedSource returns a score, and the message is handled accordingly. Bad messages are dropped, and
others are passed for further analysis.

2 Inside SuperQueue, RIP Queue breaks the message into its component parts, such as the header,
message body, any attachments, and so forth.
Note: Messages can still be quarantined by the Content Extraction Queue even after the first TrustedSource
lookup.

3 Email Gateway examines the parts. Based on this analysis, it applies the rules to determine if the message
should go to Dynamic Quarantine. The rules will determine how long the quarantine period should be.

4 When the quarantine period expires, another TrustedSource lookup occurs to see if updated reputation
information is now available. Multiple Email Gateways might have encountered the same message,
generally indicating an attack.

• If TrustedSource identifies the sender as good, the message is released from Dynamic Quarantine. The
message will still be inspected by all configured Email Gateway processes.
• If the sender is bad, the message is dropped.

• If TrustedSource still considers the message “suspicious,” it will remain in quarantine for an additional
period, as determined by the rules.
Note: When you release a message from Dynamic Quarantine, the second TrustedSource lookup does not
occur. The message will be delivered unless it contains a virus.

The TrustedSource reputation score from this second lookup replaces the earlier score; the score from
this lookup is supplied to the Anti-Spam Queue for Spam Profiler’s calculations, replacing the score
from the previous lookup.

5 When the second quarantine period expires, the message will be released to be inspected by the Email
Gateway configured processes. No further TrustedSource lookup is performed. During the quarantine
periods, updates might have been provided as new Anti-Virus signatures or new TRU packages, allowing
Email Gateway to deal with the new threats.

TrustedSource score variable in Dynamic Quarantine


There are two methods for sending a message to Dynamic Quarantine:
• Through a TrustedSource lookup that returns a score within a preconfigured range; or,

• Using rules that have been deployed as part of a TRUSign package.

Email Gateway provides the ability to add rules based on a TrustedSource score variable to the TRUSign
rules, in addition to rules based on subject, attachment name, attachment format, and message size.

Automatic shut-off
Dynamic Quarantine will automatically disable itself if available disk space falls below 30% of the system’s
capacity. This feature is intended to prevent performance degradation or other problems that can result
from inadequate disk space.
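The five-step process above, the administrator-release note, and the automatic shut-off can be read as one small state machine. The following Python simulation is an added example written for this guide's discussion; it is not Email Gateway's or TrustedSource's implementation. The score thresholds that map to good, suspicious and bad, the rule predicates, and the reputation "oracle" that hands back successive scores are all constructed assumptions, as are the hour values; only the ordering of the decisions and the 30% free-disk limit come from the text.

```python
# Added example: a simulation of the Dynamic Quarantine decision flow
# (first lookup, rule-based hold, second lookup on expiry, release/drop/extend,
# release without a further lookup after the second period, admin release,
# shut-off below 30% free disk). Thresholds, rules and the score oracle are
# constructed for the example, not product values or code.
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: str
    size_bytes: int = 0
    attachment_name: str = ""
    state: str = "new"          # new, quarantined, released, dropped
    hold_hours: int = 0         # quarantine period chosen by the rules
    periods_served: int = 0
    score_history: list = field(default_factory=list)


def verdict(score: int) -> str:
    """Assumed mapping of a reputation score to good / suspicious / bad."""
    if score >= 80:
        return "bad"
    return "suspicious" if score >= 40 else "good"


@dataclass
class DynamicQuarantineRule:
    """TRU-style rule: predicate on message properties plus a hold in whole hours."""
    name: str
    predicate: object           # callable(Message) -> bool
    hold_hours: int


class DynamicQuarantine:
    MIN_FREE_DISK_PCT = 30      # the guide: the feature disables itself below 30%

    def __init__(self, rules, lookup, free_disk_pct=100):
        self.rules = rules
        self.lookup = lookup    # callable(msg_id) -> score (constructed oracle)
        self.enabled = free_disk_pct >= self.MIN_FREE_DISK_PCT

    def on_arrival(self, msg: Message) -> str:
        # Step 1: lookup in SMTPProxy; bad is dropped, everything else goes on.
        score = self.lookup(msg.msg_id)
        msg.score_history.append(score)
        if verdict(score) == "bad":
            msg.state = "dropped"
            return msg.state
        # Steps 2-3: parts examined, rules decide whether and how long to hold
        # (the longest matching rule wins in this model).
        hold = max((r.hold_hours for r in self.rules if r.predicate(msg)), default=0)
        if self.enabled and hold > 0:
            msg.state, msg.hold_hours = "quarantined", hold
        else:
            msg.state = "released"     # continues through the normal queues
        return msg.state

    def on_period_expiry(self, msg: Message) -> str:
        if msg.state != "quarantined":
            return msg.state
        msg.periods_served += 1
        if msg.periods_served >= 2:
            msg.state = "released"     # step 5: no further lookup
            return msg.state
        # Step 4: second lookup; its score replaces the earlier one.
        score = self.lookup(msg.msg_id)
        msg.score_history.append(score)
        v = verdict(score)
        if v == "good":
            msg.state = "released"
        elif v == "bad":
            msg.state = "dropped"
        return msg.state               # "suspicious" stays for another period

    def admin_release(self, msg: Message) -> str:
        # Manual release: no second lookup; the next queue still scans it.
        if msg.state == "quarantined":
            msg.state = "released"
        return msg.state


def make_oracle(scores_by_id):
    """Constructed reputation oracle returning successive scores per message."""
    calls = {}

    def lookup(msg_id):
        seq, i = scores_by_id[msg_id], calls.get(msg_id, 0)
        calls[msg_id] = i + 1
        return seq[min(i, len(seq) - 1)]
    return lookup


RULES = [  # constructed rules
    DynamicQuarantineRule("exe-attachment", lambda m: m.attachment_name.lower().endswith(".exe"), 8),
    DynamicQuarantineRule("large-zip", lambda m: m.attachment_name.lower().endswith(".zip") and m.size_bytes > 100_000, 4),
]


def run_scenario(scores, attachment="", size=0, free_disk_pct=100, admin_release=False):
    """Drive one message through arrival, optional admin release and two expiries;
    return the state after each event and the scores that were looked up."""
    dq = DynamicQuarantine(RULES, make_oracle({"m1": scores}), free_disk_pct)
    msg = Message("m1", size, attachment)
    states = [dq.on_arrival(msg)]
    if admin_release:
        states.append(dq.admin_release(msg))
    states += [dq.on_period_expiry(msg) for _ in range(2)]
    return states, msg.score_history
```

Running the scenarios shows the properties the text promises: a suspicious sender that TrustedSource later rates good is released after one period, one rated bad is dropped, one still suspicious is held for a second period and then released with no third lookup, an administrator release produces exactly one lookup, and with free disk below 30% the message is never held at all.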

Viewing the results of Dynamic Quarantine


You can view the current status of the Dynamic Quarantine Queue, from the Dashboard or from the Queue
Information Window, in the same way you can see any of the other Quarantine Queues. If you click the
Queue Information link on the Dashboard, the Queue Information window appears. This window shows the
number of messages currently located in Email Gateway queues.
Clicking the Dynamic Quarantine link on this window will display a list of the messages currently in the
Dynamic Quarantine queue. A special icon identifies the message as Dynamically Quarantined.
If you need information about a particular message, all you need to do is click the message ID in this list.
The resulting window offers details about the message. You can release the message from this window by
sending it to the next processing queue in line, or to whatever queue has been configured in the Queue
Order for extended Dynamic Quarantine.
Note: The message cannot be sent directly to the Outbound Queue from this window. It cannot be delivered until
it has passed through the next process. This prevents the message from bypassing Anti-Virus processing.

4 Advanced Queue Manager Topics

Contents
Configuring queues
Changing the queue order
About quarantine types
Using the Quarantine Queue

Configuring queues
The Configure Queues window is used to stop and start SuperQueue, establish the order in which Email
Gateway queues process messages, and configure individual queue options.
Figure 13 Queues - Configure window

Table 14 Queues - Configure fields

Service: This column contains the names of the Email Gateway queues where Email Gateway processes messages. Each queue name is a hyperlink that allows configuration of that queue.
Auto-Start: A red X or green check icon indicates whether or not SuperQueue is set to start automatically when the Email Gateway appliance is rebooted. If the icon is green, the queue will begin running when Email Gateway restarts. In addition, if the icon is green, Email Gateway Health Monitor will restart SuperQueue if it has stopped for any reason when it performs its tests on all appliance subsystems. If an icon is red, SuperQueue will not start on reboot, nor when Health Monitor runs its system tests. The queue can continue to run after the Auto-Start option is off. The red and green icons are hyperlinks. Clicking the hyperlink toggles the auto-start option on and off.
Running: A red or green light icon indicates whether the queue is stopped or currently running.
Service Uptime (Days Hours Mins Secs): This column indicates (in days, hours, minutes, and seconds) how long a queue has been running since it was last restarted. If the “uptime” appears less than expected, it might indicate that the queue was manually stopped and restarted by you, or was stopped by you and was restarted automatically by Email Gateway Health Monitor.

Each queue name (Service) is a hyperlink that displays a window for that queue. The new window allows
configuration of the associated Queue.

Configuring SuperQueue
Figure 14 SuperQueue Configuration window

Table 15 SuperQueue Configuration fields

General
Log Level: Select a Log Level from the pick list. Options are:
• Information – Captures general process flow information, such as the order of features through which messages flow, and so forth.
• Error – Captures information only about errors that might require Administrative action, or assistance from McAfee Support. This is the default setting.
• Critical – Captures information about an urgent condition, such as a general database failure.
• Detailed – Captures process flow information in great detail, including information at the program level. Useful for analyzing problems, and so forth. Most verbose setting.
Parsing
Treat Empty MIME Part As Unknown: If the Content Extraction Queue identifies a MIME part with a size of 0, this option determines how that part will be treated. If the option is enabled, the part will be treated as an “unknown.” If it is disabled, the part will be treated as the extension type indicated by its part headers.
Search Limit: Type a number to represent the portion in kilobytes of a message each enabled feature will scan. If no indications of spam, and so forth, are found within that limit, the feature will stop processing and send the message to the next feature. An entry of 0 indicates no limit. The entire message will be searched.
Remote Quarantine
Specify Remote Quarantine System: Select this checkbox to enable or disable the use of a Centralized Quarantine Server. If enabled, you must also supply the hostname or IP address for the CQS below. If you intend to use CQS, this setting MUST be enabled on all feeder Email Gateways. It is NOT enabled on the CQS appliance itself.
Remote Quarantine System: If you enabled the Remote Quarantine System above, type the hostname or the IP address for the Centralized Quarantine Server. If you intend to use CQS, this parameter MUST be entered on all feeder Email Gateways. It is NOT entered on the CQS appliance itself.
Special Handling
Decode Hex String URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers replace the letters in a URL with their equivalent hex code. When you click the link, the browser will decode the hex codes back to their original form. Email Gateway decodes the URL to see it in plain text, then finds it in the URL dictionary.
Decode Hex Dotted URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers encode the IP address in its hexadecimal form based on a calculation from the original IP address. Email Gateway decodes the URL and finds it in the URL dictionary.
Decode Octal Dotted URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers represent the IP address in octal form, base 8. Email Gateway decodes the URL and finds it in the URL dictionary.
Decode Hex IP URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers encode the IP address in its hexadecimal form as a non-dotted hex IP. Email Gateway decodes the URL and finds it in the URL dictionary.
Decode Decimal IP URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers encode the IP address as a non-dotted decimal IP based on a calculation from the original IP address. Email Gateway decodes the URL and finds it in the URL dictionary.
Decode Character Entity Encoded URLs: Checking this enables Email Gateway to decode URLs of this type. Spammers use this method to represent characters in the HTML document in one of three ways:
• As decimal numbers
• As hexadecimal numbers
• As names, in some cases
Only a few characters have names, but any character can be represented by a decimal number or a hex number. Email Gateway supports decoding of decimal and hexadecimal representations of character entities as listed in the table below.
Enable Fail-Open DNS Bypass: Enabling this option causes Email Gateway to bypass Realtime Blackhole List, Reverse DNS lookup, Sender ID lookup and System-Defined Header Analysis when it is processing messages in DNS Bypass (single thread) mode.

The encoded URLs that Email Gateway decodes are explained in the following table.

McAfee Email Gateway 6.7.2 Administration Guide 51


Advanced Queue Manager Topics
Configuring queues

Table 16 Decoded URL types

Hexadecimal string URLs: Spammers replace the letters in a URL with their equivalent hex code. When you click the link, the browser will decode the hex codes back to their original form. Email Gateway decodes the URL to see it in plain text, then finds it in the URL dictionary.
Example: http://www.hotmail.com can be represented as:
http://%77%77%77%2E%68%6F%74%6D%61%69%6C%2E%63%6F%6D

Hexadecimal dotted IP URLs: Spammers encode the IP address in its hexadecimal form based on a calculation from the original IP address. Email Gateway decodes the URL and finds it in the URL Dictionary.
Example: the hexadecimal number for 207.178.42.40 is 0xCF.0xB2.0x2A.0x28, so http://207.178.42.40 can be represented as http://0xCF.0xB2.0x2A.0x28

Hexadecimal IP URLs: Spammers encode the IP address in its hexadecimal form as a non-dotted hex IP. Email Gateway decodes the URL and finds it in the URL Dictionary.
Example: http://207.178.42.40 can be represented as http://0xCFB22A28. It can be further obscured by adding any number of hexadecimal digits in front of the encoded URL, for example, http://0x9AF0800CFB22A28

Decimal IP URLs: Spammers encode the IP address as a non-dotted decimal IP, based on a calculation from the original IP address. Email Gateway decodes the URL and finds it in the URL Dictionary.
Example: the calculated code for 206.159.40.2 is 3466536962, so http://206.159.40.2 can be represented as http://3466536962

Octal dotted IP URLs: Spammers represent the IP address in octal form, base 8. Email Gateway decodes the URL and finds it in the URL Dictionary.
Example: http://207.178.42.40 can be represented as:
http://0317.0262.052.050, or
http://000317.0000262.00052.0050

Character Entity Encoded URLs: Spammers use this method to represent characters in the HTML document in one of three ways:
• As decimal numbers
• As hexadecimal numbers
• As names, in some cases.
Only a few characters have names, but any character can be represented by a decimal number or hex number. Email Gateway supports decoding of decimal representations of character entities.
Example: http://www.hotmail.com can be represented as:
http://&#119;&#119;&#119;&#46;&#104;&#111;&#116;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;
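The decoding described for the Special Handling options in Table 15 and the URL forms in Table 16, as an added Python example that is not McAfee code: each obfuscated host form is normalized to the plain hostname or dotted-quad that a URL dictionary lookup would match against. The sample URLs and the blocked-host set are constructed; the example goes beyond the tables by also accepting named character entities, mixed radixes within one dotted host, and the two- or three-part dotted hosts browsers accept.

```python
"""Normalize the obfuscated URL host forms listed in Tables 15 and 16.

Added example, not McAfee code. Each decoder undoes one trick the tables
describe and returns the host a URL dictionary lookup would match against.
"""
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# One dotted component: 0x.. hex, leading-zero octal, or plain decimal.
_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part):
    """Interpret one numeric host component according to its radix prefix."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)      # 0xCF -> 207 (hexadecimal dotted IP)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)           # 0317 or 000317 -> 207 (octal dotted IP)
    return int(part, 10)


def numeric_host_to_ip(host):
    """Return the dotted-quad string for a numeric host, or None if it is not one.

    One component is a non-dotted 32-bit value (0xCFB22A28 or 3466536962).
    Surplus leading hex digits (0x9AF0800CFB22A28) are discarded by keeping
    only the low 32 bits, which is the padding trick Table 16 mentions.
    Two to four components follow the browser rule: every component but the
    last is a single octet (hex, octal or decimal, mixed freely) and the last
    fills the remaining bytes. Anything else is not an IP literal.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.match(p) for p in parts):
        return None
    *head, last = [_parse_part(p) for p in parts]
    if any(v > 255 for v in head):
        return None
    if not head and parts[0][:2].lower() == "0x":
        last &= 0xFFFFFFFF            # keep the low 32 bits of a padded hex IP
    remaining = 4 - len(head)
    if last >= 256 ** remaining:
        return None                   # e.g. a decimal IP that exceeds 32 bits
    value = 0
    for octet in head:
        value = (value << 8) | octet
    value = (value << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(value))


def canonical_host(url):
    """Undo entity, percent-hex and numeric-IP obfuscation of the host."""
    # Character entities (&#119; decimal, &#x77; hex, and names such as &amp;)
    # encode the whole attribute value at the HTML layer, so decode them
    # before the URL is parsed; otherwise '#' and ';' would mislead the parser.
    parts = urlsplit(html.unescape(url))
    host = unquote(parts.hostname or "")  # %77%77%77 -> www (hex string URLs)
    return numeric_host_to_ip(host) or host


def canonical_url(url):
    """Rebuild the URL around its canonical host, keeping scheme, port and path."""
    parts = urlsplit(html.unescape(url))
    try:
        port = parts.port
    except ValueError:                # malformed port: treat as absent
        port = None
    host = canonical_host(url)
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def in_url_dictionary(url, dictionary):
    """True when the decoded host is listed in the (constructed) URL dictionary."""
    return canonical_host(url) in dictionary


if __name__ == "__main__":
    # Constructed samples that mirror the forms in Table 16, not gateway output.
    blocked = {"www.hotmail.com", "207.178.42.40", "206.159.40.2"}
    samples = [
        "http://%77%77%77%2E%68%6F%74%6D%61%69%6C%2E%63%6F%6D",
        "http://&#119;&#119;&#119;&#46;&#104;&#111;&#116;&#109;&#97;&#105;"
        "&#108;&#46;&#99;&#111;&#109;",
        "http://0xCF.0xB2.0x2A.0x28",
        "http://0xCFB22A28",
        "http://0x9AF0800CFB22A28",
        "http://3466536962",
        "http://000317.0000262.00052.0050",
    ]
    for sample in samples:
        listed = "listed" if in_url_dictionary(sample, blocked) else "not listed"
        print(f"{sample} -> {canonical_url(sample)} ({listed})")
```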

Configuring the sub-queues


SuperQueue includes seven sub-queues that represent the processes for which it is responsible.
• MIME Ripper

• Anti-Virus

• Content Analysis

• Envelope Analysis

• Anti-Spam

• Corporate Compliance

• MIME Joiner

Five of those sub-queues are configured by clicking the appropriate hyperlink on the Queues - Configure
window.

Configuring MIME Ripper


Figure 15 Internal Queue - MIME Ripping Configuration window

Table 17 MIME Ripping Configuration fields

Parsing

MIME Parsing Failure Action: Select the appropriate action you want Email Gateway to take in the event MIME Ripper cannot parse a message. Options are:
• Drop message
• Deliver to recipient
• Deliver to an alternate address
• Quarantine

MIME Parsing Failure Alternate Address(es): Type the address or addresses (comma delimited) to which Email Gateway is to send messages that fail MIME parsing.

Hop & Loop

Mail Hop Limit: Type a number from 1 to 20 to represent the number of mail hops allowed before the message is received by Email Gateway.

Mail Loop Action: Select the action to be taken if MIME Ripper encounters messages that are stuck in a mail loop. Options are:
• Drop message
• Quarantine

Central Quarantine

Central Quarantine Server: Select this checkbox if you want to use this particular Email Gateway appliance as a Central Quarantine Server.

Email Gateways for Remote Quarantine: List the IP addresses (comma-separated list) for all Email Gateways that will be able to remotely quarantine messages on this server.

Enable Secondary Central Quarantine Server: If you want to take advantage of a second (backup) CQS, select this checkbox. For more details about using a CQS, see the “Remote Quarantine” chapter later in this section of the Administration Guide.

Secondary Central Quarantine Server: Type the IP address for the secondary CQS.

Table 17 MIME Ripping Configuration fields (continued)

Special Handling

Bypass outbound messages for Anti-Spam: Checking this checkbox enables outbound messages to bypass the Anti-Spam sub-queue processes. Outbound messages from Email Gateway hosted domains will not be evaluated for spam.

SLS bypass for read and delivery receipts: Checking this checkbox enables read receipts and delivery receipts to bypass SLS functionality.

Enhanced UU encoding handling: Selecting this checkbox enables MIME Ripper to parse messages that are not MIME-compliant but contain UU encoding and break them into parts that can be understood and processed by Email Gateway.

Enhanced TNEF encoding handling: Selecting this checkbox enables MIME Ripper to parse messages that are not MIME-compliant but contain TNEF encoding and break them into parts that can be understood and processed by Email Gateway.

Enable Content Scanning for Encrypted Messages: Enable this option to allow the Content Analysis engine to look into an encrypted message to find the PGP header and/or footer.
This option is used ONLY with PGP Universal encryption.

Enable the ability to convert the MIME framework file to UTF-8: If you enable this option, Email Gateway will conduct the header search on the header file that has been converted to UTF-8; otherwise, the search will be conducted while the file remains in its original format.

Identify format EPE messages: Enabling this option allows MIME Ripper to recognize and process Encryption Plus Secure Export format. If this is disabled, the .epe files will be treated as .exe files.

When the information is correct, click Submit to record the configuration.

Configuring the Anti-Virus Queue


Clicking the Virus Scan name hyperlink opens the Virus Scan Properties window. You can set the Alert
Types for the specific conditions.
Figure 16 Queue - Anti-Virus Configuration window

Table 18 Anti-Virus Configuration fields

Alert Type for Cleaned Messages: Select the alert level that is to be generated when Email Gateway detects a virus and cleans the message. The available alert types, in descending order of severity, are:
• Restart
• Shutdown
• Critical
• Error
• Warning
• Notification
• Information
• No Alert

Alert Type for Virus Detection: Select the alert level that is to be generated when Email Gateway detects a virus.

Table 18 Anti-Virus Configuration fields (continued)

Alert Type for File Encryption Errors: Select the alert level that is to be generated when Email Gateway detects a password protected (encrypted) message.

Alert Type for Sweep Errors: Select the alert level that is to be generated when Email Gateway detects a sweep error.

Configuring the Content Analysis Queue


Clicking the Content Filtering name hyperlink opens the Queue - Content Filtering Properties window. Here
you can enable or disable checking for message stamping on incoming messages. If the message is already
stamped, it will not be stamped again. If no stamp exists, and Message Stamping is enabled, the message
will be stamped. You can also set the line length for the stamped message by entering a number of
characters in the data field.
Figure 17 Queue - Content Filtering Properties window

Configuring the Anti-Spam Queue


Clicking the Anti-Spam name hyperlink opens the Queue - Anti-Spam Properties window.
Figure 18 Queue - Anti-Spam Configuration window

Table 19 Anti-Spam Configuration fields

Anti-Spam Tools

Scan All Services: When this option is enabled (checked), messages are scanned by all configured services. This can impact queue throughput. If the option is disabled, a message is flagged by the first service that detects it; no further scanning is done.

Dictionary Filtering Default Confidence: If MIME parse failure occurs, enabled dictionaries cannot contribute to the Spam Profiler. Type a number from 1 to 100 to be used as the default dictionary contribution in cases of MIME parse failure.

Bayesian Engine Default Confidence: If MIME parse failure occurs, the Bayesian engine cannot contribute to the Spam Profiler. Type a number from 1 to 100 to be used as the default Bayesian contribution in cases of MIME parse failure.

Table 19 Anti-Spam Configuration fields (continued)

RBL IP Hop Number: Type a value to specify the mail hop number at which Email Gateway will do the RBL lookup. Email Gateway will perform the lookup on the IP address at that hop. If the number you type exceeds the number of hops for any message, the RBL lookup will occur on the first mail hop IP address.

Cumulative To and CC Address Threshold: Type a number from 2 to 10000 to serve as the threshold for SDHA’s rule, “Check cumulative To + CC.” Messages that have a total number of “To” and “CC” recipients that is equal to or greater than this number will trigger the SDHA rule.

Special Handling

SLS Bypass Size Limit (bytes): Type a number representing the size, in bytes, to serve as a minimum message size for SLS lookup. Messages that are smaller than this configured size will bypass SLS lookup. A value of zero (0) turns the feature off.

Spam Bypass Size Limit (bytes): Type a number from 0 to 1000000 to represent the maximum size limit for anti-spam scanning. Messages of sizes greater than or equal to that size will bypass the Anti-Spam Queue. A value of zero (0) turns the feature off.

Envelope Analysis and Corporate Compliance Queues


The Envelope Analysis Queue and the Corporate Compliance Queue have no configurable properties.
Therefore, there are no properties windows to view.

Configuring MIME Joiner


Figure 19 Internal Queue - MIME Joining Configuration window

Table 20 MIME Joining Configuration fields

Special Handling

Join Queue Remove Received Headers: Select a parameter from the drop-down list to enable the queue to remove RFC 822 headers from particular messages. The options are:
• Disabled – Turns off this functionality
• All Messages – The queue will remove headers from both inbound and outbound messages
• Inbound Messages – The queue will remove headers from inbound messages only
• Outbound Messages – The queue will remove headers from outbound messages only

MIME Re-Building Failure Action: Select a parameter from the drop-down list to specify what Email Gateway will do if a message fails the rebuilding process. The options are:
• Drop – Drop the message
• Quarantine – Write the failed message to the Failures Queue
• Deliver Original Message – Retrieve the unparsed copy of the original message and deliver that to the recipient

Table 20 MIME Joining Configuration fields (continued)

Enhanced UU encoding handling: Selecting this checkbox allows Email Gateway to reconstruct messages that are not MIME-compliant but that contain UU format encoding.

Enhanced TNEF encoding handling: Selecting this checkbox allows Email Gateway to reconstruct messages that are not MIME-compliant but that contain TNEF encoding.

Join Queue Remove Disposition Notification: If you enable this option, the disposition notification in the RFC 822 headers of messages will be removed. Select the message type from the drop-down list. Options are:
• Disabled (the option is turned off)
• Inbound Messages
• Outbound Messages
• All Messages

Changing the queue order


The order in which the Email Gateway Queues process messages is configurable, should you wish to vary from the original Best Practices. The order of MIME Ripper, Content Extraction, SuperQueue and MIME Joiner is not configurable, but the five other sub-queues within SuperQueue are.
The window lets you set the order of processing for the sub-queues within the Super Queue.
Figure 20 Queues - Configure window

Caution: In network configurations that use a Centralized Quarantine Server (CQS), the processing order, rules
and policies must be configured exactly the same way on all Email Gateway appliances. If this is not done, the
CQS will not function properly.

You can change the queue order by selecting the desired change from the pick list found on the Queues -
Configure window. If a desired change will conflict with an existing setting, other changes must be enacted
at the same time to define the complete order.

Table 21 Queue order fields

Service: This column lists the names of all the queues included in Email Gateway.

Change/Remove Queue Order: For each of the configurable sub-queues within Super Queue, this field contains a drop-down list that allows establishing the order in which the queues will process messages. The options are:
• Remove – Leave this sub-queue out of the processing order
• Change to first position
• Change to second position
• Change to third position
• Change to fourth position
• Change to fifth position
Each of the last five options selects the order for the associated queue.

Queue Position: This field shows the processing order of all configured queues.

For example, assume you want to move the Corporate Compliance Queue to second position. Anti-Spam is
already in second position, but you can move it to fifth position. You must change both Corporate
Compliance to position 2 and Anti-Spam to position 5 at the same time (the same Submit entry). Email
Gateway will allow you to change any or all sub-queues at once, so long as the change you are making does
not result in position conflicts.
When the order has been established, click Submit to save the changes. The window refreshes to show the
order selected.

About quarantine types


By default, Email Gateway provides the following quarantine types:
• Content Analysis

• Attachment Analysis

• Envelope Analysis

• Anti Virus

• Desktop Encryption Analysis

• Outbound (SMTPO Service)

• Anti-Spam

• Off Hour

• Failures

• Image Analysis

• Corporate Compliance

Whenever an email policy configured with a quarantine action is created, you can specify to which
quarantine queue the policy sends the message. This greatly eases the management of Email Gateway
policies—you can look in one place to see the results of that policy, without the interference of other
messages that might also be quarantined. In addition to using the default quarantine queues, you are
encouraged to create your own, even more granular, quarantine queues. For example, when testing a new
policy, you might set the quarantine action to send to the test quarantine queue. As messages accumulate
in that queue, you can see exactly how effective the policy is.

Figure 21 Quarantine Types - Manage window

Table 22 Quarantine Types - Manage fields

ID: This column lists the unique, system-generated ID number for each quarantine type.

Quarantine Type Name: This column lists all existing quarantine types by name. The quarantine types can be assigned to various quarantine queues.

In Use: The icons in this column indicate if the quarantine type is currently in use or not. A green checkmark indicates the type is in use (at least one policy has been defined that will send quarantined messages to it), while a red X indicates it is not.

Queue Name: This column shows the name of the queue to which each quarantine type is assigned.

# of Rules Created: For all active quarantine types, this column shows the number of rules that have been configured to use that type.

Granular Schedule: Icons in this column indicate if the quarantine type has been configured for a granular Cleanup Schedule. A green check indicates that granular cleanup has been scheduled for this type; a red X indicates that it has not.

Compliance Officer: A check mark in this column indicates if the quarantine type has been assigned to the compliance officer role for viewing or not. If the box is checked, the quarantine type has been assigned. N/A in this column means the quarantine type cannot be assigned to a compliance officer.
If the quarantine type is in use and the type is assigned to the compliance officer, the box will be unavailable. It cannot be un-checked until the quarantine type is no longer in use.

Delete: For each manually created quarantine type, a delete box exists. Checking the delete box and then clicking Submit will delete that type. The Delete hyperlink will delete all manually created quarantine types, but not the defaults.
Quarantine types that are in use cannot be deleted until the associated rules are deleted.

Add New Type (data field): To add a manually-created quarantine type, type the name for the type in the data field. If the new type is to be available to the compliance officer, select the checkbox. If you do not check the compliance officer box now, you can still select it later.
When you click Submit, the new quarantine type will be added.

After you type the name for the new queue, click Submit. The window will refresh with the new queue
shown at the bottom. At this point, the new queue is not in use, as indicated by the red X in the In Use
column. In order to put it into use, you must configure a new rule that specifies the queue.
The new queue will be specified when you click Submit. This places the new queue in use. When you
navigate back to the Quarantine Types window, the In Use column now contains a green check mark.

Using the Quarantine Queue


The Quarantine Queue (and its subordinate user-defined quarantine queues) is one of the most functional parts of
the Email Gateway queue architecture. Its purpose is to allow the testing of email policies, to provide visual
verification that a message is spam, and to offer a way to temporarily hold messages on disk without deleting them.
Use a quarantine queue to test an Email Gateway policy by configuring the policy’s action to quarantine messages to a testpolicy quarantine queue. Allow Email Gateway to enforce that policy for one to two hours or days. When messages begin appearing in the testpolicy quarantine queue, verify that the intended messages are being detected.
One of the most critical elements of an anti-spam strategy is creating a whitelist of legitimate email addresses and
domains that Email Gateway spam-blocking tools think are generating spam. Configure the spam-blocking tools to
quarantine suspected spam messages to a spam quarantine queue for several days. You can visually inspect the
contents of that quarantine queue for the presence of false positives, and thus begin developing a whitelist. For even
finer granularity, consider creating separate quarantine queues for User Defined Header Analysis, System Defined
Header Analysis, and any other spam tools being tested. Configure their actions to quarantine suspected spam to
their respective quarantine queues. In this way, it is easy to know exactly which messages (and/or false positives)
each tool is detecting.
And finally, many administrators in high-volume email environments (50,000+ messages per day) will configure anti-spam or content filtering policies to quarantine messages for three to five days and have them deleted automatically afterward. When daily mail volumes make the visual inspection of the quarantine queue impractical, this approach allows them to search for messages if end users ask about them, and push out of the quarantine queue those messages that were inadvertently stopped. Those domains or addresses can then be whitelisted, if appropriate.

5 Remote Quarantine

Contents
About Remote Quarantine
Central Quarantine Server
Configuration of the CQS
Dual Central Quarantine Servers

About Remote Quarantine


In enterprises that have multiple Email Gateway appliances and high email message volumes (perhaps
200K - 400K messages per day) and where you want to quarantine messages for up to 30 days, enabling
that quarantining to be handled by a separate appliance reduces the disk space requirements on the Email
Gateway appliances that are in mail flow. It also reduces the likelihood that users will receive multiple
quarantine notifications if they receive mail from more than one appliance. To accomplish this result,
McAfee deploys an appliance called Central Quarantine Server (CQS).
In Email Gateway, when a message is remotely quarantined by a queue, it will be identified for remote
quarantine, but will proceed through all other queues. All the other queues will perform their configured
actions other than Copy Message, Forward Message or Secure Delivery on the initial Email Gateway. If the
message has not been dropped, it will proceed through the Email Gateway Join Queue. From there it will be
sent to the CQS. If the message has been identified for Copy, Forward or Secure Delivery, that will be done
by the Join Queue on the CQS.
Note: All actions will be carried out in the order of priority. See Appendix G, Email Gateway Action Order of
Precedence.

Tip: If CQS is to quarantine messages in multiple queues, you must set the action for each associated feature as
Remote Quarantine. Features set to Quarantine will quarantine messages locally rather than on the CQS.

Central Quarantine Server


The Central Quarantine Server (CQS) is an Email Gateway appliance configured with at least 2 gigabytes of RAM and abundant usable hard drive space (at least 280 gigabytes). It is configured to receive messages from multiple Email Gateway appliances, known as feeders, and to quarantine those messages according to the queues associated with the Remote Quarantine action.
McAfee has determined that the Central Quarantine Server can quarantine millions of messages. Queue
Information access degrades with approximately 1 million messages quarantined, and becomes
time-consuming at approximately 1.8 million messages.
Note: The purpose of the server is strictly to house all quarantined email. It is NOT designed to be put into mail
flow.

Mail processes on the CQS will accept messages from the original Email Gateway appliances and will send
messages that have been released by the end users. The appliance should not accept any mail from the
Internet or from internal mail servers.

Which features use Remote Quarantine?


The features on the mail flow Email Gateway appliances that support the Remote Quarantine action are:
• Compliance | Envelope Analysis
• Compliance | Advanced | Desktop Encryption Control
• Compliance | Advanced | Attachment Analysis
• Compliance | Content Analysis
• Compliance | Advanced Content Analysis
• Compliance | Image Analysis
• Anti-Spam | Advanced | Reverse DNS
• Anti-Spam | Advanced | Realtime Blackhole List
• Anti-Spam | Advanced | Statistical Lookup Service
• Anti-Spam | Advanced | System Defined Header Analysis
• Anti-Spam | Advanced | User Defined Header Analysis
• Anti-Spam | SpamProfiler

General implementation
Implementation of the basic requirements for CQS requires the following conditions to be considered:
• All the Email Gateway appliances must be running Email Gateway (Secure Mail) 6.5.1 or later.

• The Email Gateway appliances that are in mail flow must be configured to take the Remote Quarantine
action in order to route messages to the CQS that they otherwise would have quarantined. The
configuration must be set for every sub-feature that would have normally been configured for Quarantine
under Compliance and Anti-Spam.
Note: Sub-features set to Quarantine rather than Remote Quarantine will quarantine messages locally.

• The End User Quarantine feature MUST NOT be configured on any of the mail flow appliances. It should
only be configured on the CQS.

• The CQS must be configured with Allow Relay entries that allow it to accept mail from all the feeder Email
Gateway appliances.

• All Queues that are enabled on the mail flow appliances must also be enabled on the CQS.

• The CQS should be configured to deliver email messages to the same internal mail servers as the feeder
Email Gateways.

• The CQS should be configured to quarantine the messages it receives from the feeder Email Gateways.
Generally, you can accomplish this by configuring the same rules on the CQS as on the feeder Email
Gateways, but with an action of Quarantine rather than Remote Quarantine.
• The CQS should be configured to use 0 (zero) as the number of days to quarantine messages. This will
have to be set for each sub-feature that has the Quarantine action. The zero setting prevents the
messages from being delivered after their retention time expires, and allows the Cleanup Schedule to
determine when the messages should be deleted. The Cleanup Schedule should be set for the maximum
number of days any quarantined message should be kept.

• The End User Quarantine notification feature must be configured on the CQS only.

High-level process
The CQS receives forwarded (Remote Quarantined) messages from each of its feeder Email Gateway
appliances. The MIME Ripper on CQS identifies these messages as having been processed and quarantined
by the prior Email Gateway, so rather than passing the messages through the configured processes, it
sends the messages to the quarantine queues specified by the feeder Email Gateways. CQS recognizes the
action value (the number of days of quarantine) associated with each remote quarantined message (a
number from 0 through 15) and uses that value to determine how long the message should be held in the
assigned queue.

If the action value is 0, the message will be deleted from the queue the next time the Cleanup Schedule
runs after the message has remained in quarantine longer than the Cleanup Interval. If the action value is
a number between 1 and 15, the message will be held for that many days in the assigned queue. If it has
not been deleted or released by the end user (using the End User Quarantine feature) before that time
expires, the message will be delivered.
For more information about the Cleanup Schedule, see Chapter 31, Email Gateway Administration.

Configuration of the CQS


Configuration of the Central Quarantine Server actually involves specific combinations of configuration
parameters on the CQS itself and on the Email Gateway appliances that will forward messages to it. If you
do not follow the configuration requirements, CQS will not function properly.

Setting quarantine types


You must set up any desired quarantine types to meet your enterprise’s needs. The same quarantine types
must exist on both the mail flow Email Gateways and the CQS.
Email Gateway provides the following Quarantine Types by default:
• Content Analysis

• Attachment Analysis

• Envelope Analysis

• Anti Virus

• Desktop Encryption Analysis

• Outbound (SMTPO Service)

• Anti-Spam

• Off Hour

• Failures

• Image Analysis

• Corporate Compliance

Whenever you configure an email policy with Quarantine action, specify which quarantine queue receives
the message. This capability makes it much easier to monitor the results of the policy without having to
search through messages unnecessarily. You can also create more granular quarantine queues. As
messages accumulate in the queue, you can monitor the policy’s effectiveness.
Any new queues you create on one appliance must also be created on all the feeder Email Gateways and
the CQS, and all queues must exist with exactly the same names on all appliances. The feeder Email
Gateways determine the queue into which each message will be quarantined and the desired processing
order. If the queues and the queue order are not the same on the CQS, the messages will not be processed
as expected.
For more information, see “Quarantine Types” in Chapter 4, Advanced Queue Manager Topics.
Note: If you create a quarantine queue on one appliance and want to copy and paste it to all other appliances, including the CQS, it is absolutely essential that no spaces be added before and/or after the queue name.

A quarantine name variation will be difficult to detect visually, but will cause the queues not to match. If
that does happen, you will notice mail from a feeder appliance being identified and quarantined, but not
showing up in the corresponding queue on the CQS. If this happens, one way to find the “missing” message
is to look at the Queue Information window on the CQS.

If you look at the information on the Queue Information window, you will find totals representing the
number of messages in each of the quarantine sub-queues. If the total for the last line in the Quarantined
Messages table (Total) is larger than the sum of the totals in the other lines, this indicates that a message
has been sent to CQS and has been placed in a zero (0) quarantine queue. The only solution is to search for
the message (visually) and take action to release it, forward it, or drop it. You cannot move it to another
queue.
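The queue-name mismatch described above is hard to spot by eye, so here is an added Python check that is not McAfee code: given the Quarantine Type names from a feeder Email Gateway and from the CQS (the page describes no export, so the two lists below are constructed), it reports names that exist on only one side and separately flags names that differ only by stray or non-breaking whitespace.

```python
"""Detect quarantine type names that differ between a feeder Email Gateway and the CQS.

Added example, not McAfee code. It assumes the Quarantine Type names of each
appliance are available as plain lists; the lists below are constructed.
"""
import unicodedata

# Constructed sample: 'testpolicy ' carries a trailing space and 'Off Hour' on
# the CQS contains a non-breaking space. Both look identical on screen but
# are different queue names, so remote-quarantined mail would not land in them.
FEEDER_QUEUES = ["Content Analysis", "Anti-Spam", "testpolicy ", "Off Hour"]
CQS_QUEUES = ["Content Analysis", "Anti-Spam", "testpolicy", "Off\u00a0Hour"]


def _key(name):
    """Canonical form used only for diagnosis: NFKC, then collapsed whitespace."""
    return " ".join(unicodedata.normalize("NFKC", name).split())


def queue_name_mismatches(feeder_names, cqs_names):
    """Return (kind, feeder_repr, cqs_repr) tuples for every name that does not match exactly.

    kind is 'whitespace' when both appliances hold the same name apart from
    spacing, 'missing on CQS' or 'missing on feeder' otherwise. repr() is used
    so that stray spaces and \\xa0 characters are visible in the report.
    """
    feeder, cqs = set(feeder_names), set(cqs_names)
    cqs_by_key = {_key(n): n for n in cqs}
    feeder_keys = {_key(n) for n in feeder}
    problems = []
    for name in sorted(feeder - cqs):
        twin = cqs_by_key.get(_key(name))
        if twin is not None:
            problems.append(("whitespace", repr(name), repr(twin)))
        else:
            problems.append(("missing on CQS", repr(name), None))
    for name in sorted(cqs - feeder):
        if _key(name) not in feeder_keys:   # whitespace twins were reported above
            problems.append(("missing on feeder", None, repr(name)))
    return problems


if __name__ == "__main__":
    for kind, on_feeder, on_cqs in queue_name_mismatches(FEEDER_QUEUES, CQS_QUEUES):
        print(f"{kind}: feeder={on_feeder} cqs={on_cqs}")
```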

Configuring appliances
Specific configuration options are required on both the feeder Email Gateways and the CQS to allow the
enterprise to take advantage of the CQS functions.

Configuring the Email Gateway appliances


On the mail flow appliances, enable the appliances to use the remote quarantine system on the
SuperQueue configuration window.
Figure 22 SuperQueue Configuration window

Check Specify Remote Quarantine System and then type the IP address for the CQS in the Remote
Quarantine System data field. This enables the Remote Quarantine action on the feeder Email Gateway.
For more information about setting the SuperQueue Properties, see Chapter 4, Advanced Queue Manager
Topics.

Configuring the CQS


To configure the appliance to be used as the Central Quarantine Server, check Central Quarantine Server
on the MIME Ripper configuration window.
Note: You must also list the feeder Email Gateways by IP address.

Figure 23 Internal Queue - MIME Ripping Configuration window

This enables the appliance to serve as the CQS.


For more information regarding the configuration of MIME Ripper Properties, see Chapter 4, Advanced
Queue Manager Topics.
To complete the connection between the mail flow appliances and the CQS, add the IP addresses of all
feeder Email Gateways to the CQS’s Allow Relay list.
Figure 24 Allow Relay - Configure window

Table 23 Allow Relay - Configure fields

Table Headers – The table in the upper portion of the window displays subnets through which messages can be relayed to external domains. The information shown includes:
• IP Subnet – The IP address for an approved mail server
• Side Note – Any information entered to define or describe the subnet
• Delete – A checkbox (or hyperlink) that allows deletion of any (or all) IP subnets
Adding a Subnet – The fields in the lower portion of the window allow you to add a new IP subnet to the Allow Relay list.
IP Subnet – In this data field, type the IP address for an Email Gateway-hosted server that you want to add to the relay list.
Side Note for IP – Type descriptive text as desired to identify the IP subnet you are adding.
Add IP Subnets from a File – If a file contains a list of IP subnets in text format, they can be uploaded into the Allow Relay List. The import file should contain one or more lines in the following format:
• IP_subnet | IP_sidenote
• IP-subnet is a 32-bit (four octet) IP address or classful subnet (one that has structure in compliance with TCP classes A, B, or C). This value is required.
• IP-sidenote is an alphanumeric comment. This value is optional.
Character Set – From the drop-down list, select the character set that is to be used for communicating with the IP address.
Commands – Click the desired button:
• Submit – Writes changes to the database; executes changes
• Reset – Returns the window to the state it was in when it opened

Note: When an IP address is placed on the Allow Relay list, it will not be evaluated for Denial of Service attacks.
This is a potential liability.
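The import-file format above can be checked before upload; the following Python (added here, not McAfee's code) parses lines in the IP_subnet | IP_sidenote format, rejects anything that is not a class A, B or C address and, because listed addresses are exempt from Denial of Service evaluation, warns about entries that cover a whole classful network. It assumes a classful subnet is written as its network address (for example 10.0.0.0); the sample file is constructed.

```python
"""Added example (not McAfee's code): validate an Allow Relay import file in
the 'IP_subnet | IP_sidenote' format before uploading it, and flag entries
whose scope is broad, since listed addresses are exempt from Denial of
Service evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Classful prefix lengths by first-octet range.  Assumption: a 'classful
# subnet' in the import file is written as its network address, e.g.
# 10.0.0.0 for a class A network or 192.168.1.0 for a class C network.
CLASS_PREFIX = (  # (low, high, class letter, prefix length)
    (1, 126, "A", 8),
    (128, 191, "B", 16),
    (192, 223, "C", 24),
)


@dataclass
class RelayEntry:
    line_no: int
    network: ipaddress.IPv4Network   # /32 for a single host
    sidenote: str
    warnings: List[str]


def classify(addr: ipaddress.IPv4Address) -> Tuple[str, int]:
    """Return (class letter, classful prefix length) or raise ValueError."""
    first = int(addr) >> 24
    for low, high, letter, prefix in CLASS_PREFIX:
        if low <= first <= high:
            return letter, prefix
    raise ValueError(f"{addr} is not a class A, B or C address")


def parse_entry(line: str, line_no: int) -> RelayEntry:
    """Parse one 'IP_subnet | IP_sidenote' line; the side note is optional."""
    subnet_text, _, sidenote = line.partition("|")
    subnet_text, sidenote = subnet_text.strip(), sidenote.strip()
    if not subnet_text:
        raise ValueError("missing IP subnet")
    try:
        addr = ipaddress.IPv4Address(subnet_text)  # rejects CIDR, IPv6, junk
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad IPv4 address {subnet_text!r}: {exc}") from None
    letter, prefix = classify(addr)
    classful = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    warnings: List[str] = []
    if addr == classful.network_address:
        network = classful  # host bits are all zero: a classful subnet
        if prefix < 24:
            warnings.append(
                f"class {letter} subnet ({network.num_addresses} addresses) "
                "is exempt from DoS evaluation; prefer individual hosts")
    else:
        network = ipaddress.ip_network(f"{addr}/32")
    if not sidenote:
        warnings.append("no side note; entry will be hard to audit later")
    return RelayEntry(line_no, network, sidenote, warnings)


def parse_import_file(text: str):
    """Return (entries, errors).  Blank lines are skipped; each error is
    (line_no, message) so the file can be fixed before it is uploaded."""
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entries.append(parse_entry(raw, line_no))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return entries, errors


# Constructed sample import file, not taken from the product documentation.
SAMPLE = """\
192.0.2.10 | feeder Email Gateway in datacenter 1
192.0.2.11 | feeder Email Gateway in datacenter 2
10.0.0.0 | whole campus network
198.51.100.25
203.0.113.0/24 | CIDR notation is not accepted
224.0.0.1 | multicast, not class A-C
"""

if __name__ == "__main__":
    entries, errors = parse_import_file(SAMPLE)
    for e in entries:
        print(f"line {e.line_no}: {e.network} {e.sidenote!r} {e.warnings}")
    for line_no, msg in errors:
        print(f"line {line_no}: REJECTED: {msg}")
```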

End User Quarantine


End User Quarantine and EUQ Whitelisting should be enabled ONLY on the Central Quarantine Server.

On the feeder Email Gateways


Leave End User Quarantine disabled on all the mail flow appliances.
The feeder Email Gateway, if it is properly configured to deliver notifications, will notify the users that
messages have been remotely quarantined.

On the CQS
Enable and configure End User Quarantine. One particular parameter that is important on the CQS is the
number of messages that can be sent to the end user in a single notification email. McAfee recommends
that no more than 1,000 messages be sent in a single notification.
Note: A single user can receive more than one notification email in the same notifications period if the number of
messages quarantined exceeds the limit you set. This is expected behavior.

Figure 25 End User Quarantine - Configure window

Table 24 End User Quarantine - Configure fields

Enable End User Quarantine – Select the checkbox to enable notifications to end users when messages intended for them have been quarantined.
Virtual Hostname – Type a virtual hostname (secondary) for the CQS appliance. Email Gateway listens for the hostname when end users send quarantine release requests. The hostname appears in the link the end user accesses to take action upon quarantined messages. It allows Email Gateway to accommodate more than just SMTP connections and lets the end users communicate with Email Gateway and CQS.
Virtual IP Address – Type a virtual IP address (secondary) for the CQS appliance. Email Gateway listens for the IP address when end users send quarantine release requests.
Port – Type the port number through which end user requests are to be returned to the CQS.
Secure – Click the proper radio button (Yes or No) to indicate if messages are to be sent and received securely between the browser and the CQS.
Certificate – Select from the pick list of Security Certificates the installed certificate to be used in securing the requests from the browser to the CQS.
EUQ Notification Template – From the drop-down list, select the template to be used for End User Quarantine notifications.
Details in Notification – Click the appropriate radio button to enable or suppress message details in notifications. Clicking Yes displays the details. Notifications to users will include both the link to the table and the list of messages quarantined. Clicking No disables the details so the user only receives the link to the quarantined message table.
Messages in One Notification – Type a number between 1 and 1,000 to represent the maximum number of messages that can be included in one notification.
Frequency Schedule – Clicking this button enables creation of a fixed-interval schedule for notifications. You can select an interval in hours (1 hour to 72 hours) between notification cycles. You must choose either Frequency Schedule or Detailed Schedule. Enabling one disables the other.
Detailed Schedule – This option allows creation of a specifically detailed schedule for processing the EUQ notifications. The schedule is configured in two steps:
• The left side of the window displays a list of days of the week. Select the day during which notices are to be sent. You can select only one day at a time. However, after you submit the detailed schedule for one day, you can do it again for another day and the system will accumulate the daily schedules. It is therefore possible to create individual detailed schedules for all seven days per week.
• The right side of the window contains checkboxes for each of the 24 hours in a day. Selecting a checkbox enables the CQS to send notifications at that time on the designated day. You can select from 0 to 24 notification times per day.
Commands – Click the desired button:
• Submit – Writes changes to the database; executes changes
• Reset – Returns the window to the state it was in when it opened

The next step is to set up the User List on the CQS by adding the users to whom EUQ notices will be sent and
the quarantine queues for which those notices should be generated.

The End User Quarantine User List


This table lists the active policies for end users or groups to be notified when they have messages in
configured quarantine queues. It displays the user type, associated data, inclusion or exclusion by the
policy, and the quarantine queue types to be monitored for association with notification policies.
Figure 26 End User Quarantine User List - Manage window

Click Add New to add a new user or group; click Delete to delete an existing one. Users on the list cannot
be edited; they can only be added or deleted. To change an existing user, delete the current version, then
add the user again with different information.

Figure 27 End User Quarantine Data - Add window

Table 25 End User Quarantine Data - Add fields

Apply to All Virtual Hosts – If the new user definition is to apply to all virtual hosts, select the checkbox.
Apply To – Select Global, Domain Group, Domain, User Group or Email Address to define the entity to which this policy will apply. If Domain Group or User Group is selected, select the name of the particular group from the enabled pick list. If Domain or Email Address is chosen, type the domain name or the user’s email address in the Data space. Global requires no additional data.
Data – Type the email address or domain name associated with the choice made above, if required.
Exclude – Check this box if you want the new policy to apply to everyone except the user or group you are defining.
User Type – Click Sender, Recipient or Both to further identify the user type identified in the Apply To selection. For example, if you select Domain as the Apply To selection and Both as the user type, the policy will apply to both senders to and recipients from the identified domain.
Quarantine Queue – Select (highlight) one or more quarantine queues for which the users are to receive notifications.
Commands – Click the desired button:
• Submit – Writes changes to the database; executes changes
• Reset – Returns the window to the state it was in when it opened
• Cancel – Closes the window without saving any changes

When users have been added, they will appear on the End User Quarantine User List window.
Finally, set up EUQ Whitelisting.

End user whitelists


End User Whitelisting allows users to request whitelist rules and policies that apply only to themselves.
They base their requests on quarantined messages for which they have received notifications. When users
receive notification of a quarantined message for which they want a whitelist entry, they submit a request
to whitelist either the email address or the domain (based on the WebAdmin EUQ Whitelisting configuration
setting) associated with the quarantined message from the quarantined message list. The request is
initiated by clicking the link associated with the EUQ notification, finding the desired message, selecting its
associated whitelist checkbox, and then submitting the request.

You can configure End User Quarantine Whitelist functionality from the GUI. McAfee recommends that you
define at least one bypassed feature (you might want to specify an unused feature for this). Then configure
the whitelist synchronization by entering the feeder Email Gateways to the Send To list on CQS. It is not
necessary to add the Email Gateways to the Received From list, since CQS is the only appliance configured
for End User Quarantine.
Figure 28 End User Quarantine Whitelist - Configure window

Table 26 End User Quarantine Whitelist - Configure fields

Enable EUQ Whitelist – Select the checkbox to enable the End User Whitelist feature, allowing end users to request whitelist entries.
Direction – Click the appropriate radio button to indicate the message direction for entries included in the whitelist: inbound, outbound or both.
Queue and Bypass – Selecting a queue from the list to the left of the window populates the Bypass list to the right with the names of features belonging to that queue that can be bypassed. You can select multiple queues to accumulate their features in the Bypass list, then select (highlight) one or more features to be bypassed by the whitelist entries.
Synchronize – The two tables (Send To and Receive From) contain IP addresses for the Email Gateways that need to maintain the same end-user whitelists. Synchronization ensures the whitelists recognized by each Email Gateway are identical.
Add New – Add new IP addresses to the synchronization lists by entering the addresses in the respective data fields. Clicking Submit records the additions.
Filter Type – Click the filter type for this whitelist. The entries can be whitelisted based upon either email addresses or domains.
Whitelist Mode – Click the mode for creation of entries for this whitelist. Options are:
• Automatic – Email Gateway will automatically create a whitelist entry for each request it receives. This is NOT the recommended mode of operation.
• Manual – An administrator must create the entries from each request. This allows you to monitor the entries and to determine if custom application is in order (for example, if more than one user has requested the same whitelist entry). This is the preferred mode.
Auto Cleanup – Selecting this checkbox enables Email Gateway to eliminate rules that have not been applied for the configured delete period. If Auto Cleanup is not enabled, the table of rules will continue to grow until it ultimately degrades performance.
Auto Delete Period – Type a time in days that rules should remain in effect without being deleted if they have not been applied. Unused rules older than the configured period will be deleted by the Auto Cleanup function.
Frequency Schedule – Clicking this button enables creation of a fixed-interval schedule for synchronization. You can select an interval in hours (1 hour to 72 hours) between cycles. You must choose either Frequency Schedule or Detailed Schedule. Enabling one disables the other.
Detailed Schedule – This option allows creation of a specifically detailed schedule for synchronization. The schedule is configured in two steps:
• The left side of the window displays a list of days of the week. Select the day during which the cleanup cycle is to run. You can select only one day at a time. However, after you submit the detailed schedule for one day, you can do it again for another day and the system will accumulate the daily schedules. It is therefore possible to create individual detailed schedules for all seven days per week.
• The right side of the window contains checkboxes for each of the 24 hours in a day. Selecting a checkbox enables the CQS to run Auto Cleanup at that time on the designated day. You can select from 0 to 24 notification times per day.
Commands – Click the desired button:
• Submit – Writes changes to the database; executes changes
• Reset – Returns the window to the state it was in when it opened

Setting the Cleanup Schedule


The Cleanup Schedule on each mail flow Email Gateway operates independently from the schedule on CQS.
For Central Quarantine functionality, the Cleanup Schedule on CQS is the pertinent one. The configuration
of the Cleanup Interval determines how long messages will be kept in quarantine if they are not released or
deleted. The Frequency Schedule determines how often the Cleanup Cycle runs.
To set up the Cleanup Schedule, navigate to Administration | Cleanup Schedule. For detailed information
about the configuration options for the Cleanup Schedule in general, and for quarantine data in particular,
see the Cleanup Schedule section of Chapter 31, Email Gateway Administration.

Figure 29 Cleanup Schedule - Configure window

Table 27 Cleanup Schedule - Configure fields

File Type – From the pick list, select the type of file for which you are configuring a cleanup schedule. Options are:
• Database
• Statistics
• Log Files
• Temporary Files
• IDS Statistics
• Quarantine Data
• Spam Notification
• SWD Viewed
• SWD Non-Viewed
Highlight the type and click the Select button.
Cleanup Interval – Specify the number of hours or days (by entering the number and selecting from the pick list) that this particular kind of file should remain in the database. Email Gateway converts day entries into hours internally.
Frequency Schedule – Clicking this button enables creation of a fixed-interval schedule for the Cleanup cycle. You can select an interval in hours (1 hour to 72 hours) between cycles. You must choose either Frequency Schedule or Detailed Schedule. Enabling one disables the other.
Detailed Schedule – This option allows creation of a specifically detailed schedule for the Cleanup cycle. The schedule is configured in two steps:
• The left side of the window displays a list of days of the week. Select the day during which the cleanup cycle is to run. You can select only one day at a time. However, after you submit the detailed schedule for one day, you can do it again for another day and the system will accumulate the daily schedules. It is therefore possible to create individual detailed schedules for all seven days per week.
• The right side of the window contains checkboxes for each of the 24 hours in a day. Selecting a checkbox enables the CQS to run Auto Cleanup at that time on the designated day. You can select from 0 to 24 cleanup times per day.
Commands – Click the desired button:
• Submit – Writes changes to the database; executes changes
• Reset – Returns the window to the state it was in when it opened

The Central Quarantine Server should now be ready to fulfill its purpose.

Dual Central Quarantine Servers


In order to ensure proper functionality under unusual circumstances, you can choose to configure a second
CQS (CQS2). This server will be used to store all quarantined messages at a remote location, so that they can
be processed should the primary CQS (CQS1) fail. CQS1 will forward copies of all messages it receives
directly to CQS2 before processing them itself.
The diagram below illustrates the flow of messages:
Figure 30 Dual CQS Flow

Configuring CQS2
To use a second Central Quarantine Server as backup, you must configure specific properties on both CQS1
and CQS2.

On CQS1
Configure the second CQS in MIME Ripper Properties on CQS1. Check Enable Secondary Central
Quarantine Server, and type the IP address in the Secondary Central Quarantine Server data field.

On CQS2
In order to ensure proper storage and processing of messages, configure CQS2 exactly the same as CQS1,
with two exceptions:

End User Quarantine


Do NOT enable End User Quarantine Notification on CQS2. CQS1 remains the only server that can notify
end users of their quarantined messages.

SMTPO
Disable the Outbound Queue and ensure it is not running. All messages are to remain on CQS2 until they
are deleted according to the Cleanup Schedule.

If CQS1 fails
If CQS1 should fail for any reason, the two servers reverse roles. McAfee Support will reconfigure CQS2 to
process messages in place of CQS1. Support will perform the reconfiguration as follows:
• Reconfigure all feeder Email Gateways to send their “Remote Quarantine” messages to CQS2.
• Enable End User Quarantine notifications on CQS2.
• Disable End User Quarantine notifications on CQS1.
• Configure CQS2 to send copies of messages to CQS1 (optional, depending upon the status of CQS1).
• Configure CQS1 NOT to send copies of messages to CQS2.
• Delete historic messages from the SMTPO Queue on CQS2.
• Restart SMTPO.

SECTION 3

Compliance

Chapter 6, Compliance Overview

Chapter 7, Content Analysis

Chapter 8, Advanced Compliance

Chapter 9, Analyzing Images

Chapter 10, Envelope Analysis

Chapter 11, Whitelisting

Chapter 12, Advanced Topics in Compliance


6 Compliance Overview

Contents
About Compliance
Snapshot reports

About Compliance
In Email Gateway you can create policies based on keywords or phrases within email messages and
attachments. You can use compliance features as tools to block spam, as well as to enforce acceptable
email usage. Email Gateway can enforce Compliance policies for email messages, as well as for many text
file attachment formats.

Snapshot reports
The Quick Snapshots provide an overview of processes and actions within the Compliance area. The reports
reflect inbound and outbound email traffic, and provide both historical information and current actions.
The reports are divided into three panels. The top panel tracks the following message trend data over a
defined time period:
• Messages cleared

• Messages dropped

• Messages quarantined

• Messages modified

Use the historical trend data to detect changes over time. The time period varies according to the amount
of data accumulated.
• If the appliance has data for less than a week, the trend data is plotted daily.

• If the data represents from 1 to 12 weeks, the trends are monitored on a weekly basis. The dates
displayed represent the beginning date for each week.

• If the data covers more than 12 weeks, the trends continue to be plotted on a weekly basis, showing the
most recent 12 weeks.

The middle panel tracks the same trends in graphic form, for the current day since midnight. The
associated table shows the numbers of messages processed.
The lower panel shows detailed message actions by feature since midnight.
Note: The number of cleared messages shown on this summary report might not match the total reflected in the
upper two panels for the same day. Those panels report all messages processed by the system, while the
summary reflects only messages processed within the compliance program area. However, all the panels reflect
actions triggered within Compliance.

Figure 31 Compliance Quick Snapshot - Daily Compliance - Inbound reports

7 Content Analysis

Contents
About Content Analysis
Dictionaries
Editing and searching an existing dictionary
Editing existing dictionary content
Managing content rules
Applying content rules
Dictionary report configuration

About Content Analysis


Content Analysis focuses on the content of email messages. You can configure rules and policies to
determine the way Email Gateway handles specific kinds of content.
To create Content Analysis policies, follow three steps:
1 Create dictionaries containing words or phrases that are disallowed.
2 Create rules based on dictionary thresholds indicating that multiple dictionary words are detected in a
message.
3 Create policies to apply rules to users and groups.

Dictionaries
Caution: Before you implement Content Analysis policies, pay careful attention to the dictionary entries and their
weights. Careless use of dictionary words, weights, and thresholds can lead to Email Gateway taking action on
legitimate email. For example, the presence of “breast” in a pornography dictionary might act on a message
describing a chicken breast served at a meal, or a newsletter about breast cancer awareness month. Likewise
users within the company might have the personal names “Lust,” “Dick,” “Beaver,” or “Lolita” — words that might
appear in a pornography dictionary.

Email Gateway ships with six default dictionaries:


• SOX Compliance

• HIPAA Compliance

• HIPAA 04182005

• GLBA Compliance

• Regular Expressions

• Malicious Mobile Code

Use the Content Analysis - Manage Dictionaries window to create and edit dictionaries. You can add your
own dictionaries to the default dictionaries to enforce policies and fight spam. Search Types permit a search
for dictionary words anywhere within a message when they are embedded within another word or text
string, or bounded by white space or other characters. You can filter content on raw email messages or on
extracted text, ignoring tags that spammers use to hide content from spam detection software.
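To make the caution concrete, here is an added Python model (not the product's implementation) of how dictionary entries score a message: entry weights, the Word Boundary and Substring search types and the Count Once contribution type as described in this chapter, with a constructed threshold rule and sample messages showing how a Substring entry fires on an ordinary surname.

```python
"""Added example (not McAfee's code): a minimal model of how Content
Analysis dictionary entries score a message, to show the false-positive
risk described in the caution.  Entry weights, the Word Boundary and
Substring search types and the Count Once contribution type follow the
descriptions in this chapter; the threshold rule and sample text are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    text: str
    weight: int
    search_type: str = "word_boundary"   # "word_boundary" or "substring"
    count_once: bool = True              # Count Once contribution type
    include: bool = True                 # the Include checkbox


def count_hits(entry: Entry, message: str) -> int:
    """Number of times the entry occurs in the message, case-insensitive.
    Word Boundary only matches when white space (or the start or end of the
    text) lies on both sides; Substring also matches inside longer words."""
    pattern = re.escape(entry.text)
    if entry.search_type == "word_boundary":
        pattern = r"(?<!\S)" + pattern + r"(?!\S)"
    elif entry.search_type != "substring":
        raise ValueError(f"unknown search type {entry.search_type!r}")
    return len(re.findall(pattern, message, flags=re.IGNORECASE))


def score(dictionary: List[Entry], message: str) -> Dict[str, int]:
    """Contribution of each included entry: its weight once (Count Once) or
    its weight per occurrence."""
    contributions: Dict[str, int] = {}
    for entry in dictionary:
        if not entry.include:
            continue
        hits = count_hits(entry, message)
        if hits:
            contributions[entry.text] = (entry.weight if entry.count_once
                                         else entry.weight * hits)
    return contributions


def rule_fires(dictionary: List[Entry], message: str, threshold: int) -> bool:
    """A content rule fires when the summed dictionary score reaches the
    threshold."""
    return sum(score(dictionary, message).values()) >= threshold


# Constructed dictionary in the spirit of the caution: 'dick' as a Substring
# entry will hit inside ordinary surnames.
CARELESS_DICT = [
    Entry("breast", 5),
    Entry("dick", 5, search_type="substring"),
]
# The same dictionary with the risky entry switched to Word Boundary.
HARDENED_DICT = [
    Entry("breast", 5),
    Entry("dick", 5, search_type="word_boundary"),
]
THRESHOLD = 8

# Constructed legitimate messages.
NEWSLETTER = ("October is breast cancer awareness month; book your "
              "breast screening today.")
RECIPE = "Chicken breast recipe as served in a Dickens novel."

if __name__ == "__main__":
    for name, dictionary in (("careless", CARELESS_DICT),
                             ("hardened", HARDENED_DICT)):
        for label, msg in (("newsletter", NEWSLETTER), ("recipe", RECIPE)):
            print(name, label, score(dictionary, msg),
                  "FIRES" if rule_fires(dictionary, msg, THRESHOLD) else "ok")
```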

Do not delete the original (default) entries in any system-generated dictionary. In most cases, the
delete option does not exist.
To manage your configured dictionaries, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Dictionaries.

3 View your dictionaries, and make any allowed changes to complete the screen (see Table 28).

4 Click Submit to accept your changes.

Figure 32 Content Analysis - Manage Dictionaries window

Table 28 Content Analysis - Manage Dictionaries fields

ID – This column displays the unique ID number for each dictionary. Logs and reports provide statistics about each rule. When a message triggers a policy, the report or log provides information about the message and the dictionary ID that caused action on the message. Dictionary ID numbers are serially incremented. If you delete a dictionary, Email Gateway does not re-use its ID.
Dictionary – This column reports the dictionary name. When you create dictionaries, you must name them. The dictionary name is a hyperlink that opens a browser window where you can edit the dictionary.
Search Option – This column lists your selected search type:
• Original Part, including any embedded tags or URLs
• Extracted Text, ignoring tags
• Both processes, using the method that has the most dictionary hits
This entry is a hyperlink that allows you to edit this option.
System – An “X” in this column indicates the dictionary is system-generated. System-generated dictionaries cannot be deleted.
SpamProfiler – Select this checkbox if you want the particular dictionary to contribute to the Spam Profiler score. Save your selection by clicking Submit.
Delete – Click the Delete checkbox to delete any manually created dictionary. Click Submit. You can click the Delete column heading to mark all manually-created dictionaries for deletion.

You can view, search and edit the content of any dictionary by clicking the name of that dictionary. You can
also edit the Search Option by clicking that hyperlink.

Editing and searching an existing dictionary


Use the Content Analysis - Manage Dictionaries window:
• To enable or disable a dictionary’s contribution to the Spam Profiler

• To delete the dictionary so long as that dictionary was manually created

• To navigate to other windows for more extensive editing

• To edit the search option

• To manage dictionary content

Editing the search option


To edit the search option, do the following:
1 Click the Search Option hyperlink for any dictionary on the Content Analysis - Manage Dictionaries
window. The Content Analysis - Edit Dictionary window appears.
Figure 33 Content Analysis - Edit Dictionary window

2 Select one of the following search options from the drop-down list:

• Extracted Text – The dictionary searches the extracted text and ignores any embedded tags or URLs.

• Original Part File – The dictionary searches any embedded tags or URLs in the message.

• Both – The dictionary searches both extracted text and the original part file, and uses the option that
produces the most hits.

3 Click Submit to record the change.

Viewing dictionary content


To view dictionary content:
1 Click the name of a dictionary on the Content Analysis - Manage Dictionaries window. The Content
Analysis - Manage Dictionary Content window displays.

2 View the content, or make changes to complete the window (see Table 29).

3 When you have finished, click Submit.

Figure 34 Content Analysis - Manage Dictionary Content window

Table 29 Content Analysis - Manage Dictionary Content fields

Search Dictionary – This portion of the window provides search functions.
Search Criteria – You can search the dictionary for a specific entry. To conduct a search, type a word or phrase, URL or Regular Expression, whichever is appropriate for the dictionary.
Content Type – Select from the drop-down list the type of entry you want to find. Options are:
• Words or phrases
• URLs
• Regular Expressions
Page Navigation – Use the navigation fields at the lower right of the section to move to the next page of content information, the previous page, or a specific page (by entering a page number in the field).
Existing Content – The table in the lower portion of the window lists the current dictionary entries.
Word or Phrase – This column contains the specific entries (words or phrases, URLs, or regular expressions).
Weight – This column displays the weight assigned to each entry. The weight field is editable.
Include – Include the entry in dictionary searches by selecting the Include checkbox beside each entry, or exclude it by leaving the box unselected. Clicking the Include hyperlink at the top of the column includes or excludes every entry on the page.
Search Type – This column shows the search type for each entry in the dictionary. Options are:
• Word Boundary – Identify the entry only if it is bounded on both sides by white space.
• Substring – Look for the entry without white space to identify it as part of a longer character string.
Scan – This column shows which parts of a message are scanned for the word or phrase: the header, the body, and/or any attachments.
Delete – Select the Delete checkbox to delete the associated entry.
Note: The Delete box does not appear for system-generated entries.
Upload from File – To add a list of entries at once, upload the list from a file. Type the file name and complete path to the file, or browse to it. For information about the required format for uploading entries, see Appendix B, File Formats for Uploads.
Character Set – Select the character set used for encoding entries or searching for entries. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for traditional Chinese for mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – official character set for the People’s Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People’s Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Eastern European Albanian and Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, allowing variable length character encoding
You can use only those character sets supported by both Autonomy and ICONV in a dictionary. Autonomy converts the email to UTF-8, and ICONV converts the dictionary to UTF-8.
Export – You can store a backup copy of this dictionary by exporting it to an accessible directory.

Searching dictionary content


To locate a specific word or phrase in a dictionary:
1 Click the name of a dictionary on the Content Analysis - Manage Dictionaries window. The Content
Analysis - Manage Dictionary Content window displays.

2 Do one of the following:

• Scroll the pages to find the word or phrase

• Navigate to the correct page using the page navigation fields

• Use the search options to find a specific entry (see Table 30). Your search results will display.
Note: If the entry is present, the window will show it as it appears on the Dictionary Content window. If it is
not present, the content window appears but shows no entries.

3 When you are finished, click Submit.

Table 30 Content Analysis - Manage Dictionary Content search fields

Search Criteria – You can search for a specific word or phrase within the dictionary by typing the word or phrase in the data field.
Content Type – Select from the drop-down list the type of entry you want to find. Choose from:
• Words or phrases
• URLs
• Regular Expressions
When you have entered the data, click Search to execute the search.

Adding content
To add an entry to the dictionary:
1 Click the name of a dictionary on the Content Analysis - Manage Dictionaries window. The Content
Analysis - Manage Dictionary Content window displays.

2 Click Add New at the bottom of the window. The Add to Dictionary window appears.

3 Provide the information to complete the window (see Table 31).

4 Click Submit. The Dictionary Content window updates to show the new entry.

Figure 35 Add to Dictionary window

Table 31 Add to Dictionary fields


Field Description
Dictionary Name The name of the dictionary appears at the top of the window. The name
is not editable.
Content Type Select from the drop-down list the type of entry you want to insert.
Options are:
• Words or phrases
• URLs
• Regular Expressions
The Add Dictionary Content window varies by content type. For more
information, see Adding a new Content Analysis dictionary.
Search Type Click the kind of search to be executed for this entry. Options are:
• Word Boundary – Identify the entry only if it is bounded on both sides
by white spaces.
• Substring – Look for the entry without white spaces to identify it as
part of a longer character string.
Search Text Type the entry exactly as it is to appear in this dictionary.
Weight Type the weight assigned to one occurrence of this entry.

Include Select the checkbox to include the entry in searches. Leaving the box
unselected excludes the entry.
Scan Area Enable Email Gateway to scan the message header, the message body,
and/or any attachments. You can click one, two or all of these options.
Contribution Type Click the radio button that determines how Email Gateway
applies the score for this entry. Options are:
• Count Once – Score the entry only once, applying the weight
configured above, no matter how many times the entry appears in a
message.
• Maximum Contribution – Type the highest contribution score allowed
for the entry. If you type a number other than zero in the data field,
Email Gateway accumulates scores for the entry based upon the number
of times it appears, until it reaches your configured maximum. If you
type a zero, Email Gateway accumulates the scores for all
appearances.

URL filtering and decoding


One content type that can be included in Content Analysis Dictionaries is the URL. When dictionaries search
for URLs, the message is tokenized by ignoring white spaces, comments, HTML tags, and so forth, and the
URLs are extracted.
Spammers often attempt to avoid detection by spam-blocking tools by obscuring URLs with various
encoding techniques. Email Gateway can decode specific types of URLs so spam (and spammers) can be
detected. The following table shows the types of URLs Email Gateway can decode.

Table 32 URLs decoded


Encoding Type Explanation
Hexadecimal string URLs Spammers replace the letters in a URL with the equivalent
percent-encoded hex code. When you click the link, the browser decodes the hex
code back to its original form. Email Gateway decodes the URL to plain text,
then finds it in the URL dictionary.
Example: http://www.hotmail.com can be represented as:
http://%77%77%77%2E%68%6F%74%6D%61%69%6C%2E%63%6F%6D
Hexadecimal dotted IP URLs Spammers write each octet of the IP address in
hexadecimal form. Email Gateway decodes the URL and finds it in the URL
Dictionary.
Example: the hexadecimal number for 207.178.42.40 is
0xCF.0xB2.0x2A.0x28, so
http://207.178.42.40 can be represented as
http://0xCF.0xB2.0x2A.0x28
Hexadecimal IP URLs Spammers encode the IP address in hexadecimal form as a non-dotted
hex IP. Email Gateway decodes the URL and finds it in the URL Dictionary.
Example: http://207.178.42.40 can be represented as
http://0xCFB22A28. It can be further obscured by adding any number of
hexadecimal digits in front of the encoded URL, for example,
http://0x9AF0800CFB22A28
Decimal IP URLs Spammers encode the IP address a.b.c.d as a single non-dotted decimal
number, (a × 16777216) + (b × 65536) + (c × 256) + d. Email Gateway decodes the
URL and finds it in the URL Dictionary.
Example: the calculated code for 206.159.40.2 is 3466536962, so
http://206.159.40.2 can be represented as http://3466536962

Octal dotted IP URLs Spammers represent the IP address in octal form, base 8. Email Gateway
decodes the URL and finds it in the URL Dictionary.
Example: http://207.178.42.40 can be represented as:
http://0317.0262.052.050, or
http://000317.0000262.00052.0050
Character Entity Encoded URLs Spammers use this method to represent characters in the HTML
document in one of three ways:
• as decimal numbers
• as hexadecimal numbers
• as names, in some cases.
Only a few characters have names, but any character can be represented
by a decimal number or hex number. Email Gateway decodes decimal and
hexadecimal representations of character entities.
Example: http://www.hotmail.com can be represented as:
http://&#119;&#119;&#119;&#46;&#104;&#111;&#116;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;
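The decoding described in Table 32, as an added Python example that is not part of the guide and not the appliance's own code: a normalizer that undoes HTML character entities, percent-encoding, and the hexadecimal, octal and decimal IP forms before a dictionary lookup. It generalizes a little beyond the table by following inet_aton rules, so a host with fewer than four dotted components (for example 207.178.10792) is resolved as well. The URL_DICTIONARY contents and the function names are assumptions made for this example, as is the treatment of surplus high-order digits in a long single hex number (only the low 32 bits count), which mirrors the lenient parsing the 0x9AF0800CFB22A28 example relies on.

```python
import html
import ipaddress
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# inet_aton-style numeric components: 0x.. is hexadecimal, a leading 0 is octal, otherwise decimal.
_HEX = re.compile(r"0x[0-9a-f]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"0|[1-9][0-9]*")


def _parse_component(token: str) -> int:
    """Parse one dotted component; raises ValueError for anything that is not a number."""
    low = token.lower()
    if _HEX.fullmatch(low):
        return int(low[2:], 16)
    if _OCT.fullmatch(low):
        return int(low, 8)
    if _DEC.fullmatch(low):
        return int(low, 10)
    raise ValueError(f"not numeric: {token!r}")


def decode_numeric_host(host: str) -> Optional[str]:
    """Turn a numeric host (hex, octal or decimal, dotted or not) into dotted-quad text.

    Follows inet_aton: with fewer than four components the last one fills the remaining
    bytes, so 207.178.10792 is 207.178.42.40.  Assumption for the single-number form: only the
    low 32 bits count, which is how 0x9AF0800CFB22A28 still reaches 207.178.42.40.
    Returns None for anything that is not numeric (a real hostname) or is out of range.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    addr = 0
    for value in values[:-1]:
        if value > 0xFF:
            return None
        addr = (addr << 8) | value
    last_width = 32 - 8 * (len(values) - 1)
    last = values[-1]
    if len(values) == 1:
        last &= 0xFFFFFFFF            # assumption: surplus high-order digits are discarded
    elif last >= 1 << last_width:
        return None
    return str(ipaddress.IPv4Address((addr << last_width) | last))


def normalize_url(url: str) -> str:
    """Undo the encodings in Table 32 and rebuild scheme://host[:port]path[?query]."""
    text = html.unescape(url)         # &#119; / &#x77; -> 'w'  (entities first, then percent-escapes)
    for _ in range(3):                # undo percent-encoding, including double encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    parts = urlsplit(text)
    host = parts.hostname             # lower-cased, userinfo and port removed
    if host is None:
        return text
    canonical = decode_numeric_host(host) or host
    try:
        port = parts.port
    except ValueError:                # non-numeric port: drop it
        port = None
    netloc = f"{canonical}:{port}" if port else canonical
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{netloc}{parts.path}{query}"


# Constructed sample URL dictionary: normalized host (or host/path) -> weight.
URL_DICTIONARY = {"www.hotmail.com": 3, "207.178.42.40": 5, "206.159.40.2/login": 8}


def url_dictionary_hit(url: str, dictionary=URL_DICTIONARY, with_path: bool = False) -> Optional[int]:
    """Weight of the entry the normalized URL matches, or None.  with_path=False is the
    'URL' search type (host only); True is 'URL with Path Information' (host plus path)."""
    parts = urlsplit(normalize_url(url))
    key = parts.netloc + parts.path if with_path else parts.netloc
    return dictionary.get(key)


if __name__ == "__main__":
    for obfuscated in ["http://%77%77%77%2E%68%6F%74%6D%61%69%6C%2E%63%6F%6D",
                       "http://0x9AF0800CFB22A28", "http://3466536962/login",
                       "http://000317.0000262.00052.0050"]:
        print(f"{obfuscated:<55} -> {normalize_url(obfuscated)}"
              f"  weight={url_dictionary_hit(obfuscated, with_path=True)}")
```

Run as a script it prints each obfuscated form beside its decoded form and dictionary weight. The order of the passes matters: entities are decoded before percent-escapes, so `&#37;77` becomes `%77` and then `w`; a single-pass decoder would miss that layering.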

Editing existing dictionary content


To edit an existing entry:
1 Click the name of a dictionary on the Content Analysis - Manage Dictionaries window. The Content
Analysis - Manage Dictionary Content window displays.

2 Select the entry to edit. The Edit Dictionary Content window appears.

3 Provide the information to complete the window (see Table 33).

4 Click Submit. The Dictionary Content window updates to show the edited entry.

Figure 36 Edit Dictionary Content window

Table 33 Edit Dictionary Content fields


Field Description
Dictionary Name This field contains the name of the dictionary associated with the entry.
The name is not editable.
Content Type Change the content type for the entry by selecting a new type from the
drop-down list.
Search Type Select the kind of search to execute for this entry. Options are:
• Word Boundary– Identify the entry only if it is bounded on both sides
by white spaces.
• Substring – Look for the entry without white spaces to identify it as
part of a longer character string.

Search Text Change the existing entry or type a new one.
Weight Change the current weight assigned to this entry by typing a new one.
Include Select the checkbox to include this entry in dictionary searches. Deselect
it to exclude the entry.
Scan Area Select checkboxes to enable Email Gateway to scan the message header,
the message body, and/or any attachments. You can select one, two or
all of these options.
Contribution Type Click the radio buttons to determine how Email Gateway will apply the
score for this entry. Options are:
• Count Once – Score the entry only once, applying the weight
configured above, no matter how many times it appears in a message.
• Maximum Contribution – Type the highest contribution to be scored for
the entry. If you type a number other than zero, Email Gateway
accumulates scores for this entry based upon the number of times it
appears, until it reaches your configured maximum. If you type a zero,
Email Gateway will accumulate the scores for all the appearances of
the entry.

Adding a new Content Analysis dictionary


You can create new dictionaries that meet the needs of the enterprise. To add a new dictionary, do the
following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Dictionaries. The Content Analysis - Manage Dictionaries window
appears.

3 Click Add New at the bottom of the window. The Add New Dictionary window appears.

4 Provide the information to complete the window (see Table 34).

5 Click Submit. The new dictionary appears in the Manage Dictionaries window.

Figure 37 Content Analysis - Add Dictionary window

Table 34 Content Analysis - Add Dictionary fields


Field Description
New Dictionary Name Type the name of the new dictionary.
Contribute Toward SpamProfiler Click the appropriate radio button to enable or disable the
dictionary’s contribution to the SpamProfiler score.
Search Option for HTML Parts Click the search option. Options are:
• Extracted Text – Search the extracted text and ignore any embedded
tags or URLs.
• Original Part File – Search includes any embedded tags or URLs in the
message.
• Both – search both extracted text and the original part file, and use
the option that produces the most hits.


Adding the content


When you first create a new dictionary, it is empty. You must add appropriate content. You can add:
• Words and phrases,

• URLs, or

• Regular expressions

The Add to Dictionary screens for each will vary to fit the type of content you wish to create.

Adding words or phrases


To add a word or phrase to the dictionary:
1 Click the name of the new dictionary on the Content Analysis - Manage Dictionaries window. The Manage
Dictionary Content window appears.

2 Click Add New at the bottom of the window. The Add to Dictionary window appears.

3 Provide the information to complete the window (see Table 35).

4 Click Submit.

Figure 38 Add to Dictionary window

Table 35 Add to Dictionary (word or phrase) fields


Field Description
Dictionary Name The name of the dictionary appears at the top of the window. The field is
not editable.
Content Type Select Words or Phrases from the drop-down list.
Search Type Click the kind of search for this entry. Options are:
• Word Boundary – Identify the entry only if it is bounded on both sides
by white spaces.
• Substring – Look for the entry without white spaces, identifying it as
part of a longer character string.
Search Text The actual entry as it appears in this dictionary.
Weight Type the weight to be assigned to one occurrence of this entry.
Include Select the checkbox to include the entry in searches. Leaving the box
unselected excludes the entry.

Scan Area Select checkboxes to enable Email Gateway to scan the message header,
the message body, and/or any attachments. You can select one, two or
all of these options.
Contribution Type Click radio buttons to determine how Email Gateway applies the score for
this entry. Options are:
• Count Once – Score the entry only once, applying the weight
configured above, no matter how many times the entry appears.
• Maximum Contribution –Type a number to determine the highest
contribution for the entry. If you type a number other than zero, Email
Gateway accumulates scores based upon the number of times the
entry appears, until it reaches your configured maximum. If you type
a zero, Email Gateway accumulates the scores for all the appearances
of the entry.

Adding URLs
To add a URL to the dictionary:
1 Click the name of the new dictionary on the Content Analysis - Manage Dictionaries window. The Manage
Dictionary Content window appears.

2 Click Add New at the bottom of the window. The Add to Dictionary window appears.

3 Provide the information to complete the window (see Table 36).

4 Click Submit.

Table 36 Add to Dictionary (URL) fields


Field Description
Dictionary Name The name of the dictionary appears at the top of the window. The field is
not editable.
Content Type Select URLs from the drop-down list.
Search Type Select the kind of search for this entry. Options are:
• URL – Look for just the URL as shown
• URL with Path Information – Look for the complete path associated
with the URL.
Type URL Type the IP address or hostname for the URL.
Weight Type the weight to be assigned to one occurrence of this entry.
Include Select the checkbox to include the entry in searches. Leaving the box
unselected excludes the entry.
Scan Area Select checkboxes to enable Email Gateway to scan the message header,
the message body, and/or any attachments. You can select one, two or
all of these options.
Contribution Type Click a radio button to determine how Email Gateway applies the score
for this entry. Options are:
• Count Once – Score the entry only once, applying the weight
configured above, no matter how many times it appears in a message.
• Maximum Contribution – Type the highest contribution allowed for the
entry. If you type a number other than zero, Email Gateway
accumulates scores based upon the number of times it appears, until
it reaches your configured maximum. If you type a zero, Email
Gateway accumulates the scores for all the appearances of the entry.

Adding Regular Expressions


To add Regular Expressions to the dictionary:
1 Click the name of the new dictionary on the Content Analysis - Manage Dictionaries window. The Manage
Dictionary Content window appears.

2 Click Add New at the bottom of the window. The Add to Dictionary window appears.


3 Provide the information to complete the window (see Table 37).

4 Click Submit.

Figure 39 Add to Dictionary (Regular Expressions) window

Table 37 Add to Dictionary (Regular Expression) fields


Field Description
Dictionary Name The name of the dictionary appears at the top of the window. The field is
not editable.
Content Type Select Regular Expressions from the drop-down list.
Search Type Click the kind of search for this entry. Options are:
• Word Boundary – Identify the entry only if it is bounded on both sides
by white spaces.
• Substring – Look for the entry without white spaces, identifying it as
part of a longer character string.
Enter Regular Expression Select the type of regular expression from the drop-down list. Options
are:
• Custom
• US SSN
• Canadian SIN
Then type the regular expression as it appears in the dictionary.
Regular Expression Flags Select one or more of the Regular Expression flags to be considered in
searches. Options are:
• IGNORECASE – Perform case-insensitive matching.
• LOCALE – Make search characters dependent upon the current locale.
• MULTILINE – The pattern characters “^” and “$” match at the start and
end of each line, not only at the start and end of the whole text.
• DOTALL – The “.” special character matches any character at all,
including a new line.
• UNICODE – Search characters are dependent upon the Unicode
character properties database.
• VERBOSE – Allows white space and comments inside the expression, so
it can be laid out and annotated for readability.

Validation Algorithms From the pull-down menu, select the validation algorithm to use with
your regular expression. Choices are:
• Mod 10 – Also known as the Luhn algorithm, a simple check-digit
formula used to validate various ID numbers, including credit card
numbers and Canadian Social Insurance Numbers.
• CUSIP – A 9-character alphanumeric identifier for North American
securities, created by the Committee on Uniform Security
Identification Procedures.
• ISIN – International Securities Identification Number, used to identify
securities such as bonds, commercial paper, equities and warrants.
Note: This field is enabled only when you select Custom from the
drop-down list.
Test Value Type a data string to use to test the regular expression.
Click the Test Regular Expression button to run the test.
Weight Type a number to represent the weight to be assigned to one occurrence
of this entry.
Include Select the checkbox to include the entry in searches. Leaving the box
unselected excludes the entry.
Scan Area Select checkboxes to enable Email Gateway to scan the message header,
the message body, and/or any attachments. You can select one, two or
all of these options.
Contribution Type Click a radio button to determine how Email Gateway applies the score
for this entry. Options are:
• Count Once – Score the entry only once, applying the weight
configured above, no matter how many times it appears in a message.
• Maximum Contribution – Type the highest contribution to be scored
for the entry. If you type a number other than zero, Email Gateway
accumulates scores for the entry based upon the number of times it
appears, until it reaches your configured maximum. If you type a zero,
Email Gateway accumulates the scores for all the appearances of the
entry.
Side Note Type a text note that explains the Regular Expression, perhaps
identifying the data it should detect.

Testing a regular expression


To test the regular expression before you save it to the dictionary, do the following:
1 In the Test Value field, type a data string that contains characters the RegEx should detect.

2 Click the Test Regular Expression button. Email Gateway runs the expression against the data string.

• If the regular expression detects data in the string, the window confirms that fact.

• If the expression and the test value don’t match, you can revise the entry and retest before submitting
it.
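The Validation Algorithms, Regular Expression Flags and Test Value fields of Table 37, and the test procedure above, as an added Python example that is not the guide's or the appliance's code. It implements the three validators (Mod 10/Luhn, CUSIP check digit, ISIN) and applies them to every match the way the Test Regular Expression button would report a hit. The flag names in Table 37 are the same as Python's re flags and the example assumes those semantics (LOCALE is left out because Python 3 allows it only on bytes patterns). The patterns for SSN, SIN, card numbers, CUSIP and ISIN are this example's own and are not the appliance's built-in US SSN and Canadian SIN expressions, which the guide does not publish; the test values are constructed, using published check-digit examples for the card, SIN, CUSIP and ISIN.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Flag names as they appear in the Add to Dictionary form, mapped to Python's re flags.
FLAG_NAMES = {
    "IGNORECASE": re.IGNORECASE,
    "MULTILINE": re.MULTILINE,
    "DOTALL": re.DOTALL,
    "UNICODE": re.UNICODE,
    "VERBOSE": re.VERBOSE,
}


def luhn_ok(value: str) -> bool:
    """Mod 10 (Luhn): from the right, double every second digit (subtract 9 if the result
    exceeds 9) and the total must be divisible by 10.  Spaces and dashes are ignored."""
    digits = [int(c) for c in value if c in "0123456789"]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _char_value(ch: str) -> int:
    """Digit as itself, A-Z as 10..35, plus the CUSIP specials * @ #; KeyError otherwise."""
    if ch in "0123456789":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    return {"*": 36, "@": 37, "#": 38}[ch]


def cusip_ok(value: str) -> bool:
    """CUSIP: 8 identifier characters plus a check digit.  Every second value is doubled,
    the digit sums are added, and the check digit must equal (10 - sum mod 10) mod 10."""
    v = value.strip().upper()
    if len(v) != 9 or v[8] not in "0123456789":
        return False
    total = 0
    for i, ch in enumerate(v[:8]):
        try:
            n = _char_value(ch)
        except KeyError:
            return False
        if i % 2 == 1:
            n *= 2
        total += n // 10 + n % 10
    return (10 - total % 10) % 10 == int(v[8])


def isin_ok(value: str) -> bool:
    """ISIN: expand letters to two digits (A=10 ... Z=35); the digit string must pass Luhn."""
    v = value.strip().upper()
    if not re.fullmatch(r"[A-Z]{2}[A-Z0-9]{9}[0-9]", v):
        return False
    return luhn_ok("".join(str(_char_value(ch)) for ch in v))


VALIDATORS: Dict[str, Callable[[str], bool]] = {"Mod 10": luhn_ok, "CUSIP": cusip_ok, "ISIN": isin_ok}


@dataclass
class RegexEntry:
    """The Table 37 fields that decide whether a Test Value produces a hit."""
    pattern: str
    flags: List[str] = field(default_factory=list)
    validation: Optional[str] = None      # "Mod 10", "CUSIP", "ISIN" or None (Custom only)

    def compiled(self):
        bits = 0
        for name in self.flags:
            bits |= FLAG_NAMES[name]
        return re.compile(self.pattern, bits)

    def test(self, value: str) -> List[str]:
        """Matches in the Test Value that also satisfy the chosen validation algorithm."""
        check = VALIDATORS.get(self.validation or "", lambda _: True)
        return [m.group(0) for m in self.compiled().finditer(value) if check(m.group(0))]


# Assumed patterns for illustration (not the appliance's built-in expressions).
US_SSN = RegexEntry(r"\b\d{3}-\d{2}-\d{4}\b")
CANADIAN_SIN = RegexEntry(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b", validation="Mod 10")
CARD_NUMBER = RegexEntry(r"\b \d{4} (?:[ -]?\d{4}){3} \b   # 16 digits in groups of four",
                         flags=["VERBOSE"], validation="Mod 10")
CUSIP = RegexEntry(r"\b[0-9A-Z]{8}\d\b", validation="CUSIP")
ISIN = RegexEntry(r"\b[A-Z]{2}[0-9A-Z]{9}\d\b", validation="ISIN")

if __name__ == "__main__":
    print(US_SSN.test("SSN 123-45-6789 on file"))
    print(CANADIAN_SIN.test("SINs: 046 454 286, 046 454 287"))
    print(CARD_NUMBER.test("cards 4539 1488 0343 6467 and 4539 1488 0343 6468"))
    print(CUSIP.test("CUSIP 037833100 / 037833101"))
    print(ISIN.test("US0378331005 US0378331006"))
```

The second value in each test string differs from the first only in its last digit and is dropped by the validator, which is the point of pairing a pattern with a check-digit algorithm: the regular expression alone would flag both.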

Using the pre-defined regular expressions


Two pre-defined regular expressions specifically identify US Social Security Numbers and Canadian Social
Insurance Numbers.
You can use the pre-defined regular expressions in two ways:
• Add them to an existing compliance dictionary

• Create a new compliance dictionary that contains the pre-defined regular expressions.


Managing content rules


You can use the configured dictionaries to establish content rules. These rules define the thresholds and
actions for any of the dictionaries.
To view your configured rules, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.

3 View your rules (see Table 38). You can also delete rules from this window.

4 Click Submit when you are finished.

Figure 40 Content Analysis - Manage Rules window

Table 38 Content Analysis - Manage Rules fields


Field Description
ID The unique ID number for each rule appears in this column.
The ID number is also a hyperlink that allows you to edit the rule.
Dictionary This column shows all dictionaries for which rules are configured.
Threshold This column shows the assigned threshold for each dictionary. When a
dictionary search returns a score equal to or greater than this number,
the rule triggers the configured action.
Per Attachment If the rule applies to only a single attachment (message part) that
breaches the threshold, this column contains a check mark.
Action This column shows the action to be taken for each rule.
Action Value If a configured action requires an associated value, that value appears in
this column. Examples include the number of days a message is kept in
quarantine, or the IP address to which messages are forwarded.
Notify A Yes or No in this column indicates if notifications are sent when the rule
is triggered.
Archive If messages that trigger this rule are archived, the column contains a Yes.
If archiving is not enabled, No will appear.
Delete To delete a rule, select the Delete checkbox and then click Submit. No
other editing of existing rules is possible from this window.
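How the entry-level settings of Table 31 (Search Type, Weight, Scan Area, Include, Contribution Type) combine with the rule-level Threshold and Per Attachment settings of Table 38, as an added Python model that is not the guide's or the appliance's code. Hits are pooled per entry across the message parts that entry is allowed to scan, Count Once or Maximum Contribution (zero meaning no cap) is applied once per entry, and the rule fires when the total is equal to or greater than the threshold; with Per Attachment set, each attachment is scored on its own. Assumptions: matching is case-insensitive (the guide does not say), Word Boundary is taken literally as white space on both sides, and the sample dictionary and message are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AREAS = ("header", "body", "attachment")          # the three Scan Area checkboxes


@dataclass
class Entry:
    """One dictionary entry as described in Table 31."""
    text: str
    weight: int
    word_boundary: bool = True                    # Search Type: Word Boundary (True) or Substring
    count_once: bool = False                      # Contribution Type: Count Once ...
    max_contribution: int = 0                     # ... or Maximum Contribution; 0 = no cap
    scan_areas: frozenset = frozenset(AREAS)      # Scan Area checkboxes
    include: bool = True                          # Include checkbox

    def hits(self, text: str) -> int:
        """Occurrences in one message part.  Word Boundary is read literally as the guide
        states it (white space, or start/end of the part, on both sides), so 'confidential.'
        does not count.  Case-insensitive matching is an assumption."""
        literal = re.escape(self.text)
        pattern = rf"(?<!\S){literal}(?!\S)" if self.word_boundary else literal
        return len(re.findall(pattern, text, re.IGNORECASE))

    def contribution(self, hits: int) -> int:
        """Apply the Contribution Type to the pooled hit count."""
        if hits == 0:
            return 0
        if self.count_once:
            return self.weight
        total = hits * self.weight
        return min(total, self.max_contribution) if self.max_contribution else total


@dataclass
class Message:
    header: str
    body: str
    attachments: List[str] = field(default_factory=list)

    def parts(self) -> List[Tuple[str, str]]:
        """(scan area, text) pairs for the whole message."""
        return [("header", self.header), ("body", self.body)] + [("attachment", a) for a in self.attachments]


def dictionary_score(entries: List[Entry], parts: List[Tuple[str, str]]) -> int:
    """Pool hits per entry over the parts it may scan, then apply its Contribution Type once."""
    total = 0
    for entry in entries:
        if not entry.include:
            continue
        hits = sum(entry.hits(text) for area, text in parts if area in entry.scan_areas)
        total += entry.contribution(hits)
    return total


@dataclass
class Rule:
    """A content rule from Table 38: threshold, action, and the Per Attachment switch."""
    threshold: int
    action: str
    per_attachment: bool = False

    def evaluate(self, entries: List[Entry], message: Message) -> Optional[str]:
        """The action if a score is equal to or greater than the threshold, else None."""
        if self.per_attachment:
            scores = [dictionary_score(entries, [("attachment", a)]) for a in message.attachments]
        else:
            scores = [dictionary_score(entries, message.parts())]
        return self.action if any(s >= self.threshold for s in scores) else None


# Constructed sample dictionary and message (not taken from the guide).
SAMPLE_ENTRIES = [
    Entry("confidential", weight=5, count_once=True),
    Entry("earnings forecast", weight=10, max_contribution=20),
    Entry("Q3", weight=2, word_boundary=False),                      # substring, uncapped
    Entry("internal", weight=3, include=False),                      # present but excluded
    Entry("draft", weight=4, scan_areas=frozenset({"attachment"})),  # attachments only
]

SAMPLE_MESSAGE = Message(
    header="Subject: Confidential Q3 numbers",
    body=("This draft is confidential information. Earnings forecast for Q3 attached; "
          "the earnings forecast is preliminary. Earnings forecast final numbers follow."),
    attachments=["draft Q3 earnings forecast revenue up", "lunch menu"],
)

if __name__ == "__main__":
    print("message score:", dictionary_score(SAMPLE_ENTRIES, SAMPLE_MESSAGE.parts()))
    print("whole-message rule:", Rule(30, "Quarantine").evaluate(SAMPLE_ENTRIES, SAMPLE_MESSAGE))
    print("per-attachment rule:", Rule(30, "Quarantine", per_attachment=True).evaluate(SAMPLE_ENTRIES, SAMPLE_MESSAGE))
```

With the sample data the message scores 35 (5 for "confidential" counted once although it appears twice, 20 for "earnings forecast" after four hits are capped, 6 for three substring hits on "Q3", 4 for "draft" in the first attachment only, nothing for the excluded entry), so a threshold of 30 fires; the same rule with Per Attachment set does not, because the first attachment alone scores 16.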


Adding a new rule

To add a new rule, do the following:


1 Click the Compliance tab.

2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.

3 Click Add New at the bottom of the window. The Content Analysis - Add Rule window appears.

4 Provide the information to complete the window (see Table 39).

5 Click Submit. The Manage Dictionary Rules window updates to include the new rule.

Figure 41 Content Analysis - Add Rule window

Table 39 Content Analysis - Add Rule fields


Field Description
Dictionary From the drop-down list, select the dictionary for which you want to
configure a rule.
Threshold Type the threshold value that will trigger this rule.
Per Attachment Select the checkbox to apply the rule only to attachments to messages.
Action From the drop-down list, select the action to take when a message
triggers this rule.
Action Value If the action requires additional information, type the required value in
the data field.
Alternative Action If this option is enabled, you can select an alternative action from the
drop-down list.
Alternative Action Value If the alternative action requires additional information, type the value in
this data field.
Quarantine Type If Quarantine is the selected action for this rule, select the quarantine
type from the list.
Notification In the second portion of the windows, you can configure notifications
Email Gateway sends when the rule is triggered.

Notification Recipients Select checkboxes to send notifications to one or more recipients when
this rule is triggered. You can select:
• The Sender of the message;
• The Recipient of the message; and/or
• Additional Recipients. You can type up to three email addresses for
additional recipients.
Notification Templates For each recipient, select the template for the notification. Configure the
templates at Compliance | Compliance Advanced | Mail
Notifications.
Message Archival In the lower portion of the window, configure archiving of messages that
trigger this rule.
Archive Messages Select the checkbox to enable Email Gateway to archive the messages.
You must also select a target (location where the archive will be located).
If no archives exist, configure one at Reporting | Message Archive |
Add New.

Editing dictionary rules


To edit an existing rule:
1 Click the Compliance tab.

2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.

3 Click the ID for the rule. The Content Analysis - Edit Rule window appears.

4 Provide the information to complete the window (see Table 40).

5 Click Submit. The Manage Dictionary Rules window updates.

Table 40 Content Analysis - Edit Dictionary fields


Field Description
ID The unique ID number for the rule appears in this field. The field is not
editable.
Dictionary From the drop-down list, select the name(s) of one or more dictionaries
you want to use in applying this rule.
Threshold Type a number to represent the threshold value that triggers this rule.
Per Attachment Select the checkbox to apply the rule only to message attachments.
Action From the drop-down list, select the action to take when a message
triggers this rule.
Action Value If the action requires additional information, type the required value.
Alternative Action If this option is enabled, you can select an alternative action to be taken
if the configured action fails.
Alternative Action Value If the alternative action requires additional information, type the value in
this data field.
Quarantine Type If Quarantine is the selected action, select the quarantine type from the
drop-down list.
Notification In the second portion of the windows, you can configure notifications
Email Gateway sends when the rule is triggered.
Notification Recipients Select checkboxes to send notifications to one or more recipients when
this rule is triggered. You can select:
• The Sender of the message;
• The Recipient of the message; and/or
• Additional Recipients. You can type up to three email addresses for
additional recipients.

Notification Templates For each recipient, select the template for the notification. Configure the
templates at Compliance | Compliance Advanced | Mail
Notifications.
Message Archival In the lower portion of the window, configure archiving of messages that
trigger this rule.
Archive Messages Select the checkbox to enable Email Gateway to archive the messages.
You must also select a target (location where the archive will be located).
If no archives exist, configure one at Reporting | Message Archive |
Add New.

Applying content rules


Once Content Analysis rules have been configured, you can apply them to email traffic.
To view existing applications of rules (policies):
1 Click the Compliance tab.

2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.

3 View your rules (see Table 41). You can also delete rules from this window.

4 Click Submit when you are finished.

Figure 42 Content Analysis - Apply Rules window

Table 41 Content Analysis - Apply Rules fields


Field Description
Enable Content Analysis Use the checkbox to enable or disable Content Analysis.
Ensure that the Content Analysis Queue is set to Auto-Start, is running,
and has an assigned queue position.
See Configuring queues and Changing the queue order in Chapter 4,
Advanced Queue Manager Topics.
Edit File Extension List Click this hyperlink to display all text file types Email Gateway scans. You
can enable or disable specific file types as required. Email Gateway
examines all message parts with the enabled extensions for dictionary
words.

Applicable Rules The lower portion of the window displays the configured rules. Enable one
or more of them to create a working policy.
Apply ID This column lists the unique ID number for each rule.
Apply To The column shows the user or group to whom the rule applies.
Exclude A check mark appears in this column if the rule is intended to exclude the
user or group.
Message Direction This column indicates the direction of the scanned messages: inbound,
outbound, or both.
Delete Click the Delete box for any rule and click Submit to remove it.

Adding a new policy


To add a new Content Analysis policy:
1 Click the Compliance tab.

2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.

3 Click Add New. The Content Analysis - Add Apply Rule window appears.

4 Provide the information to complete the window (see Table 42).

5 Click Submit. The Apply Rules window updates to add the new policy.

Figure 43 Content Analysis - Add Apply Rule window


Table 42 Content Analysis - Add Apply Rule fields


Field Description
Apply to All Virtual Hosts This checkbox appears only if the administrator adding the policy is an
appliance-level administrator logged onto the Default Virtual Host.
Selecting the checkbox applies the policy to all Virtual Hosts on the
appliance.
The option does not appear for Virtual Host administrators or
appliance-level administrators logged onto a Virtual Host.
Apply To Select the entity to which the policy will apply. Selections might require
additional data, below. Options are:
• Global – Apply the policy to all users.
• Domain Group – Apply the policy to a pre-defined group of domains;
select the group from the drop-down list.
• Domain – Apply the policy to a named domain.
• User Group – Apply the policy to a pre-defined user group. Select the
group from the drop-down list.
• Email Address – Apply the policy to a specific user.
Data This field is enabled only when you click Domain or Email Address. Type
the domain name or email address, as required.
Exclude Select this checkbox to apply the policy to everyone except the defined
entity.
Direction Click the proper radio button to select the mail flow direction for the
policy. Options are:
• Inbound
• Outbound
• Both
Existing rules The lower portion of the window shows all configured rules. You must
select one or more rules that will apply to create a policy.
ID The unique ID numbers for all rules appear in this column.
The ID number is also a hyperlink that allows you to edit the rule.
Dictionary This column shows the names of dictionaries for which rules are
configured.
Threshold When a dictionary search returns a score equal to or greater than the
threshold, it triggers the configured action.
Per Attachment If the rule applies only to a single attachment (message part) that
breaches the threshold, a check mark appears in this column.
Action This column shows the action to be taken for each rule.
Action Value This column shows required value for configured actions, such as the
number of days a message is kept in quarantine, or the IP address for
forwarded messages.
Notify This column contains a Yes or No to indicate if notifications are sent when
a message triggers the rule.
Archive This column contains a Yes if message archiving is enabled. If archiving
is not enabled, No will appear.
Enable Click the Enable checkbox and then click Submit to apply the rule.

Editing an existing application


To edit an existing policy, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.

3 Click the ID hyperlink for that policy. The Content Analysis - Edit Rule window appears.

4 Provide the information to complete the window (see Table 42).

5 Click Submit. The Content Analysis - Apply Rules window updates.


Dictionary report configuration


You can configure regular reports that reflect the actions taken by specific dictionaries. Four such reports
are generated by default:
• Policy Compliance Report – AV Keyword Blocking

• Policy Compliance Report – SOX Financial

• Policy Compliance Report – GLBA

• Policy Compliance Report – HIPAA

These reports are generated every night as part of the Daily Reports. They provide statistics about the
actions triggered by messages scanned by the dictionaries, and other statistics such as the top 10
senders and top 10 recipients of offending messages.
To see the list of configured Dictionary Reports, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.

3 View your reports (see Table 43). You can also delete reports (other than the default reports) from this
window.

4 When you finish, click Submit.

Figure 44 Content Analysis - Configure Reports window

Table 43 Content Analysis - Configure Reports fields


Field Description
Reports This column lists the names of all currently configured reports.
Delete You can select the Delete checkbox and click Submit to delete
user-created reports.
Adding New Reports Use the data fields at the bottom of the window to create a new dictionary
report.
Report Name Type a name for the new report.
Report Description You can type descriptive text for the report.


Adding a report
To add a new report, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.

3 Complete the two data fields at the bottom of the window (see Table 43).

4 Click Submit. A window listing available dictionaries appears.

5 Click one or more dictionaries to include their results in the report (see Table 44).

6 Click Submit. The Configure Reports window updates to add the new report.

Figure 45 Content Analysis - Configure Reports (Add New) window

Table 44 Content Analysis - Configure Reports (Add New) fields

Report Name – The name of the new report displays at the top of the window.
Dictionary – This column lists all available dictionaries.
Enable – Select the Enable checkbox to include the associated dictionary in the report.

Editing a report configuration


To edit an existing report, do the following:
1 Click the Compliance tab.

2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.

3 Click the name of the report you want to edit. A window listing all included dictionaries appears.

4 Enable or disable any dictionaries (see Table 45).

5 Click Submit to save the modified configuration.


Figure 46 Content Analysis - Configure Reports window

Table 45 Content Analysis - Configure Reports fields

Report Name – The name of the report you are editing appears at the top of the window.
Dictionary – This column lists all available dictionaries.
Enable – Select or deselect the Enable checkbox to include or exclude the associated dictionary in the report.



8 Advanced Compliance

Contents
About Advanced Compliance
Managing Advanced Content Analysis rules
Applying Advanced Content Analysis rules
Categories
The Compliance Trainer

About Advanced Compliance


Email Gateway Advanced Compliance DLP (Data Loss Prevention) functionality provides the ability to
perform advanced content detection of intellectual or confidential information. The Advanced Compliance
module consists of both Content Analysis and Advanced Content Analysis.
Note: The Advanced Compliance DLP functionality is strongly recommended for outbound content detection only.

Content Analysis detects compliance violations or personal identifiers by matching exact dictionary items
(such as keywords or regular expression patterns) within email. For more information, see Chapter 7,
Content Analysis.
Advanced Content Analysis detects sensitive content within email by training on confidential documents
such as legal agreements, financial documents, or research information. Advanced Content Analysis
includes both exact and fuzzy matching technologies to ensure intellectual property is not lost.
• Exact document matching – The detection of 'exact' or 'identical' content from a document, such as a
phrase, sentence, paragraph or page.

• Fuzzy document matching – The detection of like or similar content from a document based on words,
phrases or word patterns.

Advanced Content Analysis introduces the concept of Categories of information. By thoughtfully creating
these categories and training them to recognize specific content patterns, you enable Email Gateway to
detect and act upon messages that pose risks to confidential information.

Advanced Compliance engines


Advanced Compliance consists of four engines:
• Content Analysis – Content Analysis provides for the exact matching of keywords or personal identifiers
within an email. Keywords and personal identifiers are contained within pre-defined or customer-created
Dictionaries. Although Content Analysis has traditionally been part of the Email Gateway offering, the
Advanced Compliance functionality adds the ability to use Boolean combinations of Dictionaries (for
example, Dictionary1 AND Dictionary2).

• Fingerprinting – Fingerprinting identifies exact matches of small pieces of the documents you train
(sentences, paragraphs, pages) to the contents of an email message, based on the same technology used
within TrustedSource to identify spam message reputation.

Example: An email sent with the following conditions will be detected by Fingerprinting:

• An attachment that is the exact document that was trained; or

• An attachment that is an edited version of a trained document; or

• An attachment or body of message that contains excerpts of a trained document.


This is true even if the content of the email or attachment is in a different format than the original
documents (for example, the original trained document was a Word document and the attachment is a
PowerPoint document).

• Adaptive Lexical Analysis – This technology utilizes fuzzy matching algorithms to detect similarities
between the contents of an email (both email body and attachments) and the trained document. Adaptive
Lexical Analysis requires training of both sensitive and non-sensitive documents. Adaptive Lexical Analysis
uses advanced statistical analysis (extracting lexical tokens from words, phrases, and word patterns) to
determine if an email contains either confidential or non-confidential content.

Example: If the trained document has the following sentence, “The quick brown fox ran through the
green garden,” Lexical Analysis would identify an email containing the sentence “The brown fox
hopped through the green garden” as a fuzzy match.

• Clustering – This technology is best utilized if you have a narrow category or type of content you wish to
detect, such as sensitive HIPAA documents. Clustering utilizes fuzzy matching to find likeness of a whole
document to the trained corpus of documents that are part of a category. It uses a large scale analysis
of word frequencies. This engine is effective at detecting content even if it is substantially reordered,
scrambled, or appears in entirely different documents than those trained. However, Clustering requires
very diligent training of documents to create a proper corpus for detection to prevent risk of false
positives. Clustering is recommended only in situations where narrow categories of documents can be
defined and stringent consideration is put into selecting documents to train upon.
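The distinction the engine list draws between Fingerprinting (exact pieces) and Adaptive Lexical Analysis (fuzzy similarity), shown on the page's fox sentence as an added illustration rather than McAfee's engine code: per-sentence hashes stand in for fingerprints, token-set overlap stands in for lexical similarity, and the sensitivity-to-threshold mapping, training text and messages are constructed assumptions.

```python
import hashlib
import re

# Assumed mapping of the UI sensitivity levels to the minimum similarity a
# sentence must reach to count as a fuzzy match (higher sensitivity = less
# data must match); the product's internal thresholds are not documented here.
LEXICAL_THRESHOLD = {"Low": 0.80, "Medium": 0.60, "High": 0.40}


def sentences(text):
    """Split extracted text into normalized sentences (lower-case, single spaces).
    Both engines work on extracted text, so the source file format does not matter."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [re.sub(r"\s+", " ", p).strip().lower() for p in parts if p.strip()]


def tokens(sentence):
    """Lexical tokens of one sentence (words only, punctuation dropped)."""
    return set(re.findall(r"[a-z0-9']+", sentence))


def fingerprints(text):
    """One SHA-256 digest per sentence: the small pieces an exact-match engine
    stores instead of the document itself."""
    return {hashlib.sha256(s.encode()).hexdigest() for s in sentences(text)}


def fingerprint_hits(trained_prints, message_text):
    """Number of message sentences that exactly reproduce a trained sentence
    (an excerpt, an edited copy or the whole document all produce hits)."""
    return sum(1 for s in sentences(message_text)
               if hashlib.sha256(s.encode()).hexdigest() in trained_prints)


def best_lexical_score(trained_text, message_text):
    """Highest Jaccard overlap of token sets between any message sentence and any
    trained sentence: a stand-in for the fuzzy matching the page describes."""
    trained = [tokens(s) for s in sentences(trained_text)]
    best = 0.0
    for s in sentences(message_text):
        t = tokens(s)
        for tr in trained:
            if t and tr:
                best = max(best, len(t & tr) / len(t | tr))
    return best


def classify(trained_text, message_text, sensitivity="Medium"):
    """Return (fingerprint_hits, lexical_score, confidential) for one message.
    An exact hit is always confidential; otherwise the fuzzy score must reach
    the threshold chosen for the sensitivity level."""
    hits = fingerprint_hits(fingerprints(trained_text), message_text)
    score = round(best_lexical_score(trained_text, message_text), 3)
    confidential = hits > 0 or score >= LEXICAL_THRESHOLD[sensitivity]
    return hits, score, confidential


# Constructed training document and messages (not real data).
TRAINED = ("The quick brown fox ran through the green garden. "
           "Project Aurora ships in Q3. Unit cost is confidential.")
MSG_EXCERPT = "Please review. Unit cost is confidential. Thanks."   # excerpt in body
MSG_FUZZY = "The brown fox hopped through the green garden."         # page's fuzzy case
MSG_BENIGN = "Lunch is at noon today."

if __name__ == "__main__":
    for msg in (MSG_EXCERPT, MSG_FUZZY, MSG_BENIGN):
        for level in ("Low", "Medium", "High"):
            print(level, classify(TRAINED, msg, level), msg)
```

The fuzzy sentence scores 0.667, so it is flagged at Medium but passes at Low, while the verbatim excerpt is caught by the fingerprint at any level.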

Key concepts
Advanced Content Analysis uses sophisticated techniques to analyze email messages for the presence of
confidential content. The following concepts, as defined for Advanced Content Analysis, are important:
• A category defines a type of content that is to be monitored by Advanced Content Analysis. Categories
can be defined for any type of content, but might operate more effectively if all content is related to a
common compliance issue, such as medical or financial information, or product design specifications.
Categories can be associated with dictionaries or documents.

• The default category is always present in Advanced Content Analysis, and it cannot be deleted. The
primary role for this category is to maintain rules that will trigger adaptive lexical analysis. The Adaptive
Lexical Analysis engine does not understand categories; it only understands whether content is
confidential or not confidential. The Adaptive Lexical Analysis engine will only trigger rules defined against
the default category.

• Confidential – In the product UI, synonymous with Non-Compliant, denotes data that does contain
content/data that should be protected from inappropriate exposure. Confidential data is data that will
trigger policy.

• Non-Confidential – In the product UI, synonymous with Compliant, denotes data that does not
contain content/data that needs to be protected from inappropriate exposure. Non-Confidential data
is data that will not trigger policy.

• Category Training provides the method to increase the effectiveness of categories by submitting both
confidential and non-confidential documents to serve as examples. You must identify the category you
wish to train, then submit the documents. A confidential document contains material you want Email
Gateway to act upon via rules defined against that category. A non-confidential document contains
material that might be germane to the category, but does not contain confidential information. This will
help the Compliance engines to better discern between confidential and non-confidential material within
the category.

When building a training corpus, try to select documents that represent the category, avoiding
material that might bridge categories or that contains extraneous or irrelevant information. Try to
maintain a 50-50% ratio between confidential and non-confidential information in all categories.
McAfee limits the total corpus size to 30 MB of extracted text (an average novel is roughly 500 KB of
extracted text) due to the extreme computational requirements of this technology.


Note: The size of an average novel is approximate; it was derived by checking the extracted text of a few
novels from Project Gutenberg. For example:

• Alice’s Adventures in Wonderland – 163 KB

• The Scarlet Letter – 505 KB

• Dracula – 854 KB

• Beasts of Tarzan – 371 KB

• Sensitivity is a setting for each of the three advanced detection engines (Fingerprinting, Adaptive Lexical
Analysis, and Clustering) which varies how much data must be matched for the engine to return a decision
of confidential (non-compliant) vs. non-confidential (compliant). To set sensitivity, navigate to
Compliance | Content Analysis Advanced | Configure Categories.

Managing Advanced Content Analysis rules


The Manage Rules window shows information about the existing Advanced Content Analysis rules. From
this window you can delete rules, or open additional screens to add new rules or edit existing ones.
To view existing rules, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.

3 View your rules, and make any allowed changes to complete the screen (see Table 46).

4 Click Submit to accept your changes.

Figure 47 Content Analysis Advanced - Manage Rules window

Table 46 Content Analysis Advanced - Manage Rules fields

ID – This column displays the unique ID generated for each rule. The ID number is also a hyperlink that opens a detail window, where you can edit the rule.
Category – This column lists the category assigned to each rule. Categories determine the types of content that will trigger the rules.
Action – The action taken by Email Gateway for messages with content that represents a confidential violation shows in this column.
Action Value – If the selected action requires any additional data in order to complete the configuration, that data displays in this column.
Notify – A Yes in this column indicates that the rule has been configured to generate notifications when it is triggered. If it is not so configured, the column shows a No.
Archive – The value in this column indicates whether or not messages that trigger this rule are archived.
Delete – Select this checkbox to delete any rule when you subsequently click Submit. Click the Delete heading to select all rules for deletion.

Adding a new rule


To add a new Advanced Content Analysis rule, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.

3 Click Add New at the bottom of the window. The Add Rule window appears.

4 Provide the information to complete the window (see Table 47).

5 Click Submit. The Manage Rules window updates.

Figure 48 Content Analysis Advanced - Add Rule window

Table 47 Content Analysis Advanced - Add Rule fields

Category – Select the category for the rule from the drop-down list. You can create new categories at Compliance | Content Analysis Advanced | Categories | Add New.
Action – Select the action Email Gateway takes when this rule is triggered.
Action Value – If the specified action requires additional data, type that information (for example, the number of days messages should remain in quarantine, or the email address to which copies should be sent).
Quarantine Type – If you selected Quarantine as the action, specify a Quarantine Type from the drop-down list.
Notifications – You can configure notifications to be generated by this rule, if desired. Click the arrow on the Notification bar to collapse or expand this panel.
Notification Recipients – Select the individuals who will receive the notices for this rule. You can select one or more of the following:
• The Sender of the message
• The intended Recipient of the message
• Up to three Additional Recipients (such as security personnel, administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification Templates – For each recipient, select the template for the notification. You can configure notification templates at Compliance | Compliance Advanced | Mail Notification.
Message Archival – Use the fields at the bottom of the window to configure message archiving. Click the arrow on the Message Archival bar to collapse or expand this panel.
Archive Messages triggered by this rule – Select the checkbox to archive messages that trigger this rule. You must select a target in order to archive messages.
Select Target – From the drop-down list, select the target location where these messages are stored. If no archive target is available, you can configure targets at Reporting | Message Archive | Add New.

Editing an existing rule


To edit an existing Advanced Content Analysis rule, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.

3 Click the rule ID number on the Manage Rules window. The Edit Rule window appears.

4 Provide the information to complete the window (see Table 48).

5 Click Submit to save your new configuration.

Table 48 Content Analysis Advanced - Edit Rule fields

Category – This field displays the name of the Category you are editing. The field is not editable.
Action – Select the action Email Gateway takes when this rule is triggered.
Action Value – If the specified action requires additional data, type that information (for example, the number of days messages should remain in quarantine, or the email address to which copies should be sent).
Quarantine Type – If Quarantine is the action you selected, you must also specify a Quarantine Type from the list.
Notifications – You can configure notifications to be generated by this rule, if desired.
Notification Recipients – Select the individuals who receive the notices for this rule. You can select one or more of the following:
• The Sender of the message
• The intended Recipient of the message
• Up to three Additional Recipients (such as security personnel, administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification Templates – For each recipient, select the template for that notification. You can configure notification templates at Compliance | Compliance Advanced | Mail Notification.
Message Archival – Use the fields at the bottom of the window to configure message archiving.
Archive Messages triggered by this rule – Select the checkbox to archive messages that trigger this rule. You must select a target in order to archive messages.
Select Target – Select the target location where these messages are stored. If the desired archive target is not available, configure targets at Reporting | Message Archive | Add New.

Applying Advanced Content Analysis rules


When you have configured the Advanced Content Analysis rules, they are available to be applied. The Apply
Rules window displays all existing Advanced Content Analysis policies. From this window you can delete
policies or open additional screens to add new policies and edit existing ones.
To view your configured policies, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.

3 View your policies, and make any allowed changes (see Table 49).

4 When you are finished, click Submit. The Apply Rules window updates.

Figure 49 Content Analysis Advanced - Apply Rules window

Table 49 Content Analysis Advanced - Apply Rules fields

Enable Content Analysis Advanced – Select the checkbox to enable Advanced Content Analysis on this Email Gateway.
Apply ID – This column contains the unique ID number that identifies each configured policy. The ID is a hyperlink that allows you to edit the policy.
Apply To – This column displays the entity to which the policy applies. Options are:
• Global
• Domain
• Domain Group
• User Group
• Email Address
These selections apply whether the policy is configured at the appliance level or for specified Virtual Hosts.
Exclude – If this policy applies to everyone except the defined entity, that fact is indicated by True in this column. Otherwise, the value is False.
Message Direction – This column indicates if the policy applies to inbound messages, outbound messages, or both.
Delete – Select the Delete checkbox to delete the policy when you click Submit.

Adding a new policy


To add a new application of rules, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.

3 Click Add New at the bottom of the Apply Rules window. The Add Apply Rule window appears.

4 Provide the information to complete the window (see Table 50).

5 Click Submit to add your new rule to the Apply Rules window.

Figure 50 Content Analysis Advanced - Add Apply Rule window

Table 50 Content Analysis Advanced - Add Apply Rule fields

Apply to all Virtual Hosts – If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To – Select the entity to which the policy will apply. Some selections require additional data. Options are:
• Global - the policy applies to all users.
• Domain Group - the policy applies to a pre-defined group of domains. Select the group from the drop-down list.
• Domain - the policy applies to a named domain.
• User Group - the policy applies to a pre-defined user group. Select the group from the drop-down list.
• Email Address - the policy applies to a specific user, identified by the email address.
Data – If you selected Domain or Email Address, type the domain name or email address in the data field.
Exclude – If you want the policy to apply to everyone except the defined entity, select the checkbox.
Direction – Click the mail flow direction for the policy. Options are:
• Inbound
• Outbound
• Both
Configured Rules – To create a policy, select one or more rules from the list in the lower panel.
ID – This column contains the rule ID. The rule ID is a hyperlink that will take you to the Edit Rules window.
Category – This column lists the Category for each rule.
Action – This column shows the configured action for each rule.
Action Value – Any associated action value appears beside the selected action.
Notify – This column indicates whether or not Email Gateway sends notifications when messages trigger the rule.
Archive – This column shows whether messages that trigger the rule are archived.
Enable – Select the Enable checkbox to enable the rule for this policy. You must enable at least one rule.

Note: You can configure Virtual Hosts at Intrusion Defender | Virtual Hosts. More detailed information is
available in Chapter 25, Virtual Hosts.

Editing an existing policy


To edit an existing Advanced Content Analysis policy, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.

3 Click the ID hyperlink on the Apply Rules page. The Edit Apply Rule window appears.

4 Provide the information to complete the window (see Table 51).

5 Click Submit to save your new configuration.

Table 51 Content Analysis Advanced - Edit Apply Rule fields

Apply to all Virtual Hosts – If the administrator editing the policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To – Select the entity to which the policy will apply. Selections might require additional data. Options are:
• Global - the policy applies to all users.
• Domain Group - the policy applies to a pre-defined group of domains. Select the group from the drop-down list.
• Domain - the policy applies to a named domain.
• User Group - the policy applies to a pre-defined user group. Select the group from the enabled list.
• Email Address - the policy applies to a specific user, identified by the email address.
Data – If you selected either Domain or Email Address as the application, type the domain name or email address in the data field.
Exclude – If you want the policy to apply to everyone except the defined entity, select the checkbox.
Direction – Click the radio button to select the mail flow direction for the policy. Options are:
• Inbound
• Outbound
• Both
Configured Rules – Select one or more rules that will apply. The lower panel of the window shows all existing rules.
ID – This column contains the rule ID. The rule ID is a hyperlink that will take you to the Edit Rules window.
Category – This column lists the Category to which each rule belongs.
Action – The selected action for each rule displays in this column.
Action Value – Any associated action value appears beside the selected action.
Notify – This column indicates whether or not notifications are sent when messages trigger the rule.
Archive – This column indicates if messages that trigger the rule are archived.
Enable – Select the Enable checkbox to enable the rule for this policy. You must enable at least one rule.


Categories
Advanced Content Analysis employs categories in defining and applying rules. The Manage Categories
window lists the categories and allows access to edit the existing categories and define new ones.
To view existing categories, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.

3 View the categories, and make any allowed changes (see Table 52).

4 When you have finished, click Submit. The Manage Categories window updates.

Figure 51 Content Analysis Advanced - Manage Categories window

Table 52 Content Analysis Advanced - Manage Categories fields

ID – This column displays the unique ID for each configured category. The ID is a hyperlink that allows you to edit the category.
Category – The name of each category shows in this column.
Documents Trained as Not Confidential – This column indicates the number of relevant documents, and their size in MB, that do not violate rules. Documents in this group train the category about information that can be allowed to pass.
Documents Trained as Confidential – This column indicates the number of relevant documents, and their size in MB, that violate compliance rules. Documents in this group are used to train the category about information that should trigger action.
Delete – Select the Delete checkbox and then click Submit to delete a category. The Default Category cannot be deleted.


The window also contains a hyperlink that allows you to export Categories to the training tool. The training
tool is a 32-bit Windows program that allows you to train categories. Detailed information is provided at
The Compliance Trainer.

Exporting categories
When you click Export, a message appears on your window. The Categories file will be exported as a text
document. You can click Open to see the contents of the file, or click Save and then navigate to the
location where you want to store the file. The Categories are then available to import into the training tool.

Adding a category
To add a new Category, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.

3 Click Add New at the bottom of the window. The Add Category window appears.

4 Provide the information to complete the window (see Table 53).

5 Click Submit to save your new category.

Figure 52 Content Analysis Advanced - Add Category window

Table 53 Content Analysis Advanced - Add Category fields

Category Name – Type a unique name for the new category. You might find it helpful to use a name that associates with the types of information the category should detect.
Configuring Dictionaries – You can configure the new category to use existing dictionaries to detect confidential content in email messages. You can also configure Categories without using dictionaries. You can move dictionaries into or out of one of the selection lists using the left and right arrows. You can move them from one selection list to the other with the up and down arrows.
Dictionaries – The list on the left contains the names of all configured dictionaries. Select one or more to move into one of the Match lists. The global dictionary threshold requires the score for each dictionary to exceed the threshold to trigger a rule. CCQ does not maintain an aggregate score.
Match ALL of dictionaries below – Messages that trigger action for this category must contain matches for all dictionaries in this list.
Match AT LEAST one of dictionaries below – Messages that trigger action for the category must contain matches for at least one of the listed dictionaries.

Editing a category
To edit an existing category, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.

3 Click the category ID. The Edit Category window appears.

4 Provide the information to complete the window (see Table 54).

• Highlight a dictionary.

• Move it to the appropriate box.

5 Click Submit to save the revised configuration.

Table 54 Content Analysis Advanced - Edit Category fields

Category Name – The name of the category appears at the top of the window. The name is not editable.
Configuring Dictionaries – You can configure the category to use existing dictionaries to detect confidential content in email messages. You can also configure Categories without using dictionaries. You can move dictionaries into or out of one of the selection lists using the left and right arrows. You can move them from one selection list to the other with the up and down arrows.
Dictionaries – The list on the left contains the names of all configured dictionaries. Select one or more to move into one of the Match lists. The global dictionary threshold requires the score for each dictionary to exceed the threshold to trigger a rule. CCQ does not maintain an aggregate score.
Match ALL of dictionaries below – Messages that trigger action for this category must contain matches for all dictionaries in this list.
Match AT LEAST one of dictionaries below – Messages that trigger action for the category must contain matches for at least one of the listed dictionaries.
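An added example (not the product's code) of how the Match ALL and Match AT LEAST one lists described for the Add Category and Edit Category windows combine with the global dictionary threshold (0 to 100 points) set under Configure Categories; the dictionaries, their point values and the messages are constructed, and scoring each dictionary entry as a regular expression worth fixed points is an assumption.

```python
import re

# Constructed sample dictionaries (assumption: an entry is a case-insensitive
# regular expression worth a fixed number of points; the product's own
# dictionaries and scoring are defined in Chapter 7, Content Analysis).
DICTIONARIES = {
    "HIPAA": {r"\bdiagnosis\b": 40, r"\bpatient\b": 30, r"\bmedical record\b": 50},
    "SSN": {r"\b\d{3}-\d{2}-\d{4}\b": 100},
    "Financial": {r"\baccount number\b": 40, r"\brouting\b": 30,
                  r"\bwire transfer\b": 50},
}

# Constructed category in the shape of the Add Category window: one
# "Match ALL" list and one "Match AT LEAST one" list of dictionary names.
PHI_EXPORT = {"match_all": ["HIPAA"], "match_any": ["SSN", "Financial"]}


def dictionary_score(dictionary, text):
    """Points for one dictionary: each entry that occurs in the text counts once."""
    lowered = text.lower()
    return sum(points for pattern, points in dictionary.items()
               if re.search(pattern, lowered))


def category_triggers(category, text, threshold):
    """Apply the global dictionary threshold per dictionary, as the page describes:
    every dictionary in match_all and at least one dictionary in match_any must
    individually meet or exceed the threshold. Scores are never added together
    across dictionaries (no aggregate score).
    Returns (triggered, {dictionary: score})."""
    names = category["match_all"] + category["match_any"]
    if not names:
        # A category with no dictionaries relies on the trained engines only.
        return False, {}
    scores = {n: dictionary_score(DICTIONARIES[n], text) for n in names}
    all_ok = all(scores[n] >= threshold for n in category["match_all"])
    any_ok = (not category["match_any"]
              or any(scores[n] >= threshold for n in category["match_any"]))
    return all_ok and any_ok, scores


# Constructed messages (not real data).
MSG_PHI_WITH_SSN = "Patient diagnosis attached; SSN 123-45-6789 is in the medical record."
MSG_PARTIAL = "Patient diagnosis attached. Please send the wire transfer today."
MSG_BENIGN = "The patient newsletter goes out on Friday."

if __name__ == "__main__":
    for msg in (MSG_PHI_WITH_SSN, MSG_PARTIAL, MSG_BENIGN):
        hit, scores = category_triggers(PHI_EXPORT, msg, threshold=60)
        print("TRIGGER" if hit else "pass   ", scores, msg)
```

MSG_PARTIAL scores 70 on HIPAA and 50 on Financial; with the threshold at 60 it passes even though the two scores sum to 120, which is the practical meaning of "no aggregate score".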

Training categories
Categories can be trained to increase their effectiveness. This can be done on the Email Gateway itself, or
using the Compliance Trainer.
To train categories on the Email Gateway, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Train Categories. The Content Analysis Advanced - Train
Category window appears.


3 Provide the information to complete the window (see Table 55).

4 Click Submit to train the category.

Figure 53 Content Compliance Advanced - Train Category window

Table 55 Content Compliance Advanced - Train Category fields

Enable Category Training – Select the checkbox to enable Category Training on this Email Gateway. When you enable training on the Email Gateway itself, you also enable training with the Compliance Trainer. You must enable training and type the email address in the field below in order to permit training by either method.
Email Address – Type the email address where documents are sent to be used for training.
Category – Select the Category that is to be trained from the drop-down list.
Clear Trained Data – Click this button to clear all training data for the Category. The Category is reset to its untrained state. You do NOT have to clear previous training data in order to perform additional training. The training is cumulative. Clear the data only when you need to begin again with the particular training.
Clear Pending Data – Click this button to clear all training data that has been submitted, but has not been used for training. Clearing the data prevents its use.
Training Document – Upload the document you want to use to train this Category.
Is Document Confidential – Click the radio button to indicate whether the document is to be considered confidential or non-confidential for training purposes.

Note: The bottom portion of the window shows a graphic overview of the training corpus (see View Training
Corpus).


Configuring categories
Advanced Content Analysis Categories are trained individually on the Email Gateway, but they are
configured as a group.
To configure categories, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click Configure Categories. The Content Analysis Advanced -
Configure window appears.

3 Provide the information to complete the window (see Table 56).

4 Click Submit to record the configuration.

Figure 54 Content Compliance Advanced - Configure window

Table 56 Content Compliance Advanced - Configure fields


Field Description
Add X Header
    To add an X-header to messages that trigger rules using this Category, select the checkbox.
Content Filtering Dictionaries
    Set the threshold that must be met or exceeded to trigger rules from this category. Acceptable
    values range from 0 to 100 points.
    The threshold you set here applies to ALL dictionaries. You cannot set different thresholds for
    each.
Lexical Analysis
    Select the checkbox to enable lexical analysis for all categories. Then select the sensitivity
    level for clustering. Options are:
    • Low
    • Medium
    • High
    Sensitivity levels determine how accurately the category detects the kind of information
    configured. Settings should be based on such experiences as the level of false positives, or
    allowing too much confidential information to pass. McAfee recommends you begin with
    sensitivity set to Medium. If false positives result, reduce to Low sensitivity. If detection is
    inadequate, increase to High.

Clustering
    Select the checkbox to enable clustering for all categories. Then select the sensitivity level
    for clustering. Options are:
    • Low
    • Medium
    • High
Fingerprinting
    Select the checkbox to enable fingerprinting for all categories. Then select the sensitivity
    level for clustering. Options are:
    • Low
    • Medium
    • High

View Training Corpus


The Training Corpus window provides summary information about categories and the documents used to
train them. Together, all the documents that have been used (or scheduled for use) in training categories
constitute the body of information called the Training Corpus.
To view the training corpus, do the following:
1 Click the Compliance tab.

2 Click Content Analysis Advanced, then click View Training Corpus. The Content Analysis Advanced -
Training Corpus window appears.

3 View the window, and make any allowed changes (see Table 57).

4 When you have finished, click Submit. The Training Corpus window updates.

Figure 55 Content Analysis Advanced - Training Corpus window

The upper portion of this window is a table that lists individual categories and provides information about
their associated documents.


Table 57 Content Analysis Advanced - Training Corpus fields


Field Description
Category
    This column lists each category that has been associated with a document for training, whether
    the training has been completed or not.
Document Name
    The name of each specific document that has been used for training, or is intended to be, shows
    in this column.
Type
    This column indicates how the document is classified for training purposes: Confidential or
    Non-Confidential.
Text Size (MB/%)
    This column indicates the size of the raw text for each document, and the percentage of the
    total Corpus that it occupies.
    This is the text size as extracted by the Content Extraction Queue; it does not include graphics.
Added/Trained Date and Time
    The column lists the date and time the documents were trained. For pending documents, this is
    the date and time they were added for training.
Status
    This column displays the status for each document that has been submitted: In use (trained) or
    Pending (untrained).

The lower portion of the window is a graph that provides a quick snapshot of the entire Training Corpus.
The graph shows the portion of the Corpus for three parameters:
• In-use – this is the portion of the total Corpus occupied by data retained from the training of documents.

• Pending – this section of the graph represents the portion occupied by documents that are scheduled for
use in training Categories.

• Free – the graph also shows the portion of the Corpus that is currently not occupied by training
information (available space).

The Compliance Trainer


Categories can also be trained using the Compliance Trainer, a Windows-based application that can be
installed on individual workstations. You can then use the trainer to select files and send them to a specified
host and email address. These files will be used to train the categories.

For detailed information about the Compliance Trainer, see Appendix I, Compliance Trainer.


9 Analyzing Images

Contents
About Image Analysis
Managing Image Analysis rules
Applying Image Analysis rules

About Image Analysis


Inappropriate images transmitted via email are a major concern for enterprises. In fact, McAfee Research
has found that 10 percent of all email messages either contain pornographic content or are related to such
content, most of which consists of .gif or .jpg files. These messages create a risk for legal action as
violations of compliance standards and regulations. The Email Gateway Image Analysis capability is
designed to detect and stop these violations.
You can use the Image Analysis module to detect pornographic or sexually offensive images in email based
on content and attachments. It is a fully integrated add-on module for Email Gateway.

What Image Analysis does


Image Analysis is based on a sophisticated composition analysis engine that can detect over 85 different
image types and characteristics. It can detect pornographic or offensive images in either message content
or message attachments. Once this content is identified, Email Gateway can act upon it, using the rules and
policy configurations that you set. You can implement customized tolerance options across users, groups or
domains.
Image composition analysis is a process that analyzes the composition of images to find attributes that
might indicate that the image is pornographic. It uses a sophisticated process of thousands of
algorithms. These algorithms consider such factors as faces, skin, edges, backgrounds, environments,
roughness or smoothness, pattern recognition, luminosity, and other elements to provide reliable
information to distinguish pornography from non-offensive images.

How Image Analysis works


Image Analysis scans all images included in any email message. For rules that are configured to act on the
entire message, it takes the highest image score it encounters and applies that to the entire message. For
rules configured to act on attachments or message parts, it treats each image separately and acts on each
score.
While Image Analysis is unlikely to catch every occurrence of objectionable material in email traffic, it alerts
you to most of it and helps you detect trends or persistent problems. For inbound mail, it identifies
individuals, groups, domains or locations that receive mail with sexually offensive content. In outbound mail,
it reveals those who send such content. Both inbound and outbound porn or suggestive content pose a
serious problem for the enterprise.
You have no control over the actual algorithms used by Image Analysis. You can, however, create rules
using Image Analysis results, and apply them by creating Email Gateway policies. This allows you to set the
thresholds at which rules and actions are triggered. Current experience suggests that a threshold of
approximately 70 points catches most porn. Your own experience helps you refine your thresholds.
For messages to be treated as a whole, or for messages containing attachments, Image Analysis scores
each message or image that triggers a rule. Then Email Gateway takes action on the message or image
based on the most severe action configured (in accordance with regular action precedence). For more
information about action precedences, see Appendix G, Email Gateway Action Order of Precedence.
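The scoring model described above, as an added Python example that is not part of the McAfee guide: it applies the highest image score to message-scope rules, scores each image separately for part-scope rules, and resolves competing rules to the most severe action. The rule IDs, scores, the per-rule scope attribute and the action precedence table are constructed assumptions; the real precedence is in Appendix G, which this page does not reproduce.

```python
# Added example (not McAfee code): the scoring model this section describes.
# A message-scope rule sees only the highest image score in the message; a
# part-scope rule is evaluated once per image; when several rules trigger, the
# most severe action wins. The 0-100 point scale is the guide's; the precedence
# table, rule IDs, scores and the "scope" attribute are constructed assumptions
# (the real action order is in Appendix G, which this page does not reproduce).
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed precedence: a higher number means a more severe action.
ACTION_SEVERITY = {
    "Log": 1,
    "Copy Message": 2,
    "Forward Message": 3,
    "Subject Rewrite": 4,
    "Re-Route": 5,
    "Quarantine": 6,
    "Drop Message": 7,
}

@dataclass(frozen=True)
class ImageRule:
    rule_id: int
    threshold: int      # points; a score that reaches the threshold triggers the rule
    action: str         # one of the ACTION_SEVERITY keys
    scope: str          # "message" (whole message) or "part" (each image separately)

@dataclass
class Verdict:
    target: str         # "message" or the image name
    score: int          # the score the rules were compared against
    triggered: List[int]
    action: Optional[str]

def most_severe(actions: List[str]) -> Optional[str]:
    """Resolve competing actions with the constructed precedence table."""
    return max(actions, key=lambda a: ACTION_SEVERITY[a]) if actions else None

def evaluate_message(image_scores: Dict[str, int], rules: List[ImageRule]) -> List[Verdict]:
    """image_scores maps each image found in the message to its analysis score."""
    verdicts: List[Verdict] = []
    message_rules = [r for r in rules if r.scope == "message"]
    part_rules = [r for r in rules if r.scope == "part"]

    # Whole-message rules: the highest score found is applied to the entire message.
    if message_rules and image_scores:
        top = max(image_scores.values())
        hit = [r for r in message_rules if top >= r.threshold]
        verdicts.append(Verdict("message", top, [r.rule_id for r in hit],
                                most_severe([r.action for r in hit])))

    # Attachment/part rules: every image is scored and acted on separately.
    for name, score in image_scores.items():
        hit = [r for r in part_rules if score >= r.threshold]
        if hit:
            verdicts.append(Verdict(name, score, [r.rule_id for r in hit],
                                    most_severe([r.action for r in hit])))
    return verdicts

# Constructed sample: three images in one message with invented scores.
SAMPLE_SCORES = {"photo1.jpg": 35, "photo2.jpg": 72, "banner.gif": 90}
SAMPLE_RULES = [
    ImageRule(1, 70, "Quarantine", "message"),   # the ~70 point threshold the guide suggests
    ImageRule(2, 85, "Drop Message", "message"),
    ImageRule(3, 70, "Log", "part"),
]

if __name__ == "__main__":
    for verdict in evaluate_message(SAMPLE_SCORES, SAMPLE_RULES):
        print(verdict)
```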


Possible false positives


There are some things that give Image Analysis problems, such as fuzzy or unclear images, things like
curvaceous sand dunes, potentially suggestive human poses or arrangements of fruit, and even some
flowers. Pictures of animals and babies also present problems on occasion. Even considering these factors,
Image Analysis still detects the vast majority of pornographic and sexually offensive images.

Managing Image Analysis rules


All configured Image Analysis rules appear on the Image Analysis - Manage Rules window.
To view your existing rules, do the following:
1 Click the Compliance tab.

2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.

3 View your rules, and make any allowed changes to complete the screen (see Table 58).

4 Click Submit to accept your changes.

Figure 56 Image Analysis - Manage Rules window

Table 58 Image Analysis - Manage Rules fields


Field Description
ID
    This column displays the unique ID generated for each rule. The ID number is also a hyperlink
    that opens a detail window, where you can edit the rule.
Threshold
    This column shows the threshold point for this rule. When Email Gateway scans a message and
    reaches this point value, the message triggers the rule.
Action
    The action selected for each rule shows in this column.
Action Value
    If the selected action requires any additional data in order to complete the configuration, that
    data displays in this column.
Notify
    This column indicates if the rule is configured to generate notifications when it is triggered.
Archive
    The value in this column indicates whether or not messages that trigger this rule are archived.
Delete
    Select this checkbox to cause the rule to be deleted when you subsequently click Submit.
    Clicking the Delete heading will cause all rules to be deleted.


Adding an Image Analysis rule


To add a new Image Analysis Rule, do the following:
1 Click the Compliance tab.

2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.

3 Click Add New at the bottom of the Manage Rules window. The Add Rule window appears.

4 Provide the information to complete the window (see Table 59).

5 Click Submit. The Manage Rules window updates to add the rule.

Figure 57 Image Analysis - Add Rule window

Table 59 Image Analysis - Add Rule fields


Field Description
Threshold
    Type the threshold point for this rule. When Email Gateway scans a message and reaches this point
    value, the message triggers the rule.
Action
    Select the action Email Gateway takes when this rule is triggered.
Action Value
    Type any additional configuration data required for the specified action (for example, the
    number of days messages should remain in quarantine, or the email address to which copies should
    be sent).
Quarantine Type
    If Quarantine is the selected action, specify a Quarantine Type from the drop-down list.
Notifications
    You can configure notifications to be generated by this rule, if desired.
Notification Recipients
    Select one or more of the checkboxes to select the individuals who will receive the notices for
    this rule. You can select:
    • The Sender of the message
    • The intended Recipient of the message
    • Up to three Additional Recipients (such as security personnel or administrators)
    For each additional recipient, specify the email address.
Notification Templates
    Select the template to be used for each notification.
    You can configure notification templates at Compliance | Compliance Advanced | Mail
    Notification.
Message Archival
    Use the fields at the bottom of the window to configure message archiving.

Archive Messages triggered by this rule.
    Select the checkbox to archive messages that trigger this rule.
    You must select a target in order to archive messages.
Select Target
    Select the target location where these messages are to be stored.
    If no archive target is available, you can configure targets at Reporting | Message Archive |
    Add New.

Editing an Image Analysis rule


To edit an existing rule, do the following:
1 Click the Compliance tab.

2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.

3 Click the rule ID hyperlink for any rule. The Edit Rule window appears.

4 Provide the information to complete the window (see Table 60).

5 Click Submit. The Manage Rules window updates to add the rule.

Table 60 Image Analysis - Edit Rule fields


Field Description
Threshold
    The threshold for this rule displays at the top of the window. This value is not editable.
Action
    Select the action Email Gateway takes when this rule is triggered.
Action Value
    Type any additional configuration data required for the specified action (for example, the
    number of days messages should remain in quarantine, or the email address to which copies should
    be sent).
Quarantine Type
    If you selected Quarantine as the action, specify a Quarantine Type from the drop-down list.
Notifications
    You can configure notifications to be generated by this rule, if desired.
Notification Recipients
    Select one or more of the checkboxes to select the individuals who will receive the notices for
    this rule. You can select:
    • The Sender of the message
    • The intended Recipient of the message
    • Up to three Additional Recipients (such as security personnel, administrators, and so forth)
    For each additional recipient, you must specify the email address.
Notification Templates
    Select the template to be used for each notification.
    You can configure notification templates at Compliance | Compliance Advanced | Mail
    Notification.
Message Archival
    Use the fields at the bottom of the window to configure message archiving.
Archive Messages triggered by this rule.
    Select the checkbox to archive messages that trigger this rule.
    You must select a target in order to archive messages.
Select Target
    Select the target location where these messages are to be stored.
    If no archive target is available, you can configure targets at Reporting | Message Archive |
    Add New.

Applying Image Analysis rules


After you have configured Image Analysis rules, you are ready to use them to create specific policies for
detecting messages containing inappropriate images and taking action on them. All configured policies
appear on the Image Analysis - Apply Rules window.


To view configured policies, do the following:


1 Click the Compliance tab.

2 Click Image Analysis, then click Apply Rules. The Image Analysis - Apply Rules window appears.

3 View the policies, and make any allowable changes (see Table 61).

4 Click Submit to save your changes.

Figure 58 Image Analysis - Apply Rules window

Table 61 Image Analysis - Apply Rules fields


Field Description
Enable Image Analysis
    Select the checkbox to enable image analysis on this Email Gateway.
Apply ID
    This column contains the unique ID number that identifies each configured policy. The ID is a
    hyperlink that allows you to edit the policy.
Apply To
    This column displays the entity to which the policy applies. Options are:
    • Global
    • Domain
    • Domain Group
    • User Group
    • Email Address
    These selections apply whether the policy is configured at the Appliance level or for specified
    Virtual Hosts.
Exclude
    This column indicates if this policy is designed to apply specific rules to everyone except the
    defined entity.
Message Direction
    The value indicates if the policy applies to inbound messages, outbound messages, or both.
Delete
    Select the Delete checkbox to delete the policy when you click Submit.

Adding a new Image Analysis policy


To create a new Image Analysis policy, do the following:
1 Click the Compliance tab.

2 Click Image Analysis, then click Apply Rules. The Image Analysis - Apply Rules window appears.

3 Click Add New at the bottom of the window. The Add Apply Rule window appears.

4 Provide the information to complete the window (see Table 62).


5 Click Submit. The Manage Rules window updates to add the rule.

Figure 59 Image Analysis - Add Apply Rule window

Table 62 Image Analysis - Add Apply Rule fields


Field Description
Apply to all Virtual Hosts
    If the administrator adding the new policy is an appliance-level administrator and is logged
    into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new
    policy will apply to all Virtual Hosts on the appliance, without exception.
    If the administrator is a Virtual Host administrator or is an appliance-level administrator
    logged directly into a Virtual Host, this option does not appear.
Apply To
    Select the entity to which the policy will apply. Selections might require additional data.
    Options are:
    • Global - the policy applies to all users.
    • Domain Group - the policy applies to a pre-defined group of domains. Select the group from the
      list below.
    • Domain - the policy applies to a named domain.
    • User Group - the policy applies to a pre-defined user group. Select the group from the enabled
      list.
    • Email Address - the policy applies to a specific user, identified by the email address.
Data
    If you selected Domain or Email Address, type the domain name or email address in the data field.
Exclude
    If you want the policy to apply to everyone except the defined entity, select the checkbox.
Direction
    Click the proper radio button to select the mail flow direction to which the policy will apply.
    Options are:
    • Inbound
    • Outbound
    • Both
Configured Rules
    Select one or more of the existing rules to apply with this policy.

ID
    This column contains the rule ID. The rule ID is a hyperlink that permits you to edit the rule.
Threshold
    This column displays the threshold for each rule.
Action
    The action that Email Gateway takes for each rule displays in this column.
Action Value
    Any associated action value appears beside the action.
Notify
    This column indicates if the rule generates notifications.
Archive
    This column indicates whether or not the rule archives messages that trigger it.
Enable
    Select the Enable checkbox to enable at least one rule for this policy.

Note: You can configure Virtual Hosts at Intrusion Defender | Virtual Hosts. More detailed information is
available in Chapter 25, Virtual Hosts.

Editing an Image Analysis policy


To edit an existing Image Analysis policy, do the following:
1 Click the Compliance tab.

2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.

3 Click the rule ID on the Manage Rules window. The Edit Apply Rule window appears.

4 Provide the information to complete the window (see Table 63).

5 Click Submit. The Manage Rules window updates.

Table 63 Image Analysis - Edit Apply Rule fields


Field Description
Apply to all Virtual Hosts
    If the administrator editing the policy is an appliance-level administrator and is logged into
    the Default Virtual Host, this checkbox appears. If the administrator selects it, the policy will
    apply to all Virtual Hosts on the appliance, without exception.
    If the administrator is a Virtual Host administrator or is an appliance-level administrator
    logged directly into a Virtual Host, this option does not appear.
Apply To
    Select the entity to which the policy will apply. Selections might require additional data.
    Options are:
    • Global – the policy applies to all users.
    • Domain Group – the policy applies to a pre-defined group of domains. Select the group from the
      list below.
    • Domain – the policy applies to a named domain.
    • User Group – the policy applies to a pre-defined user group. Select the group from the enabled
      list.
    • Email Address – the policy applies to a specific user, identified by the email address.
Data
    If you selected Domain or Email Address as the application entity, type the domain name or email
    address in the data field.
Exclude
    If you want the policy to apply to everyone except the defined entity, select the checkbox.
Direction
    Click the radio button to select the mail flow direction for the policy. Options are:
    • Inbound
    • Outbound
    • Both
Configured Rules
    Select one or more rules to apply with this policy.

ID
    This column contains the rule ID. The ID is a hyperlink that permits you to edit the rule.
Threshold
    This column displays the threshold for each rule.
Action
    This column shows the action that Email Gateway takes for each rule.
Action Value
    Any associated action value appears beside the selected action.
Notify
    This column indicates if the rule generates notifications.
Archive
    This column indicates whether or not the rule archives messages that trigger it.
Enable
    Select the Enable checkbox to enable at least one rule for this policy.


10 Envelope Analysis
Contents
About Envelope Analysis
Managing Envelope Analysis rules
Applying Envelope Analysis rules

About Envelope Analysis


While Content Analysis directs its focus primarily on the content of email messages, Envelope Analysis is
concerned with the “package” that represents the message. The focus is on senders and receivers of the
messages, and on such factors as message size.

Managing Envelope Analysis rules


Use the Envelope Analysis - Manage Rules window to view existing envelope analysis rules.
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.

3 View your rules, and make any allowed changes to complete the screen (see Table 64).

4 Click Submit to accept your changes.

Figure 60 Envelope Analysis - Manage Rules window


Table 64 Envelope Analysis - Manage Rules fields


Field Description
ID
    This column lists the unique ID number for each configured rule.
Monitored Field
    This column displays the message field that is monitored by this rule. Options are:
    • Sender – if the message’s FROM address matches the user, group or domain identified in the Data
      field, Email Gateway takes the configured action upon messages sent from these users.
    • Recipient – if the message’s TO address matches the user, group or domain identified in the
      Data field, Email Gateway takes the configured action upon messages addressed to these users.
    • Subject – if the message’s subject line contains the text string specified in the Data field,
      Email Gateway takes the specified action. The search is a sub-string search, which means Email
      Gateway detects the string in combinations. For example, a rule for “Holiday Cheer” also
      applies to “Christmas Holiday Cheer” and “Holiday cheerfulness.”
    • Size – this selection indicates rules based on message size or size conditions. Messages that
      meet the configured conditions are treated according to these rules.
Type
    If you selected Sender or Recipient for the rule, you also selected the type of entity to be
    monitored. Options are:
    • User – the rule detects an individual user.
    • Group – the rule looks for a defined group.
    • Domain – the rule applies to this specific domain.
Condition
    If Size is the monitored field, this column shows conditions set for evaluating the size of the
    message (for example, greater than, equal to, between). The actual parameters display in the
    Data column.
Data
    Each monitored field requires some identifying information.
    • Sender or Recipient – email address, group name, or domain name.
    • Subject – all or part of the actual subject line.
    • Size – the numbers and units of measure that match the condition (for example, 4 MB).
Action
    This column lists the action taken if this rule is triggered.
Action Value
    Some actions require additional data, such as the number of days messages should remain in
    quarantine, or the email address for forwarding messages. That information appears in this
    column.
Notify
    This column indicates whether or not Email Gateway generates notifications when this rule is
    triggered.
Archive
    This column indicates whether or not messages that trigger this rule are archived.
Delete
    Select the Delete checkbox and then click Submit to delete the associated rule.

The only change you can make on this window is the deletion of rules. You can, however, add new rules or
edit existing ones by navigating to additional windows.

Adding an Envelope Analysis rule


To add a new Envelope Analysis rule, do the following:
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.

3 Click Add New at the bottom of the Manage Rules window. The Add Rule window appears.

4 Provide the information to complete the window (see Table 65).

5 Click Submit to add the rule.


Figure 61 Envelope Analysis - Add Rule window

Table 65 Envelope Analysis - Add Rule fields


Field Description
Monitored Field
    Select the message field you want this rule to monitor. Options are:
    • Sender
    • Recipient
    • Subject
    • Size
Type
    Select the type of entity monitored if you chose Sender or Recipient.
    • User – the rule is meant to detect an individual user.
    • Group – the rule is intended to look for a defined group.
    • Domain – the rule is meant for this specific domain.
    A rule can be applied to only one user, group or domain. To apply rules to more than one entity,
    create separate rules for each.
Data selection
    If the sender or recipient is a group, select a defined group from the drop-down list.
Condition
    If you selected Size, select the condition the rule detects from the drop-down list. Options are:
    • Less than
    • Greater than
    • Equal
    • Other than
    • Between
    • Less than or equal to
    • Greater than or equal to
Data
    In this data field, type the associated data to identify the specific field and type. Options are:
    • For User, type the email address or IP address
    • For Domain, type the fully qualified domain name
    • For Subject, type all or part of the subject line
    • For Size, type the numbers and select the units of measure that correspond with the condition
      you selected.

Action
    Select the action Email Gateway takes when this rule is triggered.
    • Forward Message
    • Subject Rewrite
    • Copy Message
    • Log
    • Re-Route
    • Drop Message
    • Quarantine
    • Remote Quarantine
    • Secure Delivery
Quarantine Type
    If you chose Quarantine or Remote Quarantine as the action, select the desired Quarantine Type.
    For more information, see About quarantine types in Chapter 4, Advanced Queue Manager Topics.
Action Value
    Type any necessary information associated with your choice of actions. For example, forwarding
    or copying a message requires an email address; subject rewrite requires text to replace the
    subject line; quarantine demands a number of days that messages remain in quarantine.
    For more information about actions, see Appendix C, Actions and Action Codes.
Notifications
    You can configure notifications to be generated by this rule, if desired.
Notification Recipients
    Select the checkboxes to determine who will receive the notices for this rule. You can select one
    or more of the following:
    • The Sender of the message
    • The intended Recipient of the message
    • Up to three Additional Recipients (such as security personnel, administrators, and so forth)
    For each additional recipient, specify the email address.
Notification Templates
    Select the template to use for each notification.
    Configure notification templates at Compliance | Compliance Advanced | Mail Notification.
Message Archival
    Use the fields at the bottom of the window to configure message archiving.
Archive Messages triggered by this rule.
    Select the checkbox to archive messages that trigger this rule.
    You must select a target in order to archive messages.
Select Target
    From the drop-down list, select the target where these messages are stored.
    If no archive target is available, you can configure targets at Reporting | Message Archive |
    Add New.
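The rule kinds in Tables 64 and 65 (Sender or Recipient by User, Group or Domain; Subject sub-string; Size with the seven conditions), evaluated against a message envelope as an added Python example that is not McAfee code. The rule and envelope structures, the group table and the sample messages are constructed; it treats subject matching as case-insensitive because the guide's “Holiday Cheer” example also matches “Holiday cheerfulness”, treats Between as inclusive (the guide does not say), and does not handle the IP-address form of a User.

```python
# Added example (not McAfee code): evaluates Envelope Analysis rules of the kinds in
# Tables 64 and 65 against a message envelope. Rule/envelope structures, the group
# table and sample data are constructed. Subject matching is case-insensitive (the
# guide's "Holiday Cheer" hits "Holiday cheerfulness"); Between is inclusive (assumed).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

@dataclass(frozen=True)
class EnvelopeRule:
    rule_id: int
    monitored: str                       # Sender | Recipient | Subject | Size
    action: str
    entity_type: Optional[str] = None    # User | Group | Domain (Sender/Recipient only)
    data: str = ""                       # address, group name, domain, or subject text
    condition: Optional[str] = None      # Size only: one of the seven Table 65 conditions
    size_bytes: Tuple[int, ...] = ()     # one value, or (low, high) for "Between"

@dataclass(frozen=True)
class Envelope:
    mail_from: str
    rcpt_to: str
    subject: str
    size_bytes: int

# Constructed stand-in for the gateway's defined groups.
GROUPS: Dict[str, Set[str]] = {"finance": {"cfo@example.com", "payroll@example.com"}}

def size_in_bytes(number: float, unit: str) -> int:
    """Convert the Data field's number and unit (for example, 4 MB) to bytes."""
    return int(number * UNITS[unit.upper()])

def address_matches(address: str, rule: EnvelopeRule) -> bool:
    """Sender/Recipient match by User (exact address), Group membership or Domain."""
    address = address.lower()
    if rule.entity_type == "User":
        return address == rule.data.lower()
    if rule.entity_type == "Group":
        return address in {m.lower() for m in GROUPS.get(rule.data, set())}
    if rule.entity_type == "Domain":
        return address.rsplit("@", 1)[-1] == rule.data.lower()
    return False

def size_matches(size: int, rule: EnvelopeRule) -> bool:
    """The seven Size conditions listed in Table 65."""
    v = rule.size_bytes
    checks = {
        "Less than": size < v[0],
        "Greater than": size > v[0],
        "Equal": size == v[0],
        "Other than": size != v[0],
        "Less than or equal to": size <= v[0],
        "Greater than or equal to": size >= v[0],
        "Between": len(v) == 2 and v[0] <= size <= v[1],
    }
    return checks[rule.condition]

def rule_matches(env: Envelope, rule: EnvelopeRule) -> bool:
    """Apply one rule to one envelope."""
    if rule.monitored == "Sender":
        return address_matches(env.mail_from, rule)
    if rule.monitored == "Recipient":
        return address_matches(env.rcpt_to, rule)
    if rule.monitored == "Subject":
        # Sub-string search: "Holiday Cheer" also hits "Christmas Holiday Cheer".
        return rule.data.lower() in env.subject.lower()
    if rule.monitored == "Size":
        return size_matches(env.size_bytes, rule)
    raise ValueError(f"unknown monitored field {rule.monitored!r}")

def triggered_rules(env: Envelope, rules: List[EnvelopeRule]) -> List[int]:
    """IDs of every rule the envelope triggers; action precedence is resolved elsewhere."""
    return [r.rule_id for r in rules if rule_matches(env, r)]

# Constructed sample rules: one per monitored field plus a Between rule.
SAMPLE_RULES = [
    EnvelopeRule(1, "Sender", "Log", entity_type="Domain", data="partner.example"),
    EnvelopeRule(2, "Recipient", "Secure Delivery", entity_type="Group", data="finance"),
    EnvelopeRule(3, "Subject", "Subject Rewrite", data="Holiday Cheer"),
    EnvelopeRule(4, "Size", "Quarantine", condition="Greater than",
                 size_bytes=(size_in_bytes(4, "MB"),)),
    EnvelopeRule(5, "Size", "Log", condition="Between",
                 size_bytes=(size_in_bytes(1, "MB"), size_in_bytes(4, "MB"))),
]

if __name__ == "__main__":
    msg = Envelope("alice@partner.example", "cfo@example.com",
                   "Christmas Holiday cheerfulness", size_in_bytes(5, "MB"))
    print(triggered_rules(msg, SAMPLE_RULES))  # [1, 2, 3, 4]
```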

Editing an existing rule


To edit a rule, do the following:
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.

3 Click the ID of the rule. The Edit Rule window appears.

4 Provide the information to complete the window (see Table 66).

5 Click Submit. The Manage Rules window updates.


Table 66 Envelope Analysis - Edit Rule fields


Field Description
ID
    The unique ID of the rule you are editing appears at the top of the window. This field is not
    editable.
Monitored Field
    Select the message field you want this rule to monitor. Options are:
    • Sender
    • Recipient
    • Subject
    • Size
Type
    Select the type of entity monitored if you chose Sender or Recipient.
    • User – the rule is meant to detect an individual user.
    • Group – the rule is intended to look for a defined group.
    • Domain – the rule is meant for this specific domain.
    A rule can be applied to only one user, group or domain. To apply rules to more than one entity,
    create separate rules for each.
Data selection
    If the sender or recipient is a group, select a defined group from the drop-down list.
Condition
    If you selected Size, select the condition the rule detects from the drop-down list. Options are:
    • Less than
    • Greater than
    • Equal
    • Other than
    • Between
    • Less than or equal to
    • Greater than or equal to
Data
    In this data field, type the associated data to identify the specific field and type. Options are:
    • For User, type the email address or IP address
    • For Domain, type the fully qualified domain name
    • For Subject, type all or part of the subject line
    • For Size, type the numbers and select the units of measure that correspond with the condition
      you selected.
Action
    Select the action Email Gateway takes when this rule is triggered.
    • Forward as Attachment
    • Forward Message
    • Subject Rewrite
    • Copy as Attachment
    • Copy Message
    • Log
    • Re-Route
    • Drop Message
    • Quarantine
    • Remote Quarantine
    • Secure Delivery
Quarantine Type
    If you chose Quarantine or Remote Quarantine as the action, select the desired Quarantine Type.
    For more information, see About quarantine types in Chapter 4, Advanced Queue Manager Topics.
Action Value
    Type any necessary information associated with your choice of actions. For example, forwarding
    or copying a message requires an email address; subject rewrite requires text to replace the
    subject line; quarantine demands a number of days that messages remain in quarantine.
    For more information about actions, see Appendix C, Actions and Action Codes.

Notifications
    You can configure notifications to be generated by this rule, if desired.
Notification Recipients
    Select the checkboxes to determine who will receive the notices for this rule. You can select one
    or more of the following:
    • The Sender of the message
    • The intended Recipient of the message
    • Up to three Additional Recipients (such as security personnel, administrators, and so forth)
    For each additional recipient, specify the email address.
Notification Templates
    Select the template to use for each notification.
    Configure notification templates at Compliance | Compliance Advanced | Mail Notification.
Message Archival
    Use the fields at the bottom of the window to configure message archiving.
Archive Messages triggered by this rule.
    Select the checkbox to archive messages that trigger this rule.
    You must select a target in order to archive messages.
Select Target
    From the drop-down list, select the target where these messages are stored.
    If no archive target is available, you can configure targets at Reporting | Message Archive |
    Add New.

Applying Envelope Analysis rules


Once rules have been created and added to the Manage Rules window, they are ready to be applied.
To view existing applications of rules (policies), do the following:
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.

3 View your rules, and make any allowed changes to complete the screen (see Table 67).

4 Click Submit to accept your changes.

Figure 62 Envelope Analysis - Apply Rules window

Table 67 Envelope Analysis - Apply Rules fields

Enable Envelope Analysis: Select the checkbox at the top of the window to enable or disable Envelope Analysis. Envelope Analysis policies are processed in the Content Analysis Queue. That queue must be set to Auto-Start, be running, and have an assigned queue position if Envelope Analysis is to work. See Configuring queues and Changing the queue order in Chapter 4, Advanced Queue Manager Topics.
Apply ID: This column lists the unique ID number for each policy.
Apply To: This column shows the user or group to whom the rule applies.
Exclude: If the rule is intended to exclude the particular user or group, a check mark appears in this column.
System Defined: An entry in this column indicates a system-defined policy. System-defined policies cannot be deleted.
Message Direction: This column indicates the message direction that is scanned: inbound, outbound, or both.
Delete: Select the Delete box for any rule, then click Submit to remove the rule.

Adding a new policy


To add a new rule application (policy), do the following:
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.

3 Click Add New at the bottom of the window. The Add Rule window appears.

4 Provide the information to complete the window (see Table 68).

5 Click Submit to add the policy.

Figure 63 Envelope Analysis - Add Rule window

Table 68 Envelope Analysis - Add Rule fields

Apply to all Virtual Hosts: If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To: Select the entity to which the policy applies. Selections might require additional data. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group.
• Email Address – the policy applies to a specific user, identified by the email address.
Data selections: If you selected User Group, select the group from the drop-down list. If you selected Domain Group, select the group from the drop-down list.
Data: If you selected Email Address, type that email address in the data field. If you chose Domain, type the domain name in the field.
Exclude: Select this checkbox to apply the new rule to everyone except the defined entity.
Direction: Click the appropriate radio button to identify the message direction for this policy. Options are:
• Inbound – If the specified user or group is inside the Email Gateway network, the policy applies to all messages originating outside the domain addressed to that user. If the user or group is outside the domain, the policy applies to all messages coming into the network from that user or group.
• Outbound – If the specified user or group is inside the Email Gateway hosted domain, the policy applies to all messages originating from those users and addressed to anyone outside the domain. If the user or group is outside the domain, the policy applies to all messages originating within the network addressed to that user or group.
• Both – The policy applies to all messages addressed to or received from the specified user or group.
Applicable Rules: You must enable one or more rules to create a working application.
ID: This column lists the unique ID number for each configured rule.
Monitored Field: This column displays the message field monitored by this rule. Options are:
• Sender
• Recipient
• Subject
• Size
Type: If Sender or Recipient was selected, this column displays the type of entity being monitored. Options are:
• User – the rule detects an individual user.
• Group – the rule looks for a defined group.
• Domain – the rule applies to this specific domain.
Condition: If Size is the monitored field, this column shows the condition set for evaluating the size of the message (for example, greater than, equal to, between, and so forth). The actual parameters display in the Data column.

Table 68 Envelope Analysis - Add Rule fields (continued)

Data: Each monitored field requires some identifying information.
• Sender or Recipient – email address, group name, or domain name.
• Subject – all or part of the actual subject line.
• Size – the numbers and units of measure that match the condition (for example, 4 MB).
Action: This column lists the action taken if this rule is triggered. For more information about actions, see Appendix C, Actions and Action Codes in this guide.
Action Value: Some actions require additional data, such as the number of days messages should remain in quarantine, or the email address for forwarding messages. That information appears in this column.
Notify: This column indicates whether Email Gateway generates notifications when this rule is triggered.
Archive: This column indicates whether or not Email Gateway archives messages that trigger the rule.
Enable: Select the Enable checkbox, then click Submit to enable the rule.
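As an added illustration of how the Apply To, Exclude, Direction and rule columns in Table 68 combine (example code written for this guide's reader, not Email Gateway's own logic), the following Python evaluator applies those semantics to a message envelope. The hosted-domain set, the Message/Rule/Policy types, the "1 MB,4 MB" form for a between range, and the restriction to User and Domain rule types and to Global, Domain and Email Address policies are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
HOSTED = frozenset({"example.com"})   # constructed: the domain this gateway hosts

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    size_bytes: int
    inbound: bool          # True when the message enters the network from outside

@dataclass
class Rule:
    rule_id: int
    monitored_field: str   # Sender, Recipient, Subject or Size
    data: str              # address or domain, subject text, or a size such as "4 MB"
    action: str
    entity_type: Optional[str] = None   # User or Domain (Sender/Recipient only)
    condition: Optional[str] = None     # greater than, equal to, between (Size only)
    enabled: bool = True

@dataclass
class Policy:
    apply_id: int
    apply_to: str          # Global, Domain or Email Address
    direction: str         # Inbound, Outbound or Both
    rules: List[Rule] = field(default_factory=list)
    data: str = ""
    exclude: bool = False

def domain_of(address: str) -> str:
    return address.lower().rsplit("@", 1)[-1]

def parse_size(text: str) -> int:
    # Convert a Data value such as "4 MB" to bytes.
    number, unit = text.split()
    return int(float(number) * UNITS[unit.upper()])

def entity_matches(apply_to: str, data: str, address: str) -> bool:
    if apply_to == "Global":
        return True
    if apply_to == "Email Address":
        return address.lower() == data.lower()
    if apply_to == "Domain":
        return domain_of(address) == data.lower()
    raise ValueError(f"unsupported Apply To value: {apply_to}")

def policy_covers(policy: Policy, msg: Message) -> bool:
    """Apply the Direction semantics from Table 68, then honour Exclude."""
    entity_inside = policy.apply_to == "Global" or domain_of(policy.data) in HOSTED
    if policy.direction == "Inbound":
        if not msg.inbound:
            return False
        # An inside entity must be the addressee; an outside entity the originator.
        address = msg.recipient if entity_inside else msg.sender
        hit = entity_matches(policy.apply_to, policy.data, address)
    elif policy.direction == "Outbound":
        if msg.inbound:
            return False
        address = msg.sender if entity_inside else msg.recipient
        hit = entity_matches(policy.apply_to, policy.data, address)
    else:  # Both: any message addressed to or received from the entity
        hit = any(entity_matches(policy.apply_to, policy.data, a) for a in (msg.sender, msg.recipient))
    return not hit if policy.exclude else hit   # Exclude: everyone except the entity

def rule_matches(rule: Rule, msg: Message) -> bool:
    if not rule.enabled:
        return False
    if rule.monitored_field == "Size":
        bounds = [parse_size(p) for p in rule.data.split(",")]   # "1 MB,4 MB" for between
        if rule.condition == "greater than":
            return msg.size_bytes > bounds[0]
        if rule.condition == "equal to":
            return msg.size_bytes == bounds[0]
        if rule.condition == "between":
            return bounds[0] <= msg.size_bytes <= bounds[1]
        raise ValueError(f"unsupported Size condition: {rule.condition}")
    if rule.monitored_field == "Subject":
        return rule.data.lower() in msg.subject.lower()
    address = msg.sender if rule.monitored_field == "Sender" else msg.recipient
    if rule.entity_type == "User":
        return address.lower() == rule.data.lower()
    if rule.entity_type == "Domain":
        return domain_of(address) == rule.data.lower()
    raise ValueError(f"unsupported Type value: {rule.entity_type}")

def evaluate(policies: List[Policy], msg: Message) -> List[Tuple[int, int, str]]:
    """Return (Apply ID, rule ID, Action) for each enabled rule the message triggers."""
    return [(p.apply_id, r.rule_id, r.action)
            for p in policies if policy_covers(p, msg)
            for r in p.rules if rule_matches(r, msg)]

# Constructed policies: quarantine oversized inbound mail to alice; Secure Delivery for
# outbound "confidential" mail from everyone except alice (Exclude set).
POLICIES = [
    Policy(1, "Email Address", "Inbound", data="alice@example.com",
           rules=[Rule(10, "Size", "4 MB", "Quarantine", condition="greater than")]),
    Policy(2, "Email Address", "Outbound", data="alice@example.com", exclude=True,
           rules=[Rule(20, "Subject", "confidential", "Secure Delivery")]),
]
```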

Editing an Envelope Analysis policy


To edit an existing policy, do the following:
1 Click the Compliance tab.

2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.

3 Click the ID for the rule. The Edit Rule window appears.

4 Provide the information to complete the window (see Table 69).

5 Click Submit to save your changes.

Table 69 Envelope Analysis - Edit Apply Rule fields

Apply to all Virtual Hosts: If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To: Select the entity to which the policy applies. Selections might require additional data. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group.
• Email Address – the policy applies to a specific user, identified by the email address.
Data selections: If you selected User Group, select the group from the drop-down list. If you selected Domain Group, select the group from the drop-down list.
Data: If you selected Email Address, type that email address in the data field. If you chose Domain, type the domain name in the field.
Exclude: Select this checkbox to apply the new rule to everyone except the defined entity.

Table 69 Envelope Analysis - Edit Apply Rule fields (continued)

Direction: Click the appropriate radio button to identify the message direction for this policy. Options are:
• Inbound – If the specified user or group is inside the Email Gateway network, the policy applies to all messages originating outside the domain addressed to that user. If the user or group is outside the domain, the policy applies to all messages coming into the network from that user or group.
• Outbound – If the specified user or group is inside the Email Gateway hosted domain, the policy applies to all messages originating from those users and addressed to anyone outside the domain. If the user or group is outside the domain, the policy applies to all messages originating within the network addressed to that user or group.
• Both – The policy applies to all messages addressed to or received from the specified user or group.
Applicable Rules: The lower portion of the window displays the configured rules. You must enable one or more of them to create a working application.
ID: This column lists the unique ID number for each configured rule.
Monitored Field: This column displays the message field monitored by this rule. Options are:
• Sender
• Recipient
• Subject
• Size
Type: If Sender or Recipient was selected, this column displays the type of entity being monitored. Options are:
• User – the rule detects an individual user.
• Group – the rule looks for a defined group.
• Domain – the rule applies to this specific domain.
Condition: If Size is the monitored field, this column shows the condition set for evaluating the size of the message (for example, greater than, equal to, between, and so forth). The actual parameters display in the Data column.
Data: Each monitored field requires some identifying information.
• Sender or Recipient – email address, group name, or domain name.
• Subject – all or part of the actual subject line.
• Size – the numbers and units of measure that match the condition (for example, 4 MB).
Action: This column lists the action taken if this rule is triggered. For more information about actions, see Appendix C, Actions and Action Codes in this guide.
Action Value: Some actions require additional data, such as the number of days messages should remain in quarantine, or the email address for forwarding messages. That information appears in this column.
Notify: This column indicates whether Email Gateway generates notifications when this rule is triggered.
Archive: This column indicates whether or not Email Gateway archives messages that trigger the rule.
Enable: Select the Enable checkbox, then click Submit to enable the rule.

11 Whitelisting
Contents
About whitelisting
Viewing whitelists
Searching whitelists
Applying whitelist rules

About whitelisting
Whitelisting allows you to exempt specific portions of your email traffic from some or all of Email Gateway
processing. You can specify domains, email addresses, or IP addresses that belong to trusted senders.
Whitelisting can reduce the volume of traffic Email Gateway must process and improve overall processing of
email.

Creating new whitelists


The Whitelist - Manage Rule window provides the capability for you to create a new whitelist rule. Email
Gateway has no default whitelist rules, so none will exist until you create one.
Figure 64 Whitelist - Manage Rule window

Use the options in the table below to allow individuals, domains or IP addresses to bypass specific Email
Gateway processes.

Table 70 Whitelist - Manage Rule fields

Who: Select from the drop-down list the type of entity to be whitelisted by this rule. Options are:
• From Domain
• To Domain
• From Email
• To Email
• IP Address
Exclusive: Select this check box to apply the rule to only the entity defined in the Who field. If any recipient of the message is configured for this rule, the message will bypass any features so configured in the rule. The exclusive option applies at the rule level, and applies automatically for the specified entity type when you create policies.
Data: In this field, type the data that defines the particular entity you have chosen to whitelist. Type the domain name, the email address or the IP address, whichever is appropriate.
File: If you wish, you can import a list of whitelist entries from a file, if the entries are in the proper format. For format information, see Appendix B, File Formats for Uploads.
Export (hyperlink): If you wish, you can export this file (listing your whitelist entries) to save it as a backup, and so forth. Click the Export hyperlink.
Direction: Click the appropriate radio button to determine the message direction for which the rule will apply.
• Inbound
• Outbound
• Both
Don’t Expire: If you want this whitelist rule to remain enabled regardless of the length of time since it was last triggered, select the checkbox.
Queue: Select one or more queues for which you want to choose processes to be bypassed (click or shift-click queue names).
Bypass: When you select queue(s), the processes managed by that queue will appear in the Bypass list. Select those you want the rule to bypass (click or shift-click functions).

When the rule is configured as you wish, click Submit to save the rule.

Creating a TrustedSource whitelist rule


Email Gateway includes TrustedSource as an Anti-Spam process that can be bypassed if the Who selection
is an IP address. If anything other than IP address is selected, TrustedSource will not appear in the Bypass
list.
Note: TrustedSource must be the only feature selected for the whitelist rule.

Configuring whitelist rule expiration


If whitelist rules continue to accumulate on an Email Gateway appliance, they can eventually degrade
performance. Email Gateway allows you to configure automatic expiration and deletion of whitelist rules
that are no longer in use. Your expiration preference shows on the Manage Rule window. If Don’t Expire is
checked for an entry, the only way to delete it is to check the Delete box and then click Submit. If,
however, the option is deselected, you can navigate to the Cleanup Schedule feature and create
cleanup/expiration rules that automatically delete unused whitelist entries. For more information, see
Setting automatic cleanup for whitelist entries, below.

Viewing whitelists
The Whitelist - View Rules window allows you to see all the rules that are currently configured. From this
window you can delete rules or navigate to a window where you can edit existing rules.
Figure 65 Whitelist - View Rules window

Table 71 Whitelist - View Rules fields

ID: This column displays the unique ID for each whitelist rule. Each ID is also a hyperlink that allows you to edit the rule.
Who: This column shows the type of entity for which the rule is configured. Options are:
• From Domain
• To Domain
• From Email
• To Email
• IP Address
Data: The identifying data for the Who entity type displays here (domain name, email address or IP address).
Where: This column displays the message direction to which the rule applies (inbound, outbound, or both).
Queue Bypass List: This double column shows the queues and functions that are bypassed by the rule.
• The left column lists the Queues that are bypassed.
• The right column lists the bypassed features within the queue or queues.
Last Hit Date: Shows the last date when this rule was triggered. Each date is also marked with one of three flags:
• Green – this rule is within the expiration time frame set by you.
• Yellow – this rule is nearing the expiration time set by you.
• Red – this rule is outside the time frame set by you.
Don’t Expire: A check mark indicates this whitelist rule has been configured to prevent it from expiring.
Delete: Selecting the checkbox and then clicking Submit will cause the associated rule to be deleted.

Table 71 Whitelist - View Rules fields (continued)

Delete All < n > Whitelist Rules: This checkbox will cause all the configured rules to be deleted when you click Submit. The actual number of rules appears in the text as a variable.
Navigation: At the bottom of the View window and to the right, you will find navigation fields to allow you to move to the next page of content information, the previous page, or a specific page (by entering a page number in the field).

When the whitelist entry is configured properly, click Submit. The Whitelist - View Rules window will refresh
to include the new or revised entry.

Editing a whitelist rule


If you want to edit an existing whitelist rule, select that rule’s ID number on the View Whitelist Rules
window. The rule will populate the Whitelist - Manage Rule window, where you can make any changes.

Table 72 Whitelist - Manage Rule fields

Who: Select from the drop-down list the type of entity to be whitelisted by this rule. Options are:
• From Domain
• To Domain
• From Email
• To Email
• IP Address
Data: In this field, type the data that defines the particular entity you have chosen. Type the domain name, the email address or the IP address, whichever is appropriate.
Direction: Click the appropriate radio button to determine the message direction for which the rule will apply.
• Inbound
• Outbound
• Both
Export (hyperlink): If you wish, you can export this file (listing your whitelist entries) to save it as a backup, and so forth. Click the Export hyperlink.
Queue: Select one or more queues for which you want to select processes to be bypassed (click or shift-click queue names).
Bypass: When you select queue(s), the processes managed by that queue will appear in the Bypass list. Select those you want the rule to bypass (click or shift-click functions).

When you have modified the rule as you intended, click Submit. The View Whitelist Rules window will
update.

Setting automatic cleanup for whitelist entries


On the Cleanup Schedule - Configure window (Administration | Cleanup Schedule), you can set the
schedule for deletion of unused rules. The deletion occurs based on the length of time that has elapsed
since the entry was last used. The last hit date appears on the View Rules window.

Table 73 Cleanup Schedule - Configure fields

File Type: Choose the Whitelist rules file type from the drop-down list. Then click Select. The window will refresh.
Admin Whitelist Cleanup Interval: Type the length of time in hours that must elapse since an administrator-created rule was last hit. When a rule’s last use is beyond this number of hours, the rule is set for cleanup.
EUQ Whitelist Cleanup Interval: Type the length of time in hours that must elapse since an End User Quarantine-created rule was last hit. When a rule’s last use is beyond this number of hours, the rule is set for cleanup.
Frequency Schedule: Clicking this button enables creation of a fixed-interval schedule for the Cleanup cycle. You can select an interval in hours (1 hour to 72 hours) between cycles. You must choose either Frequency Schedule or Detailed Schedule. Enabling one disables the other.
Detailed Schedule: This option allows creation of a specifically detailed schedule for the Cleanup cycle. The schedule is configured in two steps:
• The left side of the window displays a list of days of the week. Select the day during which the cleanup cycle is to run. You can select only one day at a time. However, after you submit the detailed schedule for one day, you can do it again for another day and the system will accumulate the daily schedules. It is therefore possible to create individual detailed schedules for all seven days per week.
• The right side of the window contains checkboxes for each of the 24 hours in a day. Selecting a checkbox enables Email Gateway to run Auto Cleanup at that time on the designated day. You can select from 0 to 24 cleanup times per day.

When the cleanup schedule is correctly configured, click Submit.
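Every whitelist entry is a standing bypass of the selected scanning features, so which entries the next cleanup cycle removes, and which persist because Don’t Expire is set, is worth checking. The following Python example (added for this guide's reader, not Email Gateway code) models the cleanup interval per rule origin, the Last Hit Date flags, the Don’t Expire override, and the two schedule types; the 80% threshold for the yellow flag is an assumption, and the rules and schedule are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

@dataclass
class WhitelistRule:
    rule_id: int
    who: str               # From Domain, To Domain, From Email, To Email or IP Address
    data: str
    origin: str            # "Admin" (administrator-created) or "EUQ" (End User Quarantine)
    last_hit: datetime     # the Last Hit Date shown on the View Rules window
    dont_expire: bool = False

@dataclass
class CleanupConfig:
    admin_interval_hours: int      # Admin Whitelist Cleanup Interval
    euq_interval_hours: int        # EUQ Whitelist Cleanup Interval
    yellow_fraction: float = 0.8   # assumption: "nearing" means past 80% of the interval

def cleanup_interval(rule: WhitelistRule, cfg: CleanupConfig) -> timedelta:
    hours = cfg.admin_interval_hours if rule.origin == "Admin" else cfg.euq_interval_hours
    return timedelta(hours=hours)

def last_hit_flag(rule: WhitelistRule, cfg: CleanupConfig, now: datetime) -> str:
    """Green, Yellow or Red, as marked beside Last Hit Date on the View Rules window."""
    age = now - rule.last_hit
    limit = cleanup_interval(rule, cfg)
    if age > limit:
        return "Red"
    if age >= limit * cfg.yellow_fraction:
        return "Yellow"
    return "Green"

def rules_for_cleanup(rules: List[WhitelistRule], cfg: CleanupConfig, now: datetime) -> List[int]:
    """IDs the next Auto Cleanup cycle deletes: Red rules without Don't Expire set."""
    return [r.rule_id for r in rules
            if not r.dont_expire and last_hit_flag(r, cfg, now) == "Red"]

def next_detailed_run(schedule: Dict[str, Set[int]], now: datetime) -> datetime:
    """First cleanup start after `now` under a Detailed Schedule.

    `schedule` maps a weekday name to the set of enabled hour checkboxes (0-23)."""
    base = now.replace(minute=0, second=0, microsecond=0)
    for offset in range(8):                      # today plus the next seven days
        day = base + timedelta(days=offset)
        for hour in sorted(schedule.get(day.strftime("%A"), ())):
            candidate = day.replace(hour=hour)
            if candidate > now:
                return candidate
    raise ValueError("no cleanup times are enabled in the detailed schedule")

def next_frequency_run(last_run: datetime, interval_hours: int) -> datetime:
    """Next start under a Frequency Schedule (fixed interval of 1 to 72 hours)."""
    if not 1 <= interval_hours <= 72:
        raise ValueError("interval must be between 1 and 72 hours")
    return last_run + timedelta(hours=interval_hours)

# Constructed data: 30-day admin interval, 7-day EUQ interval, four rules, one schedule.
NOW = datetime(2009, 6, 15, 9, 0)        # a Monday
CONFIG = CleanupConfig(admin_interval_hours=720, euq_interval_hours=168)
RULES = [
    WhitelistRule(1, "From Domain", "partner.example", "Admin", NOW - timedelta(days=10)),
    WhitelistRule(2, "IP Address", "192.0.2.10", "Admin", NOW - timedelta(days=25)),
    WhitelistRule(3, "From Email", "news@list.example", "EUQ", NOW - timedelta(days=10)),
    WhitelistRule(4, "From Email", "ceo@partner.example", "EUQ", NOW - timedelta(days=30),
                  dont_expire=True),
]
SCHEDULE = {"Monday": {2, 22}, "Thursday": {3}}   # hour checkboxes per selected day
```

Rule 4 stays Red indefinitely because Don’t Expire is set; as the text above notes, such an entry is only removed by checking its Delete box and clicking Submit.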

Searching whitelists
Email Gateway provides the ability to search the whitelists for specific rules or for applications of the rules.
You can begin a search by navigating to the Search Whitelist window.
Figure 66 Whitelist - Search Rules window

Supply the parameters to be used in conducting the search. It might be helpful to narrow the search by
providing all the information you have to limit the potential results.

Table 74 Whitelist - Search Rules fields

Search Criteria: Select the type of rules or policies to be searched. Options are:
• Admin Generated - this search will seek only whitelist rules or policies created by the administrator.
• End User Generated - if user-generated whitelist rules are allowed, the search will locate those rules or policies.
End users can request that email senders be whitelisted when they release messages using the End User Quarantine feature. See Chapter 15 of this Administration Guide.
Data: Type the identifying information for the entity you select in the choice options below (IP address, email address, domain name or group name).
Rules: If you want the search to seek rules, click the Rules radio button. You must also check the entity type that will match the data entered above. For example, if you entered a domain name in the Data field, you must select Domain on the Rules line.
Policies: If you want the search to return applications of rules (policies), click the Policies radio button. You must also check the entity type that will match the data you entered in the Data field.

Note: You can conduct a search for Rules or Policies, but not both in the same search instance.

When the search parameters have been entered, click Submit to see the search results.
Figure 67 Search Result window

Applying whitelist rules


Once you have created whitelist rules, they are ready to be applied. To view any existing applications
(policies), navigate to the Whitelist - Apply Rules window.
Figure 68 Whitelist - Apply Rules window

Table 75 Whitelist - Apply Rules fields

Apply ID: Each whitelist rule application is assigned a unique ID number. This column shows the IDs of existing rules.
Apply To: This column shows the type of entity to which this policy applies. Options are:
• Global
• Domain Group
• Domain
• User Group
• Email Address
Exclude: If the application was configured to exclude the entity listed in Apply To, this column will contain an indicator.
Delete: If you select the checkbox and then click Submit, the application will be deleted.

Adding a new whitelist policy


If you want to add a new whitelist policy, click Add New at the bottom of the Apply Rules window. The Add
Apply Rules window appears.

Figure 69 Whitelist - Add Apply Rule window

Configure the new application by supplying the necessary parameters.

Table 76 Whitelist - Add Apply Rule fields

Apply to all Virtual Hosts: If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To: Select the entity to which the policy will apply. Selections might require additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains. Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the email address.
Data Selections: If you chose User Group as the Apply To entity, select the name of an existing group from the enabled pick list. If you chose Domain Group above, select the name of an existing domain group from the enabled pick list.
Data: If you chose Domain or Email Address as the Apply To entity, type the domain name or the email address in this field.
Exclude: If you want to apply the rule to everyone except the defined entity, select the Exclude checkbox.
Available Rules: The lower portion of the window lists all configured whitelist rules. You must enable one or more of them to create a working application.

Table 76 Whitelist - Add Apply Rule fields (continued)

ID: This column displays the unique ID for each whitelist rule. Each ID is also a hyperlink that allows you to edit the rule.
Who: This column shows the type of entity for which the rule is configured. Options are:
• From Domain
• To Domain
• From Email
• To Email
• IP Address
Data: The identifying data for the Who entity type displays here (domain name, email address or IP address).
Where: This column displays the message direction to which the rule applies (inbound, outbound, or both).
Queue Bypass: This double column shows the queues and functions that are bypassed by the rule. The left column lists the Queues that are bypassed. The right column lists the bypassed features within the queue or queues.
Last Hit Date: This column shows the last date when this rule was triggered. Each date is also marked with one of three flags:
• Green – this rule is within the expiration time frame set by you.
• Yellow – this rule is nearing the expiration time set by you.
• Red – this rule is outside the time frame set by you.
Don’t Expire: A check mark indicates this whitelist rule has been configured to prevent it from expiring.
Enable: Select the checkbox to enable this specific rule for this application. Selecting the checkbox again (deselecting it) disables the rule.

When you have completed the configuration, click Submit to add the application. The Whitelist - Apply
Rules window will update to show the new application.

Editing an application
You can also edit existing applications as necessary. Click the Apply ID for the particular application to
open the Edit Whitelist Rule window.

Table 77 Edit Whitelist Rule fields

Apply to all Virtual Hosts: If the administrator editing the policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To: Select the entity to which the policy will apply. Selections might require additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains. Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the email address.

Table 77 Edit Whitelist Rule fields (continued)

Data Selections: If you chose User Group as the Apply To entity, select the name of an existing group from the enabled pick list. If you chose Domain Group above, select the name of an existing domain group from the enabled pick list.
Data: If you chose Domain or Email Address as the Apply To entity, type the domain name or the email address in this field.
Exclude: If you want to apply the rule to everyone except the defined entity, select the Exclude checkbox.
Available Rules: The lower portion of the window lists all configured whitelist rules. You must enable one or more of them to create a working application.
ID: This column displays the unique ID for each whitelist rule. Each ID is also a hyperlink that allows you to edit the rule.
Who: This column shows the type of entity for which the rule is configured. Options are:
• From Domain
• To Domain
• From Email
• To Email
• IP Address
Data: The identifying data for the Who entity type displays here (domain name, email address or IP address).
Where: This column displays the message direction to which the rule applies (inbound, outbound, or both).
Queue Bypass List: This double column shows the queues and functions that are bypassed by the rule. The left column lists the Queues that are bypassed. The right column lists the bypassed features within the queue or queues.
Last Hit Date: This column shows the last date when this rule was triggered. Each date is also marked with one of three flags:
• Green – this rule is within the expiration time frame set by you.
• Yellow – this rule is nearing the expiration time set by you.
• Red – this rule is outside the time frame set by you.
Don’t Expire: A check mark indicates this whitelist rule has been configured to prevent it from expiring.
Enable: Select the checkbox to enable this specific rule for this application. Selecting the checkbox again (deselecting it) disables the rule.
Enable All < n > Whitelist Rules: Selecting the checkbox and then clicking Submit enables all configured rules in this application. The actual number of rules appears as a variable.

When you have made the necessary changes, click Submit. The Whitelist - Apply Rules window will
update.

12 Advanced Topics in Compliance
Contents
About address masquerading
About Desktop Encryption Analysis
About Off-Hour Delivery
About Attachment Analysis
About Network DLP Analysis
About Message Stamping
About Group Manager
About Mail Notification
Compliance rules updates

About address masquerading


Address Masquerading allows you to map one domain name or email address to another for either inbound
or outbound messages. This option eases the transition when a domain name or email address changes for
any reason. Masquerading can also help protect users and domains by not revealing actual identification
information.
You can create and manage masquerading entries from the Address Masquerades - Manage window.
Figure 70 Address Masquerades - Manage window

Table 78 Address Masquerade - Manage fields


Field Description
Masquerade Search The upper portion of the window contains the parameters that can be used to search
for existing masquerade entries. They are discussed in greater detail below.
Enable Masquerading Select this checkbox to enable Email Gateway to perform address masquerading
based on the entries that have been configured.
Configured Masquerades The lower portion of the window is a table displaying all the address
masquerade entries that are currently configured on the Email Gateway appliance.
Original Name This column displays the original domain name or email address for which
the specific masquerade was configured. The name is also a link that
allows editing of the entry.
New Name This column shows the new name to be used to masquerade the original
name.
Masquerade Type The type of masquerade configured for each specific entry appears in this
column. Options are:
• Domain
• Email
Direction This column displays the selected mail flow direction to which the
masquerade will apply. Options are:
• Inbound
• Outbound
• Both
RFC Headers The RFC headers to which the masquerade applies appear in this column. If the list of
headers needs more space than the column width, it appears truncated; hovering over the truncated
list displays the complete list for that entry in a pop-up window.
Delete Selecting this checkbox and subsequently clicking Submit will cause the
associated entry to be deleted. Clicking the “Delete” column heading
(link) selects all entries on the page.
Delete All <n> Addr Masquerades Selecting this checkbox and then clicking Submit deletes the entire
list of masquerade entries on all pages. The total number of configured entries appears in place of <n>.
Page Navigation The lower right side of the window contains information about the number
of pages containing masquerade entries, with both directional arrows and
commands that allow you to navigate through the pages or to a specific
page.
File You can upload a list of masquerade entries from a file by entering the
complete path to that file or browsing to it.
Export Clicking this link will allow you to export the current list of masquerade
entries to a text file, to be stored outside Email Gateway and to serve as
a backup copy. Clicking the link displays a dialog box requesting your
preferences, and allowing you to navigate to your selected storage
location.

Searching for masquerade entries


As the number of masquerades configured grows, it becomes more difficult to find specific entries unless a
search option is available. The upper portion of the Address Masquerades - Manage window provides just
such an option. Enter as much information as possible about the entry to narrow the search.

Table 79 Searching for masquerades


Field Description
Masquerade Type If you know the masquerade type (Domain or Email) that was used to
configure the entry, select it from the list. Otherwise, you can choose All
to have Email Gateway search all masquerades regardless of type.
Original Name Type the original domain name or email address that is configured for
masquerading.

New Name Type the new name for the masqueraded entity.
Direction Click the mail flow direction for the entry.
RFC Headers You can further limit the search by clicking one or more of the possible
RFC headers to which the masquerade applies.

When you have entered the search parameters, click the Search button to execute the search. Email
Gateway will return a list of all masquerade entries that match the parameters, or display a message saying
that no entries were found.

Adding new masquerade entries


Adding a new masquerade entry begins with clicking the Add New button at the bottom of the Address
Masquerades - Manage window. You can create either a domain masquerade or an email address
masquerade. The Add Masquerade window refreshes to match the type of masquerade you want to
configure, offering the appropriate fields.

Adding a new domain


To add a new domain to the Address Masquerading list, select Domain as the Masquerade Type on the
window.
Figure 71 Address Masquerades - Add Masquerade window

Table 80 Address Masquerades - Add Masquerade fields


Field Description
Masquerade Type Select Domain as the Masquerade Type.
Original Domain Name Type the original domain name that you wish to masquerade.
New Domain Name Type the new domain name that should appear in place of the original name in the
headers you select below.

Direction Select the direction for mail flow to which this masquerade will apply.
Options are:
• Inbound
• Outbound
• Both
RFC Headers Select the checkboxes to choose one or more RFC header types to which the masquerade
will apply. You can choose:
• From 821
• To 821
• From 822
• Reply To 822
• To 822
• CC 822
• Disposition Notification To
• Return Receipt From
The 821 entries are the SMTP envelope addresses (MAIL FROM and RCPT TO, as defined in RFC 821); the
822 entries are the corresponding message header fields (RFC 822). The New Name appears in place of
the original name in the headers you select.

When the information is correct, click Submit. The Address Masquerading window will update.

Using wild cards


Wild cards can be used in Domain Address Masquerading. An asterisk (*) placed at the beginning or the
end of a domain name matches any text in front of, or any text following, the literal part of the name.
When the asterisk is at the beginning of the original domain name, Email Gateway keeps the text the
asterisk matched and re-writes the literal part that follows it. When the asterisk is at the end, it keeps
the matched text and re-writes the literal part in front of it.
Note: If you use an asterisk in both the old domain name and the new domain name, the asterisk MUST be in the
same place in both names - at the front, or at the end.

Note: When you use inbound address masquerading, you must create an entry in the Domain-Based Routing
Table for the new domain name, and ensure the associated internal mail server is configured to accept mail from
the new domain. Otherwise, incoming mail will be rejected with a 571 Cannot relay error.

Table 81 Domain masquerade examples


Original Domain Name: *name.com
Affects these domains: myname.com, yourname.com, hisname.com
New Domain Name: *www.com
New name will be: mywww.com, yourwww.com, hiswww.com

Original Domain Name: *trust.com
Affects these domains: mytrust.com, yourtrust.com, ciphertrust.com
New Domain Name: *name.com
New name will be: myname.com, yourname.com, ciphername.com

Original Domain Name: trust.*
Affects these domains: trust.com, trust.net, trust.org
New Domain Name: name.*
New name will be: name.com, name.net, name.org
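The rules in the table above, carried through in code. This is an added example written for this page, not the appliance's own implementation: DomainMasquerade, validate_entry, masquerade_address and masquerade_header are names chosen here; the first matching entry wins; matching is case-insensitive; and a leading or trailing asterisk is assumed to also match empty text. validate_entry enforces the first note above (a wildcard in both names must sit at the same end), which is the check an administrator would otherwise only discover at Submit time.

```python
from dataclasses import dataclass
from email.utils import formataddr, getaddresses
from typing import List, Optional


def validate_entry(original: str, new: str) -> Optional[str]:
    """Return a reason the pair is invalid, or None if it is acceptable.
    A wildcard may only be the first or last character, and when both names
    carry one it must sit at the same end (the guide's rule)."""
    for pattern in (original, new):
        if pattern.count("*") > 1 or "*" in pattern[1:-1]:
            return f"wildcard must be at the front or the end only: {pattern!r}"
    if "*" in original and "*" in new:
        if original.startswith("*") != new.startswith("*"):
            return "wildcard must be in the same position in both names"
    return None


@dataclass(frozen=True)
class DomainMasquerade:
    """One Domain-type masquerade entry (class name chosen for this example)."""
    original: str
    new: str

    def __post_init__(self) -> None:
        problem = validate_entry(self.original, self.new)
        if problem:
            raise ValueError(problem)

    def apply(self, domain: str) -> Optional[str]:
        """Masqueraded form of `domain`, or None when this entry does not match it."""
        d, o = domain.lower(), self.original.lower()
        if o.startswith("*"):                 # *name.com: any text in front of the literal
            literal = o[1:]
            if not d.endswith(literal):
                return None
            captured = domain[:len(domain) - len(literal)]
        elif o.endswith("*"):                 # trust.*: any text after the literal
            literal = o[:-1]
            if not d.startswith(literal):
                return None
            captured = domain[len(literal):]
        else:                                 # no wildcard: exact match only
            if d != o:
                return None
            captured = ""
        # Put the captured text back where the new name's wildcard is.
        if self.new.startswith("*"):
            return captured + self.new[1:]
        if self.new.endswith("*"):
            return self.new[:-1] + captured
        return self.new


def masquerade_address(address: str, entries: List[DomainMasquerade]) -> str:
    """Rewrite the domain part of one address using the first matching entry."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address
    for entry in entries:
        rewritten = entry.apply(domain)
        if rewritten is not None:
            return f"{local}@{rewritten}"
    return address


def masquerade_header(value: str, entries: List[DomainMasquerade]) -> str:
    """Rewrite every address in an RFC 822 address header (From, To, Cc, Reply-To)."""
    return ", ".join(
        formataddr((name, masquerade_address(addr, entries)))
        for name, addr in getaddresses([value])
    )


# The three entries from Table 81.
TABLE_81_ENTRIES = [
    DomainMasquerade("*name.com", "*www.com"),
    DomainMasquerade("*trust.com", "*name.com"),
    DomainMasquerade("trust.*", "name.*"),
]

if __name__ == "__main__":
    print(masquerade_header("Bob <bob@hisname.com>, alice@ciphertrust.com", TABLE_81_ENTRIES))
```

Because the entries are tried in order, an administrator who configures both *name.com and *trust.com should check which one a domain such as ciphertrust.com hits first; the appliance's own ordering is not documented here, so test it with a real message before relying on it.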

Adding a new email address


To add a new email address to the Address Masquerades - Manage window, select Email as the
Masquerade Type.


Table 82 Address Masquerades - Add Masquerade fields


Field Description
Masquerade Type Select Email as the Masquerade Type.
Original Email Name Type the original address that you wish to masquerade.
New Email Name Type the new email name that should appear in lieu of the original name
in the headers you select below.
Direction Select the direction for mail flow to which this masquerade will apply.
Options are:
• Inbound
• Outbound
• Both
RFC Headers Select the checkboxes to choose one or more RFC Header type to which
the masquerade will apply. You can choose:
• From 821
• To 821
• From 822
• Reply To 822
• To 822
• CC 822
• Disposition Notification To
• Return Receipt From
The New Name will appear in the place of the original name in the headers
you select.

When the information is correct, click Submit. The Address Masquerades - Manage window will update.
Note: Wild cards cannot be used in masquerading email addresses. They can only be used for domain
masquerading.

Editing masquerade entries


To edit a configured masquerade entry, click the Original Name link in the Address Masquerades - Manage
window. An Edit Masquerade window will appear showing the current configuration for the selected entry.
Make any changes to the selected masquerade entry, and then click Submit. The new configuration will be
saved.

About Desktop Encryption Analysis


Email Gateway Desktop Encryption Analysis applies policy to messages that users have encrypted or
digitally signed with client-based (desktop) tools. A digital signature lets the recipient verify that a
message really came from the stated sender and that no one has altered it; encryption keeps the content
private. The drawback is that the same encryption that protects legitimate messages also hides viruses,
malicious code and confidential information sent by unscrupulous employees from inspection at the
gateway. The Boundary to Boundary screens for secure delivery allow you to specify the domains for
which Email Gateway requires or denies the use of encryption (see About Domain Require and Deny in
this Administration Guide) and to manage the Security Certificates required by the encryption protocols.
Email Gateway allows you to create policies that monitor specific messages that pass through the email
system. These policies are based on rules that look at every message’s sender or receiver email address
and check if the email address or domain is identified in a Desktop Encryption Analysis policy, or if the
individual is a member of a group specified in the policy. Email Gateway performs one of several actions
whenever a configured address or domain is detected.
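How a gateway can recognise desktop-encrypted mail and then apply sender/recipient rules of the kind this section describes, as an added example written for this page rather than Email Gateway's own code. The detection criteria (multipart/encrypted with the application/pgp-encrypted protocol for PGP/MIME, application/pkcs7-mime with smime-type=enveloped-data for S/MIME, and inline PGP armor in a text body) follow the standard MIME conventions and are this example's assumption about what counts as desktop encryption; the guide does not say how the appliance detects it. EncryptionRule, GROUPS, RULES and the two sample messages are constructed for the example.

```python
import email
from dataclasses import dataclass
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional, Set, Tuple

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def encryption_kind(msg: Message) -> Optional[str]:
    """Classify a parsed message as desktop-encrypted, or return None.
    Criteria are this example's assumptions from the standard MIME conventions:
    PGP/MIME (RFC 3156), S/MIME enveloped data (RFC 8551) and inline PGP armor."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        protocol = (msg.get_param("protocol") or "").lower()
        return "pgp-mime" if protocol == "application/pgp-encrypted" else "mime-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # enveloped-data is encryption; signed-data is only a signature and stays scannable
        smime_type = (msg.get_param("smime-type") or "").lower()
        return "smime" if smime_type == "enveloped-data" else None
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if PGP_ARMOR in (part.get_payload(decode=True) or b""):
                return "pgp-inline"
    return None


@dataclass(frozen=True)
class EncryptionRule:
    """A rule as the Add Rule window describes it (constructed type)."""
    monitored: str   # "Sender" or "Recipient"
    kind: str        # "User", "Group" or "Domain"
    data: str        # email address, group name or domain name
    action: str      # e.g. "Quarantine"


# Constructed group membership standing in for the appliance's Group Manager.
GROUPS: Dict[str, Set[str]] = {"legal": {"counsel@example.com"}}


def rule_matches(rule: EncryptionRule, address: str) -> bool:
    addr = address.lower()
    if rule.kind == "User":
        return addr == rule.data.lower()
    if rule.kind == "Domain":
        return addr.rpartition("@")[2] == rule.data.lower()
    if rule.kind == "Group":
        return addr in {m.lower() for m in GROUPS.get(rule.data, set())}
    return False


def evaluate(raw: bytes, rules: List[EncryptionRule]) -> List[Tuple[str, str]]:
    """Return (action, encryption kind) for every rule the message triggers.
    Mail that is not desktop-encrypted triggers nothing here: these rules govern
    encrypted mail only, and ordinary mail falls through to the content scanners."""
    msg = email.message_from_bytes(raw)
    kind = encryption_kind(msg)
    if kind is None:
        return []
    sender = parseaddr(msg.get("From", ""))[1]
    recipients = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    hits = []
    for rule in rules:
        targets = [sender] if rule.monitored == "Sender" else recipients
        if any(rule_matches(rule, t) for t in targets):
            hits.append((rule.action, kind))
    return hits


# Constructed sample messages; the PGP body holds no real ciphertext.
PGP_MIME_SAMPLE = b"""From: mallory@example.com
To: drop@partner.example
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

PLAIN_SAMPLE = b"""From: mallory@example.com
To: drop@partner.example
Content-Type: text/plain

See you at noon.
"""

RULES = [
    EncryptionRule("Sender", "Domain", "example.com", "Quarantine"),
    EncryptionRule("Recipient", "Group", "legal", "Allow"),
]
```

The first rule is the typical outbound control: anyone in the organisation's own domain who sends encrypted mail the gateway cannot read gets quarantined for review, while the second rule shows how a group (here, legal counsel) can be carved out. The S/MIME branch matters in practice: a signed-only message is readable and should not be treated as encrypted.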

Managing encryption rules


Any existing Desktop Encryption Analysis rules appear on the Desktop Encryption Analysis - Manage Rules
window.


Figure 72 Desktop Encryption Analysis - Manage Rules window

Table 83 Desktop Encryption Analysis - Manage Rules fields


Field Description
ID This column shows the unique, system-generated ID number assigned to
each rule.
Monitored Field The monitored field for each rule shows in this column. Options are:
• Sender
• Recipient
Type This column lists the entity type associated with the rule.
Options are:
• User
• Group
• Domain
Data This column displays the email address, group name or domain name that
identifies the specific entity.
Action The action Email Gateway will take if this rule is triggered appears in this
column.
Action Value If the action requires an additional value, such as the number of days a
message should stay in quarantine, the value appears here.
Notify A Yes or a No in this column indicates whether or not the rule is configured
to generate notices.
Archive The value in this column indicates whether or not messages that trigger
this rule are to be archived.
Delete Selecting the checkbox and then clicking Submit will cause the rule to be
deleted.


Adding a new Desktop Encryption Analysis rule


To add a new Desktop Encryption Analysis rule, click Add New at the bottom of the window. The Add Rule
window will appear.
Figure 73 Desktop Encryption Analysis - Add Rule window

Table 84 Desktop Encryption Analysis - Add Rule fields


Field Description
Monitored Field Select the message field to be monitored by this rule. Options are:
• Sender
• Recipient
Type Select the type of entity to which the rule will apply. Options are:
• User
• Group
• Domain
Data To define the specific entity, select an existing group name from the pick
list, or type the email address for a user or the domain name for a domain.
Action Select from the drop-down list the action you want Email Gateway to take
when this rule is triggered.
Quarantine Type If Quarantine or Remote Quarantine is selected as the action, you must
select the Quarantine Type for the action.
Action Value Some actions require additional information, such as an email address for
forwarding messages, or the number of days a message should stay in
quarantine.
Notifications The center panel of the window allows you to configure notifications to be
generated by this rule, if desired.
Notification Recipients The three checkboxes allow you to select who receives the notices Email
Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel or administrators)
For each additional recipient, you must specify the email address.
Notification Templates For each individual who is to receive notification, select the template to be
used for that notification. You can configure notification templates by navigating to Compliance |
Compliance Advanced | Mail Notification.
Message Archival The fields at the bottom of the window are used to configure message archiving.
Archive Messages triggered by this rule Selecting the checkbox enables Email Gateway to archive
messages that trigger this rule. You must select a target in order to archive messages.
Select Target From the drop-down list, select the target location where these messages are to be
stored. If no archive target is available, you can configure targets by navigating to Reporting |
Message Archive | Add New.

When you have entered or selected the information correctly, click Submit. The Manage Rules window will
update to show the new addition.

Editing a Desktop Encryption Analysis rule


To edit an existing rule, click the ID hyperlink for that rule on the Desktop Encryption Analysis - Manage
Rules window. The Edit Rule window appears, populated with the information about the rule you intend to
edit.

Table 85 Desktop Encryption Analysis - Edit Rule fields


Field Description
ID This field shows the Rule ID for the rule being edited. This field is not
editable.
Monitored Field Select the message field to be monitored by this rule. Options are:
• Sender
• Recipient
Type Select the type of entity to which the rule will apply. Options are:
• User
• Group
• Domain
Data To define the specific entity, select an existing group name from the pick
list, or type the email address for a user or the domain name for a domain.
Action Select from the drop-down list the action you want Email Gateway to take
when this rule is triggered.
Quarantine Type If Quarantine or Remote Quarantine is selected as the action, you must
select the Quarantine Type for the action.
Action Value Some actions require additional information, such as an email address for
forwarding messages, or the number of days a message should stay in
quarantine.
Notifications The center panel of the window allows you to configure notifications to be
generated by this rule, if desired.
Notification Recipients The three checkboxes allow you to select who receives the notices Email
Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel or administrators)
For each additional recipient, you must specify the email address.
Notification Templates For each individual who is to receive notification, select the template to be
used for that notification. You can configure notification templates by navigating to Compliance |
Compliance Advanced | Mail Notification.
Message Archival The fields at the bottom of the window are used to configure message archiving.
Archive Messages triggered by this rule Selecting the checkbox enables Email Gateway to archive
messages that trigger this rule. You must select a target in order to archive messages.
Select Target From the drop-down list, select the target location where these messages are to be
stored. If no archive target is available, you can configure targets by navigating to Reporting |
Message Archive | Add New.

Make changes to the data as necessary, then click Submit. The window will update to include your
changes.

Applying Desktop Encryption Analysis rules


After Desktop Encryption Analysis rules have been configured and/or edited, they are ready to be applied to
the organization’s email traffic.
Existing applications (policies) appear on the Desktop Encryption Analysis - Apply Rules window.
Figure 74 Desktop Encryption Analysis - Apply Rules window

Table 86 Desktop Encryption Analysis - Apply Rules fields


Field Description
Enable Desktop Encryption Compliance Select the checkbox to enable Desktop Encryption Analysis
processing. Selecting or clearing the box toggles the service on and off.
Apply ID This column shows the unique, system-generated number assigned to
each desktop encryption application.

Apply To This column displays the entity type to which the policy applies. Options
are:
• Global
• Domain Group
• Domain
• User Group
• Email address
Exclude If this policy is configured to apply to everyone except the entity defined,
an X will appear in this column.
Message Direction This field displays the message direction to which the application will
apply. Options are:
• Inbound
• Outbound
• Both
Delete Selecting the checkbox and then clicking Submit will cause the
application to be deleted.

Adding a new application


To add a new Desktop Encryption Analysis application, click Add New at the bottom of the Desktop
Encryption Analysis - Apply Rules window. The Add Apply Rule window will display.
Figure 75 Desktop Encryption Analysis - Add Apply Rule window


Table 87 Desktop Encryption Analysis - Add Apply Rule fields


Field Description
Apply to all Virtual Hosts If the administrator adding the new policy is an appliance-level
administrator logged into the Default Virtual Host, this checkbox appears. Selecting it applies the new
policy to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host
administrator, or an appliance-level administrator logged directly into a Virtual Host, this option does
not appear.
Apply To Select the entity to which the policy will apply. Selections might require
additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains.
Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the
group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the
email address.
Data selections If you chose user group or domain group above, select the name of an
existing group from the enabled pick list.
Data If you chose domain or email address as the “Apply To” entity, type the
domain name or email address to identify the specific entity.
Exclude If you want this policy to apply to everyone except the entity you define,
select the checkbox.
Direction Click the radio button to determine the message direction to which this
policy will apply. Options are:
• Inbound
• Outbound
• Both
Available Rules The lower portion of the window lists all configured rules. You must enable
one or more of them to configure a working application.
ID This column lists the unique ID number for each available rule.
Monitored Field This column shows the monitored field the rule will scan. Options are:
• Sender
• Recipient
Type This column lists the entity type associated with the rule.
Options are:
• User
• Group
• Domain
Data This column displays the email address, group name or domain name that
identifies the specific entity.
Action The action Email Gateway will take if this rule is triggered appears in this
column.
Action Value If the action requires an additional value, such as the number of days a
message should stay in quarantine, the value appears here.
Notify A Yes or a No in this column indicates whether or not the rule is configured
to generate notices.
Archive The value in this column indicates whether or not messages that trigger
this rule are to be archived.
Enable Select the checkbox to enable the associated rule for this application.

When the information has been entered correctly, click Submit. The Desktop Encryption Analysis - Apply
Rules window will update.


Editing an existing rule application


You can edit an existing application as necessary. Click the Apply ID hyperlink to open the Desktop
Encryption Analysis - Add Apply Rule window that contains the configuration for the rule you want to edit.

Table 88 Desktop Encryption Analysis - Add Apply Rule fields


Field Description
Apply to all Virtual Hosts If the administrator editing the policy is an appliance-level administrator
logged into the Default Virtual Host, this checkbox appears. Selecting it applies the policy to all Virtual
Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator, or an
appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To Select the type of entity for which the application is being configured.
Options are:
• Global
• Domain Group
• Domain
• User Group
• Email address
Data selections If you chose User Group or Domain Group above, select the name of an
existing group from the enabled pick list.
Data If you chose domain or Email Address as the “Apply To” entity, type the
domain name or email address to identify the specific entity.
Exclude If you want this policy to apply to everyone except the entity you define,
select the checkbox.
Direction Click the radio button to determine the message direction to which this
policy will apply. Options are:
• Inbound
• Outbound
• Both
Available Rules The lower portion of the window lists all configured rules. You must
enable one or more of them to configure a working application.
ID This column lists the unique ID number for each available rule.
Monitored Field This column shows the monitored field the rule will scan. Options are:
• Sender
• Recipient
Type This column lists the entity type associated with the rule.
Options are:
• User
• Group
• Domain
Data This column displays the email address, group name or domain name
that identifies the specific entity.
Action The action Email Gateway will take if this rule is triggered appears in this
column.
Action Value If the action requires an additional value, such as the number of days a
message should stay in quarantine, the value appears here.
Notify A Yes or a No in this column indicates whether or not the rule is
configured to generate notices.
Archive The value in this column indicates whether or not messages that trigger
this rule are to be archived.
Enable Select the checkbox to enable the associated rule for this application.

After you have made the changes you desire, click Submit. The Desktop Encryption Analysis - Apply Rules
window will update to include your changes.


About Off-Hour Delivery


You can create policies that delay delivery of large messages until a specified period of the day. This
keeps messages with large file attachments from consuming bandwidth and processing capacity during
peak work hours. Messages that meet the configured size are held in quarantine temporarily.
Figure 76 Off Hour Delivery - Configure window

Table 89 Off Hour Delivery - Configure fields

Field Description
Enable Off Hour Delivery - Configure Select the checkbox to enable off-hour delivery.
Apply to all Virtual Hosts If the administrator adding the new policy is an appliance-level
administrator logged into the Default Virtual Host, this checkbox appears. Selecting it applies the new
policy to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host
administrator, or an appliance-level administrator logged directly into a Virtual Host, this option does
not appear.
Apply To From the pick list, select the type of entity to which the policy will apply.
Options are:
• Email Address – applies the policy to one individual user (for multiple
users, create a group).
• User Group – applies the policy to a group consisting of a list of
individual users.
• Domain Group – applies the policy to a group consisting of a list of
domains.
• Domain – applies the policy to a single domain (to apply the rule to
multiple domains, first create a domain group).
• Global – applies the policy to all users.
See About Group Manager later in this chapter.
Data selection If you chose User Group or Domain Group above, select the name of an
existing group from the enabled pick list.
Data If you chose Domain or Email Address as the “Apply To” entity, type the
domain name or email address to identify the specific entity.
Exclude If you want this policy to apply to everyone except the entity you define,
select the checkbox.

Size (MB) Type a number to represent the minimum size in megabytes for messages
that will trigger Off-Hour Delivery.
Begin Time Select the time of day (hours and minutes) from the pick lists to define
the time of day that begins the Off-Hour Delivery period.
End Time Select the time of day (hours and minutes) from the pick lists to define
the time of day that ends the Off-Hour Delivery period.
Notifications The center panel of the window allows you to configure notifications to be
generated by this rule, if desired.
Notification Recipients The three checkboxes allow you to select who receives the notices Email
Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel or administrators)
For each additional recipient, you must specify the email address.
Notification Templates For each individual who is to receive notification, select the template to be
used. See Mail Notification later in this chapter.

Note: If Email Gateway does not finish delivering all large messages before the End Time, unsent messages will
remain in the queue until the next Begin Time. You can manually “push” messages out of the queue.

When the information is entered correctly, click Submit. Off-Hour Delivery will occur on a daily basis, as
you have configured it.
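The scheduling decision the policy above makes, as an added example written for this page and not Email Gateway code: a message at or above the Size threshold is released immediately only when it arrives inside the Begin Time to End Time window; otherwise it waits for the next Begin Time, which is also what the note above says happens to messages still queued when End Time passes. in_window, next_begin and release_time are names chosen here. The window is treated as half-open, and an End Time earlier than the Begin Time is taken to mean the window crosses midnight; the guide does not spell that out, but it is the case an implementation most often gets wrong.

```python
from datetime import datetime, time, timedelta


def in_window(now: time, begin: time, end: time) -> bool:
    """True when `now` lies in the off-hour window [begin, end).
    If End Time is earlier than Begin Time (for example 22:00 to 06:00) the window
    crosses midnight, so the test must wrap instead of comparing the two times directly."""
    if begin <= end:
        return begin <= now < end
    return now >= begin or now < end


def next_begin(now: datetime, begin: time) -> datetime:
    """The next moment after `now` at which the window opens (later today or tomorrow).
    Begin Time is chosen from hour and minute pick lists, so seconds are zero."""
    candidate = now.replace(hour=begin.hour, minute=begin.minute, second=0, microsecond=0)
    return candidate if candidate > now else candidate + timedelta(days=1)


def release_time(size_mb: float, threshold_mb: float, now: datetime,
                 begin: time, end: time) -> datetime:
    """When a message may leave the queue under an Off-Hour Delivery policy.
    Messages below the Size threshold, or arriving inside the window, go now; everything
    else (including mail still queued when End Time passes) waits for the next Begin Time."""
    if size_mb < threshold_mb or in_window(now.time(), begin, end):
        return now
    return next_begin(now, begin)


if __name__ == "__main__":
    window = (time(22, 0), time(6, 0))
    print(release_time(50, 10, datetime(2009, 6, 1, 14, 30), *window))
```

When you configure an overnight window, check the behaviour at both ends: a 20 MB message arriving at 05:59 should go out at once, while one arriving at 06:00 waits until 22:00 that evening.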

About Attachment Analysis


Attachments, such as Word documents, PDFs and executable files included with (attached to) email
messages, can carry threats like spam or viruses. Email Gateway Attachment Analysis lets you configure
and apply rules and policies that stop these attachments from entering the network and neutralize the
threats they carry.
In addition to regular attachments, Email Gateway also scans the contents of attached zip files. Text
extracted from these files is subjected to content inspection. Zip files nested inside other attached zip
files are unpacked and inspected down to a pre-configured nesting depth, set to ten levels by default.
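A depth-limited walk over nested zip attachments, as an added example written for this page and not the appliance's code. It assumes that "ten levels" means ten archive layers are opened and anything nested deeper is left unopened, and it adds a per-member size guard of its own (MAX_MEMBER_BYTES) that the guide does not mention. The point for policy is the skipped list: a member that is encrypted, too large or beyond the nesting limit has not been inspected, and a rule that lets such a message through on the strength of a "clean" result has created a bypass. build_nested_zip constructs the test archives in memory.

```python
import io
import zipfile
from typing import Dict, List, Tuple

MAX_ZIP_DEPTH = 10                   # the guide's default nesting limit
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # this example's own guard against decompression bombs


def build_nested_zip(levels: int, payload: bytes, inner_name: str = "doc.txt") -> bytes:
    """Constructed test input: `payload` stored as inner_name inside `levels` zips, one in another."""
    data, name = payload, inner_name
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def inspect_archive(data: bytes, max_depth: int = MAX_ZIP_DEPTH,
                    depth: int = 1, path: str = "") -> Dict[str, list]:
    """Walk a zip, and the zips inside it, opening at most max_depth archive layers.

    texts:   (member path, decoded text) pairs ready for content inspection
    skipped: (member path, reason) for everything that was NOT inspected, namely
             encrypted entries and zips beyond the depth or size limits."""
    result: Dict[str, list] = {"texts": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose flag bit 0: member is encrypted
                result["skipped"].append((member, "encrypted"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:  # declared size, checked before inflating
                result["skipped"].append((member, "too large"))
                continue
            blob = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                if depth >= max_depth:
                    result["skipped"].append((member, "nesting limit"))
                    continue
                inner = inspect_archive(blob, max_depth, depth + 1, member)
                result["texts"].extend(inner["texts"])
                result["skipped"].extend(inner["skipped"])
            else:
                result["texts"].append((member, blob.decode("utf-8", "replace")))
    return result


if __name__ == "__main__":
    print(inspect_archive(build_nested_zip(3, b"confidential report")))
    print(inspect_archive(build_nested_zip(11, b"hidden"))["skipped"])
```

With the default limit, a file wrapped in ten zips is still read, while the same file wrapped in eleven is reported under "nesting limit" rather than silently ignored, which is the signal an Attachment Analysis rule for undecodable attachments needs.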

Managing attachment rules


Existing rules for processing message attachments display in the Attachment Analysis - Manage Rules
window. Each rule represents a list of one or more file extensions or file names that Email Gateway is to
detect in order to take action on messages with attachments.


Figure 77 Attachment Analysis - Manage Rules window

Table 90 Attachment Analysis - Manage Rules fields


Field Description
ID This column shows the unique, system-generated ID number for each
configured rule.
Extension The configured extensions (or file names) are listed in this column.
File If the associated extension is a file name, that fact is indicated by a Yes
in this column. Otherwise, a No appears.
Action This column lists the action that has been configured for each associated
extension.
Action Value If the selected action requires additional data for proper configuration,
that information will appear here.
Notify A Yes in this column indicates that the rule is configured to generate
notifications when it is triggered. A No indicates that notices have not
been configured.
Archive The value in this column indicates whether or not messages that trigger
this rule are to be archived.
Delete Selecting the checkbox and then clicking Submit will cause the rule to be
deleted.
Add List From File You can upload a list of rules from a file by entering the complete path to
the file or by browsing to it.

Character Set Select the character set used to encode the entries in this list, both when uploading
entries and when searching for them. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for simplified Chinese in mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – official character set of the People's Republic of China; superseded by gbk and
gb 18030
• gb 18030 – current official character set of the People's Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Albanian,
Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, a variable-length encoding that covers all of
Unicode
Export To export a copy of the configured rules to serve as a backup, click the
Export hyperlink.

Adding a new rule


To add a new Attachment Analysis rule, click Add New at the bottom of the Manage Rules window. The
Add Rule window will appear.
Figure 78 Attachment Analysis - Add Rule window


Table 91 Attachment Analysis - Add Rule fields


Field Description
Extension/Filename Type the extension or filename that will be the trigger for this rule.
Default Select this option if you want to define a rule that will be triggered if an
extension does not match any other configured rule. Ensure that this rule
is included in the Apply Rules list.
File If the extension or name entered above indicates a file, select this
checkbox.
Password Protected/Encrypted Select this checkbox to have Email Gateway detect and act on
attachments that are password protected or encrypted (the gateway cannot inspect the contents of
such files, so this is the only way to apply policy to them).
Action Select from the pick list the action you want Email Gateway to take when
a message triggers this rule.
Action Value If the action you have chosen requires additional information, type the
required value in the data field.
Alternative Action Some actions allow you to configure an alternative action to be taken if
the configured action fails. If you want to specify an alternative action,
select it from the pick list.
Alternative Action If the alternative action requires additional information, type the value in
Value this data field.
Quarantine Type If Quarantine is the selected action for this rule, select the quarantine
type from the list.
Notifications The center panel of the window allows you to configure notifications to be
generated by this rule, if desired.
Notification The three checkboxes allow you to select the individuals who will receive
Recipients the notices Email Gateway generates for this rule. You can select one or
more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel,
administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification For each individual who is to receive notification, select the template to be
Templates used for that notification.
You can configure notification templates by navigating to Compliance |
Compliance Advanced | Mail Notification.
Message Archival The fields at the bottom of the window are used to configure message
archiving.
Archive Messages Selecting the checkbox will enable Email Gateway to archive messages
triggered by this that trigger this rule.
rule. You must select a target in order to archive messages.
Select Target From the drop-down list, select the target location where these messages
are to be stored.
If no archive target is available, you can configure targets by navigating
to Reporting | Message Archive | Add New.

When you have entered the correct information, click Submit. The Attachment Analysis Rule Management
window updates.

Multiple rules
When a message conforms to more than one rule, more than one action can be taken on that message. In
some situations, not all actions can be performed. Policy attribute comparison is used to resolve conflicting
actions. In the comparison, a system-defined policy supersedes a user-defined policy, a policy applied to a
user supersedes a policy applied to a group, and a higher action code supersedes a lower one. For example,
if both secure delivery and forward actions can apply to one message, secure delivery takes precedence
because the forward action could cause the original message to be deleted so that it could not be delivered
securely. More information about actions and action precedence is available in Appendix C, Actions and
Action Codes and Appendix G, Email Gateway Action Order of Precedence of this Administration Guide.


Policy attribute comparison is also used to resolve conflicts when the actions belong to different policies,
following the same guidelines used when the action codes belong to the same policy. For example, when
multiple quarantine rules with finite quarantine days can be applied, policy attribute comparison selects one
of them by comparing the quarantine periods.
Policy attribute comparison also resolves conflicts when multiple actions directed at specific message parts
are configured for the same attachment extension or file name. Only one part-level action can be applied to
a given part: drop part or rename, drop part or pass through, but not both. The same applies when two rename
actions are defined for the same extension, since the part can only be renamed to one new name or the other.
Policy attribute comparison is performed between two rules when either of them is one of the following:
• Reroute
• Drop
• Quarantine forever
If one of the actions is any of the above, that action alone is performed and all other actions are ignored,
since the message is no longer available for additional action.
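The precedence rules above can be read as a small algorithm. The following Python is an added example written for this page, not Email Gateway code or anything from the guide's appendices: it models policy attribute comparison over the set of rules that matched one message. The numeric action codes, the rule that the longer finite quarantine wins, and the grouping of actions into terminal, part-level, delivery and additive sets are assumptions made for the example and are marked as such in the code.

```python
"""Added example, not Email Gateway code: a model of the policy attribute
comparison described above.

Labelled assumptions: the numeric action codes are hypothetical (the real
values are in Appendix C); between two finite quarantines the longer period
is assumed to win; the split into terminal, part-level, delivery and
additive actions is a modelling choice based on the text."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ACTION_CODE = {  # hypothetical codes: a higher code supersedes a lower one
    "log": 10, "copy": 20, "subject_rewrite": 30,
    "pass_through_part": 40, "rename_part": 45, "drop_part": 50,
    "forward": 60, "secure_delivery": 70, "quarantine": 80,
    "reroute": 90, "quarantine_forever": 95, "drop": 100,
}
TERMINAL = {"reroute", "drop", "quarantine_forever"}   # message is no longer available afterwards
PART_LEVEL = {"pass_through_part", "rename_part", "drop_part"}  # at most one per attachment part
DELIVERY = {"forward", "secure_delivery", "quarantine"}  # decide the message's path; one wins
# Everything else (log, copy, subject_rewrite) is additive and always runs.


@dataclass(frozen=True)
class Match:
    """One rule that matched the message."""
    action: str
    system_defined: bool = False      # system-defined supersedes user-defined
    scope: str = "group"              # "user" supersedes "group"
    quarantine_days: Optional[int] = None
    part: Optional[str] = None        # attachment a part-level action targets


def rank(m: Match) -> tuple:
    """Policy attribute comparison, most significant attribute first."""
    return (m.system_defined, m.scope == "user", ACTION_CODE[m.action], m.quarantine_days or 0)


def resolve(matches: list[Match]) -> list[Match]:
    """Return the actions that would actually be performed, highest precedence first."""
    terminal = [m for m in matches if m.action in TERMINAL]
    if terminal:
        return [max(terminal, key=rank)]   # all other actions are ignored
    chosen: list[Match] = []
    best_per_part: dict[Optional[str], Match] = {}
    for m in matches:
        if m.action in PART_LEVEL:
            current = best_per_part.get(m.part)
            if current is None or rank(m) > rank(current):
                best_per_part[m.part] = m
    chosen.extend(best_per_part.values())
    delivery = [m for m in matches if m.action in DELIVERY]
    if delivery:
        chosen.append(max(delivery, key=rank))
    chosen.extend(m for m in matches if m.action not in TERMINAL | PART_LEVEL | DELIVERY)
    return sorted(chosen, key=rank, reverse=True)


def actions(matches: list[Match]) -> list[str]:
    """Convenience wrapper: just the action names, in the order they win."""
    return [m.action for m in resolve(matches)]
```

Feed resolve() every rule that matched a message and it returns what would actually run; a Reroute, Drop or Quarantine forever match short-circuits everything else, as the text describes, and a user-scoped rule beats a group-scoped one before action codes are even compared. To check a live appliance against this model, replace ACTION_CODE with the values from Appendix C.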

File types within a zip file


Zip files within attachments or sent as attachments can be inspected down to a pre-configured number of
levels of zipping. Rules can be configured that govern the way email messages are processed depending upon
the types of files contained within the zip files, and you can specify an action based on the attachment
type. Email Gateway does not modify the zip file, but it can act on the entire message or the attachment by
applying rules based on the contents of the attachment. Content nested deeper than the configured number of
levels is not inspected, so set that limit with nested archives in mind.

Editing attachment rules


If you want to edit an existing rule, click the ID hyperlink on the Manage Rules window. An Edit Rule
window will display.
Table 92 Attachment Analysis - Edit Rule fields
Field – Description
Extension/Filename – Type the extension or filename that will be the trigger for this rule.
Default – Select this option if you want to define a rule that will be triggered if an extension does not match any other configured rule. Ensure that this rule is included in the Apply Rules list.
File – If the extension or name entered above indicates a file, select this checkbox.
Password Protected/Encrypted – Selecting this checkbox enables Email Gateway to scan attachments that are password protected or encrypted.
Action – Select from the pick list the action you want Email Gateway to take when a message triggers this rule.
Action Value – If the action you have chosen requires additional information, type the required value in the data field.
Alternative Action – Some actions allow you to configure an alternative action to be taken if the configured action fails. If you want to specify an alternative action, select it from the pick list.
Alternative Action Value – If the alternative action requires additional information, type the value in this data field.
Quarantine Type – If Quarantine is the selected action for this rule, select the quarantine type from the list.
Notifications – The center panel of the window allows you to configure notifications to be generated by this rule, if desired.
Notification Recipients – The three checkboxes allow you to select the individuals who will receive the notices Email Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel, administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification Templates – For each individual who is to receive notification, select the template to be used for that notification. You can configure notification templates by navigating to Compliance | Compliance Advanced | Mail Notification.
Message Archival – The fields at the bottom of the window are used to configure message archiving.
Archive Messages triggered by this rule – Selecting the checkbox enables Email Gateway to archive messages that trigger this rule. You must select a target in order to archive messages.
Select Target – From the drop-down list, select the target location where these messages are to be stored. If no archive target is available, you can configure targets by navigating to Reporting | Message Archive | Add New.

When all the fields are entered correctly, click Submit to record your changes.

Applying attachment rules


When you have created Attachment Analysis Rules, they are ready to be applied. This process begins when
you navigate to the Attachment Analysis - Apply Rules window.
Figure 79 Attachment Analysis - Apply Rules window

Table 93 Attachment Analysis - Apply Rules fields


Field – Description
Enable Attachment Analysis – Select the checkbox to enable Attachment Analysis processing.
Text Exclusion List – Clicking the hyperlink opens the Attachment Analysis File Extensions List, showing the extensions that will be bypassed by configured policies. Email Gateway recognizes 7-bit ASCII formatted files (typically files with .txt as their file extension) even when the file carries an extension other than .txt. If an Attachment Analysis policy is created for .txt files, Email Gateway enforces the policy on all 7-bit ASCII file attachments regardless of their extensions. To keep a 7-bit ASCII file type from triggering .txt rules, add its file extension to the Text Exclusion List. To add an extension to the list, type the extension in the New Extension Name field, then click Submit. Delete extensions by selecting the associated Delete checkbox and clicking Submit.
Unknown Extension List – Clicking the hyperlink opens the Attachment Analysis Unknown Extension List. If an extension is not recognized by the Content Extraction Queue, Email Gateway treats that attachment as an unknown file type and assigns it the unknown (unk) extension. The attachment is then processed according to the rules configured for the unknown file type. If there are extensions for which you want to create rules but do not want treated as unknowns, add those extensions to this list. To add an extension to the list, type the extension in the New Extension Name data field, then click Submit. Delete extensions by selecting the associated Delete checkbox and clicking Submit.
Configured Applications – The lower portion of the window lists all the configured Attachment Analysis Applications.
Apply ID – The unique, system-generated ID number for each application appears in this column.
Apply to – This column displays the entity to which the policy applies.
Exclude – If the policy is meant to apply to everyone except the defined entity, an X in this column indicates that fact.
System Defined – If the policy is system-defined rather than user-defined, this column displays an X.
Message Direction – The configured message direction for this application is listed in this column. Options are:
• Inbound
• Outbound
• Both
Delete – Selecting the checkbox and then clicking Submit will cause the application to be deleted.

Adding a new application


You can add a new application (policy) to the list by clicking Add New at the bottom of the Attachment
Analysis - Apply Rules window. The Attachment Analysis - Add Apply Rule window appears.


Figure 80 Attachment Analysis - Add Apply Rule window

Table 94 Attachment Analysis - Add Apply Rule fields


Field – Description
Apply to all Virtual Hosts – If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To – Select the entity to which the policy will apply. Selections might require additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains. Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the email address.
Data selections – If you selected Domain Group or User Group above, select the name of the group from the enabled pick list.
Data – If you chose Domain or Email Address, type the domain name or the email address to which the policy will apply.
Exclude – If you want the new application to apply to everyone except the entity you are describing, select the checkbox.
Direction – Select the message direction for messages to be scanned by this application. Options are:
• Inbound
• Outbound
• Both
Available Rules – The lower portion of the window shows all currently configured Attachment Analysis rules. You must enable at least one of them to create a working application.
ID – This column shows the unique, system-generated ID number for each configured rule.
Extension – The configured extensions are listed by extension type in this column.
File – If the associated extension is a file name, that fact is indicated by a Yes in this column. Otherwise, a No appears.
Action – This column lists the action that has been configured for each associated extension.
Action Value – If the selected action requires additional data for proper configuration, that information will appear here.
Notify – A Yes in this column indicates that the rule is configured to generate notifications when it is triggered. A No indicates that notices have not been configured.
Archive – The value in this column indicates whether or not messages that trigger this rule are to be archived.
Enable – Select the checkbox to enable this rule for this application. Deselecting the checkbox disables the rule, but does not delete it.

When you have completed the necessary information, click Submit. The Attachment Analysis - Apply Rules
window will update to include the new application.

Editing an application
You can edit an existing application when it becomes necessary or desirable. Click on the application’s
Apply ID hyperlink to open the Attachment Analysis - Edit Apply Rules window, populated with the current
configuration information.

Table 95 Attachment Analysis - Edit Apply Rule fields


Field – Description
Apply to all Virtual Hosts – If the administrator editing the policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the policy will apply to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To – Select the entity to which the policy will apply. Selections might require additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains. Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the email address.
Data selections – If you selected Domain Group or User Group above, select the name of the group from the enabled pick list.
Data – If you chose Domain or Email Address, type the domain name or the email address to which the policy will apply.
Exclude – If you want the application to apply to everyone except the entity you are describing, select the checkbox.
Direction – Select the message direction for messages to be scanned by this application. Options are:
• Inbound
• Outbound
• Both
Available Rules – The lower portion of the window shows all currently configured Attachment Analysis rules. You must enable at least one of them to create a working application.
ID – This column shows the unique, system-generated ID number for each configured rule.
Extension – The configured extensions are listed by extension type in this column.
File – If the associated extension is a file name, that fact is indicated by a Yes in this column. Otherwise, a No appears.
Action – This column lists the action that has been configured for each associated extension.
Action Value – If the selected action requires additional data for proper configuration, that information will appear here.
Notify – A Yes in this column indicates that the rule is configured to generate notifications when it is triggered. A No indicates that notices have not been configured.
Archive – The value in this column indicates whether or not messages that trigger this rule are to be archived.
Enable – Select the checkbox to enable this rule for this application. Deselecting the checkbox disables the rule, but does not delete it.

Make the desired changes and click Submit. The Attachment Analysis - Apply Rules window will refresh.

Dangerous extensions
The following extension types are capable of executing code, or are commonly used to carry content that is
executed, interpreted or exploited by the application that opens them: att, bat, chm, cmd, com, cpl, eml,
exe, hta, htm, html, ins, isp, js, jse, lnk, mp3, msi, msp, pif, req, scr, sct, shs, vbe, vbs, wav, wsc,
wsf, wsh. Add rules for these extensions only after they have been reviewed to ensure they are not used
legitimately within your environment. Bear in mind that an extension match is only as reliable as the name on
the attachment: a sender can rename a file, and Email Gateway's own 7-bit ASCII detection (see Text Exclusion
List, above) is one case where the content, not the extension, decides which rule applies.
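The passages on zip nesting, the Text Exclusion List, the unknown (unk) type and the dangerous-extension list describe one classification procedure. The Python below is an added example for this page, not Email Gateway code: it classifies an attachment and the members of nested zips to a configurable depth, applying the 7-bit ASCII rule and the exclusion list, and flags anything whose effective type is on the dangerous list. The KNOWN set, the exclusion list and the sample archive are constructed for the example; on the real appliance the Content Extraction Queue decides which extensions are known.

```python
"""Added example, not Email Gateway code: a model of the attachment handling
described in this section (extension matching, 7-bit ASCII detection and the
Text Exclusion List, the unknown (unk) type, zip nesting limits and the
dangerous-extension list).

Labelled assumptions: KNOWN stands in for what the real Content Extraction
Queue recognises, TEXT_EXCLUSION and the sample archive are constructed
here, and encrypted zip members are reported rather than skipped."""
from __future__ import annotations
import io
import zipfile
from typing import Iterator

DANGEROUS = {  # the list given under "Dangerous extensions"
    "att", "bat", "chm", "cmd", "com", "cpl", "eml", "exe", "hta", "htm", "html",
    "ins", "isp", "js", "jse", "lnk", "mp3", "msi", "msp", "pif", "req", "scr",
    "sct", "shs", "vbe", "vbs", "wav", "wsc", "wsf", "wsh",
}
KNOWN = DANGEROUS | {"txt", "pdf", "doc", "zip", "csv", "log"}  # constructed
TEXT_EXCLUSION = {"csv", "log"}  # 7-bit ASCII types that keep their own extension


def is_7bit_ascii(data: bytes) -> bool:
    """Email Gateway treats 7-bit ASCII content as .txt whatever the file is called."""
    return len(data) > 0 and b"\x00" not in data and all(b < 0x80 for b in data)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def effective_type(name: str, data: bytes) -> str:
    """The extension a rule is matched against: txt for ASCII content unless the
    extension is excluded, unk for anything the extraction queue does not know."""
    ext = extension(name)
    if ext not in TEXT_EXCLUSION and is_7bit_ascii(data):
        return "txt"
    return ext if ext in KNOWN else "unk"


def walk(name: str, data: bytes, max_depth: int, depth: int = 0) -> Iterator[tuple[str, str]]:
    """Yield (path, effective type) for an attachment and, down to max_depth
    levels of zipping, for every member of the zip files inside it. The zip is
    only read, never modified, matching the behaviour described above."""
    yield name, effective_type(name, data)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}/{info.filename}"
                try:
                    member = zf.read(info)
                except RuntimeError:  # encrypted member, no password: do not silently pass it
                    yield path, "encrypted"
                    continue
                yield from walk(path, member, max_depth, depth + 1)


def dangerous_members(name: str, data: bytes, max_depth: int = 2) -> list[str]:
    """Paths, at any inspected level, whose effective type is on the dangerous list."""
    return [path for path, kind in walk(name, data, max_depth) if kind in DANGEROUS]


def build_sample() -> bytes:
    """Constructed sample: outer.zip holding inner.zip (payload.exe, invoice.pdf),
    report.csv and data.bin."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", b"MZ\x90\x00" + b"\x00" * 16)          # binary, known type
        z.writestr("invoice.pdf", b"plain ASCII text named like a PDF")  # matched as txt
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("report.csv", b"id,amount\n1,42\n")   # ASCII but excluded: stays csv
        z.writestr("data.bin", b"\x01\x02\xff\xfe")        # binary, unknown: unk
    return outer.getvalue()
```

Two points the code makes concrete: a file called notes.exe that contains only ASCII is matched as txt, not exe, so a .exe rule never sees it; and with max_depth=1 the payload inside inner.zip is never examined at all. Encrypted members that cannot be read are reported as their own type rather than silently skipped, so a rule can still act on them.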

About Network DLP Analysis


DLP Analysis is a data loss prevention solution that helps network administrators catch and prevent
sensitive data from leaving the company network. It is accessible under Advanced Compliance in the left
menu in Email Gateway.

Detection capabilities
The detection capabilities of DLP Analysis include:
• Finding encrypted traffic
• Finding covert email
• Finding confidential documents
• Finding FTP traffic containing source code
• Getting statistics on web sites visited
• Identifying disgruntled employees
• Investigating a user's online activity
• Finding data leaked in the past
• Finding traffic to gambling or adult-oriented web sites
• Finding transmission of financial information
• Finding postings to social networking sites
• Finding transmission of information to foreign nationals
• Tuning a rule to exclude approved business practices
• Finding unencrypted user account information
• Scanning for sensitive data
• Preventing release of privacy information
• Finding sensitive data moved to insecure locations

How it works
The following diagram illustrates the high-level flow for DLP Analysis.
Figure 81 Network DLP Analysis flow diagram

1 Client sends email to Email Gateway.
2 You create a rule on Email Gateway that takes a DLP action based on some conditions. Taking a DLP action
means that Email Gateway submits the message for a DLP scan.
3 Depending on how you configured DLP Analysis policies, different results are possible:
a DLP Analysis scans the message and adds a header, X-RCIS-Action.
b DLP Analysis can take any of the following six actions:
• ALLOW (X-RCIS-Action: ALLOW)
• BLOCK (X-RCIS-Action: BLOCK)
• REDIRECT (X-RCIS-Action: REDIR)
• ENCRYPT (X-RCIS-Action: ENCRYPT)
• BOUNCE (X-RCIS-Action: BOUNCE)
• QUARANTINE (X-RCIS-Action: QUART)
Note: The DLP Analysis feature has its own quarantine queue. Messages quarantined by DLP Scan are held
there. For more information, see About quarantine types in Chapter 4 of the Administration Guide.
c DLP Analysis sends the scanned message (containing the added header) back to Email Gateway.
d DLP Analysis sends back a notification message to Email Gateway; this notification contains the ALLOW
header, permitting the message to be routed to SuperQueue.
Note: Generally, DLP Analysis takes actions which are accompanied by notification messages. Email
Gateway can also send other notifications about DLP scan actions, created using an additional notification
template, Network DLP Notification. See About Mail Notification, later in this chapter.
4 Email Gateway scans incoming messages. If an incoming message comes from DLP Analysis, Email Gateway
treats it as 'round 2' of the process.
a During round 2, Email Gateway skips all normal checks such as address pattern matching, LDAP
validations, and so forth, and sends the message directly to SuperQueue. Because these checks are bypassed,
only the configured DLP host should be able to reach Email Gateway as a round-2 source; restrict that path
at the network level accordingly.
b Depending on the action you set for DLP Analysis, the configured action is taken.
5 If delivery of the message is allowed, Email Gateway forwards it to the email server.
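Steps 3 and 4 hinge on the X-RCIS-Action header and on how Email Gateway tells round 2 apart from round 1. The Python below is an added example for this page, not Email Gateway or Reconnex code: it parses the returned header, maps it through a rule table, and decides the round from the peer address of the connection rather than from the header. DLP_HOSTS, RULES, the fail-closed default and the stripping of sender-supplied X-RCIS-Action headers in round 1 are assumptions made for the example; the sample messages are constructed.

```python
"""Added example, not Email Gateway code: the two-round DLP flow described
above, modelled for a single message with Python's email package.

Labelled assumptions: DLP_HOSTS (the configured Reconnex Prevent DLP host),
RULES (a stand-in for the Network DLP Analysis - Manage Rules table), the
fail-closed default for a missing or duplicated verdict, and the stripping
of any pre-existing X-RCIS-Action header in round 1 are all choices made for
this example; the sample messages are constructed."""
from __future__ import annotations
from email import message_from_bytes, policy
from email.message import EmailMessage

HEADER = "X-RCIS-Action"
DLP_HOSTS = {"192.0.2.10"}  # constructed: address of the DLP host that returns round-2 mail
RULES = {  # header value -> action configured for that rule (constructed)
    "ALLOW": "deliver", "BLOCK": "drop", "REDIR": "reroute",
    "ENCRYPT": "secure_delivery", "BOUNCE": "bounce", "QUART": "quarantine",
}
FAIL_CLOSED = "quarantine"  # assumption: an unreadable verdict is never treated as ALLOW

# Constructed samples. The first arrives from a client and already carries a
# forged ALLOW header; the second is the scanned copy coming back from the DLP host.
INBOUND = (b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: Q3 numbers\r\n"
           b"X-RCIS-Action: ALLOW\r\n\r\nsee attachment\r\n")
FROM_DLP = INBOUND.replace(b"X-RCIS-Action: ALLOW", b"X-RCIS-Action: QUART")


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def prepare_round1(msg: EmailMessage) -> EmailMessage:
    """Round 1: drop any X-RCIS-Action the sender supplied so a client cannot
    pre-load a verdict; the message then goes to the DLP scan."""
    del msg[HEADER]  # removes every occurrence
    return msg


def decide(raw: bytes, peer_ip: str) -> tuple[int, str, bool]:
    """Return (round, action, normal_checks_applied).

    Round 2 is recognised by the peer address of the SMTP connection, not by
    the presence of the header: a header anyone can add must not be what
    switches off address pattern matching and LDAP validation."""
    msg = parse(raw)
    if peer_ip not in DLP_HOSTS:
        prepare_round1(msg)
        return 1, "dlp_scan", True          # normal checks run, then the DLP action
    verdicts = msg.get_all(HEADER) or []
    if len(verdicts) != 1:
        return 2, FAIL_CLOSED, False        # missing or duplicated verdict
    return 2, RULES.get(verdicts[0].strip().upper(), FAIL_CLOSED), False
```

The point to take from it: a client that adds X-RCIS-Action: ALLOW to its own message gains nothing, because in round 1 the header is discarded and in round 2 a verdict is only honoured when the message arrives from the configured DLP host. A missing, duplicated or unrecognised verdict falls back to quarantine rather than to ALLOW.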

Managing DLP Analysis rules


The Network DLP Analysis - Manage Rules window lists all the configured rules for the Network DLP
feature.
Figure 82 Network DLP Analysis - Manage Rules window

Table 96 Network DLP Analysis - Manage Rules fields


Field – Description
Enable Network DLP Analysis – Select the checkbox to enable Network DLP Analysis.
Header – This column displays the X-RCIS-Action header value (for example ALLOW or QUART) that DLP Analysis returns and that triggers the corresponding rule.
Note: Each header is a link to allow editing of the details for the corresponding rule.
Action – The action assigned to each rule displays in this column.
Action Value – If the selected action requires additional data for proper configuration, that information will appear here.
Notify – A Yes in this column indicates that the rule is configured to generate notifications when it is triggered. A No indicates that notices have not been configured.
Archive – The value in this column indicates whether or not messages that trigger this rule are to be archived.

If you have made any changes to the existing rules, click Submit to save your configuration.
You cannot add or delete rules in Network DLP Analysis, but you can edit the existing rules.

Editing DLP Analysis rules


When you select the header for any rule, the Network DLP Analysis - Edit Rule window displays.
Figure 83 Network DLP Analysis - Edit Rule window

Table 97 Network DLP Analysis - Edit Rules fields


Field – Description
ID – This field shows the system-generated ID number for this rule. The ID field is not editable.
Header – This field displays the header value assigned to this rule. The header is not editable.
Action – Select the action you wish to configure for this rule from the drop-down list.
Quarantine Type – If Quarantine or Remote Quarantine is the selected action for this rule, select the quarantine type from the list.
Action Value – If the action you have chosen requires additional information, type the required value in the data field.
Notifications
Notification Recipients – The three checkboxes allow you to select the individuals who will receive the notices Email Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel, administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification Templates – For each individual who is to receive notification, select the template to be used for that notification. You can configure notification templates by navigating to Compliance | Compliance Advanced | Mail Notification.
Message Archival
Archive Messages triggered by this rule – Selecting the checkbox enables Email Gateway to archive messages that trigger this rule. You must select a target in order to archive messages.
Select Target – From the drop-down list, select the target location where these messages are to be stored. If no archive target is available, you can configure targets by navigating to Reporting | Message Archive | Add New.

Using DLP Analysis


DLP Scan can be set as an action from the GUI, on specific Add Rule windows in the Compliance tab. Select
DLP Scan from the Action drop-down list. The action will be recorded along with all other actions during
round 1 of the message process (see How it works, above). Depending upon action precedence, the DLP
Analysis will scan the message. For more information about action precedence, see Appendix G, Email
Gateway Action Order of Precedence in this Administration Guide.

Prerequisites
• A Reconnex Prevent DLP host must be available and properly configured, and its IP address must be
provided to the Email Gateway; otherwise, the DLP Scan action cannot be used as intended.
• The Mail Monitoring Queue must be included in the queue order on the Email Gateway appliance (Queue
Manager | Configure Queues).
• Network DLP Analysis must be enabled (Compliance | Advanced Compliance | Network DLP Analysis).

Features that support DLP Analysis


The DLP Analysis action is available for the following features:
• Attachment Analysis
• Content Analysis
• Envelope Analysis
• Advanced Content Analysis
• Image Analysis

Tandem actions
The DLP Scan action is not mutually exclusive, and can be performed in tandem with the following actions:
• Quarantine
• Forward
• Subject rewrite
• Copy
• Log

This does not change action precedence. For example, if both Quarantine and DLP Scan actions are
configured, the Quarantine action will take precedence. DLP Scan will be performed after the message has
been released from quarantine.
During round 2 of message processing, Email Gateway sends the DLP message directly to SuperQueue for
processing.


About Message Stamping


Email Gateway offers the ability to add footer messages at the end of either incoming or outgoing
messages sent in plain text format. Administrators can create various policies that are applied to individuals
and groups for any of the domains Email Gateway hosts. Thus, all outgoing messages from members of the
engineering group in XYZ domain (if hosted by Email Gateway) can be stamped with one message, while
messages from the sales group at XYZ domain can be stamped with another message. Likewise, incoming
messages can be stamped with pertinent information.

Managing Message Stamping rules


The Message Stamping - Manage Rules window contains one entry by default until additional Message
Stamping rules are created. The word “DEFAULT” signifies the default domain that Email Gateway hosts
(you specified a default domain when running the Initial Configuration Wizard when Email Gateway was
first installed). Thereafter, if Email Gateway hosts multiple domains, any one of them can be designated as
the default. The default domain is the domain (the address) from which Email Gateway will send its
notification alerts and Delivery Status Notifications.
Figure 84 Message Stamping - Manage Rules window

Table 98 Message Stamping - Manage Rules fields


Field Description
ID This column shows the unique ID number for each configured Message
Stamping rule. The Default rule is always numbered 1.
Domain This column lists the domain to which each specific rule applies.
Footer Text The footer text that will be stamped on messages by this rule shows in
this column.
Delete Selecting the checkbox and subsequently clicking Submit will cause the
rule to be deleted.

Adding a new rule


To add a new rule to the list, begin by clicking Add New at the bottom of the window. The Add Rule window
will appear. The window contains two tabs, one to add a rule for plain messages and the other to add a rule
for secure messages. The data fields are the same for both types.


Figure 85 Message Stamping - Add Rule window

Table 99 Message Stamping - Add Rule fields


Field Description
Domain Name Type the domain name for the domain from which stamped messages are
to be sent. This must be a domain hosted by this Email Gateway.
Stamp Location Select the location on the email page where you would like the stamped
message to appear: top of the page, or bottom of the page.
Stamp for Text Part Type the text for the stamped message as you would like it to appear in
the text part of the email message.
Stamp for HTML Part Type the text for the stamped message as you would like it to appear in
the HTML part of the email message.

When the information is correctly entered, click Submit. The Message Stamping - Manage Rules window
will refresh to display the new rule.

Editing an existing rule


To edit an existing rule, click the ID hyperlink for the rule you wish to edit. The Edit Rule window appears,
populated with the current information about the rule.

Table 100 Message Stamping - Edit Rule fields


Field – Description
ID – The unique, system-generated ID number for the rule appears at the top of the window. This field is not editable.
Domain Name – The existing domain name appears in the data field. Any domain name except Default can be edited.
Stamp Location – Select the location on the email page where you would like the stamped message to appear: top of the page, or bottom of the page.
Stamp for Text Part – The current stamped text message that is added to the footer of the email appears in this data field. You can change or replace this text.
Stamp for HTML Part – The current HTML message that is added to the footer of the email appears in this data field. You can change or replace this text.

When you have made the desired changes, click Submit. The Message Stamping - Manage Rules window
updates.


Applying Message Stamping rules


After rules have been configured, they are ready to be applied. This requires determining the users and
groups who will receive the stamped messages.
Existing rule applications (policies) are listed on the Message Stamping - Apply Rules window.
Figure 86 Message Stamping - Apply Rules window

Table 101 Message Stamping - Apply Rules fields


Field – Description
Enable Message Stamping – You can toggle the Message Stamping functions on and off by selecting and deselecting this checkbox.
Apply ID – The unique ID for each application shows in this column. Each ID is a hyperlink that will allow you to edit the policy.
Apply To – This column displays the email address, domain name or group name to which stamped messages will be sent in compliance with this policy.
Exclude – If the policy is to apply to everyone except the identified entity, an X will appear in this column.
Message Direction – The direction for messages that will be stamped shows in this column. Options are:
• Inbound
• Outbound
Delete – Selecting the checkbox and subsequently clicking Submit will cause this application to be deleted.

If you have changed the enabling of Message Stamping or elected to delete a policy, click Submit.

Adding a new application


To add a new application (policy), click Add New at the bottom of the window. The Message Stamping -
Add Apply Rule window displays.


Figure 87 Message Stamping - Add Apply Rule window

Table 102 Message Stamping - Add Apply Rule fields


Field Description
Apply to all Virtual If the administrator adding the new policy is an appliance-level
Hosts administrator and is logged into the Default Virtual Host, this checkbox
appears. If the administrator selects it, the new policy will apply to all
Virtual Hosts on the appliance, without exception.
If the administrator is a Virtual Host administrator or is an appliance-level
administrator logged directly into a Virtual Host, this option does not
appear.
Apply To Select the entity to which the policy will apply. Selections might require
additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains.
Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the
group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the
email address.
Data selections If you chose Domain Group or User Group as the Apply To type, select the
name of a configured domain group or user group from whichever pick list
is enabled.
Data If you chose Domain or Email Address as the entity type, type the domain
name or the email address in the data field.
The two data options above define the users or groups who will receive
the stamped messages.
Exclude If you want the application to apply to everyone except the entity you
defined, select the checkbox.
Direction Click the radio button to determine the direction of messages to be
stamped. Options are:
• Inbound
• Outbound

Available Rules The lower portion of the window shows all configured Message Stamping
rules. You must enable one of them to create a working application.
ID The unique ID number for the rule appears in this column.
Domain The domain assigned to the rule is listed in this column.
Footer Text This column shows the footer text that will be stamped in compliance with
this rule.
Enable Select the checkbox to enable this rule for this policy. Select it again to
disable the rule (deselect it).

When you have completed the configuration information, click Submit. The Message Stamping - Apply
Rules window will update to show the new application.

Editing a Message Stamping application


To edit an existing application, begin by clicking the Apply ID hyperlink for that application. The Message
Stamping - Edit Rule window appears, populated with the current configuration for the application.

Table 103 Message Stamping - Edit Rule fields


Field Description
Apply to all Virtual Hosts If the administrator editing the policy is an appliance-level administrator
and is logged into the Default Virtual Host, this checkbox appears. If the
administrator selects it, the policy will apply to all Virtual Hosts on the
appliance, without exception.
If the administrator is a Virtual Host administrator or is an appliance-level
administrator logged directly into a Virtual Host, this option does not
appear.
Apply To Select the entity to which the policy will apply. Selections might require
additional data, below. Options are:
• Global – the policy applies to all users.
• Domain Group – the policy applies to a pre-defined group of domains.
Select the group from the list below.
• Domain – the policy applies to a named domain.
• User Group – the policy applies to a pre-defined user group. Select the
group from the enabled list.
• Email Address – the policy applies to a specific user, identified by the
email address.
Data selections If you chose Domain Group or User Group as the Apply To type, select the
name of a configured domain group or user group from whichever pick list
is enabled.
Data If you chose Domain or Email Address as the entity type, type the domain
name or the email address in the data field.
The two data options above define the users or groups who will receive
the stamped messages.
Exclude If you want the application to apply to everyone except the entity you
defined, select the checkbox.
Direction Click the radio button to determine the direction of messages to be
stamped. Options are:
• Inbound
• Outbound
Available Rules The lower portion of the window shows all configured Message Stamping
rules. You must enable one of them to create a working application.
ID The unique ID number for the rule appears in this column.
Domain The domain assigned to the rule is listed in this column.

Footer Text This column shows the footer text that will be stamped in compliance with
this rule.
Enable Select the checkbox to enable this rule for this policy. Select it again to
disable the rule (deselect it).

When you have made the changes you wish, click Submit. The Message Stamping - Manage Rules window
will update to include your changes.

About Group Manager


Email Gateway offers a variety of tools for both creating and enforcing email policy: policies ranging from
delaying delivery of large messages until off-peak hours, to forwarding or blind copying messages addressed
to specific individuals or domains, to disallowing adult or colorful words in corporate email. These various
policies can be applied to individual users, or to groups of users, including domains. The Group Manager
program area is where you can specify or create groups of users for the purpose of policy enforcement.
Existing groups are listed on the Group Definition - Manage window. The “Global” group is always present
by default, and cannot be deleted.
Figure 88 Group Definition - Manage window

Table 104 Group Definition - Manage fields


Field Description
ID This column shows the unique system-defined identification number for
each definition.
Domain Based If a group is domain-based (consisting of a list of domains rather than
individual users), an X in this column indicates that fact.
Groups This column lists the names of any existing groups.
Delete For any configured group, other than Global, selecting the checkbox and
subsequently clicking Submit will cause the group definition to be
deleted.
Upload from File You can upload a comma-separated list of either user groups or
domain-based groups from a file by entering the complete path to the file
or by navigating to it.

Character Set Select the character set to be used for encoding entries for this dictionary
or searching for entries. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for traditional Chinese for mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and
ASCII characters.
• gb 2312 – official character set for the People's Republic of China;
superseded by gbk and gb 18030
• gb 18030 – official character set for the People's Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several
standards
• iso-8859-1 (latin1) – character set for most Western European
languages, plus Eastern European Albanian and Afrikaans and Swahili.
• UTF-8 – 8-bit Unicode Transformation format, allowing variable length
character encoding.
Export You can store a backup copy of your group definition list by clicking the
Export hyperlink.

If you make changes to this window, click Submit to save the changes.

Adding a new group definition


To add a new group to the list of defined groups, click Add New at the bottom of the Group Definition
window. The Group Definition - Add window will display.
Figure 89 Group Definition - Add window

Table 105 Group Definition - Add fields


Field Description
Group Name Type the name for the new group you are defining.
Domain-based If the group is to be domain-based, select the checkbox.
New User Addresses - Comma-Separated List Type or upload the user addresses to be included in this group
definition. If you are adding a domain-based group, the field label changes to
New Domain Names - Comma-Separated List.

When you have the information entered correctly, click Submit. The Group Definition window will update to
add your new group.


Editing an existing group definition


You can also edit any existing group definition by clicking the Group name on the Group Definition window.
The Group Definition - Edit window will appear, populated with the information about the group you have
selected.
Figure 90 Group Definition - Edit window

Table 106 Group Definition - Edit fields


Field Description
Group Name The group name appears in the data field at the top of the window.
Navigation Just below the group name, you will find navigation fields to allow you to
move to the next page of content information, the previous page, or a
specific page (by entering a page number in the field and clicking Go).
User Address The table lists the user addresses that are included in this group. The
addresses are not editable, but you can delete them and type new
addresses on this window.
If this is a domain-based group, the list contains the domains included.
They can be deleted, but not edited, and new domains can be added.
Delete Selecting the checkbox and then clicking Submit will cause the
associated user address to be deleted from the group.
Delete All < n > User Addresses Selecting this checkbox and subsequently clicking Submit will delete all
user addresses from the group. The actual number of addresses in the
group appears in place of n.
New User Address(es) - Comma-Separated List You can add new users by entering user addresses in a
comma-separated list.

When you have completed the changes you want to make, click Submit. The Edit Group Definition window
updates to show the new configuration.
Editing a domain-based group is like editing a user group. The screens are slightly different. To edit the
definition, click the Group hyperlink. When you have made the required changes, click Submit.
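To make the Apply To, Exclude and Direction choices from the Message Stamping apply-rule tables and the group definitions described above concrete, here is an added Python illustration of how such a policy can be evaluated against a message. It is not Email Gateway's code: the Group and ApplyRule structures, the decision to match the entity against the recipient address (the guide describes Apply To as the entity "to which stamped messages will be sent"), the footer layout, and the sample groups and addresses are all assumptions.

```python
"""Added illustration of how Group Manager definitions and a Message Stamping
apply rule combine to decide whether a recipient's message gets a footer.
Not Email Gateway code: structures, matching order and sample data are
assumptions modelled on the field descriptions in the guide."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Set


def _domain_of(address: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return address.lower().rsplit("@", 1)[-1] if "@" in address else ""


@dataclass
class Group:
    name: str
    domain_based: bool   # the guide's "Domain Based" flag
    members: Set[str]    # lower-cased user addresses, or domains

    @classmethod
    def from_upload(cls, name: str, domain_based: bool, text: str) -> "Group":
        """Parse the comma-separated list format the Group Manager uploads."""
        members = {m.strip().lower() for m in text.split(",") if m.strip()}
        if not domain_based:
            bad = sorted(m for m in members if "@" not in m)
            if bad:
                raise ValueError(f"user group {name!r}: not addresses: {bad}")
        return cls(name, domain_based, members)

    def contains(self, address: str) -> bool:
        if self.domain_based:
            return _domain_of(address) in self.members
        return address.lower() in self.members


@dataclass
class ApplyRule:
    apply_to: str          # Global, Domain Group, Domain, User Group, Email Address
    data: str = ""         # domain, address or group name, as in the Data fields
    exclude: bool = False  # the guide's Exclude checkbox
    direction: str = "Inbound"
    footer_text: str = ""  # from the enabled Message Stamping rule


def entity_matches(rule: ApplyRule, recipient: str, groups: Dict[str, Group]) -> bool:
    """Does the recipient fall inside the entity named by Apply To?"""
    if rule.apply_to == "Global":
        return True
    if rule.apply_to == "Domain":
        return _domain_of(recipient) == rule.data.lower()
    if rule.apply_to == "Email Address":
        return recipient.lower() == rule.data.lower()
    if rule.apply_to in ("Domain Group", "User Group"):
        group = groups.get(rule.data)
        if group is None:
            raise KeyError(f"group {rule.data!r} is not defined")
        return group.contains(recipient)
    raise ValueError(f"unknown Apply To type {rule.apply_to!r}")


def should_stamp(rule: ApplyRule, recipient: str, direction: str,
                 groups: Dict[str, Group]) -> bool:
    """Direction must match; Exclude inverts the entity test (assumed semantics:
    "everyone except the entity", so Global plus Exclude stamps nobody)."""
    if rule.direction != direction:
        return False
    matched = entity_matches(rule, recipient, groups)
    return (not matched) if rule.exclude else matched


def stamp(body: str, rule: ApplyRule) -> str:
    """Append the footer text as a trailing paragraph (layout is an assumption)."""
    return body.rstrip("\n") + "\n\n" + rule.footer_text + "\n"


# Constructed sample data, not from the guide.
GROUPS = {
    "partners": Group.from_upload("partners", True, "partner.example, vendor.example"),
    "execs": Group.from_upload("execs", False, "ceo@corp.example, cfo@corp.example"),
}
OUTBOUND_PARTNER_FOOTER = ApplyRule("Domain Group", "partners", direction="Outbound",
                                    footer_text="Confidential - for partner use only")
INBOUND_EXCEPT_EXECS = ApplyRule("User Group", "execs", exclude=True, direction="Inbound",
                                 footer_text="This message arrived from outside the company")

if __name__ == "__main__":
    print(should_stamp(OUTBOUND_PARTNER_FOOTER, "bob@partner.example", "Outbound", GROUPS))
    print(stamp("Hello", OUTBOUND_PARTNER_FOOTER))
```

Group uploads are validated on the way in (a user group that contains something other than an address is rejected), and all comparisons are case-insensitive, so a policy cannot be bypassed or missed because of a differently cased address.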


About Mail Notification


Many Email Gateway policies provide an option to notify users when an Email Gateway policy performs an
action on an email. The Mail Notifications - Manage page lists the existing templates and is where you
begin to personalize the notification email that Email Gateway delivers to the user.
Navigate to the Mail Notifications - Manage window.
Figure 91 Mail Notifications - Manage window

Table 107 Mail Notifications - Manage fields


Field Description
ID This column lists the unique, system-generated ID numbers assigned to
each notification template.
Notification Template Name The name of each existing template appears in this column. Each
template name is a hyperlink that will allow you to edit any user-created
template.
System Defined If the associated template was generated by the system, this will be
indicated by a check mark in this column. System-Defined templates cannot
be altered or deleted.
Delete If the associated template was created by an administrator or user, and
is not System-Defined, a checkbox will appear in this column. Selecting
the checkbox and then clicking Submit will cause a user-defined template
to be deleted.

Adding a notification
Email Gateway provides templates (listed later in this section) covering the policies that support user
notification. Selecting a template for an Email Gateway policy populates text fields in the lower half of the
page with sample text. The sample text can be edited and personalized as required.
To create a new notification, click Add New on the Mail Notifications - Manage window.


Figure 92 Mail Notifications - New window

Table 108 Mail Notifications - New fields


Field Description
Type: From the drop-down list, select the kind of notification you want to create.
The types are associated with key Email Gateway features, such as
Anti-Spam or Content Analysis.
Template Name Type an appropriate name for the new template you are adding.
From This field will contain the source of the notification, normally the process
that triggers the notice.
Subject The subject line will identify the kind of notice being sent. You can add
any of the allowed tags from the list by highlighting the tag, placing the
cursor in the subject line where you want the tag to appear and clicking
the Add To Subject button.
Body Type the body text for the new template. Add the necessary tags to the
message by selecting the tag, placing the cursor where you want the
information to appear, and clicking the Add To Body button.
Allowed tags list The list of available tags for the type of notice you are configuring displays
to the right of the body text field.
Attach Original Message You have the option of including the original message that triggered the
notice along with the notification. If you want that to occur for this
template, select the checkbox.

When you have entered the necessary data, click Submit. The Mail Notifications - Manage window will
refresh to include your new template.

Editing an existing notification


You can edit a user-defined template by selecting the ID or the template name on the Mail Notifications -
Manage window. The Mail Notifications - Edit window will appear.


Table 109 Mail Notifications - Edit fields


Field Description
Type The notification type that was created or generated when the template
was configured appears in the data field. That field is not enabled for
editing.
Template Name The name of the template you are editing appears in this field. You can
edit it or replace it by entering a new name.
From This field will contain the source of the notification, normally the process
that triggers the notice.
Subject The subject line will identify the kind of notice being sent. You can add
any of the allowed tags from the list by highlighting the tag, placing the
cursor in the subject line where you want the tag to appear and clicking
the Add To Subject button.
Body Type the body text for the new template. Add the necessary tags to the
message by selecting the tag, placing the cursor where you want the
information to appear, and clicking the Add To Body button.
Allowed tags list The list of available tags for the type of notice you are configuring displays
to the right of the body text field.
Attach Original Message You have the option of including the original message that triggered the
notice along with the notification. If you want that to occur for this
template, select the checkbox.

When you have entered the necessary data, click Submit. The Mail Notifications - Manage window will
refresh to include your updated template.

Allowed variables
The variables that can be used for custom notifications will vary according to the type of notice being
configured. The variables are shown below.

Variables shared by most templates:


<$DATE$> - The date and time the message was processed.
<$SUBJECT$> - Subject of the message that triggered this policy.
<$POLICY$> - Name of the policy that was triggered.
<$RECIPIENTS$> - Recipients of the original message.
<$SENDER$> - Name and email address of the original sender.
<$SIZE$> - Size of the original message.
<$ATTACHMENTS$> - Names of the attachments in the original message.
<$REASON$> - The reason the policy was triggered.
<$SERVER$> - Name of the Email Gateway sending the notification.

Envelope Analysis and Encryption Analysis templates:


<$Data$> will be the email address, domain, or group that required the action.
<$Action$> will be a brief description of the policy’s action.

Off-Hour Delivery template:


<$Message Size$> will be the actual size of the message in bytes.
<$Limit$> will be the Off-Hour Delivery limit in bytes. (This value will return
nnnnnnn.0.)
<$Delay in Hours$> will be the number of hours until the next “Begin Time” arrives.


Attachment Analysis template:


<$Data$> will be a file name or file extension.
<$Action$> will be a brief description of the policy’s action.

Content Analysis template:


<$Data$> will be the name of a dictionary.
<$Action$> will be a brief description of the policy’s action.

Secure Web Delivery template:


You can configure the SWD notification to convey information for Pull Encryption, for Push Encryption, or for
both, using the proper tags:
<$PULL_T$> <$/PULL_T$> Information between these tags will be visible to viewers
receiving Pull Encrypted messages.
<$PUSH_T$> <$/PUSH_T$> Information between these tags will be visible to viewers
receiving Push Encrypted messages.
Note: Information before or after these two sets of tags will be visible to viewers receiving any type.

Caution: The Pull tags must come before the Push tags when you customize the notifications.

<$From$> will be the From address of the message sender.


<$SLink$> will be the Email Gateway-generated HTTPS hyperlink the user will click to
retrieve the message.

Zero-Day Protection template:


<$Virus Name$> will be the name of the detected virus.
<$Virus Engine$> will be the name of the virus scanning engine (for example, Authentium
or McAfee).

SMTPO—invalid domain template:


<<$Domain$>> will be the name of the domain the message was addressed to.

SMTPO—invalid domain, and domain name same as host name templates:


<<$Domain$>> will be the name of the domain the message was addressed to.

SMTPO—domain unreachable template:


<$Delivery Attempts$> will be the number of attempts Email Gateway has tried to deliver
the message.

SMTPO - domain unreachable no more attempts:


Email Gateway will make no further attempts to deliver the message.

User Quarantine Release:


Email Gateway will notify the user that the message(s) have been quarantined.
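As an added illustration of the tag syntax described above (not Email Gateway's own template engine, whose behaviour may differ in details), the following Python renderer substitutes <$TAG$> variables, keeps or drops the <$PULL_T$> and <$PUSH_T$> sections according to the delivery type, and rejects a template that places the Push section before the Pull one. The sample template, the values, and the <$SLink$> URL are constructed placeholders.

```python
"""Added illustration of rendering a Mail Notification template with the
<$TAG$> variables and <$PULL_T$>/<$PUSH_T$> sections the guide describes.
Not Email Gateway code; sample template and values are constructed."""
import re
from typing import Dict, List, Optional

TAG_RE = re.compile(r"<\$([^$<>/]+)\$>")          # <$DATE$>, <$Message Size$>, ...
SECTION_RE = re.compile(r"<\$(PULL_T|PUSH_T)\$>(.*?)<\$/\1\$>", re.DOTALL)


class TemplateError(ValueError):
    """Raised for malformed templates or unknown tags."""


def check_template(template: str) -> List[str]:
    """Structural problems in a template: unbalanced section tags, or the
    Push section placed before the Pull section (the guide's Caution)."""
    problems = []
    for name in ("PULL_T", "PUSH_T"):
        opens = template.count(f"<${name}$>")
        closes = template.count(f"<$/{name}$>")
        if opens != closes:
            problems.append(f"{name}: {opens} opening vs {closes} closing tags")
    order = [m.group(1) for m in SECTION_RE.finditer(template)]
    if "PULL_T" in order and "PUSH_T" in order and order.index("PULL_T") > order.index("PUSH_T"):
        problems.append("Pull tags must come before Push tags")
    return problems


def render(template: str, values: Dict[str, object], delivery: Optional[str] = None) -> str:
    """Render a template. `delivery` is 'pull', 'push' or None (neither section
    kept). Text outside the two sections is always kept, as the guide's Note says."""
    problems = check_template(template)
    if problems:
        raise TemplateError("; ".join(problems))
    wanted = {"pull": "PULL_T", "push": "PUSH_T"}.get(delivery)

    def keep_section(m):
        return m.group(2) if m.group(1) == wanted else ""

    text = SECTION_RE.sub(keep_section, template)

    def substitute(m):
        name = m.group(1)
        if name not in values:
            raise TemplateError(f"unknown tag <${name}$>")
        return str(values[name])   # inserted as plain text; not re-scanned for tags

    return TAG_RE.sub(substitute, text)


# Constructed sample: a Secure Web Delivery notice (the SLink URL is a placeholder).
SWD_TEMPLATE = (
    'Your message "<$SUBJECT$>" from <$From$> was processed on <$DATE$>.\n'
    "<$PULL_T$>Retrieve it at <$SLink$>.<$/PULL_T$>"
    "<$PUSH_T$>The encrypted message is attached to this notice.<$/PUSH_T$>\n"
    "Policy: <$POLICY$> (<$REASON$>)\n"
)
SWD_VALUES = {
    "SUBJECT": "Q3 figures", "From": "alice@corp.example",
    "DATE": "2009-06-01 09:15:00", "POLICY": "Secure Web Delivery",
    "REASON": "confidential dictionary matched",
    "SLink": "https://gateway.example/swd/retrieve?id=PLACEHOLDER",
}

if __name__ == "__main__":
    print(render(SWD_TEMPLATE, SWD_VALUES, "pull"))
    print(render(SWD_TEMPLATE, SWD_VALUES, "push"))
```

Two design points worth noting: an unknown tag raises instead of being silently passed through, so a typo in a template is caught when it is tested rather than showing up in users' mailboxes; and substituted values (which include the triggering message's subject, text chosen by an outside sender) are inserted as literal text and never re-parsed, so a subject containing <$...$> cannot pull other values into the notice.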

Other email notifications


Email Gateway generates a number of additional email notifications. The following messages are not
configurable:
• Forwarded: When an Email Gateway policy has a forward action, it sends a message on to a forwarding
email address and the original recipient does not receive the message. The message will be sent from
forwarded@default_domain.com.


• Forwarded as Attachment: When an Email Gateway policy has a forward as attachment action, it
creates a new email envelope, with the original message as an attachment. The message will be sent from
fwd-attach@default_domain.com.

• Copy: When an Email Gateway policy has a copy action, it creates a new email envelope with the original
message as an attachment. The message will be sent from copied@default_domain.com.

• Copied as Attachment: When an Email Gateway policy has a copy as attachment action, Email Gateway
creates a new email envelope with the original message as an attachment. The message will be sent from
copied-attach@default_domain.com.

• Delivery Status Notification (DSN): If Email Gateway is unable to deliver an email, and DSN is enabled
in the SMTPO Service, it generates a new email to the sender. The DSN is sent from
dsn@default_domain.com.
Note: Delivery Status Notifications might lose some fidelity with the Template if they are delivered to a Domino
server. When the Domino SMTP listener receives a DSN, it recognizes it as DSN and reformats it to the Domino
standard format. Then it places it in the server mail.box for delivery. The Notes form is also changed from
memo to NonDelivery Report.

• Reports: If configured to do so, Email Gateway e-mails its daily Reports. They are sent from
reports@default_domain.com.

• User-reported Spam to HQ: If configured to do so, Email Gateway creates an email to McAfee’s spam
collection address, with user-reported spam as an attachment. The email is sent from
userreports@default_domain.com.

• Enterprise Spam to HQ: If configured to do so, Email Gateway creates an email to McAfee’s spam
collection address, with enterprise-reported spam as an attachment. The email is sent from
enterprise@default_domain.com.

Email Gateway provides templates for customized email notifications when policies are enforced (for
example, policies concerning Off-Hour Delivery, or enforcement of Envelope Analysis and Content Analysis
rules, and so forth). A notification message generated by Email Gateway is delivered by SMTPO to SMTPI
services. The message generated by Email Gateway bypasses all the queues. At this point, the message
has an RFC821 From address.
SMTP then sends the notifications to SMTPO for delivery to the intended recipient. When SMTPO delivers
these outbound messages to the actual host for the recipient domain, the RFC821 From address is blank.
All Email Gateway notifications are handled in this way. This approach prevents a possible looping email
condition that can occur if generated notifications are sent with a From Address that is not reachable.
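The loop-avoidance rule just described (a named RFC 822 From header, an empty RFC 821 reverse-path) is illustrated below in an added Python example. It is not Email Gateway code: the envelope model, the SMTP dialogue and the addresses are constructed, and the Auto-Submitted header is an addition beyond what the guide describes (it comes from RFC 3834, which marks automatic responses so other systems do not reply to them).

```python
"""Added illustration of the loop-avoidance rule the guide describes for
gateway notifications: the RFC 822 From header names the generating process,
while the RFC 821 reverse-path (MAIL FROM) is left empty. Not Email Gateway
code; the envelope model and SMTP dialogue are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Envelope:
    mail_from: str        # RFC 821 reverse-path; "" is the null sender
    rcpt_to: List[str]


def may_auto_respond(incoming: Envelope) -> bool:
    """Never generate an automatic notice in reply to a message that itself
    carries the null reverse-path (a bounce or another system's notification):
    answering such a message is how notification loops start."""
    return incoming.mail_from != ""


def notification_commands(incoming: Envelope, notify: str, header_from: str,
                          subject: str, body: str) -> Optional[List[str]]:
    """SMTP commands for a notification about `incoming`, or None if suppressed.
    The envelope sender is empty, so a failed delivery of this notice is not
    bounced back to a mailbox that would generate yet another notice."""
    if not may_auto_respond(incoming):
        return None
    # Dot-stuffing: a body line starting with "." would otherwise end DATA early.
    body_lines = ["." + ln if ln.startswith(".") else ln for ln in body.splitlines()]
    headers = [
        f"From: {header_from}",            # RFC 822 From, e.g. forwarded@default_domain.com
        f"To: {notify}",
        f"Subject: {subject}",
        "Auto-Submitted: auto-replied",    # RFC 3834 marker; an addition beyond the guide
        "",
    ]
    return ["MAIL FROM:<>", f"RCPT TO:<{notify}>", "DATA"] + headers + body_lines + ["."]


# Constructed samples: a normal message and a bounce that must not be answered.
ORIGINAL = Envelope("bob@sender.example", ["alice@corp.example"])
BOUNCE = Envelope("", ["alice@corp.example"])

if __name__ == "__main__":
    for line in notification_commands(ORIGINAL, "alice@corp.example",
                                      "forwarded@default_domain.com",
                                      "Message forwarded", "Your message was forwarded."):
        print(line)
    print(notification_commands(BOUNCE, "alice@corp.example",
                                "forwarded@default_domain.com", "x", "y"))
```

The two halves belong together: sending with an empty reverse-path is what makes the gateway's own notices safe for other systems, and refusing to respond to an empty reverse-path is what makes the gateway safe from theirs.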


Compliance rules updates


Clicking Compliance Rules Updates from the left menu takes you to the Updates window.
Figure 93 Updates window

For information about applying your updates, see Managing updates in Chapter 35 of this Administration
Guide.



SECTION 4

Anti-Spam

Chapter 13, SpamProfiler

Chapter 14, Blocking Threats

Chapter 15, End User Quarantine

Chapter 16, Advanced Topics in Anti-Spam


13 SpamProfiler
Contents
About spam protection
Configuring the SpamProfiler
Managing SpamProfiler rules
Applying SpamProfiler rules
Classifying spam
Locking your SpamProfiler configuration

About spam protection


Email Gateway offers an anti-spam solution that blocks spam at the gateway. Because Email Gateway uses
a suite of individual spam-blocking tools, spam entering the Email Gateway appliance isn’t examined just
once, but by all of the tools at its disposal. One way to visualize the Email Gateway anti-spam strategy is
as a funnel: a lot of spam enters the network at the wide opening of the funnel. The first of the
Email Gateway spam-blocking tools detects and stops a large percentage of that spam. Any spam making
it past the first tool is then examined by the next spam-blocking tool, and after that tool does its job, a
little less spam remains in the Email Gateway spam-detecting process. Each step reduces the number of
spam messages that slip past, finally reducing the total entering the network to a trickle of the original
amount.
Another way of understanding how Email Gateway blocks spam is to realize that each of the Email Gateway
separate spam-blocking tools is good at detecting particular kinds of spam. Because there is wide variety in
how spam is constructed and delivered, a multi-tool strategy like this is able to cast a wide net, detecting
more spam than single-approach anti-spam tools can.
Unlike many anti-spam solutions that offer only a “turn me on” option, Email Gateway lets administrators
have total control, at a granular level, over how rigid or relaxed its anti-spam tools are as they individually
react to suspected spam messages. Further, administrators can configure Email Gateway to take a “high
level” approach to spam-detection by requiring more than one spam tool to think a message is spam before
it is finally treated as such.

Anti-Spam snapshot
The opening window for Anti-Spam is the Quick Snapshot window, showing reports of both historical and
current statistics. The quick snapshots provide an easily understood overview of processes and actions with
the Anti-Spam program area.


Figure 94 Anti-Spam Quick Snapshot

The report window is separated into three panels.

Message trend
The top panel shows historical data for a defined time period, tracking the following actions:
• Messages that triggered actions by the SpamProfiler

• Messages stopped by Connection Control

• Messages that triggered Recipient Rejections

• Messages acted upon by other Anti-Spam tools

The historical trend data is intended to allow you to detect changes over time. The time period covered by
the historical graphs will vary according to the amount of data accumulated.
• If the appliance has data for less than a week, the trend data is plotted daily.

• If the data represents from 1 to 12 weeks, the trend is monitored on a weekly basis. The dates displayed
represent the beginning date (Sunday) for each week.

• If the data covers more than 12 weeks, the trends will still be plotted on a weekly basis, showing the most
recent 12 weeks.

Message actions
The middle panel contains a pie chart and a table that show actions taken by specific Anti-Spam tools from
midnight to the current update time.
The current data tracks the following actions for the SpamProfiler, Connection Control, Recipient Rejections
and other spam tools:
• Dropped messages

• Quarantined messages


• Messages that triggered other actions

End user summary


The bottom panel contains a table that reports the number of messages released by recipients using the
End User Quarantine functionality (messages falsely suspected of being spam), and messages reported as
spam by the recipients (spam messages that were not detected).
Like the current data above, this information concerns messages released or reported since midnight.

SpamProfiler
The Email Gateway SpamProfiler allows a high level of spam protection while keeping false positives to a
minimum. Prior to the SpamProfiler, spam-fighting tools were limited; no matter how many detection
techniques were present, they all acted independently. Email Gateway uses a broad array of detection tools
to analyze messages for spam. Then SpamProfiler aggregates the results of these multiple tools to calculate
the probability that a message is spam. The result is much more trustworthy than the result from any spam
detection tool alone.
Email Gateway provides two methods of spam-detection:

Tool-based
Tool-based spam detection is based on emails being processed sequentially by each enabled spam-blocking
tool. Once an individual tool thinks a message is spam, the specified action is taken and no other tools
examine it.
Note: If SpamProfiler is not enabled, Email Gateway defaults to tool-based spam detection.

Confidence-based
Confidence-based spam detection is based on having all enabled spam-blocking tools examine a message.
Email is not considered spam until all spam tools have each returned their respective determination. Each
tool is “weighted” by the Email Gateway administrator as to its reliability in detecting spam, and returns a
“probability score” for each message. SpamProfiler polls each enabled tool, then adds together each tool's
probability score and takes action only if the aggregate score reaches or exceeds an administrator-defined
threshold. Confidence-based spam detection is enabled and configured in the SpamProfiler.
Note: Spam tools must be enabled individually before they can be included in SpamProfiler calculations.

Spam profile
The spam profile is the result calculated from the contributed scores from all enabled spam tools. You can
determine which tools and which dictionaries contribute to the profile. This is configured at Anti-Spam |
SpamProfiler | Configure.
SpamProfiler can receive contributions from Content Analysis and many of the Anti-Spam tools. These
contributions are totaled to calculate the aggregate value used as the Spam Profile. The contributors are
identified in the table below. Some contributors require a confidence level and/or a threshold.

Table 110 Tools that contribute to the Spam Profile


Contributor Requires Confidence Value Requires Threshold Value
Real Time Blackhole List
System Defined Header Analysis
User Defined Header Analysis
Sender ID
Reverse DNS X
Bayesian Engine - Spam X
Bayesian Engine - Ham X
DomainKeys Identified Mail (DKIM) X
TrustedSource

Dynamic Spam Classifier
Image Spam Classifier
Content Analysis Dictionaries X X
Dictionaries as provided by TRUs X X
URL Real-Time Signatures X X

Configuring the SpamProfiler


To configure the SpamProfiler, navigate to the Configure SpamProfiler - Configure window.
Figure 95 SpamProfiler - Configure window

Table 111 SpamProfiler - Configure fields


Field Description
Add X Header for SpamProfiler Select the checkbox to configure Email Gateway to add an X-header to the
subject line of any message determined to be spam by the SpamProfiler.
If a message is forwarded from one Email Gateway appliance to another,
the X-header will be overwritten by the last Email Gateway in the series.
Information from prior Email Gateway appliances will be lost.
When the X-header is added, the Sender ID is added to the 822 header.
If the header contains more than 72 characters, the text will wrap to the
next line. The wrapped portion of the text will be preceded by the control
characters \r\n\t. They will appear where the header is shown.
SpamProfiler X Header Name Type the text for the X header.
SpamProfiler Rules The table in the lower portion of the window provides information about
all currently configured SpamProfiler contributors.
Spam Features/Dictionaries This column lists all the potential contributors to the Spam Profile.
Confidence Value (%) For those features or dictionaries that require a confidence value, this
column contains data fields. Currently-configured values appear in the
fields; you can edit the values by simply changing them.
Threshold For features or dictionaries that require accumulation of enough points to
trigger the contribution, data fields hold the currently-configured
threshold values. You can edit the values by simply changing them.

Locked A check mark in this column indicates the associated feature is locked so
that your configuration will not be overwritten when a new threat
response update is installed. For more information, see “Locking your
SpamProfiler configuration,” later in this chapter.
Enable This column holds a checkbox for each feature or dictionary. You can
enable each one by selecting its checkbox.

If you make changes to the existing configuration, click Submit to record the changes.

Managing SpamProfiler rules


All currently-configured SpamProfiler rules appear on the SpamProfiler - Manage Rules window.
Figure 96 SpamProfiler - Manage Rules window

Table 112 SpamProfiler - Manage Rules fields


Field Description
ID This column displays the system-generated ID number for the rule.
Aggregate Value The configured threshold value for the rule shows in this column.
Action This field lists the action that should be taken as a result of triggering each
rule.
Action Value Certain actions require additional values, such as email addresses for
forwarded messages or a number of days quarantined mail should remain
in quarantine before it is released. That value will show in this column.
Quarantine Type If “Quarantine” or “Remote Quarantine” is selected as the action, this
column will show the quarantine type for messages that trigger the rule.
Delete Selecting the checkbox will cause the rule to be deleted when you click
Submit. Clicking the Delete hyperlink will toggle deletion on or off for all
rules.
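The tool-based and confidence-based modes described in the Spam profile discussion, the Confidence Value and Threshold columns of the Configure table, the Aggregate Value of a Manage Rules entry, and the 72-character X-header wrapping are pulled together in the added Python example below. It is not Email Gateway code: the weights given to tools the guide lists without a confidence field, the assumption that the rule with the highest Aggregate Value reached by the profile is the one applied, and every sample result and rule are constructed.

```python
"""Added illustration of the two detection modes the guide describes: tool-based
(the first enabled tool to flag a message decides) and confidence-based (the
SpamProfiler sums each firing contributor's confidence value and compares the
aggregate with the Aggregate Value of the configured rules), plus folding of
the SpamProfiler X-header at 72 characters. Not Email Gateway code: weights,
rule-selection order and all sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class Contributor:
    name: str
    confidence: float                  # percent contributed when the tool fires
    threshold: Optional[float] = None  # points needed before it fires (dictionaries, URL RTS)
    enabled: bool = True               # the Configure table's Enable checkbox


@dataclass
class Rule:
    aggregate_value: float             # the Manage Rules "Aggregate Value"
    action: str
    action_value: str = ""


def fired(c: Contributor, result: Union[bool, float]) -> bool:
    """A verdict tool fires on True; a threshold tool fires when its accumulated
    points reach the configured threshold."""
    if not c.enabled:
        return False
    if c.threshold is not None:
        return float(result) >= c.threshold
    return bool(result)


def tool_based_verdict(contributors: List[Contributor],
                       results: Dict[str, Union[bool, float]]) -> Optional[str]:
    """Tool-based mode: the first enabled tool (in configured order) that fires
    takes its action; later tools never examine the message."""
    for c in contributors:
        if fired(c, results.get(c.name, False)):
            return c.name
    return None


def spam_profile(contributors: List[Contributor],
                 results: Dict[str, Union[bool, float]]) -> float:
    """Confidence-based mode: every enabled tool is polled and the profile is
    the sum of the confidence values of those that fired."""
    return float(sum(c.confidence for c in contributors
                     if fired(c, results.get(c.name, False))))


def select_rule(rules: List[Rule], profile: float) -> Optional[Rule]:
    """Assumed selection: the rule with the highest Aggregate Value that the
    profile reaches or exceeds; None if no rule is reached."""
    reached = [r for r in rules if profile >= r.aggregate_value]
    return max(reached, key=lambda r: r.aggregate_value) if reached else None


def fold_header(name: str, value: str, limit: int = 72) -> str:
    """Fold a header at whitespace so no line exceeds `limit` characters; each
    continuation is preceded by \\r\\n\\t, as the Configure table describes."""
    out = f"{name}: "
    line_len = len(out)
    first = True
    for word in value.split():
        if not first and line_len + 1 + len(word) > limit:
            out += "\r\n\t" + word
            line_len = 1 + len(word)           # the tab counts as one character
        else:
            out += ("" if first else " ") + word
            line_len += (0 if first else 1) + len(word)
        first = False
    return out


# Constructed sample configuration; contributor names are from the guide's Table 110,
# the weights, thresholds, results and rules are not.
CONTRIBUTORS = [
    Contributor("Real Time Blackhole List", 30),
    Contributor("Reverse DNS", 10),
    Contributor("Bayesian Engine - Spam", 40),
    Contributor("Content Analysis Dictionaries", 25, threshold=50),
    Contributor("URL Real-Time Signatures", 35, threshold=2),
    Contributor("Sender ID", 20, enabled=False),
]
RESULTS = {"Real Time Blackhole List": True, "Reverse DNS": False,
           "Bayesian Engine - Spam": True, "Content Analysis Dictionaries": 65,
           "URL Real-Time Signatures": 1, "Sender ID": True}
RULES = [Rule(50, "Add X Header"), Rule(80, "Quarantine", "14"), Rule(120, "Drop")]

if __name__ == "__main__":
    profile = spam_profile(CONTRIBUTORS, RESULTS)
    print("tool-based:", tool_based_verdict(CONTRIBUTORS, RESULTS))
    print("profile:", profile, "rule:", select_rule(RULES, profile))
    print(repr(fold_header("X-SpamProfiler", f"score={profile:g} rule=quarantine")))
```

With these sample values the tool-based mode stops at the blacklist hit alone, while the confidence-based mode reaches a profile of 95 (blacklist 30, Bayesian 40, dictionary 25; the URL signature is below its threshold and Sender ID is disabled) and therefore selects the quarantine rule rather than the weaker X-header rule. Note that a contributor only counts once it is enabled, which matches the guide's note that tools must be enabled individually before they take part in the calculation.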


Adding a new SpamProfiler rule


To add a new SpamProfiler rule, click Add New at the bottom of the Manage Rules window. The Add Rule
window will appear.
Figure 97 SpamProfiler - Add Rule window

Table 113 SpamProfiler - Add Rule fields


Field Description
Aggregate Value Type a value for the Spam Profile to represent the accumulated score that
will cause a message to trigger the rule.
Action Select the action Email Gateway is to take when the rule is triggered.
Action Value Certain actions require additional values, such as email addresses for
forwarded messages or a number of days quarantined mail should remain
in quarantine before it is released. Type the required value in the data
field.
Quarantine Type If Quarantine or Remote Quarantine is selected as the action, you
must select the quarantine type for messages that trigger the rule.
Notification The lower portion of the window permits configuration of email
notifications that Email Gateway will send when a message triggers the
rule.
Notification Recipients You can select one or more recipients who will be notified when this rule is
triggered. You can select:
• The Sender of the message;
• The Recipient of the message; and/or
• Additional Recipients, such as perhaps an administrator. You can type
up to three email addresses for additional recipients.
Notification Templates For each recipient, you must select the template to be used for the
notification message. The templates can be configured by navigating to
Compliance | Compliance Advanced | Mail Notifications.
Message Archival The lower portion of the window provides the means to configure
archiving of the messages that trigger this rule.
Archive Messages Select the checkbox to enable Email Gateway to archive the messages
that trigger this rule. You must also select a target (location where the
archive will be located). If no archives exist, you must first configure one.
Navigate to Reporting | Message Archive | Add New to create a new
archive.

When the configuration data for the new rule is complete, click Submit. The SpamProfiler - Manage Rules
window will update to include the new rule.


Editing an existing SpamProfiler rule


To edit an existing rule, click that rule’s ID hyperlink in the SpamProfiler - Manage Rules window. The Add
Rule window will appear, populated with the existing configuration data.

Table 114 Spam Profiler - Add Rule fields


Field Description
Aggregate Value Type a value for the Spam Profile to represent the accumulated score that
will cause a message to trigger the rule.
Action Select the action Email Gateway is to take when the rule is triggered.
Action Value Certain actions require additional values, such as email addresses for
forwarded messages or a number of days quarantined mail should remain
in quarantine before it is released. Type the required value in the data
field.
Quarantine Type If Quarantine or Remote Quarantine is selected as the action, you
must select the quarantine type for messages that trigger the rule.
Message Archival The lower portion of the window provides the means to configure
archiving of the messages that trigger this rule.
Archive Messages Select the checkbox to enable Email Gateway to archive the messages
that trigger this rule. You must also select a target (location where the
archive will be located). If no archives exist, you must first configure one.
Navigate to Reporting | Message Archive | Add New to create a new
archive.

When you have finished editing the configuration, click Submit.

Non-ASCII characters for Add Header options


Email Gateway allows you to type non-ASCII characters as input for the add header action in Spam Profiler.
Users whose languages do not support ASCII can take advantage of this action. To add a header to a
message that has been identified as spam, navigate to the Spam Profiler - Configure window. Type an
aggregate value, select Add Header, then type the name you want to appear as the added header. Click
Submit.

Applying SpamProfiler rules


When SpamProfiler rules have been created, they are ready to be applied. Existing rule applications
(policies) appear in the SpamProfiler - Apply Rules window.
Figure 98 SpamProfiler - Apply Rules window


Table 115 SpamProfiler - Apply Rules fields


Field Description
Enable SpamProfiler Select the checkbox to enable (or disable) the SpamProfiler.
Existing Applications The main body of the window is a table showing details about existing
SpamProfiler policies.
Apply ID This column shows the unique, system-generated ID number for each
application.
Apply To This column shows the entity type to which rules have been applied.
Options are:
• Global
• Domain Group
• Domain
• User Group
• Email Address
Data This column shows the identifying information for the specific entity to
which the policy applies.
Message The message direction (message path) to which the policy applies
appears in this column.
Delete Selecting the checkbox and subsequently clicking Submit will cause the
application to be deleted from the system.

From this window, you can open secondary screens to edit SpamProfiler policies or to add new policies.

Adding a new SpamProfiler policy


To add a new policy, click Add New at the bottom of the SpamProfiler - Apply Rules window. The Add Apply
Rule window will appear.
Figure 99 SpamProfiler - Add Apply Rule window


Table 116 SpamProfiler - Add Apply Rule fields


Field Description
Apply to all Virtual Hosts If the administrator adding the new policy is an appliance-level
administrator and is logged into the Default Virtual Host, this checkbox
appears. If the administrator selects it, the new policy will apply to all
Virtual Hosts on the appliance, without exception.
If the administrator is a Virtual Host administrator or is an appliance-level
administrator logged directly into a Virtual Host, this option does not
appear.
Apply To Select the entity to which the rule will apply. Options are:
• Email Address – apply this rule only to the configured user
• Domain – apply this rule to the identified domain
• User Group – apply the rule to a defined user group
• Domain Group – apply the rule to a defined group consisting of
domains
• Global – apply the rule to everyone.
Apply To Selections If you have selected User Group to apply the rule, select the defined group
from the enabled pick list.
If you selected Domain Group, select the group from the other enabled
pick list.
Data If you have selected Email Address as the entity for this application, type
that email address in the data field.
If you chose Domain as the application entity, type the domain name in
the field.
Message Path Click the appropriate radio button to identify the message direction to
which this policy will apply. Options are:
• From
• To
• Either
Existing Rules The lower portion of the window shows available rules that can be applied
with this policy.
ID This column displays the system-generated ID number for the rule.
Aggregate Value The configured threshold value for the rule shows in this column.
Action This field lists the action that should be taken as a result of triggering this
rule.
Action Value Certain actions require additional values, such as email addresses for
forwarded messages or a number of days quarantined mail should remain
in quarantine before it is released. That value will show in this column.
Quarantine Type If Quarantine or Remote Quarantine is selected as the action, this
column will show the quarantine type for messages that trigger the rule.
Enable Select the checkbox to enable the specific rule for inclusion in this policy.
Clicking the Enable hyperlink enables or disables all policies.

When you have entered the required configuration data, click Submit. The SpamProfiler - Apply Rules
window will update to include the new policy.

Editing a SpamProfiler policy


To edit an existing SpamProfiler policy, click the Apply ID hyperlink for that policy. The SpamProfiler - Edit
Apply Rule window appears, populated with the existing configuration information for the policy you
selected.


Table 117 SpamProfiler - Edit Apply Rule fields


Field Description
Apply to all Virtual Hosts If the administrator adding the new policy is an appliance-level
administrator and is logged into the Default Virtual Host, this checkbox
appears. If the administrator selects it, the new policy will apply to all
Virtual Hosts on the appliance, without exception.
If the administrator is a Virtual Host administrator or is an appliance-level
administrator logged directly into a Virtual Host, this option does not
appear.
Apply To Select the entity to which the rule will apply. Options are:
• Email Address – apply this rule only to the configured user
• Domain – apply this rule to the identified domain
• User Group – apply the rule to a defined user group
• Domain Group – apply the rule to a defined group consisting of
domains
• Global – apply the rule to everyone.
Data selections If you select Domain Group or User Group as the “Apply To” type, select
the appropriate group name from the enabled drop-down list.
Data If Domain or Email Address is the “Apply To” type, type the domain name
or the email address.
Message Path Select the path or direction for messages to be scanned by this policy.
Options are:
• From
• To
• Either
Available Rules The table in the lower portion of the window contains data about
SpamProfiler rules that can be used in the current application.
ID This column lists the ID numbers of SpamProfiler rules that can be applied
by this policy.
Aggregate Value This column shows the aggregate values configured for the available
rules.
Action The action associated with each rule shows in this column.
Action Value If the action requires an additional value of some type, that value appears
in this column.
Quarantine Type For Quarantine or Remote Quarantine actions, the quarantine type
displays here.
Enable To enable a rule for use by the policy, select the checkbox. Selecting it
again (deselecting it) disables the rule. Clicking the Enable hyperlink
enables or disables all policies.

When the modifications are completed, click Submit to record the changes.

Classifying spam
Two additional spam classification engines are included in Email Gateway:
• Image Spam Classifier

• Dynamic Spam Classifier

On the SpamProfiler - Configure window, you can enable or disable these engines. No further
configuration options are available: Technical Support maintains the Image Spam Classifier, and TRU
Signature updates maintain the Dynamic Spam Classifier.


Image Spam Classifier (ISC)


The Image Spam Classifier is a solution for identifying image spam. Image spam incorporates text content
into common graphic encodings, such as GIF, JPEG and PNG, using graphic features such as animation and
transparency to obscure the text from detection.
Note: This feature is not related to the Image Analysis feature already in Email Gateway. That feature is primarily
concerned with pornographic or objectionable material.

The Image Spam Classifier includes two additional features:


• It includes a whitelist designed to improve performance by quickly recognizing and bypassing
customer-supplied images that might appear in messages, such as corporate logos, signature
embellishments, and so forth.

• It also includes a blacklist designed to improve effectiveness by catching images similar to those known
to evade detection by ISC.

Images are added to the whitelist and blacklist by submitting them to Support. The lists are not
user-configurable and are maintained by McAfee.
The only user-configurable option for ISC is the ability to enable or disable it from the Spam Profiler
configuration window. ISC is disabled by default.

How Image Spam Classifier works


The high-level process for the ISC is as follows:
1 The ISC sorts the images it detects in a message and selects the three largest (the number of images
processed is configurable upon request by Support).

2 It checks the whitelist to look for a match. If it finds a match, it skips the image.

3 The ISC checks size heuristics. If the image is too large or too small, ISC skips it.

4 The Support Vector Machine (SVM) applies algorithms to determine the likelihood that the image is spam.

5 The ISC checks the blacklist to see if the image matches known spam images.

6 The ISC returns a raw score for the image to the Spam Profiler. By default, the score will be 0 if the image
is determined not to be spam, and 50 points if it is spam. A confidence value will be applied to the raw
score.

Default scores for the Spam Profiler can be reconfigured by Support upon request.

Important notes about the ISC


The Image Spam Classifier reduces throughput when processing email messages with images.
If a message is larger than 100 KB, a setting in Spam Queue Properties causes it to bypass the Spam
Queue and therefore the ISC. The setting is configurable via the anti-spam bypass feature.

Dynamic Spam Classifier (DSC)


Because spammers change techniques more quickly than specific solutions can be provided to the field,
McAfee provides a method for delivering increased spam protection that is not contingent upon a new
release of Email Gateway. Dynamic Spam Classifier (DSC) is a technology that can implement new spam
detection techniques within Email Gateway in a timely manner.
DSC is a framework for delivery of fast-reaction detection methods to Email Gateway to fight spam
outbreaks. The benefits are:
• Flexibility and timeliness in delivering spam updates independently of Email Gateway release cycles;

• Deliverability using ThreatResponse Signature updates methods;

• Ability to tailor methods for specific outbreaks, and to retire methods that are no longer needed; and,

• No dependence upon existing spam features in Email Gateway.


Note: DSC is implemented to deliver better protection from the latest spam outbreaks. It does not replace TRU,
Spam Queue, or any other detection method on Email Gateway.

How DSC works


DSC will deliver a series of methods that will look at specific heuristics of a file. Whenever DSC is updated,
the update will replace or override the previous version, which allows for retirement of methods no longer
necessary. In addition, if a certain method continues to be used, it can become a candidate for inclusion as
an Email Gateway feature.
DSC runs as the last feature when Spam Queue runs. Spam Queue will pass messages to the DSC, where
they will be compared to the current methods. DSC will then hand the message back with an associated
score to contribute to the Spam Profile score. Every message that goes through Spam Queue will be sent to
DSC. The only exceptions are:
• Messages larger than a preconfigured size, which can vary as necessary for the method;

• Messages that have received TrustedSource scores greater than 100 points or less than -100 points;

• Messages that have been whitelisted for DSC, as discussed below.

The individual scores from each DSC module will be visible in the X-header of the message, and in the
message log files.

Updating DSC
The frequency of DSC updates is based on research and evaluation of new spam threats. The updates will
be delivered as ThreatResponse Signatures, which can be delivered as frequently as every twenty minutes.
The delivery method will be the same as for any other ThreatResponse Signature update.
If you have DSC enabled and have configured to allow automatic TRU updates at System | Updates |
Configure Auto Updates, updated DSC files will be installed automatically.

Reporting
The message count stopped by DSC will be included on any report that reports overall spam (Executive
Summary, Domain Executive Summary, Spam Action Summary) or in the totals for any report that shows
messages blocked by SpamProfiler (Overall Spam Summary, Top Spam Lists).

How to configure DSC and ISC


You can enable or disable the ISC or DSC on the SpamProfiler - Configure window. They are listed as
potential contributors to the Spam Profile along with other spam detection features. To enable them, select
the Enable checkbox. You do not need to supply a threshold or confidence value. They are disabled by
default.

Whitelisting DSC and ISC


If you so choose, you can whitelist messages from DSC or ISC. You must select Anti-Spam from the
Queue list in the Whitelist - Manage Rule window, then you can select Dynamic Spam Classifier or
Image Spam Classifier from the Bypass list.

Locking your SpamProfiler configuration


ThreatResponse updates are a critical asset that enable administrators to ensure they have the best and
latest protection configuration settings for their Email Gateway appliance. However, there are situations
wherein specific settings should not be overwritten when a new ThreatResponse Signature (TRUSign)
update is installed. For example, a custom Content Analysis dictionary might have been created to meet
the unique needs of the organization. Email Gateway provides the capability to block changes to feature
configuration when new updates are installed.


Locking your current configuration settings


You can lock your current settings by either of two methods. You can navigate to the Configure Auto
Updates window and lock all existing configurations by selecting the Locked checkbox associated with the
ThreatResponse Updates service.
If you select this option, all your existing rules will remain as they are. None will be overwritten.
Note: Selecting the Locked option on the Auto Updates window overrides the Locked checkboxes on the
SpamProfiler - Configure window. Choose one method or the other for locking your configuration.

You can also lock the current settings for specific features by navigating to the SpamProfiler - Configure
window. Most features that appear in SpamProfiler have a checkbox that allows you to lock them. If you
select the checkbox next to a feature, the current settings will be maintained, while those for deselected
features will be overwritten.

Special configurations
Some features do not offer the locking option on the SpamProfiler window. Realtime Blackhole Lists,
System Defined Header Analysis and User Defined Header Analysis require their own configuration
methods.
Note: Selecting the locking option on the AutoUpdates window will protect the settings for these features, just as
it does for all the others.

You can configure each zone you add to your RBL as you add it. Checking the Locked checkbox causes the
entry to be protected when new TRUSign updates are added.
For SDHA and UDHA, each filter has its own checkbox by which you can protect the current configuration.
You can select the individual filters from the lists.



14 Blocking Threats
Contents
About threats
About TrustedSource
About Anti-Zombie protection
About Anti-Fraud-Phishing protection
Connection Control

About threats
Email Gateway (Secure Mail) provides comprehensive protection for the email gateway, including robust
functionality for a variety of threats. In addition to spam, these threats include:
• Phishing attacks

• Zombies

• Fraud

• High-volume demands on the network

Email Gateway protects businesses from all manner of email threats. It provides a simple, comprehensive
security solution.

About TrustedSource
McAfee TrustedSource is a global threat correlation engine and intelligence base of global messaging and
communication behavior, including reputation, volume, and trends, including email, web traffic and
malware. TrustedSource ensures the safety and security of all Internet communications from the firewall to
the PDA, sharpening the intelligence gathering and applications.

How it works
When Email Gateway receives a message, it sends the sender information to the TrustedSource database
as a real-time query from SMTPI, the first process to receive each message. SMTPI reads the message and
connection-level metadata and generates confusion-resistant fingerprints, which are sent to
TrustedSource. When TrustedSource receives the data, it evaluates the reputation of the sender and the
fingerprints in real-time to return an overall reputation score for the message to Email Gateway. Unlike
simple blacklists that identify spamming IPs based on human reports of spam or spamtrap information,
TrustedSource automatically analyzes data and develops behavioral real-time sending patterns for
legitimate and malicious sending behaviors by correlating information from millions of sources and
aggregating it into a precise reputation score for each message.

Configuring TrustedSource
You must configure TrustedSource functions on two different Email Gateway screens:
• The TrustedSource – Configure window;

• The SpamProfiler – Configure Window.


Each of these program areas controls specific and separate TrustedSource options.


On TrustedSource - Configure
Navigate to the TrustedSource - Configure window to enable TrustedSource and set essential action
options.
Figure 100 TrustedSource - Configure window

Table 118 TrustedSource - Configure fields


Field Description
Enable TrustedSource Selecting this option configures Email Gateway to query the TrustedSource
server to rate incoming e-mails based on a number of factors. On this same window, you can also
configure the actions you want Email Gateway to take for messages that represent Low Risk,
Significant Risk or Confirmed Spam.
Enable Dynamic Quarantine Selecting this option enables Dynamic Quarantine. This action allows
Email Gateway to temporarily quarantine suspect messages to allow TrustedSource time to gather
more accurate reputation data.
Anti-Spam Actions The table in the lower portion of the window provides options for
configuring the way Email Gateway will treat messages that score at
specific list levels.
The thresholds for Low Risk, Significant Risk and Confirmed Spam are not
configurable. Any updates to those parameters will be provided as part of
Email Gateway TRU Optimize update process.
Launch TrustedSource This link takes you to the TrustedSource web site, which will be discussed
later in this chapter.
Risk Levels TrustedSource is designed to identify email traffic at three risk levels:
• Low Risk – messages that meet the criteria for this level pose very
little risk of spam.
• Significant Risk – messages at this level display some characteristics
of spam messages, but the senders have not been identified as
confirmed spammers. One example of such messages that are not
spam might be mass mailings (newsletters, and so forth) sent by a
single sender.
• Confirmed Spam – messages at this level are known to be from
confirmed spammers, and should be treated as spam.
Possible Actions You can select any one of three actions for each of the risk levels:
• Allow – selecting this option allows the messages to be delivered to the
subsequent queues for processing, without changes. This option is
often selected for low risk email traffic.
• Subject Rewrite – selecting this option causes Email Gateway to
rewrite the subject of the message, then pass it on to subsequent
queues. This option allows you to type the text to be used to replace
the original subject.
• Drop – this option causes Email Gateway to drop messages that
receive the required score for the associated risk level.

When you have completed the information, click Submit.


On SpamProfiler - Configure
Enabling TrustedSource and setting a Drop action for any risk level will cause the spam messages to be
dropped before they can enter the system. Therefore, they don’t use any Email Gateway processing
bandwidth. Setting other actions based on TrustedSource scores and enabling TrustedSource to contribute
to the Spam Profiler score creates one more source of protection for the messaging network.
Unless a sender’s score reaches a spam threshold you have set that is configured with a drop action for
such spam, Spam Profiler will use the score as part of the information it accumulates to create its own
score. SpamProfiler will take action if a rule exists and the message meets or exceeds the associated
threshold.
The SpamProfiler - Configure window allows you to include TrustedSource’s contribution to the
SpamProfiler score, or exclude it.
TrustedSource is included as a potential contributing feature. To enable the contribution, select the Enable
checkbox. You do not have the option to set a confidence level.
When you have configured the option as you wish, click Submit to record the configuration.
For more information about SpamProfiler configuration, see “Configuring the SpamProfiler” in Chapter 13,
SpamProfiler of this Administration Guide.

TrustedSource whitelisting
Email Gateway provides the capability to whitelist IP addresses from TrustedSource reputation queries. The
details surrounding this capability follow.

TS whitelist rules
• You must be able to add an IP address using the existing whitelisting window and set TrustedSource as
the sub-feature to be whitelisted.

• Anti-Spam and TrustedSource must be the only selections in such a rule.

• SMTPProxy reads IP-based rules which have a bypass list value of Anti-Spam/TrustedSource, and uses
them when it performs the TrustedSource lookup.

• You must create a policy including the rules that need to be evaluated. Policy attributes are not evaluated,
so the policy could be global, user based, and so forth. The policy indicates explicitly the rules to be used.
This allows you to create certain rules that might not be used immediately, and helps extend this feature
to VIPs in the future.

• Email Gateway will not use whitelist rules created on filters other than IP addresses, and will ignore the
direction (inbound/outbound) in the whitelist rule.

• Just before it initiates TrustedSource lookup, SMTP proxy will look up the address in memory. If it is
present, it will send TrustedSource a special parameter to communicate that this message should not be
flagged.

• Email Gateway logs the result of TrustedSource lookup, but does not evaluate it for further action.

• Email Gateway continues processing as if the TrustedSource lookup reports the IP address as neutral.
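The hand-off described in “On SpamProfiler - Configure” and the whitelist rules just listed, as an added Python model (not McAfee code and not the appliance's implementation): a TrustedSource Drop rejects the message before any queue, Subject Rewrite replaces the subject, a whitelisted IP is logged and treated as neutral, and whatever survives contributes its score to the Spam Profile, where the rule whose Aggregate Value the total meets or exceeds decides the action. The class names, the constructed scores, risk levels and rule set, and the choice of the highest met Aggregate Value when several rules match are assumptions, not settings from the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# TrustedSource risk levels and the actions that can be assigned to each one
LOW, SIGNIFICANT, CONFIRMED = "Low Risk", "Significant Risk", "Confirmed Spam"
ALLOW, REWRITE, DROP = "Allow", "Subject Rewrite", "Drop"

@dataclass
class WhitelistRule:
    """One entry from the Whitelist - Manage Rules window."""
    who: str            # "IP Address", "Domain", ...; only IP Address rules count for TS
    data: str
    direction: str      # Inbound / Outbound / Both; ignored for TS rules
    queue: str          # must be "Anti-Spam"
    bypass: List[str]   # must contain "TrustedSource"

def trustedsource_bypass_set(rules: List[WhitelistRule]) -> Set[str]:
    """Addresses the SMTP proxy keeps in memory and checks before each lookup:
    IP-based rules with bypass Anti-Spam/TrustedSource, whatever their direction."""
    return {r.data for r in rules
            if r.who == "IP Address" and r.queue == "Anti-Spam" and "TrustedSource" in r.bypass}

@dataclass
class TrustedSourceConfig:
    """TrustedSource - Configure settings plus the Enable checkbox on SpamProfiler - Configure."""
    enabled: bool = True
    actions: Dict[str, str] = field(default_factory=lambda: {LOW: ALLOW, SIGNIFICANT: REWRITE, CONFIRMED: DROP})
    rewrite_subject: str = "[TrustedSource: significant risk]"  # constructed replacement subject text
    contribute_to_profile: bool = True

@dataclass
class SpamProfilerRule:
    rule_id: int
    aggregate_value: int   # score a message must meet or exceed to trigger the rule
    action: str
    action_value: str = ""

@dataclass
class Message:
    sender_ip: str
    subject: str
    ts_score: int                   # constructed reputation score returned by the lookup
    ts_level: str                   # risk level the lookup placed the sender in
    feature_points: Dict[str, int]  # constructed contributions from other SpamProfiler features
    log: List[str] = field(default_factory=list)

def trustedsource_stage(msg: Message, cfg: TrustedSourceConfig, bypass_ips: Set[str]) -> Optional[int]:
    """None if the message is dropped before it enters any queue, otherwise the points
    TrustedSource contributes to the Spam Profile."""
    if not cfg.enabled:
        return 0
    if msg.sender_ip in bypass_ips:
        # Whitelisted: the lookup result is logged but not evaluated; the sender counts as neutral
        msg.log.append(f"TrustedSource bypass for {msg.sender_ip}: score {msg.ts_score} not evaluated")
        return 0
    action = cfg.actions[msg.ts_level]
    if action == DROP:
        msg.log.append(f"dropped at the gateway edge: {msg.ts_level}")
        return None
    if action == REWRITE:
        msg.subject = cfg.rewrite_subject  # the configured text replaces the original subject
    return msg.ts_score if cfg.contribute_to_profile else 0

def spamprofiler_stage(msg: Message, ts_points: int,
                       rules: List[SpamProfilerRule]) -> Tuple[int, Optional[SpamProfilerRule]]:
    """Accumulates the Spam Profile score and picks the rule to act on. Assumption (the guide
    does not say): when several rules are met, the one with the highest Aggregate Value wins."""
    total = ts_points + sum(msg.feature_points.values())
    met = [r for r in rules if total >= r.aggregate_value]
    return total, (max(met, key=lambda r: r.aggregate_value) if met else None)

def process(msg: Message, cfg: TrustedSourceConfig, whitelist: List[WhitelistRule],
            rules: List[SpamProfilerRule]) -> Tuple[str, Optional[int]]:
    """Both stages in order; returns (disposition, Spam Profile score or None if dropped at the edge)."""
    ts_points = trustedsource_stage(msg, cfg, trustedsource_bypass_set(whitelist))
    if ts_points is None:
        return "dropped at edge", None
    total, rule = spamprofiler_stage(msg, ts_points, rules)
    return ("delivered" if rule is None else f"{rule.action} (rule {rule.rule_id})"), total

# Constructed sample configuration: one IP-based TS whitelist entry and one domain entry that is ignored
WHITELIST = [WhitelistRule("IP Address", "192.0.2.10", "Inbound", "Anti-Spam", ["TrustedSource"]),
             WhitelistRule("Domain", "partner.example", "Both", "Anti-Spam", ["TrustedSource"])]
RULES = [SpamProfilerRule(1, 60, "Add Header", "X-Spam-Flag: YES"),
         SpamProfilerRule(2, 90, "Quarantine", "7")]
CONFIG = TrustedSourceConfig()

def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Three constructed messages through the pipeline."""
    confirmed = Message("203.0.113.5", "Cheap meds", 140, CONFIRMED, {"Realtime Blackhole Lists": 30})
    suspect = Message("198.51.100.7", "Newsletter", 40, SIGNIFICANT, {"User Defined Header Analysis": 55})
    bypassed = Message("192.0.2.10", "Invoice", 140, CONFIRMED, {"Realtime Blackhole Lists": 30})
    return {"confirmed": process(confirmed, CONFIG, WHITELIST, RULES),  # ("dropped at edge", None)
            "suspect": process(suspect, CONFIG, WHITELIST, RULES),      # ("Quarantine (rule 2)", 95)
            "bypassed": process(bypassed, CONFIG, WHITELIST, RULES)}    # ("delivered", 30)
```

Note that the bypassed sender carries the same Confirmed Spam score as the dropped one; only the whitelist entry keeps it out of the edge drop, and its other feature points alone do not reach a rule.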

Configuring a TrustedSource whitelist rule


To create a TrustedSource whitelist rule, navigate to the Whitelist - Manage Rules window (Compliance |
Whitelist | Create).

Table 119 Whitelist - Manage Rules fields


Field Description
Who Select from the drop-down list the type of entity to be whitelisted by this
rule. For a TS rule, the only allowable option is IP Address.
Data In this field, type the data that defines the particular entity you have
chosen to whitelist. For a TS rule, an IP address is required.


Table 119 Whitelist - Manage Rules fields (continued)


Field Description
File If you wish, you can import a list of whitelist entries from a file, if the
entries are in the proper format. For format information, see Appendix B
in this Administration Guide.
Export (hyperlink) If you wish, you can export this file (listing your whitelist entries) to save
it as a backup, and so forth. Click the Export hyperlink and follow the
resulting directions.
Direction Click the appropriate radio button to determine the message direction for
which the rule will apply.
• Inbound
• Outbound
• Both
Queue Select Anti-Spam as the queue for which you want to select processes
to be bypassed.
Bypass When you select queue(s), the processes managed by that queue appear
in the Bypass list. Select TrustedSource as the rule to bypass.

When you have finished entering the required information, click Submit. The rule will be created, and will
appear on the Whitelist - View Rules window (Compliance | Whitelist | View).

TrustedSource queries for LDAP rejections


Email Gateway includes a field in the TrustedSource query it sends, which allows TrustedSource to capture
partial LDAP rejections. The query will return proper information about an IP address if one or more
recipients on the email are rejected. Such emails are likely to be malicious.
Since the LDAP query occurs before TrustedSource, the message will be dropped if all recipients are
rejected. No TrustedSource query will be required.

Launching TrustedSource
You can navigate directly to the TrustedSource website by clicking the link on the TrustedSource -
Configure window. The link takes you to TrustedSource where you can explore the information provided.
You can also access TrustedSource directly by navigating to www.trustedsource.org.

The TrustedSource site


The TrustedSource site opens by default to the Home tab. From there you can navigate through the
remaining tabs to acquire reputation information and use the other resources.

The TrustedSource site is divided into seven tabs, each of which can be accessed from the opening window.
Note: This section is not intended to provide in-depth information about the TrustedSource website, but to serve
as a brief introduction. The latest information about the site and the features of TrustedSource are amply
provided by the site itself. You are invited to explore there. Information is updated continually. You can launch
the site from Email Gateway as explained above, or browse to www.trustedsource.org.


About Anti-Zombie protection


A zombie is a computer that has been compromised by attackers, usually for the purpose of sending spam
and viruses to millions of recipients. Hackers create zombies by using Trojan horses, which are malicious
programs disguised as legitimate email attachments or file downloads. Once it is installed on the victim’s
computer, the payload from the Trojan allows the remote hacker to take control of the machine and use it
for his own purposes. Email Gateway combats zombie attacks through TrustedSource, Connection Control,
and Zero-Day Protection, among other tools.

Anti-Zombie Snapshot
Email Gateway reports its detection of zombies as part of email traffic on the Quick Snapshot window.
Figure 101 Anti-Zombie Quick Snapshot window

The window is divided into two panels, each containing a trend chart. The upper chart tracks today’s
activity, while the lower one presents historical data.

Hourly Trend
The upper graph tracks the Anti-Zombie activities for this Email Gateway for up to 24 hours.
The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative. It tracks the number of messages determined to be from zombie servers.

Message Trend
The lower graph shows historical information for up to 365 days.
The time period actually shown on the historical graph will vary dynamically according to the amount of
data that has been accumulated.
• If the appliance has data for less than a week, the trend data are plotted daily.

• If the data represents from 1 to 12 weeks, the trends are monitored on a weekly basis.

• If the data covers more than 12 weeks, trends are plotted on a monthly basis, for up to one year (365
days).


About Anti-Fraud-Phishing protection


Phishing is a form of online fraud intended to fool a victim into revealing sensitive financial or personal
information to a bogus website that imitates a trusted online brand. Normally, the victim is asked to
provide the information by completing a form on the fraudulent site, which relays the information to the
creators of the fraud.
More broadly, fraud can be considered any malicious misrepresentation of the identity of the sender of an
email message, aimed at obtaining sensitive or confidential information from enterprises. Email Gateway
protection defends against phishing and other attempts to defraud either individuals or companies.

Anti-Fraud-Phishing Snapshot
Email Gateway reports detection of fraud as part of email traffic on the Quick Snapshot window.
Figure 102 Anti-Fraud-Phishing Quick Snapshot window

The window is divided into four panels, each containing a trend chart. The upper chart tracks today’s
activity, while the second one presents historical data. The bottom two charts report both good messages
and fraudulent ones based on specific protocols used by the senders.

Hourly Trend
The message action chart tracks today’s counts of fraudulent messages of three kinds:
• Failed Header Analysis Checks – messages detected by header analysis filters (forged “From” email
address, forged From domain name, mismatched EHLO domain and “From” domain, and forged routing
domain)

• Failed Sender ID Checks – messages detected by SPF/Sender ID lookups

• Failed DKIM Fraud Checks – messages detected by DomainKeys Identified Mail


The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative.
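As an added example (not code from the Email Gateway product or from this guide), the following Python models the two of these checks that can be computed offline: the header-analysis test for a mismatch between the EHLO domain and the “From” domain, and an SPF-style evaluation of a sender policy against the connecting IP address. The SPF records, IP addresses, hostnames and email addresses are constructed for illustration; a real check resolves the record from DNS for the sender domain and handles include, a, mx and redirect terms, which this minimal evaluator deliberately rejects as permerror. Sender ID evaluates the Purported Responsible Address while classic SPF evaluates the envelope sender; this example simply uses the From header domain.

```python
"""Offline model of the Anti-Fraud header-analysis and SPF/Sender ID checks.
Added example; the appliance's own implementation is not documented here."""
import ipaddress
from email.utils import parseaddr


def domain_of(addr):
    """Return the lower-cased domain of an email address, or '' if it has none."""
    _, email = parseaddr(addr)
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()


def ehlo_matches_from(ehlo, from_header):
    """Header-analysis check: the EHLO host must be the From domain or a host within it.
    'evil-example.com' does not match 'example.com'; only 'x.example.com' does."""
    d = domain_of(from_header)
    e = ehlo.lower().rstrip(".")
    return bool(d) and (e == d or e.endswith("." + d))


def spf_check(client_ip, record):
    """Evaluate a minimal SPF record (ip4, ip6 and all mechanisms only) for client_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'permerror'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
        else:
            return "permerror"  # include/a/mx/redirect need DNS; out of scope here
    return "neutral"


# Constructed records standing in for DNS TXT lookups of the From domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}


def classify(client_ip, ehlo, from_header):
    """Return the Quick Snapshot categories a constructed message would count under."""
    reasons = []
    if not ehlo_matches_from(ehlo, from_header):
        reasons.append("Failed Header Analysis Checks")
    record = SPF_RECORDS.get(domain_of(from_header))
    if record is not None and spf_check(client_ip, record) in ("fail", "softfail"):
        reasons.append("Failed Sender ID Checks")
    return reasons


if __name__ == "__main__":
    print(classify("192.0.2.7", "mail.example.com", "Alice <alice@example.com>"))
    print(classify("203.0.113.9", "mail.example.org", "Alice <alice@example.com>"))
```

The second call fails both checks: the EHLO host is outside the From domain, and 203.0.113.9 is not listed in the constructed record, so the trailing -all yields a hard fail.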

Message Trend
The second graph tracks historical data for the same three parameters as the graph above, but the time
period can cover up to 365 days.
The time period actually shown on the historical graph will vary according to the amount of data that has
been accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.

• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis.

• If the data covers more than 12 weeks, trends will be plotted on a monthly basis, for up to one year (365
days).

Sender ID Hourly Trend


The third graph tracks both “good” and fraudulent emails based on SPF/Sender ID anti-fraud protection
(messages that passed, and messages that failed) for the past 24 hours.
The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative.

DKIM Hourly Trend


The bottom graph tracks both “good” and fraudulent emails based on DKIM fraud protection for the past 24
hours.
The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative.

Connection Control
Connection Control is an Email Gateway feature that dramatically reduces the number of spam messages
that must be processed by the appliance. It does this through two processes:
• ESP Connection Control rejection

• LDAP Connection Control rules

ESP connection control


Connection Control reviews the recent ESP score history of every IP address that sends messages through
the Email Gateway appliance and then denies connections from any IP addresses whose history reveals
they are likely to be spammers. These IP addresses are added to the Connection Control Deny List. The
number of messages that must be processed is therefore reduced because future messages from the
denied IP addresses never get into the network.
The review and possible denial of connections result from two system-defined rules in the Email Gateway
Anomaly Detection Engine. These rules are disabled by default; you must enable them.
• The first rule runs every hour and calculates the average Spam Profile score for each IP address over the
past three hours. If the IP address has more than 10 messages with an average ESP score of 100 points
or higher (beginning with the eleventh such message), the IP address is denied connection to Email
Gateway for a period of four days.

• The second rule runs every 24 hours and calculates the average ESP score for each IP address for the
past 24 hours. If the IP address has sent more than 10 messages with an average ESP score of 100 points
or higher (beginning with the eleventh such message), the IP address is denied connection to Email
Gateway for a period of four days.


LDAP connection control


Any IP address whose number of LDAP rejections (messages addressed to recipients that the LDAP
directory lookup rejected) meets or exceeds a defined threshold is subjected to a TrustedSource query. If
the query returns a reputation score greater than zero, the IP address is added to the Connection Control
deny list.
LDAP rejection results from two additional rules in the Anomaly Detection Engine. The first rule is enabled
by default, and the second one is disabled.
• The first rule triggers when the defined number of messages with an LDAP rejection arrive from the same
IP address within the past hour. IP addresses that trigger this rule are added to the deny list for four
days.

• The second rule triggers when the defined number of messages with an LDAP rejection arrive from the
same IP address within the past 24 hours. IP addresses that trigger this rule are added to the deny list
for four days.
Note: If you wish to use LDAP connection control, and the Email Gateway appliance is protected by an Edge
appliance, you must add the Edge appliance to the connection control exclude list.

Configuring Connection Control


Figure 103 Connection Control - Manage Anomaly Rules window

The rules are defined to eliminate false positives by requiring that the IP address has sent enough
messages and that these messages have a high enough average ESP score to warrant denial. If the total
count of all messages is high enough, but the ESP average is NOT high enough, the IP address will not be
denied. Correspondingly, if the ESP average is high, but the messages count is low, the IP address will not
be denied.
Should a false positive ever occur, it can be corrected by deleting the IP address from the Connection
Control Deny List. Additionally, IP addresses can be “whitelisted” by placing them on the Connection
Control Exclude List.

ESP configuration options


The detection periods, threshold values, cycle periods, and actions for the two rules are not configurable.
The only configurable options are:


• Enabling or disabling each of the two rules

• Changing the minimum average ESP score required to qualify for Connection Control

• Selecting the Alert Type from the drop-down list.

Changes to the default configuration can be made by the Email Gateway Threat Response Updates (TRUs).

LDAP configuration options


The detection periods, actions, and action durations for the LDAP rules are not configurable. The only
configurable options are:
• Setting the threshold value (the number of LDAP rejections within the associated time period)

• Selecting the Alert Type from the drop-down list

Special requirements
In order for Connection Control to work, the following conditions MUST be met:
• SpamProfiler must be enabled;

• The Email Gateway utilizing the Connection Control must be the first hop into the network; and,

• Any host (such as a secondary MX) forwarding mail to the Email Gateway appliance, but that should not
be subjected to Connection Control analysis, must be added to the Allow Relay list for the Email Gateway.

Cleanup Cycle
When the denial period expires for a denied IP address, the cleanup cycle will remove that IP address from
the Connection Control Deny List, and connections from that IP address will be accepted again. However,
the IP address will be denied again if the IP address fails any subsequent Connection Control checks.

Exclude List
From time to time, administrators might want to exclude specific IP addresses from Connection Control
processing. This can be accomplished using the Connection Control Exclude List. IP addresses listed on that
window will be exempt from Connection Control scrutiny.
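The following Python is an added example, not the appliance’s code, that models the behaviour described in this section: the ESP rule (more than 10 messages in the window and an average ESP score at or above the configurable minimum, otherwise no denial), the LDAP rejection-count rule, the TrustedSource verification before an address is listed, the Exclude List, the four-day denial period and the cleanup cycle. The reputation lookup is a constructed stub, and all IP addresses, scores and timestamps are constructed for illustration.

```python
"""Model of Connection Control rules, deny list, exclude list and cleanup.
Added example; thresholds follow the guide, everything else is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

DENY_DAYS = 4          # denial period stated in the guide
MIN_MESSAGES = 10      # "more than 10 messages": denial starts with the eleventh
MIN_AVG_ESP = 100      # the configurable minimum average ESP score


class ConnectionControl:
    """Deny list plus the two rule families that feed it."""

    def __init__(self, reputation_lookup, exclude=()):
        self.reputation = reputation_lookup    # ip -> TrustedSource-style score (stub)
        self.exclude = set(exclude)            # Connection Control Exclude List
        self.deny = {}                         # ip -> (type, denied_until)
        self.esp_scores = defaultdict(list)    # ip -> [(timestamp, esp_score)]
        self.ldap_rejects = defaultdict(list)  # ip -> [timestamp]

    def record_message(self, ip, esp_score, ts):
        self.esp_scores[ip].append((ts, esp_score))

    def record_ldap_rejection(self, ip, ts):
        self.ldap_rejects[ip].append(ts)

    def is_denied(self, ip, now):
        entry = self.deny.get(ip)
        return entry is not None and now < entry[1]

    def _add_to_deny(self, ip, kind, now):
        # Excluded hosts are never listed; every other candidate is verified
        # against TrustedSource after qualifying but before being listed.
        if ip in self.exclude or self.reputation(ip) <= 0:
            return False
        self.deny[ip] = (kind, now + timedelta(days=DENY_DAYS))
        return True

    def run_esp_rule(self, now, window=timedelta(hours=3), min_avg=MIN_AVG_ESP):
        """ESP rule: deny only when BOTH the count and the average are high.
        The 3-hour window is the hourly rule; pass hours=24 for the daily rule."""
        denied = []
        for ip, history in self.esp_scores.items():
            recent = [s for ts, s in history if now - window <= ts <= now]
            if len(recent) > MIN_MESSAGES and sum(recent) / len(recent) >= min_avg:
                if self._add_to_deny(ip, "ESP rejection", now):
                    denied.append(ip)
        return denied

    def run_ldap_rule(self, now, threshold, window=timedelta(hours=1)):
        """LDAP rule: deny when LDAP rejections in the window reach the threshold."""
        denied = []
        for ip, stamps in self.ldap_rejects.items():
            count = sum(1 for ts in stamps if now - window <= ts <= now)
            if count >= threshold and self._add_to_deny(ip, "LDAP rejection", now):
                denied.append(ip)
        return denied

    def cleanup(self, now):
        """Cleanup cycle: remove entries whose denial period has expired."""
        expired = [ip for ip, (_, until) in self.deny.items() if now >= until]
        for ip in expired:
            del self.deny[ip]
        return expired


def demo():
    """Constructed traffic that exercises each boundary of the rules."""
    t0 = datetime(2009, 1, 1, 12, 0)
    reputation = {"198.51.100.5": 80, "203.0.113.7": 75, "192.0.2.9": 60, "10.0.0.2": 90}
    cc = ConnectionControl(lambda ip: reputation.get(ip, 0), exclude={"10.0.0.2"})
    for i in range(12):
        t = t0 - timedelta(minutes=5 * i)
        cc.record_message("198.51.100.5", 120, t)  # count high, average high: denied
        cc.record_message("203.0.113.7", 40, t)    # count high, average low: kept
        cc.record_message("10.0.0.2", 150, t)      # on the Exclude List: kept
        cc.record_message("192.0.2.50", 130, t)    # qualifies, but reputation 0: kept
    for i in range(5):
        cc.record_message("192.0.2.9", 200, t0 - timedelta(minutes=5 * i))  # high average, low count: kept
    for i in range(30):
        cc.record_ldap_rejection("192.0.2.9", t0 - timedelta(minutes=i))    # LDAP rule: denied
    esp = cc.run_esp_rule(t0)
    ldap = cc.run_ldap_rule(t0, threshold=25)
    later = t0 + timedelta(days=DENY_DAYS)
    return {
        "esp_denied": esp,
        "ldap_denied": ldap,
        "denied_now": cc.is_denied("198.51.100.5", t0),
        "expired": cc.cleanup(later),
        "denied_after_cleanup": cc.is_denied("198.51.100.5", later),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the false-positive logic explicit: a high message count with a low average, or a high average with too few messages, never reaches the deny list, and an address on the Exclude List or with no TrustedSource reputation is dropped even after it qualifies.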
Figure 104 Connection Control Exclude List - Configure window


Table 120 Connection Control Exclude List - Configure fields


Field – Description
IP Address – This column shows the IP addresses that are currently exempt from Connection Control processing.
Side Note – If any explanatory or identifying side notes were created for the IP addresses, those notes appear in this column.
Delete – Selecting the checkbox and then clicking Submit will cause the IP address to be removed from the Exclude List.
Adding new IPs – The data fields at the bottom of the window allow you to add new IP addresses to the Exclude List.
Add an IP Address – Type the new IP address you wish to add.
Side Note for IP – Add any identifying or explanatory notes that can help others identify the IP address.
Add IP Address from a File – If the IP address(es) reside in a file, you can retrieve them by entering the path to the file or by browsing to it.
Character Set – Select the character set that was used for encoding the list of addresses. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for simplified Chinese in mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – official character set for the People’s Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People’s Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Albanian, Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, allowing variable-length character encoding
Only those character sets supported by both Autonomy and ICONV can be effectively used.
Export – To store a backup copy of the Exclude List, click the Export hyperlink.

Adding an IP address
To add an IP address to the exclusion list, complete the information in the data fields at the bottom of the
Connection Control Exclude List window, then click Submit. The window will refresh to add the new IP
address.


The Connection Control Deny List


When Connection Control determines an IP address should be blocked in accordance with the currently
configured rules, the IP address is added to the Connection Control Deny List.
Figure 105 Connection Control Deny List - Configure window

Table 121 Connection Control Deny List - Configure fields


Field – Description
IP Address – This column lists the IP addresses that are currently blocked from sending messages to the network. At the end of the preconfigured number of days, they are removed from the Deny List.
Connection Control Type – The entry in this column identifies the reason for the IP’s rejection. Options are:
• ESP rejection
• LDAP rejection
Delete – Select the checkbox and then click Submit to remove an IP address from the list. This is useful in the event a false positive should occur.

Connection control deny list IP verification


As a method for reducing false positives, all IP addresses will be checked by TrustedSource before they are
added to the Connection Control deny list. The query is performed after Spam Profiler determines the
address qualifies for the deny list, but before it is actually added to the list.
Note: For connection control functionality requiring TrustedSource information, you must have TrustedSource
enabled, and the IP address being checked must not be whitelisted for TrustedSource.



15 End User Quarantine
Contents
About End User Quarantine
Configuring the EUQ web page
About the User List
The Mailing List
Quarantine release notification
Releasing quarantined messages
About the End User Quarantine Whitelist

About End User Quarantine


Email Gateway can send notifications via email to internal end users when messages are quarantined
because they have triggered an Email Gateway policy. The notifications list the end user messages that are
in the quarantine queue at a given point in time. By clicking the Message ID on a notification email, or by
making selections from a message list window, users can release their messages for further processing.
End User Quarantine Release can help to reduce the burden of releasing quarantined messages that might
have been “false positives.” It lets users manually and visually inspect the contents of the Email Gateway
Quarantine Queues for the purpose of identifying and releasing email that was improperly identified as
spam.
You can create End User Quarantine Release policies based on a single user, a single domain, a group of
users or a group of domains and assign a list of quarantine queues that are included or excluded in the
notification and release process.

Configuring End User Quarantine


You can configure notifications to end users about quarantined messages and specify how often Email
Gateway should check for quarantined messages.
By default, Email Gateway listens for SMTP connections addressed to the IP address specified in system
configuration. To use End User Quarantine (EUQ) Release, you must create a new “listening mechanism” so
Email Gateway can also listen for connections from end users when they release, delete or whitelist
quarantined messages. For this reason, this feature requires the creation of a “virtual” hostname and IP
address for Email Gateway.
Specify a virtual IP address and hostname using the Configure End User Quarantine window so the EUQ
Release can listen for the HTTPS request (on port 443). The virtual hostname is contained in the link sent to
end users to enable them to return the request for release of quarantined messages. It allows Email
Gateway to accommodate more than just SMTP connections and lets end users communicate with Email
Gateway for EUQ Release.
Note: Be certain you do NOT use the underscore character ( _ ) in the virtual hostname you create. If you do use
this character and the user clicks the view all messages link, the window will display a blank list even if there
are quarantined messages that should be listed.


Figure 106 End User Quarantine - Configure window

Note: The End User Quarantine Configuration window does not use international languages as selected in Email
Gateway. By default, EUQ renders the screens based on the language setting for the browser you are using, not
the Email Gateway locale.

Table 122 End User Quarantine - Configure fields


Field – Description
Enable End User Quarantine – Select the checkbox to enable End User Quarantine.
Virtual Hostname – Type the virtual hostname for the Email Gateway appliance. Email Gateway will listen for this hostname when end users send release, delete or whitelist requests.
Virtual IP Address – Type a virtual IP address for the Email Gateway appliance.
Port – Type the port number through which requests are to be returned to Email Gateway. Normally, this is port 443.
Secure – Click the appropriate radio button to indicate if messages are to be sent and received securely. Options are:
• Yes
• No
Selecting No means the release links and the users’ release, delete and whitelist requests travel in clear text; select Yes unless you have a specific reason not to.
Certificate – From the drop-down list, select the certificate to use in encrypting EUQ notices and responses.
EUQ Notification Template – From the pick list, select the template you wish to use to define the appearance of the EUQ Notifications Email Gateway will send.
Details in Notification – Click the radio button to enable or suppress details in the notifications received by users. Options include:
• Yes – display both the link to the table of quarantined messages and a list of the messages currently in quarantine.
• No – display the link only, not the list of messages.


Table 122 End User Quarantine - Configure fields (continued)


Field – Description
Messages in One Notification – Type a number to represent the maximum number of messages that can be included in one notification message.
Notification Options – Select one of the following options to govern notifications regarding messages that have been quarantined in more than one queue:
• Do not notify – do not include the message in any notification to the user.
• Notify without allowing release – notify the user of the message in multiple queues, but do not allow release.
• Notify and allow release – notify the user of the message and allow it to be released at the user’s discretion.
Frequency Schedule – Click the radio button to create a notification schedule based on frequency. Then choose the frequency from the drop-down list.
Detailed Schedule – Click this radio button to disable the frequency schedule and enable a schedule you must configure based on days and times. Select a day of the week from the list to the left of the window, then select the checkboxes for any hours of the day when EUQ should check for messages and send notices. Detailed schedules are configured one day at a time: to configure more than one day (up to all seven days of the week), select another day and repeat your selection of times until the schedule is complete. The times selected for one day do not have to match those selected for other days; the days are configured independently. Your configured days are saved when you click Submit.
Link Expiration – Email Gateway allows users to have a unique (controlled expiration) link for accessing their quarantined messages, rather than receiving a new link each time they get EUQ notices. You can control the expiration frequency of the links for security purposes, and can refresh them at any time should the need arise.
EUQ Link Expiration – Choose the radio button for the expiration rule you prefer. Options are:
• Always – the EUQ links expire immediately (no persistent links)
• Never – the links never expire, but remain available permanently unless refreshed by the administrator
• A specific number of days – type the length of time you want the links to stay active unless they are refreshed by the administrator
EUQ Link Notification – From the drop-down list, select the notification to be sent to users when the links expire or when they are refreshed. When the information in these two fields is correctly entered, click Submit to establish the expiration cycle.
EUQ Link Refresh – If you wish to refresh the EUQ links, click the radio button that identifies the links to be affected. Options are:
• Refresh for All Users – refreshes all unique links associated with this Email Gateway appliance
• Refresh for Specific Users – requires you to type one or more complete email addresses in the data field. Multiple addresses must be entered as a comma-separated list.
When you have determined which links are to be refreshed, click Refresh.

You do NOT need to click Submit before selecting a second or subsequent day in your detailed schedule;
however, if you do, then the next detailed schedule you create will be added to the prior one.
When you have entered the information correctly, click Submit to configure End User Quarantine.
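The guide does not document how the appliance builds its unique, controlled-expiration links, so the following Python is an added example of one sound way to implement the behaviour described above, not the product’s own mechanism. Each user has a random per-user value that a refresh rotates; a link carries the user, its issue time and an HMAC over both, so a forged or tampered link fails verification, a link older than the configured number of days expires, and “Refresh for All Users” or “Refresh for Specific Users” invalidates every earlier link for the affected users. The virtual hostname, master secret, URL path and email addresses are assumptions for illustration.

```python
"""Signed, expiring EUQ release links with per-user refresh.
Added example; the appliance's own link format is not documented in this guide."""
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode


class EuqLinks:
    """Issue and verify per-user EUQ links under the three expiration modes."""

    def __init__(self, virtual_host, master_secret, expire_days=None):
        self.host = virtual_host        # assumed virtual hostname of the EUQ listener
        self.master = master_secret     # assumed appliance-wide secret (bytes)
        self.expire_days = expire_days  # None: Never, 0: Always, N: N days
        self.user_salt = {}             # per-user random value; rotated on refresh

    def _user_key(self, user):
        # Derive the signing key from the master secret and the user's current
        # salt, so rotating the salt invalidates every link signed before it.
        salt = self.user_salt.setdefault(user, secrets.token_bytes(16))
        return hmac.new(self.master, user.encode() + salt, hashlib.sha256).digest()

    def refresh(self, users=None):
        """Refresh for All Users (users=None) or Refresh for Specific Users."""
        for user in (list(self.user_salt) if users is None else users):
            self.user_salt[user] = secrets.token_bytes(16)

    def issue(self, user, now=None):
        """Return the link to embed in this user's notification."""
        now = int(time.time() if now is None else now)
        if self.expire_days == 0:
            self.refresh([user])  # "Always": no persistent link survives a new notice
        payload = f"{user}|{now}".encode()
        sig = hmac.new(self._user_key(user), payload, hashlib.sha256).digest()
        token = urlsafe_b64encode(payload + b"|" + sig).decode().rstrip("=")
        return f"https://{self.host}/euq/list?t={token}"  # assumed path

    def verify(self, link, now=None):
        """Return the user the link belongs to, or None if it is forged or expired."""
        now = int(time.time() if now is None else now)
        try:
            token = link.split("t=", 1)[1]
            raw = urlsafe_b64decode(token + "=" * (-len(token) % 4))
            user_b, ts_b, sig = raw.split(b"|", 2)
            user, issued = user_b.decode(), int(ts_b)
        except (IndexError, ValueError):
            return None
        if user not in self.user_salt:
            return None  # no link was ever issued for this user
        expected = hmac.new(self._user_key(user), user_b + b"|" + ts_b, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        if self.expire_days and now - issued > self.expire_days * 86400:
            return None
        return user


if __name__ == "__main__":
    links = EuqLinks("euq.example.com", b"assumed-master-secret", expire_days=7)
    link = links.issue("alice@example.com")
    print(link)
    print(links.verify(link))
```

The signature is checked with a constant-time comparison, the token never embeds anything guessable such as a message ID or sequence number, and, as the Secure and Port fields above imply, the link is only meaningful when served over HTTPS, since anyone who can read the token can act as the user until it expires or is refreshed.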


Policy modifications in other features for EUQ Release


The point of EUQ Release Notification is to enable end users to manually and visually inspect the headers
(From, To and Subject) of quarantined messages. In various Email Gateway features, you can type a data
value for the quarantine action to indicate how many days a message will be quarantined before Email
Gateway delivers it. If users or groups do not release the messages on the Quarantine Release Notification,
the messages are released or cleaned up (removed) according to the delivery schedule for the queue. Any
messages quarantined for a specified number of days are automatically submitted for processing in the
next queue at the end of the quarantine period. To prevent the automatic processing and delivery of
quarantined messages, you must set the quarantine value to zero. Any message with a quarantine value of
zero is automatically deleted according to the Cleanup Schedule for Quarantine Data.
Caution: EUQR is the only policy where Email Gateway compares the entire recipient address to the domain
named in a group. Envelope Analysis, Desktop Encrypted Compliance, Content Analysis, Attachment Analysis,
and Off-Hour Delivery policies can be applied to any recipient address whose domain matches the domain
identified in a domain-based group.

Logging for End User Quarantine


The two logs pertaining to the EUQ Release process that are visible to administrators are listed below.
These logs, which are viewable in the WebAdmin interface and the Command Line interface, are useful for
creating whitelist entries based on the messages released by end users. The logs are:
• End User Quarantine Release: The eusrquarantine.log shows the EUQ configuration and provides useful
data on the message count, timestamp when the notifications were generated, and the total number of
messages, for all users, that were quarantined since Email Gateway last generated a notification. Use the
eusrquarantine.log to review the notified user count and sleep time if frequency schedule changes are
needed in EUQ configuration.

• Internal - Quarantine Release WebAdmin: The ct_euser.log lists the messages released by end users.
To search the log and display a list of messages that users released from the quarantine queues, use the
following command:

show log ct_euser > grep "Released Message"

Configuring the EUQ web page


You can customize the message list the user sees when clicking the link on the EUQ notice, for example by
adding a logo. Navigate to the configuration window (Anti-Spam | Anti-Spam Advanced | End User
Quarantine | Customization Profile).
Figure 107 End User Quarantine Pages - Customize window


If you select a profile by clicking the Name link, the End User Quarantine Pages - Customize window
refreshes to show current information about the page.

Adding a new customization profile


To add a new customization profile, do the following:
1 On the End User Quarantine Pages - Customize window, click Add New. The first portion of the
customization window appears.

2 Provide the information to complete the window (see Table 123).

Figure 108 Customize EUQ Pages - Add window

Table 123 End User Quarantine Pages - Customize fields


Field Description
Name Enter a name for the new profile.
Description Enter a brief description of the profile to communicate its intended use.

3 Click Submit. The window will refresh to display the full customization options.

Figure 109 Customize EUQ Pages - Add window (expanded)


Table 124 Customizing Specific Pages


Field Description
Enable Select this check box to enable use of this customization profile.
ID: This field shows the profile’s unique ID number.
Name: This field shows the profile name.
Type This field displays the kind of page being customized (End User
Quarantine).
Description: This field contains the descriptive information you entered when the
addition began.
Resource Upload: Browse to the folder that contains the logo, graphic or file you want to
apply to your customization. Select the item you want to use. Select the
check box to apply your selection to the associated asset.
Note: You can select different logos or graphics to use with different
assets.

Caution: Uploaded files and URLs are case-sensitive. The file name in the
CSS must match the actual file name exactly.
Web The lower left portion of the window lists all currently configured assets.
Customization Each asset type is collapsible and can be expanded to show lists.
Assets
Mail List Expand this asset type to view all configured assets for the mail list page.
Click the name link for any listed asset to show a preview of the
customized page in the lower right section of the window.
Style Sheet Expand this asset type to view all configured assets for the stylesheet.
Click the name link to show the stylesheet.

4 Provide the information to complete the window (see Table 124).

5 When you have finished setting up the configuration, click Submit.

Editing an existing customization profile


To edit a customization profile, do the following:
1 Click the profile name on the Customize window. The expanded customize window for that profile
appears.

2 Provide the information to complete the window (see Table 124).

3 When you have finished setting up the configuration, click Submit.

Editing the stylesheet


You can also customize the current style sheet for the mail list from the End User Quarantine Pages -
Customize window. Undertake this only if you are familiar with HTML and CSS. The file may be edited, but
its filename must remain the same.
To edit the css file, do the following:
1 On the Customize window, expand Style Sheet.

2 Click the css filename. A preview appears in the preview window.

3 Click Download Default Resource. Depending on your browser, a save window appears.

4 Save the css file to a convenient location.

5 Open the css file, edit it to suit your needs, then save it.

6 Return to the Customize window and, from the Browse field, navigate to your edited css file and select it.

7 Click Submit. Your file will be renamed and then be used by the system.


Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.

Deleting resource files


You can delete a file you have associated with an asset. To delete a resource file:
1 Select the Delete check box next to the file name.

2 Click Submit. The file is removed from the Assets list.

Deleting a customization profile


To delete a customization profile:
1 Check the Delete box next to the profile you want to remove.

2 Click Submit. The profile will be deleted.

About the User List


This table lists the active policies for end users or groups to be notified if they have messages in a
configured quarantine queue. It displays the kind of entity to which the rule will be applied (Global, Domain,
Group or User), associated data (group name, domain name or individual email address), whether it is an
include or exclude policy, the user type (Sender, Recipient or Both) and the Quarantine Types associated
with the policy. The table also permits deletion of policies from the list.
In certain situations, a user on the End User Quarantine User List can be a member of a group governed by
one rule and, at the same time, have a slightly different rule applied to him/her. For example, a user might
be a member of a group allowed to release messages from a Content Analysis queue, but there can also be
a separate entry for that individual user permitting that user to release from ALL queues. In this case,
user-based rules take precedence over domain, group-based or global rules.
Figure 110 End User Quarantine User List - Manage window

Table 125 End User Quarantine User List - Manage fields


Field Description
Who This column shows the type of entity for which the policy is configured.
Options are:
• Global
• Domain
• Group
• User
Data This column lists the identity of the specific entity associated with the
Who selection.

Table 125 End User Quarantine User List - Manage fields (continued)
Field Description
Include If the user, domain or group is to be included in the policy (is to receive
notifications based upon this rule), this column will display an X.
Type The user who will receive notifications can be the recipient of the
messages, a sender of messages or both. This column indicates the
configuration for the associated entity.
Quarantine Type This column shows the quarantine type or types for which this user will
receive notifications.
Delete If you need to delete a user from this list, select the checkbox and then
click Submit. Clicking the Delete hyperlink will cause all users to be
deleted.

To add a new user to the User List, click Add New at the bottom of the End User Quarantine User List. The
End User Quarantine Data - Add window will appear.
Figure 111 End User Quarantine Data - Add window

Table 126 End User Quarantine Data - Add fields


Field – Description
Apply to all Virtual Hosts – If the administrator adding the new policy is an appliance-level administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator selects it, the new policy applies to all Virtual Hosts on the appliance, without exception. If the administrator is a Virtual Host administrator or is an appliance-level administrator logged directly into a Virtual Host, this option does not appear.
Apply To – Select the kind of entity to which the policy will apply. Options are:
• Global
• Domain Group
• Domain
• User Group
• Email Address
Data selection – If you chose Domain Group or User Group above, select the configured group name from whichever pick list is enabled by your Apply To selection.
Data – If you chose Domain or Email Address above, type the domain name or email address in this data field.
Exclude – If the user is to be excluded (that is, the entity is not to receive notifications), select the checkbox. Otherwise, this will be an “include” rule by default.


Table 126 End User Quarantine Data - Add fields (continued)


Field – Description
User Type – Select the kind of user who will receive notices in compliance with this rule. Options are:
• Recipient
• Sender
• Both
Quarantine Queue – Select one or more quarantine queues from the scrolling list. The user will receive notices regarding messages that are quarantined in the selected queues.

When the information is correct, click Submit. The End User Quarantine User List will update to include the
new user.

Note: The entries in the EUQ User List cannot be edited. User entries can only be deleted and re-entered with
different information (for example, a different queue selection).

The Mailing List


You might wish to set up mailing lists that will receive EUQ Notifications. A mailing list consists of one or
more members, whose email addresses are listed as part of the mailing list. One notification email is sent to
the mailing list, and is delivered to each member of that list. Any member of the list is authorized to release
quarantined messages that appear in the notifications.
Figure 112 Mailing List window

Table 127 Mailing List fields

Mailing List: This column lists the names of any mailing lists that have been created. The mailing list name must be an email address.
Email Address: The email addresses of each member of the list to which notices are to be sent appear in this column.
Delete: If you need to delete a mailing list, select the checkbox and then click Submit.
Adding New Lists: The data entry fields at the bottom of the window allow you to add a new mailing list to the table.

Mailing List: Type a name for the new mailing list. The mailing list name must be an email address.
Email Address: Type one or more email addresses in a comma-separated list. These addresses represent the members of the mailing list who will receive notifications.

To add a new list to the table of mailing lists, complete the information at the bottom of the window
described above. When you click Submit, the new mailing list will be included.

Note: The entries in the EUQ Mailing List cannot be edited. They can only be deleted and re-entered.

Quarantine release notification


Quarantine release notification is sent in the form of an email message generated for each user defined in
an end user quarantine policy when they have messages in associated quarantine queues. The notification
can contain the message headers for a maximum of 500 messages for a single end user. If a message is
sent to a group of end users, it can be released by any one of them, and the message will remain in
quarantine for the rest of the end users in the group. If an email has more than one recipient (in the To,
CC, or BCC fields), the quarantine release notification is delivered to ALL recipients. End users will receive
multiple notifications if they have multiple email aliases that have messages in quarantine. Email Gateway
treats each alias as a separate address for the purposes of notification.
The quarantine queue is monitored according to the frequency schedule set on the End User Quarantine -
Configure window. Quarantine Release Notifications are sent to the specified end users or groups after the
quarantine queue is checked for any messages that have not yet triggered a notification.
The end user or group is identified in the To: field of the notification email.
When the End User Quarantine query runs, it queries a maximum of 25,000 quarantined messages at a
time, then sends notifications for that group of messages. Then the query runs again, querying the next
25,000 additional messages, and sends the notifications for that group. It continues in this manner until it
has queried all messages that have been quarantined since the last time End User Quarantine Release
(EUQR) was performed. This can result in two or more notifications to a single end user at the same time, if
that user has messages in more than one group of 25,000 messages.

An end user can use the link at the top of the release notification to view a list of all of his or her
quarantined messages, then select one or more messages from the quarantine queue and release them for
delivery. Accessing this link shows all messages in the monitored Quarantine Queues for the user, not just
the ones in the associated email.
Note: You can include all Quarantine Queues in EUQ policies. End users can see a list of their messages that are
in the Quarantine Queues, except for messages in the Outbound Quarantine Queue, Off Hour Queue, and Failure
Queue.

Figure 113 Sample EUQ notification

Table 128 End User Quarantine notification fields

Message ID: This column displays the unique system-generated ID number that identifies the message. Selecting this ID number will release the specific message. Email Gateway will then display a confirmation to the end user.
Sender: This column shows the RFC821 From address of the sender of the message.
Subject: The message’s Subject line displays here.
Size in Bytes: This column shows the size of the message in bytes.
Date: The timestamp when the message was received is listed in this column.
Info: This column names the quarantine queue where the message has been quarantined. Messages in the outbound quarantine queue are not included in EUQ Release and are not listed in the notice.
Multiple Recipients: If the message is addressed to more than one recipient, this column displays a “Y” for that message. If not, the column displays an “N.”

Both the notification itself and the window that appears when the user wants to view a list of all
quarantined messages contain an indicator that lets the user know if the message has multiple recipients.

Configuring the notification


You can configure the notices users are to receive in the Mail Notification windows. Email Gateway is
delivered with a default EUQ Link Notification that cannot be edited or deleted. To view the notice, navigate
to the Mail Notification - Manage window (Compliance | Advanced Compliance | Mail Notification).
You can also add your own custom notice by clicking Add New at the bottom of the window.
Select the type of notification you want to create, then enter the required information, just as you would for
any other type of mail notification.

Viewing a list of all quarantined messages


To view a list of all quarantined messages for an end user, click the hyperlink at the top of the notification
email. All quarantined messages that have been validated and found to qualify for notification and for which
notices have not previously been sent will show on the user's window. Messages that have been released or
processed do not appear on the list of all quarantined messages for the user.


Table 129 Quarantined message list fields

Message ID: This column displays the unique system-generated ID number that identifies the message.
From: This column shows the RFC821 From address of the sender of the message.
Subject: The message’s Subject line displays here.
Date: The timestamp when the message was received is listed in this column.
Size: This column shows the size of the message in bytes.
Info: This column names the quarantine queue where the message has been quarantined. Messages in the outbound quarantine queue are not included in EUQ Release and are not listed in the notice.
Multiple Recipients: If the message is addressed to more than one recipient, this column displays a Y for that message. If not, the column displays an N.
Release: Selecting the box in this column associated with any message will cause the selected messages to be released when you click Submit. Clicking the Release hyperlink selects all the messages in the list.
Delete: Selecting the Delete box associated with any message will cause the message to be deleted when you click Submit. Clicking the Delete hyperlink selects all the messages in the list.
Whitelist: Select a box in the Whitelist column to request that the sender or the sending domain be whitelisted for this user, as well as messages going out from the user to the specified users or domains. Clicking the Whitelist hyperlink will request whitelisting for all senders on the list.

You can delete messages using this window by submitting a delete request. If the message has only one
recipient (the user who submitted the request), the message is dropped. If the message has multiple
recipients, the current user is removed from the list.
Note: The hyperlink that displays the list of all quarantined messages might not work with MS Outlook OWA 2003.
This problem exists when signature protection is enabled, with the specific signature #1054 (WEB-MISC weblogic
view source attempt) enabled as well. If the problem occurs, you can resolve it by disabling the signature.

Quarantine duration
An issue related to End User Quarantine and the associated functionality is quarantine duration. The
duration is the number of days a given message will remain in quarantine before it is delivered or deleted
according to the Email Gateway Cleanup Schedule. The quarantine duration is set when rules are applied by
the various features in Email Gateway. At the end of the time set for the specific rule that quarantined the
message, that message can be sent on to the next configured feature or deleted. End User Quarantine
actions must occur within this duration or the message involved will no longer be available.
Note: When you configure a quarantine policy for 0 days, the expiration is tied to the Cleanup Schedule. The
default for Cleanup Schedule is 36 hours. The schedule can be set at Administration | Cleanup Schedule.

Releasing quarantined messages


The end user who receives a quarantined message notification can request that any message shown on that
notice be released. The user has two options:
• Request the release from the email notice itself (for one message at a time); or,

• Navigate to a list of all available messages to request the release of one or more messages.


Releasing from the notification


To request release of a quarantined message from an email notice like the one shown above, click the
Message ID link for the particular message. The message will be released, and Email Gateway will display
a message indicating that the message has been successfully released. The message will proceed through
Email Gateway’s remaining queues and will ultimately appear in the user’s inbound mail.
If a quarantined message is addressed to multiple recipients, each recipient will receive a separate
notification. One user’s request to release the message will not release it for any of the other users. All
recipients can decide for themselves if the message should be released. The process for multiple recipients
holds true when the user releases messages from the available message list as well as from the original
email notice.

Releasing from the quarantined message list


If the user who received the email notice clicks the link at the top of the notice, the list of available
quarantined messages for that user will appear.
To release one or more of the messages that appear on the list, the user selects the Release checkbox for
each message to be released. Clicking the Release hyperlink at the top of the window will set all the
messages for release. You can also delete any or all messages or request whitelisting for any of them by
following a similar process.
To complete the actions you have requested for the selected message or messages, click Submit. Email
Gateway will present a message confirming that the operations you desired have been completed
successfully.


The release process


The flow chart below illustrates the EUQ Release process.
Figure 114 EUQ Process Flow

1 From the email notification or the available message list, the user requests that one or more messages
be released.

2 Email Gateway EUQ process determines if the user who is making the request is the sender of the
message or an intended recipient. Release requests are processed accordingly.

3 If the requestor is the sender of the message, the EUQ process releases the message from quarantine so
it can proceed through any remaining Email Gateway queues and be delivered. The number of recipients
is irrelevant in this case.


4 Email Gateway EUQ process must determine whether the message is addressed to one recipient or
multiple recipients.

5 If the quarantined message has only one recipient, the EUQ process releases the message from
quarantine so it can proceed through any remaining Email Gateway queues and be delivered. This process
also applies to the last remaining recipient of a multiple-recipient message.

6 If the message is intended for more than one recipient, the EUQ process will first make a copy of the
message and store it in the database to keep it available to remaining recipients. The message will then
be delivered to the recipient who released the message, and that user will be removed from the list of
recipients for the message.
Note: The remaining users can decide to release the message for themselves, following this same process.

If the message was still in quarantine and is released by the current user, the pop-up window displays,
“The message has been successfully released.”
Note: If the end-user has installed a pop-up blocker, it can prevent the display of pop-up windows used in End
User Quarantine Release. To avoid blocking Email Gateway pop-ups, disable or override the pop-up blocker.

Under certain circumstances, a message that has been released or deleted by the user can still appear in
the message list after the user has clicked Submit. One possible reason for this is that the release or delete
process is a delayed action, processing a maximum of 100 messages per batch. The selected message
might be waiting for its place in a batch. If the user should retry releasing or deleting the message, the
window will refresh to display a message saying, “Message(s) already released or deleted.” This is simply a
result of the feature’s design, and should not be considered an exception.
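The release and delete decisions described above (sender release, sole or last recipient, multiple recipients with a retained copy, and the retry after a message is already gone), as an added simulation that is not Email Gateway code. The in-memory store, message layout, method names and the sample messages are assumptions made for illustration; the result strings echo the pop-up texts quoted in the guide.

```python
"""Simulation of the EUQ release and delete decisions for quarantined messages.

Constructed example, not Email Gateway code: the store, the message layout
and the method names are assumptions. The result strings echo the pop-up
texts the guide quotes.
"""
from dataclasses import dataclass

RELEASED = "The message has been successfully released."
ALREADY_GONE = "Message(s) already released or deleted."
NOT_A_PARTY = "Requester is not a party to this message."   # assumed wording


@dataclass
class QuarantinedMessage:
    message_id: str
    sender: str
    recipients: set    # recipients who have not yet released or deleted this copy
    queue: str


class EuqStore:
    """In-memory stand-in for the quarantine database (assumption)."""

    def __init__(self, messages):
        self.messages = {m.message_id: m for m in messages}
        self.delivered = []          # (message_id, recipient) handed on for delivery
        self.retained_copies = {}    # copies kept for the remaining recipients

    def remaining_recipients(self, message_id):
        msg = self.messages.get(message_id)
        return None if msg is None else set(msg.recipients)

    def release(self, message_id, requester):
        msg = self.messages.get(message_id)
        if msg is None:
            # A retry after the batch has already run is expected, not an error.
            return ALREADY_GONE
        if requester == msg.sender:
            # Step 3: the sender releases the message for every recipient,
            # regardless of how many recipients there are.
            for rcpt in sorted(msg.recipients):
                self.delivered.append((message_id, rcpt))
            del self.messages[message_id]
            self.retained_copies.pop(message_id, None)
            return RELEASED
        if requester not in msg.recipients:
            return NOT_A_PARTY
        if len(msg.recipients) == 1:
            # Step 5: the sole (or last remaining) recipient releases the message.
            self.delivered.append((message_id, requester))
            del self.messages[message_id]
            self.retained_copies.pop(message_id, None)
            return RELEASED
        # Step 6: keep a copy for the other recipients, deliver to this one only,
        # and drop this recipient from the message's recipient list.
        msg.recipients.discard(requester)
        self.retained_copies[message_id] = set(msg.recipients)
        self.delivered.append((message_id, requester))
        return RELEASED

    def delete(self, message_id, requester):
        msg = self.messages.get(message_id)
        if msg is None:
            return ALREADY_GONE
        if requester not in msg.recipients:
            return NOT_A_PARTY
        if len(msg.recipients) == 1:
            # Only recipient: the message is dropped from quarantine.
            del self.messages[message_id]
            self.retained_copies.pop(message_id, None)
            return "Message dropped."
        # Several recipients: only the requesting user is removed from the list.
        msg.recipients.discard(requester)
        self.retained_copies[message_id] = set(msg.recipients)
        return "Recipient removed from the message."


def sample_store():
    """Constructed sample quarantine contents (addresses are documentation names)."""
    return EuqStore([
        QuarantinedMessage("1001", "alice@example.com", {"bob@example.com"}, "Spam"),
        QuarantinedMessage("1002", "eve@example.com",
                           {"bob@example.com", "carol@example.com", "dan@example.com"}, "Spam"),
        QuarantinedMessage("1003", "alice@example.com",
                           {"bob@example.com", "carol@example.com"}, "Content"),
    ])
```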

About the End User Quarantine Whitelist


End User Quarantine Whitelisting allows users to whitelist rules and policies that apply only to themselves.
They base these rules and policies on the quarantined messages for which they receive EUQ notifications.
This ability can relieve some of the Administrative burden associated with maintaining whitelists while still
allowing the means for administrative oversight when appropriate.
When a user receives notification of a quarantined message for which a whitelist entry is desirable, the user
submits a request to whitelist either the email address or the domain associated with that message. Either
the sender or the recipient (when the end user is the sender) of the message can be whitelisted. In other
words, the user can whitelist messages coming in from specific senders or domains or messages going out
to specific users or domains. In either case, the messages will be allowed to bypass specific Email Gateway
processes.
Email Gateway can be configured to accept whitelist entries automatically or manually.

Automatic processing
If EUQ Whitelisting is enabled and is configured for automatic whitelisting, the end user can create whitelist
entries without assistance.
Note: Automatic processing is not the recommended method, since it does not allow you to monitor the process
as closely as necessary.

When the user receives a notification and then clicks the main link on the notification email, a complete list
of all quarantined messages for that user displays. Clicking the link opens the message list. This window
includes the provision for requesting a whitelist entry for each message shown.
The user can choose one or more messages to be whitelisted. A rule is then created for the sender or the
recipient (email address or domain), and is applied to the user who is doing the whitelisting.
In the case that two or more users create a whitelist entry for the same value (same sender or recipient),
Email Gateway creates only one rule for that entry, and then applies it to all the users who have requested
it.


Manual processing
If EUQ is enabled and is configured for manual whitelisting, the end users will still submit requests in the
same way as for automatic processing. However, instead of automatically creating whitelist entries, the
requests are submitted to the database and are available on the GUI, providing you the opportunity to
decide how and to whom the whitelist rule should apply. You have the ability to submit both the rule and
the policy. You can apply the rule to the user who created the request, in which case the rule will be
considered user-created, or you can decide to apply the rule differently. This is helpful when you
need to apply the same rule for more than one user. This latter option is considered an
administrator-created rule.

Maintaining EUQ Whitelists


Keeping the Whitelists up to date and functioning properly requires maintenance activity. If more than one
Email Gateway appliance is deployed, the whitelists must be synchronized to assure they are applied
correctly. Whitelist usage updates must be propagated as well, as must deletions requested by the users or
the administrator. And, finally, regular automated cleanup is necessary to ensure that only those rules and
policies that are truly useful remain in the whitelists.

Synchronization
In an environment with more than one Email Gateway appliance, the whitelists must be synchronized.
Rules created in one Email Gateway by a user need to be propagated to all others in the system. Each Email
Gateway must recognize all others from which it can receive entries.
Synchronization action only synchronizes end-user whitelists. Administrator-generated whitelist entries are
synchronized by using the Backup and Restore functionalities in the System program area.
Note: Synchronization adds your end-user whitelist entries to the regular whitelist table on all the synchronized
appliances. The entries are user-created, and will not be visible on the whitelist window. Only administrator-
created whitelist entries display. To find your end-user entries you must search for them.

When a user issues a whitelist request from a notification, the pertinent data is stored in a temporary table
on the Email Gateway where it was generated. At a pre-determined time, all the whitelist entries are
collected and then propagated in batches of 100 to the other Email Gateways in the system. SMTPI on the
recipient Email Gateway receives the request to add the new entry, stores it temporarily, and then moves it
to the primary whitelist location at periodic intervals. At these intervals it also reconfigures the RIP Queue
to recognize the newly added entries.
A retry mechanism is available if propagation fails for any reason.
Note: To ensure uniformity of all whitelists in the system, McAfee strongly recommends that all existing whitelists
be synchronized before enabling this feature. All subsequent synchronization is performed on new user entries
added or deleted. The import and export options in whitelisting can be used to accomplish this requirement.

Scheduled cleanup
A second requirement for maintaining accurate whitelists is the elimination of unused rules. The ct_bypass
table includes a time column that is updated to show the last access time whenever a message qualifies for
a user-created whitelist rule. An automatic cleanup process reviews the table and deletes any entries that
have not been used for a user-defined period of time. The user-created policies that apply these rules are
altered accordingly. If the rule is the only rule in a policy, the policy is deleted as well. If this is not the
case, the rule is deleted and the rule ID is removed from the policy.
RIP Queue creates a list of bypass rules that have been triggered when it processes a message. This list is
the source for access times. The database information is updated at a pre-configured interval (every 60
minutes).
The automatic cleanup process is enabled or disabled by the administrator.

Usage updates
In multiple-Email Gateway environments, where messages can flow through any appliance, the usage
information for each rule must be propagated to all Email Gateways in the system. This keeps the usage
information for all rules in sync on all the appliances. This update is performed in batches at the end of the
day.


Deletions
End users can request that any rules they have created be deleted, but the deletions have to be performed
by an administrator. You have the capability to search for the rule and to eliminate it; you can search
against rule information or policy information, against user-created rules and policies, or against
administrator-created rules and policies. You can choose the rules and users that should be deleted. The
deletions will be accomplished the next time the cleanup process runs. If the rule is the only rule in a policy,
the policy is deleted as well. If this is not the case, the rule is deleted and the rule ID is removed from the
policy.
You can also delete rules that have been requested but have not yet been applied, in either automatic or
manual processing mode, when viewing them in the GUI. Users can also view their own requests and mark
for deletion any that need not be submitted. The UI will then remove the requests.
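The scheduled cleanup and the administrator deletions described above (unused rules removed after the delete period, the policy dropped when it loses its only rule, otherwise only the rule ID removed from the policy), as an added simulation that is not Email Gateway code. The `rules` dictionary stands in for the last-access column of the ct_bypass table, `policies` for the user-created policies, `protect_automatic` for the Don't Expire Automatic Rules option, and `requested_deletions` for rules an administrator has marked; all names and sample values are assumptions. It also covers a case the guide does not spell out: a policy whose rules are all removed is dropped along with them.

```python
"""Scheduled-cleanup simulation for user-created EUQ whitelist rules.

Constructed example, not Email Gateway code. Rule and policy dictionaries
stand in for the ct_bypass table and the user-created policies; all names
and sample values are assumptions.
"""
from datetime import datetime, timedelta


def record_usage(rules, triggered_rule_ids, seen_at):
    """Update last-access times from the list of bypass rules RIP Queue triggered."""
    for rule_id in triggered_rule_ids:
        if rule_id in rules:
            rules[rule_id]["last_used"] = seen_at


def cleanup_unused_rules(rules, policies, now, delete_period_days,
                         protect_automatic=False, requested_deletions=()):
    """Return (surviving_rules, surviving_policies, report).

    rules:    {rule_id: {"last_used": datetime, "created_by": "user" | "auto"}}
    policies: {policy_id: {"user": str, "rule_ids": set}}
    """
    cutoff = now - timedelta(days=delete_period_days)
    # Administrator-requested deletions are honoured regardless of usage.
    to_delete = set(requested_deletions) & set(rules)
    for rule_id, rule in rules.items():
        if protect_automatic and rule["created_by"] == "auto":
            continue                       # Don't Expire Automatic Rules is set
        if rule["last_used"] < cutoff:
            to_delete.add(rule_id)         # unused for the whole delete period

    surviving_rules = {r: v for r, v in rules.items() if r not in to_delete}
    surviving_policies = {}
    deleted_policies = []
    for policy_id, policy in policies.items():
        kept = policy["rule_ids"] - to_delete
        if not kept:
            deleted_policies.append(policy_id)   # its only rule(s) went: drop the policy
        else:
            # Otherwise just remove the deleted rule IDs from the policy.
            surviving_policies[policy_id] = {"user": policy["user"], "rule_ids": kept}

    report = {"deleted_rules": sorted(to_delete),
              "deleted_policies": sorted(deleted_policies)}
    return surviving_rules, surviving_policies, report


def sample_rules():
    """Constructed sample of the last-access data (dates and IDs are made up)."""
    return {
        "r1": {"last_used": datetime(2009, 6, 29), "created_by": "user"},
        "r2": {"last_used": datetime(2009, 4, 1), "created_by": "user"},
        "r3": {"last_used": datetime(2009, 3, 1), "created_by": "auto"},
    }


def sample_policies():
    """Constructed sample of user-created policies referencing the rules above."""
    return {
        "p1": {"user": "bob@example.com", "rule_ids": {"r1", "r2"}},
        "p2": {"user": "carol@example.com", "rule_ids": {"r3"}},
        "p3": {"user": "dan@example.com", "rule_ids": {"r2"}},
    }
```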

Configuring the Whitelist


To configure the End User Whitelist from the WebAdmin interface, navigate to the window below.
Figure 115 End User Quarantine Whitelist - Configure window


Table 130 End User Whitelist - Configure fields

Enable EUQ Whitelist: Select the checkbox to turn on EUQ Whitelisting.
Direction: Click the radio button to determine the message direction to which whitelisting will apply. Options are:
• Inbound
• Outbound
• Both
Queue: Select one or more queues that messages from whitelisted users or domains will bypass. The selections from this list will cause the Bypass list to be populated.
Bypass: Select one or more specific features that will be bypassed by the message.
Synchronize: The two columns under the Synchronize heading represent IP addresses or domains (i.e., separate Email Gateways) that should have identical End User Whitelist information.
• Send To – this Email Gateway will send synchronization updates to the Email Gateway appliances on this list.
• Delete – to delete an appliance, select this checkbox and then click Submit.
• Received From – this Email Gateway will receive synchronization updates from the appliances on this list.
• Delete – to delete an appliance, select this checkbox and then click Submit.
Add New: Add new IP addresses or domains to either of the Synchronize lists by entering the information in their respective data entry fields. When you click Submit, the appliances will be added.
Filter Type: Click the radio button to determine the type of entries to be applied in this whitelist. Options are:
• Email – whitelisting will be based on the email address.
• Domain – whitelisting will be based on domains.
Whitelist Mode: How are whitelist entries to be created? Options are:
• Automatic – Email Gateway will automatically create a whitelist entry for each request it receives.
• Manual – You must create the entries from each request.
Manual is the recommended mode of operation, since it allows you to monitor the entries and determine if whitelisting is truly in order. You can also determine if custom application is beneficial, such as for entries that have been requested by more than one user.
Auto Cleanup: Selecting the Auto Cleanup checkbox enables Email Gateway to eliminate rules that have not been applied for the configured delete period.
Don’t Expire Automatic Rules: If Email Gateway is configured in automatic whitelist mode, you can select the checkbox to prevent any automatically-created rules from expiring.
Frequency Schedule: Click the radio button to create a notification schedule based on frequency. Then choose the frequency from the drop-down list.
Detailed Schedule: Click this radio button to disable the frequency schedule and enable a schedule you must configure based on days and times. Select a day of the week from the list to the left of the window, then select the checkboxes for any hours of the day when cleanup should occur. To configure more than one day (up to all seven days of the week), select another day and repeat your selection of times. Repeat this process until you have completed the cleanup schedule. All the days you have configured will be saved when you click Submit.

When you have completed the configuration information, click Submit to record the configuration.


User defined policies


Whitelist policies that have been created as a result of end user requests are shown in the User Defined
Policies - Manage window.
Figure 116 User Defined Policies - Manage window

Table 131 User Defined Policies - Manage fields

End User: This column shows the email address of the user who requested the whitelist policy.
Data: This column displays the email address or domain for the user or domain that is to be added to the whitelist.
Type: The whitelist type is based on the filter type set up when the whitelist is configured, email address or domain. The options are:
• From Domain
• To Domain
• From Email
• To Email
Direction: Inbound or Outbound direction.
Feature Bypassed: List of features from which the entity is to be whitelisted.
User Level: Checkbox indicating the whitelist rule is applied at the user level (for this end user only). The column header is also a hyperlink that will cause the rule to be applied to all the listed users (generally a list of users who have requested the same whitelist rule).
Custom Apply: Checkbox indicating the whitelist rule is applied to an entity other than the end user. The heading is a hyperlink which will cause the rules requested by all listed end users to be custom-applied. When a whitelist entry is custom applied, it will no longer show as a user-generated entry. It becomes an administrator-generated entry.
Delete: Checkbox allowing deletion of whitelist entries.
Navigation: At the bottom right of the window, you will find navigation fields to allow you to move to the next page of content information, the previous page, or a specific page (by entering a page number in the field).


Three buttons appear at the bottom of the window:


• Submit – If you have made any changes on this window, such as marking a policy for deletion, the
changes will be saved when you click this button.

• Reset – If you want to return the configuration to its previous settings (before you took any action), click
this button then click Submit. The window will reset to the way it appeared after the previous Submit
command.

• Synchronize Now – If your environment includes multiple Email Gateway appliances, this button causes
the user defined policies to be synchronized on all appliances.

When user-defined policies appear on this window, they must also be added to the normal Whitelist
window. User-defined whitelist rules that are moved to the regular Whitelist do not appear there. To see
them, you must search for them.



16 Advanced Topics in Anti-Spam
Contents
Sender ID lookup
Bayesian filtering
Analyzing headers
Deny lists
Reverse DNS
Anti-Spam feature order
User Spam Reporting
Spam Traps
RealTime Blackhole Lists
DomainKeys Identified Mail
Backscatter protection

Email Gateway provides an impressive assortment of anti-spam features and processes that you can
configure to meet the demands of your network. This chapter will explain these features and their
configuration.

Sender ID lookup
Sender ID (SID) is an anti-spoofing tool that compares the envelope sender domain or HELO/EHLO domain
against the client IP address before any message data is transmitted. The goal is to detect email address
forgery – those messages wherein hackers and spammers have forged the From address, using either a
totally fictitious IP or one they have stolen from a legitimate sender. The tool depends upon having domain
owners designate sending email exchanges in DNS, to allow SMTP servers to distinguish legitimate email
from illegitimate mail. While SID is primarily an anti-forgery weapon, you might also benefit from reduced
spam and decreased vulnerability to viruses, worms, and so forth.
SID does not verify individual sender usernames, but only validates the domain name. It does not protect
the header From: address, only the envelope sender address. Each domain is responsible for publishing and
maintaining its own SID records.
SID is an SMTP extension intended to prevent spammers from forging email domains; it is a counterpart of
the MX list. SID does not force you to declare a domain for the MTA implementation (SID client). It improves
the veracity of the sender address.

SID in Email Gateway


While the Sender ID Lookup usually occurs before a message enters the network, Email Gateway
implements SID like a Reverse DNS Lookup, supporting only TXT queries. Email Gateway is an SID client.
SID, if it is enabled, is configured to contribute to the Spam Profile score.
Note: You must also enable SID on the SpamProfiler - Configure window to allow the contribution to be accepted.


Figure 117 Sender ID - Configure window

Table 132 Sender ID - Configure fields

Enable Sender ID: Select the checkbox to enable the feature. You can also disable it again by selecting a second time.
Default DNS or Specify Host for DNS: Select the correct radio button to determine whether Email Gateway is to use the default host for DNS, or use the host or hosts you provide.
DNS Host(s): Type the hostname(s) for the DNS host servers, other than the default server.
Sender ID Success Score: Type a number to represent the score Sender ID will contribute when SID determines the sender is good. This number will be deducted from the Spam Profile score.
Sender ID Softfail Score: Type a number to represent the score Sender ID will contribute when SID determines a message is suspicious but does not reject the message (soft failure).
Sender ID Failure Score: Type a number to represent the score SID will return if the sender is not in the published IP list for the domain. This number will be added to the profile score.

Enabling SID Lookup allows Email Gateway to verify the sender domain names against the legitimate
lists of IP addresses published voluntarily by domain owners. From its lookup process, SID
determines one of the following responses:
• The sender is good (valid), meaning the IP address is listed in the owner's published IP list; SID Lookup
sends the SID Success Score to be deducted from the total Spam Profile.

• The sender is suspicious, but not clearly bad; SID Lookup sends the SID Softfail Score to be added to the
profile score.

• The sender is bad (not on the domain owner's published IP list); SID Lookup sends the SID Failure Score
to be added to the profile score.

• SID encounters an error (syntax, and so forth) or doesn't recognize the domain because the domain
owner has not published IP addresses; SID sends a contribution of zero (0) points to the SpamProfiler.

Sender ID and SpamProfiler


The Sender ID lookup results in an absolute value that is contributed to SpamProfiler. If the lookup is
successful (SID+), the absolute value in the SID Success Score will be returned as a negative contribution.
If the SID lookup is unsuccessful (SID-), the value in the SID Failure Score will be returned as a positive
contribution.

236 McAfee Email Gateway 6.7.2 Administration Guide


Advanced Topics in Anti-Spam
Bayesian filtering

Table 133 SID Profile Contribution

Factor | Description
Values | SID lookup values (points)
Formula | SpamProfiler Contribution = SID lookup value points.
Example | If the SID lookup completed with a matching IP (SID+) and the success score is 10 points, then: SpamProfiler Contribution = -10 points. If the SID lookup completed without a matching IP (SID-) and the failure score is 49 points, then: SpamProfiler Contribution = 49 points.

Bayesian filtering
The Bayesian Engine classifies incoming email messages as ham (good email) or spam using probability
theory. Spam messages can be diverted to a separate queue, and so forth, so as not to interrupt mail flow.
The classification is based on clues from prior messages that you have considered spam or ham.
Email Gateway includes a Bayesian word list, but it can also be trained to identify the categories of email
messages. This is done by showing it a large sample of emails the user considers legitimate and a sample of
emails the user considers spam. Bayesian Filtering analyzes these samples for clues that differentiate them,
such as different words, differences in mail headers, content style, and so forth. The clues are stored as a
Bayesian Dictionary. The system then uses these clues to examine new messages. The Bayesian Engine
contributes to the SpamProfiler profile based on the probability scores that result.
Figure 118 Bayesian - Configure window

This window allows you to enable Bayesian Filtering and to configure the tokenization method and Bayesian
retraining, each of which are discussed in more detail below.

Table 134 Bayesian - Configure fields

Field | Description
Enable Bayesian Engine | Select the checkbox to enable or disable Bayesian Filtering.
Enable Automatic Bayesian Retraining | Select the checkbox to enable Email Gateway to automatically retrain the Bayesian engine by providing updated dictionaries. See the discussion of Bayesian retraining below.
Enable Trainer on End User Quarantine | Select this checkbox to allow messages released from End User Quarantine to be added to the messages available for selection as Trainable Ham messages in the Bayesian retraining scenario.
Enable Trainer on User Spam Reporting | Select this checkbox to allow messages released from User Spam Reporting to be added to the messages available for selection as Trainable Spam messages in the Bayesian retraining scenario.
Enable Trainer on Outbound Messages | Select this checkbox to allow Email Gateway to use all outbound messages that have multiple recipients for ham training.
Tokenization Method | Select the proper radio button to configure the tokenization method you want to use:
• Split on white spaces
• Non-overlapping N-GRAM
• Overlapping N-GRAM

When you have finished, click Submit.

Tokenization
The Bayesian dictionary contains accumulated words derived from tokens generated when the Bayesian
engine processes messages. When the engine finds matches for these tokens in the message body, it
assigns points for the number of occurrences it finds. The total of these points is the Bayesian point for the
message.
Email Gateway supports tokenization using one of three methods:
• Splitting on white spaces;

• Non-overlapping N-GRAM; or

• Overlapping N-GRAM.

Splitting on white spaces


When the tokenization method is split on white spaces, the Bayesian engine scans the message body and
defines tokens by selecting each string of characters that is bounded on both sides by white space. Here’s
an example:

Tokenization using white spaces works well for English and most European languages, but not for many
Oriental languages, since they do not use white spaces.

Non-overlapping N-GRAM tokenization


If you select non-overlapping N-GRAM tokenization, the Bayesian engine will define tokens by selecting
strings of characters n characters wide. Here is an example using 5-GRAM tokenization.

If this type of tokenization is applied to English or European languages, white spaces would count like any
other characters.


Overlapping N-GRAM tokenization


If overlapping N-GRAM tokenization is applied, the Bayesian engine will define tokens by selecting strings of
characters n characters wide, but this time each character in the message will start a new token. Here’s an
example of overlapping 5-GRAM tokenization.
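The three tokenization methods described above, as an added example in Python. This is illustrative code written for this page, not the Email Gateway engine's own implementation. The sample strings are constructed; the handling of a final slice shorter than n in the non-overlapping method, the handling of text shorter than n in the overlapping method, and the dictionary-hit counter are assumptions, since the guide does not spell those details out. The example also runs the methods over a string with no white space to show why the white-space method is a poor fit for languages that do not use it.

```python
"""Bayesian tokenization methods: split on white spaces, non-overlapping N-GRAM,
overlapping N-GRAM. Added example, not Email Gateway code."""
from collections import Counter


def split_on_whitespace(text: str) -> list[str]:
    """Each run of characters bounded on both sides by white space is one token."""
    return text.split()


def nonoverlapping_ngrams(text: str, n: int = 5) -> list[str]:
    """Consecutive slices n characters wide; white space counts like any other
    character. Assumption: a shorter final slice is kept as a token."""
    if n < 1:
        raise ValueError("n must be at least 1")
    return [text[i:i + n] for i in range(0, len(text), n)]


def overlapping_ngrams(text: str, n: int = 5) -> list[str]:
    """Slices n characters wide where every character starts a new token."""
    if n < 1:
        raise ValueError("n must be at least 1")
    if len(text) < n:
        # Assumption: text shorter than n yields the whole text as one token.
        return [text] if text else []
    return [text[i:i + n] for i in range(len(text) - n + 1)]


# Only one method is active at a time; "split on white spaces" is the default.
METHODS = {
    "split on white spaces": lambda text, n: split_on_whitespace(text),
    "non-overlapping N-GRAM": nonoverlapping_ngrams,
    "overlapping N-GRAM": overlapping_ngrams,
}


def tokenize(text: str, method: str = "split on white spaces", n: int = 5) -> list[str]:
    """Dispatch to the configured tokenization method."""
    return METHODS[method](text, n)


def dictionary_hits(tokens: list[str], dictionary: set[str]) -> dict[str, int]:
    """Count occurrences of each dictionary token among the message tokens. The
    engine assigns points per occurrence; the point values are not modelled here."""
    return dict(Counter(t for t in tokens if t in dictionary))


if __name__ == "__main__":
    sample = "Buy now!"          # constructed sample message text
    no_spaces = "今日は天気"       # constructed text that contains no white space
    for method in METHODS:
        print(f"{method:24s} {tokenize(sample, method)}")
        print(f"{method:24s} {tokenize(no_spaces, method, n=2)}")
```

With 5-GRAM settings the constructed text "Buy now!" yields two white-space tokens, two non-overlapping tokens and four overlapping tokens; the string without white space yields a single white-space token, which is why an N-GRAM method is the better choice for such languages.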

Additional Bayesian tokenization


McAfee’s Research group continually tests additional tokenization methods that might be useful in Bayesian
analysis. You can select the desired method from the drop-down list on the Bayesian - Configure window.
Only one method can be selected at a time, and split on white space remains the default method.
Bayesian training can be done for additional tokenization methods; McAfee can apply added methods if
customers have issues with those available in the GUI. The content of the drop-down list will be managed
by the Research group, so that all effective methods are available to you. If you encounter spam
effectiveness issues and Support determines that a different Bayes method would help, additional methods
can be made available to you.

Bayesian filtering and the SpamProfiler


The Bayesian Engine contributes to the Spam Profile score, and takes no action of its own. The scores are
based on individual words used to calculate the probability that a message is spam. The probability score is
used to calculate the Spam Profile contribution using the confidence factor.
More accurately, for each message in the Spam Queue, the Bayesian component of Email Gateway
computes two statistics: a probability of spam (Ps), and a probability of ham (Ph). These two statistics
combine to create the Bayesian Point. This point is used to determine the confidence value for the
message.
The actual contribution provided to the SpamProfiler is configured on the SpamProfiler window itself. You
type two values, one for the ham contribution and another for the spam contribution. If a message is to
receive a SpamProfiler contribution from Bayesian Filtering, that contribution will be one of these
numbers.
Type values for both Bayesian Engine - Spam and Bayesian Engine - Ham. The values will contribute to the
SpamProfiler score according to the formula that follows. The values are the Bayesian Spam Contribution
(BSC) and the Bayesian Ham Contribution (BHC).
The threshold values that determine the confidence to declare a message to be ham or spam are the
Bayesian Ham Confidence (HBS) and the Bayesian Spam Confidence (SBS). The default values are 0.4 and
0.6, respectively. The confidence values are not configurable, but can be reset by the Threat Response
Update package.
The SpamProfiler contribution will be calculated as follows:
• If the Bayesian Point is less than or equal to the Bayesian Ham Confidence (point <= HBS), the
SpamProfiler score is modified by subtracting the Bayesian Ham Contribution (BHC).
• If the Bayesian Point is greater than or equal to the Bayesian Spam Confidence (point >= SBS), the
SpamProfiler score is modified by adding the Bayesian Spam Contribution (BSC).

• If the Bayesian Point is greater than HBS but less than SBS, the SpamProfiler contribution for Bayesian
Filtering is 0.

The Bayesian Point values will also determine if a message can be used as trainable ham or trainable spam.


Bayesian retraining
To facilitate Bayesian retraining, Email Gateway will retain a rolling 7-day history of Trainable Spam Per
Day (TSPD) and Trainable Ham Per Day (THPD).
The TSPD values will track the number of messages with high SpamProfiler scores that Email Gateway
receives in a day. These messages will have scores that are greater than or equal to (>=) the attribute
bayes_trainable_high and less than or equal to (<=) the attribute bayes_trainable_max. These attributes
are stored in the database, and are not configurable. They can be reset by the TRU package. Messages with
SpamProfiler scores higher than the maximum will not be used for training. The values are rolled nightly
during the Bayesian Retraining session.
The THPD values will track the number of messages with low SpamProfiler scores. These messages will
have scores that are less than or equal to (<=) the attribute bayes_trainable_low but greater than or equal
to (>=) the attribute bayes_trainable_min. Messages with SpamProfiler scores lower than the minimum will
not be used for training. The values are rolled nightly during the Bayesian Retraining session.

WAIT and Pick modes


When the Bayesian subsystem starts, it checks to determine if any historical values have been saved for
THPD or TSPD. If the table is empty, no messages will be picked for training during the remainder of the
current 24-hour period. Bayesian Retraining will be in WAIT mode, and will not select any messages. This
provides historical data for retraining the following day.
Once the system has historical data with which to estimate the flow of spam and ham, the Bayesian
subsystem will always be in PICK mode when automatic Bayesian retraining is enabled. In PICK mode, the
Bayesian subsystem will use the historical values of TSPD to calculate Estimated TSPD (ETSPD), and then
calculate the ratio of desired spam/ETSPD. If the ratio is greater than 1, it is changed to 1.0. The system
will also use the historical values of THPD to calculate Estimated THPD (ETHPD), and then calculate the
ratio of desired ham/ETHPD. Desired spam and desired ham are values stored in the database,
representing the desired number of spam and ham messages to be accumulated per day for retraining.
At the point when a message is ready to be deleted, the following sequence of events takes place:
1 The system checks to see if the message has an SpamProfiler score that is sufficiently high or sufficiently
low for the message to be considered trainable.

2 If the message is not trainable (does not fall within the trainable ham or trainable spam criteria), it is
deleted.

3 If the message is trainable, it is subject to selection according to the ratios explained above. If it is
selected, it will be moved to a new location and saved for retraining. If it is not selected, it will be deleted.
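The WAIT/PICK logic and the three-step disposal sequence above, as an added example in Python. It is not Email Gateway code: the attribute values (bayes_trainable_min, bayes_trainable_low, bayes_trainable_high, bayes_trainable_max, desired spam and desired ham) are constructed placeholders, since the real ones live in the appliance database and are set by the TRU package, and the guide does not say how ETSPD and ETHPD are derived from the 7-day history, so the example uses the 7-day mean (an assumption). The guide states the cap of 1.0 only for the spam ratio; the example applies it to the ham ratio too. The random draw is passed in as a parameter so a selection decision can be reproduced.

```python
"""Bayesian retraining: trainable classification, WAIT/PICK mode and pick ratio.
Added example, not Email Gateway code."""
from statistics import mean

# Constructed placeholder values. The real attributes are stored in the database,
# are not administrator-configurable, and can be reset by the TRU package.
BAYES_TRAINABLE_MIN = 0      # lowest SpamProfiler score usable as trainable ham
BAYES_TRAINABLE_LOW = 10     # highest SpamProfiler score usable as trainable ham
BAYES_TRAINABLE_HIGH = 90    # lowest SpamProfiler score usable as trainable spam
BAYES_TRAINABLE_MAX = 150    # highest SpamProfiler score usable as trainable spam
DESIRED_SPAM_PER_DAY = 200   # "desired spam": target spam samples per day
DESIRED_HAM_PER_DAY = 200    # "desired ham": target ham samples per day


def trainable_class(score: float):
    """Return 'spam', 'ham' or None according to the trainable score bands."""
    if BAYES_TRAINABLE_HIGH <= score <= BAYES_TRAINABLE_MAX:
        return "spam"
    if BAYES_TRAINABLE_MIN <= score <= BAYES_TRAINABLE_LOW:
        return "ham"
    return None   # above the maximum, below the minimum, or in between


def retraining_mode(tspd_history: list, thpd_history: list) -> str:
    """WAIT when no history has been saved yet (nothing is picked today);
    PICK once historical data exists."""
    return "PICK" if (tspd_history or thpd_history) else "WAIT"


def estimate_per_day(history: list) -> float:
    """ETSPD / ETHPD. Assumption: the mean of the rolling 7-day history."""
    return float(mean(history[-7:])) if history else 0.0


def pick_ratio(desired: float, estimated: float) -> float:
    """desired / estimated, capped at 1.0. With no estimate, select everything."""
    if estimated <= 0:
        return 1.0
    return min(desired / estimated, 1.0)


def dispose(score: float, tspd_history: list, thpd_history: list, draw: float) -> str:
    """The sequence run when a message is ready to be deleted. `draw` is a
    uniform random number in [0, 1) supplied by the caller."""
    cls = trainable_class(score)                      # step 1: check the score
    if cls is None:                                   # step 2: not trainable
        return "deleted"
    if retraining_mode(tspd_history, thpd_history) == "WAIT":
        return "deleted"                              # WAIT mode picks nothing
    if cls == "spam":
        ratio = pick_ratio(DESIRED_SPAM_PER_DAY, estimate_per_day(tspd_history))
    else:
        ratio = pick_ratio(DESIRED_HAM_PER_DAY, estimate_per_day(thpd_history))
    # step 3: trainable, so subject to selection according to the ratio
    return f"saved for {cls} retraining" if draw < ratio else "deleted"


if __name__ == "__main__":
    import random
    tspd = [380, 410, 395, 420, 400, 390, 405]   # constructed 7-day spam history
    thpd = [40, 55, 50, 45, 60, 50, 50]          # constructed 7-day ham history
    for score in (5, 50, 95, 160):
        print(score, trainable_class(score), dispose(score, tspd, thpd, random.random()))
```

With roughly 400 trainable spam messages a day and a desired count of 200, about half of the trainable spam is kept; with only about 50 trainable ham messages a day the ham ratio caps at 1.0 and every trainable ham message is saved.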

The two dictionaries


Email Gateway maintains two Bayesian dictionaries at all times. They are:
• Classification dictionary - the dictionary used to classify messages and to contribute points to
SpamProfiler, but not for training. No new training data is applied to this dictionary.

• Current training dictionary - the dictionary that contains all new training data. This dictionary is renewed
every 24 hours.

If messages have been saved for training, the current training dictionary is updated using all the
currently-saved training messages. The saved messages are deleted. Then the number of tokens in the
current training dictionary is counted, and one of three scenarios takes place:
1 If the number of tokens (before pruning) is less than the minimum number of tokens required in the
updated training dictionary for it to be activated (to replace the existing classification dictionary), the
current training dictionary is retained for the next day’s training.

2 If the number of tokens is equal to or exceeds the maximum number of tokens that can exist in a training
dictionary, the updated dictionary will be pruned by deleting all tokens for which the probability of spam
is between Bayesian Ham Confidence (HBS) and Bayesian Spam Confidence (SBS). Then the tokens are
counted again.


• If the number of remaining tokens is less than or equal to the maximum required for activating the
training dictionary, the updated training dictionary will replace the existing classification dictionary,
and a new (empty) training dictionary is created for the next day’s training.

• If the number of tokens is greater than the maximum required for activating the dictionary, the
updated training dictionary is assumed to be polluted and is deleted without replacing the current
classification dictionary. A new training dictionary is created for the next day’s training.

When a new classification dictionary is activated, the old one is deleted.
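The SpamProfiler contribution rule from "Bayesian filtering and the SpamProfiler" above and the nightly dictionary rollover just described, as one added example in Python. It is not Email Gateway code. HBS = 0.4 and SBS = 0.6 are the defaults stated in the guide; the ham and spam contributions (BHC, BSC), the minimum and maximum token counts, and the representation of a dictionary as a mapping from token to probability of spam are assumptions. The guide does not say what happens when a training dictionary holds at least the minimum but fewer than the maximum tokens; the example activates it without pruning, which is my reading of the text.

```python
"""Bayesian SpamProfiler contribution and nightly dictionary rollover.
Added example, not Email Gateway code."""

HBS = 0.4   # Bayesian Ham Confidence (default from the guide, not configurable)
SBS = 0.6   # Bayesian Spam Confidence (default from the guide, not configurable)

# Assumed administrator-entered values from the SpamProfiler window.
BHC = 25    # Bayesian Ham Contribution
BSC = 50    # Bayesian Spam Contribution

# Assumed activation limits; the guide names them but gives no values.
MIN_TOKENS_TO_ACTIVATE = 3
MAX_TOKENS = 6


def bayes_contribution(point: float, bhc: int = BHC, bsc: int = BSC) -> int:
    """point <= HBS subtracts BHC; point >= SBS adds BSC; in between adds 0."""
    if point <= HBS:
        return -bhc
    if point >= SBS:
        return bsc
    return 0


def prune(training: dict) -> dict:
    """Drop tokens whose probability of spam lies strictly between HBS and SBS;
    such tokens decide nothing during classification."""
    return {tok: p for tok, p in training.items() if not (HBS < p < SBS)}


def nightly_rollover(classification: dict, training: dict,
                     min_tokens: int = MIN_TOKENS_TO_ACTIVATE,
                     max_tokens: int = MAX_TOKENS):
    """Return (classification, training, outcome) after the nightly session.
    Dictionaries are mappings token -> probability of spam (an assumption)."""
    count = len(training)                      # token count before pruning
    if count < min_tokens:
        return classification, training, "retained"     # kept for tomorrow
    if count >= max_tokens:
        training = prune(training)
        count = len(training)                  # counted again after pruning
    if count <= max_tokens:
        # Activate: the old classification dictionary is deleted and a new
        # empty training dictionary starts tomorrow.
        return training, {}, "activated"
    # Still too large after pruning: assumed polluted, deleted without replacing.
    return classification, {}, "polluted"


if __name__ == "__main__":
    current = {"meeting": 0.1, "invoice": 0.3, "free": 0.9}           # constructed
    trained = {"free": 0.9, "now": 0.8, "the": 0.5, "and": 0.45,
               "viagra": 0.95, "hello": 0.55}                            # constructed
    new_cls, new_train, outcome = nightly_rollover(current, trained)
    print(outcome, sorted(new_cls))
    for pt in (0.2, 0.4, 0.5, 0.6, 0.9):
        print(pt, bayes_contribution(pt))
```

Note that the boundary values are inclusive in the guide's wording: a Bayesian Point of exactly 0.4 still subtracts BHC and exactly 0.6 still adds BSC, while pruning removes only tokens strictly inside the (HBS, SBS) band.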

Ham retraining
As part of McAfee’s ongoing efforts to improve Bayesian training and effectiveness, Bayesian training is
being enhanced to include training on outbound messages. Bayesian functionality will be trained using all
messages being sent outbound from the enterprise, so long as each message has multiple recipients.
Messages destined to a single recipient will not be used for training.
Email Gateway also allows you to send ham, or legitimate email, to a special email account. This mail will
be used for retraining the Bayesian classifier, similar to the way spam messages have been supplied in the
past.
To configure this feature, type the ham notification address in the data field on the User Spam Reporting -
Configure window.
If a message is sent to the ham address and that message contains an embedded image, or if it has an
image attached, the image will be added to the list of whitelisted images for the specific Email Gateway
Image Spam Classifier.
Note: Image Spam Classifier requires that SuperQueue be manually restarted before it will recognize whitelisted
items.

Email Gateway includes a provision to allow you to enable training on outgoing messages (as ham). The
Bayesian - Configure window includes a checkbox that allows you to enable or disable training. This option
can be used to alleviate overemphasis on spam messages for Bayesian training.

Administrator-released messages
Email Gateway provides the ability to specify messages that will be used for Bayesian training, much as the
way EUQ released messages are used.
To specify messages for training, select the messages on the Quarantine Queue Message List window, then
click the button at the top of the window. Any messages you have selected will be used for Bayesian and
ISC training.

Analyzing headers
Email Gateway employs a range of methods to analyze the content and construction of the RFC821 and 822
headers in messages.

Regular expression header analysis


Email Gateway uses regular expressions in processing header analysis. Header fields can be matched
against regular expression rules, or can be examined using functions. All the regular expressions are
compiled at initialization to avoid the necessity to compile them in each thread of the SuperQueue.
Spam functionality reads the Ct_spam_service_list table at initialization. If the active spam service is a
regex function, Spam Queue reads the regex_id field. If that field contains a value, the feature parses the
value to extract regex identifiers (a comma-separated list of regex pattern identifiers). For each pattern
found, Email Gateway calls a function to compile it and return a regex object. If the spam service that is
processing the message is a regex function and a function name is present in the function_name field, this
indicates the need for functional analysis. Each function can use none, one or more of the regex objects.


All regex definitions and function definitions are compiled in a separate file. Email Gateway is delivered with
the current version of the file, and the file can be updated as part of McAfee's update system.
Note: You cannot create regular expressions independently, but can contact McAfee Support to request additions.

When the Spam Queue processes messages, it executes the regular expressions by passing the regex
objects, data from the mail part of the message, and the method (search/replace) as arguments for the
spam detection process. If the process finds a match, it records the configured point value. The functions
also execute and the points are totalled. When total points exceed the configured threshold value, the spam
service takes action based on the rules.

System Defined Header Analysis


Email Gateway System Defined Header Analysis filters examine characteristics of the RFC822 headers.
System Defined Header Analysis is processed in the Anti-Spam feature. Therefore, Anti-Spam must be
enabled and running for this tool to function.
Note: If a single message contains more than 175 total entries in the From, To, CC, or BCC headers, Anti-Spam
will not process that message. The message remains in the SuperQueue until all applicable functionality has been
applied to it.

The System Defined Header Analysis page is broken into two parts: a list of filters that look for specific
header information, and a table of policies specifying what actions Email Gateway should take when certain
thresholds are reached.
Figure 119 System Defined Header Analysis - Configure window

Table 135 System Defined Header Analysis - Configure fields

Field | Description
Enable SDHA | Select the checkbox to enable SDHA.
SDHA Filters | The table in the upper portion of the window is a scrolling list of SDHA filters, including editable point values and the capability to enable or disable individual filters. A list of the filters is included later in this chapter.
Filter Name | This column is segmented by the message part to which it applies. For each part, the applicable SDHA rules are listed. The list of rules is discussed separately.
Points | Beside each filter, this column shows the point score assigned to each filter. These scores are editable. The allowable range for point scores is between -10,000 and 10,000 points.
Locked | Selecting this checkbox locks the individual filter so that it will not be overwritten when a new TRUResponse update is installed.
Enable | Selecting the Enable checkbox beside a filter enables that specific filter. Clicking the Enable hyperlink enables all filters.
SDHA Rules | The lower table lists the currently configured SDHA rules that can be enabled.
Threshold Value | This column shows the threshold that logically relates to the individual point values for the enabled filters above. If a message triggers any enabled filters, their point values are summed, and if the total meets or exceeds this threshold, the specified action is taken.
Action | This column displays the action associated with the policy.
Action Value | If the selected action requires additional data, such as a number of days messages should be kept in quarantine, that information shows here.
Quarantine Type | If Quarantine or Remote Quarantine is the selected action, you must also select a quarantine type. That selection shows in this column.
Delete | Selecting the checkbox and then clicking Submit will cause the policy to be deleted.
Adding New Rules | The bottom of the window contains data fields that allow you to add new SDHA rules.
Threshold Value | Type a value to represent the threshold at which this policy will be triggered.
Action | Select from the pick list the action you want Email Gateway to take when a message triggers this rule.
Action Value | If the action you have chosen requires additional information, type the required value in the data field.
Quarantine Type | If Quarantine or Remote Quarantine is the selected action for this rule, select the quarantine type from the list.

If you have made changes or added a policy, click Submit. The SDHA window will refresh to reflect the new
configuration data.

SDHA filters
Email Gateway will use any of the filters enabled on this page as it examines each message entering the
Anti-Spam Queue. Each enabled filter must be given an associated numeric weight or point value. The point
values are arbitrary, but they must relate logically to the over-all threshold specified for each System
Defined Header Analysis policy. (You can use the point value as a binary value – for example, on or off –
where all filters have the same point value and the over-all threshold simply becomes a count of how many
filters detected certain header characteristics. Alternately, you can use varying point values to reflect your
confidence that a particular header characteristic is correctly associated with spam. The over-all threshold
then becomes a weighted scale, where a target has to be reached before Email Gateway will act on the
message.)
The table below shows the available SDHA filters.

Table 136 SDHA Filter Rules

Group | Rule | Description
821-Address | Forged From: email address | Email Gateway will check that the RFC822 FROM email address is in the proper format and compare this address with the FROM email address in the RFC821 header.
821-Address | Forged From: domain name | Email Gateway will check that the RFC822 FROM domain name is in the proper format (domain + dot + com/net/org, and so forth) and compare this address with the FROM domain name in the RFC821 header.
821-Address | From Address DNS Lookup Failure | Email Gateway will do an MX lookup for the RFC822 From address domain.
821-Address | EHLO domain From Address domain Mismatch | Email Gateway compares the EHLO domain name it receives in the initial SMTP handshake with the From address domain name.
821-Address | IP Address Reverse Lookup Failure | Email Gateway will do a reverse lookup for the IP address from which a connection came and compare it with the result of the MX lookup of the EHLO domain. Note: Because Email Gateway gets the result of the MX lookup of the EHLO domain, this option does not require that the previous option, EHLO domain From address domain mismatch, be enabled.
821-Address | Invalid MailFrom (Forged Routing Domain) | Email Gateway will detect addresses that are a part of the routing domain and not in the allow relay IP list.
822-Headers | Missing Headers To:, From:, Subject | Email Gateway will detect any message that does not contain a RFC822 To or From address, or Subject line. (Be aware that end users frequently send email that does not contain a Subject line.)
822-Headers | Identical To and From Address | Email Gateway will detect if an identical email address is present in both the To and From addresses.
822-Headers | Missing To CC | Email Gateway will require that at least one value is present in either the To or Copy headers. Only if a value is not present in either header does this filter flag a message.
822-Headers | Check Cumulative To + CC | Email Gateway will check the cumulative number of To and CC addresses in the 822 Header, and take action if the threshold is met.
CC-Address | Multiple headers | Email Gateway will detect messages with more than 150 addresses present in the CC headers.
Date | Timezone out of range | Email Gateway will not allow TimeZone > +1400 and < -1400.
Date | More than 96 hrs old or 24 to 96 hrs before time | Email Gateway will detect if the date header value is 96 hrs in the past or 24-96 hrs in the future of the received header dates.
Date | Does not conform to rfc 822 | Email Gateway detects if the rfc 822 date header value does not follow the rfc 822 specifications.
Date | Unusual Y2K formatting | Email Gateway detects if the date header does not follow normal Y2K date formatting.
From-Address | Contains at something-offers | Email Gateway detects if the rfc 822 from address contains the word 'offers' in the domain name, for example abc@cooloffers.com.
From-Address | Contains No Local part before @ sign | Email Gateway will detect addresses that start with @, which will catch faulty mail ids like abc @ abc.com<abc@abc.com>.
From-Address | Contains 3 consecutive 8 bit characters | Email Gateway detects if there are 3 consecutive 8 bit characters in the from address. \x80-\xff are 8 bit characters.
From-Address | Mixed with numbers starting with a letter | Email Gateway checks for From addresses that have numbers mixed with letters, but starting with a letter.
From-Address | Contains numbers | Email Gateway checks for From addresses that have numbers mixed with letters in a special pattern.
From-Address | Ends with numbers | Email Gateway checks for From addresses that end with numbers.
Message-Id | Forged Message ID | Email servers automatically generate a unique message ID when sending a message. Email Gateway first checks that there is a message ID, then checks that it is properly enclosed within open and closed angle brackets (< and >), and that it contains a domain name.
Message-Id | Pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of alphanumeric characters generated very often by spam tools.
Message-Id | Zeroes Variant Pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of zeroes generated very often by spam tools.
Message-Id | 6-letter Variant pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of alphanumeric characters generated very often by spam tools.
Message-Id | 3-Dollars variant pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of dollars and digits generated very often by spam tools.
Message-Id | 4 Zeroes variant pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of four zeroes generated very often by spam tools.
Message-Id | 4 Numbers and Dollars variant pattern indicates generation by spam tool | Email Gateway detects invalid Message Id format containing a defined pattern of dollars and four digits generated very often by spam tools.
Message-Id | Contains no hostname | Email Gateway detects invalid Message Id format with no hostname information following the @ symbol.
MS Outlook Specific | Message forged to appear from MS-Outlook | Email Gateway checks to see if the message has been forged to appear to have been sent from Microsoft Outlook.
Received | Contains indication of receipt via buggy SMTP server (MDaemon 2.7.4SP4R) | Email Gateway detects if one of the received headers contains ‘with SMTP.MDaemon.v2.7.SP4.R.’
Received | Contains a spam-sign i.e. lowercase smtp | Email Gateway detects if one of the received headers contains "with smtp".
Received | Contains CacheFlowServer IDENT name | Email Gateway detects if the received headers indicate that the message was sent by a squid proxy.
Reply-To-Address | Is Empty | Email Gateway detects that the header is present but contains nothing.
Subject | Starts with To address | Email Gateway detects that the subject line begins with the To address.
Subject | Not present and empty body | Email Gateway detects that there is no subject, and that the body of the message is empty.
Subject | Present and empty body | Email Gateway detects that the subject is present, but the body of the message is empty.
Subject | Not present | Email Gateway detects a subject which contains an exclamation mark as well as a question mark in any order, meaning that either one can precede the other and they can be separated by words or white space.
Subject | Starts with advertising tag | Email Gateway detects that the subject starts with the letters ADV.
Subject | Contains advertising tag | Email Gateway detects that the subject contains the letters ADV, which might be interspersed with white spaces.
Subject | Contains As Seen | Email Gateway detects a subject header containing the words As seen.
Subject | Contains Free Instant | Email Gateway detects a subject header containing the words Free Instant.
Subject | Starts with Free | Email Gateway detects a subject header that starts with the word Free.
Subject | Contains GUARANTEED | Email Gateway detects a subject header containing the word Guaranteed.
Subject | Contains life insurance | Email Gateway detects a subject header containing the words life insurance.
Subject | Contains Now Only | Email Gateway detects a subject header containing the words now only.
Subject | Contains viagra | Email Gateway detects a subject header containing the word viagra.
Subject | Contains Your Family | Email Gateway detects a subject header containing the words your family.
Subject | Contains statement on losing pounds | Email Gateway detects a subject header which contains statements like lose pounds / lose weight / lose lbs or similar.
Subject | Contains statement about being approved | Email Gateway detects a subject header which contains words like approved or approval.
Subject | Indicative of Nigerian spam | Email Gateway detects a subject header which contains statements like Re: very urgent and confidential.
Subject | Contains Nigerian spam words | Email Gateway detects a subject header which contains statements like Re: family assistance.
Subject | Contains Korean unsolicited email tag | Email Gateway detects a subject header which contains 8 bit characters where \xbc\xba\xc0\xce means 'adult', \xb1\xa4\xb0\xed means 'advertisement', \xc1\xa4\xba\xb8 means 'information' and \xc8\xab\xba\xb8 means 'publicity', indicative of Korean spam.
Subject | Contains lot of 8 bit characters | Email Gateway detects a subject header which contains 8 bit characters. \x80-\xff are 8 bit characters.
To-Address | Contains 3 consecutive 8 bit characters | Email Gateway detects if there are 3 consecutive 8 bit characters in the To address. \x80-\xff are 8 bit characters.

RFC821 versus RFC822 headers


The RFC821 (Request for Comment 821) and RFC822 documents (also known as Internet Official Protocol
Standards 10 and 11) are documents that describe the specifications for technologies used for Internet
messaging.
Every email contains two sets of headers that identify the message sender, recipient, date, subject, and so
forth:

RFC821 headers
These are the headers that have to do with delivery of the mail over the internet and are the “envelope
headers” and are described in RFC821. This is the data exchanged between sending and receiving servers
as they negotiate how the message is to be delivered.
Since it is less frequently counterfeited, RFC821 information is more reliable than RFC822 data for use in
capturing true spam while allowing legitimate email to be delivered. Email Gateway displays RFC821 header
data everywhere in the Queue Manager program area except in the Message Details window. Email
Gateway whitelists and blacklists are based on the RFC821 header data.

RFC822 headers
These are content headers that describe the content of the message. Content headers can also contain
information that is particular to specific mail delivery systems. This is the data the email program uses
when displaying the email in its interface. The User Spam Reporting table displays the RFC822 header data.

SDHA and SpamProfiler


System-Defined Header Analysis returns an absolute point value to SpamProfiler. Each SDHA filter that is
configured in the SDHA window has an associated point value. Each of these values (all positive numbers)
is returned to SpamProfiler.


Table 137 SDHA SpamProfiler Contribution

Factor | Description
Values | The configured point value for each triggered SDHA filter.
Formula | SpamProfiler Contribution = Sum of all matched SDHA filter points.
Example | Invalid MailFrom (Forged Routing Domain): 10 points. Date does not conform to RFC822: 15 points. SpamProfiler Contribution = 10 + 15 = 25 points.

User-Defined Header Analysis


This window gives you fine control over which messages Email Gateway should act upon. It is highly
recommended that only those with expert knowledge of the RFC822 protocol create and use the filters on
this page. Incorrectly created filters can result in unintended consequences.
Create individual filters in the top table specifying a particular RFC822 header and the values it should or
should not contain. Then assign a numeric weight to each filter. (The weight is an arbitrary number that
must be logically related to the threshold value provided in the bottom table.) Depending on the overall
threshold, when some combination of filters identifies spam-like header characteristics in a message, Email
Gateway will take an action.
Figure 120 User Defined Header Analysis - Configure window

Table 138 User Defined Header Analysis - Configure fields


Field Description
Enable UDHA Select the checkbox to enable the UDHA feature.
UDHA Filters The table in the upper portion of the window lists the current UDHA filters.
Header This column displays the name of the RFC822 header type upon which the
filter is based. An X in front of the name indicates that it is a custom
header type created by a User (for example, X-Mime-Key).

Condition This column displays one of four values:
• There: the specified header is present.
• Not There: the specified header is not present.
• Equal To: the specified header exactly matches the text string
appearing in the Data column to the right.
• Contains: the text string appearing in the Data column to the right
appears anywhere in the specified header.
Data This column displays the text string that the User Defined Header Analysis
policy is expecting to be present or not present in the specified header.
An entry in the column is required for the Equal To and Contains
conditions.
Points This column displays the point value or weight of a given filter. The
number is arbitrary, but relates logically to the overall thresholds
indicated in the User Defined Header Analysis policy table below.
The allowable range for point scores is between -10000 and 10000 points.
Locked Selecting this checkbox locks the individual filter so that it will not be
overwritten when a new TRUResponse update is installed.
Enable Selecting the checkbox for a specific filter enables or disables that filter.
Clicking the Enable hyperlink enables or disables all filters.
Delete Select a filter’s Delete checkbox and click Submit to delete a filter from
this table.
Adding New Filters The data fields just below the list of filters allow you to add new filters.
Header Type the name of a valid or custom RFC822 header-type upon which to
base the new filter.
Condition Select one of the four options specifying the filter’s condition:
• There: the value in the Data field is characteristic of spam—when it is
there, the filter will flag the message as possible spam.
• Not There: the value in the Data field is expected in normal email —
when it is not there, the filter will flag the message as possible spam.
• Equal To: the value in the Data field is characteristic of spam—if the
header contains the exact string, the filter will flag the message as
possible spam.
• Contains: the value in the Data field is characteristic of spam — when
the header contains the string anywhere within the header, the filter
will flag the message as possible spam.
Data Type a text string that is characteristic of spam or characteristic of normal
email. Depending on the condition specified in the Condition field above,
Email Gateway will check if this string is present in or absent from the
header and make a determination whether or not the message is likely to
be spam.
If you want to add a data value that includes an apostrophe, you must
escape that apostrophe, as shown below:
Subject contains Mike\'s.
Points Type a number representing how confidently the filter can be trusted to
detect spam without generating false positives. The number is arbitrary,
but must relate logically to the overall threshold created in a User Defined
Header Analysis policy below.
Enable (checkbox) If you want the policy to be enabled immediately, select the Enable
checkbox.
UDHA Policies The table in the lower portion of the window shows currently configured
applications of UDHA rules.
Threshold Value This column shows the threshold that logically relates to the individual
“point values” for the enabled filters above. If a message triggers any
enabled filters, their point values are summed, and if the total meets or
exceeds this threshold, the specified action is taken.
Action This column displays the action associated with the policy.

Action Value If the selected action requires additional data, such as a number of days
messages should be kept in quarantine, that information shows here.
Quarantine Type If Quarantine or Remote Quarantine is the selected action, you must also
select a quarantine type. That selection shows in this column.
Delete Selecting the checkbox and then clicking Submit will cause the policy to
be deleted.
Adding New Policies The data fields just below the list of policies allow you to configure new
UDHA policies.
Threshold Value Type a value to represent the threshold at which this policy will be
triggered.
Action Select from the pick list the action you want Email Gateway to take when
a message triggers this rule.
Action Value If the action you have chosen requires additional information, type the
required value in the data field.
Quarantine Type If Quarantine or Remote Quarantine is the selected action for this rule,
select the quarantine type from the list.

If you have made changes or added new rules or policies, click Submit. The UDHA window will update to
show the new configuration.

UDHA and SpamProfiler


User-Defined Header Analysis returns an absolute point value to the SpamProfiler. Each UDHA filter that is
configured in the UDHA window has an associated point value. Each of these values (all positive numbers)
is returned.

Table 139 UDHA SpamProfiler Contribution


Factor Description
Values The configured point value for each triggered UDHA filter.
Formula SpamProfiler Contribution = Sum of all matched UDHA filter points.
Example X-List-Unsubscribe: 10 points
X-Library: 5 points
SpamProfiler Contribution = 10 + 5 = 15 points.
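The following Python block, added here as an illustration and not McAfee's own code, implements the four UDHA conditions of Table 138 over parsed RFC822 headers, applies the escaped-apostrophe rule for Data values, sums the matched points as in Table 139 and compares the total with policy thresholds. The filter set, the policies and both sample messages are constructed; the tie-break when several thresholds are met is an assumption.

```python
"""UDHA-style header filtering: Table 138 conditions scored as in Table 139.

Added example, not McAfee's code. Filters, policies and sample messages
are constructed for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from typing import List, Optional

CONDITIONS = ("There", "Not There", "Equal To", "Contains")


@dataclass(frozen=True)
class UdhaFilter:
    header: str          # RFC822 header name; custom headers start with X-
    condition: str       # one of CONDITIONS
    data: str = ""       # required for Equal To and Contains
    points: int = 0      # allowed range -10000 .. 10000
    enabled: bool = True

    def __post_init__(self) -> None:
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition {self.condition!r}")
        if self.condition in ("Equal To", "Contains") and not self.data:
            raise ValueError("Data is required for Equal To and Contains")
        if not -10000 <= self.points <= 10000:
            raise ValueError("points must be between -10000 and 10000")


def unescape_data(data: str) -> str:
    """The UI stores apostrophes escaped (Mike\\'s); undo that before matching."""
    return data.replace("\\'", "'")


def filter_matches(f: UdhaFilter, msg: Message) -> bool:
    """Evaluate one filter against parsed RFC822 headers. Assumptions: header
    names match case-insensitively, values case-sensitively, and a repeated
    header matches if any occurrence does."""
    values = msg.get_all(f.header) or []
    if f.condition == "There":
        return bool(values)
    if f.condition == "Not There":
        return not values
    data = unescape_data(f.data)
    if f.condition == "Equal To":
        return any(v.strip() == data for v in values)
    return any(data in v for v in values)   # Contains


def udha_contribution(filters: List[UdhaFilter], raw_message: str) -> int:
    """Table 139: SpamProfiler contribution = sum of matched filter points."""
    msg = message_from_string(raw_message)
    return sum(f.points for f in filters if f.enabled and filter_matches(f, msg))


@dataclass(frozen=True)
class UdhaPolicy:
    threshold: int
    action: str           # e.g. "Quarantine", "Drop"
    action_value: str = ""
    quarantine_type: str = ""


def select_policy(policies: List[UdhaPolicy], score: int) -> Optional[UdhaPolicy]:
    """Policy whose threshold the score meets or exceeds (highest wins; assumption)."""
    hits = [p for p in policies if score >= p.threshold]
    return max(hits, key=lambda p: p.threshold) if hits else None


# Constructed filters: the Table 139 pair plus one of each other condition.
EXAMPLE_FILTERS = [
    UdhaFilter("X-List-Unsubscribe", "There", points=10),
    UdhaFilter("X-Library", "There", points=5),
    UdhaFilter("Subject", "Contains", data="Mike\\'s", points=3),
    UdhaFilter("Date", "Not There", points=15),   # normal mail carries a Date
    UdhaFilter("X-Mailer", "Equal To", data="Old Bulk Tool", points=20, enabled=False),
]
EXAMPLE_POLICIES = [UdhaPolicy(30, "Quarantine", "30", "Spam"), UdhaPolicy(60, "Drop")]

# Constructed sample messages; only the headers matter here.
SAMPLE_SPAM = (
    "From: promo@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: Mike's deal of the week\r\n"
    "X-List-Unsubscribe: <mailto:unsub@example.com>\r\n"
    "X-Library: bulkmailer 1.0\r\n"
    "X-Mailer: Old Bulk Tool\r\n"
    "\r\nbuy now\r\n"
)
SAMPLE_HAM = (
    "From: alice@example.org\r\n"
    "Date: Mon, 02 Mar 2009 10:00:00 +0000\r\n"
    "Subject: Meeting notes\r\n"
    "\r\nsee attached\r\n"
)


def classify(raw_message: str) -> Optional[str]:
    """Return the action of the policy the message triggers, or None."""
    score = udha_contribution(EXAMPLE_FILTERS, raw_message)
    policy = select_policy(EXAMPLE_POLICIES, score)
    return policy.action if policy else None
```

The disabled X-Mailer filter shows that the Enable checkbox removes a filter from the sum even when its condition would match.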

Deny lists
Email Gateway displays three separate deny lists. A deny list is a table of IP addresses that represent
sources that are not allowed to send email to the network. The Deny Lists function at the level of Email
Gateway SMTPI Service. Whenever an external source attempts an SMTP connection, Email Gateway looks
in each of these tables to see if the source IP is present. If the IP address is found in any Deny List, Email
Gateway drops the connection, and the email is not accepted. Each of the three Email Gateway Deny Lists
represents different ways the source IP addresses were identified.

Local Deny List


Before Email Gateway SMTPI Service accepts a connection, it looks in the Local Deny List to see if the IP
address is listed. If the IP address exists, the connection is dropped; if the IP address does not exist in this
or the other two Drop Lists, Email Gateway accepts the connection.
The Local Deny List allows you to manually type an IP address that should not be allowed to make a
connection to Email Gateway. Whenever a spam message is able to get past other spam-blocking tools,
consider finding the message’s IP address in the SMTPI Detailed Log and entering it in the Local Deny List.

Figure 121 Local Deny List - Configure window

Table 140 Local Deny List - Configure fields


Field Description
IP Address or Subnet This column displays the IP address or subnet that identifies the specific
entry in the list.
Side Note Any additional information entered as side note regarding the entry will
show in this column.
Delete Selecting the checkbox and then clicking Submit will remove the
associated entry from the list.
Add an IP Address or Subnet If you wish to add an entry to the list, type an IP address. Subnets can
also be entered, but only entire Class A, B, or C subnets are allowed. Type
only one IP address or subnet at a time.
Side Note for IP Type any text that will help other users understand why the particular IP
address or subnet has been added to the list. A side note is not required,
but it cannot be entered later.
Add IP addresses or subnets from a file If a list of IP addresses that should not be allowed to connect to Email
Gateway already exists in a plain ASCII text file, click Browse to navigate
to the file.
Each IP address and side note in the text file must be separated from the
others with a carriage return, and the IP address and the side note must
be separated from each other by the pipe ( | ) symbol.
When importing IP addresses from a text file, side notes are not required.

Character Set Select the character set that was used for encoding the list of addresses.
Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for traditional Chinese for mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and
ASCII characters.
• gb 2312 – official character set for the People's Republic of China;
superseded by gbk and gb 18030
• gb 18030 – official character set for the People's Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several
standards
• iso-8859-1 (latin1) – character set for most Western European
languages, plus Eastern European Albanian and Afrikaans and Swahili.
• UTF-8 – 8-bit Unicode Transformation format, allowing variable length
character encoding.
Only those character sets supported by both Autonomy and ICONV can
be effectively used.
Export You can store the list of addresses or subnets as a backup by exporting it
to a specific directory from which it can be retrieved.

When you have finished, click Submit.

Adding a listing
To add a new IP address or subnet to the Local Deny List, complete the information in the data fields at the
bottom of the window. Click Submit to record the addition. The window will update to include your new
listing.
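The import-file format and subnet rule described above, as an added Python example that is not McAfee's code: it decodes the file with the selected character set, parses one `address|side note` entry per carriage-return-separated line, rejects anything other than a single host or an entire Class A, B or C subnet, and answers the SMTPI-style question of whether a connecting IP is covered by the list. The CIDR notation for subnets and the sample file are assumptions.

```python
"""Local Deny List import and connection check (added example, not McAfee's code).

Import-file format from Table 140: one entry per line, "address|side note",
side note optional, whole Class A/B/C subnets only. The CIDR notation for
subnets (/8, /16, /24) and the sample file are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_PREFIXES = {8, 16, 24, 32}   # entire Class A, B, C subnet, or a single host


@dataclass(frozen=True)
class DenyEntry:
    network: ipaddress.IPv4Network
    side_note: str = ""


def parse_deny_entry(line: str) -> DenyEntry:
    """Parse one "address|side note" line; raise ValueError on a bad entry."""
    address, _, note = line.partition("|")
    address = address.strip()
    # strict=True rejects e.g. 198.51.100.1/24 (host bits set) as well as garbage.
    network = ipaddress.IPv4Network(address, strict=True)
    if network.prefixlen not in ALLOWED_PREFIXES:
        raise ValueError(f"{address}: only entire Class A, B, or C subnets are allowed")
    return DenyEntry(network, note.strip())


def import_deny_list(raw: bytes, charset: str = "utf-8") -> Tuple[List[DenyEntry], List[str]]:
    """Decode the uploaded file with the selected Character Set and parse it.

    Bad lines are reported rather than silently dropped so an operator can fix them.
    """
    entries: List[DenyEntry] = []
    errors: List[str] = []
    # splitlines() accepts the carriage-return separator the format requires.
    for lineno, line in enumerate(raw.decode(charset).splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_deny_entry(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors


def lookup(entries: List[DenyEntry], source_ip: str) -> Optional[DenyEntry]:
    """Return the entry covering the connecting IP, as the SMTPI check would."""
    ip = ipaddress.IPv4Address(source_ip)
    for entry in entries:
        if ip in entry.network:
            return entry
    return None


def should_drop_connection(entries: List[DenyEntry], source_ip: str) -> bool:
    return lookup(entries, source_ip) is not None


# Constructed sample upload, encoded as iso-8859-1 to exercise the Character Set option.
SAMPLE_IMPORT = (
    "203.0.113.45|seen in SMTPI Detailed Log\r"
    "198.51.100.0/24|entire Class C subnet\r"
    "192.0.2.7|signalé par un utilisateur\r"
    "198.51.100.1/24|host bits set, must be rejected\r"
    "not-an-ip|garbage line\r"
).encode("iso-8859-1")

SAMPLE_ENTRIES, SAMPLE_ERRORS = import_deny_list(SAMPLE_IMPORT, "iso-8859-1")
```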

RBL Drop List


Before Email Gateway SMTPI Service accepts a connection, it looks in the RBL Drop List to see if the IP
address is listed. If the IP address exists, the connection is dropped; if the IP address does not exist in this
or the other two drop lists, Email Gateway accepts the connection. The RBL Drop List is automatically
generated by Email Gateway if Realtime Blackhole List (RBL) is enabled as an anti-spam tool and its action
is configured to drop. The table of IP addresses is populated with the IP address of any source that tries to
connect to Email Gateway, but whose connection Email Gateway dropped because an RBL query reported
that the address was a known spammer.

Figure 122 Realtime Blackhole Lists Drop List - Configure window

Table 141 Realtime Blackhole Lists Drop List - Configure fields


Field Description
IP Address This column identifies IP addresses of any source whose connection was
dropped because an RBL lookup determined the source was a spammer.
If Email Gateway RBL anti-spam action was not configured to Drop — for
example, configured, instead, to Quarantine — the source IP would not be
added to this table.
Delete Selecting the checkbox and subsequently clicking Submit will cause the
IP address to be deleted from the list.

Note: The RBL Drop List grows over time (if RBL is enabled with a Drop action), and its data is not deleted by
Email Gateway Cleanup Schedule (Administration | Cleanup Schedule).

RBL services have been known to black list legitimate domains for a variety of reasons. If expected email
from a domain suddenly stops being received, check that the domain’s IP address has not inadvertently
ended up on this RBL Drop List. If so, select its Delete checkbox and delete it from the table. Consider
placing that IP address on Email Gateway whitelist so that future instances of an incorrect RBL blacklisting
do not occur. Because the RBL Drop List is not automatically updated, the resulting build-up of black list
entries can affect Email Gateway performance. After the RBL Drop List grows over time, it is a good idea to
remove entries and start with an empty list and rebuild it (if RBL is enabled as an anti-spam tool and its
action is configured to “Drop”). This also helps to avoid the black listing of legitimate domains.

Reverse DNS Drop List


Before Email Gateway SMTPI Service accepts a connection, it looks in the Reverse DNS Drop List to see if
the IP address is listed. If the IP address exists, the connection is dropped; if the IP address does not exist
in this or the other two Drop Lists, Email Gateway accepts the connection. The Reverse DNS Drop List is
automatically generated by Email Gateway if Reverse DNS is enabled as an anti-spam tool and its action is
configured to Drop. The table of IP addresses is populated with the IP address of any source that tries to
connect to Email Gateway, but whose connection Email Gateway dropped because a reverse DNS query
could not validate the host name.

Figure 123 Reverse DNS Drop List - Configure window

Table 142 Reverse DNS Drop List - Configure fields


Field Description
IP Address This column identifies IP addresses of any source whose connection was
dropped because a Reverse DNS lookup determined the source was a
spammer. If Email Gateway Reverse DNS anti-spam action was not
configured to Drop — for example, configured, instead, to Quarantine —
the source IP would not be added to this table.
Delete Selecting the checkbox and subsequently clicking Submit will cause the
IP address to be deleted from the list.

Reverse DNS
While a normal DNS lookup is used to resolve a host name to an IP address, a reverse DNS lookup is used
to resolve a message sender’s IP address to a valid host name.
Normal DNS: thispc.thisdomain.com = 10.20.1.210

Reverse DNS: 10.20.1.111 = thatpc.thatdomain.com

If a reverse DNS entry is not present in DNS, it might indicate that the sender is a spammer.
Email Gateway only queries the DNS server for the presence of a reverse DNS entry. It does not resolve the
IP address to the host name. If Email Gateway is behind some versions of proxy-type firewalls, reverse
DNS will not function correctly. The firewall will present its IP address to the DNS server instead of the
address of the sending host.
Due caution should be used when enabling Email Gateway Reverse DNS lookup. While reverse DNS used to
be effective at detecting spammers, domains are increasingly incorrectly or intentionally not configuring
their servers for reverse DNS. Therefore, reverse DNS queries might incorrectly consider legitimate email
as spam. You might be advised to set the Reverse DNS action to Log or Quarantine instead of Drop or
Subject Rewrite. After monitoring the results of reverse DNS queries, you can decide not to implement this
tool, unless confidence-based spam detection and blocking is being implemented.

Figure 124 Reverse DNS - Configure window

Table 143 Reverse DNS - Configure fields


Field Description
Enable Reverse DNS Lookup Select the Enable Reverse DNS lookup checkbox to turn on this anti-spam
tool. When enabled, Email Gateway will perform a reverse DNS query for
every message that does not originate from a domain identified in the
Domain-Based Routing table.
Default DNS or Specify Host for DNS Select the proper radio button to enable Email Gateway to use the default
host for DNS, or to use the DNS host(s) you specify.
DNS Host(s) Type the IP address or fully qualified host name of one or more DNS
servers, if Default DNS is not selected. Multiple IP addresses and host
names must be separated from each other with commas. Do not include
spaces between the commas and the beginning of each IP address or host
name.
Action Select from the pick list the action you want Email Gateway to take when
a message triggers this rule.
Action Data If the action you have chosen requires additional information, type the
required value in the data field.
Quarantine Type If Quarantine or Remote Quarantine is the selected action for this rule,
select the quarantine type from the list.

When you have finished, click Submit.


Reverse DNS contributes to the overall Spam Profile in a simple way. RDNS returns a score of 100 if no PTR
record was found for the domain being processed, and a score of 0 if a PTR record was found for the
domain.

Table 144 Reverse DNS SpamProfiler Contribution


Factor Description
Values No PTR record found: 100 (this is potentially a spam message)
PTR record found: 0 (this is likely to be a legitimate message)
Confidence value: a pre-configured percentage
Formula SpamProfiler Contribution = RDNS value X Confidence %
Example SpamProfiler Contribution = 100 X 20% = 20 points

Anti-Spam feature order


The Email Gateway Anti-Spam Feature Order - Configure window defines the order in which spam tools take
action when spam is detected. Once an action is taken by any of the Email Gateway spam tools, no other
spam action will occur. That is, if four of five of the Email Gateway spam-blocking tools determine that a
message is spam, and their actions differ, Email Gateway will perform the action of the spam tool in the
first position.

Ordinarily, SpamProfiler should be placed in the first position, as its spam-detection capability is more
reliable than any other spam tool on its own. However, if SpamProfiler is placed in a later position, then its
action(s) will not be enforced unless all prior spam-blocking tools have declined to act on the message.
Bear in mind that unless SpamProfiler is enabled, messages will not necessarily be evaluated by all of the
Email Gateway spam-blocking tools. Once a spam tool determines that a message is spam, no other tools
evaluate it.
Figure 125 Anti-Spam Feature Order - Configure window

Table 145 Anti-Spam Feature Order - Configure fields


Field Description
Anti-Spam Process This column shows the names of all the spam-blocking tools.
Order The currently configured processing order for the tools is set in this
column. Options are:
• Position 1
• Position 2
• Position 3
• Position 4
• Position 5
• Position 6
• Position 7
• Remove

All of the spam-blocking tools processed within the Anti-Spam Queue are identified on this page. For each
enabled tool, a pick list allows the selection of an order. Selecting Remove instructs Email Gateway to not
examine messages with that tool. Functionally, selecting Remove is the same as disabling the tool from
within its own configuration page.
You can reset the processing order of the anti-spam processes using this window. Choose the position for
each tool from its associated Order drop-down list. You can also select Remove if you don’t want to use a
particular spam-blocking tool. When you have the order as you want it, click Submit.
Duplicate positions are not allowed. If you change the positions of any spam tools, you must ensure that
only one tool is set to occupy each position.
The window will refresh to show your revised order.

User Spam Reporting


Whenever spam is able to slip past other spam-blocking tools, User Spam Reporting is an effective last line
of defense. End users within the network can forward (as attachments) the spam that makes its way into
their mailboxes to an email address that the Email Gateway appliance monitors. Email Gateway then allows
you to make Envelope Analysis policies that drop, quarantine, or take another action on future messages
with the same message characteristics. While Email Gateway provides the option of automatically creating
rules or requiring you to manually create the rules, McAfee encourages you to create these rules manually.

The User Spam Reporting page reports the RFC822 header data. This information, from the User Spam
Reporting table, can be used to create additional rules for blocking this same type of spam in the future
without preventing the delivery of legitimate email.
If User Spam Reporting is configured to automatically generate a policy, that policy will be identified as
system-generated. System-generated policies can not be deleted until all the individual rules used by that
policy are deleted.
Figure 126 User Spam Reporting - Configure window

Table 146 User Spam Reporting - Configure fields


Field Description
Enable Spam Blocking Select the checkbox to enable User Spam Reporting. When the feature is
enabled, end users can forward as attachments any spam they receive to
the designated email address monitored by Email Gateway.
Require End User Valid Subnet Select the checkbox to instruct Email Gateway to only accept forwarded
spam from users within the network. This prevents users outside the
network from mischievously or malevolently submitting valid email
addresses for blocking. If enabled, Email Gateway will not accept any
message that does not originate from an IP address or subnet listed in the
Mail-Firewall | Allow Relay table.
If this option is enabled, you should add to the Allow Relay table any
internal IP subnets used within the enterprise so users can forward spam
to the Email Gateway.
Auto When selected, Email Gateway will automatically generate rules based on
an administrator-specified message characteristic.
This is NOT the recommended configuration!
Manual When selected, you must manually generate rules based on message
characteristics of the spam that users forward to the Email Gateway. This
is the recommended method.
Spam Notification Address Type a unique email address not used by any mail server in the domain.
The username is arbitrary (but should be easy to remember—for example
Spam@domain.com); the domain must be one that Email Gateway
actually hosts. When messages are sent to the specified email address,
Email Gateway will read the spam’s From address, IP address (if it is
present), and Subject line, and populate the table of forwarded spam with
the data.

Ham Notification Address Type a unique email address not used by any mail server in the domain.
The username is arbitrary (but should be easy to remember—for example
Spam@domain.com); the domain must be one that Email Gateway
actually hosts.
When messages are sent to this address, they will be used as ham
messages for Bayesian training.
Setting Actions The table in the lower portion of the window contains data about spam
emails reported by users. You can set actions based on the sender or
subject, and you can add the IP address to the Local Deny List.
Mail From This is the RFC822 From address. You can configure Email Gateway to
perform an action when an email originates from this address.
Subject This information comes from the message’s Subject line.
Source IP This is the RFC821 From IP address. If the IP is available, you can add it
to the Local Deny List.
Delete Selecting the checkbox and then clicking Submit will delete the listing
from the reporting list.

When you have finished, click Submit.

Spam Traps
Email Gateway Spam Traps function similarly to End User Spam Reporting. The difference is that you will
type honey pot email addresses in the Spam Notification Address input field. That is, you can create
fictitious email addresses for a domain that Email Gateway hosts, and submit these addresses to web sites
and newsgroups where there is a high probability they will be acquired by spammers (the username of the
address must not be used by any internal mail server). Spammers will begin sending their junk email and
pornography to these addresses — addresses that Email Gateway will monitor. Email Gateway will populate
the spam table with those messages, and rules can be created for them.
Figure 127 Spam Traps - Configure window

Table 147 Spam Traps - Configure fields


Field Description
Enable Spam Blocking Select the checkbox to enable Spam Traps. When the feature is enabled,
spam mailed to the notification address specified below will be processed
by Email Gateway to allow creation of rules to block the spam from
entering the network in the future.
Auto When selected, Email Gateway will automatically generate rules based on
an administrator-specified message characteristic.
This is NOT the recommended configuration!
Manual When selected, you must manually generate rules based on message
characteristics of the spam that users forward to the Email Gateway. This
is the recommended method.
Spam Notification Address Type a unique email address not used by any mail server in the domain.
The username is arbitrary (but should be easy to remember - for
example, Spam@domain.com); the domain must be one that Email
Gateway actually hosts. When messages are sent to the specified email
address, Email Gateway will read the spam’s From address, IP address (if
it is present), and Subject line, and populate the table of captured spam
with the data.
Setting Actions The table in the lower portion of the window contains data about spam
emails captured by Spam Traps. You can set actions based on the sender
or subject, and you can add the IP address to the Local Deny List.
Mail From This is the RFC822 From address. You can configure Email Gateway to
perform an action when an email originates from this address.
Subject This information comes from the message’s Subject line.
Source IP This is the RFC821 From IP address. If the IP is available, you can add it
to the Local Deny List.
Delete Selecting the checkbox and then clicking Submit will delete the listing
from the reporting list.

RealTime Blackhole Lists


Email Gateway performs an RBL query on each message that does not originate from a domain listed in the
Domain-Based Routing table (See IntrusionDefender | Mail Firewall | Mail Routing | Domain Based).
If enabled, Email Gateway performs a query of one or more RBL services. If the RBL service reports that
the message-sender’s IP address is on its list as a known spammer, Email Gateway will take the action
specified on this page.
By default, Email Gateway performs its RBL lookup only on the host that is connected to it. This is the most
effective configuration so long as Email Gateway is positioned before the gateway of the network. In those
rare instances when Email Gateway is positioned after the gateway, it can be configured by McAfee Support
to perform its query against the IP address in the message header. McAfee recommends that the default
configuration be used in all cases where Email Gateway is before the gateway.
Caution: Due caution should be used when enabling Email Gateway RBL lookup. Legitimate businesses sometimes
find themselves—for a variety of reasons—on an RBL list. While some administrators are more confident in RBL
services and comfortably select a Drop action for messages reported as spam, others are more cautious and
quarantine RBL-suspected spam.

Configuring RealTime Blackhole Lists


Figure 128 RealTime Blackhole Lists - Configure window

Table 148 RealTime Blackhole Lists - Configure fields


Field Description
Configure DNS This portion of the window allows you to designate the DNS server you
want to use for the RBL service
Enable RealTime Blackhole Lists Select the checkbox to turn on this anti-spam tool. When enabled, Email
Gateway will perform an RBL query for every message that does not
originate from a domain listed in its domain-based routing table.
Default DNS or Specify Host for DNS Select the proper radio button to enable Email Gateway to use the default
host for DNS, or to use the DNS host(s) you specify.
DNS Host(s) Type the IP address or fully qualified host name of one or more RBL
servers, if the Specify Host for DNS option is selected. Multiple IP
addresses and host names must be separated from each other with
commas. Do not include spaces between the commas and the beginning
of each IP address or host name.
RealTime Blackhole Lists Black List The second panel of the window lists all existing RBL entries, and allows
you to add new zones.
Zone This field contains the list of RBL zones for which filters have been
configured.
Query Type This column displays the type of query to be run. The choices are A and
TXT searches; Email Gateway will search the record type specified.
Points This column displays the points assigned to each Zone.

Enable If this checkbox is checked, RBL for the particular zone is enabled. If you
wish to disable that zone, select the checkbox to remove the existing
check. The zone will be disabled when you press Submit.
Delete If you wish to delete the zone, check the Delete checkbox. When you
press Submit, the zone will be deleted.
Adding new zones The data fields at the bottom of the Black Lists panel can be used to add
a new zone. The fields, from left to right, require the following:
• Type the host name or the IP address of the zone you want to add;
• Select the query type (A or TXT search) from the drop-down list;
• Type the point score you want to attribute to this zone;
• If you want to enable the zone at this time, select the checkbox.
When you click Submit, the zone will be added.
Configure Actions The third panel of the window lists the currently configured actions Email
Gateway will take based upon the RBL scores submitted to the Spam
Profile, and lets you create new ones as needed.
Threshold Value This column displays the threshold values for each policy.
Action The action to be taken when the policy is triggered appears in this column.
Action Value If the action associated with the policy requires additional information,
that information shows in this column.
Quarantine Type If Quarantine or Remote Quarantine is the selected action, the associated
quarantine type displays in this column.
Delete Selecting the checkbox and then clicking Submit will cause the policy to
be deleted.
Adding New Policies The data fields beneath the table allow you to add new RBL policies.
• Type the threshold value at which messages will trigger action by the
new policy;
• Select from the pick list the action you want Email Gateway to take
when a message triggers this rule;
• If the action you have chosen requires additional information, type the
required value in the data field;
• If “Quarantine” or “Remote Quarantine” is the selected action for this
rule, select the quarantine type from the list.
Configure RBL IP The lower panel of the window provides the option to configure Email
Hop Count Gateway Dynamic Hop Count feature. See the information and rules
below.
Connecting IP The IP address to which the hop count applies.
Header The header string for which the hop count is configured. The presence of
a header string also requires a header position.
Header Position The position within the message header where the particular header string
should be sought.
Hop Count The hop count in within the routing from which the TrustedSource query
should originate.
Delete If you wish to eliminate an existing configuration, select the checkbox.
Then click Submit.
Configure New Hop The data fields at the bottom of this panel allow configuration of hop
Counts counts for additional IPs and headers.
• Specify the IP address for which you are setting the hop count;
• Specify the header string that should for which you are setting hop
count. If you specify a header, you must also specify a header position;
• Specify the hop count in within the routing from which the
TrustedSource query should originate;
• Specify the hop count in within the routing from which the
TrustedSource query should originate.

When you have made changes or added new zones or policies, click Submit to record your changes. The
window will update to reflect the new configuration.


Dynamic hop count


Dynamic hop count allows you to specify the hop count of mail as it gets reported to TrustedSource. It is
intended for use with internal (trusted) mail servers within a company, so that companies with more
complex networks, such as those with multiple paths to their email systems, can report hop counts
correctly to TrustedSource and get back meaningful scores. From the UI, hop count can be adjusted based
on combinations of the following information:
• The connecting IP address;

• Received headers;

• Positions of the received headers within messages; and

• The hop count from which the TrustedSource query should originate.
The essential rules for setting hop counts are as follows:
• If you specify all three of the parameters above (connecting IP, received header and header position), all
three conditions must be met, or the specified hop count will not apply. The default hop count will be used.

• If you specify connecting IP alone, the hop count will apply for all traffic from that IP.

• If you set the header string and header position (which must always be specified together), the hop count
will be set for that combination.

• You must always specify the hop count.

RBL hop count


The dynamic hop count feature allows you to specify the hop count of messages, identifying the entities
that are to be reported by TrustedSource. The feature is important for companies that have complex
networks, such as multiple paths to their email systems. It tells TrustedSource what to check and in what
position it should occur when reporting a reputation score.
Dynamic hop count is configured on the Realtime Blackhole List window. Configuration is based on
combinations of the following pieces of information:
• The connecting IP address;

• Received headers (the header string to be matched); and,

• Position of the received header string (header position).

Email Gateway supports the following configuration combinations:


• Connecting IP, header string and header position - all conditions must be met;

• Connecting IP only – set the hop count for the specified IP; or,

• Header string and header position - set the hop count for matches on the header string and position, for
all IPs. The received header is checked to see if the header string occurs in the specified header position.

The following basic rules apply:


• You must always specify the header string and header position together. You must have both.

• You cannot specify a header string with a position of 0, which implies the header string is NULL (matching
is done for the connecting IP only).

The actual processing using dynamic hop count occurs in smtpproxy, where the TrustedSource lookup
happens.
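The rule set above, worked through as an added Python example (not Email Gateway's own smtpproxy code). It assumes Received headers are numbered from the top of the message starting at 1, that the most specific matching rule wins, that hop 1 is the connecting IP and hop n is the source IP recorded in Received header n-1, and a default hop count of 1; the sample message and rules are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_HOP_COUNT = 1  # assumed default; the guide only says "the default hop count will be used"


@dataclass(frozen=True)
class HopRule:
    """One row of the Configure RBL IP Hop Count panel."""
    hop_count: int
    connecting_ip: Optional[str] = None
    header: Optional[str] = None           # substring to look for in a Received header
    header_position: Optional[int] = None  # 1-based index of the Received header to check


def rule_errors(rule: HopRule) -> List[str]:
    """Apply the guide's configuration rules; an empty list means the rule is acceptable."""
    errors = []
    if rule.hop_count is None or rule.hop_count < 1:
        errors.append("the hop count must always be specified")
    if (rule.header is None) != (rule.header_position is None):
        errors.append("header string and header position must be specified together")
    if rule.header is not None and rule.header_position == 0:
        errors.append("position 0 means a NULL header string; use a connecting-IP-only rule instead")
    if rule.connecting_ip is None and rule.header is None:
        errors.append("a rule needs a connecting IP, a header/position pair, or both")
    return errors


def received_headers(raw_message: str) -> List[str]:
    """Return the values of the Received headers, topmost first, with folded lines joined."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    return [line.split(":", 1)[1].strip()
            for line in unfolded.split("\r\n")
            if line.lower().startswith("received:")]


def rule_matches(rule: HopRule, connecting_ip: str, received: List[str]) -> bool:
    """Every condition present in the rule must hold (IP alone, header+position, or all three)."""
    if rule.connecting_ip is not None and rule.connecting_ip != connecting_ip:
        return False
    if rule.header is not None:
        pos = rule.header_position
        if pos > len(received) or rule.header not in received[pos - 1]:
            return False
    return True


def _specificity(rule: HopRule) -> int:
    return (rule.connecting_ip is not None) + (rule.header is not None)


def select_hop_count(rules: List[HopRule], connecting_ip: str, received: List[str],
                     default: int = DEFAULT_HOP_COUNT) -> int:
    """Most specific matching valid rule wins (assumption); otherwise the default applies."""
    valid = [r for r in rules if not rule_errors(r)]
    for rule in sorted(valid, key=_specificity, reverse=True):
        if rule_matches(rule, connecting_ip, received):
            return rule.hop_count
    return default


IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ip_for_lookup(connecting_ip: str, received: List[str], hop_count: int) -> Optional[str]:
    """Hop 1 is the connecting IP; hop n is the IP recorded in Received header n-1 (assumption)."""
    if hop_count == 1:
        return connecting_ip
    index = hop_count - 2
    if index >= len(received):
        return None
    match = IP_IN_BRACKETS.search(received[index])
    return match.group(1) if match else None


# Constructed sample: an internal relay (10.0.0.5) hands the gateway a message it received from a partner.
SAMPLE_MESSAGE = (
    "Received: from mail.partner.example ([203.0.113.7])\r\n"
    "\tby relay.internal.example with ESMTP; Mon, 1 Jun 2009 10:00:00 +0000\r\n"
    "Received: from [192.0.2.10] by mail.partner.example; Mon, 1 Jun 2009 09:59:00 +0000\r\n"
    "From: someone@partner.example\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

RULES = [
    # all three conditions: traffic from the relay whose first Received header names it
    HopRule(hop_count=2, connecting_ip="10.0.0.5", header="by relay.internal.example", header_position=1),
    # connecting IP only: a second relay that adds two hops
    HopRule(hop_count=3, connecting_ip="10.0.0.9"),
    # invalid: header without position, ignored by select_hop_count
    HopRule(hop_count=2, header="by relay.internal.example"),
]

if __name__ == "__main__":
    received = received_headers(SAMPLE_MESSAGE)
    hops = select_hop_count(RULES, "10.0.0.5", received)
    print(hops, ip_for_lookup("10.0.0.5", received, hops))  # 2 203.0.113.7
```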

Extended dynamic hop count functions


Email Gateway has extended the Dynamic Hop Count functions to additional anti-spam features, including
SenderID, Reverse DNS and System Defined Header Analysis. Settings that were formerly limited to RBL
now apply globally to these features, to ensure they analyze the correct IP address.


Multiple blacklists
Multiple RBL servers are allowed. Email Gateway accounts for each one separately, submitting all the IPs
from the messages to each blacklist in succession. Each RBL is assigned its own confidence level, and can
contribute to the Spam Profile. Different RBLs might have different confidence levels and can be configured
for different actions for each threshold.
Note: Up to ten (10) RBL servers can be configured, but McAfee recommends that no more than two (2) be
enabled to assure maximum performance levels.

RBL and SpamProfiler


Realtime Blackhole List functionality returns an absolute point value to the Spam Profile, based on the point
value that has been associated with each configured zone in RBL. Any realtime Whitelist configured with a
negative point value will return that negative value.

Table 149 RBL SpamProfiler Contribution

Values: Specific point values assigned to each zone in the list: positive numbers for blacklist entries, and negative numbers for whitelist entries.
Formula: SpamProfiler Contribution = Sum of all matched RBL zone points.
Example: bl.spamcop.net 10 points; dnsbl.sorbs.net 15 points; ct-rwl.ciphertrust.com -20 points.
If the connecting IP address was in the first and second RBL lists, the SpamProfiler contribution would be 25 points (10 pts + 15 pts). If the connecting IP address was maintained in the third list, the SpamProfiler contribution would be -20 points.
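The Table 149 formula and the threshold policies from Table 148, worked through as an added Python example that is not Email Gateway's own code. The zones and points are the guide's; the reversed-octet DNSBL query name, the rule that the highest threshold reached selects the action, and the in-memory stand-in for DNS answers are assumptions so the example runs offline.

```python
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Zone(NamedTuple):
    """One row of the Black List panel."""
    zone: str
    query_type: str      # "A" or "TXT"
    points: int          # positive for a blacklist, negative for a whitelist
    enabled: bool = True


class Policy(NamedTuple):
    """One row of the Configure Actions panel."""
    threshold: int
    action: str
    action_value: str = ""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Conventional DNSBL lookup name: the IPv4 octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_contribution(ip: str, zones: List[Zone],
                     lookup: Callable[[str, str], bool]) -> Tuple[int, List[str]]:
    """Sum of the points of every enabled zone that lists the IP (the Table 149 formula)."""
    total, hits = 0, []
    for z in zones:
        if not z.enabled:
            continue
        if lookup(dnsbl_query_name(ip, z.zone), z.query_type):
            total += z.points
            hits.append(z.zone)
    return total, hits


def rbl_action(score: int, policies: List[Policy]) -> Optional[Policy]:
    """The policy with the highest threshold the score reaches (assumption: thresholds nest)."""
    reached = [p for p in policies if score >= p.threshold]
    return max(reached, key=lambda p: p.threshold) if reached else None


def enabled_zone_warning(zones: List[Zone]) -> Optional[str]:
    """The guide allows ten zones but recommends enabling no more than two."""
    n = sum(1 for z in zones if z.enabled)
    return f"{n} zones enabled; McAfee recommends at most two" if n > 2 else None


# Zones from the guide's Table 149 example.
ZONES = [
    Zone("bl.spamcop.net", "A", 10),
    Zone("dnsbl.sorbs.net", "A", 15),
    Zone("ct-rwl.ciphertrust.com", "TXT", -20),
]

POLICIES = [Policy(20, "Quarantine", "Spam"), Policy(40, "Drop")]

# Constructed stand-in for DNS so the example runs offline: name -> record type -> answers.
CONSTRUCTED_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "7.113.0.203.bl.spamcop.net": {"A": ["127.0.0.2"], "TXT": ["Blocked"]},
    "7.113.0.203.dnsbl.sorbs.net": {"A": ["127.0.0.6"]},
    "9.100.51.198.ct-rwl.ciphertrust.com": {"TXT": ["trusted sender"]},
}


def constructed_lookup(name: str, query_type: str) -> bool:
    """A listing exists when the zone returns at least one record of the configured type."""
    return bool(CONSTRUCTED_ANSWERS.get(name, {}).get(query_type))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
        score, hits = rbl_contribution(ip, ZONES, constructed_lookup)
        print(ip, score, hits, rbl_action(score, POLICIES))
```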

DomainKeys Identified Mail


DomainKeys Identified Mail (DKIM) defines a simple, low-cost and effective mechanism for applying
cryptographic signatures to email messages. The purpose is to demonstrate that the sender of the message
was indeed authorized to use the specific email address.
The DomainKeys protocol works by performing a secure hash of the contents of a mail message, encrypting
the result using a private key and then encoding the encrypted data. The encrypted string is added to the
email as the first RFC 822 header, with the name DomainKey-Signature. Recipients can verify the sending
signature by performing a DNS query regarding the signer’s domain to ensure that the key used to sign the
message was authorized by that domain for that particular address. The returned data includes that
domain’s public key.

Domains and selectors


The two primary components of DKIM are:
• Domain, which owns the signature keys (the private key is assigned to the domain); and,

• One or more Selectors, each of which is assigned one of potentially multiple public keys.

Selectors act as subdivisions of the domain. They can be used to define sub-domains, such as office
locations, divisions, departments or groups; they can define permission durations, such as a month and
year; or they can define individual users, if so desired.

Configuring DKIM
DKIM functionality is defined and enabled on the Domain Keys Identified Mail (DKIM) - Manage window.


Figure 129 Domain Keys Identified Mail (DKIM) - Manage window

Table 150 Domain Keys Identified Mail (DKIM) - Manage fields

DKIM Verification Setting: The upper panel allows you to enable DKIM verification and to configure the contribution it will make to spam scores.
Enable DKIM Verification: Select the checkbox to enable DKIM verification for inbound messages.
Default DNS: Click the radio button if you want Email Gateway to use one of the default DNS servers that were configured during the initial Email Gateway setup.
Specify Host for DNS: If you want to instruct Email Gateway to use a specific DNS server other than the default servers, click this radio button. You must also specify the DNS server to be used.
DNS Hosts: Type one or more IP addresses or fully qualified domain names to identify the host server(s) for the radio button above.
DKIM Success Score: Type a number from 0 to 100 to represent the points to be deducted from the SpamProfiler score whenever DKIM is able to verify a message. The default value is 10 points.
DKIM Failure Score: Type a number from 0 to 100 points to be contributed to the SpamProfiler score when DKIM verification fails.
DKIM Neutral Score: Type a number from 0 to 100 points to be contributed when DKIM results in neither success nor failure (verification cannot be completed).
DKIM Signing Setting: This panel permits you to enable DKIM signing of outbound mail as a means of authentication.
Enable DKIM Signing: To enable DKIM signature service, select the checkbox.
Global Canonicalization Setting: Use this setting to determine the level of minor modifications to a message in transit that DKIM will tolerate. You can set different methods for the header and the body of the message.
Header: Click the radio button to select the verification setting for the message header. Options are:
• Simple – DKIM will tolerate almost no modification.
• relaxed – DKIM will tolerate common modifications, such as whitespace replacement.

Table 150 Domain Keys Identified Mail (DKIM) - Manage fields (continued)

Body: Click the radio button to select the verification setting for the message body. Options are:
• Simple – DKIM will tolerate almost no modification.
• relaxed – DKIM will tolerate common modifications, such as whitespace replacement.
Domain: This column will display the domains for which DKIM functionality has been configured.
Selector: The names of configured selectors appear in this column. Each selector name appears only once.
Primary Key: The link in this column allows you to export the primary key associated with this DKIM combination to a location where it can be stored as a backup.
Public Key: The link in this column allows you to export the public key assigned to this selector. This key is exported to customer DNS records as part of the data returned by the recipient’s DNS lookup, in order to allow communication using DKIM encryption.
Delete: Selecting the checkbox and subsequently clicking Submit will cause the DKIM combination to be deleted. The Delete hyperlink at the top of the column will delete all combinations.
Commands: The fields at the bottom of the window allow you to import a stored DKIM key or generate a new key combination.
If you click the Import radio button, the following fields are enabled:
• Domain – select the domain associated with the key you want to import from the drop-down list;
• Selector – type the name of the selector associated with the domain;
• Primary key file – if you choose, you can browse to the location where the key is stored.
If you click the Generate radio button, you will see only the Domain and Selector fields.

When you have entered the configuration parameters, click Submit at the bottom of the window. The
imported or newly generated key information will be added to the signing settings.
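The pieces behind the Domains and selectors section and the Global Canonicalization Setting rows, as an added Python example that is not Email Gateway's implementation: the DNS name a verifier queries for a selector and domain, the simple and relaxed canonicalization of a header and a body as defined in RFC 6376, and the body hash that goes into the signature. The sample Subject header and body, before and after a relay re-spaces them, are constructed.

```python
import base64
import hashlib
import re


def dkim_dns_name(selector: str, domain: str) -> str:
    """Where a verifier fetches the public key for a domain/selector pair (RFC 6376, section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"


def canon_header(name: str, value: str, method: str) -> str:
    """'simple' keeps the header as is; 'relaxed' lowercases the name, unfolds and collapses
    whitespace, so a relay that refolds or re-spaces the header does not break the signature."""
    if method == "simple":
        return f"{name}:{value}\r\n"
    if method != "relaxed":
        raise ValueError("canonicalization must be 'simple' or 'relaxed'")
    unfolded = value.replace("\r\n", "")
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip(" \t")
    return f"{name.lower()}:{collapsed}\r\n"


def canon_body(body: str, method: str) -> str:
    """Both methods drop empty lines at the end of the body; 'relaxed' also strips trailing
    whitespace on each line and collapses runs of whitespace to one space."""
    if method not in ("simple", "relaxed"):
        raise ValueError("canonicalization must be 'simple' or 'relaxed'")
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # RFC 6376: an empty body is a single CRLF under simple, nothing under relaxed
        return "" if method == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, method: str) -> str:
    """The bh= value of the signature: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canon_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample: the message as signed, and the same message after a relay
# refolded the Subject header and re-spaced the body.
ORIGINAL_SUBJECT = " Quarterly report"
RELAYED_SUBJECT = "   Quarterly\r\n  report "
ORIGINAL_BODY = "Figures attached.\r\nThanks,\r\nAlice\r\n"
RELAYED_BODY = "Figures  attached. \r\nThanks,\r\nAlice\r\n\r\n\r\n"


def survives_transit(method: str) -> bool:
    """True when the canonical header and the body hash are unchanged by the relay's edits."""
    same_header = (canon_header("Subject", ORIGINAL_SUBJECT, method)
                   == canon_header("Subject", RELAYED_SUBJECT, method))
    same_body = body_hash(ORIGINAL_BODY, method) == body_hash(RELAYED_BODY, method)
    return same_header and same_body


if __name__ == "__main__":
    print(dkim_dns_name("jun2009", "example.com"))
    for method in ("simple", "relaxed"):
        print(method, survives_transit(method))  # simple False, relaxed True
```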

Backscatter protection
When hackers create spam or phishing messages using forged (spoofed) source addresses belonging to a
company’s domain, that company can experience denial of service attacks under certain conditions. Where
the fraudulent email's recipient address doesn’t exist, the spoofed company can be flooded with email
bounces. In the worst cases, a mail loop occurs when the message is bounced to a non-existent sender
address.
Bounced Address Tag Validation (BATV) is a method for determining whether the return address specified
in a bounced email is valid. The goal is to reject bounced messages to forged return addresses.
The BATV feature in Email Gateway is DSN Bounce Verification Protection. The feature allows you to
configure a text key that is included in all recipient addresses supported by Email Gateway appliances.
The following conditions apply:
• DSN Bounce Verification will not work if Email Gateway or a BATV-compatible device with matching
Address Tagging key is not used for outbound mail delivery.

• If there are multiple Email Gateways on site, they must share the same hash code.

• Recipients of outgoing messages will not be able to see the header code.

• You should allow a delay time to allow the DSNs to filter through your system.


Configuring DSN Bounce Verification


To configure this feature, navigate to the DSN Bounce Verification Protection - Configure window
(Anti-Spam | Anti-Spam Advanced | DSN Bounce Verification Protection).
Figure 130 DSN Bounce Verification Protection - Configure window

Table 151 DSN Bounce Verification Protection - Configure fields

Enable DSN Verification Protection: Select the checkbox to enable DSN Verification Protection on this Email Gateway. The protection is disabled by default.
Select Action: Click the proper radio button to configure the action Email Gateway should take when a message fails bounce protection. Options are:
• Log verification failure – Email Gateway creates a log entry for the failed message, but the message will still be received.
• Log and block verification failure – Email Gateway creates a log entry for the failure and drops the message.
Address Tagging Key: Type the text for the tagging key (in plain text) that will be included in the mail recipient addresses that are supported by this Email Gateway. A minimum of four characters is required; the maximum number allowed is fourteen characters. If multiple BATV-capable devices exist on site, they must all have the same key.
Incoming DSNs are considered expired after __ days: Specify the number of days before incoming DSNs are considered expired, even if otherwise valid, by selecting the number of days from the drop-down list.

When the configuration options have been properly set, click Submit.
Tip: When you first enable BATV, set your action to Log verification failure and leave it configured like that until
the DSN expiration days have passed. Also, if you change the Address Tagging Key, you should set the action to
Log verification failure until the DSN expiration days have passed. Then you can change the action back to Log
and block verification failure.

How DSN Bounce Verification Protection works


The feature solves the BATV issue by generating a unique hash (the tagging key) and including it in the
header of all outgoing email messages. If a bounced email doesn’t include this header code, Email Gateway
takes the configured action on that message (log only, or log and drop).
DSN Verification processing is performed in SMTPProxy. When the feature is enabled, Email Gateway will
check to see if the Mail From header is empty. If it is NOT empty, then BATV will be bypassed. If the header
is empty, Email Gateway will check the Receipt To header to see if the tagging key is present. If it is not
present, Email Gateway will take the configured action.
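The check described above, as an added Python example that is not Email Gateway's SMTPProxy code. It uses the public BATV "prvs" address form (prvs=KDDDSSSSSS=user@domain) with an HMAC keyed by the tagging key rather than McAfee's own tag format, takes the current day as an integer day counter supplied by the caller so the expiry window from Table 151 is testable, and enforces the 4-to-14-character key length from Table 151; all of these, and the sample key, are assumptions.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")


def _check_key(key: str) -> None:
    """Table 151: the Address Tagging Key is 4 to 14 characters."""
    if not 4 <= len(key) <= 14:
        raise ValueError("Address Tagging Key must be 4 to 14 characters")


def _signature(key: str, key_version: int, expiry_day: int, address: str) -> str:
    """Six hex characters of HMAC-SHA256 over version, expiry day and the untagged address."""
    msg = f"{key_version}{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address: str, key: str, today: int, valid_days: int, key_version: int = 0) -> str:
    """Outbound: rewrite the envelope sender so a later DSN comes back to a tagged address."""
    _check_key(key)
    expiry_day = (today + valid_days) % 1000          # DDD wraps every 1000 days
    local, domain = address.rsplit("@", 1)
    sig = _signature(key, key_version, expiry_day, address)
    return f"prvs={key_version}{expiry_day:03d}{sig}={local}@{domain}"


def verify_tag(rcpt: str, key: str, today: int, valid_days: int) -> Tuple[bool, str, Optional[str]]:
    """Inbound DSN: returns (valid, reason, original address)."""
    _check_key(key)
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "untagged", None
    version, ddd, sig, original = m.groups()
    expiry_day = int(ddd)
    # "Incoming DSNs are considered expired after N days", even if otherwise valid
    if (expiry_day - today) % 1000 > valid_days:
        return False, "expired", original
    expected = _signature(key, int(version), expiry_day, original)
    if not hmac.compare_digest(sig.lower(), expected):
        return False, "bad-signature", original
    return True, "ok", original


def dsn_policy(mail_from: str, rcpt_to: str, key: str, today: int, valid_days: int,
               action: str = "log") -> str:
    """The flow from the guide: a non-empty MAIL FROM bypasses BATV; an empty MAIL FROM
    means a DSN, whose RCPT TO must carry a valid tag or the configured action applies."""
    if mail_from:
        return "accept"
    valid, _reason, _original = verify_tag(rcpt_to, key, today, valid_days)
    if valid:
        return "accept"
    return "block" if action == "log_and_block" else "log"


if __name__ == "__main__":
    key, today, window = "gw-tag-2009", 100, 7       # constructed key and day counter
    tagged = tag_sender("alice@example.com", key, today, window)
    print(tagged)
    print(dsn_policy("", tagged, key, today + 3, window, "log_and_block"))              # accept
    print(dsn_policy("", "alice@example.com", key, today + 3, window, "log_and_block"))  # block
    print(dsn_policy("", tagged, key, today + 12, window, "log_and_block"))             # block (expired)
```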



SECTION 5

Anti-Virus

Appendix 17, Anti-Virus Protection


17 Anti-Virus Protection
Contents
About Anti-Virus protection
Current Anti-Virus information
Signature engines
Updating signature protection

About Anti-Virus protection


If you purchased one or more anti-virus licenses and installed them on the Email Gateway appliance, it is
capable of scanning all incoming and outgoing messages for viruses. By placing virus protection at the
email gateway, you can have greater confidence that viruses will not enter your network through email.
Administrators can purchase licenses for Sophos, Authentium and/or McAfee products. These anti-virus
engines are seamlessly embedded within Email Gateway’s queue architecture, providing robust protection
against even the very newest viruses and worms. Virus definition or “identity” files can be automatically
downloaded once an hour to ensure that Email Gateway is able to stop the most recent threats.
The Email Gateway Virus Engine can scan the contents within an attached zip file down to sixteen levels of
zipping. If a virus is detected and it can be cleaned, this cleaning is performed. If it cannot be cleaned,
action is taken on the entire zip part or the entire message. For example, the message can be quarantined
or email delivery stopped.
When an anti-virus license expires, it disappears from the Web Administration interface and its functionality
ceases on the midnight before the date of expiration. License renewals should be installed prior to license
expiration. If a renewal license is installed after license expiration, administrators will have to manually
re-configure anti-virus settings and place the Virus Scan Queue back into the Queue Order.

Anti-Virus snapshot
The first window that appears when you navigate to the Anti-Virus tab is the Quick Snapshot for Zero Day
Protection. This overview page presents both historical and current-day information about messages that
have been processed.
The window displays both summary and detailed versions of the reports.

Summary snapshot
The summary reports provide an easy glance at overall processing by the Zero Day Protection features. The
summaries appear in two panels.

Anti-Virus Protection
About Anti-Virus protection

Figure 131 Zero Day Protection Quick Snapshot window

The upper portion of the summary report shows historical data that distinguishes among three types of
message actions:
• Good message actions

• Signature blocked messages – those containing viruses or suspected of containing them

• Non-signature blocked message – those messages that were blocked by content compliance, attachment
compliance, connection control, LDAP rejection, and so forth.

The historical trend data allows you to detect changes over time. The time period covered by the historical
graphs will vary according to the amount of data that has been accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.

• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis. The dates
displayed will represent the beginning date (Sunday) for each week.

• If the data covers more than 12 weeks, the trends will continue to be plotted on a weekly basis,
showing the most recent 12 weeks.

The lower portion of the summary report contains a pie chart and summary table with numbers and
percentages that present the same kind of information, but for only the current day.
Note: The information in today’s current snapshots (summary or detailed) might not be completely up to date. A
lag time of approximately 15 minutes is required to populate the charts and tables with the most current
information.

Detailed snapshot
The Detailed tab on the Quick Snapshot window presents the detailed reports. The graphs and tables
correlate to the ones in the Summary reports, but the information is broken down into more granular
segments, allowing a more specific tracking of individual features.


Figure 132 Zero Day Protection Quick Snapshot window

The upper panel of the window shows more detailed data about actions taken by Zero Day Protection,
breaking down the non-signature blocked message actions into individual components. The detailed report
tracks the following:
• Good message actions

• Signature blocked messages

• Messages blocked by ESP/Trusted Source

• Messages blocked by Connection Control

• Messages blocked by Recipient Rejection

• Messages blocked by Attachment Analysis

• Messages blocked by Content Analysis

The lower pie chart and table present the current day’s information about the same kinds of actions and
processes.


Zero-Day Protection Setting


The Zero-Day Protection Setting window presents a detailed overview of protection tools enabled or
available on your Email Gateway.
Figure 133 Zero Day Protection Setting window

Table 152 Zero-Day Protection Setting fields

Signature Engines: This panel displays a summary of the enabled signature engines.
Engine: This column lists the enabled engines by name.
Engine Version: The current version of the signature engine shows in this column.


Table 152 Zero-Day Protection Setting fields (continued)

Signature Version: The version number of the most current installed update for the engine and engine version appears here.
Date: This column shows the date the current signature version was installed.
Number of Virus Signatures: This column lists the number of virus signatures for which the current signature version offers protection.
Attachment Blocking: This panel provides an overview of the Attachment Analysis rules configured on this Email Gateway.
Enabled: A check mark in this field indicates that Attachment blocking is enabled.
Binary Type Block Rules: This field reports the number of rules configured to block attachments based upon their file extensions.
File Type Rules: This field reports the number of rules configured to block attachments based on file names rather than just extension types.
TrustedSource: This portion of the Zero Day Protection window provides information about the TrustedSource reputation service.
Hostname: This field can contain the hostname of the server where TrustedSource resides.
Enabled: A checkmark in this field indicates that the reputation service is enabled.
SLS Config: This field identifies the SLS server that is being queried by the reputation services.
Keyword Blocking: This area provides a list of dictionaries and reports on their status and their inclusion in the Policy Compliance Report - AV Keyword Blocking.
Compliance Dictionaries: This column lists the available dictionaries by name.
Enabled: This column indicates the activity status for each dictionary. If the dictionary has been enabled for one or more rules, and at least one rule has been applied in an Email Gateway policy, a blue check mark appears in this column. If the dictionary is not in active use, a red exclamation point appears.
Policy Compliance Report - AV Keyword Blocking: This column indicates whether or not an actively enabled dictionary is configured to be included in the report. If so, a blue check mark appears in this column. Otherwise, a red exclamation point shows.
Connection Control: The lower right panel of the window reports the status of the Connection Control feature.
System Defined Rules: This column shows the Connection Control rules defined by the Email Gateway System.
Enabled: If the rule is enabled and in use, a blue check mark will appear in this column. If not, a red exclamation point shows.

Of the protection sources displayed on the Zero Day Protection Setting window, only the Signature Engines
can be configured in the Anti-Virus area of Email Gateway. TrustedSource and Connection Control appear in
the Anti-Spam program area, while Attachment Blocking and Keyword Blocking are part of the Compliance
functionality. More information about these features can be found in the Compliance and Anti-Spam
Sections of this Administration Guide.


Current Anti-Virus information


The Current Anti-Virus Information window shows the protection engines presently installed on the Email
Gateway, including current version information.
Figure 134 Current Anti-Virus Information window

For each licensed Anti-Virus engine, the Current Anti-Virus Information window presents the following
information:

Table 153 Current Anti-Virus Information fields

Engine Name: The top of each major segment of this window will contain the name of one virus engine. The number of segments will vary based on the number of virus licenses that are installed on this Email Gateway.
Engine Version: The current release version of the signature engine software shows in this field.
Signature Version: The most recently installed update for the current engine and engine version appears in this field.
Date: This field contains the date when the specific engine was installed.
Number of Virus Signatures Available: This field shows the number of virus signatures that can trigger the current version of this specific signature protection configuration.
Library/Virus ID: The names of current libraries or virus IDs show in this column.
Version/Date: The corresponding version date (installation date) for each library or virus ID appears here.

Much of the information included on this window is also shown in different format on the Zero Day
Protection window. The specific library or virus ID data and the version dates for each are unique to this
window.


Signature engines
Email Gateway currently supports up to three signature engines. Each engine requires a separate license.
The Signature Engines window permits you to configure the processing order and general behavior of each
licensed engine.
Figure 135 Signature Engines - Configure window

The Signature Engines window as it first appears presents the following information:

Table 154 Signature Engines - Configure fields

Anti-Virus Engines: The top section of this window lists the installed engines, their processing order and the actions they are to take.
Engine: The licensed, available signature engines are listed by name in this column.
Order: This column shows the processing order for all licensed signature engines. Options are:
• Disable – don’t use this signature engine
• First – this engine will process messages before any other engine.
• Second – this engine will process second.
• Third – this engine will process third.
Each enabled engine must have a unique processing order position. Email Gateway will not accept duplications.
Scan Only: Click this radio button if you want the particular engine to simply detect and report suspected viruses.
Scan and Clean: Click this radio button if you want the engine to attempt removing the detected virus. The Scan Only and Scan and Clean buttons are mutually exclusive.
Advanced Protection Setting: The lower portion of the window is visible when the window appears, but can be collapsed by clicking the double arrows at the right of the “Advanced” header bar. The expanded lower portion of the window permits configuration of the actions to be taken by the virus engines, based upon the kinds of instances detected.
Message Types: Messages can trigger action by a signature engine for three distinct reasons. They can be:
• Virus Messages – an actual virus is detected in this message or its attachments.
• Sweep Error Messages – the virus protection engine is unable to perform a virus scan on this message, for any one of a number of reasons.
• Password Protected Messages – these messages cannot be scanned due to password security.


Table 154 Signature Engines - Configure fields (continued)

Action: The desired actions for each message type populate this portion of the window when it appears.
Action Value: If the configured action requires additional configuration information, that information shows in the data field.
Enable/Disable Notification: A Yes in this field indicates this message type will generate a notification when triggered. A No indicates it will not generate a notification.
Change Extension: Select the checkbox to enable Email Gateway to change the file extension for any detected attachment that could not be cleaned.
Bypass Extension: For Sweep Error or Password Protected messages, bypassing extensions is possible to allow the messages to be delivered. Each of the two message types has a List of Extensions hyperlink that allows extension override.

When you have set the configuration as required, click Submit to record your changes.

Editing detection behaviors


For each of the three event types, you can edit the configured Email Gateway behavior. If you click the
Virus Messages link on the Signature Engines - Configure window, the Edit Anti-Virus Configuration
window appears with “Virus Messages” in the Name field.

Table 155 Edit Anti-Virus Configuration fields

Name: The name of the message type to be configured appears in this field. The name is not editable.
Action: Select the action for this message type from the pick list. The currently configured option populates this field when the window appears.
Quarantine Type: If the configured action is Quarantine, you must select a quarantine type from the drop-down list.
Action Value: If the configured action will require additional configuration data, type that data in the data field.
Change Extension: Select the checkbox to enable Email Gateway to change the file extension for any detected attachment that will not be cleaned.
Notification: The lower portion of the window permits configuration of email notifications that Email Gateway will send when a message of the specific type is detected.
Notification Recipients: You can select one or more recipients who will be notified when this rule is triggered. You can select:
• The Sender of the message;
• The Recipient of the message; and/or
• Additional Recipients, such as perhaps an administrator. You can type up to three email addresses for additional recipients.
Notification Templates: For each recipient, you must select the template to be used for the notification message. The templates can be configured by navigating to Compliance | Compliance Advanced | Mail Notifications.

Identical screens are available for Sweep Errors and Password Protected messages. When you have set the
configuration as desired, click Submit.

Configuring bypass extensions


Sometimes the Signature Engines cannot scan a file because it is password protected, encrypted, or
otherwise unreadable. To enable specific, protected files to pass through the Virus Queue, you can use the
Extension Override functionality. This function allows you to create and maintain lists of specific file
extensions that are to be allowed to pass through the Virus Queue. Files with extensions that are not listed
are treated like any other infected file.


Figure 136 Configure Anti-Virus Bypass Extensions window

Table 156 Configure Anti-Virus Bypass Extensions fields


New Extension Name: To add a new extension, type the extension name in the data field, then click Submit. The extension list will update to include the new extension.
Fallback to Extension: Select this checkbox if you want Email Gateway to use the attachment extension method (scanning the extensions rather than the whole file) for identifying files when the document identification method fails. If this option is not enabled, Email Gateway will scan the entire file.
Enable Extension Override: Select this checkbox if you want to enable the override functionality for password protected files or sweep error files if those files are included in the list of bypass extensions.
Extension: This column lists the specific file extensions that are included in this bypass list.
Delete: Selecting the checkbox and then clicking Submit causes the extension to be deleted from the list.

Note: Sweep Error Message and Password Protected Message types have their own bypass extension lists.

Adding an extension
You can add an extension by entering it in the New Extension Name field and clicking Submit. The new
extension will be added to the specific list.

Updating signature protection


Signature protection requires continual updating if it is to retain maximum effectiveness. New viruses are
constantly appearing, and vendors respond rapidly with new signatures.
You can update your signature protection manually, or configure your Email Gateway for automatic
updates.

Manual signature updates


You can update signature protection manually any time updates are available. Navigate to Anti-Virus |
Manual Signature Updates.
Note: You can also update by navigating to the System | Updates window and selecting Anti-Virus as the
Update Type.




Figure 137 Updates window

Table 157 Updates fields


Installed Updates: The upper table shows information about all signature updates currently installed.
  Name: This column shows the vendor name and version information for each update.
  Priority: This column is intended to show the relative importance of each update.
  Date Released: This column displays the day, date and time when the specific update was released.
Available Updates: The lower table displays all available updates for the currently installed version of the Email Gateway software.
  Name: This column shows the vendor name and version information for each update.
  Priority: This column is intended to show the relative importance of each update.
  Date Released: This column displays the day, date and time when the specific update was released.
  Select: Checking this box selects the specific available update for installation.
  Delete: Checking this box selects the update for deletion.
Load a Package: If signature updates are stored in a file in a known directory, you can load the update package by entering the complete pathname or by browsing to the file. When the path is correct, click Upload to acquire the update file.
Commands: Two buttons control installation. You can click Submit or Express Install. Clicking View Log will allow you to view the current update log. More detailed information about updates and the update process can be found in Chapter 34, System Updates.




If you click any of the links in the Name column, the window will expand to provide details about that
particular update.

Automatic Signature Updates


You might prefer to have Email Gateway update your signature protection automatically. To configure this
option, navigate to the Auto Signature Updates window.
Figure 138 Auto Signature Updates window

Table 158 Auto Signature Updates fields

Automatically Upgrade Anti-Virus Software: Select the checkbox to enable automatic signature updates.
Automatic Check Interval (minutes): Type the number of minutes between checks; this determines how often Email Gateway will check the update server for new signature updates.
View Log: Clicking this button will display the current log entries for the automatic update process.

When you have entered the information correctly, click Submit. Email Gateway will check for updates automatically,
and upgrade your protection according to your configured schedule.
Tip: Automatic updating is generally the preferred method for ensuring the signature engines are kept in the most
current state.





SECTION 6

Encryption

Chapter 18, Managing Encryption

Chapter 19, Advanced Encryption


18 Managing Encryption
Contents
About Encryption
Available reports
About Secure Web Delivery
Configuring the Encryption Router
Certificate management
Managing domains

About Encryption
Current protocols governing email dictate that all messages transmitted over the internet be sent in plain
ASCII text characters. The problem caused by this requirement is that anyone with the right tools can read
a message sent by anyone else. The tools, such as TCP or packet sniffers, can be freely downloaded from
the internet. The tools not only allow hackers to read anyone's email, but also allow them to intercept and
alter the messages before they are delivered to the recipient. The easiest and most popular way for
enterprises to secure their email is by using Digital Certificates.
These certificates allow two essential strategies for message encryption: client to client and server to server
encryption.
In client-to-client encryption, Security Certificates are installed on individual workstations. The dominant
benefit of this method is that the message is encrypted before it leaves the originator's computer and
remains encrypted until it is received (protection from end to end).
Server-to-server encryption, on the other hand, requires Security Certificates be installed on the mail
servers. Messages are protected only from server to server, not from the client to the server. The Email
Gateway strategy provides the benefits of server-to-server encryption without permitting its drawbacks.

Available reports
The Quick Snapshots are intended to provide an easily understood overview of processes and actions within
the Encryption program area. The reports are provided separately for received and delivered email traffic.
Both sets of reports provide historical information and the current day’s actions.
The Encryption Quick Snapshot can be toggled between incoming and outgoing data by clicking the
appropriate tab at the top of the window. Both views report message trends and message actions for their
respective traffic directions.




Incoming message reports


Figure 139 Encryption Quick Snapshot (incoming)

The upper panel of the window shows historical data regarding Encryption action over time.
The graph tracks the following types of incoming messages:
• Clear (unencrypted) connection count

• Connections with TLS encryption

• Messages encrypted using S/MIME

• Messages encrypted using PGP/MIME


Note: Information for the Stage Server (both data and the legends) will only appear on the Snapshot if Secure
Web Delivery is enabled on this Email Gateway appliance.

The historical trend data allows you to detect changes over time. The time period covered by the historical
graphs will vary according to the amount of data accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.

• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis. The dates
displayed will represent the beginning date (Sunday) for each week.

• If the data covers more than 12 weeks, the trends will continue to be plotted on a weekly basis,
showing the most recent 12 weeks.
Note: Email Gateway keeps track of messages it processes; however, the Stage Server can normally send
messages out without having them pass through the Email Gateway. Inbound messages destined for the Stage
Server and secure replies coming from it will increment the totals in the Encryption Quick Snapshot, but apparent
discrepancies in message totals might occur since outbound traffic does not pass through Email Gateway.

The lower panel contains a pie chart that shows actions in the Encryption program area since midnight. This
graph tracks the same statistics as the trend report, limited to the present day.

Outgoing message reports


The outbound report window displays reports about delivered email traffic. This group of reports is divided
into two panels that correspond to those for the inbound reports. The outbound reports track precisely the
same statistics about the email traffic as the inbound reports.




About Secure Web Delivery


The use of outbound S/MIME, PGP, and SSL/TLS secure message delivery is contingent upon the ability of
the receiving mail server to support these methods of encryption. If the receiving server does not have a
suitable Security Certificate, or cannot accommodate a secure method for any reason, and the Email
Gateway Secure Mode is enabled, Email Gateway will drop the message. Secure Web Delivery, however, is
designed to provide a secure alternative to server-to-server encryption.
Email Gateway Encryption uses a system of encryption tools, filters and email policies. It includes:
• Mail-VPN, using SSL/TLS to create a secure connection to the recipient server or client and to deliver the
message securely, requires support for SSL/TLS on the recipient server or client.

• Server-side S/MIME, one of two major secure key exchange standards, is used primarily to support legacy
encryption systems.

• Server-side PGP, the other major secure key exchange standard, is also used mainly to support legacy
encryption systems.

• Secure Web Delivery (SWD) is used when a message must be delivered securely, but no secure
connection can be established with the recipient server. This method emails the recipient that they have
a message waiting in a secure, web-based mailbox. The notification provides a URL link to the secure web
page where the message can be retrieved.
Note: At present, Email Gateway will continue to check the SSL capability of the receiving server to receive a
secure message before falling back to Secure Web Delivery, even if SSL is disabled. This additional check is only
seen in the SMTPO log file, and does not affect expected behavior.

Additionally, when encryption is performed at the gateway, Secure Delivery allows you to use Email
Gateway Compliance features to make decisions about encryption of messages, based on keywords or
header information. Secure Delivery will attempt to deliver the message securely using any of the available
methods as configured by the administrator, with Secure Web Delivery as the final method. Email Gateway
can be configured to “fall back” to SWD.
Secure Web Delivery consists of two major components. There must be:
1 A host appliance providing the ability to configure SWD, produce reports, allow searches, and so forth.
This can be a regular Email Gateway appliance with SWD functionality enabled (the Secure Web Delivery
Redirector).

2 A server to receive and hold messages and to allow properly authenticated recipients to receive their
messages (the Secure Web Delivery Server).

Email Gateway can be configured to deliver the original message securely to the Secure Web Delivery
Server. SWD will create a new email to the original recipient that contains a hyperlink to Secure Web
Delivery. The original recipient is invited to click the link to read the message waiting for them. When the
recipient opens a browser to retrieve the message, a Security Certificate installed on the Secure Web
Delivery appliance forces an HTTPS session, ensuring that the message is read in an encrypted session.
There are two ways of enabling the policies for a message's delivery using Secure Web Delivery:
1 If one of the Email Gateway Envelope Analysis policies requires Secure Delivery as a policy action, Email
Gateway will use Secure Web Delivery as the fall back option. When Secure Delivery is the designated
action, Email Gateway will attempt to deliver the message in the following order of encryption methods:
S/MIME, PGP, and TLS. If it is unsuccessful delivering the message using these methods, Email Gateway
will fall back to Secure Web Delivery.

2 Users and domains appearing in the Secure Web Delivery User List will always receive messages via
HTTPS. Before the Email Gateway SMTPO Service delivers any message off the appliance, it will look for
the address/domain in its User List. If the address or domain exists on the list, the SMTPO Service will
redirect the message to the Secure Web Delivery Server, which will then generate a new email indicating
that a message is waiting to be read securely. The email contains a URL pointing back to the original
message now stored on the Secure Web Delivery Server.




Note: SWD will not work on any Email Gateway that has High Performance enabled. A MIME error exception will
be generated in SMTPO for any message scheduled for SWD.

Secure Web Delivery is a licensable feature. If a Secure Web Delivery license is installed after Email
Gateway initial installation, you must log out of the Web Administration user interface and log back in again
before the Secure Web Delivery feature is displayed.
When Secure Web Delivery is hosted on a Secure Web Delivery Server (separate from the Email Gateway
appliance), it must be configured on both the Email Gateway and the Secure Web Delivery Server.
Secure Web Delivery requires that messages have a valid MIME. For messages that the Email Gateway
RIPQ is unable to parse (“rip” the message into its constituent MIME parts) successfully, the Secure Web
Delivery option is not available. When the SMTPO process checks for the availability of Secure Web
Delivery, it also checks for the validity of the message for MIME.
Recipients of messages delivered via Secure Web Delivery have the ability to send secure replies or
acknowledgements for those received messages. Email Gateway supports secure replies only to the original
senders over SSL. You can edit the subject of the message and configure the relay target. It is also possible
to include attachments with the reply. See Configure Secure Web Delivery for configuration details.

Configuring the Encryption Router


Configuration of Encryption service requires setup on both the Email Gateway appliance and the Stage
Server. On the Email Gateway appliance, you must configure the Encryption Router to enable messages
received via HTTPS. The Stage Server must be configured on the Secure Web Delivery appliance.
Configuring the Encryption Router, on the Email Gateway appliance, begins with navigation to the
Configure window. You must provide the IP address for the Secure Web Delivery Server. Email Gateway will
deliver messages securely to this address.
Figure 140 Encryption - Configure Router window

Table 159 Encryption - Configure Router fields


Enable Encryption Router: Select the checkbox to enable Email Gateway to use Secure Web Delivery. This enables communication with the router hosting SWD.
Advanced Encryption: This box displays only if the encryption router is enabled. Checking this box causes all SWD messages to be routed to an Advanced Server for encryption. If the box is not checked, and the router IP is an Advanced Server, the SWD messages will not be treated for encryption.
Encryption Router IP Address: Type the IP address of the machine hosting Secure Web Delivery. You have the following options:
• Type the virtual IP address for this Email Gateway if an SWD Server license is installed. The DNS must resolve the virtual IP address to Email Gateway.
• Type the IP address of the external appliance hosting SWD if an SWD Redirector license is installed.
In order to provide failover protection for SWD, you can type two IP addresses as a comma-separated list. Only two IPs can be entered.

When information is entered correctly, click Submit.




Note: This Email Gateway IP address must be added to the Allow Relay list on the Stage Server, and the server
must be included on the Allow Relay list on Email Gateway.

Certificate management
Email Gateway protects messages in transit through the use of two types of methods:
• Creating encrypted channels of communication (SSL)

• Creating encrypted message data (S/MIME or PGP)

When Email Gateway is first installed, it is delivered with a self-signed Security Certificate which is
adequate for encrypting the Web Administration sessions for administrators managing their Email
Gateways. This self-signed certificate can also encrypt SMTP messaging, though sending servers can refuse
to deliver their email to a server whose certificate cannot be authenticated. Therefore, Email Gateway
enables administrators to create and install certificates signed by a certificate authority. This Certificate
Manager program area provides the ability to create a Certificate Signing Request, as well as to install,
back up and restore one or more Security Certificates.

Certificates
Email Gateway provides an interface for requesting and installing a Security Certificate from a Certificate
Authority. When a certificate is installed on the Email Gateway appliance, it is not necessary to install
additional certificates on internal servers, unless you want to protect the connection between Email
Gateway and the internal servers and provide security for internal users sending or retrieving messages
directly to or from the server. Email Gateway requires the installation of a Security Certificate so that
administrative sessions with it via the Web Administration browser interface can be conducted securely.
Email Gateway supports two primary certificate types: X.509 certificates and PGP (Pretty Good Privacy)
certificates. Each type provides encryption standards that Email Gateway will use to send and receive
messages. X.509 certificates use both a public key, shared with others that will be allowed to send
encrypted messages to Email Gateway or receive encrypted messages from Email Gateway, and a private
key that is maintained in complete secrecy. The private key is used to encrypt outgoing messages and
decrypt incoming messages. The certificates must be purchased from a Trusted Root Certificate Authority
(CA).
PGP certificates also use public and private keys, but rather than binding the certificate to the user (or
server), PGP uses a Web of Trust concept, a multi-path model of certification that allows some tolerance. The
PGP certificates are generated by a PGP encryption package, available free from several sources. The
official repository is at the Massachusetts Institute of Technology.
X.509 certificates are used for Email Gateway's S/MIME functionality.

X509 certificates
The Certificate Signing Request (CSR) is actually the request made by an administrator for a new
certificate. Open the CSR List to see existing CSRs and to request new ones.




Figure 141 CSR List - Manage window

Table 160 CSR List - Manage fields


Name: This column shows the digital name for each CSR that has been processed and is awaiting installation.
Canonical Name: This column displays the canonical name for the server where the certificate will be installed. Example: mail.marketing.myplace.com
Organization: The name of the organization (for example, McAfee Corporation) that requested the CSR shows in this column.
Organizational Unit: This column lists the department or unit within the organization to which the certificate will be assigned (for example, Development).
Installed: This column contains an N (for "not installed") until the certificate is installed.
Delete: Selecting the Delete checkbox associated with any CSR and clicking Submit will delete that CSR. Clicking the Delete hyperlink will delete all CSRs.

Adding a CSR
Clicking the Add New button at the bottom of the CSR List window opens the Add CSR window. This
window allows you to generate a Certificate Signing Request.
Figure 142 Add CSR window




Table 161 Add CSR fields


Digital Name for the Certificate: Type the digital (displayed) name for the new certificate being requested. In order for the CSR to be generated, this name cannot contain spaces.
Country: Type the name or abbreviation for the country where the certificate is to apply.
State: Type the state name.
Locality: Type the name of the locality.
Organization: Type the name of the organization requesting the certificate.
Organization Unit: If applicable, type the name of the unit within the organization to which the certificate will be assigned.
Common Name: Type the server name where the certificate will be installed.
Key Size: Select the appropriate key size, in bits, for the public key to be installed. Options are:
• 4096 bits
• 2048 bits
• 1024 bits
• 512 bits
The larger key is more secure, but is slower to process.
Email Address: Type the email address for the administrator for the certificate.
Password: Type the password to be used to maintain the certificate.
Confirm Password: Confirm the password by entering it again.

When you have completed the necessary information, click Submit. The CSR List will refresh to add your
new CSR.
Email Gateway will generate a private key/public key pair, and display in a text string the public key to be
submitted to a trusted root source (such as VeriSign) for Security Certificates.
To complete the submission, do the following:
1 In the Name column, click the name of the CSR you just created.

2 Open a second browser window to navigate to a Security Certificate-issuing source.

3 Copy and paste the Email Gateway-generated text string into the appropriate input field of the Certificate
Authority's web page when applying for a Certificate. When copying and pasting the key information,
include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines
at the beginning and end of the Email Gateway-generated text string.
Caution: When you go to the VeriSign web page to get your certificates, you will be asked what platform you plan
to use. Select Apache. If you choose Windows or IIS, the certificates you download will not work with Email
Gateway appliances.

When you click Submit, the CSR is submitted to the Certificate Authority (CA). Email Gateway creates and
stores a private key/public key text string in its database. When this string is submitted to a CA after you
complete and submit the CSR a second time, the issuing authority generates a new public key string. The
new certificate information appears in the CSR List - Manage window.
The install procedure allows you to paste this string in the Email Gateway Certificate panel of the Install
Security Certificate window and complete the certificate generation.
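The copy-and-paste step above is where a CSR most often gets damaged. The following is an added example, not Email Gateway code: a hypothetical stdlib-only checker that confirms both armor lines were copied, that the body is complete base64 DER, and reports the RSA key size so that requests below an administrator's chosen minimum can be refused before they are submitted. The sample request it builds is constructed with a placeholder modulus of the right length, not a real key.

```python
"""Sanity-check a PEM-armored CSR before pasting it into a CA's web form.
Hypothetical helper (not part of Email Gateway): checks the armor lines,
decodes the DER body and reports the RSA modulus size."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_der(text):
    """Strip the armor and decode the body; raise ValueError if either is broken."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines must be included")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("body is not base64")
    return base64.b64decode(body, validate=True)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    if pos + 2 > len(buf):
        raise ValueError("DER element header is missing")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data; the request is truncated")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element nested in a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def rsa_key_bits(der):
    """Walk CertificationRequest -> SubjectPublicKeyInfo and return the modulus size."""
    tag, request, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, info = next(children(request))            # CertificationRequestInfo
    parts = list(children(info))                 # version, subject, SPKI, attributes
    alg, bitstr = list(children(parts[2][1]))
    if RSA_OID not in alg[1]:
        raise ValueError("public key is not RSA")
    _, rsa_pub = next(children(bitstr[1][1:]))   # skip the unused-bits byte
    _, modulus = next(children(rsa_pub))         # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()


def check_csr(text, min_bits=2048):
    """Return the key size of a well-formed CSR, or raise ValueError."""
    bits = rsa_key_bits(pem_to_der(text))
    if bits < min_bits:
        raise ValueError(f"{bits}-bit key is below the {min_bits}-bit minimum")
    return bits


def is_acceptable(text, min_bits=2048):
    """True when check_csr passes, False on any defect."""
    try:
        check_csr(text, min_bits)
        return True
    except ValueError:
        return False


# --- constructed sample input: a placeholder modulus, not a real key ---------
def _tlv(tag, content):
    """Minimal DER encoder used only to build the sample request."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _integer(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def sample_csr(bits):
    """Build an armored CSR whose RSA modulus is exactly `bits` long (constructed)."""
    rsa_pub = _tlv(0x30, _integer((1 << (bits - 1)) | 1) + _integer(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))
    info = _tlv(0x30, _integer(0) + _tlv(0x30, b"") + spki + _tlv(0xA0, b""))
    der = _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"
```

Run `check_csr` on the text you are about to paste; the 512-bit and 1024-bit options in the Key Size field fail the default 2048-bit minimum.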




Installing an X509 certificate


Email Gateway is pre-configured with an unsigned certificate in order to immediately provide secure SSL
connections required for administrative sessions with the Web Administration interface. While the invalid
certificate does allow encryption of email messages, that security is minimal because Email Gateway will
not be able to authenticate itself to other servers, which can refuse to send messages to it. Therefore, in
order to provide genuine security, a valid Security Certificate must be installed.
When the Certificate Authority returns the necessary certificate information, click Install on the CSR List
window. The Install Security Certificate window appears.
Figure 143 Install Security Certificate window

From the picklist, populated from the CSR List, select the certificate that is to be installed. Type the
password that was used to request the CSR from the Certificate Authority (CA). Then copy and paste into
the Certificate input field the Security Certificate text string provided by the CA. Click Submit. The
certificate will be installed, and the CSR will disappear from the CSR List.
Caution: Installed Security Certificates cannot be uninstalled.

Storing X509 certificates


When a certificate is installed, it is added to the X509 list (X509 Certificates - Manage). Storing the
available certificates allows them to be archived for backup purposes. X.509 Certificates are added from the
CSR list when they are installed.




Figure 144 X.509 Certificates - Manage window

Table 162 X.509 Certificates - Manage fields


Certificate: The name of each installed certificate will appear in this column.
Internal: For each certificate on the list, an Export hyperlink appears in this column. Use this link to export a copy of the internal certificate to a file where it can be saved as a backup.
External: For each certificate on the list, an Export hyperlink appears in this column. Use this link to export a copy of the external certificate to a file where it can be saved as a backup.
Import: Click Import to locate and retrieve an internal certificate you have already stored.

Exporting an X509 certificate


Because the Security Certificate can cost a considerable sum of money, Email Gateway provides a
mechanism allowing administrators to “archive” a copy of it for safekeeping. Additionally, the public key of
installed SSL and S/MIME Security Certificates can be exported to disk so they can be shared with trusted
domains.
To export from certificate storage in the X509 List, click the Export link for the certificate you want to
store. The Export Security Certificate window displays.

Importing an X509 Certificate


To import an X.509 certificate, click the Import button at the bottom of the X509 List window. The X.509
Certificates - Add window displays. The specific window to use will depend upon what type of X509
certificate you want to import.
Figure 145 X.509 Certificates - Add window

Note: P7C and PEM Certificates involve public keys only. No password is required. Provide the information
required, browse to the file location where the certificate is stored (for P7C) and click Submit.




Table 163 X509 Certificates - Add window (P7C certificate)


Certificate Type: Click the correct radio button to identify the certificate type (in this case, P7C). The window will refresh to provide the correct data fields.
Name of Certificate: Type the display name of the certificate.
File: Type the path to the stored certificate or browse to it.

Click Submit to import the certificate.

Table 164 X509 Certificates - Add fields (PEM certificate)


Certificate Type: Click the correct radio button to identify the certificate type (in this case, PEM). The window will refresh to provide the correct data fields.
Name of Certificate: Type the display name of the certificate.
Certificate: Paste in the certificate information as it came from the Certificate Authority.

Click Submit to import the certificate.


For the P12 Certificates, a password is required, since the certificate contains both public and private keys.
Type the certificate name, browse to the file storage location, and type the password that was associated
with the certificate at the time it was exported. Click Submit. The imported certificate will appear on the
X.509 List.

Table 165 X509 Certificates - Add fields (P12 certificate)


Certificate Type: Click the correct radio button to identify the certificate type (in this case, P12). The window will refresh to provide the correct data fields.
Name of Certificate: Type the display name of the certificate.
File: Type the path to the stored certificate or browse to it.
Password: Type the password associated with the certificate.

Click Submit to import the certificate.

PGP certificates
All existing PGP certificates appear in the PGP List. This window also allows you to generate new PGP
certificates and import existing ones from backup.
Figure 146 PGP Certificates - Manage window




Table 166 PGP Certificates - Manage fields


Certificate: This column contains the list of names for every PGP certificate on this Email Gateway.
Internal: For each listed certificate, this column will show an Export hyperlink that allows you to save a backup copy of the private (internal) key for the certificate.
External: For each listed certificate, this column will show an Export hyperlink that allows you to save a backup copy of the public (external) key for the certificate.

Generating a PGP certificate


To generate a new PGP certificate, begin by clicking the Generate button at the bottom of the PGP list. The
lower portion of the window refreshes.
Figure 147 PGP Certificates - Manage window

Type the name for the new certificate, then click Submit. The window will refresh to include the new PGP
certificate.

Exporting a PGP certificate


If you wish to store copies of the internal key, the external key or both, click the Export hyperlink beneath
the Internal or External column headings. Your window will display a confirmation message.
You can look at the particular certificate by clicking Open. If you want to save a backup copy, click Save.
This will allow you to navigate to the place of your choice for storing the certificates, just as you would save
any other file.

Importing a PGP certificate


If you have saved backup copies of your PGP certificates, you can import them to the PGP list. Begin by
clicking Import at the bottom of the PGP List. The Import PGP Certificate window displays.

Table 167 Import PGP Certificate fields


Certificate Type: Click the proper radio button to choose the internal key or the external key.
Name of Key: Type the name of the certificate.
File Location for Public Key, or File Location for Private Key: Type the path or browse to the file location where you stored the public key or the private key (the option shown depends upon which type you are importing).

When the information is entered correctly, click Submit. The certificate will appear on the PGP List.

Managing domains
For server-to-server encryption, Email Gateway includes a single option in the Mail-VPN configuration that tells it to always try to deliver messages over an SSL/TLS-protected SMTP session on port 25 (the guide calls this SMTPS; on port 25 the session is upgraded with the STARTTLS extension rather than being TLS from the first byte). You can also instruct Email Gateway what to do if the receiving server cannot accommodate a secure session: fall back to non-secure delivery, or do not send the message at all.
Email Gateway can also send and receive server-based S/MIME or PGP messages using much the same functionality as Mail-VPN. Every incoming message is checked to see whether it is an S/MIME or PGP message. If so, Email Gateway checks whether a key exists to decrypt it; if a key exists, the message is decrypted, otherwise it is handled as an ordinary message, without decryption. Outgoing messages are checked for a recipient domain or user that appears in the S/MIME or PGP encryption lists. Each domain requires its own key.

External domains
External domains are domains outside the Email Gateway network with which it communicates securely. Email Gateway can use either S/MIME or PGP encryption for this communication.

External S/MIME
Use the External S/MIME window to configure the domains to which Email Gateway sends messages using
S/MIME encryption. Note that the public key of the S/MIME Security Certificate of each external domain
must be installed on the Email Gateway.
Figure 148 External S/MIME Certificates - Manage window


Table 168 External S/MIME Certificates - Manage fields

Enable S/MIME: Select the checkbox to enable S/MIME encryption for outbound mail.
Domain: Lists the domains to which Email Gateway sends messages using S/MIME encryption.
Certificate: The name of the certificate associated with each domain.
Enable: Select or clear the checkbox to enable or disable S/MIME encryption for the associated domain.
Secure Mode: Checked when Email Gateway must communicate with the domain only via S/MIME encryption. Toggle the Secure Mode requirement on and off with this checkbox.
Delete: Select the checkbox and click Submit to remove the domain from the list.
Domain addition fields: The data fields at the bottom of the window add domains to the list; they are described in Table 170.

If you have made changes, click Submit.

External PGP
Use the External PGP page to manage the specific domains to which Email Gateway should send messages
using PGP encryption.
Figure 149 External PGP Certificates - Manage window

Table 169 External PGP Certificates - Manage fields

Enable PGP: Select the checkbox to enable PGP encryption for outbound mail.
Domain: Lists the domains to which Email Gateway sends messages using PGP encryption.
Certificate: The name of the certificate associated with each domain.
Enable: Select or clear the checkbox to enable or disable PGP encryption for the associated domain.
Secure Mode: Checked when Email Gateway must communicate with the domain only via PGP encryption. Toggle the Secure Mode requirement on and off with this checkbox.
Delete: Select the checkbox and click Submit to remove the domain from the list.
Domain addition fields: The data fields at the bottom of the window add domains to the list; they are described in Table 170.

If you have made changes, click Submit.


To add an external domain to either the S/MIME or PGP list, complete the data fields at the bottom of the window.

Table 170 Adding an external domain

Domain: Type the domain name to add to the S/MIME or PGP encryption list.
Secure Delivery Only: Select the checkbox if messages to this domain may only be delivered encrypted.
Certificate: Select the certificate to be used for encryption from the pick list.

When the information is entered correctly, click Submit.

Internal domains
Internal domains are located within the Email Gateway network. Email Gateway receives S/MIME or PGP encrypted messages for these domains and decrypts them with the certificates configured here.

Internal S/MIME
The Internal S/MIME page specifies the internal domains hosted by Email Gateway that must receive messages securely using S/MIME. For each domain, specify which Email Gateway Security Certificate (and its private key) is used for decryption.
Figure 150 Internal S/MIME Certificates - Manage window


Table 171 Internal S/MIME Certificates - Manage fields

Domain: Lists the internal domains for which Email Gateway receives and decrypts S/MIME messages.
Certificate: The name of the certificate associated with each domain.
Enable: Select or clear the checkbox to enable or disable S/MIME decryption for the associated domain.
Secure Mode: Checked when Email Gateway must accept only S/MIME encrypted messages for the domain. Toggle the Secure Mode requirement on and off with this checkbox.
Delete: Select the checkbox and click Submit to remove the domain from the list.
Domain addition fields: The data fields at the bottom of the window add domains to the list; they are described in Table 173.

Internal PGP
The Internal PGP Certificate Management window displays every internal domain for which a PGP Security Certificate has been installed on Email Gateway. Administrators can enable or disable PGP decryption for a domain, or remove the use of PGP for it permanently.
Email Gateway only supports incoming PGP messages that are RFC 3156-compliant (PGP/MIME); an inline PGP block pasted into a text body is not decrypted.
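The inbound check described in Managing domains ("is this an S/MIME or PGP message?") and the RFC 3156 restriction above decide whether a message is even a candidate for gateway decryption. The following is an added example, not Email Gateway code, showing how that classification works on real message structure: S/MIME is recognised by its application/pkcs7-mime content type and smime-type parameter, PGP/MIME by the two-part multipart/encrypted layout RFC 3156 requires, and inline PGP (an armored block in a text/plain body) is flagged as the unsupported case. The sample messages are constructed and their ciphertext bodies are placeholders.

```python
"""Classify an inbound message by the encryption format it carries.

Added illustration, not Email Gateway code: it mirrors the inbound check the
guide describes (is this an S/MIME or a PGP message?) and separates RFC 3156
PGP/MIME, which the appliance can decrypt, from inline ASCII-armored PGP,
which it does not support. All sample messages below are constructed.
"""
import email
from email import policy


def classify(raw: bytes) -> str:
    """Return one of: smime-enveloped, smime-<type>, pgp-mime,
    multipart-encrypted-malformed, pgp-inline-unsupported, plain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()

    # S/MIME: the whole body is one CMS object; the smime-type parameter
    # says whether it is encrypted (enveloped-data) or only signed.
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = msg.get_param("smime-type", "")
        if smime_type == "enveloped-data":
            return "smime-enveloped"
        return f"smime-{smime_type or 'unknown'}"

    # PGP/MIME (RFC 3156): multipart/encrypted with exactly two parts, a
    # control part containing "Version: 1" and the armored ciphertext.
    if ctype == "multipart/encrypted":
        parts = list(msg.iter_parts())
        if (msg.get_param("protocol", "") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and b"Version: 1" in parts[0].get_payload(decode=True)
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp-mime"
        return "multipart-encrypted-malformed"

    # Inline PGP: an armored block inside a text body. Not RFC 3156, so the
    # gateway handles the message as ordinary mail and never decrypts it.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "-----BEGIN PGP MESSAGE-----" in body.get_content():
        return "pgp-inline-unsupported"
    return "plain"


# Constructed samples; ciphertext bodies are placeholders, not real data.
PGP_MIME = b"""From: alice@example.com
To: bob@example.net
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderciphertext=
-----END PGP MESSAGE-----

--b1--
"""

SMIME = b"""From: alice@example.com
To: bob@example.net
Subject: contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxplaceholder=
"""

INLINE_PGP = b"""From: alice@example.com
To: bob@example.net
Subject: re: keys
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderciphertext=
-----END PGP MESSAGE-----
"""

PLAIN = b"""From: alice@example.com
To: bob@example.net
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Noon works for me.
"""
```

Run classify() over a captured message that the gateway delivered without decrypting: a result of pgp-inline-unsupported explains the behaviour, since the sending client produced inline PGP rather than the PGP/MIME layout Email Gateway requires.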
Figure 151 Internal PGP Certificates - Manage window

Table 172 Internal PGP Certificates - Manage fields

Domain: Lists the internal domains for which Email Gateway receives and decrypts PGP messages.
Certificate: The name of the certificate associated with each domain.
Enable: Select or clear the checkbox to enable or disable PGP decryption for the associated domain.
Secure Mode: Checked when Email Gateway must accept only PGP encrypted messages for the domain. Toggle the Secure Mode requirement on and off with this checkbox.
Delete: Select the checkbox and click Submit to remove the domain from the list.
Domain addition fields: The data fields at the bottom of the window add domains to the list; they are described in Table 173.

To add an internal domain, complete the data fields at the bottom of the window.

Table 173 Adding an internal domain

Domain: Type the domain name to add to the decryption list.
Certificate: Select the certificate to be used for decryption from the drop-down list.
Secure Delivery Only: Select the checkbox if messages for this domain must be received encrypted only.

When the information is entered correctly, click Submit.

19 Advanced Encryption
Contents
Advanced Encryption tab
Advanced Encryption quick snapshot
Secure Web Mail overview
Secure Web Delivery configuration
SWD User Administration
SWD Password Management
Certificate management
Managing messages

Advanced Encryption tab


The Advanced Encryption tab or the Encryption tab only appear on the screen under certain conditions,
depending on the appliance and license you have purchased. Your appliance may be one of the following:
• McAfee Email Gateway + Advanced Encryption
• McAfee Email Gateway + Encryption Router
• Secure Web Delivery (SWD Encryption) Standalone
• McAfee Email Gateway without Advanced Encryption

Depending on your license, the Advanced Encryption tab provides you with various configuration options to
help you perform a variety of functions related to your appliance. Main menu options may include such
items as:
• Configuration
• User administration
• Certification management
• Server to server encryption configuration
• X509 Certificate management

SMTP as originally specified carries messages in the clear: unless the session is protected by TLS, the headers and body cross the network as readable text. Anyone on the path with a packet sniffer, freely downloadable from the internet, can read other people's email, and an attacker who can interpose on the connection can also intercept and alter messages before they reach the recipient. The easiest and most popular way for enterprises to secure their email is with digital certificates.
Certificates support two essential strategies for message encryption: client-to-client and server-to-server encryption.
In client-to-client encryption, Security Certificates are installed on individual workstations. The dominant benefit of this method is that the message is encrypted before it leaves the originator's computer and remains encrypted until the recipient opens it (protection from end to end).
Server-to-server encryption, on the other hand, requires Security Certificates to be installed on the mail servers. Messages are protected only between the servers, not between each client and its server.


Advanced Encryption quick snapshot


The Quick Snapshots are intended to provide an easily understood overview of processes and actions within
the Encryption program area. The reports are provided separately for incoming and outgoing email traffic.
Both sets of reports provide historical information and the current day’s actions.
The Encryption Quick Snapshot can be toggled between incoming and outgoing data by clicking the
appropriate tab at the top of the window. Both views report message trends and message actions for their
respective traffic directions.

Incoming message reports


Figure 152 Encryption Quick Snapshot (SMTPI) window

The upper panel of the window shows historical data on Encryption activity over time. The first time you access this screen it shows no data, because no activity has taken place yet.
The graph tracks the following types of incoming traffic:
• Clear (unencrypted) connection count
• Connections with TLS encryption
• Messages encrypted using S/MIME
• Messages encrypted using PGP/MIME


Note: Information (both data and the legends) will only appear on the Snapshot if Secure Web Delivery is enabled
on this Email Gateway appliance.

The historical trend data allows the Administrator to detect changes over time. The period covered by the historical graphs depends on how much data has accumulated:
• With less than a week of data, the trend is plotted daily.
• With 1 to 12 weeks of data, the trend is plotted weekly; the dates displayed are the first day (Sunday) of each week.
• With more than 12 weeks of data, the trend is still plotted weekly, showing the most recent 12 weeks.


Note: Email Gateway counts the messages it processes; however, the server can normally send mail out without passing it through Email Gateway. Inbound messages destined for the Stage Server and secure replies coming from it increment the totals in the Encryption Quick Snapshot, so apparent discrepancies in message totals can occur when some outbound traffic does not pass through Email Gateway.

The lower panel contains a pie chart of actions in the Encryption program area since midnight. It tracks the same categories as the trend report, limited to the current day.

Outgoing message report


Figure 153 Encryption Quick Snapshot (SMTPO) window

The outbound report window displays reports about delivered email traffic. This group of reports is divided
into two panels that correspond to those for the inbound reports. The outbound reports track the same
statistics about the email traffic as the inbound reports.

Secure Web Mail overview


Outbound secure delivery using S/MIME, PGP, or SSL/TLS depends on the receiving mail server supporting that method. If the receiving server has no suitable Security Certificate, or cannot accommodate a secure session for any reason, and Secure Mode is enabled on Email Gateway, the message is dropped. Secure Web Delivery provides a secure alternative for exactly this case, when server-to-server encryption is not possible.
Email Gateway Encryption combines encryption tools, filters and email policies. It includes:
• Mail-VPN, which uses SSL/TLS to create a secure connection to the recipient server or client and delivers the message over it; the recipient server or client must support SSL/TLS.
• Server-side S/MIME, one of the two major standards for encrypting and signing messages (not a key exchange protocol), used primarily to support legacy encryption systems.
• Server-side PGP, the other major message encryption standard, also used mainly to support legacy encryption systems.


• Secure Web Delivery (SWD) is used when a message must be delivered securely, but no secure
connection can be established with the recipient server. This method emails the recipient that they have
a message waiting in a secure, web-based mailbox. The notification provides a URL link to the secure web
page where the message may be retrieved.
Note: At present, Email Gateway will continue to check the SSL capability of the receiving server to receive a
secure message before falling back to Secure Web Delivery, even if SSL is disabled. This additional check is only
seen in the SMTPO log file, and does not affect expected behavior.

Additionally, when encryption is performed at the gateway, Secure Delivery allows the Administrator to use
Email Gateway Compliance features to make decisions about encryption of messages, based on keywords
or header information. Secure Delivery will attempt to deliver the message securely using any of the
available methods as configured by the Administrator, with Secure Web Delivery as the final method.
Secure Web Delivery consists of two major components. There must be:
1 A host appliance providing the ability to configure SWD, produce reports, allow searches, etc. This may
be a regular Email Gateway appliance with SWD functionality enabled.

2 A server to receive and hold messages and to allow properly authenticated recipients to receive their
messages (the Secure Web Delivery Server).

Email Gateway can be configured to deliver the original message securely to the Secure Web Delivery Server. SWD then creates a new email to the original recipient containing a hyperlink to Secure Web Delivery and inviting the recipient to follow it to read the waiting message. When the recipient opens a browser to retrieve the message, the Security Certificate installed on the Secure Web Delivery appliance forces an HTTPS session, so the message is read over an encrypted connection.
Note the following:
• If one of the Email Gateway Envelope Analysis policies requires Secure Delivery as a policy action, Email Gateway uses Secure Web Delivery as the fallback option.
• When Secure Delivery is the designated action, Email Gateway attempts to deliver the message using the encryption methods in this order: S/MIME, PGP, then TLS. If none of these succeeds, it falls back to Secure Web Delivery.
Note: Users and domains on the Secure Web Delivery User List always receive messages via HTTPS. If the email address is on the list, the SMTPO service redirects the message to the Secure Web Delivery Server, which generates a new email to the user indicating that a message is waiting to be read securely; that email contains a URL pointing back to the original message, now stored on the Secure Web Delivery Server. If the address is not on the list and auto-enrollment is enabled, the user is added automatically and SMTPO redirects the message to SWD; otherwise the message is dropped and a notification is sent to the sender.

Secure Web Delivery is a licensable feature. If a Secure Web Delivery license is installed after Email
Gateway initial installation, the Administrator must log out of the Web Administration user interface and log
back in again before the Secure Web Delivery feature is displayed.
When Secure Web Delivery is hosted on a Secure Web Delivery Server (separate from the Email Gateway
appliance), it must be configured on both the Email Gateway and the Secure Web Delivery Server.
Secure Web Delivery requires that the message be valid MIME. If the Email Gateway RIPQ cannot parse the message into its constituent MIME parts, the Secure Web Delivery option is not available; when the SMTPO process checks whether Secure Web Delivery is available, it also checks that the message is valid MIME.
Recipients of messages delivered via Secure Web Delivery can send secure replies or acknowledgements for those messages. Email Gateway supports secure replies only to the original sender, over an SSL/TLS session. You may edit the subject of the reply and configure the relay target, and attachments can be included. See Configure Secure Web Delivery for configuration details.


Secure Web Delivery configuration


Configuring Secure Web Delivery may be optional, depending upon your license. However, should you
decide to enable Secure Web Delivery, it must be configured properly to perform its intended function.
Use this window to configure SWD options. To begin configuration,
1 Go to the Advanced Encryption tab, then click Configuration.

Figure 154 SWD configuration window

Figure 155 SWD configuration (continued)


Figure 156 SWD configuration (continued)

2 Use the following table to determine your SWD configuration settings.


Table 174 SWD configuration settings

Enable SWD Server: Select the checkbox to allow Email Gateway to use Secure Web Delivery. This enables communication with the router hosting SWD.

Virtual Host Configuration
Hostname: Enter the hostname of the machine hosting SWD. If an SWD Server license is installed on this appliance, enter Email Gateway's virtual hostname; DNS must resolve it to Email Gateway.
SWD Server's Virtual IP Address: Enter the IP address of the external server hosting SWD. If an SWD Server license is installed, enter Email Gateway's virtual IP address; DNS must resolve the virtual hostname to this address.
Certificate: The Security Certificate currently used by SWD for its HTTPS sessions. To use a certificate other than the default supplied with the appliance, install it first. Recipients' browsers must trust this certificate for the HTTPS session to be established without warnings.

Secure Message Configuration
Enable Auto Enrollment: Check this box if SWD notifications are to work without adding each recipient to the User List individually. Otherwise you must enroll users individually.
Enable Original From Address: If enabled, SWD notifications carry the original sender as the envelope (RFC 821 MAIL FROM) sender; otherwise that address is left blank.
SWD Support Message: Enter the support text included in SWD notifications, for example: "Please contact support by sending an email to swd-support@yourdomain or call 1-800-SWD-MESG for support."
PUSH Message Limit (MB): Messages larger than this size are delivered as PULL messages instead. Messages larger than the PULL limit are dropped. The default and maximum limit is 10 MB.
PULL Message Limit (MB): PULL messages larger than this size are dropped.
Secure Delivery Mechanism: Specify how users access secure messages:
• Pull: users log on and see a list of all their messages. Depending on the other settings on this page, they may also delete messages or perform other functions.
• Push: users log on but see only the current message, and cannot delete it or perform functions not allowed by the settings on this page.
• Push & Pull: users may use either method.
Enable hostname for Push cluster: Enable this option if Push and Pull messages must be reached through different hostnames. If enabled, Hostname for Push messages is required.
Hostname for Push messages: Enter the hostname used to access Push messages.
Choose Customization Profile: Choose one of the available customization profiles. Create new profiles from the Customization Profiles menu; see page 314 for more information.

Notification Template
Each of the following fields selects the template for one notification type. Only the default template appears in each drop-down menu unless you have created others via the Mail Notification menu.
SWD Notification template: notification that a secure message is waiting.
SWD Password Reset template: password reset notifications.
Unread Notify Recipient template: notice to the recipient that a message has not been retrieved.
Unread Notify Sender template: notice to the sender that a message has not been retrieved.
SWD Auto-Enroll DSN template: notification sent when a user is auto-enrolled.
Read Receipt Notification: read receipts.

Message Composition Configuration
Enable Reply Message: Allow users to reply to SWD messages.
Enable Compose Message: Allow users to compose new SWD messages.
Enable Forward Message: Allow users to forward SWD messages.
Enable Print Message: Allow users to print SWD messages.
SMTP Proxy Server's IP Address: If Reply is enabled, the IP address of the SMTP server that relays SWD secure replies.
File attachment size (MB): Attachment size limit for SWD replies; the maximum is 10 MB.
Message Composition Size (MB): Maximum size of a composed or reply message; larger messages are dropped.

Miscellaneous
Enable Authentication: Check this box to require users to authenticate before reading messages. If unchecked, no authentication is performed, so anyone holding the notification URL can read the message; leave this enabled.
Login Retry Limit: Number of failed SWD logon attempts allowed before the account is locked (see Reset Try Count in Table 176).
Trigger String in Subject: Text string in the subject that triggers replacement.
Replace String in Subject: Replacement for the trigger string in the subject.
Strong Cipher Key Length: Select the key length used to encrypt messages.

Notification
Enable Unread message notification for Recipient: Check this box to send non-retrieval notifications to recipients.
Notify Recipient of Unread messages: Number of days after which the recipient is sent a non-retrieval notification.
Enable Read Receipts: Check this box to send read receipts to senders.

Key Escrow
Enable Key Escrow: Check this box to escrow all SecureEnvelope keys to the Key Escrow Email Address.
Key Escrow Password: Password used to encrypt the keys for escrow.
Confirm Key Escrow Password: Re-enter the password.
Key Escrow Email Address: Address to which escrowed SecureEnvelope keys are sent. Escrowed keys can decrypt the messages they protect, so control access to this mailbox and to the escrow password accordingly.

Static URL Configuration
Enable Compose to Internal: Check this box to limit Compose to internal recipients only.
Internal Domain List: Comma-separated list of internal domains to which end users can compose a message.

Make your selections, then click Submit.

SWD User Administration


Users on the SWD User List always have messages delivered to them via Secure Web Delivery.
If Auto-enrollment is enabled, the first time a message is delivered to a user via Secure Web Delivery, the Secure Web Delivery Server adds the account to its own SWD User List.
If an Email Gateway policy (such as an Envelope Analysis or Content Analysis policy) requires a Secure Delivery action, Email Gateway first attempts to deliver the message via S/MIME, then PGP, then TLS (Mail-VPN). If it cannot deliver the message by any of those methods, it falls back to Secure Web Delivery. When a message is delivered by Secure Web Delivery because of an Email Gateway policy, the user is not added to the SWD User List.
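The precedence described here and in the Secure Web Mail overview (User List first; then S/MIME, PGP, TLS; then Secure Web Delivery; Secure Mode turning "no TLS" into a drop) determines why a given message was encrypted one way, routed to SWD, or dropped. The following is an added model of that decision, not Email Gateway code: it takes the gateway's lists and what the receiving server offers and returns the documented outcome. The configuration classes, field names and sample data are assumptions of the model, and it does not model whether an auto-enrolled address is retained on the User List.

```python
"""Model of the outbound Secure Delivery decision described in this chapter.

Added illustration, not Email Gateway code. Given the gateway's encryption
lists and what the receiving server offers, decide() returns the delivery
method the guide says will be used, or a drop, in the documented order:
SWD User List first, then S/MIME, PGP and TLS, then Secure Web Delivery as
the final fallback for a Secure Delivery policy action. The configuration
classes and sample data are assumptions of the model, not product settings.
"""
from dataclasses import dataclass, field


@dataclass
class DomainEntry:
    certificate: str      # name of the key installed on the gateway
    enabled: bool = True  # the per-domain Enable checkbox


@dataclass
class GatewayConfig:
    smime: dict = field(default_factory=dict)    # External S/MIME list
    pgp: dict = field(default_factory=dict)      # External PGP list
    swd_enabled: bool = False                    # Enable SWD Server
    swd_users: set = field(default_factory=set)  # SWD User List
    auto_enroll: bool = False                    # Enable Auto Enrollment
    mailvpn_no_clear_fallback: bool = False      # Mail-VPN: do not send if no TLS


def decide(cfg: GatewayConfig, rcpt: str, peer_offers_tls: bool,
           policy_requires_secure: bool) -> tuple:
    """Return (method, reason) for one recipient of one message."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]

    # Addresses on the SWD User List always get HTTPS delivery.
    if cfg.swd_enabled and rcpt in cfg.swd_users:
        return "swd", "recipient on SWD User List"

    # Server-to-server methods in the guide's order: S/MIME, PGP, TLS.
    entry = cfg.smime.get(domain)
    if entry is not None and entry.enabled:
        return "smime", f"encrypt with {entry.certificate}"
    entry = cfg.pgp.get(domain)
    if entry is not None and entry.enabled:
        return "pgp", f"encrypt with {entry.certificate}"
    if peer_offers_tls:
        return "tls", "Mail-VPN session to receiving server"

    # Nothing server-to-server is possible.
    if policy_requires_secure:
        if not cfg.swd_enabled:
            return "drop", "Secure Delivery required but SWD is not enabled"
        if cfg.auto_enroll:
            return "swd", "auto-enroll recipient and redirect to SWD"
        return "drop", "recipient not enrolled and auto-enrollment off; notify sender"
    if cfg.mailvpn_no_clear_fallback:
        return "drop", "Mail-VPN configured not to send without TLS"
    return "clear", "no encryption applies; delivered in the clear"


# Constructed sample configuration.
SAMPLE = GatewayConfig(
    smime={"partner.example": DomainEntry("partner-smime")},
    pgp={"vendor.example": DomainEntry("vendor-pgp", enabled=False)},
    swd_enabled=True,
    swd_users={"cfo@bank.example"},
    auto_enroll=False,
    mailvpn_no_clear_fallback=True,
)
```

Two outcomes worth noticing in the sample: a domain whose PGP entry is disabled is treated as if it were not listed at all, so the decision falls through to TLS; and with Secure Delivery required, SWD enabled, and auto-enrollment off, an unenrolled recipient's message is dropped rather than delivered, which is the case that generates sender notifications in production.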

Managing the SWD User List


Use this window to manage your SWD users.
Figure 157 Encryption - Manage User List


The main portion of the window consists of four columns.

Table 175 SWD Manage User List

User: The full email address of the SWD user.
Enable: Check or clear this box, then click Submit, to enable or disable the user's account.
Delete: Check this box, then click Submit, to delete the user's account.
Delete Key: Check this box, then click Submit, to delete the user's encryption key file.

Note: Deleting an email address from the SWD User List and then adding it back does not restore access to previous messages. Even though the messages still exist on the SWD server and may never have been accessed, they are no longer available to the deleted and re-added address.

Adding SWD users


As stated previously, if Auto-enrollment is enabled, the first time a message is delivered to a user via SWD,
the Secure Web Delivery Server adds the account to its own SWD User List.
To add a single user,
1 Scroll down to the Add New User(s) area.

Figure 158 Add user window

2 From the drop-down list, select either Single User or Upload List. If you select Single User the screen
will change and allow you to enter the user’s email address, password, and if enabled, a series of
challenge/response security questions and answers.
Note: See the Challenge Response area for details about Challenge Response questions and answers.

Figure 159 Add single user window

3 Enter the email address of the user.

4 Enter and confirm a password for the user.

5 If Challenge Response is enabled and security questions are editable, enter the questions and answers to
be used for the Challenge Response function.

6 When you have finished entering the user information, click Submit.

You can also add a list of users by uploading a file.
To upload an existing list of users,


1 Select Upload List.

Figure 160 Add users via Upload List window

2 Click Browse and navigate to the location of your user list.

Figure 161 Browse to user list window

3 Select your user list file and click Open. The path will appear in the Browse field.

Note: The format for a System Questions file is one question per line:

SYSTEM|Question1|
SYSTEM|Question2|

Note: When Challenge Response is enabled with editable questions, the user list has one line per question, with the same user repeated for the configured number of questions:

User1@test.com|Password(optional)|Question1|Answer1 (optional)
User1@test.com|Password(optional)|Question2|Answer2 (optional)

Note: When Challenge Response is enabled with editable questions disabled (the system questions are used), and likewise when Challenge Response is disabled, the user list has one line per user with the question and answer fields left empty:

User1@test.com|Password(optional)||
User2@test.com|Password(optional)||
4 Click Submit.


Editing users
You can edit SWD user information two ways.
• In the user list, click the user’s email address. That user’s edit screen will appear.

• From the User/Search menu item, enter all or part of the user’s email address, then click Submit. A list
of users matching your search criteria will appear. Click the email address of the user you want to edit.
That user’s edit screen will appear.

To edit a SWD user’s information,


1 Click the user’s email address.

Figure 162 Edit SWD user information window

Table 176 User data detail

Enable: Check or clear this box to enable or disable the email address on SWD.
Reset Try Count: A user may make a preconfigured number of attempts to enter a valid password (the Login Retry Limit on the Configuration page). When that number is reached, the system locks the user out. Check this box and click Submit to reset the count to zero so the user may try again.
Reset Password: Check this box and click Submit to reset the password to the value entered and confirmed in the next two fields, which are then required.
Password: Enter the new password for this email address.
Confirm Password: Re-enter the new password.
Reset Challenge Response: Check this box, then click Submit, to clear the user's Challenge Response answers.

2 Make your selections, then click Submit.

User Search/Edit
You can search for SWD users via the search function. To search for a SWD user,
1 Click the User Search/Edit menu item.

Figure 163 Search users window

2 Enter all or part of the user's name or email address, then click Submit. A list of users matching the
search criteria appears.


Figure 164 Search result window

3 Click the user’s email address to edit the user’s details.

SWD Password Management


This area allows you to configure Challenge Response settings along with various password policy settings.

Challenge Response
Use the Challenge Response window to enable and configure your Challenge Response settings.
Figure 165 Challenge Response

Use the following table to help you configure your Challenge Response options.
Table 177 Challenge Response fields

Enable Challenge Response: Check this box to allow security questions and answers to be populated for individual users. The questions are used to authenticate a user who has forgotten the password.
Number of Questions Challenged: Enter the maximum number of security questions presented to the user.
Number of successful responses expected: Enter the minimum number of correct answers required for authentication.
Enable Editable Questions: Check this box to allow security questions to be defined per user. If disabled, only the global (system) questions that apply to all users can be defined.
Upload Questions File: Enter or browse to the location of the file containing the security questions. The file uses the same pipe-delimited layouts as the user list upload described under Adding SWD users:
• System questions: SYSTEM|Question1| and SYSTEM|Question2|, one question per line.
• Challenge Response enabled with editable questions: User1@test.com|Password(optional)|Question1|Answer1 (optional), one line per question, with the same user repeated for the configured number of questions.
• Challenge Response enabled with editable questions disabled (system questions are used), or Challenge Response disabled: User1@test.com|Password(optional)||, one line per user.
Export: Click this link to export the current question and answer file. The exported file contains users' answers, so protect it as you would a password file.
Purge: If checked, the existing questions and answers for all users are deleted. Use it together with Upload Questions File to load replacement questions and answers.
Note: Questions can only be changed by exporting the question and answer file, editing it, and uploading it again.

After you have made your selections, click Submit.
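As an added illustration (not part of the product or of this guide), the following Python script parses a file in the format above before it is uploaded, checks it against the three Challenge Response modes, and renders a user’s entries back into file lines for the export, edit and reload cycle. The sample content and the addresses in it are constructed; the checks that go beyond the format itself (one password per user, the per-user question count matching the configured number) are assumptions about how the appliance treats the file, not documented behaviour.

```python
"""Parse and validate the pipe-delimited question/user file accepted by the
Upload Questions File field (SYSTEM|Question| and user@domain|Password|Question|Answer
lines).  Added example; not appliance code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UploadFile:
    system_questions: List[str] = field(default_factory=list)
    # email -> {"password": str | None, "qa": [(question, answer_or_None), ...]}
    users: Dict[str, dict] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def parse_upload_file(text: str, challenge_response: bool,
                      editable_questions: bool, questions_per_user: int) -> UploadFile:
    """Parse the file and check it against the three modes in Table 177.
    Nothing is dropped silently: every problem is recorded in .errors."""
    result = UploadFile()
    per_user_allowed = challenge_response and editable_questions
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if fields[0] == "SYSTEM":
            # SYSTEM|Question1|  -> three fields, the last one empty
            if len(fields) != 3 or not fields[1] or fields[2]:
                result.errors.append(f"line {lineno}: malformed SYSTEM entry")
            else:
                result.system_questions.append(fields[1])
            continue
        if len(fields) != 4:
            result.errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        email, password, question, answer = fields
        if "@" not in email:
            result.errors.append(f"line {lineno}: {email!r} is not an email address")
            continue
        entry = result.users.setdefault(email, {"password": None, "qa": []})
        if password:
            # Assumption: one password per user across all of that user's lines.
            if entry["password"] not in (None, password):
                result.errors.append(f"line {lineno}: conflicting passwords for {email}")
            entry["password"] = password
        if not question and not answer:
            continue  # user@domain|Password||  -> the system questions apply
        if not per_user_allowed:
            result.errors.append(f"line {lineno}: per-user question for {email}, "
                                 "but editable questions are disabled")
        elif not question:
            result.errors.append(f"line {lineno}: answer without a question for {email}")
        else:
            entry["qa"].append((question, answer or None))
    if challenge_response and not editable_questions and not result.system_questions:
        result.errors.append("system questions are in force but no SYSTEM entries were found")
    if per_user_allowed:
        # Assumption: a user either has no questions yet or exactly the configured number.
        for email, entry in result.users.items():
            n = len(entry["qa"])
            if n and n != questions_per_user:
                result.errors.append(f"{email}: {n} question(s), policy expects {questions_per_user}")
    return result


def user_lines(email: str, password: Optional[str],
               qa: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Render one user back into upload-file lines (for the export/edit/reload cycle)."""
    if not qa:
        return [f"{email}|{password or ''}||"]
    return [f"{email}|{password or ''}|{q}|{a or ''}" for q, a in qa]


# Constructed sample, not taken from any real appliance export.
SAMPLE = """\
SYSTEM|What was the name of your first school?|
SYSTEM|In what city were you born?|
alice@example.com|Wint3r-Sun!|What was the name of your first school?|Hilltop
alice@example.com|Wint3r-Sun!|In what city were you born?|Lisbon
bob@example.com||What was the name of your first school?|Riverside
carol@example.com|||
"""

if __name__ == "__main__":
    parsed = parse_upload_file(SAMPLE, challenge_response=True,
                               editable_questions=True, questions_per_user=2)
    print("system questions:", len(parsed.system_questions))
    for problem in parsed.errors:
        print("ERROR:", problem)
    print("\n".join(user_lines("alice@example.com", "Wint3r-Sun!",
                               parsed.users["alice@example.com"]["qa"])))
```

Run it with the three flag combinations that correspond to the three file formats above: the same file that is valid with editable questions enabled produces one error per per-user question line once they are disabled, which is the usual cause of a rejected upload after the setting is changed.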

Password Reset
There are three reset password cases, depending on the configuration options set by the Administrator:
• Challenge/Response is enabled by the administrator and questions have been uploaded and answers have
been configured – proceed to password reset.

• Challenge/Response is enabled and questions have been uploaded, but answers have not been set – a
popup appears and informs you to go to the user notification and either click the attachment or the view
message link.

• Challenge/Response is not enabled – a popup window appears and requires you to enter your email
address to reset your password.


Password policy
The Password Policy Configuration window is where you set the password policy for SWD users.
Figure 166 Password policy configuration window

Use the following table to configure your password policy settings.

Table 178 Password policy configuration

Password Length
Minimum Password Length: Enter a number from 8 to 32 for the minimum length (number of characters) of the password.

Password Strength
Password Must Contain Alpha Characters: Check this option if the password must have alphabetic characters.
Minimum Number of Alpha Characters: Enter the minimum number of alphabetic characters (from 1 to 32) the password must have.
Alpha Character Style: From the drop-down menu, choose the case of the alphabetic characters in the password. Choices are:
• lower
• UPPER
• lower & UPPER
Password Must Contain Digits: Check this option if the password must have numeric characters.
Minimum Number of Digits: Enter the minimum number of digits (from 1 to 32) the password must have.
Password Must Contain Special Characters: Check this option if the password must have special characters.
Minimum Number of Special Characters: Enter the minimum number of special characters (from 1 to 32) the password must have.
Password Must Contain a Regular Expression (REGEX): Check this option if the password must match a pre-defined regular expression.
Regular Expression (REGEX): Enter the regular expression that the password must match.

Password Expiration
Password Expiration: Select this check box to enable password expiration. If this option is enabled, the password expires at the end of the expiration period you configure.
Note: Users are notified in advance of expiration ONLY if you enable the Password Expiration Reminder option.
Password Expiration Period (days): Enter the number of days, from 90 to 365, for which a password remains valid.
Minimum period between subsequent password changes (days): Enter the minimum number of days, from 1 to 365, before a password can be changed again. Together with the history setting below, this stops a user from changing the password several times in a row to get back to an old favourite.
Password Expiration Reminder: Check this option if users should be warned before their password expires.
Expiration Reminder - Number of days prior to Expiration: Enter the number of days, from 1 to 30, before expiration at which the warning is given.

Password History
Number of Previous Passwords to Not Allow: Enter the number of most recent passwords (from 2 to 99) that cannot be re-used.

Make your selections, then click Submit.
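The following Python module, added here as an example and not taken from the appliance, applies the Table 178 settings to a candidate password and to a password’s age. How the appliance stores its password history and what exactly the Alpha Character Style choices enforce are not documented on this page, so the script assumes a SHA-256 digest stands in for the stored history and that the style names the case(s) that must be present.

```python
"""Evaluate a candidate password, and a password's age, against the
Table 178 settings.  Added example, not appliance code."""
import hashlib
import re
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Union


@dataclass
class PasswordPolicy:
    min_length: int = 8                   # Minimum Password Length (8..32)
    require_alpha: bool = True            # Password Must Contain Alpha Characters
    min_alpha: int = 1                    # Minimum Number of Alpha Characters (1..32)
    alpha_style: str = "lower & UPPER"    # Alpha Character Style: lower | UPPER | lower & UPPER
    require_digits: bool = True           # Password Must Contain Digits
    min_digits: int = 1                   # Minimum Number of Digits (1..32)
    require_special: bool = True          # Password Must Contain Special Characters
    min_special: int = 1                  # Minimum Number of Special Characters (1..32)
    regex: Optional[str] = None           # Regular Expression (REGEX), when required
    history_depth: int = 2                # Number of Previous Passwords to Not Allow (2..99)
    expiration_days: Optional[int] = 90   # Password Expiration Period (90..365); None = disabled
    min_change_interval_days: int = 1     # Minimum period between subsequent changes (1..365)
    reminder_days: int = 7                # Expiration Reminder - days prior to expiration (1..30)


def fingerprint(password: str) -> str:
    """Stand-in for whatever the appliance keeps in its history (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, policy: PasswordPolicy, history: List[str]) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable.
    `history` holds fingerprints of previous passwords, most recent first."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    alpha = [c for c in candidate if c.isalpha()]
    digits = [c for c in candidate if c.isdigit()]
    special = [c for c in candidate if c in string.punctuation]
    if policy.require_alpha:
        if len(alpha) < policy.min_alpha:
            problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
        has_lower = any(c.islower() for c in alpha)
        has_upper = any(c.isupper() for c in alpha)
        # Assumption: the style names the case(s) that must be present.
        if policy.alpha_style == "lower" and not has_lower:
            problems.append("no lower-case letters")
        elif policy.alpha_style == "UPPER" and not has_upper:
            problems.append("no upper-case letters")
        elif policy.alpha_style == "lower & UPPER" and not (has_lower and has_upper):
            problems.append("needs both lower- and upper-case letters")
    if policy.require_digits and len(digits) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if policy.require_special and len(special) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if policy.regex and not re.search(policy.regex, candidate):
        problems.append("does not match the required regular expression")
    if fingerprint(candidate) in history[:policy.history_depth]:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def _as_date(d: Union[date, str]) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def expiration_status(last_changed: Union[date, str], today: Union[date, str],
                      policy: PasswordPolicy) -> str:
    """'disabled', 'ok', 'reminder' (inside the warning window) or 'expired'."""
    if policy.expiration_days is None:
        return "disabled"
    expires = _as_date(last_changed) + timedelta(days=policy.expiration_days)
    if _as_date(today) >= expires:
        return "expired"
    return "reminder" if (expires - _as_date(today)).days <= policy.reminder_days else "ok"


def change_allowed(last_changed: Union[date, str], today: Union[date, str],
                   policy: PasswordPolicy) -> bool:
    """The minimum-interval rule that stops a user cycling through the history in minutes."""
    return (_as_date(today) - _as_date(last_changed)).days >= policy.min_change_interval_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed history: two earlier passwords of a demo user.
    history = [fingerprint("Old-Passw0rd!"), fingerprint("Older-Passw0rd!")]
    for pw in ["Str0ng-Passw0rd!", "Ab1!", "Old-Passw0rd!", "alllowercase1!"]:
        print(f"{pw!r:20} -> {check_password(pw, policy, history) or 'accepted'}")
    print(expiration_status("2009-01-01", "2009-03-26", policy))
```

The regular-expression setting is the one place where a policy can reject passwords that pass every other rule, so test the expression you enter against known-good passwords before enabling it; the `check_password` call in the test below shows a pattern that forbids three identical characters in a row.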

SWD Help Desk


The SWD Help Desk window allows you and administrators who are limited to the role of Help Desk to
search for users and reset their passwords.
Figure 167 Help Desk

To reset a user’s password,


1 Enter all or part of the user’s email address, then click Submit. The screen will change and display a list
of users who match your search criteria.
Figure 168 Help Desk search


2 Check the box next to the user whose password you want to reset, then click Submit. This resets the
enrollment status for this email address and allows the user to set a new password at the next login. Verify
the requester’s identity before doing this, and advise the user of the action.

Customization profile
Use this window to configure the pages that SWD users see, for example the page presented when they log
in to read their email.
Figure 169 Customize SWD pages window

Tip: You can create and enable a customization profile from this process, but you must apply it from the Secure
Web Delivery Customization window, in the Secure Message Configuration section, Choose Customization Profile
field. For more information, see Secure Web Delivery configuration.

Add new customization profile


To add customized pages,
1 Click Add New. The first portion of the customization screen appears.

Figure 170 Add new customization part 1

2 Enter a name for your new customization pages.

3 Enter the disclaimer text you want to use.

4 Click Submit. The screen will change and display the customization options.


Figure 171 Add new customization options

5 Check the box next to the Enable field to enable this customization profile. An enabled customization
profile is shown as a candidate in the activation list, ready for activation.
Note: You may also edit your disclaimer text if desired.

6 Next to the Resource Upload field, click Browse and navigate to the folder that contains the logo, graphic,
or file you want to use with your customization and select it.
Note: You may choose different logos or graphics to use with different assets, but the logo or graphic to be
used for mobile devices MUST be small enough to fit properly. We suggest a size no larger than 100 pixels
wide x 50 pixels high.

7 Check the box next to the Assets to which the Resource applies, then click Submit.

Note: When uploading a resource file, you cannot assign it to override and non-override asset types at the
same time by selecting multiple check boxes.

CSS file editing


The css file may be edited, but its filename will always remain the same. To edit the css file,
1 Expand StyleSheet

2 Click the css filename. A preview appears in the preview window.


Figure 172 CSS Display window

3 Click Download Default Resource. Depending on your browser a save window appears.

4 Save the file to a convenient location.

5 Open the css file, edit it to suit your needs, then save it.

6 Return to the Customize SWD Pages window and from the Browse field, navigate to your edited css file
and select it.

7 Click Submit. Your file will be renamed and then be used by the system.

Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.

Deleting resource files


You can delete a file you have associated with an asset. To delete a resource file,
1 Check the box next to the file name in the Delete column.

2 Click Submit. The file is removed from the Assets list.

Editing a customization profile


To edit a customization profile,
1 Click the profile name. The profile options page appears.

2 Make any changes to suit your needs, then click Submit.

Deleting a customization profile


To delete a customization profile,
1 Check the Delete box next to the profile you want to remove.

2 Click Submit. The profile will be deleted.


Mail notification
The Mail Notification screen displays a list of mail notification templates. The defaults are defined by the
system, but you can add new templates based on the default settings.
Use this window to manage your mail notification templates.
Figure 173 Mail notification default templates window

Create new mail notification template


To create a new Mail Notification template,
1 Click Add New.

Figure 174 Add new mail notification template window

2 In the Type field, select a template to use as the base for your Customization. The screen will change and
display the tags available for your use.


Figure 175 Template tags available window

3 Enter a name for your new notification template.

4 In the From field, accept the default or enter a new name.

5 If desired, edit the Subject to suit your needs.

6 If desired, edit the Body to suit your needs.

Note: In both the Subject and the Body, inserting a tag at the cursor location results in that tag’s
information being inserted at that location in the notification. You may move existing tags around, but do
not delete them.

7 When you have finished creating your new Mail Notification template, click Submit. You will be returned
to the Mail Notification page. A success message should appear at the top of the screen and your new
template should appear in the template list.


Figure 176 New mail notification added to list window

Note the checkbox that appears next to your template in the Delete column. Checking this box, then
clicking Submit, deletes the template.
To create additional templates, repeat steps 1 through 7, selecting the base template that suits your
needs.

Certificate management
Email Gateway protects messages in transit in two ways:
• by encrypting the channel of communication (SSL/TLS)

• by encrypting the message data itself (S/MIME or PGP)

When Email Gateway is first installed, it is delivered with a self-signed Security Certificate. This is
adequate for encrypting the Web Administration sessions of administrators managing their Email
Gateways, although browsers will warn about it and cannot tell it apart from an impostor’s certificate. The
self-signed certificate can also encrypt SMTP sessions, but sending servers may refuse to deliver their
email to a server whose certificate cannot be authenticated. Email Gateway therefore allows administrators
to create and install certificates signed by a certificate authority. The Certificate Manager program area
provides the ability to create a Certificate Signing Request (CSR), and to install, back up and restore one or
more Security Certificates.

Certificates
Email Gateway provides an interface for requesting and installing a Security Certificate from a Certificate
Authority. When a certificate is installed on the Email Gateway appliance, it is not necessary to install
additional certificates on internal servers, unless the Administrator wants to protect the connection between
Email Gateway and the internal servers and provide security for internal users sending or retrieving
messages directly to or from the server. Email Gateway requires the installation of a Security Certificate so
that administrative sessions with it via the Web Administration browser interface can be conducted
securely.


Email Gateway supports two primary certificate types: X.509 certificates and PGP (Pretty Good Privacy)
keys, which this guide refers to as PGP certificates. Each provides the keys Email Gateway uses to send
and receive protected messages. An X.509 certificate carries a public key, which is shared with the parties
that will send encrypted messages to Email Gateway or verify its signatures, and is paired with a private
key that must be kept secret on the appliance. Messages sent to Email Gateway are encrypted with its public
key and decrypted with its private key; outgoing messages are encrypted with the recipient’s public key and,
when signed, signed with Email Gateway’s private key. For other servers to trust the certificate, it must be
issued by a Certificate Authority (CA) that they trust, which in practice means purchasing it from a Trusted
Root CA.
PGP keys also come as a public and private key pair, but rather than relying on a CA to vouch for the binding
between key and owner, PGP uses a Web of Trust: multiple paths of certification with a configurable
tolerance. PGP keys are generated by a PGP encryption package, available free from several sources. The
official repository is at the Massachusetts Institute of Technology.
X.509 certificates are used for Email Gateway’s S/MIME functionality and for its SSL/TLS sessions.

X509 certificates
The Certificate Signing Request (CSR) is the request an Administrator makes for a new certificate. Open
the CSR List to see existing CSRs and to request new ones.
Use this window to manage your CSRs.
Figure 177 CSR List - Manage window

Table 179 CSR List - Manage fields

Name: The digital name of each CSR that has been generated and is awaiting installation.
Canonical Name: The canonical name of the server where the certificate will be installed. Example: mail.marketing.myplace.com
Organization: The name of the organization (for example, Secure Computing Corporation) that requested the CSR.
Organizational Unit: The department or unit within the organization to which the certificate will be assigned (for example, Development).
Installed: Contains an N (for "not installed") until the certificate is installed.
Delete: Clicking the Delete checkbox associated with any CSR and clicking Submit deletes that CSR. Clicking the Delete hyperlink deletes all CSRs. Do not delete a CSR that has already been sent to a CA until the returned certificate has been installed against it.


Adding a CSR
Use this window to generate a Certificate Signing Request.
To add a CSR,
1 Click the Add New button at the bottom of the CSR List window.

Figure 178 Add CSR window

Use the following table to help you configure your CSR request.

Table 180 Add CSR fields

Digital Name for the Certificate: Enter the digital (displayed) name for the new certificate being requested. The name cannot contain spaces, or the CSR will not be generated.
Country: Enter the country where the certificate is to apply. Use the two-letter ISO 3166 country code (for example, US); CAs expect the code rather than the full name.
State: Enter the state or province name.
Locality: Enter the name of the locality (city).
Organization: Enter the name of the organization requesting the certificate.
Organization Unit: If applicable, enter the name of the unit within the organization to which the certificate will be assigned.
Common Name: Enter the fully qualified host name of the server where the certificate will be installed, exactly as other servers and browsers will connect to it (for example, mail.marketing.myplace.com). A certificate whose Common Name does not match the name used to reach the server fails authentication.
Key Size: Select the key size, in bits, for the key pair to be generated. Options are:
• 1024 bits
• 512 bits
The larger key is more secure but slower to process. Always choose 1024 bits: 512-bit keys are considered broken (512-bit RSA moduli have been factored publicly), and CAs will not sign them.
Email Address: Enter the email address of the Administrator responsible for the certificate.
Password: Enter the password the Administrator will use to maintain the certificate. It is required again when the signed certificate is installed.
Confirm Password: Confirm the password by entering it again.

2 When you have completed the necessary information, click Submit. The CSR List refreshes to include your
new CSR.

Email Gateway generates a private key/public key pair and displays the CSR as a text string. The CSR
contains the public key and the identity fields you entered, and is what you submit to a trusted root CA
(such as VeriSign) for a Security Certificate; the private key never leaves the appliance.
To complete the submission, do the following:
1 In the Name column, click the name of the CSR you just created.

2 Open a second browser window to navigate to a Security Certificate-issuing source.

3 Copy and paste the Email Gateway-generated text string into the appropriate input field of the Certificate
Authority’s web page when applying for a Certificate. When copying and pasting, include the

-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----

lines at the beginning and end of the Email Gateway-generated text string.
Caution: When you go to the VeriSign web page to get your certificates, you will be asked what platform you plan
to use. Select Apache. If you choose Windows or IIS, the certificates you download will not work with Email
Gateway appliances.

When you click Submit on the CA’s form, the CSR is sent to the Certificate Authority (CA). Email Gateway
keeps the private key that belongs to the CSR in its database; only the public key travels to the CA. After
verifying the request, the CA returns a signed certificate, again as a text string. The CA does not generate
a new key pair: the certificate binds the public key you sent to the identity in the CSR. The CSR remains in
the CSR List - Manage window, marked not installed, until that certificate is installed against it.
Figure 179 CSR list showing new certificate

The install procedure allows you to paste this string into the Email Gateway Certificate panel of the Install
Security Certificate window and complete the installation.

Installing an X509 certificate


Email Gateway is pre-configured with a self-signed certificate so that the SSL connections required for
administrative sessions with the Web Administration interface are available immediately. While this
certificate does allow encryption of email sessions, the protection is minimal because Email Gateway cannot
authenticate itself to other servers, which may refuse to send messages to it. To provide genuine security, a
Security Certificate issued by a CA must be installed.
To install a certificate,


1 Click Install on the CSR List window. The Install Security Certificate window opens.

Figure 180 Install Security Certificate window

2 From the list, populated from the CSR List, select the CSR for which the certificate was issued.

3 Enter the password you set when the CSR was created.

4 Copy and paste into the Certificate input field the Security Certificate text string provided by the CA,
including its BEGIN and END lines.

5 Click Submit. The certificate is installed, and the CSR disappears from the CSR List.

Note: The certificate must be installed against the CSR that produced it. A certificate pasted against a
different CSR does not match the stored private key, and TLS and S/MIME operations with it will fail.
Caution: Installed Security Certificates cannot be uninstalled.

Certificate Store
When a certificate is installed, it is added to the X509 list (X509 Certificates - Manage). Storing the
available certificates allows them to be archived for backup purposes. X.509 Certificates are added from the
CSR list when they are installed.
Figure 181 S/MIME Certificates - Manage window

Table 181 S/MIME Certificates - Manage fields

Certificate: The name of each installed certificate.
Internal: For each certificate on the list, an Export hyperlink appears in this column. Use it to export a copy of the internal certificate (including its private key) to a file that can be kept as a backup.
Import: Click Import to locate and retrieve an internal certificate you have already stored.


Exporting an X509 certificate


Because a Security Certificate may cost a considerable sum of money, Email Gateway provides a
mechanism for administrators to archive a copy of it for safekeeping. Additionally, the public key of
installed SSL and S/MIME Security Certificates may be exported to disk so it can be shared with trusted
domains.
An exported internal certificate contains the private key, protected only by the password you enter here:
choose a strong one and store the file as carefully as the appliance itself.
To export your certificate information,
1 Click the Export link for the certificate you want to store. The Export Security Certificate window appears.

2 Select the certificate type.

3 Enter and confirm the password for the certificate.

4 Click Submit. Depending on your browser, a Save window may appear.

5 Save the file to a convenient location.

Importing an X509 Certificate


To import an X.509 certificate,
1 Click the Import button at the bottom of the X509 List window. The Import Security Certificate window
appears. The fields shown depend on the type of X509 certificate you want to import.
Note: P7C and PEM certificates carry public keys only, so no password is required to import them.

Figure 182 X509 Certificates - Add window

Table 182 X509 Certificates - Add fields (P7C certificate)

Certificate Type: Select the radio button for the certificate type. The window refreshes to show the fields for that type.
Name of Certificate: Enter the display name of the certificate.
File: Enter the path to the stored certificate or browse to it.

2 Enter the appropriate information, then click Submit.

Note: For a PEM certificate, enter a display name for the certificate, then paste the certificate text into
the Certificate box.


Figure 183 X509 Certificates - Import PEM certificate window

Table 183 X509 Certificates - Add fields (PEM certificate)

Certificate Type: Click the radio button for the certificate type (in this case, PEM). The window refreshes to show the fields for that type.
Name of Certificate: Enter the display name of the certificate.
Certificate: Paste in the certificate text as it came from the Certificate Authority, including the BEGIN and END lines.

3 Click Submit to import the PEM certificate.

Figure 184 X509 Certificates - Add window

For P12 certificates, a password is required, because the file contains both the public and the private
key.

4 Enter the certificate name, browse to the file, and enter the password that was set when the certificate
was exported.

Table 184 X509 Certificates - Add fields (P12 certificate)

Certificate Type: Click the radio button for the certificate type (in this case, P12). The window refreshes to show the fields for that type.
Name of Certificate: Enter the display name of the certificate.
File: Enter the path to the stored certificate or browse to it.
Password: Enter the password associated with the certificate.

5 Click Submit to import the certificate.
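Two things go wrong in practice with the copy-and-paste step in the CSR procedure above and with the P7C, PEM and P12 import windows: the BEGIN and END lines get lost, or line endings get mangled, when the CSR is pasted into a CA form; and a file is fed to the wrong import window. The following Python script, added here as an example and not part of the product, checks PEM armor and base64 before pasting, and tells PKCS#12, PKCS#7 and a bare X.509 certificate or CSR apart from the first bytes of their DER encoding. The DER samples are constructed skeletons that have only the outer structure of the real formats; the window names and the verdict strings are the script’s own.

```python
"""Sort certificate material into the right Email Gateway window and check
PEM armor before it is pasted.  Added example; not appliance code."""
import base64
import re
from typing import Iterator, Tuple

# -----BEGIN LABEL----- base64 -----END LABEL-----  (PEM / RFC 7468 style armor)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END (?P=label)-----")
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2


def der_tlv(buf: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag/length/value at `offset`; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[offset], buf[offset + 1], offset + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def pem_blocks(text: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, DER bytes) for every armored block; bad base64 raises ValueError."""
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:            # binascii.Error is a ValueError
            raise ValueError(f"{m.group('label')}: body is not valid base64") from exc
        yield m.group("label"), der


def classify_der(der: bytes) -> str:
    """PKCS#12 starts SEQUENCE { INTEGER version ... }, PKCS#7 ContentInfo starts
    SEQUENCE { OBJECT IDENTIFIER ... }, and both an X.509 Certificate and a PKCS#10
    CertificationRequest start SEQUENCE { SEQUENCE ... }."""
    tag, inner, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("outer tag is not SEQUENCE")
    first_tag, first_val, _ = der_tlv(inner)
    if first_tag == 0x02:
        return "p12"
    if first_tag == 0x06:
        return "p7c (signedData)" if first_val == OID_PKCS7_SIGNED_DATA else "p7c"
    if first_tag == 0x30:
        return "x509 certificate or CSR"
    raise ValueError(f"unrecognised DER structure (first inner tag 0x{first_tag:02x})")


def classify(data: bytes) -> str:
    """Which window: 'pem: <labels>' for armored text, otherwise the DER verdict."""
    try:
        labels = [label for label, _ in pem_blocks(data.decode("ascii", errors="ignore"))]
    except ValueError as exc:
        return f"pem armor present but unusable: {exc}"
    if labels:
        return "pem: " + ", ".join(labels)
    try:
        return classify_der(data)
    except ValueError:
        return "neither PEM nor DER"


def prepare_csr_paste(text: str) -> str:
    """Return the CSR exactly as a CA form wants it: BEGIN/END lines included,
    LF line endings, base64 re-wrapped at 64 columns.  Anything else raises."""
    blocks = [(label, der) for label, der in pem_blocks(text) if label in CSR_LABELS]
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE REQUEST block, "
                         "including its BEGIN and END lines")
    label, der = blocks[0]
    if classify_der(der) != "x509 certificate or CSR":
        raise ValueError("armor says CERTIFICATE REQUEST but the body is not a CertificationRequest")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed minimal DER skeletons (only the outer structure is real; they are
# not usable certificates): SEQ{SEQ{INT 0}}, SEQ{INT 3}, SEQ{OID signedData}.
SAMPLE_CSR_DER = bytes.fromhex("30053003020100")
SAMPLE_P12_DER = bytes.fromhex("3003020103")
SAMPLE_P7C_DER = bytes.fromhex("300b06092a864886f70d010702")
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\r\n"
                  + base64.b64encode(SAMPLE_CSR_DER).decode("ascii") + "\r\n"
                  + "-----END CERTIFICATE REQUEST-----\r\n")

if __name__ == "__main__":
    for name, blob in [("csr.pem", SAMPLE_CSR_PEM.encode()), ("store.p12", SAMPLE_P12_DER),
                       ("chain.p7c", SAMPLE_P7C_DER), ("notes.txt", b"paste me")]:
        print(f"{name:10} -> {classify(blob)}")
    print(prepare_csr_paste(SAMPLE_CSR_PEM), end="")
```

The classification rests on the first element inside the outer SEQUENCE, which is enough to route a file to the P12, P7C or PEM window but does not distinguish a DER certificate from a DER CSR; for those, the PEM label is what tells them apart, which is why `prepare_csr_paste` refuses a block labelled CERTIFICATE.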


PGP certificates
All existing PGP certificates appear in the PGP List. This window also allows you to generate new PGP
certificates and to import existing ones from backup.
Figure 185 PGP Certificates - Manage window

Table 185 PGP Certificates - Manage fields

Certificate: The name of every PGP certificate on this Email Gateway.
Internal: For each listed certificate, an Export hyperlink that lets you save a backup copy of the private (internal) key.
External: For each listed certificate, an Export hyperlink that lets you save a backup copy of the public (external) key. This is the key you give to other domains so they can encrypt messages to you.

Generating a PGP certificate


To generate a new PGP certificate,
1 Click the Generate button at the bottom of the PGP list. The lower portion of the window refreshes.

Figure 186 PGP Certificates - Manage window

2 Enter a name for the PGP certificate, then click Submit. The window will refresh to include the new PGP
certificate.


Figure 187 PGP Certificates - Manage window updated

Exporting a PGP certificate


To store a copy of the internal key, the external key, or both, click the Export hyperlink beneath the
Internal or External column heading. A popup window appears and you can either open the file for viewing
or save it to a convenient location (recommended). The internal key is the private key: protect its export as
carefully as the appliance itself.

Importing a PGP certificate


If you have saved backup copies of your PGP certificates, you can import them to the PGP list.
1 Click Import at the bottom of the PGP List. The Import PGP Certificate window appears.

Figure 188 Import PGP Certificate window

Table 186 Import PGP Certificate fields

Certificate Type: Click the radio button for the internal (private) key or the external (public) key.
Name of Key: Enter the name of the certificate.
File Location for Public Key, or File Location for Private Key: Enter the path or browse to the file where you stored the public or the private key (the field shown depends on which type you are importing).

2 Enter the appropriate information, then click Submit. The certificate appears on the PGP List.

Server-to-server encryption
For server-to-server encryption, Email Gateway includes a single option in the Mail-VPN configuration that
tells it to always try to deliver messages over a TLS-protected SMTP session on port 25 (labelled SMTPS).
You can also tell Email Gateway what to do if the receiving server cannot accommodate a secure session:
fall back to non-secure delivery, or not send the message at all. The fall-back setting is a trade-off:
allowing it keeps mail flowing to servers that do not support TLS, but it also means that a failed or
stripped STARTTLS negotiation results in clear-text delivery.


Email Gateway provides the ability to send and receive server-based S/MIME or PGP messages using much
the same functionality as Mail-VPN. Every incoming message is checked to see if it is an S/MIME or PGP
message. If so, Email Gateway checks to see if a key exists to decrypt the message. If a key exists, Email
Gateway decrypts the message. If no key exists, the message is treated as normal. Outgoing messages are
checked for a domain or user that exists in the S/MIME or PGP encryption lists. Different keys are required
for different domains.

External domains
External domains are those outside the Email Gateway network with which it communicates securely.
Email Gateway can use both S/MIME and PGP encryption for secure communication.

External S/MIME
Use the External S/MIME window to configure the domains to which Email Gateway sends messages using
S/MIME encryption. The public key of each external domain’s S/MIME Security Certificate must be
installed on the Email Gateway appliance, because outgoing messages are encrypted to it.
Figure 189 External S/MIME Certificates - Manage window

Table 187 External S/MIME Certificates - Manage fields

Enable S/MIME: Click the check box to enable S/MIME encryption.
Domain: The domain names to which Email Gateway sends messages using S/MIME encryption.
Certificate: The name of the certificate associated with each domain.
Enable: Clicking the check box enables or disables S/MIME encryption for the associated domain.
Secure Mode: Checked if Email Gateway must communicate with the domain only via S/MIME encryption. You can toggle the Secure Mode requirement on and off with this check box.
Delete: Clicking the check box and then clicking Submit deletes the domain from the list.
Domain addition fields: The data fields at the bottom of the window allow you to add domains to the list.

If you have made changes, click Submit.

External PGP
Use the External PGP page to manage the specific domains to which Email Gateway should send messages
using PGP encryption.


Figure 190 External PGP Certificates - Manage window

Table 188 External PGP Certificates - Manage fields

Enable PGP: Click the check box to enable PGP encryption.
Domain: The domain names to which Email Gateway sends messages using PGP encryption.
Certificate: The name of the certificate (public key) associated with each domain.
Enable: Clicking the check box enables or disables PGP encryption for the associated domain.
Secure Mode: Checked if Email Gateway must communicate with the domain only via PGP encryption. You can toggle the Secure Mode requirement on and off with this check box.
Delete: Clicking the check box and then clicking Submit deletes the domain from the list.
Domain addition fields: The data fields at the bottom of the window allow you to add domains to the list.

If you have made changes, click Submit.


To add an external domain to either the S/MIME or the PGP list, complete the data fields at the bottom of
the window.

Table 189 Adding an external domain

Domain: Enter the domain name that you wish to add to the S/MIME or PGP encryption list.
Secure Delivery Only: If communication with this domain is to be by encrypted delivery only, click the check box.
Certificate: Select the certificate to be used for encryption from the pick list. For an external domain this is the domain’s public key or certificate, which you must have imported first.

When the information is entered correctly, click Submit.
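The following Python model, added as an example and not appliance code, puts the Mail-VPN fall-back setting described under Server-to-server encryption and the per-domain Enable and Secure Mode flags of Tables 187 to 189 into one decision function, so you can see what happens to a message for a given recipient when the remote server does or does not offer STARTTLS. The evaluation order (S/MIME before PGP, exact domain match, and holding the message when Secure Mode is set but the domain’s certificate is missing) is assumed; the guide does not spell it out. The configuration and domain names are constructed.

```python
"""Model of the outbound decisions described in this chapter: the Mail-VPN
"always try TLS on port 25" option with its fall-back setting, and the External
S/MIME / External PGP lists with their per-domain Enable and Secure Mode flags.
Added example; the real appliance's evaluation order is not documented here."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ExternalDomain:
    certificate: str            # name of the installed public key / certificate
    enabled: bool = True        # per-domain Enable check box
    secure_mode: bool = False   # Secure Mode / Secure Delivery Only


@dataclass(frozen=True)
class OutboundPolicy:
    smime_enabled: bool                      # Enable S/MIME (whole list)
    pgp_enabled: bool                        # Enable PGP (whole list)
    smime_domains: Dict[str, ExternalDomain] # keys are lower-case domain names
    pgp_domains: Dict[str, ExternalDomain]
    installed_certificates: FrozenSet[str]   # what is actually present in the certificate store
    always_try_tls: bool = True              # Mail-VPN: always try TLS on port 25
    fallback_to_plaintext: bool = False      # Mail-VPN: if the remote cannot do TLS


def _lookup(list_enabled: bool, table: Dict[str, ExternalDomain],
            domain: str) -> Optional[ExternalDomain]:
    # Assumption: exact, case-insensitive match; the guide does not say whether
    # sub-domains inherit a parent domain's entry.
    entry = table.get(domain) if list_enabled else None
    return entry if (entry and entry.enabled) else None


def decide(policy: OutboundPolicy, recipient: str, remote_offers_starttls: bool) -> dict:
    """Delivery plan for one recipient: content protection (smime/pgp/none),
    channel (tls/plaintext) and action (deliver, or hold with the reason)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    plan = {"recipient": recipient, "content": "none", "certificate": None,
            "channel": None, "action": "deliver"}

    # Content encryption: S/MIME list first, then PGP (assumed precedence).
    entry, kind = _lookup(policy.smime_enabled, policy.smime_domains, domain), "smime"
    if entry is None:
        entry, kind = _lookup(policy.pgp_enabled, policy.pgp_domains, domain), "pgp"
    if entry is not None:
        if entry.certificate in policy.installed_certificates:
            plan.update(content=kind, certificate=entry.certificate)
        elif entry.secure_mode:
            plan["action"] = (f"hold: {domain} is Secure Mode for {kind.upper()} but "
                              f"certificate {entry.certificate!r} is not installed")
            return plan
        # Secure Mode off: deliver without content encryption rather than fail.

    # Channel protection (Mail-VPN) is decided independently of content encryption.
    if not policy.always_try_tls:
        plan["channel"] = "plaintext"
    elif remote_offers_starttls:
        plan["channel"] = "tls"
    elif policy.fallback_to_plaintext:
        plan["channel"] = "plaintext"
    else:
        plan["action"] = "hold: remote does not offer STARTTLS and fall-back is disabled"
    return plan


# Constructed configuration for the demonstration (not from a real appliance).
DEMO = OutboundPolicy(
    smime_enabled=True, pgp_enabled=True,
    smime_domains={"partner.example": ExternalDomain("partner-smime", secure_mode=True)},
    pgp_domains={"vendor.example": ExternalDomain("vendor-pgp")},
    installed_certificates=frozenset({"partner-smime", "vendor-pgp"}),
    always_try_tls=True, fallback_to_plaintext=False)

if __name__ == "__main__":
    for rcpt, tls in [("ann@partner.example", True), ("ann@partner.example", False),
                      ("bob@vendor.example", True), ("eve@other.example", True)]:
        print(decide(DEMO, rcpt, tls))
```

The point the model makes visible is that the two layers are independent: a message can be S/MIME-encrypted for its recipient and still be held because the channel policy forbids clear-text delivery, and a message to a domain that is on no list at all is still delivered over TLS whenever the remote offers it.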


Internal domains
Internal domains are located within the Email Gateway network. Email Gateway can communicate with
them using S/MIME or PGP decryption.

Internal S/MIME
Use the Internal S/MIME page to specify internal domains hosted by Email Gateway that are to receive
messages securely using S/MIME. For each domain, specify which Email Gateway Security Certificate is
used to decrypt them; the matching public certificate is what senders need in order to encrypt to the domain.
Figure 191 Internal S/MIME Certificates - Manage window

Table 190 Internal S/MIME Certificates - Manage fields

Domain: The internal domain names for which Email Gateway receives messages using S/MIME decryption.
Certificate: The name of the certificate associated with each domain.
Enable: Selecting the checkbox enables or disables S/MIME decryption for the associated domain.
Secure Mode: Checked if Email Gateway must receive only S/MIME-encrypted messages for the domain. You can toggle the Secure Mode requirement on and off with this checkbox.
Delete: Clicking the check box and then clicking Submit deletes the domain from the list.
Domain addition fields: The data fields at the bottom of the window allow you to add domains to the list.

Make your selections, then click Submit.


Internal PGP
The Internal PGP Certificate Management window displays any internal domain for which a PGP Security
Certificate was installed on Email Gateway. Administrators may enable/disable use of PGP encryption, or
permanently remove the use of PGP for a domain.
Email Gateway only supports incoming PGP messages that are RFC3156-compliant.
Figure 192 Internal PGP Certificates - Manage window

Table 191 Internal PGP Certificates - Manage fields

Field: Description
Domain: This column lists the domain names for internal domains for which Email Gateway receives messages using PGP decryption.
Certificate: The name of the certificate associated with each domain appears in this column.
Enable: Selecting the checkbox will enable or disable PGP decryption for the associated domain.
Secure Mode: If Email Gateway must receive only PGP encrypted messages for the domain, the checkbox will be checked. You can toggle the Secure Mode requirement on and off with this checkbox.
Delete: Clicking the check box and then clicking Submit will cause the domain to be deleted from the list.
Domain addition fields: The data fields at the bottom of the window allow you to add domains to the list.

To add an internal PGP domain, complete the information in the data fields at the bottom of the window.

Table 192 Adding an internal domain

Field: Description
Domain: Enter the domain name that you wish to add to the decryption list.
Certificate: Select the certificate to be used for decryption from the drop-down list.
Secure Delivery Only: If communication with this domain is to be via secure encryption only, click the check box.

When the information is entered correctly, click Submit.


Managing messages
Use the Message Management window to search for encrypted messages currently stored on this appliance.
To search for a message, do the following:
1 On the Encryption tab, click Message Management. The Message Management window appears.

2 Provide as much information about the message as possible (see Table 193).

3 Click Search. A message list containing only the results of your search will display.

You can use this listing to further investigate any of the messages that met your search criteria.
Figure 193 Message Management window

Table 193 Message Search fields

Field: Description
Domain Name: Type the domain name associated with the message.
Virtual Hosts: If the search is to be confined to messages to or from specific Virtual Hosts, select one or more by selecting the “Select” checkbox for the hosts you want to include.
Message ID: Type the message ID for the particular message. The unique ID is assigned by Email Gateway when the message is received.
From: Type the RFC822 From address for the message.
To: Type the RFC822 To address for the message.
Subject: Type the subject line from the message, if known, or some portion of it.
Search Type: Click the correct radio button to indicate the type of search to be performed:
• Fuzzy Search – conducts a search that will include searching for parameters within strings without requiring an exact match. Example: A search for “cat” in an address will produce results for tomcat@aol.com or catherine@yahoo.com
• Exact Search – conducts a search for data that precisely matches the search parameters you entered.
Advanced Search: The window offers additional options when you click Advanced Search. The window expands to show more search data fields.

Search Clause: Click the appropriate radio button to determine the relationship among advanced search parameters.
• And – the messages must meet all your provided advanced search parameters.
• Or – the message must meet at least one of your advanced search parameters.
Size: Provide the proper information to allow Email Gateway to search for messages by size.
• Condition – select the size condition (greater than, equal to, between, and so forth) you want to use from the drop-down list.
• Parameters – type the size or size range that will define the messages (type a number and select B, KB, MB, and so forth). For a size range, type minimum and maximum sizes.
IP Address: Type the IP address from which the message was sent.
Date: Type or select a date or dates. You can search for messages received on a single day or for a range of dates. For a range, set the beginning and ending dates for your search.



SECTION 7

IntrusionDefender

Chapter 20, IntrusionDefender Overview

Chapter 21, Mail Firewall

Chapter 22, Lightweight Directory Access Protocol (LDAP)

Chapter 23, WebMail Protection

Chapter 24, Mail Intrusion Protection Service

Chapter 25, Virtual Hosts

Chapter 26, Other Intrusion Defenders


20 IntrusionDefender Overview
Contents
About IntrusionDefender
Controlling the gateway

About IntrusionDefender
The network perimeter is, for most corporations, relatively secure. Firewalls, combined with a handful of
other tools such as intrusion detection systems (IDS), have established a solid line of defense for corporate
networks. In fact, firewalls have been so successful that most attackers have ceased trying to attack them.
Instead, hackers are shifting their attacks to areas unprotected by traditional network security tools—to
applications such as mail server and web server software. Hackers have learned to use actual email and
email protocols as the carriers of, or vehicles for, their attacks. Email systems are being widely exploited in
order to disrupt and violate corporate networks.
McAfee has taken a comprehensive approach to protecting corporations from email risks by providing an
integrated solution, deployed at the gateway, which secures every aspect of the email system. It created
Email Gateway, the secure email gateway appliance.

Controlling the gateway


The first step to achieving email security is control of the gateway. Control the gateway and you protect the
entire email infrastructure sitting behind it. But the range of threats targeted at email systems makes
control of the gateway difficult. A comprehensive gateway security system must be capable of scrutinizing
every attempted Internet connection to your internal servers, as well as the email messages themselves,
ensuring that nothing harmful gets through. Such security must be able to stop a hacker’s malicious code,
a self-propagating worm, or even a dirty joke. If the gateway is secure, attacks never reach the mail
servers. Email Gateway provides this security by fortifying the gateway and scrutinizing everything that
attempts to pass through it.

Gateway threats
Three primary threats plague enterprises if they are allowed to enter through the network gateway:
• Denial of service attacks;

• Intrusions; and

• Web mail attacks.

Email Gateway provides state-of-the-art solutions for each.

Denial of Service
Hackers can launch denial-of-service attacks against email systems in an attempt to bring those systems to
a halt. Many techniques are capable of accomplishing this disruption, but hackers typically exploit
vulnerabilities in a mail server, such as the inability to process a malformed MIME message or buffer
overflow constraints. Or the attackers can simply flood a mail server with more SMTP connections or
instructions than the server can handle.


Intrusions
Intrusions occur when unauthorized users gain access to the organization’s infrastructure. For spammers,
this typically means breaking into a mail server to send spam (mail relay) or to harvest email addresses.
Spammers can also plant computer code on the organization’s personal computers, which then become
spam machines or drones. Recent worms and viruses are examples of the results from intrusions.

Web mail attacks


Many enterprises allow their mobile workers to access corporate email through applications such as Outlook
Web Access (OWA) or iNotes. Web mail requires a web server, which is subject to numerous vulnerabilities,
blended threats, viruses and worms.
Email Gateway is a hardened email gateway appliance that acts as an application-specific firewall. It allows
only valid and safe connections to email servers.

Quick snapshot
The first window that appears when Intrusion Defender opens is the Intrusion Defender Quick Snapshot.
This report window consists of three panels containing tables that provide current information about
processes within this program area.
Figure 194 IntrusionDefender Quick Snapshot window

The Services Status panel provides data about a variety of services, configured by specific functions within
Email Gateway.

Table 194 IntrusionDefender Quick Snapshot Services Status fields

Field: Description
Service: This column lists the various mail services that are being monitored. Each service name is also a hyperlink that opens the specific service properties screens for the service in question.
Auto-Start: This column indicates for each service whether or not it is configured to be started automatically if it is not running when it is checked by Health Monitor. A check mark indicates the service is configured to restart. An X indicates it is not so configured. Clicking the current symbol will toggle the configuration to the other status.

Running: A green light icon in this field indicates the service is currently running. A red icon indicates it is not running. Clicking the icon will toggle the service off and on.
Uptime: This column displays the time in days, hours, minutes and seconds the service has been running since it was last started.

The Active Protection Status panel tracks the current status of three forms of protection:
• Denial of Service protection

• SMTPI Service load throttling

• DNS Hijack protection

The Mail IPS Status panel tracks the results of intrusion detection tools at two levels:
• Application Level

• System Level

Table 195 IntrusionDefender Quick Snapshot Mail IPS status fields

Field: Description
Application Level: This area reports the results reported by application level protection tools.
DoS Monitoring: This field includes reports of Denial of Service attacks on three different services. A number of detected attacks since midnight will show for each service. The services are:
• SMTPI
• POP3
• IMAP4
The DoS Monitoring label is a hyperlink that opens the DoS Protection window. Each service label is a hyperlink that will take you to the associated service properties window.
Number of Weak Passwords: This field will report the number of weak passwords detected since midnight. The field name is a hyperlink that will open the Password Strength window.
Number of Password Cracking Attempts: This field displays the number of password cracking attempts. The field name is also a hyperlink that opens the Password Cracking window.
Anomaly Detection Engine: This field will report any violations of anomaly detection rules. The name is also a hyperlink that opens the Show Anomaly Detection Rules window.
System Level: This area reports the results from System Level Protection tools. Each field title is a link that will take you to the respective system level window.
Total Programs Monitored/Failed: This field contains the results of the last Program Integrity check, in terms of the number of programs checked and the number that failed the check.
Total System Files Monitored/Failed: This field contains the results of the last File System Integrity check, in terms of number of files checked and the number that failed.



21 Mail Firewall
Contents
About mail services
Configure mail services
Allow Relay
About mail routing
About Mail VPN
About Domain Require and Deny

As a proxy, Email Gateway scrutinizes every attempted connection to your mail servers, detecting and
blocking all known or potentially harmful connections. Email Gateway employs McAfee's patented
Mail-Firewall® technology to deliver the most robust email gateway protection available.

About mail services


Email Gateway implements two services or subsystems to process messages transmitted via the SMTP
email protocol.
• The SMTPI Service processes messages coming into the Email Gateway appliance (the I signifies coming
Into Email Gateway). New Email Gateway users frequently confuse incoming messages with messages
coming into the network from the Internet. In fact, the SMTPI Service processes all messages coming into
the Email Gateway appliance, whether originating inside or outside the local network (see SMTPI Service,
below).

• The SMTPO Service processes all messages that Email Gateway delivers out of the appliance. (The O
represents delivered Out of Email Gateway.) Again, new Email Gateway users mistakenly think of the
SMTPO Service as the subsystem that delivers email originating within the network to users out in the
Internet. While this is true, it is more correct to understand that the SMTPO Service delivers all messages
out of the appliance, whether their destination is inside or outside the network (see SMTPO Service).

Invisible to the Email Gateway administrator is the SMTPI Service’s enforcement of the SMTP protocol.
Before this service will accept the data or payload of an email, it inspects the requested email connection at
the application level to ensure that it is legitimate. Connection requests that do not conform to the SMTP
protocol are dropped. If the connection is accepted, then Email Gateway processes the message like a
full-featured mail server application. Accordingly, the SMTPI Service has many configuration options that
affect how it processes and delivers messages.


Configure mail services


The Mail Services - Configure window contains four columns: Service, Auto-Start, Running, and Service
Uptime.
Figure 195 Mail Services - Configure window

Table 196 Mail Services - Configure fields

Field: Description
Service: This column contains the names of the Email Gateway services or subsystems that process SMTP email delivery. The Global service in this column allows configuration options that do not strictly fall under the SMTPI or SMTPO Services. Each service name is a hyperlink that allows configuration of that service.
Auto-Start: A red X or green check icon indicates whether or not the service is set to start automatically when the Email Gateway appliance is rebooted. If an icon is green, the service will begin running when Email Gateway restarts. In addition, if the icon is green, Email Gateway Health Monitor will restart any service except SMTPO that has stopped for any reason when it performs its tests on all appliance subsystems. If an icon is red, the service will not start on reboot, nor when Health Monitor runs its system tests. A service can continue to run after its auto-start setting is turned off. The red and green light icons are hyperlinks. Clicking the icon/hyperlink toggles the auto-start option on and off.
Running: A red or green light icon indicates whether or not the service is currently running. In some situations, the Running icon might not refresh when selected, i.e. change from green to red. If the icon does not toggle as expected, click the Mail Services - Configure hyperlink in the left navigation frame of the Web Administration interface to refresh the page, rather than clicking the Running icon a second time.
Service Uptime: This column indicates (in days, hours, minutes, and seconds) how long a service has been running since it was last restarted. If the “uptime” appears less than expected, it might indicate that the service was manually stopped and restarted by an administrator, or was stopped by an administrator and was restarted automatically by Email Gateway Health Monitor.

SMTPI service
Clicking the SMTPI Service link on the Mail Services - Configure window opens the SMTPI Service
Configuration window. On this window you can configure parameters in eight categories, governing the
behavior of the SMTPI functionality.


Figure 196 SMTPI Service Configuration window

The following table shows configuration options.


Table 197 SMTPI Service Configuration fields

Field: Description
General
Log Level: Email Gateway generates detailed logs that record the activities of all its subsystems. The detailed logs can be saved to disk and sent to McAfee engineers for troubleshooting purposes. The Log Level set here determines the type and amount of detail written to the log. Select the proper log level from the drop-down list. The options are:
• Critical
• Error
• Information
• Detailed
In high email-volume environments (50,000+ messages per day), the SMTPI Service's log can easily grow to 100 MB or more per day. If Email Gateway is not configured to delete these logs after 3-7 days, there is a danger that Email Gateway's hard disk can quickly become full.
Default Route: Type the hostname or the IP address for the default route here. You can type multiple routes to serve as fallback options when they are separated by commas.
Banner: If you wish to use an alternate welcome banner to avoid displaying information about the mail infrastructure, type the banner here. The banner is limited to 80 characters and can not contain new line characters.
Connection Management
Enable Load Throttling: Email Gateway has a very powerful and efficient engine capable of processing tens of thousands of messages very quickly. However, in very high email environments, or during times of peak volume, Email Gateway can dynamically throttle the rate of incoming connections based on how many messages have already been received and are still in the process of being examined. As the number of unprocessed and still-being-processed messages grows, the SMTP Service will begin lowering the numbers of simultaneous email connection requests it accepts. When Email Gateway reaches an administrator-defined maximum message load (see immediately below), the SMTP Service drops to its default low-acceptance rate of three simultaneous connections. As the message load decreases, the rate of simultaneous incoming SMTP connections increases again. When Email Gateway's load throttling is in effect, users trying to send mail to domains Email Gateway hosts will receive a 421: Server busy. Try again… alert message in their email client if their connection is refused. The load throttling parameters are established by the Connection Limit and Message Limit fields that follow.
Connection Limit: Type a number (1-500) representing the maximum number of simultaneous incoming SMTP connections Email Gateway allows. Email Gateway will dynamically throttle backward from this number. (Administrators might wish to monitor their daily volume of email for one or more weeks before setting this value. Review the corporate firewall Connection Log for port 25 to see what typical simultaneous connection rates are.)
Message Limit: Type a number (500-50,000) representing the Email Gateway maximum message load. (A zero is not allowed in this field.) When this number of not yet processed and in-process but not yet delivered messages is present in the Email Gateway Message Store, the SMTP Service will drop to its lowest connection acceptance rate of three simultaneous connections. Load throttling gracefully slows the number of accepted simultaneous connections, from the number established as the Connection Limit down to a default low of three simultaneous connections, depending on how closely the number of messages in the Message Store approaches the Message Limit specified here.
SIZE Extension (MB) - External: Type the maximum size (in megabytes) for messages Email Gateway will accept from outside the network. 0 = unlimited size.

SIZE Extension (MB) - Internal: Type the maximum size (in megabytes) for messages that can be accepted from inside the network. 0 = unlimited size.
Maximum Recipients per Message: Type a number from 25 to 500 to represent the maximum number of recipients to be allowed per message.
Maximum Messages per Connection: Type a number from 0 to 50 to represent the maximum number of messages allowed per connection. 0 = unlimited messages. The limit does not apply to connections that have Allow Relay permission.
Enable Recipient Rejections Threshold: Select the checkbox to enable recipient rejections threshold validation. If this option is enabled, validation will occur on each SMTP connection against the specified threshold. If the threshold is exceeded, the connection will become unusable for future commands. You must also configure the threshold below.
Recipient Rejections Threshold per Connection: Type the maximum number of recipient rejections allowed on an SMTP connection before marking the connection as unusable for future commands.
Validate SMTPI Outbound Connections: Enabling this feature will impact BOTH and OUTBOUND Virtual Hosts. When it is enabled, SMTP Proxy will validate that only connections from internal/inbound servers are allowed from the SMTPI outbound Virtual Host interface.
Delivery Retry Handling
Skip Internal Server for Outbound Messages: Select this checkbox if you want to enable Email Gateway to bypass internal mail servers for messages destined for delivery to an external domain.
Reject Invalid MailFrom: Select this checkbox to enable Email Gateway to reject mail from an address that is part of the routing domain but is not in the Allow Relay list.
Insert Received Headers: Select this checkbox to enable Email Gateway to add itself to the RFC822 header information of messages to identify its own role in routing the messages.
Enable Masquerade before Routing: If enabled, Email Gateway will perform Address Masquerade functions before routing validations.
Pattern Matching
Enable Recipient Pattern Match: Select this checkbox to enable Email Gateway pattern matching capabilities.
Patterns to Match: Type the list of patterns to match as a comma-separated list. Only *.* *_* and *-* are currently supported.
Pattern Rejection Message: Type the rejection message to be used for invalid patterns in the recipient’s address. Do not use double quotes.
Whitelist for Pattern Match: Type a comma-separated list of email addresses that Email Gateway should bypass for pattern matching.
Enable Phishing Rejection: Select this checkbox to enable Email Gateway phishing rejection capabilities.
Phishing Patterns: Type a comma-separated list of patterns Email Gateway will match for phishing identification. If the user ID of the incoming message’s recipient address starts with any one of these patterns, the message will be identified as a phishing attack.
Phishing UIDs: Type a comma-separated list of specific user IDs to match for phishing identification. If the UIDs of the incoming messages’ recipients should match any one of the UIDs listed, the message will be identified as a phishing attack.
Whitelist for Phishing Identification: Type a comma-separated list of user IDs that are to be bypassed for phishing identification.
Relaying & Authentication
Authentication: SMTP Auth: This option allows messages to be relayed only if an internal mail server authenticates the user with an encrypted validation process. If you enable this option, you must also select the authentication method from the list below.

Authentication: SMTP Auth Validate Method: Select the authentication method to be used for user authentication: POP or SMTP.
Authentication: SMTP Auth Validate Host: If you enabled SMTP Authentication above, type the hostname of the server that provides POP3 or SMTP authentication.
Allow relaying to external domains: When this option is disabled, only users who are authenticated by a POP or SMTP process or machines whose IP addresses or subnets are included in the Allow Relay List will be allowed to relay messages through Email Gateway to external domains. If the option is enabled, any user can relay messages through Email Gateway to external domains. NOT enabling the option is recommended practice.
Authentication: POP before SMTP: If this option is enabled, Email Gateway will relay a message only if the users popped their messages and an internal server validated them. Email Gateway will remember the POP authentication for 15 minutes. After 15 minutes, the user must pop the mail a second time to force the POP server to authenticate the account again. If you enable this option, you must also enable the Denial of Service option in Mail IPS | Application Level | DoS Protection.
TLS Required Domains: Type the list of domains that are required to perform a TLS handshake before Email Gateway will accept messages for them.
Message Splitting
Enable Message Splitting: Select this checkbox to enable Email Gateway to split messages for the recipients listed in the address field below.
Message Splitting Addresses: Type email addresses for which incoming messages will be split. These addresses will receive a second copy of the message with a different ID, and the message will be treated according to policies that apply to this group. Limit the number of email addresses to 24.
Other Protocols
Enable Secure Service: Enable this option to cause Email Gateway to accept incoming requests on the configured SSL port.
Secure Client Communication (SSL): Enable this option to allow Email Gateway to accommodate SSL connections on the non-secure port 25 if the sending server requests it.
Minimum Cipher Strength Allowed: Select from the drop-down list the minimum TLS cipher strength required for connections with SMTPI. Export is the default setting.
Enable UUCP Addressing: Enable this option to allow UUCP (Unix-to-Unix Copy Protocol) addressing, including the use of exclamation points as separators. If the option is not enabled, Email Gateway will reject UUCP addresses.
Enforce Command Line Length: Email Gateway will enforce RFC restrictions on the length of an SMTP command line to 512 characters, including carriage returns and line feeds.
Interface
Enable Data from Edge Server: Select the checkbox to enable Email Gateway to receive data about the original sender of a message from an Edge server.
Edge Server Address(es): Type the IP address(es) for the Edge Server(s) from which Email Gateway will accept data.
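The load throttling described in the Connection Management rows of Table 197 can be modelled as follows; this is an added example written for this guide's readers, not McAfee's implementation. The guide states the two end points (Connection Limit at an empty Message Store, three connections at Message Limit) and the 421 refusal but not the shape of the ramp between them, so the linear ramp, the `SmtpiListener` class and the exact reply texts are assumptions.

```python
"""Model of SMTPI load throttling (constructed example, not McAfee code).

Connection Limit (1-500) is the ceiling of simultaneous incoming SMTP
connections; Message Limit (500-50,000) is the Message Store depth at which
the SMTPI Service drops to its floor of three connections.  Connections that
exceed the current allowance are refused with a 421 reply.  The linear ramp
between the two points is an assumption: the guide only says the slowdown is
graceful.
"""

FLOOR_CONNECTIONS = 3                              # default low-acceptance rate
BUSY_REPLY = "421 Server busy. Try again later"    # constructed wording of the refusal


def validate_limits(connection_limit: int, message_limit: int) -> None:
    """Enforce the ranges the SMTPI configuration window accepts."""
    if not 1 <= connection_limit <= 500:
        raise ValueError("Connection Limit must be 1-500")
    if not 500 <= message_limit <= 50_000:         # zero is explicitly not allowed
        raise ValueError("Message Limit must be 500-50,000")


def allowed_connections(queued: int, connection_limit: int, message_limit: int) -> int:
    """Simultaneous connections permitted for a given Message Store depth.

    queued counts messages received but not yet delivered (unprocessed plus
    in-process).  Assumed linear ramp: the full Connection Limit at an empty
    store, the three-connection floor once queued reaches Message Limit.
    """
    validate_limits(connection_limit, message_limit)
    floor = min(FLOOR_CONNECTIONS, connection_limit)   # a limit below 3 cannot rise to 3
    if queued >= message_limit:
        return floor
    span = connection_limit - floor
    # Integer arithmetic keeps the result deterministic and never below the floor.
    return connection_limit - (span * max(queued, 0)) // message_limit


class SmtpiListener:
    """Tracks open connections and Message Store depth for one SMTPI service."""

    def __init__(self, connection_limit: int, message_limit: int, throttling: bool = True):
        validate_limits(connection_limit, message_limit)
        self.connection_limit = connection_limit
        self.message_limit = message_limit
        self.throttling = throttling      # the Enable Load Throttling checkbox
        self.active = 0                   # currently open SMTP connections
        self.queued = 0                   # messages in the Message Store awaiting delivery

    def current_allowance(self) -> int:
        if not self.throttling:
            return self.connection_limit
        return allowed_connections(self.queued, self.connection_limit, self.message_limit)

    def connect(self) -> str:
        """Accept (220) or refuse (421) a new inbound SMTP connection."""
        if self.active >= self.current_allowance():
            return BUSY_REPLY
        self.active += 1
        return "220 Service ready"

    def disconnect(self) -> None:
        self.active = max(0, self.active - 1)

    def message_received(self, count: int = 1) -> None:
        self.queued += count

    def message_delivered(self, count: int = 1) -> None:
        self.queued = max(0, self.queued - count)
```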

Spoofed message protection


Email Gateway provides administrators the ability to reject any email with the user's own domains in the
Mail From field, unless that message comes from a server that exists on the Allow Relay list. This
functionality can be applied at either the SMTP level or as part of the System-Defined Header Analysis
rules.
Detection takes place in the Mail From Command of the SMTP protocol; action can be taken in SMTPProxy
or in the Spam Queue. Email Gateway can be configured to drop the message immediately (in SMTPProxy)
or accept the message and mark it as a forged domain for SDHA to act.


Note: This function can stop legitimate email for internal users when they use an external source to generate mail
and send it using Email Gateway. This feature should be used with caution and forethought.
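Added example (written for this guide, not McAfee's code) that combines the spoofed Mail From check described in this section with the Pattern Matching, Phishing and Recipient Rejections Threshold rows of Table 197: a small SMTPI envelope policy that evaluates MAIL FROM against the hosted domains and Allow Relay list, and RCPT TO against the pattern, phishing and threshold settings. The class and method names, the CIDR form of Allow Relay entries, the choice to apply Patterns to Match to the local part only, and the SMTP reply texts are assumptions.

```python
"""SMTPI envelope policy model (constructed example, not McAfee code).

Implements the MAIL FROM spoof check from Spoofed message protection and the
Pattern Matching, Phishing and Recipient Rejections Threshold rows of Table
197. Applying Patterns to Match to the local part only is an assumption.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SmtpiPolicy:
    hosted_domains: set                     # domains Email Gateway routes for
    allow_relay: list                       # IPs or subnets in CIDR form (assumed)
    drop_spoofed_in_proxy: bool = True      # False = accept and mark for SDHA
    patterns_to_match: list = field(default_factory=list)   # only *.* *_* *-*
    pattern_rejection_message: str = "Recipient address pattern not allowed"
    pattern_whitelist: set = field(default_factory=set)     # full addresses
    phishing_patterns: list = field(default_factory=list)   # user-ID prefixes
    phishing_uids: set = field(default_factory=set)         # exact user IDs
    phishing_whitelist: set = field(default_factory=set)    # user IDs bypassed
    rejection_threshold: int = 5            # refused RCPT TO commands allowed

    def __post_init__(self):
        unsupported = set(self.patterns_to_match) - {"*.*", "*_*", "*-*"}
        if unsupported:
            raise ValueError(f"unsupported patterns: {sorted(unsupported)}")
        if '"' in self.pattern_rejection_message:
            raise ValueError("rejection message must not contain double quotes")

    def in_allow_relay(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(e, strict=False) for e in self.allow_relay)

    def check_mail_from(self, sender: str, client_ip: str):
        """Spoof check: own domain in MAIL FROM from a host not on the Allow Relay list."""
        domain = sender.rpartition("@")[2].lower()
        if domain in self.hosted_domains and not self.in_allow_relay(client_ip):
            if self.drop_spoofed_in_proxy:
                return "reject", "550 Sender domain not permitted from this host"
            return "accept", "forged-domain"    # marker left for SDHA to act on
        return "accept", None

    def check_rcpt_to(self, recipient: str):
        """Pattern match, then phishing identification, on the recipient's user ID."""
        recipient = recipient.lower()
        uid = recipient.rpartition("@")[0]
        if self.patterns_to_match and recipient not in self.pattern_whitelist:
            if any(fnmatch.fnmatchcase(uid, p) for p in self.patterns_to_match):
                return "reject", "550 " + self.pattern_rejection_message
        if uid not in self.phishing_whitelist:
            if uid in self.phishing_uids or any(uid.startswith(p) for p in self.phishing_patterns):
                return "reject", "550 Recipient identified as phishing target"
        return "accept", None


class SmtpiConnection:
    """One inbound SMTP connection evaluated against an SmtpiPolicy."""

    def __init__(self, policy: SmtpiPolicy, client_ip: str):
        self.policy, self.client_ip = policy, client_ip
        self.rejections, self.usable = 0, True
        self.accepted = []          # recipients accepted on this connection
        self.sdha_flags = set()     # markers handed to header analysis

    def mail_from(self, sender: str) -> str:
        if not self.usable:
            return "503 Connection no longer accepts commands"
        verdict, detail = self.policy.check_mail_from(sender, self.client_ip)
        if verdict == "reject":
            return detail
        if detail:
            self.sdha_flags.add(detail)
        return "250 OK"

    def rcpt_to(self, recipient: str) -> str:
        if not self.usable:
            return "503 Connection no longer accepts commands"
        verdict, detail = self.policy.check_rcpt_to(recipient)
        if verdict == "reject":
            self.rejections += 1
            if self.rejections > self.policy.rejection_threshold:
                self.usable = False     # threshold exceeded: connection unusable
            return detail
        self.accepted.append(recipient.lower())
        return "250 OK"


# Constructed sample configuration used for demonstration.
SAMPLE_POLICY = SmtpiPolicy(
    hosted_domains={"example.com"}, allow_relay=["10.0.0.0/8", "192.0.2.10"],
    patterns_to_match=["*.*", "*_*"], pattern_whitelist={"first.last@example.com"},
    phishing_patterns=["admin", "security"], phishing_uids={"helpdesk"},
    phishing_whitelist={"administrator"}, rejection_threshold=2,
)
```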

SMTPO service
Just as the SMTPI Service is responsible for processing messages entering the Email Gateway appliance
(whether originating from inside or outside the hosted domain), the SMTPO Service is responsible for
delivering the messages out of the appliance (whether the recipient is inside or outside the hosted domain).
Clicking the SMTPO Service hyperlink in the Mail Services - Configure window opens a secondary window
where the following configuration options are available:
Figure 197 SMTPO Service Configuration window


Table 198 SMTPO Service Configuration fields

Field: Description
General
Log Level: Email Gateway generates detailed logs that record the activities of all its subsystems. The detailed logs can be saved to disk and sent to McAfee engineers for troubleshooting purposes. The Log Level set here determines the type and amount of detail written to the log. Select the proper log level from the drop-down list. The options are:
• Critical
• Error
• Information
• Detailed
In high email-volume environments (50,000+ messages per day), the SMTPI Service's log can easily grow to 100 MB or more per day. If Email Gateway is not configured to delete these logs after 3-7 days, there is a danger that Email Gateway's hard disk can quickly become full.
Highest SMTPO Logging for Troubleshooting: Email Gateway maintains a log, saved to disk, recording the actions of the SMTPO subsystem. By default, the logging level is set to Medium – recording useful information, but not detailed information. During times when maximum information describing how the SMTPO Service processes messages is required, enable this option. Logging at this level provides highly detailed information about every email that is processed. In high-volume mail environments (50,000+ messages a day), the daily SMTPO log file can easily grow to 100 MB or more, raising the risk that hard disk space can quickly become consumed. This option should only be enabled for the period of time during which troubleshooting is occurring. Once the need for detailed logging has concluded, this option should be disabled.
Send FQDN on Helo/Ehlo: Select this checkbox to enable Email Gateway to send the fully qualified domain name as part of the ehlo/helo command to the connecting server. Otherwise, only the domain name will be sent.
Delivery Host
DNS MX Lookup: If enabled, Email Gateway will use a DNS MX lookup to identify where to send email it is to deliver. Email Gateway uses the DNS servers whose IP addresses are listed in System | Configuration | Email Gateway | DNS-1, DNS-2, and DNS-3. If disabled, Email Gateway will deliver all email to the address in the Static Host field identified immediately below. (The DNS MX Lookup and Static Host options are only valid for messages that are delivered to external domains.) To prevent potential looping and blocking conditions, Email Gateway does not attempt delivery of email if the MX lookup returns the reserved IP address (0.0.0.0 or 127.0.0.1).
Static Outbound Hosts: Instead of performing a DNS lookup and delivering messages accordingly, Email Gateway can send all messages to a specific host that can perform special processing or routing functions. The host then becomes responsible for the delivery of messages. Type either the host name (for example, hostname.domainname.com) or the IP address of the server where Email Gateway should deliver all its messages. If you are entering a host name, Email Gateway must be able to resolve the name to the machine’s IP address; that is, DNS records must exist for it. Domains and machine names in the Email Gateway routing table (Mail-Firewall | Mail Routing | Domain-based) take precedence over the route that is specified here in the SMTPO properties window. Any messages addressed to a domain listed in the Domain-based routing table will be delivered directly to that domain’s mail server, rather than to the Static Host identified here. To ensure that a host processes all messages Email Gateway has to deliver, either remove all SMTP entries in the Domain-based routing table, or rename the machine name entries for the SMTP protocol in that table to the machine name or IP address of the Static Host identified here. The DNS MX Lookup and Static Host options are only valid for messages that are delivered to external domains.

348 McAfee Email Gateway 6.7.2 Administration Guide


Mail Firewall
Configure mail services

Table 198 SMTPO Service Configuration fields (continued)


Field Description
Static Port: If Email Gateway is configured to deliver all its messages to a static outbound host (immediately above), type the port number on which Email Gateway must make the connection.
Enable DNS Caching: If enabled, Email Gateway caches the MX records (or A records) returned by the DNS query for each domain it delivers to; the record is cached right after a successful delivery to that server. An MX record remains in the cache until its DNS time-to-live (TTL) expires, after which Email Gateway deletes it. Caching improves performance because it avoids an MX lookup for every delivery.
If the MX query fails, Email Gateway queries for A records and tries to deliver to the address in the A record. It caches whichever record it delivers to successfully.
DNS Cache Limit: Type a number between 100 and 2500 for the maximum number of MX records Email Gateway stores in its cache. Every 5 minutes, Email Gateway deletes cached records whose DNS-specified TTL has expired. Once the limit is reached, no additional records are admitted to the cache until that cleanup has deleted expired ones.
SMTPO keeps its own DNS cache, independent of the system resolver. It continues to use its cached answers even after DNS changes, until SMTPO is restarted; restarting flushes the cache.
TTL for A-records (secs): The TTL of an MX record is set by the DNS server, but the TTL of a cached A record is administrator-defined. Type the number of seconds an A record should remain in the Email Gateway cache (3600, one hour, is the recommended setting). Email Gateway deletes A records whose TTL has expired.
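As an added illustration (not McAfee code; the appliance's own implementation is not shown in this guide), the following Python models the delivery-host behaviour described above: an MX lookup with fallback to A records, refusal of targets that resolve to 0.0.0.0 or 127.0.0.1, and a bounded cache in which MX entries carry the DNS-supplied TTL and A entries the administrator-defined one. The DNS answers, the cache structure, and caching on selection rather than after delivery are assumptions made for the example; all addresses come from the documentation ranges.

```python
import ipaddress
import time
from dataclasses import dataclass, field


def is_reserved_target(ip):
    """True for the addresses the page says SMTPO refuses to deliver to
    (0.0.0.0, 127.0.0.1). Going slightly beyond the page, any other
    unspecified or loopback address (127.0.0.2, ::1) is refused as well,
    since it would likewise loop back to the gateway."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


@dataclass
class CacheEntry:
    kind: str          # "MX" or "A"
    targets: list      # delivery IPs in fail-over order
    expires_at: float  # absolute time, seconds


@dataclass
class DnsCache:
    """Bounded SMTPO-style cache. 'limit' mirrors DNS Cache Limit (100..2500);
    'a_record_ttl' mirrors TTL for A-records (secs). MX entries use the TTL
    the DNS server returned (assumed; the appliance internals are not shown)."""
    limit: int
    a_record_ttl: int
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 100 <= self.limit <= 2500:
            raise ValueError("DNS Cache Limit must be between 100 and 2500")

    def get(self, domain, now):
        entry = self.entries.get(domain)
        if entry is None or entry.expires_at <= now:
            return None
        return entry

    def put(self, domain, kind, targets, now, dns_ttl=None):
        """Admit a record. Returns False when the cache is full: like the
        appliance, nothing new is admitted until cleanup() has run."""
        if domain not in self.entries and len(self.entries) >= self.limit:
            return False
        ttl = dns_ttl if kind == "MX" else self.a_record_ttl
        self.entries[domain] = CacheEntry(kind, list(targets), now + ttl)
        return True

    def cleanup(self, now):
        """The periodic sweep (every 5 minutes on the appliance)."""
        expired = [d for d, e in self.entries.items() if e.expires_at <= now]
        for d in expired:
            del self.entries[d]
        return len(expired)


def choose_delivery_targets(domain, mx_lookup, a_lookup, cache, now):
    """Return (kind, [ips]) for 'domain', or (None, []) when there is nothing
    safe to deliver to. mx_lookup(domain) -> (ttl, [(preference, ip)]) or
    None; a_lookup(domain) -> [ip] or None. MX exchanger names are assumed
    to be already resolved to IPs. The record actually used is cached."""
    cached = cache.get(domain, now)
    if cached is not None:
        return cached.kind, cached.targets
    mx = mx_lookup(domain)
    if mx is not None:
        ttl, prefs = mx
        ips = [ip for _, ip in sorted(prefs) if not is_reserved_target(ip)]
        if not ips:
            return None, []          # only reserved targets: no delivery attempt
        cache.put(domain, "MX", ips, now, dns_ttl=ttl)
        return "MX", ips
    a = a_lookup(domain)             # MX query failed: fall back to A records
    ips = [ip for ip in (a or []) if not is_reserved_target(ip)]
    if not ips:
        return None, []
    cache.put(domain, "A", ips, now)
    return "A", ips


# Constructed sample answers (documentation-range addresses, not real hosts).
SAMPLE_MX = {
    "example.com": (300, [(20, "192.0.2.20"), (10, "192.0.2.10")]),
    "looped.example": (300, [(10, "127.0.0.1")]),
}
SAMPLE_A = {"nomx.example": ["198.51.100.7"]}


def demo(now=None):
    """Resolve three constructed domains through one cache; returns
    ({domain: (kind, ips)}, cache)."""
    now = time.time() if now is None else now
    cache = DnsCache(limit=100, a_record_ttl=3600)
    results = {
        d: choose_delivery_targets(d, SAMPLE_MX.get, SAMPLE_A.get, cache, now)
        for d in ("example.com", "nomx.example", "looped.example")
    }
    return results, cache


if __name__ == "__main__":
    for domain, (kind, ips) in demo()[0].items():
        print(f"{domain:16} {kind or 'no delivery':12} {ips}")
```

The cache limit is deliberately a hard ceiling rather than an eviction policy: when it is full, new domains are resolved but not cached until the sweep runs, which is the behaviour the DNS Cache Limit field describes.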
Connection Management
Messages per Connection: Type the maximum number of messages allowed per connection. Type 0 to allow an unlimited number of messages.
Domain Connection Timeout (secs): Type a number between 300 and 900 for the maximum number of seconds Email Gateway waits for a domain to accept a connection. If a connection cannot be established within this time, Email Gateway falls back to the Retry Schedule (below) for further delivery attempts. Timeouts can occur when a domain's servers are very busy, or when a DNS server cannot supply the necessary information.
Delivery Retry Handling
Enable Basic Schedule: Enable this option to allow Email Gateway to make additional attempts to deliver failed messages.
Basic Schedule (enter up to 4 values in seconds): Type up to four values, in seconds and in increasing order, to set the retry intervals used when a receiving server cannot accept a message on the first attempt. Each value is measured from the time of the first delivery attempt, not from the previous retry. For example, values of 120, 240, 360 and 480 produce a retry every 120 seconds, starting 120 seconds after the original attempt.
Enable Extended Schedule: Enable this option to allow Email Gateway to make further attempts to deliver failed messages after the basic schedule has been exhausted.
Extended Schedule - Frequency (once every indicated hours ->): Type a value from 1 to 24 for the interval, in hours, between retry attempts. Email Gateway retries at this interval until the duration configured below expires.
Extended Schedule - Duration: Type a number from 1 to 100 for the duration of the extended schedule, counted in the hours, days or attempts selected below. Email Gateway continues to retry until this duration expires.
Extended Schedule - Duration Type: Select whether the duration above is counted in hours, days or attempts.

Action for Undeliverable Messages (after final attempt): Select from the list the action Email Gateway takes on messages that ultimately cannot be delivered.
Authentication
Strong Server Authentication: Type the value for the level of authentication Email Gateway requires of receiving servers before messages are delivered. Options are:
• 0 – disabled, no authentication required
• 1 – require a security certificate and compare the server host name against the host name on the certificate
• 2 – check that the message's destination domain matches the domain identified in the security certificate
Deliver mail if Strong Server Authentication fails: Enable this option to let Email Gateway deliver email to a server even when the domain or host name cannot be matched against the server's security certificate. With this option enabled, the check above no longer prevents delivery; a mismatch is only recorded.
Recipient Server Certificate Verification: Enable this option to require the strongest possible authentication before sending messages. Email Gateway validates the server's security certificate against the trusted root that issued it.
If the option is enabled and verification fails, the connection is dropped. If the option is disabled, the verification failure is logged but the connection is allowed and the message is delivered.
Use outbound SMTP AUTH: Select this checkbox to have Email Gateway authenticate with SMTP AUTH, using the user name and password below, when it delivers outbound mail to the IP address configured below.
IP address for outbound SMTP AUTH: Type the IP address of the server to which Email Gateway authenticates with the user name and password for outbound mail.
Username for outbound SMTP AUTH: Type the user name Email Gateway uses for outbound authentication.
Password for outbound SMTP AUTH: Type the password for the user name configured above.
Delivery Status Notification
Enable Notification for Sender: Select this checkbox to send delivery status notifications (DSNs) to the senders of messages.
Enable Notification for Additional Recipients: Select this checkbox to send delivery status notifications to additional recipients. You must also provide their email addresses below.
Additional Recipients Email Addresses: Type the email addresses of the additional recipients enabled immediately above.
Enable "Destination Domain Unreachable - Warning" Notifications: Enable this option to generate a delivery status notification warning after each unsuccessful attempt to deliver a message. Otherwise, Email Gateway sends an alert only after the final delivery attempt fails.
Notification Templates
Destination Domain Unreachable - Final Attempt: From the pick list, select the template used for the Domain Unreachable - Final Attempt notification sent when the final attempt to deliver a message has failed.
Destination Domain Unreachable - Warning: Select the template used for the warning DSN sent when a delivery attempt other than the final one fails.
Destination Domain resolves to Email Gateway: Select the template used for notifications when the destination domain resolves to the Email Gateway appliance itself.

Invalid Destination Domain: Select the template used to generate messages when the destination domain is invalid.
Destination Domain could not be reached: From the drop-down list, select the notification template used for the Delivery Status Notification sent when recipient or sender data is not accepted, or when an I/O, MIME or TLS error occurs.
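To make the schedule arithmetic concrete, here is an added Python example (not part of the guide or the product) that turns the Basic Schedule, Extended Schedule and "Destination Domain Unreachable - Warning" settings described above into a retry timetable. The four-value basic schedule is the page's own example; the start time, the assumption that the extended schedule begins one interval after the last basic retry, and the labelling of which attempts raise a warning or a final notification are the example's.

```python
from datetime import datetime, timedelta

# Fixed, constructed start time used by the demo and the checks.
EXAMPLE_START = datetime(2009, 1, 1, 0, 0, 0)


def retry_offsets(basic, extended=None):
    """Seconds after the FIRST delivery attempt at which SMTPO retries.

    basic:    1 to 4 increasing values (Basic Schedule). Each is an offset
              from the original attempt, not a gap from the previous retry.
    extended: optional (frequency_hours, duration, duration_type) with
              frequency 1..24, duration 1..100 and duration_type one of
              'hours', 'days', 'attempts' (the Extended Schedule fields).
    Extended retries are assumed to start one frequency interval after the
    last basic retry; the page does not state that detail."""
    if not 1 <= len(basic) <= 4:
        raise ValueError("Basic Schedule accepts 1 to 4 values")
    if basic[0] <= 0 or any(b <= a for a, b in zip(basic, basic[1:])):
        raise ValueError("Basic Schedule values must be positive and increasing")
    offsets = list(basic)
    if extended is None:
        return offsets
    freq_hours, duration, duration_type = extended
    if not 1 <= freq_hours <= 24 or not 1 <= duration <= 100:
        raise ValueError("frequency must be 1..24 hours, duration 1..100")
    step = freq_hours * 3600
    if duration_type == "attempts":
        count = duration
    elif duration_type == "hours":
        count = duration * 3600 // step
    elif duration_type == "days":
        count = duration * 86400 // step
    else:
        raise ValueError("duration_type must be hours, days or attempts")
    last = offsets[-1]
    offsets.extend(last + step * i for i in range(1, count + 1))
    return offsets


def delivery_plan(first_attempt, basic, extended=None, warn_each_attempt=False):
    """Timetable of (attempt_number, time, dsn). Attempt 1 is the original
    delivery attempt. dsn is 'final' for the last attempt (the Final Attempt
    notification, after which the Action for Undeliverable Messages applies),
    'warning' for every earlier failed attempt when 'Destination Domain
    Unreachable - Warning' notifications are enabled, otherwise None."""
    offsets = [0] + retry_offsets(basic, extended)
    plan = []
    for n, off in enumerate(offsets, start=1):
        if n == len(offsets):
            dsn = "final"
        elif warn_each_attempt:
            dsn = "warning"
        else:
            dsn = None
        plan.append((n, first_attempt + timedelta(seconds=off), dsn))
    return plan


def plan_as_text(plan):
    """Render a plan as 'attempt N  ISO-time  dsn' lines."""
    return [f"attempt {n:<3} {t.isoformat()}  {dsn or '-'}" for n, t, dsn in plan]


if __name__ == "__main__":
    # The page's own basic schedule plus a 2-hourly extended schedule for one day.
    plan = delivery_plan(EXAMPLE_START, [120, 240, 360, 480], (2, 1, "days"), True)
    print("\n".join(plan_as_text(plan)))
```

Running the block shows that the page's basic values give retries at +2, +4, +6 and +8 minutes, and a 2-hour/1-day extended schedule adds twelve more, with a warning DSN after every failed attempt except the last, which produces the final notification.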

If Email Gateway has been configured to require SSL message delivery to specific domains and the
receiving server cannot support SSL, Email Gateway will “fall back” to Secure Web Delivery if that
feature/license has been installed and the domain has been configured to use it. Otherwise, Email Gateway
will not deliver the message—it will send a Delivery Status Notification indicating that it could not deliver
the message.

Global properties
Clicking the Global hyperlink on the last row of the Mail Services - Configure window opens a secondary
browser window allowing configuration of additional message-delivery options.
The Global Properties window lets you configure properties for the Email Gateway mail service. Keep in
mind that settings made here affect other Email Gateway processes; enabling High Performance, for
example, changes which processing queues messages pass through.
Figure 198 Global Configuration window

Table 1: Global Configuration fields


General
Default Domain: By default, this field shows the domain name provided as the "Default Email Domain" during the Installation Wizard. You can edit it to the domain name of the server to which Email Gateway administrative messages are to be delivered.
Enable sub-domain routing: If enabled, Email Gateway tries to resolve sub-domains to a higher-level domain in the Domain-based routing table (Mail-Firewall | Mail Routing | Domain-based). That is, if messages are addressed to subdomain.domain.com and domain.com is in the routing table, Email Gateway delivers them to the internal mail server mapped to domain.com. If this option is not enabled, Email Gateway delivers messages to a sub-domain only if that sub-domain has itself been added to the routing table.

Advanced TrustedSource Lookup: Select the checkbox to allow Email Gateway to pass additional parameters to the TrustedSource lookup.
Fail-Open Action: Select from the drop-down list the action to take on fail-open (when a message fails to open in ST mode). The options are:
• Drop message – deletes the message from processing
• Quarantine – places the failed message in the Failures Queue
• Pass Through – sends the message on through Email Gateway processing
Enable High Performance: This option enables or disables the Email Gateway High Performance capability. Enabling High Performance improves message processing speed by letting messages bypass the MIME Ripper Queue and the Content Extraction Queue. As a consequence, those messages also bypass Content Analysis, Attachment Analysis, Whitelisting, Message Stamping and other Email Gateway features, so none of those controls are applied to them.
SWD (Secure Web Delivery) does not work on any Email Gateway that has High Performance enabled; SMTPO generates a MIME error exception for any message scheduled for SWD.
High Performance is off by default. Consider the ramifications before enabling it.
Default Character Set: Select from the pick list the character set to use when the character set of a message is unknown. This character set is used to convert the text to Unicode.
Enable auto-detection of charset: Select the checkbox to allow Email Gateway to detect the character set of a message automatically.
Time-Outs
External Inactivity Time-out (secs): Type the maximum number of seconds Email Gateway waits for an external server (whether inside or outside the network) to respond before closing the connection. It is strongly recommended that the default value of 600 seconds not be changed.
Internal Inactivity Time-out (secs): Type the maximum number of seconds Email Gateway waits for its own internal services and subsystems to respond before closing a connection. It is strongly recommended that the default value of 610 not be changed. In any case, this value should be at least 10 seconds greater than the External Inactivity Time-out above.
McAfee Data Collection
Enable Statistical Information to be Shared: Email Gateway securely transfers statistical information about spam and other trends to McAfee Research, for research purposes only, to contribute toward increased effectiveness.
Enable Spam and Other Message Information to be Shared: Email Gateway securely transfers spam and other message information to McAfee Research, for research purposes only, to contribute toward increased effectiveness.


Allow Relay
The Email Gateway SMTPI Service has an option to allow relaying to external domains (Mail-Firewall |
Configure Mail Services | SMTPI Service). This option should not be enabled: it turns Email Gateway into an
open relay, allowing anyone on the Internet to send email through the domain's mail server.
Instead, use the Allow Relay - Configure window. When the SMTPI option is not enabled, Email Gateway
accepts mail for delivery outside the network only if it originates from an IP address or subnet listed in
this Allow Relay table. The table is not where the internal mail servers that Email Gateway hosts are
defined; they are already allowed to deliver. It is for the addresses and subnets of users outside the
network who have a legitimate need to relay their mail through the network.
Figure 199 Allow Relay - Configure window

Table 199 Allow Relay - Configure fields


IP Subnet: Shows the IP address or subnet of each approved relay source on the Allow Relay list.
Side Note: If identifying information or other comments were entered when the address was added, the text appears in this column.
Delete: Selecting the checkbox and then clicking Submit deletes the associated address. Clicking the Delete hyperlink and then clicking Submit deletes all the entries.
Adding a New Subnet: The lower portion of the window contains the fields for adding subnets to the Allow Relay list.
IP Subnet: Type the IP address of the server, or the subnet, to be added to the list.
Side Note for IP: Type descriptive text, as desired, to identify the subnet.

Add IP Subnets from a File: If a file contains IP subnets in text format, they can be loaded into the Allow Relay list. The import file should contain one or more lines in the following format:
IP_subnet>IP_sidenote
where IP_subnet is a 32-bit (four-octet) IP address or classful subnet (required), and IP_sidenote is any alphanumeric comment (optional). The sidenote can contain line breaks if "<br>" is inserted at the desired location. Multiple spaces may be added by replacing each space with its HTML equivalent, "&nbsp;".
Character Set: Select the character set to be used for encoding messages. Options are:
• big5 – traditional Chinese, used in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – simplified Chinese, used in mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – former official character set of the People's Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set of the People's Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – Extended UNIX Code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – Extended UNIX Code character set for Japanese
• shift_jis – a family of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Albanian, Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, a variable-length encoding
Only those character sets supported by both Autonomy and ICONV can be used effectively.

To add a subnet to the Allow Relay list, type the required information about the new subnet, as described
above, and click Submit when the data is correct. The Allow Relay list is updated.
An IP subnet on the Allow Relay list is not evaluated for Denial of Service attacks. Because every host in a
listed subnet can both relay outbound mail and bypass that check, keep entries as narrow as possible; a
broad subnet is a potential vulnerability.
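The following added Python example (not McAfee's import code) validates an Allow Relay import file in the IP_subnet>IP_sidenote format described above before it is uploaded. Because the guide does not say how a classful subnet is written, the example assumes the usual convention that a network address with zero host octets (10.0.0.0, 172.16.0.0, 192.168.5.0) means the whole class A, B or C block and anything else is a single host; it also warns about entries wider than a /24, since every host in a listed subnet may relay and is exempt from the Denial of Service checks. The sample file is constructed and uses documentation-range addresses.

```python
import ipaddress
import re

# Classful ranges by first octet: (low, high, prefix length). Assumption:
# the page does not say how a classful subnet is written, so a network
# address with all-zero host octets is taken to mean the whole block.
CLASS_PREFIX = ((0, 127, 8), (128, 191, 16), (192, 223, 24))


def classful_network(text):
    """Map a dotted-quad IP_subnet value to an IPv4Network. Raises ValueError
    for malformed input and for class D/E addresses."""
    addr = ipaddress.IPv4Address(text)          # rejects 'x.y.z', octet 300, junk
    first_octet = int(addr) >> 24
    for low, high, bits in CLASS_PREFIX:
        if low <= first_octet <= high:
            net = ipaddress.IPv4Network((addr, bits), strict=False)
            if net.network_address == addr:    # host octets all zero
                return net
            return ipaddress.IPv4Network((addr, 32))
    raise ValueError(f"{text}: class D/E address cannot be a relay source")


def decode_sidenote(note):
    """Undo the two escapes the page allows in IP_sidenote."""
    note = re.sub(r"<br\s*/?>", "\n", note, flags=re.IGNORECASE)
    return note.replace("&nbsp;", " ").strip()


def parse_allow_relay_file(text, max_width=24):
    """Parse 'IP_subnet>IP_sidenote' lines.

    Returns (entries, problems): entries is a list of (IPv4Network, sidenote)
    that would be imported; problems is a list of (line_no, level, message)
    where level 'error' means the line is skipped and 'warning' means it is
    kept but deserves review. Entries wider than /max_width are warned about
    because every host in them may relay outbound and is exempt from the
    DoS checks; loopback and unspecified addresses are rejected outright."""
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        subnet, _, note = line.partition(">")
        try:
            net = classful_network(subnet.strip())
        except ValueError as exc:
            problems.append((line_no, "error", f"invalid IP_subnet: {exc}"))
            continue
        base = net.network_address
        if base.is_loopback or base.is_unspecified:
            problems.append((line_no, "error", f"{net} cannot be a relay source"))
            continue
        if net.prefixlen < max_width:
            problems.append((line_no, "warning",
                             f"{net} is wider than /{max_width}; every host in it "
                             "may relay and bypasses the DoS checks"))
        entries.append((net, decode_sidenote(note)))
    return entries, problems


# Constructed import file (documentation-range addresses), bad lines included.
SAMPLE_IMPORT = """\
192.0.2.25>Branch office MTA<br>contact:&nbsp;&nbsp;ops
198.51.100.0>Partner class C
10.0.0.0>whole corporate class A
203.0.113.300>typo in fourth octet
127.0.0.1>loopback
"""


if __name__ == "__main__":
    ok, bad = parse_allow_relay_file(SAMPLE_IMPORT)
    for net, note in ok:
        print(f"import {net!s:18} {note!r}")
    for line_no, level, msg in bad:
        print(f"line {line_no}: {level}: {msg}")
```

Run it against the real file before importing; a single /8 entry such as the one on line 3 of the sample is exactly the kind of line that is easy to miss in a long list and that makes every host in that range a permitted relay source.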

About mail routing


Email Gateway provides several capabilities for routing email. Email addressed to a specific domain can be
mapped to a specific internal mail server. An LDAP directory can also be used to specify how mail is
routed: Email Gateway looks up the routing information on the LDAP server and routes the message accordingly.
In addition, administrators must explicitly specify which of their internal servers may send messages through
Email Gateway to the outside world.
Note: Unless internal mail servers are identified in the Internal Routing list, Email Gateway will not deliver their
mail to external recipients.

Note: Email Gateway fully supports RFC 3490 in SMTPI, SMTPO, and anywhere requiring the entry or display of a
domain name (allowing processing of domains with international characters).


Domain-based routing
Specific domains or sub-domains can be mapped to specific internal mail servers. All messages to that
domain or sub-domain are delivered to the specified machine name (internal mail server).
McAfee recommends that you limit each Email Gateway appliance to routing mail for a maximum of 100
internal domains.
Email Gateway uses the following logic to deliver a message:
1 Use LDAP routing information if LDAP routing is enabled.

2 If LDAP routing is not enabled, or LDAP does not provide a route, use the sub-domain route in this table.

3 If no sub-domain route exists in this table, deliver to the mail server hosting the next level of the
destination domain. (For example, if name.subdomain.domain.com is not in the Mapping Table, Email
Gateway looks for subdomain.domain.com; if that entry is not in the table either, it looks for domain.com.)

4 Step 3 repeats until the top-level domain (for example, domain.com) is reached.

5 If the IP address sending the message is not on the Allow Relay list (Mail-Firewall | Allow Relay), Email
Gateway (SMTPI) responds with a 571 Cannot relay message and drops the connection.

6 When Skip Internal Server for Outbound Messages (Mail Firewall | SMTPI Service | Skip Internal
Server for Outbound Messages) is enabled and a message is addressed to a domain not mapped in this
Mapping Table, Email Gateway verifies that the sending IP is on the Allow Relay List and relays the
message. If the sender is not on the Allow Relay List, Email Gateway drops the message.

7 When Skip Internal Server for Outbound Messages is disabled, all messages are delivered internally;
if the recipient's domain is not in the Mapping Table, the message is routed to the default domain.

To change the default mail server, type a list of host names or IP addresses separated by commas in the
Machine Name column of the Default entries for the SMTP, POP3 and IMAP4 protocols. Additional internal
mail servers can be added to this list as the number of internal mail servers that Email Gateway protects
increases.
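The delivery logic above, together with the routing types described later in this section (Static, DNS and Alternate MX as hosted domains; Static Outbound as non-hosted), as an added Python model that is not McAfee code. The routing table, the address lists and the treatment of an authenticated sender (SMTP AUTH or POP before SMTP) as a permitted relay source are the example's constructions; LDAP routing is represented by an optional pre-computed route rather than a directory query, and the parent-domain walk is only performed when sub-domain routing is enabled.

```python
import ipaddress
from dataclasses import dataclass

HOSTED_TYPES = {"Static", "DNS", "Alternate MX"}


@dataclass(frozen=True)
class Route:
    routing_type: str   # "Static", "DNS", "Alternate MX" or "Static Outbound"
    targets: tuple      # MTAs / DNS servers in fail-over order, or (alt_domain,)
    port: int = 25


def lookup_route(table, domain, subdomain_routing=True):
    """Steps 2-4: exact match first, then each parent domain in turn, stopping
    at the two-label domain (domain.com); the bare TLD is never tried. With
    sub-domain routing disabled only the exact name is looked up."""
    labels = domain.lower().rstrip(".").split(".")
    if subdomain_routing:
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    else:
        candidates = [".".join(labels)]
    for candidate in candidates:
        if candidate in table:
            return candidate, table[candidate]
    return None, None


def _listed(ip, networks):
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def decide(table, default_route, sender_ip, rcpt_domain, *, internal_servers,
           allow_relay, authenticated=False, subdomain_routing=True,
           skip_internal_for_outbound=True, ldap_route=None):
    """Apply the routing logic to one recipient. Returns (action, matched, detail):
    action 'deliver-internal' (detail = target tuple), 'relay-outbound'
    (detail = target tuple or a note) or 'reject' (detail = SMTP reply)."""
    ip = ipaddress.ip_address(sender_ip)
    # Who may send to non-hosted domains: internal servers, the Allow Relay
    # list, or a sender authenticated by SMTP AUTH / POP before SMTP.
    trusted = authenticated or _listed(ip, internal_servers) or _listed(ip, allow_relay)

    if ldap_route is not None:                       # step 1
        return "deliver-internal", "ldap", tuple(ldap_route)
    matched, route = lookup_route(table, rcpt_domain, subdomain_routing)  # steps 2-4
    if route is not None and route.routing_type in HOSTED_TYPES:
        return "deliver-internal", matched, route.targets
    if route is not None:                            # Static Outbound: non-hosted
        if trusted:
            return "relay-outbound", matched, route.targets
        return "reject", None, "571 Cannot relay"   # step 5
    if not trusted:                                  # unmapped, untrusted source
        return "reject", None, "571 Cannot relay"
    if skip_internal_for_outbound:                   # step 6
        return "relay-outbound", None, "MX lookup or Static Outbound Host"
    return "deliver-internal", "Default", default_route.targets   # step 7


# Constructed routing table and lists (documentation-range addresses).
SAMPLE_TABLE = {
    "example.com": Route("Static", ("10.1.1.10", "10.1.1.11")),
    "mail.example.com": Route("DNS", ("10.1.1.53",)),
    "partner.example": Route("Static Outbound", ("relay.partner.example",), 2525),
}
SAMPLE_DEFAULT = Route("Static", ("10.1.1.10",))
SAMPLE_INTERNAL = ("10.1.1.0/24",)
SAMPLE_ALLOW_RELAY = ("198.51.100.0/24",)


def sample_decision(sender_ip, rcpt_domain, **opts):
    """decide() over the constructed configuration above."""
    return decide(SAMPLE_TABLE, SAMPLE_DEFAULT, sender_ip, rcpt_domain,
                  internal_servers=SAMPLE_INTERNAL, allow_relay=SAMPLE_ALLOW_RELAY, **opts)


if __name__ == "__main__":
    for src, dst in [("203.0.113.5", "sales.example.com"), ("203.0.113.5", "partner.example"),
                     ("10.1.1.10", "partner.example"), ("10.1.1.10", "other.example"),
                     ("203.0.113.5", "other.example")]:
        print(src, "->", dst, sample_decision(src, dst))
```

The model makes the security boundary explicit: a hosted domain is accepted from anywhere, whereas a Static Outbound or unmapped domain is relayed only for internal servers, Allow Relay entries or authenticated senders, and everything else gets the 571 reply.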
Figure 200 Domain Based Mapping - Manage window


Table 200 Domain Based Mapping - Manage fields


Protocol: The mail service (SMTP, IMAP4 or POP3) for the domain.
• SMTP: protocol for sending email
• POP3: protocol for retrieving email
• IMAP4: protocol for retrieving email
Domain Name: The domain or sub-domain name that Email Gateway hosts.
Routing Type: The routing type configured for each domain. See the Add New Domain Routing window for details.
Machine Name/DNS/Domain Name: The fully qualified machine name, IP address or domain name of the mail server responsible for the domain's mail. More than one machine name (or IP address) can be listed to provide better routing; fail-over occurs in the order in which the machines are listed in this field.
IP Side Note: Any explanatory or descriptive notes entered when the domain was added or edited.
Delete: To remove the mapping of a domain to an internal server, check its Delete box and click Submit.
Export: Clicking the Export hyperlink exports the list of mapped domains to a file, where it can be kept as a backup.
Character Set: Select the character set to be used for encoding messages. The options are the same as those listed for the Allow Relay - Configure window (Table 199); only those character sets supported by both Autonomy and ICONV can be used effectively.

If a message is addressed to a domain not mapped here, Email Gateway will drop the connection – the
message will not be accepted – unless the sender is on the Email Gateway Allow Relay List, or the message
sender has been authenticated by a POP Before SMTP or SMTP AUTH method.

Adding a new routing domain


To add a new routing domain to the Domain Based Routing window, click the Add New button at the
bottom of the window. The following window will appear, allowing you to configure the new domain.


Figure 201 Domain Routing - Add Mapping window

Table 201 Domain Routing - Add Mapping fields


Protocol: From the list, select the mail service (SMTP, IMAP4 or POP3) for the domain:
• SMTP: protocol for sending email
• POP3: protocol for retrieving email
• IMAP4: protocol for retrieving email
Domain Name: Type the domain or sub-domain name that Email Gateway will host.
Routing Type: Select the routing type for the domain from the pick list. Options are:
• Static – requires the host names or IP addresses (comma separated) of the MTA(s) to which mail for the domain is routed. The domain is treated as a hosted domain.
• DNS – requires the host names or IP addresses (comma separated) of the DNS server(s) on which the MX lookup is done to determine the route for the domain. The domain is treated as a hosted domain.
• Static Outbound – requires the host name or IP address of the MTA to which mail for the domain is routed, but the domain is treated as non-hosted: mail is not accepted for it unless it comes from the internal servers or from an address on the Allow Relay list.
• Alternate MX – requires the name of an alternate domain on which the MX lookup is done with the default DNS server. The lookup determines the route for the destination domain. The domain is treated as a hosted domain.
The routing types Static, DNS and Alternate MX apply only to inbound mail, since Email Gateway hosts these domains. Static Outbound applies only to outbound mail. Mail from the internal servers to non-hosted domains is treated as outbound mail, as is mail to non-hosted domains from other IPs on the Allow Relay list when Skip Internal Server for Outbound Messages is turned on.
If POP3 or IMAP4 is the selected protocol, the routing type is always Static.
Port: Type a valid port number to specify the custom port you want. For more information, see "SMTP on custom TCP ports" on page 358.

Machine Name/DNS/Domain Name: Type the IP address (or host name) of the mail server responsible for the domain's mail. Unless Alternate MX is the selected routing type, more than one address can be added to provide better routing. Separate the machine names or IP addresses with commas, with no spaces after the commas. Fail-over occurs in the order in which the machines are listed in this field.
If Alternate MX is selected, type the name of the alternate domain on which the MX lookup is done with the default DNS server. The lookup determines the route for the destination domain, which is treated as a hosted domain.
IP Side Note: Type any explanatory or descriptive notes that should appear in the mapping table.
Upload from File: You can upload a list of host names or IP addresses from a file by navigating to the file or entering the complete path to its location.
Character Set: Select the character set to be used for encoding messages. The options are the same as those listed for the Allow Relay - Configure window (Table 199); only those character sets supported by both Autonomy and ICONV can be used effectively.

When the information is complete, click Submit. The Domain Based Routing window will update.

SMTP on custom TCP ports


Because some organizations need their mail servers to listen for SMTP traffic on ports other than port
25, Email Gateway allows you to define the destination SMTP port for mail delivery on the Domain Routing
- Add Mapping window. The option is available only for inbound static and outbound static routes.
The information that follows refers to new functionality. Further information about Domain Routing is
given in Domain-based routing, above.
The process for adding a new static route is unchanged except for one addition to the window: the Port
field, where you type a valid port number to specify the custom port. When the configuration has been
entered correctly, click Submit. The Domain Routing Mapping - Manage window updates to show the
newly designated port.

Editing an existing domain


To edit the configuration of an existing routing domain, click the hyperlink for that domain, which appears
in the Machine Name/DNS/Domain Name column on the Domain Based Routing window. An edit window
will appear, as shown below.
This window allows you to view the existing information about the domain you selected, and to edit some of
the fields.


Table 202 Domain Routing - Edit Mapping fields


Protocol: The protocol for this domain. This field is not editable.
Domain Name: The domain or sub-domain name for this routing configuration. This field is not editable.
Routing Type: The routing type for the domain. This field is not editable.
Machine Name/DNS/Domain Name: Type the IP address (or host name) of the mail server responsible for the domain's mail. Unless Alternate MX is the routing type, more than one address can be added to provide better routing. Separate the machine names or IP addresses with commas, with no spaces after the commas. Fail-over occurs in the order in which the machines are listed in this field.
If Alternate MX is the routing type, type the name of the alternate domain on which the MX lookup is done with the default DNS server. The lookup determines the route for the destination domain, which is treated as a hosted domain.
IP Side Note: Type any explanatory or descriptive notes that should appear in the mapping table.

When you click Submit, the edited domain information will appear in the Domain Based Routing window.

Internal routing
Administrators must provide the IP addresses of any internal server allowed to deliver, through Email
Gateway, messages to external domains. The IP address of the default mail server (entered during the
Initial Configuration Wizard when Email Gateway was installed) is listed by default.
Note: Whenever a server’s IP address is added here, it must also be added to the Email Gateway Allow Relay List
(Mail-Firewall | Allow Relay). If an IP address in this table is deleted or edited, the Allow Relay List must be
manually updated to reflect the change.

Figure 202 Internal Servers - Configure window


Table 203 Internal Servers - Configure fields


IP Address: The IP address of the server for which routing is configured.
Side Note: Any descriptive or explanatory side note entered for the IP address.
Delete: Select this checkbox and then click Submit to delete an IP address.
Add an IP: To add an IP address to the routing configuration, type it in this field. Sub-domains cannot be used.
Side Note for IP: Type any explanatory text you want to include with the IP.

Adding an IP to internal routing


If you want to add an IP to the Internal Routing table, type the address in the Add an IP data field, and
add an identifying side note if you wish. Click Submit. The new IP will be added.
Note: You cannot edit an Internal Routing IP. You can only add and delete it, and add a new one to replace it if
necessary.

About Mail VPN


Configure Email Gateway services for processing message retrieval requests (via POP3 and IMAP4
protocols) in the Mail-VPN program area. When Email Gateway proxies these connections, the internal mail
servers are protected from attempted attacks on these ports, as well as shielded from view to the outside
world. When users retrieve their email, Email Gateway intercepts the requests, proxying them to the
internal mail server(s). It passes the username and password to the internal mail server which is
responsible for validating the request. If validated, Email Gateway proxies the internal mail servers’
response back to the client.

Configuring Mail-VPN
The Mail-VPN - Configure window contains four columns: Service, Auto-Start, Running, and Service Uptime.
Figure 203 Mail VPN - Configure window


Table 204 Mail VPN - Configure fields

Service: This column contains the names of the Email Gateway services or subsystems that process email
    retrieval requests.
Auto-Start: A red X or green check icon indicates whether or not the service is set to start automatically
    when the Email Gateway appliance is rebooted. If the icon is green, the service will begin running when
    Email Gateway restarts. In addition, if the icon is green, Health Monitor will restart a service that has
    stopped for any reason when it performs its tests on all appliance subsystems. If the icon is red, the
    service will not start on reboot, nor when Health Monitor runs its system tests.
    A service can continue to run after its auto-start setting is turned off. A service cannot automatically
    start running, however, until its auto-start setting is turned on. Nevertheless, an administrator can
    manually start a service even when auto-start is disabled.
    The red and green icons are hyperlinks. Clicking the icon/hyperlink toggles the auto-start option on and
    off.
Running: A red or green light icon indicates whether or not the service is currently running.
    In some situations, the Running icon might not refresh when selected (that is, it might not change from
    an X to a check). If the icon does not toggle as expected, click IntrusionDefender | Mail-VPN in the left
    navigation frame of the Web Administration interface to refresh the page.
Service Uptime: This column indicates (in days, hours, minutes, and seconds) how long a service has been
    running since it was last restarted.
    If the uptime appears less than expected, it might indicate that the service was stopped manually by an
    administrator or by an unexpected program error, but was restarted automatically by the Email Gateway
    Health Monitor.

Configuring the services


Each service name on the Mail VPN - Configure window is a hyperlink that opens the service properties
window for that specific service.
Figure 204 IMAP4 Service Configuration window

Note: The service properties screens for both of the Mail-VPN services are identical with the exception of the port
selection. The table below explains the screens and the service configurations for both services.


Table 205 IMAP4 Service Configuration fields

Log Level: Email Gateway generates detailed logs that record the activities of all its subsystems. The
    detailed logs can be saved to disk and sent to McAfee engineers for troubleshooting purposes.
    The Log Level set here determines the amount of detail written to the log. Select the log level to be
    used.
Default Route: Type the default route here. Multiple routes (as a fallback) are supported when they are
    separated by commas. The default route should be either a hostname or an IP address.
Enable Default Service: Check this box to accept incoming requests on the configured port.
Internal IMAP4 Port or Internal POP3 Port: The proxy connects to the internal server on this port. Specify
    the port number through which Email Gateway should connect to the internal IMAP4/POP3 server.
    The standard port number for IMAP4 is 143. The standard port number for POP3 is 110.
Banner: In order to hide information about the email infrastructure that might be exploited by hackers,
    Email Gateway provides the ability to create a neutral, nondescript Welcome Banner replacing the internal
    mail server's banner, which might reveal its application type and version. The banner is limited to 80
    bytes of data and cannot contain newline characters (<CR>).
Send Full User ID to Internal Server: Internal email applications (such as Lotus Notes, Microsoft Exchange,
    and Novell GroupWise) can be configured to require users' client applications to submit a fully qualified
    username (for example, username@domain.com). If "Send Full User ID to Internal Server" is enabled, Email
    Gateway proxies the fully qualified username (and password) to the mail server. If not enabled, Email
    Gateway passes only the username part of a fully qualified user ID to the mail server.
Enable Secure Service: Check this box to accept incoming requests on the configured SSL port.
Secured Internal Server: If enabled, Email Gateway will connect to an internal IMAP4 server using an SSL
    connection.
Enable Load Throttling: If "Enable Load Throttling" is selected, Email Gateway allows a maximum number of
    simultaneous connections. If this option is not enabled, Email Gateway accepts an unlimited number of
    simultaneous connections.
    While SMTPI load throttling is dynamic, gracefully adjusting the connection acceptance rate with the
    volume of messages in the Email Gateway Message Store, this IMAP4/POP3 load throttling simply places a
    flat limit on the number of simultaneous connections these subsystems will each accept. If enabled, a
    numeric value must be provided in the input field appearing immediately below.
Connection Limit: Type a number, from 100 to 200, representing the maximum number of simultaneous
    connections Email Gateway allows on each port.
    Administrators might wish to monitor their daily volume of email for one or more weeks before setting
    this value. Review the corporate firewall Connection Log to determine what typical simultaneous
    connection rates are.
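The proxy behaviour that the table above describes, modelled as an added example (this is not Email Gateway code): a constructed in-memory "internal server" whose banner reveals a version string, and a proxy class that replaces that banner, applies the "Send Full User ID to Internal Server" setting to the USER command, and enforces the flat Connection Limit of load throttling. The class and function names, the refusal message and the sample account are assumptions made for this example.

```python
"""Simulated POP3 session through a Mail-VPN style proxy.

Added example, not Email Gateway code. It models three settings from the
service configuration: the replacement Banner, "Send Full User ID to
Internal Server", and the Connection Limit used by Load Throttling.
Names, the refusal message and the sample account are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def validate_banner(banner: str) -> str:
    """Enforce the documented banner limits: at most 80 bytes, no CR or LF."""
    if "\r" in banner or "\n" in banner:
        raise ValueError("banner must not contain CR or LF")
    if len(banner.encode("utf-8")) > 80:
        raise ValueError("banner exceeds 80 bytes")
    return banner


@dataclass
class ProxyConfig:
    banner: str = "+OK ready"                 # neutral text shown instead of the server's banner
    send_full_user_id: bool = False           # forward "user@domain" unchanged when True
    connection_limit: Optional[int] = None    # None models Load Throttling switched off


class InternalPop3Session:
    """Constructed stand-in for one session with the internal mail server."""
    BANNER = "+OK InternalMail POP3 v9.9 ready"   # version string the proxy should hide

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.user = None

    def handle(self, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            # The internal server, not the proxy, decides whether the credentials are valid.
            ok = self.user is not None and self.accounts.get(self.user) == arg
            return "+OK logged in" if ok else "-ERR authentication failed"
        if cmd == "QUIT":
            return "+OK bye"
        return "-ERR unknown command"


class MailVpnProxy:
    def __init__(self, config: ProxyConfig, accounts: dict):
        self.config = config
        self.accounts = accounts
        self.active = 0

    def accept(self) -> bool:
        """Admit a new client connection unless the flat connection limit is reached."""
        limit = self.config.connection_limit
        if limit is not None and self.active >= limit:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active -= 1

    def session(self, client_lines: list) -> list:
        """Relay one client session and return the responses the client sees."""
        if not self.accept():
            return ["-ERR too many connections, try again later"]
        try:
            backend = InternalPop3Session(self.accounts)
            _ = backend.BANNER          # internal banner is read here and never forwarded
            responses = [validate_banner(self.config.banner)]
            for line in client_lines:
                cmd, _, arg = line.partition(" ")
                if cmd.upper() == "USER" and not self.config.send_full_user_id:
                    line = "USER " + arg.split("@", 1)[0]   # keep only the local part
                responses.append(backend.handle(line))
                if cmd.upper() == "QUIT":
                    break
            return responses
        finally:
            self.release()


if __name__ == "__main__":
    proxy = MailVpnProxy(ProxyConfig(), {"alice": "s3cret"})   # constructed account
    print(proxy.session(["USER alice@example.com", "PASS s3cret", "QUIT"]))
```

With the default settings the client sees only the neutral banner and the internal server's responses; switching `send_full_user_id` on forwards `alice@example.com` unchanged, which fails against a server that knows the account only as `alice`, the mismatch the table warns about when the two settings do not agree.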


Figure 205 POP3 Service Configuration window

About Domain Require and Deny


The SSL/TLS Domains - Require/Deny window allows you to enable the SSL protocol for Email Gateway
appliances. Additionally, the window provides configuration to add Require domains for which Email
Gateway will send messages to users securely, or to add Deny domains to which Email Gateway will never
send SSL-encrypted messages.
The tables on the window are empty until you add domains; afterward, they show the domains for which
SSL encryption is required or denied.
Figure 206 SSL/TLS Domains - Require/Deny window


Table 206 SSL/TLS Domains - Require/Deny fields

Enable SSL/TLS: Select the checkbox to enable SSL/TLS encryption.
Required Domains: The table in the upper portion of the window contains information about domains for
    which SSL encryption is required.
Required Domain: This column lists the domain names of those domains for which SSL encryption is required.
Enable: The checkbox allows you to enable (check) or disable (un-check) SSL encryption for the associated
    domain.
Delete: Selecting the checkbox and then clicking Submit will cause the domain to be deleted.
Denied Domains: The table in the lower half of the window shows information about domains to which Email
    Gateway never sends SSL-encrypted email.
Denied Domain: This column lists the domain names for those domains to which Email Gateway never sends
    SSL-encrypted messages.
Enable: The checkbox allows you to enable (check) or disable (un-check) SSL denial for the associated
    domain.
Delete: Selecting the checkbox and then clicking Submit will cause the domain to be deleted.
Adding New Domains: The data fields below allow the addition of new domains to either the Required or
    Denied lists.
Require/Deny: For the new domain, select Require or Deny from the pick list to determine the list to which
    the domain is added.
Add Domain: Type the domain name for the new domain.

To add a new domain to either list, type the information in the data fields explained above. When the
information is correct, click Submit. The SSL/TLS Domains window will update to add the new domain.
New domains are not enabled by default. If you want to enable the new domain, select the Enable
checkbox and click Submit again. The window will refresh to accept the change.



22 Lightweight Directory Access Protocol (LDAP)
Contents
LDAP on Email Gateway
LDAP configuration
Configuring LDAP properties

LDAP on Email Gateway


Lightweight Directory Access Protocol (LDAP) is an internet protocol that email programs use to look up
contact information from a server. LDAP directories provide information such as names, addresses,
locations and other data about people and organizations. In a network, this information can be used for
email addressing, user authentication or network security.
Email Gateway offers integration with a wide range of LDAP servers by allowing flexible methods for
accessing user and group objects and their attributes, regardless of platform or enterprise directory
schema.

LDAP operations
Email Gateway uses LDAP directories to perform two types of operations: Realtime and Synchronized.

Realtime operations
Realtime operations are those which query the LDAP server in real time, to find details about a recipient
when a message is received at SMTPI. The results of each query are evaluated immediately.
Email Gateway Realtime LDAP operations are:
• Recipient validation - during message acceptance, SMTPI can check with the LDAP server to verify that
the recipient is a valid member of a hosted domain.

• Mail routing queries - during message acceptance, if the recipient is a valid member of a hosted domain,
SMTPI can determine, from the LDAP server, the mail server to which the message should be routed.

• Address masquerading - during message acceptance, SMTPI can find the canonical email address (the
original email address) for the recipient and re-write the recipient address at the RFC 821 (SMTP
envelope) level ONLY; the RFC 822 (message header) address is not re-written.

Synchronized operations
Synchronized Operations are those which query the LDAP server at specific intervals. The resultant
information is stored in Email Gateway database, and is evaluated by a query to the database rather than
to the LDAP server. Synchronized mode is used when it is desirable to duplicate data between the LDAP
server and the local Email Gateway database for faster access.
The Synchronized operations for which Email Gateway uses LDAP are:
• User or group evaluation (Policy Engine) - during message processing, various Email Gateway processes
check group membership in the local data in order to apply any rules based on membership to a group.

• Recipient validation - during message acceptance, when a recipient belongs to a hosted domain, SMTPI
will check the local dataset to determine if the recipient is valid.

• Mail routing queries - during message acceptance, SMTPI can check the local dataset to determine the
mail server to which the message should be routed.


LDAP profiles
An LDAP profile is a collection (a logical grouping) of configuration information about an LDAP server. This
grouping makes it easier to switch between servers when one of them fails.
A profile includes the following elements:
• Profile ID – a unique identifier for the profile

• Profile Name – a unique display value for the profile

• Platform – the type of LDAP server where the profile applies. For Email Gateway, the types are:

• MS Active Directory

• MS Exchange 5.5

• Domino

• Novell eDirectory

• iPlanet (Sun Java System Directory Server)

• OpenLDAP

• Server IP/Hostname – the hostname or IP address of the LDAP server

• Server Port – the port on which the LDAP server is listening

• User DN – the Distinguished Name of the authenticating user

• Password – the password of the authenticating user

LDAP rules
An LDAP rule is a collection of LDAP operations that can be completed in one pass by either a single query
or a group of queries. It is a grouping of operations that can be applied to a set of domains and evaluated
using the LDAP profiles.
The elements of a rule are:
• Rule Name – a unique display value for the rule

• Rule Type – Realtime rule or Synchronized rule (identifies the type of operation)

• Rule Operations – the set of operations to be completed in the rule

• Rule Enabled – indication whether or not the rule has been enabled

Binding rules and domains


Each LDAP rule is bound to one or more domains. Binding to more than one domain is executed by
specifying: (1) Global, (2) a list of domains, or (3) a Domain Group.
The elements of the binding are:
• The Domain – a comma-separated list of domains or a Domain Group

• Binding Type – either Global, Domain Group, or Domain List

LDAP queries
The configuration parameters used in creating LDAP queries will change, based on the type of LDAP rule
being applied and the operations selected for that rule.


Realtime rule queries


For Realtime rules, the query configuration elements are:
• Rule Type – the Binding Type (see Binding Rules and Domains)

• Profile Name – the profile to be used in making the query

• Search DN – the starting point where the query will search for the Person Object

• Search Filter – the filter string (for identifying individuals) that defines or limits the search

• Validation Attributes – the attributes of the Person Object the query is to use for validation

• Mail Host Attributes – the attributes of the Person Object the query is to treat as containing the routing
information

• Address Masquerading Attributes – the attributes of the Person Object the query will treat as containing
the canonical (main) email address

Synchronized rule queries


For Synchronized rules, the elements are:
• Profile Name – the profile to be used in making the query

• Search DN – the starting point where the query will search for the Group Objects

• Group Filter – the filter string (for identifying groups) that defines or limits the search

• Group Attribute – the attribute of a group that contains information identifying the objects that make up
the group (for example, members)

• Group Routing Attribute – the attributes of a Group Object the query treats as containing routing
information, when routing information is stored at the group level.

• Member Attributes – the attributes of a Group Object the query treats as containing the members of the
group

• Email Attribute – the attribute the query should treat as containing the member’s email address.

• Routing Attribute – when routing information is stored at the member level, the attribute of the
Member Object the query treats as containing the routing information.
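The two query shapes just listed (the Realtime rule's Search DN, Search Filter, Validation, Mail Host and Address Masquerading attributes, and the Synchronized rule's Group Filter, Group Attribute, Group Routing, Email and Routing attributes) are modelled below as an added example; this is not Email Gateway code, and the product's own query syntax is not documented on this page. It runs both rule types against a constructed in-memory directory instead of a live LDAP server. The directory contents, the attribute names, the `%s` placeholder for the recipient address, and the decision that a recipient is valid when any validation attribute is populated are assumptions made for the example. The point worth noting for recipient validation is the escaping step: the recipient address arrives from an untrusted SMTP peer and is substituted into a search filter, so the RFC 4515 special characters must be escaped or the filter itself can be altered.

```python
"""Evaluate Email Gateway-style LDAP rules against a constructed in-memory directory.

Added example, not Email Gateway code. It models a Realtime rule (recipient
validation, mail routing, address masquerading) and a Synchronized rule (group
membership and routing copied into a local dataset). Directory contents,
attribute names and the "%s" recipient placeholder are assumptions.
"""
import re
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter; the characters
    * ( ) \\ and NUL would otherwise change the filter instead of being matched."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(filt: str, pos: int = 0):
    """Parse a filter subset: (attr=value) with '*' wildcards, (&...) and (|...)."""
    pos += 1                                 # skip the opening '('
    if filt[pos] in "&|":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        return (op, children), pos + 1       # skip the closing ')'
    end = filt.index(")", pos)               # a ')' inside a value is escaped as \29
    attr, raw = filt[pos:end].split("=", 1)
    # An unescaped '*' is a wildcard; an escaped \2a stays a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return ("=", attr.lower(), re.compile("^%s$" % pattern, re.I)), end + 1


def _match(node, entry: dict) -> bool:
    if node[0] == "=":
        return any(node[2].match(v) for v in entry.get(node[1], []))
    results = [_match(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)


def search(directory: dict, search_dn: str, filt: str) -> list:
    """Entries under search_dn (DN suffix match) whose attributes satisfy filt."""
    node, _ = _parse(filt)
    return [(dn, e) for dn, e in directory.items()
            if dn.lower().endswith(search_dn.lower()) and _match(node, e)]


@dataclass
class RealtimeRule:
    search_dn: str
    search_filter: str        # "%s" is replaced with the escaped recipient address
    validation_attrs: tuple
    mailhost_attrs: tuple
    masq_attr: str


def evaluate_realtime(directory: dict, rule: RealtimeRule, recipient: str) -> dict:
    """What SMTPI learns about one recipient: valid?, routing host, canonical address."""
    filt = rule.search_filter.replace("%s", escape_filter_value(recipient))
    hits = search(directory, rule.search_dn, filt)
    if not hits:
        return {"valid": False, "mailhost": None, "canonical": None}
    entry = hits[0][1]
    first = lambda attrs: next((entry[a.lower()][0] for a in attrs if entry.get(a.lower())), None)
    # Assumption: the recipient is valid when any validation attribute is populated.
    return {"valid": first(rule.validation_attrs) is not None,
            "mailhost": first(rule.mailhost_attrs), "canonical": first((rule.masq_attr,))}


@dataclass
class SyncRule:
    search_dn: str
    group_filter: str
    group_attr: str           # group attribute listing member DNs
    group_routing_attr: str   # routing information kept at the group level
    email_attr: str           # member attribute holding the email address
    routing_attr: str         # routing information kept at the member level


def synchronize(directory: dict, rule: SyncRule) -> dict:
    """Build the local dataset: email -> {"groups": [group DNs], "mailhost": host}."""
    dataset = {}
    for group_dn, group in search(directory, rule.search_dn, rule.group_filter):
        group_route = (group.get(rule.group_routing_attr.lower()) or [None])[0]
        for member_dn in group.get(rule.group_attr.lower(), []):
            member = directory.get(member_dn, {})
            if not member.get(rule.email_attr.lower()):
                continue                     # dangling DN or member without an address
            email = member[rule.email_attr.lower()][0].lower()
            rec = dataset.setdefault(email, {"groups": [], "mailhost": None})
            rec["groups"].append(group_dn)
            member_route = (member.get(rule.routing_attr.lower()) or [None])[0]
            rec["mailhost"] = member_route or group_route or rec["mailhost"]
    return dataset


# Constructed sample directory: DN -> {attribute name (lower case): [values]}.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"],
        "proxyaddresses": ["smtp:a.smith@example.com"], "mailhost": ["mx1.internal.example.com"]},
    "cn=bob,ou=people,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "cn=finance,ou=groups,dc=example,dc=com": {"objectclass": ["group"],
        "member": ["cn=alice,ou=people,dc=example,dc=com", "cn=bob,ou=people,dc=example,dc=com",
                   "cn=gone,ou=people,dc=example,dc=com"],
        "mailhost": ["mx2.internal.example.com"]},
}
REALTIME = RealtimeRule("ou=people,dc=example,dc=com", "(|(mail=%s)(proxyaddresses=smtp:%s))",
                        ("mail",), ("mailhost",), "mail")
SYNC = SyncRule("ou=groups,dc=example,dc=com", "(objectclass=group)",
                "member", "mailhost", "mail", "mailhost")
```

Running `evaluate_realtime(DIRECTORY, REALTIME, "a.smith@example.com")` finds Alice through her proxy address and returns her canonical address and mail host, which is the masquerading and routing outcome the text describes; an address such as `*@example.com` is escaped to `\2a@example.com` and matches nothing, whereas an administrator-authored filter like `(mail=*@example.com)` keeps its wildcard. `synchronize(DIRECTORY, SYNC)` produces the local dataset that Policy Engine group checks and synchronized recipient validation would consult, with member-level routing taking precedence over the group-level attribute and a dangling member DN skipped.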

LDAP configuration
Using LDAP functionality in Email Gateway requires you to proceed in a logical order to define and configure
all the necessary components for executing queries and evaluating the results.

Configuring LDAP profiles


The LDAP Server Profiles - Manage window displays any existing LDAP profiles and allows you to edit them.


Figure 207 LDAP Server Profiles - Manage window

Table 207 LDAP Server Profiles - Manage fields

ID: This column displays the assigned ID number for each specific profile. Each ID is a hyperlink that
    will display details about the associated profile.
Name: This column lists the name associated with each profile, set when the profile was configured.
Server Name: This column shows the IP address or hostname (FQDN) for the server where this profile will
    reside.
Platform: This column displays the name of the platform for which the profile is configured.
Delete: Select the checkbox beside any profile, then click Submit to delete the profile from the system.

Adding a new profile


If you want to add a new profile to the system, click Add New at the bottom of the window. The LDAP
Profile - Add Definition window allows you to define the new profile.
Figure 208 LDAP Profile - Add Definition window


Table 208 LDAP Profile - Add Definition fields

Profile Name: Type a unique name to identify this profile. The name will be used to associate the profile
    with a configured LDAP rule.
Platform: Select from the pick list the platform for which you are configuring this profile. This selection
    will match the name of the organization that provides your version of LDAP.
LDAP Server: Provide the IP address or Fully Qualified Domain Name of the LDAP server where this profile
    will reside.
Port: This field will contain the port number Email Gateway should use to connect to the defined LDAP
    server. The port defaults to the correct port number based on your selection of the port type radio
    button. Choices are:
    • Non secure
    • Secure LDAP over SSL (LDAPS)
    • Secure LDAP and TLS
Ignore Cert Validation: Select this checkbox to allow Email Gateway to connect to a secure LDAP server via
    TLS without checking that the server's certificate is present in the Email Gateway's list.
    This option is available only if you selected Secure LDAP and TLS.
Anonymous Bind: Select this checkbox to create an anonymous bind for this profile. This will disable the
    next three fields.
User DN: Type the user name or Distinguished Name that must be used to connect to the LDAP server. Leave
    this field blank for anonymous bind.
Password: Type a valid password associated with the user name or DN entered above. Leave this field blank
    for anonymous bind.
Confirm Password: Confirm the password by entering it a second time.

When the configuration data is complete, click Submit. The LDAP Server Profile - Manage window will be
updated.
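What the port-type choice and the "Ignore Cert Validation" checkbox amount to on the wire, shown as an added example with the Python standard library's ssl module; this is not Email Gateway code. The mapping of the three radio buttons to ports 389 and 636 (the IANA defaults for LDAP and LDAPS, with "Secure LDAP and TLS" taken to mean StartTLS on the plain port) and the function names are assumptions made for this example.

```python
"""TLS settings corresponding to an LDAP profile's port type and certificate option.

Added example, not Email Gateway code. The port mapping and function names are
assumptions; 389/636 are the IANA default ports for LDAP and LDAPS.
"""
import ssl

# Assumed mapping of the three port-type radio buttons to their default ports.
PORT_TYPES = {
    "Non secure": 389,
    "Secure LDAP over SSL (LDAPS)": 636,
    "Secure LDAP and TLS": 389,          # assumed: StartTLS upgrades the plain-port session
}


def default_port(port_type: str) -> int:
    return PORT_TYPES[port_type]


def ldap_tls_context(ignore_cert_validation: bool, ca_file=None) -> ssl.SSLContext:
    """Context for an LDAPS or StartTLS session with the directory server.

    With validation on, the server's certificate must chain to a trusted CA
    (the appliance's certificate list, or ca_file here) and its name must match
    the configured server name, so the bind credentials only ever reach that
    server. Ignoring validation drops both checks: the User DN and password are
    then sent to whatever host answers on the port.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ignore_cert_validation:
        # Equivalent of the "Ignore Cert Validation" checkbox.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the chain and checks the server name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```

The checkbox is described on the page as a TLS-only option; the context above is the same for either secure port type, the difference being only whether the handshake starts immediately (LDAPS) or after a StartTLS request.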

Editing a profile
Clicking a profile’s ID hyperlink on the LDAP Server Profiles - Manage window displays details about that
profile. An Edit Profile link is included in that display. Clicking Edit Profile displays the LDAP Profile - Add
Definition window again, populated with the current configuration of the selected profile.
The Profile ID, Profile Name and Platform fields are not editable. The other fields can be edited by changing
the information as allowed.

Table 2: LDAP Profile - Add Definition fields

Profile ID: This field contains the unique, system-generated ID number for this profile.
Profile Name: This field displays the unique name to identify this profile.
Platform: This field shows the platform for which the profile was configured.
LDAP Server: This field contains the IP address or Fully Qualified Domain Name of the LDAP server where this
    profile resides.
Port: Type the port number Email Gateway should use to connect to the defined LDAP server.
Anonymous Bind: Select this checkbox to create an anonymous bind for this profile. This will disable the
    next three fields.
User DN: Type the user name or Distinguished Name that must be used to connect to the LDAP server. Leave
    this field blank for anonymous bind.
Password: Type a valid password associated with the user name or DN entered above. Leave this field blank
    for anonymous bind.
Confirm Password: Confirm the password by entering it a second time.


When you have made the desired changes, click Submit.

Configuring LDAP rules


The LDAP Integration - Manage Rules window displays any existing LDAP rules.
Figure 209 LDAP Integration - Manage Rules window

Table 209 LDAP Integration - Manage Rules fields

ID: This column displays the assigned ID number for each specific rule. Each ID is a hyperlink that will
    display details about the associated rule.
Name: This column displays the name of each rule, established when the rule was configured.
Protocol: This column shows the protocol associated with each rule.
Type: This column shows the type for each rule, either "Real Time" or "Synchronized." The type determines
    the kinds of operations that can be associated with the rule and the way query results are handled.
Enabled: Selecting or unselecting this checkbox toggles the rule between enabled and disabled status.
Delete: Select the checkbox beside any rule, then click Submit to delete the rule from the system.

Adding a realtime rule


Adding a new rule to the system involves completing a series of screens. No rule can be enabled until it has
been fully created.
If you want to add a new LDAP rule to the system, click Add New at the bottom of the LDAP Integration -
Manage Rules window. The Add Rule window will appear.


Figure 210 LDAP Definition - Add Rule window

Table 210 LDAP Definition - Add Rule fields

Rule Name: Type a unique name to identify this rule.
Protocol: Select the appropriate protocol from the list. Options are:
    • SMTP
    • POP3
    • IMAP4
Type: Click the proper radio button to choose the type of actions for which this rule is being configured.
    Your choices are:
    • Real Time, or
    • Synchronized
Operations: The next four items allow you to configure operations that will use the LDAP server.
Routing: Select this checkbox if you want to use this rule for LDAP routing.
Address Validation: Select this checkbox if you want to validate addresses using this rule.
Address Masquerading: Select this checkbox if you want to use the LDAP directory for Address Masquerading.
    This option is valid only for Realtime rules.
Policy: Select this checkbox if you want to allow Email Gateway processes to check group membership in the
    local data in order to apply their rules. This option is valid for Synchronized rules only.
Buttons: The bottom of the window includes three buttons:
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.

Click Next. The Assign Domain Information window displays.


Adding domain information


Figure 211 Assign Domain Information window

This window provides the necessary fields to allow you to associate the domain to which the rule will apply
with the rule itself.

Table 211 Assign Domain Information fields

Type: Select the desired type of association you wish to configure:
    • Global
    • Domain Group
    • Domain List
Domain Group: If Domain Group is the selected type, type the desired group name.
Domain Names: If Domain List is the selected type, type a comma-separated list of domain names. Domain name
    validation of characters will apply.
Buttons: The bottom of the window includes three buttons:
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.
    • Finished – this button will accept data and exit the process of adding a new rule. You can come back
      to your place later using the editing process.

Click Next. The Assign Profile Information window appears.


Assigning Profiles
Figure 212 Assign Profile Information window

This window allows you to assign one or more profiles to this rule.

Table 212 Assign Profile Information fields

Profile Assignment Configuration: This portion of the window is a table listing any existing associations.
Profile Name: This column shows the name configured for each profile.
Order: This column shows the processing order for each profile associated with the rule.
Delete: Selecting the Delete checkbox, then clicking Finished will delete that rule from the system.
Add Profile: The lower panel of the window allows you to add new profiles to the rule.
Profile Name: Type the name of a profile that has already been configured, exactly as it was originally
    written.
Order: Select from the pick list the sequence in the processing order where this profile is to be processed.
Buttons: The bottom of the window includes four buttons:
    • Select – this button adds the new profile you just configured to the rule and opens the Query Browser
      window.
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.
    • Finished – this button will accept data and exit the process of adding a new rule. You can come back
      to your place later using the editing process.

Click Select. The next window allows you to configure queries using the rule you have just configured.


Queries
Figure 213 Query Browser window

Table 213 Query Browser fields

Type: The type of rule you are adding displays at the top of the panel. The entry is not editable.
Query Configuration:
Search DN: Type the Distinguished Name for the server where the query should be executed.
Search Filter: Type the search criteria for finding the recipient's email address.
Validate Attribute: Type a comma-separated list of attribute names to be used to limit the size of the
    result for a particular DN matching the search criteria. This field is editable only when Address
    Validation is selected.
Mailhost Attribute: Type a comma-separated list of attribute names that contain routing information for a
    particular DN matching the search criteria. This field is editable only when Mail Routing is selected.
Masq. Attribute: Type a single attribute name (NO comma-separated lists) that contains the canonical (main)
    email address for a particular DN that matches the search criteria. This field is editable only when
    Address Masquerading is selected.
Test Parameters: Type the required data to test the query and validate the test results. Click the Test
    button to execute the test.
Buttons: The bottom of the window includes four buttons:
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.
    • Finished – this button accepts any data you have entered and takes you to the final window, where
      you can review your rule.


If you click Next, the Assign Profile Information window appears to allow you to assign another profile to
the rule if desired. When you have reviewed the window, click Next again to go to the final window where
you can enable your rule.

Confirming rules
Figure 214 Rule Confirmation window

Table 214 Rule Confirmation fields

Rule Operation Configuration: This panel of the window displays details about the operations configured for
    the rule.
Domain Assignment Configuration: This panel displays the domains associated with the rule.
Profile Assignment Configuration: This portion of the window lists the profiles that have been associated
    with the rule.
Do you want to enable this rule?: This checkbox allows you to enable the rule you have just created. When
    you click Finished, the rule will display on the Rules List.

After you have reviewed the window, click Finished. The LDAP Rules window updates showing the new
rule.


Adding a synchronized rule


The process for adding synchronized rules follows the same series of screens as realtime rules, but there
are differences among the parameters that can be set. The process begins with the LDAP Integration Rules
window.
To add the new rule, click Add New. The LDAP Definition - Add Rule window appears.
Figure 215 LDAP Definition - Add Rule window

Table 215 LDAP Definition - Add Rule fields

Rule Name: Type a unique name to identify this rule.
Protocol: Select the appropriate protocol from the list. Options are:
    • SMTP
    • POP3
    • IMAP4
Type: Click the proper radio button to choose the type of actions for which this rule is being configured.
    Your choices are:
    • Real Time
    • Synchronized
Operations: The next four items allow you to configure operations that will use the LDAP server.
Routing: Select this checkbox if you want to use this rule for LDAP routing.
Address Validation: Select this checkbox if you want to validate addresses using this rule.
Address Masquerading: Select this checkbox if you want to use the LDAP directory for Address Masquerading.
    This option is valid only for Realtime rules.
Policy: Select this checkbox if you want to allow Email Gateway processes to check group membership in the
    local data in order to apply their rules. This option is valid for Synchronized rules only.

Click Next.


Adding domain information


Figure 216 Assign Domain Information window

Table 216 Assign Domain Information fields

Type: Select the desired type of association you want to configure:
    • Global
    • Domain Group
    • Domain List
    All synchronized rules are Global rules, so there is no choice to make for this field.
Domain Group: If you select Domain Group, above, select the name of the domain group from the drop-down
    list. For synchronized rules, this selection is not applicable.
Domain Names: If Domain List is the selected type, type a comma-separated list of domain names. Domain name
    validation of characters will apply. For synchronized rules, this selection is not applicable.
Buttons: The bottom of the window includes three buttons:
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.

Click Next to proceed to the next step.


Assigning profiles
Figure 217 Assign Profile Information window

Table 217 Assign Profile Information fields

Profile Assignment Configuration: This portion of the window is a table listing any existing profiles.
Profile Name: This column shows the name configured for each profile.
Order: This column shows the processing order for each profile associated with the rule.
Delete: Selecting the Delete checkbox, then clicking Finished will delete that rule from the system.
Add Profile: The lower panel of the window allows you to add new profiles to the rule.
Profile Name: Type the name of a profile that has already been configured, exactly as it was originally
    written.
Order: Select from the pick list the sequence in the processing order where this profile is to be processed.
Buttons: The bottom of the window includes four buttons:
    • Select – this button adds the new profile you just configured to the rule and opens the Query Browser
      window.
    • Back – this button will take you back to the first window in the "Add New Rule" series without
      accepting any data you have entered.
    • Reset – this button will clear any data you have entered on this window, taking the window back to
      its original condition.
    • Next – this button will accept any data you have entered and will take you to the next window in
      the series.
    • Finished – this button will accept data and exit the process of adding a new rule. You can come back
      to your place later using the editing process.

Click Select to proceed to the next step. The Query Browser window will appear, allowing you to configure
queries that use the rule you have configured.


Queries
Figure 218 Query Browser window

Table 3: Query Browser fields

Type: The type of rule you are creating displays here.

Query Configuration
Search DN: Type the Distinguished Name for the server where the query should be executed.
Group Filter: Type the filter string used to identify groups, which defines the limits of the search.
Member Filter: Type the filter string used to identify members, which defines the limits of the search.
Group Attribute: Type the attribute of the group that contains the information identifying the members that make up the group.
Group Routing Attribute: If routing information is stored at the group level, type the attribute the query will treat as containing the routing information.
Member Attributes: Email Attribute – type the attribute the query will treat as containing the member’s email address. Routing Attribute – if routing information is stored at the member level, type the attribute the query will use to find the routing information.
Test: Click the Test button to execute the test, using the data entered above.

Buttons: The bottom of the window includes four buttons:
• Back – returns you to the first window in the “Add New Rule” series without accepting any data you have entered.
• Reset – clears any data you have entered on this window, returning the window to its original condition.
• Next – accepts the data you have entered and takes you to the next window in the series.
• Finished – accepts any data you have entered and takes you to the final window, where you can review your rule.

Click Next to continue. The Assign Profile Information window will reappear to allow you to assign another
profile if necessary.
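The Query Configuration fields above are the raw material of two directory searches: one that finds groups, and one that finds a member by email address. The following is an added example, not Email Gateway code: it assumes the configured fields are plain strings and that a recipient address taken from an SMTP envelope is substituted into the member filter. That address is escaped as RFC 4515 requires, so a crafted address is matched literally rather than rewriting the filter (the field names, base DN and attribute values below are constructed for illustration).

```python
"""LDAP query construction from Query Browser style settings.

Added example (not Email Gateway code). Assumes the configured filters and
attribute names are plain strings, and escapes any value substituted into a
filter per RFC 4515 section 3.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can be embedded in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parenthesized(flt: str) -> str:
    """Ensure a configured filter string is wrapped in parentheses."""
    flt = flt.strip()
    return flt if flt.startswith("(") else f"({flt})"


@dataclass(frozen=True)
class QueryConfig:
    """Mirrors the Query Configuration fields of the Query Browser window."""
    search_dn: str                 # Search DN: base of the search
    group_filter: str              # Group Filter: identifies groups
    member_filter: str             # Member Filter: identifies members
    group_attribute: str           # Group Attribute: lists a group's members
    email_attribute: str           # Member Attributes / Email Attribute
    group_routing_attribute: Optional[str] = None   # Group Routing Attribute
    member_routing_attribute: Optional[str] = None  # Member Attributes / Routing Attribute


def group_search(cfg: QueryConfig) -> Tuple[str, str, List[str]]:
    """Return (base DN, filter, attributes to fetch) for the group query."""
    attrs = [cfg.group_attribute]
    if cfg.group_routing_attribute:
        attrs.append(cfg.group_routing_attribute)
    return cfg.search_dn, _parenthesized(cfg.group_filter), attrs


def member_search(cfg: QueryConfig, email: str) -> Tuple[str, str, List[str]]:
    """Return (base DN, filter, attributes) for looking up one member by address.

    The configured Member Filter is AND-ed with an equality match on the email
    attribute; the address is escaped so '*', '(' and ')' match literally.
    """
    flt = (f"(&{_parenthesized(cfg.member_filter)}"
           f"({cfg.email_attribute}={escape_filter_value(email)}))")
    attrs = [cfg.email_attribute]
    if cfg.member_routing_attribute:
        attrs.append(cfg.member_routing_attribute)
    return cfg.search_dn, flt, attrs


# Constructed sample configuration (hypothetical names, not from the guide).
EXAMPLE_CONFIG = QueryConfig(
    search_dn="ou=People,dc=example,dc=com",
    group_filter="objectClass=groupOfNames",
    member_filter="(objectClass=person)",
    group_attribute="member",
    email_attribute="mail",
    member_routing_attribute="mailHost",
)

if __name__ == "__main__":
    print(group_search(EXAMPLE_CONFIG))
    print(member_search(EXAMPLE_CONFIG, "alice@example.com"))
    # A constructed address containing filter metacharacters is neutralised.
    print(member_search(EXAMPLE_CONFIG, "*)(mail=*"))
```

The Test button on the window exercises exactly these two searches against the live profile; running the builder offline first lets you confirm the filter syntax before involving the directory server.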


If you add a profile and click Select, a new Query Browser window will appear to allow you to configure
queries for the new profile. If you do not add a new profile, click Next again to go to the Rule Confirmation
window.

Confirming the rule


Figure 219 Rule Confirmation window

This window allows you to review the configuration of the new rule, and to enable the rule if the
configuration is correct and you want to enable it.

Table 218 Rule Confirmation fields

Rule Operation Configuration: This panel of the window displays the details of the operations you configured for this rule.
Domain Assignment Configuration: This panel displays the domains that have been associated with the rule.
Profile Assignment Configuration: This portion of the window lists the profiles that have been associated with the rule.
Do you want to enable this rule?: This checkbox allows you to enable the rule you have just created. When you click Finish, the rule will appear on the rules list.

When you have reviewed the configuration and decided whether or not to enable the rule, click Finished.
The LDAP Integration - Manage Rules window will update to add the new rule.


Figure 220 LDAP Integration - Manage Rules window updated

Editing a rule
If you want to edit an existing LDAP rule, click the ID hyperlink. The window expands to show details
regarding the rule you selected. Click any of the hyperlinks in the detail display to open the particular
window where that parameter is configured. You can edit the data on some of those screens and save your
changes.
The details for a realtime rule are shown below.
Figure 221 LDAP Integration - Manage Rules window expanded

Editing a synchronized rule provides the same options.

Table 219 LDAP Integration - Manage Rules fields

ID: This column displays the assigned ID number for each rule. Each ID is a hyperlink that displays details about the associated rule.
Name: This column displays the name of each rule, established when the rule was configured.
Protocol: The protocol associated with each rule shows in this column.
Type: This column shows the type of each rule, either Realtime or Synchronized. The type determines the kinds of operations that can be associated with the rule and the way query results are handled.
Enabled: Selecting or clearing this checkbox toggles the rule between enabled and disabled status.
Delete: Select the checkbox beside any rule, then click Submit to delete the rule from the system.

Profiles (ordered)
Operations: The configured operations appear in this field. The hyperlink opens the Add/Edit LDAP Rule Definition window.
Domain Type: The domain type for the rule displays in this field. The hyperlink opens the Assign Domain Information window.
Domain Names: Domain names (for Domain List rules) are listed in this field. The hyperlink opens the Assign Domain Information window.
Profile (Query Browser): This space shows the profile names assigned to the rule, and offers a link to the Query Browser window. If multiple profiles have been assigned to the rule, they appear in their processing order. The Profiles field label is a hyperlink that opens the Assign Profile Information window.

When you have edited the configuration, click Submit to record your changes.

LDAP connection control


LDAP rejections for any IP address that meets or exceeds a defined threshold will be subjected to a
TrustedSource query. If the query produces a reputation score greater than zero, the IP address will be
added to the Connection Control deny list.
Note: If you wish to use LDAP connection control, and the Email Gateway appliance is protected by an Edge
appliance, you must add the Edge appliance to the connection control exclude list.
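The three moving parts of that paragraph are a per-source rejection threshold, a reputation check that only runs once the threshold is met, and an exclude list that must cover any upstream Edge appliance (otherwise every rejection it forwards is attributed to its address). The following is an added example, not Email Gateway code: it assumes rejections are counted per source IP, that the reputation lookup is supplied as a callable standing in for a TrustedSource query, and that any score above zero leads to a deny-list entry. The IP addresses and scores are constructed sample data.

```python
"""LDAP connection control logic (added example, not Email Gateway code).

Assumptions: rejections are counted per source IP; once the count meets or
exceeds the threshold a reputation lookup (injected callable) is consulted;
a score above zero places the address on the deny list; addresses on the
exclude list (for example an upstream Edge appliance) are never counted.
"""
from collections import defaultdict
from typing import Callable, Dict, Optional, Set


class ConnectionControl:
    def __init__(self, threshold: int, reputation: Callable[[str], int],
                 exclude: Optional[Set[str]] = None) -> None:
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.reputation = reputation            # reputation query, injected
        self.exclude = set(exclude or ())       # never counted or denied
        self.rejections: Dict[str, int] = defaultdict(int)
        self.deny_list: Set[str] = set()

    def record_rejection(self, ip: str) -> str:
        """Count one LDAP rejection from ip and report the action taken."""
        if ip in self.exclude:
            return "excluded"
        self.rejections[ip] += 1
        if self.rejections[ip] < self.threshold:
            return "counted"
        if ip in self.deny_list:
            return "already-denied"
        # Threshold met or exceeded: consult reputation before denying.
        if self.reputation(ip) > 0:
            self.deny_list.add(ip)
            return "denied"
        return "reputation-clean"

    def is_denied(self, ip: str) -> bool:
        return ip in self.deny_list


# Constructed reputation table standing in for a live TrustedSource query.
_SAMPLE_SCORES = {"203.0.113.7": 40, "198.51.100.9": 0}


def sample_reputation(ip: str) -> int:
    return _SAMPLE_SCORES.get(ip, 0)


def run_scenario():
    """Replay constructed rejection events; return (controller, outcomes)."""
    cc = ConnectionControl(threshold=3, reputation=sample_reputation,
                           exclude={"192.0.2.1"})   # hypothetical Edge appliance
    events = ["203.0.113.7"] * 3 + ["198.51.100.9"] * 4 + ["192.0.2.1"] * 10
    outcomes = [cc.record_rejection(ip) for ip in events]
    return cc, outcomes


if __name__ == "__main__":
    controller, results = run_scenario()
    print(results)
    print("deny list:", sorted(controller.deny_list))
```

The scenario shows the two failure modes worth testing before enabling the feature: a source that trips the threshold but has a zero reputation score is never denied, and the excluded Edge address is never counted no matter how many rejections it relays.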

Configuring LDAP properties


Figure 222 LDAP Integration Configuration window

Table 220 LDAP Integration Configuration fields

Synchronization
Synchronization Interval: Type a number (from 1 to 24) representing the interval in hours between synchronization runs.
Synchronization Results Count: Type a number (from 1 to 500) indicating the maximum number of results to be displayed as interpreted results on the Query Browser.
Synchronization Rules Order: Type a comma-separated list of rule IDs to determine the order in which synchronized rules are processed.

Failure Handling
Enable Fail Open: If this option is enabled, Email Gateway falls back to normal routing when an LDAP server cannot be contacted.
LDAP Profile Failure Count: Type a number (between 1 and 50) representing the number of times an LDAP profile can fail before it is considered unavailable.
LDAP Profile Monitor Interval: Type a number (between 1 and 1440) determining the interval in minutes between attempts to test connectivity.
Profile Failure Alert Type: Select the alert type to be sent if an LDAP profile fails.
LDAP Search Timeout: Type a number determining the period of inactivity in minutes (?) that must elapse before an LDAP search times out.

Routing
Determine Route After Masquerading: If this option is enabled, SMTPI determines the routing for email messages after address masquerading has been performed.

When you have completed the information correctly, click Submit to record your configuration.
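The Failure Handling fields interact: the failure count decides when a profile is declared unavailable, the monitor interval decides how often it is re-tested, and Fail Open decides what happens when no profile is left. The following is an added example, not Email Gateway code. It assumes that a profile becomes unavailable after the configured number of consecutive failures (a success resets the count), that an unavailable profile is re-tested only once the monitor interval has elapsed since its last attempt, and that with Fail Open enabled the caller falls back to normal routing rather than treating the lookup as an error. Time is passed in as minutes so the logic runs without a clock or a directory server; the profile names are constructed.

```python
"""LDAP profile failure handling (added example, not Email Gateway code).

Assumptions: 'failure_count' consecutive failures mark a profile unavailable;
a success resets it; an unavailable profile is re-tested after
'monitor_interval' minutes; Enable Fail Open means no usable profile leads to
normal routing instead of an error.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class LdapUnavailable(Exception):
    """Raised when every profile is down and Fail Open is disabled."""


@dataclass
class ProfileState:
    failures: int = 0
    available: bool = True
    last_attempt: Optional[float] = None   # minutes; None until first failure


@dataclass
class FailureHandling:
    failure_count: int         # LDAP Profile Failure Count, 1..50
    monitor_interval: int      # LDAP Profile Monitor Interval, 1..1440 minutes
    fail_open: bool = False    # Enable Fail Open
    profiles: Dict[str, ProfileState] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= self.failure_count <= 50:
            raise ValueError("LDAP Profile Failure Count must be between 1 and 50")
        if not 1 <= self.monitor_interval <= 1440:
            raise ValueError("LDAP Profile Monitor Interval must be between 1 and 1440")

    def _state(self, name: str) -> ProfileState:
        return self.profiles.setdefault(name, ProfileState())

    def record_failure(self, name: str, now_min: float) -> bool:
        """Count one failed contact; return whether the profile is still available."""
        st = self._state(name)
        st.failures += 1
        st.last_attempt = now_min
        if st.failures >= self.failure_count:
            st.available = False
        return st.available

    def record_success(self, name: str) -> None:
        """A successful contact clears the failure count and restores the profile."""
        st = self._state(name)
        st.failures = 0
        st.available = True

    def due_for_probe(self, name: str, now_min: float) -> bool:
        """True when an unavailable profile should have its connectivity re-tested."""
        st = self._state(name)
        if st.available:
            return False
        return st.last_attempt is None or now_min - st.last_attempt >= self.monitor_interval

    def choose_profile(self, ordered_names: List[str]) -> Optional[str]:
        """First available profile in processing order; None means fail open."""
        for name in ordered_names:
            if self._state(name).available:
                return name
        if self.fail_open:
            return None
        raise LdapUnavailable("no LDAP profile is available and Fail Open is disabled")


def run_scenario():
    """Constructed sequence of events; returns the observations for checking."""
    fh = FailureHandling(failure_count=3, monitor_interval=5, fail_open=True)
    for minute in (0, 1, 2):                     # primary fails three times
        fh.record_failure("primary", minute)
    chosen_after_primary_down = fh.choose_profile(["primary", "secondary"])
    probe_too_early = fh.due_for_probe("primary", 4)    # 2 minutes since last try
    probe_due = fh.due_for_probe("primary", 7)          # 5 minutes elapsed
    for minute in (7, 8, 9):                     # secondary fails as well
        fh.record_failure("secondary", minute)
    chosen_with_all_down = fh.choose_profile(["primary", "secondary"])
    fh.record_success("primary")                 # re-test succeeded
    chosen_after_recovery = fh.choose_profile(["primary", "secondary"])
    return (chosen_after_primary_down, probe_too_early, probe_due,
            chosen_with_all_down, chosen_after_recovery)


def fail_closed_raises() -> bool:
    """With Fail Open disabled, an all-down profile set raises LdapUnavailable."""
    fh = FailureHandling(failure_count=1, monitor_interval=1, fail_open=False)
    fh.record_failure("only", 0)
    try:
        fh.choose_profile(["only"])
    except LdapUnavailable:
        return True
    return False
```

The two helper scenarios are the cases to rehearse when choosing values: a low failure count with a long monitor interval keeps a flapping directory server out of service for a long time, and Fail Open trades directory-based recipient validation for delivery continuity while that happens.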



23 WebMail Protection
Contents
Configuring WebMail protection
HTTP routing
Strong client authentication
Customizing the WebMail log-in

Because browser-based email continues to grow in popularity and enterprises increasingly turn to
applications such as Lotus iNotes, Outlook Web Access, and GroupWise WebAccess, Email Gateway
provides WebMail Protection to offer the same protection against HTTP network attacks as it does for SMTP
attacks. In addition to providing a hardened face to the web-enabled mail servers running the web mail
applications, WebMail Protection also offers additional security measures such as HTTPS (SSL) messaging,
Secure Logoff, optional Strong Client Authentication, and more.

Configuring WebMail protection


WebMail Protection is an Email Gateway service, or subsystem, responsible for proxying HTTP/HTTPS email for
a web-enabled mail system. The WebMail Protection - Configure window allows basic configuration of the
service. The service can be started, stopped, and set to auto-start.
Figure 223 WebMail Protection - Configure window

Table 221 WebMail Protection - Configure fields

Service: This column contains the name of the service. The service name is also a hyperlink that opens the service properties window.
Auto-Start: This column indicates whether the service is configured to be started automatically if Health Monitor finds it not running. A check mark indicates the service is configured to restart; an X indicates it is not. Clicking the current symbol toggles the configuration on and off.
Running: A green light icon in this field indicates the service is currently running; a red icon indicates it is not. Clicking the icon toggles the service off and on.
Service Uptime: This column displays the time, in days, hours, minutes and seconds, that the service has been running since it was last started.

Configuring WebMail properties


Clicking the service name hyperlink opens the WebMail Protection Configuration window.


Figure 224 WebMail Protection Configuration window

Table 222 WebMail Protection Configuration fields

General
Log Level: Email Gateway generates detailed logs that record the activities of all its subsystems. The detailed logs can be saved to disk and sent to McAfee engineers for troubleshooting purposes. The Log Level set here determines the amount of detail written to the log.
Enable Signature Protection: WebMail Protection incorporates an Intrusion Protection engine that examines packets of email data as they flow through the Email Gateway appliance. It compares packet information against a database of hundreds of known “attack signatures.” If a Mail IPS license was installed on Email Gateway, IPS signatures can be updated from the IPS Update license on a regular basis. See the Signature Configuration section in this chapter for configuration information.
A handful of signatures have been disabled by default because of a potential conflict with WebMail Protection functionality or with functionality common to some applications. Before enabling Signature Protection, ensure that someone knowledgeable about attack signatures carefully reviews the entire list of available signatures.
Alert Type: Email Gateway can generate an alert (delivered by its Alert Manager) if it detects a signature-based web attack or a session or inactivity timeout. Select from the Alert Type pick list the level of alert the Email Gateway Alert Manager should generate when any of these events occur. The Alert Manager must be configured to deliver alerts for the specified level of alert and for the class of Email Gateway subsystems to which the WebMail Protection subsystem currently belongs. See Chapter 30, “Alert Manager,” in this Administration Guide for more information about configuring alerts.

Connection Management
Maximum URL buffer (in KB): Buffer overflows are a common tactic for taking control of an application such as web-enabled mail server software. By flooding the web-enabled mail server with long command strings, an attacker can trick it into running his own malicious code. Specify in this field the maximum number of bytes of data in a URL that WebMail Protection will allow.
Maximum POST buffer (in KB): To prevent hackers from using a web form’s Submit action as a vehicle for attacking an internal web-enabled mail server, type the maximum number of bytes of data allowed to be submitted in a POST method. Since large maximum limits give hackers the opportunity to craft dangerous “payloads,” many administrators choose to limit the POST buffer size to 5-10KB, essentially disallowing the transmission of file attachments. This limit applies when any action in the web mail client points to a URL. If file attachments to web mail are allowed, the maximum POST buffer limit must be relatively high (for example, >1,000 KB).
Maximum Directory Traversals: A common attack against web-enabled mail servers is to traverse directories using “../” in URLs (for example, GET http://yourdomain.com/exchange/../../../restrictedfile.cfg). Dot-dot-forward slash allows navigation upward to parent directories. Either knowledge of the web-enabled mail server application in use or dumb luck allows hackers to traverse to files or directories on the machine running the web-enabled mail server application. Type a number representing the maximum number of directory traversals WebMail Protection will allow. If WebMail Protection detects more than this number of traversals (that is, instances of ../) in a path, it automatically drops the session. Under no circumstances will WebMail Protection allow a user to traverse above the directory specified in the WebMail Protection HTTP Routing tables.

Time-Outs
Session Timeout (secs): To close the window of vulnerability inherent in lengthy open sessions, WebMail Protection can automatically log out users after a specified period of time. Type a number, from 0 to 1,800, representing the number of seconds a session can remain open before WebMail Protection closes it. 1,800 seconds equals 30 minutes. A “0” value means unlimited: WebMail Protection will not close the session until the user manually logs out or closes the browser.
Inactivity Timeout (secs): WebMail Protection can close a session after a specified period of inactivity. Type a number, from 0 to 1,800, representing the number of seconds of user inactivity before WebMail Protection closes the session. 1,800 seconds equals 30 minutes. A “0” value means unlimited: WebMail Protection will not close the session until the user manually logs out or closes the browser.

Environment Configuration
Enable Exchange 5.5 Mailbox Name: Enable this option if your Exchange 5.5 software is configured to require a Mailbox Name in addition to Account Name and Password. Email Gateway prompts users to type their Mailbox Name (email address) when they log on to Outlook Web Access. This option applies only to Portal Page configuration of WebMail Protection. Routing configuration is discussed later in this chapter.
Enable Frontend HTTPS: Enable this option in one specific network situation. If an appliance of some kind, perhaps a load balancer or SSL handler, is positioned between the user's web browser and the Email Gateway, and that appliance handles encrypted traffic between the browser and itself, this option ensures that mail sent back to the browser is also encrypted. Mail between the handler, Email Gateway and the mail server is still unencrypted.
When you enable the option, mail is still sent in unencrypted form to the mail server. However, when the server returns the packet, the URL is now set to https (the mail is still unencrypted). Because of this setting, when the mail is passed to the handler, the handler knows to encrypt the outbound mail to the web browser.
Pre-Windows 2000: Enabling this option allows Email Gateway to work with Windows versions older than Windows 2000, such as Windows 98 or Windows NT.
Single Sign-On: Enabling this option allows users to authenticate once (at log-in) and thereafter have access to all their permitted program areas with no further authentication.
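The Session Timeout and Inactivity Timeout fields describe two different clocks: one runs from log-in and is never reset, the other restarts on every request. The following is an added example, not Email Gateway code, that keeps both clocks for a proxied session; it assumes both limits are whole seconds in the 0 to 1,800 range with 0 meaning unlimited, that a request arriving exactly at the limit is already too late, and (an ordering the guide does not specify) that when both limits would fire at once the session timeout is the one reported. Time is passed in explicitly so the behaviour can be replayed without waiting.

```python
"""Session and inactivity timeouts (added example, not Email Gateway code).

Assumptions: limits are seconds, 0..1800, 0 = unlimited; session timeout
runs from log-in, inactivity timeout from the last served request; a request
at or beyond a limit closes the session; session timeout is checked first.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TimeoutPolicy:
    session_timeout: int      # seconds since log-in; 0 = unlimited
    inactivity_timeout: int   # seconds since last request; 0 = unlimited

    def __post_init__(self) -> None:
        for name in ("session_timeout", "inactivity_timeout"):
            value = getattr(self, name)
            if not 0 <= value <= 1800:
                raise ValueError(f"{name} must be between 0 and 1,800 seconds")


@dataclass
class Session:
    started_at: float
    last_activity: float
    open: bool = True


def expiry_reason(policy: TimeoutPolicy, session: Session, now: float) -> Optional[str]:
    """Name the limit that has been reached, or None if the session may continue."""
    if policy.session_timeout and now - session.started_at >= policy.session_timeout:
        return "session timeout"
    if policy.inactivity_timeout and now - session.last_activity >= policy.inactivity_timeout:
        return "inactivity timeout"
    return None


def handle_request(policy: TimeoutPolicy, session: Session, now: float) -> str:
    """Serve the request (refreshing the idle clock) or close the session."""
    if not session.open:
        return "closed"
    reason = expiry_reason(policy, session, now)
    if reason:
        session.open = False       # proxy drops the session; alert may follow
        return reason
    session.last_activity = now    # only the inactivity clock restarts
    return "ok"


def replay(policy: TimeoutPolicy, times: List[float]) -> List[str]:
    """Log in at times[0], then replay requests at the remaining instants."""
    session = Session(started_at=times[0], last_activity=times[0])
    return [handle_request(policy, session, t) for t in times[1:]]


if __name__ == "__main__":
    # Constructed request timelines, in seconds after log-in.
    print(replay(TimeoutPolicy(900, 300), [0, 200, 450, 800, 900]))
    print(replay(TimeoutPolicy(600, 0), [0, 200, 450, 650]))
    print(replay(TimeoutPolicy(0, 0), [0, 5000, 100000]))
```

The three replays illustrate the configurations discussed in the table: an idle user cut off by the inactivity limit while the session limit is still far away, a busy user cut off by the absolute session limit despite steady activity, and the unlimited setting under which the proxy never closes the session on its own.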


Signature configuration
WebMail Protection provides real-time detection of attempted attacks through its intrusion detection
engine. By examining all packets passing across port 80 or secure port 443, it can see whether they match
signatures of known attacks. Furthermore, WebMail Protection uses protocol analysis to defeat the URL path
obfuscation techniques hackers use to circumvent signature detection, such as inserting hex, double-hex, and
UNICODE strings.
Figure 225 WebMail Signature - Configure window

Table 223 WebMail Signature - Configure fields

ID: This column lists the unique ID number for each signature.
Name: The names of recognized attack signatures are listed in this column.
Enable: You can enable and disable individual signatures by selecting or clearing the checkbox.

Configure which attack signatures WebMail Protection should use from this window. When a signature is
checked, WebMail Protection will look for that potential attack as it examines packets passing through it
(the Enable hyperlink at the top of the column toggles all signatures on or off). Click Submit after
selections have been made.
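Two of the settings described in this chapter work together: the decoding mentioned in the Signature configuration section (hex, double-hex and UNICODE encodings of a path) has to happen before the Maximum Directory Traversals count in Table 222 can mean anything, and the count is only the first check, because no number of traversals may climb above the routed directory. The following is an added example, not Email Gateway code, showing that order of operations on a request path. It assumes the routed directory comes from the HTTP Routing table (for example /exchange), that %XX, %uXXXX and backslash forms are decoded until the path stops changing, and that "more than the limit" means strictly greater. The request paths below are constructed test inputs.

```python
"""Path decoding and traversal limiting (added example, not Email Gateway code).

Assumptions: the routed directory is the Path column of the routing table;
%XX, %uXXXX and '\\' forms are decoded repeatedly before '..' segments are
counted; a count above the limit drops the session; a path that would climb
above the routed directory is dropped regardless of the count.
"""
import re
from typing import Optional, Tuple
from urllib.parse import unquote

_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Decode %XX and %uXXXX escapes until stable (catches double encoding),
    then fold backslashes into forward slashes."""
    path = raw
    for _ in range(max_rounds):
        decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def count_traversals(path: str) -> int:
    """Number of '..' segments in an already decoded path."""
    return sum(1 for seg in path.split("/") if seg == "..")


def resolve_within(base: str, relative: str) -> Optional[str]:
    """Apply '.' and '..' segments starting from base; None if the path
    would climb above base at any point."""
    base_segs = [s for s in base.split("/") if s]
    stack = list(base_segs)
    for seg in relative.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(stack) <= len(base_segs):
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def check_request_path(raw_path: str, base_path: str,
                       max_traversals: int) -> Tuple[str, str]:
    """Return ("allow", resolved path) or ("drop", reason)."""
    path = normalize_path(raw_path)
    traversals = count_traversals(path)
    if traversals > max_traversals:
        return "drop", f"{traversals} traversals exceed the limit of {max_traversals}"
    prefix = base_path.rstrip("/")
    if not (path == prefix or path.startswith(prefix + "/")):
        return "drop", "path is outside the routed directory"
    resolved = resolve_within(base_path, path[len(prefix):])
    if resolved is None:
        return "drop", "path climbs above the routed directory"
    return "allow", resolved


if __name__ == "__main__":
    # Constructed request paths against a routed directory of /exchange.
    for sample in ("/exchange/inbox/../folder",
                   "/exchange/../../../restrictedfile.cfg",
                   "/exchange/%2e%2e/secret",
                   "/exchange/%252e%252e/secret",
                   "/exchange/%u002e%u002e/secret"):
        print(sample, "->", check_request_path(sample, "/exchange", 2))
```

The double-encoded and %u-encoded samples are the reason the decode loop exists: counted before decoding, neither contains a single "..", so a traversal limit alone would pass them. The final confinement check is what implements the "under no circumstance" clause, independently of whatever limit the administrator chose.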

HTTP routing
WebMail Protection can proxy the web sessions for users who ordinarily would have connected directly to
the internal web-enabled mail servers. By sitting between users out in the Internet and the internal
web-enabled mail servers, WebMail Protection can protect against network attacks, provide SSL encryption
of the web mail, and securely close browser sessions it proxies.
Administrators must map a route to the web-enabled mail server so WebMail Protection knows how to
proxy end users’ web mail requests to the internal server hosting their mail box. The HTTP Routing
hyperlink in the left navigation frame displays a window that offers Path-Based Routing, Host-Based
Routing, and Portal Page tabs. Each tab represents a proxy solution for a particular type of web mail server
environment.
Depending on the configuration of the internal mail server(s), one of the routing options here will be used.
Select the option you want from the drop-down list at the top of the window.
• Use Path-based Routing when each internal web-enabled mail server uses a unique path string pointing
to its own web mail application (for example, /exchange, /, /mail, and so forth). End users will point their
browsers to the Email Gateway fully qualified host name, followed by the path string to the web mail
application. WebMail Protection will resolve each server’s unique path string to its URL.


• Use Host-based Routing when there are multiple internal web-enabled mail servers and the path strings
pointing to the web mail application are identical (for example / or /exchange). Create one virtual host
name/IP address on the DNS server for each web-enabled mail server WebMail Protection proxies. The A
and PTR records for each virtual host name point to Email Gateway. WebMail Protection maps each of its
virtual IP addresses to a specific internal web-enabled mail server, thus routing end users to the
web-enabled mail server hosting their mail box.

• Use the Portal Page when WebMail Protection is proxying web mail specifically for one or more Outlook
Web Access/Exchange servers, and True Logoff or Secure Logoff is required. With True Logoff or Secure
Logoff, WebMail Protection will totally close, on logoff, the session to the web-enabled mail server so that
subsequent individuals using the same open browser cannot back into a web mail session.

The table below provides routing recommendations for specific email environments.

Table 224 Recommended email routings

Environment                          Recommendation
Outlook Web Access                   Portal Page Routing
Microsoft Exchange 5.5 and 2000      Portal Page Routing
iNotes with one server               Path-Based Routing
iNotes with multiple servers         Host-Based Routing
GroupWise with one server            Path-Based Routing
GroupWise with multiple servers      Host-Based Routing
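Path-based and host-based routing differ in what identifies the backend: the unique path string of the request, or the virtual IP address the connection arrived on. The following is an added example, not Email Gateway code, that performs both lookups and enforces the table rules stated in this chapter (unique path strings, a backend URL that carries the path string and a trailing slash for path-based routes, and a backend URL with a trailing slash and no path for host-based routes). It assumes a request is described by its local virtual IP and its path; the route entries are constructed from the sample values used in this chapter plus hypothetical hostnames.

```python
"""Path-based and host-based routing lookups (added example, not Email Gateway code).

Assumptions: a request is (local virtual IP, path); path-based routes map a
unique path string to a backend URL ending in that path plus '/'; host-based
routes map a virtual IP to a backend URL that is scheme://host/ with no path.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PathRoute:
    path: str       # unique path string, e.g. /exchange, /mail or /
    url: str        # backend URL, e.g. http://exchange1.domain.com/exchange/


@dataclass(frozen=True)
class HostRoute:
    virtual_ip: str  # virtual IP whose DNS A and PTR records point at the gateway
    url: str         # backend URL with a trailing slash and no path


def _check_scheme_and_host(url: str) -> None:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{url}: protocol prefix (HTTP:// or HTTPS://) and host required")


def validate_path_routes(routes: List[PathRoute]) -> None:
    """Path strings must be unique; URL must end with the path string and '/'."""
    seen = set()
    for r in routes:
        if r.path in seen:
            raise ValueError(f"path {r.path} is not unique; use Host-based Routing")
        seen.add(r.path)
        _check_scheme_and_host(r.url)
        if not r.url.endswith("/"):
            raise ValueError(f"{r.url}: trailing forward slash required")
        if urlsplit(r.url).path.rstrip("/") != r.path.rstrip("/"):
            raise ValueError(f"{r.url}: URL must end with the path string {r.path}")


def validate_host_routes(routes: List[HostRoute]) -> None:
    """URL must have a scheme and host, a trailing slash, and no path string."""
    for r in routes:
        _check_scheme_and_host(r.url)
        if urlsplit(r.url).path != "/":
            raise ValueError(f"{r.url}: must end in a trailing slash with no path")


def _matches(route_path: str, request_path: str) -> bool:
    if route_path == "/":
        return request_path.startswith("/")
    return request_path == route_path or request_path.startswith(route_path + "/")


def resolve_path_route(routes: List[PathRoute], request_path: str) -> Optional[str]:
    """Longest matching path string wins; returns the upstream URL or None."""
    best = None
    for r in routes:
        if _matches(r.path, request_path) and (best is None or len(r.path) > len(best.path)):
            best = r
    if best is None:
        return None
    remainder = request_path[len(best.path.rstrip("/")):].lstrip("/")
    return best.url + remainder


def resolve_host_route(routes: List[HostRoute], local_ip: str,
                       request_path: str) -> Optional[str]:
    """The virtual IP the connection arrived on selects the backend."""
    for r in routes:
        if r.virtual_ip == local_ip:
            return r.url + request_path.lstrip("/")
    return None


def duplicate_path_rejected() -> bool:
    """Two servers sharing /mail must be refused (use Host-based Routing)."""
    try:
        validate_path_routes([PathRoute("/mail", "http://notes1.domain.com/mail/"),
                              PathRoute("/mail", "http://notes2.domain.com/mail/")])
    except ValueError:
        return True
    return False


# Constructed route tables: hostnames other than exchange1.domain.com and the
# 10.20.30.40 address are hypothetical.
PATH_ROUTES = [
    PathRoute("/exchange", "http://exchange1.domain.com/exchange/"),
    PathRoute("/exchweb", "http://exchange1.domain.com/exchweb/"),   # OWA 2000 images
    PathRoute("/mail", "http://notes1.domain.com/mail/"),
]
HOST_ROUTES = [HostRoute("10.20.30.1", "HTTPS://10.20.30.40/")]

if __name__ == "__main__":
    validate_path_routes(PATH_ROUTES)
    validate_host_routes(HOST_ROUTES)
    print(resolve_path_route(PATH_ROUTES, "/exchange/inbox"))
    print(resolve_host_route(HOST_ROUTES, "10.20.30.1", "/mail/user.nsf"))
```

The validators encode the checks the routing tables ask the administrator to get right by hand; the /exchweb entry shows why an OWA 2000 server needs two path-based rows, since image requests carry a different path string than the mailbox pages.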

Path-Based routing
Path-based routing is used when all internal web-enabled mail servers use a unique path string pointing to
their web mail application. WebMail Protection maps the unique path string to the URL of each web-enabled
mail server.
Figure 226 HTTP Routing - Path Based Routing - Manage tab


Table 225 HTTP Routing - Path Based Routing - Manage fields

Protocol: The Protocol column indicates whether WebMail Protection will use the secure HTTPS or non-secure HTTP protocol between end users’ browsers and itself. End users must specify the HTTPS protocol in the URL when they browse for their mail if WebMail Protection is configured to use it.
Path: This column shows the path to the web-enabled mail server application. The path string for each web-enabled mail server must be unique, for example, /exchange, /mail, and / (GroupWise requires a single forward slash, /, as the path). If the path strings are not unique, use Host-based Routing.
URL: This column lists the fully qualified host name (or the IP address) of the web-enabled mail server that WebMail Protection will proxy, as entered in the URL input field. Include the protocol prefix (HTTP:// or HTTPS://) specifying whether the connection between Email Gateway and the internal server is secure or not. The URL must also include the trailing path string specified in the Path input field above, and a trailing forward slash at the very end. Neither Exchange 5.5 nor 2000 supports the HTTPS protocol. An example of a URL is http://exchange1.domain.com/exchange/.
Enable: Select a server’s Enable checkbox and click Submit to enable the server for Path-based Routing.
Delete: Select a server’s Delete checkbox and click Submit to delete the server from the Path-based Routing table.

Adding a routing path


To add a new routing path to the table, use the data fields at the bottom of the Path Based Routing tab.

Table 226 Path Based Routing fields

Hostname: Type the fully qualified domain name of the host for the routing path.
Note: Internationalized domain names are not supported.
Certificate Name: Select the display name for the certificate to be used when the secure (HTTPS) protocol is used.
IP Address: From the drop-down list of available IPs, select an IP address to be bound to the hostname you entered above. You must also map the hostname and IP address combination in your DNS server.
Protocol: Select the protocol from the pick list to specify whether Email Gateway will use the secure HTTPS or the non-secure HTTP protocol between end users’ browsers and itself.
Path: Type the path to the web-enabled mail server application. The path string for each web-enabled mail server must be unique, for example, /exchange, /mail, and / (GroupWise requires a single forward slash, /, as the path). If the path strings are not unique, use Host-based Routing.
URL: Type the fully qualified host name (or the IP address) of the web-enabled mail server that WebMail Protection will proxy. Include the protocol prefix (HTTP:// or HTTPS://) specifying whether the connection between Email Gateway and the internal server is secure or not. The URL must also include the trailing path string specified in the Path input field above, and a trailing forward slash at the very end. An example of a URL is http://exchange1.domain.com/exchange/.

When the information is correctly entered, click Submit to record the new path.


Typical configurations
A typical configuration for OWA 5.5 is:
• Protocol: HTTP
• Path: /exchange
• URL: http://owaserver.company.com/exchange
• Exchange 2000: Off
• Host Name: Email Gateway.company.com

A typical configuration for OWA 2000 is:
• Protocol: HTTP
• Path: /exchange
• URL: http://owaserver.company.com/exchange
• Exchange 2000: On
• Host Name: Email Gateway.company.com

Application-specific notes
Some applications require specific configuration options:

Outlook Web Access (versions 5.5 & 2000)


Unless the Exchange administrator manually edited the path to the OWA application, the default path for
OWA is /exchange. If the path was modified on the Exchange server, ensure that the same path is entered
in WebMail Protection’s Path input field.

Outlook Web Access (version 2000 only)


Two entries in the Path-based Routing table are required for a Microsoft Exchange 2000 web-enabled mail
server. One entry must contain the normal path string /exchange. In addition to that, however, a second
entry is required to point WebMail Protection to images used by the OWA application. Therefore, create a
second entry for the Exchange 2000 server using /exchweb as the image path string in the Path input
field.
Note: End users do not use this second string in their URL when pointing their web browsers to Email Gateway.

IIS
Windows NT’s Challenge Response (NTLM Directory Security in the Internet Service Manager) must be
turned off if IIS is employed on the web-enabled mail server. Use Basic authentication only on the IIS
server.

Lotus iNotes
Two entries in the Path-based Routing table are required for each Lotus iNotes web-enabled mail server.
One entry must contain the normal path string /mail. In addition to that, however, a second entry is
required to point WebMail Protection to images used by the iNotes application. Therefore, create a second
entry for the iNotes server using /icon as the image path string in the Path input field.
Note: End users do not use this second string in the URL when pointing their web browsers to Email Gateway.


Host based routing


When there are multiple internal web-enabled mail servers using identical path strings to the various web
mail applications, Host-based Routing provides a solution by way of virtual IP addresses and host names.
Administrators must create one virtual IP address/host name on the DNS server that points to Email
Gateway (via A and PTR records) for each web-enabled mail server WebMail Protection proxies. These A
and PTR records point to Email Gateway, not the mail servers! WebMail Protection maps each of the virtual
IP addresses to an internal web mail server in the Host-based Routing table. End users will point their
browsers to the WebMail Protection virtual host name associated in the Host-Based routing table with the
particular web-enabled mail server hosting their mail account.
Figure 227 HTTP Routing - Host Based Routing - Manage tab

Table 227 HTTP Routing - Host Based Routing - Manage fields

Protocol: This column shows whether WebMail Protection should use the secure HTTPS or non-secure HTTP protocol between end users’ browsers and itself. Once a valid Security Certificate is installed on Email Gateway, it is capable of encrypting all web mail between end users and itself. End users must specify the HTTPS protocol in the URL when they browse for their email if WebMail Protection is configured to use it.
Certificate Name: This column lists the X.509 Security Certificate that WebMail Protection will use to provide a secure session between end users' browsers and itself. The list displays only X.509 Security Certificates that have been installed on the Email Gateway appliance.
IP Address: This column lists the virtual IP addresses (for which DNS A and PTR records were created). Each virtual IP address entered in this table is associated with the specific web-enabled mail server named in the URL field immediately to the right.
URL: This column provides the qualified domain name of the internal web-enabled mail server. An example of a URL is HTTPS://yourservername.yourdomain.com/.
Host: Type the virtual fully qualified host name of the Email Gateway appliance (for example, virtualEmail Gatewayname.domainname.com).
Enable: Selecting the checkbox allows you to enable or disable the associated host for use in host-based routing.
Delete: To delete a server from the Host-based Routing table, select its Delete checkbox and click Submit.

Adding a new routing host


To add a new routing host, type or select data in the fields at the bottom of the Host Based Routing Tab.

Table 228 Host Based Routing - Manage fields

Protocol: Select the protocol that Email Gateway should use between the end users' browsers and itself (secure HTTPS or non-secure HTTP). End users must specify the HTTPS protocol in the URL when they browse for their email if WebMail Protection is configured to use it.
IP Address: Type the virtual IP address (for which DNS A and PTR records are created). Each virtual IP address entered in this table is associated with the specific web-enabled mail server named in the URL field.
URL: Type the IP address of the internal web-enabled mail server. The URL must include the protocol prefix (HTTP:// or HTTPS://), as this indicates whether the connection between Email Gateway and the internal mail server is secure or not. The URL must not include the path string to the web-enabled mail server application, but must include a trailing forward slash at the end. An example of a URL is HTTPS://10.20.30.40/.
Neither Exchange 5.5 nor Exchange 2000 supports the HTTPS protocol. Additionally, host-based routing for an iNotes server requires that the external and internal protocols match. That is, if users connecting to Email Gateway use HTTPS in the URL, then the Email Gateway connection to the Domino web server must also use HTTPS.
Hostname: Type the virtual fully qualified host name of the Email Gateway appliance (for example, virtualEmail Gatewayname.domainname.com).
Certificate Name: Select the display name for the certificate to be used when the secure (HTTPS) protocol is used. This field is enabled only if the HTTPS protocol is selected.

When the information is correctly entered, click Submit to record the new host.
Provide end users with the following URLs:
https://virtualEmail Gatewayname.yourdomain.com/ (for GroupWise users)
https://virtualEmail Gatewayname.yourdomain.com/exchange (for Exchange users)
https://virtualEmail Gatewayname.yourdomain.com/mail/username.nsf (for iNotes users). If Web Delivery Redirect from Notes.Net is being used, this can change the URL that end users are required to enter.

where
• virtualEmail Gatewayname is the virtual Email Gateway host name associated with the web-enabled mail server hosting the user’s mail box.
• yourdomain.com is the domain to which Email Gateway belongs.

If IIS is running on the web-enabled mail server, Windows NT’s Challenge Response (NTLM Directory Security in the
Internet Service Manager) must be disabled. Use Basic Authentication only. See the Microsoft knowledgebase
article Q317627 for more information on NTLM Directory Security.

McAfee Email Gateway 6.7.2 Administration Guide 393


WebMail Protection
HTTP routing

Portal page routing


Use the routing table in the Portal Page only if the internal web mail system employs one or more Microsoft
Exchange/Outlook Web Access servers. When WebMail Protection routing is configured in this Portal Page,
True/Secure Logoff for Microsoft Exchange is automatically enabled. That is, WebMail Protection will
guarantee that HTTP/HTTPS sessions are closed completely when end users finish browsing for their email.
Figure 228 HTTP Routing - Portal Routing - Manage tab

Table 229 HTTP Routing - Portal Routing - Manage fields

Protocol: This column shows whether WebMail Protection uses the secure HTTPS or non-secure HTTP protocol between end users’ browsers and itself. End users must specify the HTTPS protocol in the URL when browsing for their email if WebMail Protection is configured to use it.

Server Name: This column lists the server names (arbitrary names used only by WebMail Protection to map to the actual mail servers configured in the URL and Host Name fields on the Add HTTP Routing Portal window).

URL: This column shows the URL (or IP address) of the web-enabled mail server associated with each Server Name identified above.

Exchange 2000/2003: The checkbox indicates whether this server is running Outlook Web Access/Exchange 2000 or 2003.

Secondary Authentication: This checkbox indicates that secondary authentication has been configured for the portal. WebMail Protection presents a single log on (with a secondary authentication area) to the end user, but passes the username and password both to the mail server and to the authentication server. If either authentication fails, WebMail Protection drops the session.

Enable: Select the checkbox to enable the associated port for routing.

Delete: Select the checkbox and click Submit to delete the portal from the table.

Adding a new portal


To add a new portal to the table, use the fields at the bottom of the Portal Page Routing tab.


Table 230 Portal Routing - Manage fields

Hostname: Type the host name associated with the new port.

Certificate Name: Select the certificate name to be used when the associated port is configured for the secure HTTPS protocol.

IP Address: Type the IP address of the host you are configuring.

Protocol: Select the protocol for this portal from the pick list. You can choose either the secure HTTPS protocol or the non-secure HTTP protocol.

Server Name: Provide a server name for a web-enabled mail server. (The server name entered here is an arbitrary name, used only by WebMail Protection to map to the actual web-enabled mail server specified in the URL and Host Name input fields.) When end users make their initial HTTP(S) connection, WebMail Protection presents a browser window listing the server names for all mail servers it is hosting. Users select the Server Name associated with the mail server hosting their mail box.

URL: Type the URL (or IP address) of the web-enabled mail server to be associated with the Server Name identified above. Be sure to include the protocol designation (http or https). Neither Exchange 5.5 nor Exchange 2000 supports the HTTPS protocol.

Exchange 2000/2003: Select the Exchange 2000/2003 checkbox only if this server is running Outlook Web Access/Exchange 2000 or 2003.

Secondary Auth: If the internal web mail system uses RSA SecurID® for user authentication, select the Secondary Auth checkbox. WebMail Protection presents a single log on (with a secondary authentication area) to the end user, but passes the username and password both to the mail server and to the authentication server. (If either authentication fails, WebMail Protection drops the session.) RSA SecurID® must already be configured and integrated into Outlook Web Access before WebMail Protection can proxy web mail sessions using this authentication method. WebMail Protection only supports RSA SecurID® in OWA environments.

When the information is correctly entered, click Submit to record the new portal.
Note: Some users' browsers can freeze when accessing the OWA web server or display a “Cannot render image”
message. This is a “browser issue.” The problem is resolved by clearing the browser’s cache and restarting the
browser.

If a user attempts to log on to the Outlook Web Access server and the session fails because of an
incorrectly-typed username or password, WebMail Protection records this as a log on failure in the WebMail
Protection Daily Report. WebMail Protection only counts this failure when an OWA log on at WebMail
Protection’s Portal Page fails.

Strong client authentication


Just as the Email Gateway appliance uses a “server certificate” to authenticate itself to other servers, client
certificates can be installed on end users’ browsers so they can authenticate themselves to WebMail
Protection when sending and receiving their web mail. Administrators must request a Private Hierarchy
Root Certificate from a Trusted Root Certificate Authority, and use that to issue client certificates to users in
their network. The public key of the Private Hierarchy Root Certificate must be installed in WebMail
Protection so it can validate end users. If Strong Client Authentication is enabled, only those individuals
using a browser containing a valid client certificate can send and receive email via WebMail Protection’s
proxy service.
Installation is explained below.


Figure 229 Strong Client Authentication - Configure window

Each time users log on to WebMail Protection’s proxy service, a Client Authentication dialog box appears, prompting them to select the security certificate installed in their browser.
Note: If users have more than one certificate installed, ensure that they select the root certificate whose corresponding public key was pasted into WebMail Protection’s Strong Client Authentication window.

After clicking OK, the user is logged onto their web-enabled mail server.
Failure to use Strong Client Authentication negatively affects email security. Strong Client Authentication is
applicable for those WebMail Protection routing configurations for which the protocol setting is HTTPS
(secure) and not for HTTP (non-secure).

Installing public keys


Follow the instructions below to paste the public key of your private Hierarchy Root Certificate into the
Certificate Information text field.
1 From any Internet Explorer browser window, pull down the Tools menu to Internet Options.

2 Click the Content tab of the Internet Options page and click the Certificates button.

3 Click the Personal tab in the Certificates page. Then select the personal certificate installed in your
browser and click the View button.

4 In the resulting Certificate page, select the Details tab and click the Copy to file... button. This launches
a simple Wizard to export your certificate. The first step of the Wizard requires you to select an export
certificate format. Select the second option, Base-64 encoded X.509 (.CER). Follow the remaining
prompts to name and select a destination for the exported certificate.

5 Open the certificate file you just saved to disk in your favorite text editor. (Ensure that the application can see all files; the certificate file extension is .cer.) Copy the entire contents of the certificate file and paste it into the Email Gateway Certificate Information text field.

6 Click Submit to save the input.

To access information about the certificate, click the View Certificate hyperlink at the bottom of the
window. The Certificate Information window displays.
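Before pasting, an administrator can confirm that the exported file really is one Base-64 encoded X.509 block and that the copy was not cut short or mixed up with other material. The following Python script is an added example and is not part of Email Gateway: it checks only the PEM markers, the Base-64 body and the outer DER envelope (an X.509 certificate is a DER SEQUENCE whose header states its own length), so a truncated paste shows up as a length mismatch. It does not validate the certificate chain. The sample DER bytes it embeds are constructed for the demonstration and are not a real certificate.

```python
"""Sanity check for a pasted Base-64 (PEM) X.509 certificate.

Added example, not part of the product: it checks what an administrator is
about to paste into the Certificate Information field, without needing any
cryptography library. It does not verify signatures or trust; it only catches
the common paste mistakes (wrong block, truncated copy, private key).
"""
import base64
import binascii
import re

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_declared_length(der: bytes):
    """Length of the outer DER element according to its own header, or None.

    An X.509 certificate is a DER SEQUENCE (tag 0x30); the length that follows
    is either short form (one byte < 0x80) or long form (0x80 | n, then n bytes).
    """
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate_paste(text: str) -> dict:
    """Return {'ok': True, 'der_bytes': N} or {'ok': False, 'reason': ...}."""
    if "PRIVATE KEY" in text:
        return {"ok": False, "reason": "private key material pasted; only the certificate belongs here"}
    blocks = CERT_BLOCK.findall(text)
    if len(blocks) != 1:
        return {"ok": False, "reason": f"expected exactly one CERTIFICATE block, found {len(blocks)}"}
    body = "".join(blocks[0].split())            # PEM wraps at 64 columns; join the lines
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "reason": "body is not valid Base-64"}
    declared = der_declared_length(der)
    if declared is None:
        return {"ok": False, "reason": "decoded bytes are not a DER SEQUENCE"}
    if declared != len(der):
        return {"ok": False,
                "reason": f"DER header declares {declared} bytes but {len(der)} were decoded (truncated or padded paste)"}
    return {"ok": True, "der_bytes": len(der)}


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes the way a Base-64 encoded X.509 (.CER) export looks."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in: a tiny DER SEQUENCE (SEQUENCE { INTEGER 5 }), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def demo() -> dict:
    return check_certificate_paste(pem_from_der(SAMPLE_DER))


if __name__ == "__main__":
    print(demo())
```

The length comparison is what matters for the paste procedure: Base-64 decodes happily on a 4-character boundary even when lines are missing, so only the DER header reveals that the export was not copied whole.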


Customizing the WebMail log-in


The WebMail Protection login page can be customized to promote the enterprise's company identity. Begin
by navigating to the Customized Login window (Encryption | WebMail Protection | Customize Login).
Figure 230 WebMail Login - Customize window

When the window appears, it displays the list of configured customization profiles.
Note: Email Gateway currently supports only UTF-8 encoding for HTML files. Since ASCII is a subset of UTF-8, it is
supported as well. If the user edits the customized HTML in any editor, and especially if a symbol (trademark,
copyright, and so forth) is inserted, the encoding must be in UTF-8.

Adding a new customization profile


To add a new customization profile, do the following:
1 On the WebMail Login - Customize window, click Add New. The first portion of the customization window
appears.

2 Provide the information to complete the window (see Table 231).

Figure 231 WebMail Login - Add New window

Table 231 WebMail Login - Customize fields

Name: Enter a name for the new profile.
Description: Enter a brief description of the profile to communicate its intended use.

3 Click Submit. The window will refresh to display the full customization options.

4 Provide the information to complete the window (see Table 232).


5 When you have finished setting up the configuration, click Submit.

Figure 232 WebMail Login - Customize window (expanded)

Table 232 WebMail Login - Customize fields (expanded)

Enable: Select this check box to enable use of this customization profile.
ID: This field shows the profile’s unique ID number.
Name: This field shows the profile name.
Description: This field contains the descriptive information you entered when the addition began.
Resource Upload: Browse to the folder that contains the logo, graphic or file you want to apply to your customization. Select the item you want to use. Select the check box to apply your selection to the associated asset.
Note: You can select different logos or graphics to use with different assets.
Webmail Customization Assets: The lower left portion of the window lists all currently configured assets. Each asset type is collapsible and can be expanded to show lists.
Login Page: Expand this asset type to view all configured assets for the login page. Click the name link for any listed asset to show a preview of the customized page in the lower right section of the window.
Style Sheet: Expand this asset type to view all configured assets for the stylesheet. Click the name link to show the stylesheet.


Editing an existing customization profile


To edit a customization profile, do the following:
1 Click the profile name on the WebMail Login - Customize window. The expanded customize window for
that profile appears.

2 Provide the information to complete the window (see Table 232).

3 When you have finished setting up the configuration, click Submit.

Editing the stylesheet


You can also customize the current style sheet for the WebMail login from the WebMail Login - Customize
window. You should undertake this only if you are familiar with HTML code. The file may be edited, but its
filename must remain the same.
To edit the css file, do the following:
1 On the WebMail Login - Customize window, expand Style Sheet.

2 Click the css filename. A preview appears in the preview window.

3 Click Download Default Resource. Depending on your browser, a save window appears.

4 Save the css file to a convenient location.

5 Open the css file, edit it to suit your needs, then save it.

6 Return to the Customize window and, from the Browse field, navigate to your edited css file and select it.

7 Click Submit. Your file will be renamed and then used by the system.

Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.

Deleting resource files


You can delete a file you have associated with an asset. To delete a resource file:
1 Select the Delete check box next to the file name.

2 Click Submit. The file is removed from the Assets list.

Deleting a customization profile


To delete a customization profile:
1 Check the Delete box next to the profile you want to remove.

2 Click Submit. The profile will be deleted.



24 Mail Intrusion Protection Service
Contents
About application level protection
Configuring Application Level Protection
Integrity check

The Mail-IPS (Intrusion Protection System) program area provides a variety of tools designed to detect
network attacks against the email gateway, as well as a tool to test for weaknesses or vulnerabilities in
specific internal mail servers. Email Gateway automatically generates alerts for certain types of network
attacks, notifying administrators immediately by email, pager, or SNMP that an event has occurred. For all
attack events, Email Gateway logs their occurrence so they can be viewed in the Email Gateway log files
and daily reports, and in the Email Gateway Dashboard. Administrators should therefore configure the
Email Gateway Alert Manager (go to Reporting | Alert Manager) to send them the alerts that the Mail-IPS
services generate, and should routinely monitor the Email Gateway Dashboard and the Mail-IPS Report
throughout each day.

About application level protection


Application level protection defines protection for the email applications. Email Gateway offers tools designed to
protect against attacks directed at these applications.

Denial of Service protection


Email Gateway automatically monitors and logs repeated connections to a specific port from the same IP
address. If an administrator-defined number of connections to a single port are attempted within a
specified period of time, Email Gateway assumes that it is a Denial of Service (DoS) attack and will drop all
incoming connections to that port from that address for a user-specified amount of time. The Denial of
Service threshold (a specified number of connections within a defined length of time) is set in Intrusion
Defender | Mail-IPS | Application Level | Configure with the Denial of Service Count and Denial of
Service Window parameters.
Figure 233 Denial of Service Protection window


The Denial of Service Protection table lists a summary of all DoS attacks recorded since the Email Gateway
cleanup process last deleted the DoS data; each time this page is refreshed, the data is updated with the most
recent attacks. The information here can also be viewed in the daily Mail-IPS Report created at
approximately midnight each day. Note, however, that while the Email Gateway Denial of Service window can
show several days’ (or more) worth of information, the daily Mail-IPS report only shows 24 hours’ worth
of data.

Table 233 Denial of Service Protection fields

Service: This column reports which of the Email Gateway services encountered the Denial of Service (DoS) attack: POP3/POP3S, IMAP4/IMAP4S, or SMTPI/SMTPIS.

Source IP: This column reports the IP address from which the DoS attack originated. Consider adding the IP address to the Email Gateway Local Deny List to block all further SMTP connections from that source.

Date: This column reports the timestamp when the DoS threshold was reached. If the same IP address generates another DoS later in the day, the previous timestamp is updated to reflect the time of the new attack.

Connections: This column reports the number of connections that were dropped after the DoS threshold was reached. Remember that Email Gateway drops further connections only for the length of time specified as the “Denial of Service Window.” If multiple DoS attacks from the same IP address are detected throughout the day, Email Gateway displays in this column a running total of dropped connections that occurred during the separate “drop windows” that follow each time a threshold was reached.

Do not confuse the Denial of Service threshold with the SMTPProxy, POP3 and IMAP4 load-throttling
thresholds. The DoS threshold occurs at the Network layer, while load throttling occurs at the Application
level.
Note: When an IP address is placed on the Email Gateway Allow Relay list, it is not evaluated for Denial of
Service attacks. This might be a potential liability.

Password strength
If Password Strength Monitor is enabled, passwords are analyzed as the Email Gateway POP3 and IMAP4
Services proxy usernames and passwords to the internal mail server. Email Gateway does not store or save
the password to disk; rather, it analyzes the text strings in memory “on the fly.” Email Gateway uses an
algorithm that tests each password’s relative strength, displaying its results in the Password Strength
Monitor table on this page. The table shows a cumulative summary of all passwords checked since the last
Email Gateway cleanup deleted old data. The data on this page is updated each time the page is refreshed.
Figure 234 Password Strength window


Table 234 Password Strength fields

Indicator: The warning level for each strength level is indicated by a colored “light” icon. The levels range from green (strong) through yellow (weak) to red (extremely weak).

Strength: To monitor strength, the Email Gateway algorithm checks for the following password characteristics:
• Password contains the individual’s User ID or username.
• Password matches a word in a user-defined word list.
• Very weak: less than 8 characters, and either all alpha or all numeric.
• Weak: 8 or more characters, and either all alpha or all numeric.
• Moderate: between 5 to 7 characters and a combination of alpha and numeric.
• Strong: 8 or more characters and a combination of alpha, numeric, and special characters.

Total: This column displays how many users have passwords at each level of strength.
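The four levels in Table 234 can be expressed as a small classifier, which also makes the gaps in the table visible. The following Python code is an added example, not the product's own algorithm; it keeps the password only in memory and reports a category, as the guide says the appliance does. Where the table is silent (a username or dictionary hit, fewer than 5 characters, or 8 or more characters that mix only two character classes) the example makes assumptions, marked in the code: username and dictionary hits count as "very weak", fewer than 5 characters is "very weak", and two classes at 8 or more characters is "moderate". The word list and the credentials are constructed for the demonstration.

```python
"""Password strength classification following the levels in Table 234.

Added example, not the product's own algorithm. Like the appliance, it keeps
the password only in memory and reports a category, never the password itself.
"""

# Constructed stand-in for the administrator-defined word list (see "The
# password strength dictionary"); a real list would be loaded from the appliance.
DEFAULT_WORDLIST = frozenset({"password", "welcome", "letmein", "qwerty"})

LEVELS = ("very weak", "weak", "moderate", "strong")


def classify_password(password: str, username: str = "", wordlist=DEFAULT_WORDLIST) -> str:
    """Return one of LEVELS for a password.

    The four levels are the ones the guide lists. Where the guide is silent
    (a password that contains the username or a dictionary word, fewer than 5
    characters, or 8+ characters mixing only two classes), this example
    assumes: username/dictionary hits count as "very weak", fewer than 5
    characters is "very weak", and two classes at 8+ characters is "moderate".
    """
    lowered = password.lower()
    if username and username.lower() in lowered:
        return "very weak"                       # assumption: username inside password
    if lowered in wordlist:
        return "very weak"                       # assumption: dictionary word

    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    classes = has_alpha + has_digit + has_special
    length = len(password)

    if classes <= 1:                             # all alpha or all numeric (or empty)
        return "weak" if length >= 8 else "very weak"
    if length < 5:
        return "very weak"                       # assumption: too short to be "moderate"
    if length <= 7:
        return "moderate"                        # 5 to 7 characters, mixed classes
    return "strong" if classes == 3 else "moderate"   # assumption for two classes at 8+


def strength_summary(credentials, wordlist=DEFAULT_WORDLIST) -> dict:
    """Count passwords per level, the way the Total column does."""
    totals = {level: 0 for level in LEVELS}
    for username, password in credentials:
        totals[classify_password(password, username, wordlist)] += 1
    return totals


# Constructed sample credentials; they exist only for this demonstration.
SAMPLE_CREDENTIALS = [
    ("alice", "alice2024"),      # contains the username
    ("bob", "password"),         # dictionary word
    ("carol", "summer"),         # 6 letters only
    ("dave", "123456789"),       # 9 digits only
    ("erin", "abc12"),           # 5 characters, letters and digits
    ("frank", "Tr0ub4dor&3"),    # 11 characters, three classes
]

if __name__ == "__main__":
    for user, pw in SAMPLE_CREDENTIALS:
        print(f"{user:6} {classify_password(pw, user)}")
    print(strength_summary(SAMPLE_CREDENTIALS))
```

Note that a long all-letter password only ever reaches "weak" under these rules, and the username and dictionary checks override length entirely; both are worth keeping in mind when reading the Total column.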

The password strength dictionary


Clicking the Show Dictionary button on the Password Strength window opens a window that shows details
about the user-defined words against which passwords are checked.
Figure 235 Password Strength Dictionary window

Using the data fields at the bottom of the window, you can add new words by entering the text string and
clicking Submit, or import lists.

Password cracking
If Password Failure Monitor is enabled, Email Gateway logs every instance in which the failed log on threshold
has been reached (administrators establish the threshold with the Password Failure Count and Password Failure
Interval parameters). Additionally, if the number of failed log on attempts reaches the threshold, Email
Gateway can generate an email, pager, or SNMP alert to the administrator. The Password Cracking window
lists a cumulative summary of threshold-level failed log-ons since the last Email Gateway cleanup deleted
old data; the data is updated each time this page is refreshed. The daily Mail-IPS Report on Password
Cracking begins anew each day at midnight, and displays only the previous 24 hours’ worth of data.


Figure 236 Password Cracking window

Table 235 Password Cracking fields

Service: This column reports which of the Email Gateway services encountered the Password Cracking attempt: POP3 or IMAP4.

Source IP: This column reports the IP address from which the attempted log on originated.

Date: This column reports the timestamp when the Password Cracking threshold was reached.

User Accounts: This column reports the username used for the attempted log on.

Attempts: This column reports a cumulative total of failed attempts, including the failed attempts before the threshold was reached. For example, if the threshold was 10 and was reached at 10 AM, and the attacker made 75 additional password cracking attempts during the day, the Password Cracking table would report 85 attempts at the end of the day.

Configuring Application Level Protection


Use the values entered in this window to set the threshold for application-level attacks aimed at the internal
network.
Figure 237 Application Level Configuration window


Table 236 Application Level Configuration fields

Password Monitoring

Password Failure Monitor: If password failure monitoring is enabled, Email Gateway tracks the number of unsuccessful attempts to log on using an incorrect password. If enabled, you must configure a password failure count and interval.

Password Failure Count: If a user enters an invalid password/username the number of times specified here, within the time frame indicated below, Email Gateway assumes someone is attempting to crack a user’s password. Type a number between 1 and 100.

Password Failure Interval: Type a number to represent the time interval in seconds during which the specified number of login failures indicates an attack. In that case, Email Gateway locks the user name out of the system.

Password Strength Monitor: If enabled, Email Gateway passes all passwords submitted by end users’ mail clients as they retrieve their email through an algorithm that measures their relative strength. The algorithm checks for length, use of upper and lower case and alphanumeric characters, and the equivalency between the password and the username and administrator-defined keywords. Passwords are parsed in memory and are not saved to disk.

Denial of Service

Denial of Service Protection: If Denial of Service Protection is enabled, Email Gateway monitors all TCP connections to all email ports on which it listens (25, 110, 143, and so forth), and blocks future connections from any IP address that exceeds the Denial of Service threshold (created with the two values that appear immediately below). Email Gateway stops accepting connections from the offending IP address for the length of time specified in the Denial of Service Window. Once that length of time passes, Email Gateway again begins allowing connections from that source IP address.
Ensure that the Email Gateway Alert Manager is configured to send Warning alerts for the POP3, IMAP4, and SMTPI Services so an administrator can immediately add the offending IP address to the Email Gateway Local Deny List, after which Email Gateway no longer accepts connections from that IP address.
In some environments, applications legitimately make high numbers of connections which Email Gateway can interpret as a Denial of Service attack. Consult with the network administrator before setting this value.

Denial of Service Count: Type a number, from 1 to 65,535, representing the maximum number of allowed connections to a single port before a Denial of Service attack is assumed. (The default value of 100 is generally acceptable.) When a single IP address generates the specified number of connections within the time frame indicated below, Email Gateway assumes a Denial of Service attack and drops further connections from that source.

Denial of Service Window (secs): Type a number, from 1 to 65,535, representing the length of time in seconds within which connections from a single IP address are counted before a Denial of Service attack is assumed. (The default value of “100” is generally acceptable.) If Email Gateway receives the number of connections specified in the “Count” field above within this “window,” further connections from the source IP address are dropped. Email Gateway also uses this value as the length of time for which it rejects further connections. Once the time has lapsed, Email Gateway again begins accepting connections from the source IP address.

When the information is correctly entered, click Submit to save the configuration.
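The Denial of Service threshold and the Password Failure threshold described in this chapter are the same mechanism with different keys: a count of events within a sliding window, after which further events from that key are refused for the length of the window. The following Python class is an added example, not the product's code, and it serves both the Denial of Service section and the Password Cracking section above. For Denial of Service the key is the source IP address and an event is a TCP connection; for password cracking the key is the source IP address plus the username and an event is a failed log on. The addresses, account name and timings in the two simulations are constructed.

```python
"""Sliding-window threshold monitor modelled on the Denial of Service and
Password Failure counters described above.

Added example, not the product's code. One class serves both controls: for
Denial of Service the key is the source IP and an event is a TCP connection;
for password cracking the key is (source IP, username) and an event is a
failed log on. As the guide describes, the window value doubles as the
length of time further events are refused once the threshold is reached.
"""
from collections import defaultdict, deque


class ThresholdMonitor:
    def __init__(self, count: int, window: int):
        self.count = count                     # "Count" parameter
        self.window = window                   # "Window"/"Interval" in seconds
        self.recent = defaultdict(deque)       # key -> timestamps inside the window
        self.blocked_until = {}                # key -> time the block expires
        self.last_trigger = {}                 # key -> time the threshold was last reached
        self.total = defaultdict(int)          # every event seen for the key
        self.dropped = defaultdict(int)        # events refused while blocked

    def observe(self, key, now: float) -> str:
        """Record one event; return 'accepted', 'threshold' or 'dropped'."""
        self.total[key] += 1
        if key in self.blocked_until and now < self.blocked_until[key]:
            self.dropped[key] += 1
            return "dropped"
        stamps = self.recent[key]
        stamps.append(now)
        while stamps and now - stamps[0] >= self.window:   # expire old timestamps
            stamps.popleft()
        if len(stamps) >= self.count:
            self.blocked_until[key] = now + self.window
            self.last_trigger[key] = now
            stamps.clear()
            return "threshold"
        return "accepted"

    def report(self) -> list:
        """Rows shaped like the Denial of Service / Password Cracking tables:
        'date' is the most recent trigger, 'attempts' counts every event
        including those before the threshold, 'connections_dropped' counts drops."""
        return [
            {"source": key, "date": when,
             "attempts": self.total[key], "connections_dropped": self.dropped[key]}
            for key, when in self.last_trigger.items()
        ]


def simulate_dos():
    """Constructed scenario: 12 connections from one address, 3 from another.
    Addresses are TEST-NET examples, not real hosts."""
    mon = ThresholdMonitor(count=5, window=60)
    attacker, neighbour = "198.51.100.7", "203.0.113.5"
    outcomes = [mon.observe(attacker, t) for t in range(11)]   # t = 0..10 s
    outcomes.append(mon.observe(attacker, 70))                 # after the block expires
    for t in (2, 30, 58):
        mon.observe(neighbour, t)
    return mon, outcomes


def simulate_password_failures():
    """Constructed scenario: ten failed log ons for one account in 90 s with
    Count=3, Interval=300 s; the reported total includes the first three."""
    mon = ThresholdMonitor(count=3, window=300)
    key = ("198.51.100.7", "jdoe")
    outcomes = [mon.observe(key, t) for t in range(0, 100, 10)]
    return mon, outcomes


if __name__ == "__main__":
    for mon, _ in (simulate_dos(), simulate_password_failures()):
        for row in mon.report():
            print(row)
```

The neighbour in the first simulation never trips the threshold, which is the case the guide's caveat about legitimate high-connection applications is about: the Count and Window values decide where that line falls, so they should be chosen against the observed connection rate of the busiest legitimate client.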


Integrity check
Email Gateway is foremost an appliance to protect the internal mail servers sitting behind it. An integral
component of its security, however, is ensuring that it (that is, Email Gateway itself) has not been compromised
by an attacker. The Program Monitor and File Monitor services therefore check the Email Gateway
program files and file system to detect whether an attempt has been made to alter code in any of its
files, to insert Trojan horses, or to delete important system files. The first time Email Gateway restarts
after the Initial Configuration Wizard is run, its Program Monitor and File Monitor test the system to build
an initial database of the Email Gateway file set and file system. Thereafter, these two services run nightly,
immediately before the Mail-IPS log is generated. Administrators can also run the checks “on demand” at
any time by clicking Check System in the Integrity - Check System window.
Figure 238 Integrity - Check System window

Program integrity
Every night, at approximately midnight, Email Gateway examines every executable file within its scope to
verify that it has not been altered. The Program Integrity page displays how many files were scanned
and the number of files that failed the test (that is, files that now differ from their original version).
After you click Check System, Email Gateway checks approximately every 10 seconds to determine whether
the Program Integrity Monitor has finished its tests, and then refreshes the page with the results. If the
Program Integrity Monitor ever reports that even a single file failed, contact McAfee Technical Support immediately.

Table 237 Program Integrity - Check System fields

Start Time: The date and specific time the test began appears in this field.
End Time: The date and specific time the test ended appears in this field.
Total Programs Monitored: The total number of programs checked by the Program Integrity test shows here.
Total Programs Failed: The number of programs, if any, that failed the integrity test shows here.
Check System: This button allows you to run a Program Integrity check at will, should circumstances warrant it.

File system integrity


Similarly, every night at approximately midnight, Email Gateway examines its internal filesystem to ensure
that no files other than those generated by Email Gateway have been created on it and that none of the Email
Gateway files have been deleted. To run the Email Gateway File Monitoring manually between scheduled sessions,
click Check System. It takes a little less than a minute to run its tests.
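The Program Integrity and File System Integrity checks above are both baseline-and-compare: a digest of every file is recorded once, and each later run reports files whose digest changed (the Program Integrity failure) and files that appeared or disappeared (the File System Integrity failure). The following Python code is an added example illustrating that approach and is not the product's implementation; it creates its own throwaway directory, and the file names it writes there are constructed.

```python
"""Baseline-and-compare integrity check in the spirit of the Program Monitor
and File Monitor: record a digest of every file once, then report files that
were altered, added or deleted.

Added example, not the product's implementation. It runs against a throwaway
directory it creates itself; the file names inside it are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX-style) to its digest.
    This is the database the first run after initial configuration builds."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_system(root: Path, baseline: dict) -> dict:
    """Compare the tree with the baseline (the nightly / on-demand run).

    'modified' is what the Program Integrity test reports; 'added' and
    'deleted' are what the File System Integrity test reports."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return {
        "monitored": len(baseline),
        "failed": len(modified) + len(added) + len(deleted),
        "modified": modified,
        "added": added,
        "deleted": deleted,
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, add one
    and delete one, and run the check before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "smtpproxy").write_bytes(b"original program image")
        (root / "bin" / "pop3proxy").write_bytes(b"another program image")
        (root / "etc" / "routing.conf").write_text("route=default\n")

        baseline = build_baseline(root)
        clean = check_system(root, baseline)

        (root / "bin" / "smtpproxy").write_bytes(b"original program image plus implant")
        (root / "bin" / "helper").write_bytes(b"unexpected new file")
        (root / "etc" / "routing.conf").unlink()
        dirty = check_system(root, baseline)
    return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    result = demo()
    print("before tampering:", result["clean"])
    print("after tampering: ", result["dirty"])
```

The value of such a check rests on the baseline itself being out of reach of whoever could alter the monitored files; an attacker who can rewrite the program files and the digest database in the same step defeats the comparison, which is why the guide's advice to treat any single failure as a support case, rather than re-baselining, is the right response.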


Approximately every 10 seconds, Email Gateway will check if Filesystem Integrity Monitor has finished its
tests, and then refresh the page with the results. If Filesystem Integrity Monitor ever reports that a single
file failed, contact McAfee Technical Support immediately.

Table 238 File Integrity - Check System fields

Start Time: The date and specific time the test began appears in this field.
End Time: The date and specific time the test ended appears in this field.
Total System Files Monitored: The total number of files checked by the File System Integrity test shows here.
Total System Files Failed: The number of files, if any, that failed the integrity test shows here.
Check System: This button allows you to run a File System Integrity check at will, should circumstances warrant it.

The information available here can also be viewed in the Email Gateway Dashboard and the Mail-IPS Report
that is created daily.



25 Virtual Hosts
Contents
About Virtual Hosts
Managing Virtual Hosts
Configuring Virtual Hosts
Using Virtual Hosts

About Virtual Hosts


This set of features allows you to control your mail flow in ways that permit more granular tracking and
policy administration. Coupled with Virtual Host Administration, you can use these features to spread the
administrative workload without loss of overall security.
Virtual Host functionality provides the following capabilities:
• Provides the ability to create Virtual Host IP addresses for inbound and outbound traffic, and to set specific
parameters for the Mail Firewall.

• Allows a single Email Gateway appliance to segment the mail flow for different Virtual Host IP addresses.

• Permits the creation of distinct email policies and spam policies for specific domains.

Virtual IP addresses and Virtual Hosts enhance the configurability of protection for your network.
Note: You will need to configure IP addresses under the Email Gateway System tab (System | Configuration |
IP Addresses), and domains under the IntrusionDefender tab (IntrusionDefender | Mail Routing | Domain
Based). At least one IP address and one domain are required.

General guidelines
There are a few basic guidelines you will need to remember as you configure Virtual Hosts:
• A Virtual Host can be assigned one or more domains.

• A domain can be assigned to more than one Virtual Host only under certain circumstances (see “Adding
a Virtual Host: Configuring Domains” later in this chapter).

• The SuperAdministrator (admin account) has complete and total access to all areas of the Email Gateway
appliance, including the ability to create and manage user accounts and assign permissions.

• An Appliance Administrator has assigned permissions for all domains and Virtual Hosts on the Email
Gateway appliance. Appliance Administrators might or might not be given permission to create and
manage user accounts.

• Virtual Host administrators have their assigned access rights and privileges for only those Virtual Hosts
they have been assigned. They might or might not have user creation rights for those Virtual Hosts.

A Virtual Host is an administrator-defined entity that allows grouping of domains to satisfy the needs
mentioned above. It is a collection of one or more domains that permits the Email Gateway customer to:
• allow administrators to manage rules and quarantine queues for certain domains; and

• segment message traffic using specific IP addresses.

There are two types of Virtual Hosts: listeners, and non-listeners. The type of Virtual Host you create is
determined by a checkbox on the Add New window for Virtual Hosts.


A Listener is a Virtual Host that listens for email traffic on the specific IP addresses assigned to that Virtual
Host. As a result, the Listener handles mail for the domains in that Virtual Host through those IPs.
Additionally, a Listener can be configured to listen for inbound email traffic, outbound traffic, or both, based
upon your selection from the “Type” drop-down list on the window.
A Non-Listener is a Virtual Host that has no IP addresses of its own. Mail for the domains within the Virtual
Host is handled on the Email Gateway appliance’s default IP addresses rather than being routed through
specific IPs. The Non-Listener configuration allows assigned administrators to manage a specific set of Virtual
Host domains without having to segment the mail flow.

Managing Virtual Hosts


The Virtual Hosts - Manage window displays information about all configured Virtual Hosts, showing their
status as enabled or disabled. You can also configure new Virtual Hosts by navigating from this window, or
edit the configuration of existing Virtual Hosts.
Figure 239 Virtual Hosts - Manage window

Table 239 Virtual Hosts - Manage fields


Field – Description
ID – The unique, system-generated ID number for each configured Virtual Host. The ID number is a hyperlink that expands the Virtual Host listing to provide access to additional links; these take you to the screens where specific configuration parameters can be viewed or edited.
Name – The name assigned to each Virtual Host at the time of its creation. The name is also a hyperlink that expands the Virtual Host listing.
Listener – An ‘x’ in this column indicates that the Virtual Host is configured as a Listener. A Listener is a Virtual Host that is intended to be managed by a Domain Administrator. Its configuration includes the ability to “listen” for email traffic for the assigned domains on its own IP address(es). Enabling this option causes the Virtual Host to appear as a separate Email Gateway on a TCP/IP network, using a different hostname for sending mail.
Type – The direction of email traffic this Virtual Host will process, if applicable: Inbound, Outbound or both. Inbound traffic is mail processed through this Virtual Host for delivery within the domains it hosts. Outbound traffic is mail processed for delivery to recipients who are not part of this Virtual Host.
IP Addresses – The IP addresses assigned to each Virtual Host and the mail flow description for each IP. Each Virtual Host can have up to four assigned IP addresses: Inbound SMTPI, Inbound SMTPO, Outbound SMTPI and Outbound SMTPO.
Enable – Select or deselect this checkbox to enable or disable the Virtual Host.
Delete – Selecting this checkbox and clicking Submit causes the associated Virtual Host to be deleted at the next cleanup cycle.

Clicking the ID or Name hyperlink for any existing Virtual Host will expand the window to allow you to select
an existing component of that Virtual Host. The associated window will appear, allowing you to review or
edit that component’s configuration. More information about each of the components is presented in
Configuring Virtual Hosts, below.
The screen shot above shows the expanded information for a fully configured Virtual Host. Since it is
possible to configure a Virtual Host in more than one Web Administration session, only those portions of the
configuration that have been completed will be available for viewing and editing from the expanded data.
Furthermore, Virtual Hosts that are not configured as listeners will only show the Domains link.
Note: You cannot enable a Virtual Host until configuration is complete.

Configuring Virtual Hosts


To begin configuring a new Virtual Host, click Add New at the bottom of the Virtual Hosts - Manage
window. The Virtual Hosts - Add New window appears. Before you do so, however, the prerequisites below
must be in place.

Prerequisites
Before you can complete the configuration of a Virtual Host, you must have at least one available
(unassigned) IP address configured. This configuration is done in System | Configuration | IP Addresses.
You will also need to have configured at least one domain that can be assigned to the Virtual Host. You can
add domains at IntrusionDefender | Mail Routing | Domain Based | Add New.

Adding a Virtual Host


Virtual Hosts can only be created by Appliance Administrators, including the SuperAdministrator. Virtual Host
administrators can modify the settings of their respective Virtual Hosts, with the exception of adding new
domains or removing those already assigned. Changes to assigned domains must be performed by
appliance-level administrators.
The Default Virtual Host (Virtual Host ID 0) is always present. It cannot be deleted, edited or disabled. The
only modification allowed is to change the IP addresses assigned to it. All domains not assigned to other
Virtual Hosts belong to the Default Virtual Host. When a new Virtual Host is created, it must have at least one
domain assigned; that domain is then no longer assigned to the Default Virtual Host.
Configuring a new Virtual Host is a cumulative procedure that takes you through a series of screens in
succession. The process begins with the Virtual Hosts - Add New window.


Configuring IP addresses and domains


The first steps in creating the new Virtual Host can be accomplished on the Add New window itself. Here
you can describe the basic Virtual Host, assign appropriate IP addresses and assign available domains.

IP addresses
Each Listener Virtual Host has either two or four IP address interfaces, depending upon the Listener Type
you selected. Listeners for either inbound or outbound messages will have two interfaces; Listeners for both
inbound and outbound will have four. You can select the IP address for each interface from the drop-down
lists.
The interfaces are:
• Inbound SMTPI – this is the SMTP Proxy interface for inbound mail from the Internet.

• Inbound SMTPO – the SMTPO interface delivers inbound mail to the internal mail servers.

• Outbound SMTPI – this interface is the SMTP Proxy for outbound mail from the internal servers.

• Outbound SMTPO – this interface delivers outbound mail to the Internet.

You can use a unique IP address for each interface if you wish, but that isn’t necessary: one IP address can
serve up to all four interfaces on the same Virtual Host.
Under certain circumstances, you can also use the same IP address for different Virtual Hosts. An IP address
can be used by more than one Virtual Host as long as it is not used for the same purpose (the same interface)
on both. For example, a Virtual Host that listens only for inbound traffic and another that listens only for
outbound traffic can share an IP address, because the IP is not used for the same purpose in both. The sample
scenarios below illustrate how this works.
Note: The table does not represent all possible configurations; it just provides a few examples.

Table 240 Sample VH IP address combinations


Scenario 1 – Separate IPs for each Virtual Host. VH1 hosts Domain 1 and VH2 hosts Domain 2; both are
configured for Inbound and Outbound.
    SMTPI Inbound:   100.100.100.1 – VH1    100.100.100.2 – VH2
    SMTPO Inbound:   100.100.100.1 – VH1    100.100.100.2 – VH2
    SMTPI Outbound:  100.100.100.1 – VH1    100.100.100.2 – VH2
    SMTPO Outbound:  100.100.100.1 – VH1    100.100.100.2 – VH2

Scenario 2 – A single IP for VH1 and four separate IPs for VH2. VH1 hosts Domain 1 and VH2 hosts Domain 2;
both are configured for Inbound and Outbound.
    SMTPI Inbound:   100.100.100.1 – VH1    100.100.100.2 – VH2
    SMTPO Inbound:   100.100.100.1 – VH1    100.100.100.3 – VH2
    SMTPI Outbound:  100.100.100.1 – VH1    100.100.100.4 – VH2
    SMTPO Outbound:  100.100.100.1 – VH1    100.100.100.5 – VH2

Scenario 3 – VH1 (Domain 1) listens for Inbound traffic only and VH2 (Domain 2) for Outbound traffic only.
IP1 (100.100.100.1) is exposed to the Internet and IP2 (100.100.100.2) to the internal network. The two
Virtual Hosts share both IPs because neither IP is used for the same interface on both.
    SMTPI Inbound:   100.100.100.1 – VH1    N/A – VH2
    SMTPO Inbound:   100.100.100.2 – VH1    N/A – VH2
    SMTPI Outbound:  N/A – VH1              100.100.100.2 – VH2
    SMTPO Outbound:  N/A – VH1              100.100.100.1 – VH2

Domains
The ability to assign the same domain to more than one Virtual Host depends upon how your Virtual Hosts
are configured. If you have a Virtual Host set to listen for inbound messages only, then the domains in that
Virtual Host are available to be included in another Virtual Host that listens for outbound traffic only.
However, if you included a domain in a Virtual Host that listens for both inbound and outbound messages,
that domain will not be available for inclusion in any other Virtual Host.
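The IP-sharing and domain-sharing rules above are easy to get wrong when several administrators add Virtual Hosts over time. The following Python checker is an added example written for this edition of the guide, not Email Gateway code: it encodes the two rules (an IP may be reused only for a different interface role; a domain may appear in two Virtual Hosts only if they handle different directions) and runs them against the three scenarios of Table 240 plus a deliberately conflicting one. The role names, the domain names and the helper names are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Interface roles of a Listener Virtual Host, in the order used by Table 240.
# (The role tokens are this example's own, not product identifiers.)
ROLES = ("smtpi_inbound", "smtpo_inbound", "smtpi_outbound", "smtpo_outbound")


@dataclass
class VirtualHost:
    name: str
    vh_type: str                          # "Inbound", "Outbound" or "Both"
    domains: List[str]
    ips: Dict[str, Optional[str]] = field(default_factory=dict)   # role -> IP address

    def roles_in_use(self):
        """Inbound-only and Outbound-only listeners have two interfaces; Both has four."""
        if self.vh_type == "Inbound":
            return ROLES[:2]
        if self.vh_type == "Outbound":
            return ROLES[2:]
        return ROLES

    def directions(self):
        return {"Inbound", "Outbound"} if self.vh_type == "Both" else {self.vh_type}


def validate(hosts: List[VirtualHost]) -> List[str]:
    """Return a list of rule violations (an empty list means the set of hosts is consistent).

    Rules checked, as stated in the guide:
      * every Virtual Host needs at least one domain and an IP for each interface it uses;
      * an IP may be shared by several Virtual Hosts, but not for the same interface role;
      * a domain may appear in two Virtual Hosts only if they handle different directions.
    """
    problems: List[str] = []
    ip_owner: Dict[tuple, str] = {}               # (role, ip) -> host that already uses it
    domain_use: Dict[str, List[tuple]] = {}       # domain -> [(host, directions), ...]
    for vh in hosts:
        if not vh.domains:
            problems.append(f"{vh.name}: a Virtual Host must be assigned at least one domain")
        for role in vh.roles_in_use():
            ip = vh.ips.get(role)
            if not ip:
                problems.append(f"{vh.name}: no IP address assigned for {role}")
                continue
            owner = ip_owner.get((role, ip))
            if owner:
                problems.append(f"{vh.name}: {ip} is already used for {role} by {owner}")
            else:
                ip_owner[(role, ip)] = vh.name
        for domain in vh.domains:
            for other, other_dirs in domain_use.get(domain, []):
                overlap = vh.directions() & other_dirs
                if overlap:
                    problems.append(f"{vh.name}: {domain} already handles "
                                    f"{'/'.join(sorted(overlap))} traffic on {other}")
            domain_use.setdefault(domain, []).append((vh.name, vh.directions()))
    return problems


# Constructed scenarios matching Table 240 (domain names are placeholders).
def scenario_1():
    return [VirtualHost("VH1", "Both", ["domain1.example"], dict.fromkeys(ROLES, "100.100.100.1")),
            VirtualHost("VH2", "Both", ["domain2.example"], dict.fromkeys(ROLES, "100.100.100.2"))]


def scenario_2():
    vh2_ips = dict(zip(ROLES, ["100.100.100.2", "100.100.100.3", "100.100.100.4", "100.100.100.5"]))
    return [VirtualHost("VH1", "Both", ["domain1.example"], dict.fromkeys(ROLES, "100.100.100.1")),
            VirtualHost("VH2", "Both", ["domain2.example"], vh2_ips)]


def scenario_3():
    # Inbound-only and Outbound-only hosts: the two IPs are reused, but never for the same role.
    return [VirtualHost("VH1", "Inbound", ["domain1.example"],
                        {"smtpi_inbound": "100.100.100.1", "smtpo_inbound": "100.100.100.2"}),
            VirtualHost("VH2", "Outbound", ["domain2.example"],
                        {"smtpi_outbound": "100.100.100.2", "smtpo_outbound": "100.100.100.1"})]


def conflicting_scenario():
    # Two "Both" hosts on the same IP for every role, and the same domain in both: not allowed.
    return [VirtualHost("VH1", "Both", ["domain1.example"], dict.fromkeys(ROLES, "100.100.100.1")),
            VirtualHost("VH2", "Both", ["domain1.example"], dict.fromkeys(ROLES, "100.100.100.1"))]


if __name__ == "__main__":
    for build in (scenario_1, scenario_2, scenario_3, conflicting_scenario):
        print(build.__name__, validate(build()) or "OK")
```

Running the script prints OK for the three documented scenarios and five violations for the conflicting one (four IP/role clashes and one domain clash). The same check also accepts a domain that appears in an Inbound-only and an Outbound-only host, which is the one sharing case the Domains paragraph allows.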


Figure 240 Virtual Hosts - Add New window

Table 241 Virtual Hosts - Add New fields


Field – Description
Name – Type a name for the new Virtual Host.
Listener – If you want the Virtual Host to be a listener, select this checkbox.
Type – Select the direction of email traffic for which this Virtual Host will listen:
• Inbound – messages destined for delivery to domains assigned to this Virtual Host
• Outbound – messages sent by domains assigned to this Virtual Host and destined for delivery to recipients not included in this Virtual Host
• Inbound and Outbound – email traffic in both directions.
It is possible to change a listener Virtual Host from “Both” to just Inbound or just Outbound. It is NOT possible to change either Inbound or Outbound to Both.
Enable Default Inbound DNS Server – Select the checkbox to have the Virtual Host use the default DNS server for inbound traffic. If it is NOT enabled, you must specify the DNS server(s) the Virtual Host will use. You can specify up to three DNS servers, and the Virtual Host will attempt to use them in the order you have set.
Enable Default Outbound DNS Server – Select the checkbox to have the Virtual Host use the default DNS server for outbound traffic. If it is NOT enabled, you must specify the DNS server(s) the Virtual Host will use. You can specify up to three DNS servers, and the Virtual Host will attempt to use them in the order you have set.
Inbound (IP Addresses) – From the pick lists, select the IP addresses for Inbound mail. You must specify an IP for SMTPI (into the appliance) and SMTPO (out of the appliance) for Inbound mail.
Outbound (IP Addresses) – From the pick lists, select the IP addresses for Outbound mail. You must specify an IP for SMTPI (into the appliance) and SMTPO (out of the appliance) for Outbound mail.
Domains – The list on the left side of the window displays the names of the domains available for the message type selected above. The list on the right contains the names of the domains assigned to this Virtual Host.


Complete the necessary information and select at least one available domain for this Virtual Host. Select
the domain in the Available list, and use the right-pointing arrow to move it to the Selected list. The double
arrows will assign all available domains to this Virtual Host. The left-pointing arrows will allow you to
remove one or more domains from the Virtual Host, placing them back on the Available list.
When this window is complete, click Next. The Internal Servers - Configure window will display.
If you are configuring a Virtual Host that is not to be configured as a listener, the button to the lower right
of the window will read Finish. When you click this button, the window will display the Virtual Hosts -
Manage window again, and your new Virtual Host will be included. Non-listener Virtual Hosts require no
further configuration.

Configuring internal mail servers


This window permits you to identify IP addresses for internal servers that will route messages to external
domains through this Virtual Host. It also provides the capability to add other existing IP addresses.
Figure 241 Internal Servers - Configure window

Table 242 Internal Servers - Configure fields


Field – Description
Virtual Host Header – The top of the window, just beneath the window title, displays the name and basic information about the Virtual Host. This data is not editable.
IP Address – This column lists the IP addresses of the internal servers to which this Virtual Host can deliver Outbound messages.
Side Note – If the IP addresses include any explanatory side notes, those notes appear in this column.
Delete – Selecting the checkbox and then clicking Submit deletes the associated IP address from this window.
Adding a New IP Address – The data fields at the bottom of the window permit adding a new IP address to the table:
Add an IP: Type the internal server IP address you wish to add.
Side Note for IP: Type a side note for the new IP if you so desire.

If you are adding a server’s IP address, click Submit. The IP will appear in your list.
When you have entered the desired IP Addresses, click Next.


Note: You can save the configuration that has been done so far and exit the configuration process by clicking the
Finish button wherever it is available.

Configuring SMTPI
This window allows you to view the properties for incoming mail for this Virtual Host, and to edit them. The
parameters are collected into logical groupings on the window.
Figure 242 SMTPI Service Configuration window

Table 243 SMTPI Service Configuration fields


Field – Description
Virtual Host Header – The top of the window, just beneath the window title, displays the name and basic information about the Virtual Host. This data is not editable.
General
Default Route – Type the hostname or the IP address for the default route here. You can type multiple routes, separated by commas, to serve as fallback options.
Banner – If you wish to use an alternate welcome banner to avoid disclosing information about the mail infrastructure, type the banner here. The banner is limited to 80 characters and cannot contain new line characters.
Connection Management
SIZE Extension (MB) – External – Type the maximum size (in megabytes) for messages Email Gateway will accept from outside the network. 0 = unlimited size.
SIZE Extension (MB) – Internal – Type the maximum size (in megabytes) for messages that can be accepted from inside the network. 0 = unlimited size.
Maximum Recipients Per Message – Type a number from 25 to 500 for the maximum number of recipients allowed per message.
Maximum Messages Per Connection – Type a number from 0 to 50 for the maximum number of messages allowed per connection. 0 = unlimited messages. The limit does not apply to connections that have Allow Relay permission.
Enable Recipient Rejections Threshold – Select the checkbox to enable recipient rejections threshold validation. You must also configure the threshold below.
Recipient Rejections Threshold Per Connection – Type the maximum number of recipient rejections allowed on an SMTP connection before the connection is marked as unusable for further commands.
Validate SMTPI Outbound Connections – Select this checkbox to have SMTPI validate that only connections from the internal/inbound servers are accepted on the SMTPI Outbound interface of the Virtual Host. This option applies only to Both or Outbound Virtual Hosts.
Delivery Retry Handling
Skip Internal Server for Outbound Messages – Select this checkbox to have Email Gateway bypass the internal mail servers for messages destined for delivery to an external domain.
Reject Invalid MailFrom – Select this checkbox to have Email Gateway reject mail whose sender address belongs to a routing domain but whose source is not in the Allow Relay list.
Insert Received Headers – Select this checkbox to have Email Gateway add itself to the RFC 822 header information of messages (a Received: header) to identify its own role in routing the messages.
Pattern Matching
Enable Recipient Pattern Match – Select this checkbox to enable Email Gateway pattern matching.
Patterns to Match – Type the list of patterns to match as a comma-separated list. Only *.*, *_* and *-* are currently supported.
Pattern Rejection Message – Type the rejection message to be used for invalid patterns in the recipient’s address. Do not use double quotes.
Whitelist for Pattern Match – Type a comma-separated list of email addresses that Email Gateway should exempt from pattern matching.
Relaying & Authentication
Authentication: SMTP Auth – This option allows messages to be relayed only if an internal mail server authenticates the user with an encrypted validation process. If you enable this option, you must also select the authentication method from the list below.
Authentication: SMTP Validate Method – Select the authentication method to be used for user authentication: POP or SMTP.
Authentication: SMTP Validate Host – If you enabled SMTP Authentication above, type the hostname of the server that provides POP3 or SMTP authentication.
Allow relaying to external domains – When this option is disabled, only users who are authenticated by a POP or SMTP process, or machines whose IP addresses or subnets are included in the Allow Relay List, are allowed to relay messages through Email Gateway to external domains. If the option is enabled, any user can relay messages through Email Gateway to external domains, which makes the appliance an open relay. Leaving the option disabled is the recommended practice.
Authentication: POP before SMTP – If this option is enabled, Email Gateway relays a message only if the user has “popped” their messages and an internal server validated them. Email Gateway remembers the POP authentication for 15 minutes. After 15 minutes, the user must “pop” the mail a second time to force the POP server to authenticate the account again. If you enable this option, you must also enable the Denial of Service option in Mail IPS | Application Level | DoS Protection.
Message Splitting
Enable Message Splitting – Select this checkbox to have Email Gateway split messages for the recipients listed in the address field below.
Message Splitting Addresses – Type the email addresses for which incoming messages will be split. These addresses receive a second copy of the message with a different ID, and that copy is treated according to the policies that apply to this group. Limit the number of email addresses to 24.
Other Protocols
Enable Secure Service – Enable this option to have Email Gateway accept incoming requests on the configured SSL port.
Secure Client Communication (SSL) – Enable this option to let Email Gateway accept SSL/TLS connections on the non-secure port 25 if the sending server requests it (STARTTLS).
Enable UUCP Addressing – Enable this option to allow UUCP (Unix-to-Unix Copy Protocol) addressing, including the use of quotation marks as separators. If the option is not enabled, Email Gateway rejects UUCP addresses.

When SMTPI configuration is complete, click Next. The SMTPO Service Configuration window will display.
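The Connection Management settings above are easiest to understand by watching them act on a directory-harvest attempt, where a sender tries many guessed recipients on one connection to learn which mailboxes exist. The Python model below is an added example written for this edition of the guide, not Email Gateway code: it applies the SIZE limit, the per-connection message cap (with the Allow Relay exemption), the per-message recipient cap and the recipient rejections threshold to a constructed session. The reply codes, class names and sample mailboxes are all this example's own.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class SmtpiLimits:
    """Connection Management settings from the SMTPI Service Configuration window."""
    max_recipients_per_message: int = 100      # UI range 25..500
    max_messages_per_connection: int = 0       # UI range 0..50, 0 = unlimited
    threshold_enabled: bool = True             # Enable Recipient Rejections Threshold
    rejection_threshold: int = 5               # Recipient Rejections Threshold Per Connection
    size_limit_external_mb: int = 10           # SIZE Extension (MB) - External, 0 = unlimited


@dataclass
class Connection:
    limits: SmtpiLimits
    valid_recipients: Set[str]     # what the appliance learns from the internal server
    allow_relay: bool = False      # Allow Relay sources are exempt from the message cap
    messages: int = 0
    recipients: int = 0
    rejections: int = 0
    unusable: bool = False

    def mail_from(self, size_bytes: int = 0) -> str:
        if self.unusable:
            return "421 4.7.0 connection no longer accepted"
        cap = self.limits.max_messages_per_connection
        if cap and not self.allow_relay and self.messages >= cap:
            return "421 4.7.0 too many messages on this connection"
        limit = self.limits.size_limit_external_mb * 1024 * 1024
        if limit and size_bytes > limit:
            return "552 5.3.4 message size exceeds fixed maximum message size"
        self.messages += 1
        self.recipients = 0
        return "250 2.1.0 OK"

    def rcpt_to(self, address: str) -> str:
        if self.unusable:
            return "421 4.7.0 connection no longer accepted"
        if self.recipients >= self.limits.max_recipients_per_message:
            return "452 4.5.3 too many recipients"
        if address.lower() not in self.valid_recipients:
            self.rejections += 1
            if self.limits.threshold_enabled and self.rejections >= self.limits.rejection_threshold:
                # Threshold reached: every further command on this connection is refused.
                self.unusable = True
            return "550 5.1.1 user unknown"
        self.recipients += 1
        return "250 2.1.5 OK"


def run_harvest(conn: Connection, guesses: List[str]) -> Tuple[List[str], List[str]]:
    """Replay a directory-harvest attempt: one MAIL FROM, then one RCPT TO per guessed address.

    Returns (addresses the attacker confirmed, reply code per RCPT TO).
    """
    conn.mail_from(size_bytes=1024)
    confirmed, codes = [], []
    for address in guesses:
        reply = conn.rcpt_to(address)
        codes.append(reply[:3])
        if reply.startswith("250"):
            confirmed.append(address)
    return confirmed, codes


# Constructed sample data: two real mailboxes, an attacker guessing eight common names.
VALID = {"alice@example.com", "bob@example.com"}
GUESSES = [f"{user}@example.com"
           for user in ("admin", "info", "alice", "sales", "test", "webmaster", "hr", "bob")]


def demo(threshold: int, enabled: bool = True) -> Tuple[List[str], List[str]]:
    conn = Connection(SmtpiLimits(threshold_enabled=enabled, rejection_threshold=threshold), VALID)
    return run_harvest(conn, GUESSES)


if __name__ == "__main__":
    print("threshold 5 enabled :", demo(5))
    print("threshold disabled  :", demo(5, enabled=False))
```

With the threshold at 5 the attacker confirms only the one mailbox guessed before the fifth rejection and is then answered 421 for the rest of the session; with the threshold disabled the same connection confirms both mailboxes. Lowering Maximum Messages Per Connection does not help against this pattern, because the harvest happens inside a single message envelope.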


Configuring SMTPO
This window allows you to view and edit the properties for outbound mail for this Virtual Host.
Figure 243 SMTPO Service Configuration window

Table 244 SMTPO Service Configuration fields


Field – Description
Virtual Host Header – The top of the window, just beneath the window title, displays the name and basic information about the Virtual Host. This data is not editable.
General
Send FQDN on Helo/Ehlo – Select this checkbox to have Email Gateway send its fully qualified domain name in the EHLO/HELO command to the receiving server. Otherwise, only the domain name is sent.
Delivery Retry Handling
Enable Basic Schedule – Enable this option to allow Email Gateway to make additional attempts to deliver failed messages.
Basic Schedule (enter up to 4 values in seconds) – Type up to four values (in seconds), in increasing order, to specify the retry intervals if a receiving server is unable to receive a message on the first attempt.
Enable Extended Schedule – Enable this option to allow Email Gateway to make further attempts to deliver failed messages after the basic schedule is exhausted.
Extended Schedule – Frequency (once every indicated hours) – Type a value from 1 to 24 for the interval in hours between retry attempts, for the duration set below.
Extended Schedule – Duration – Type a number from 1 to 100 for the number of hours, days or attempts that the extended schedule lasts.
Extended Schedule – Duration Type – Click the option that gives the unit of the duration (hours, days or attempts).
Action for Undeliverable Messages (after final attempt) – Select from the list the action Email Gateway takes on messages that ultimately cannot be delivered.
Authentication
Strong Server Authentication – Type the value that sets whether Email Gateway requires receiving servers to authenticate themselves before messages are delivered. Options are:
• 0 – disabled, no authentication required
• 1 – require a security certificate and compare the server host name against the host name on the certificate
• 2 – check that the message domain name matches the domain identified in the security certificate
Deliver mail if Strong Server Authentication fails – Enable this option to let Email Gateway deliver email to a server even when the domain or host name cannot be matched against the server’s security certificate; the identity check then becomes advisory rather than blocking.
Recipient Server Certificate Verification – Enable this option to require the strongest possible authentication before sending messages: Email Gateway validates the security certificate against the trusted root that issued it. If the option is enabled and verification fails, the connection is dropped. If the option is disabled, the verification failure is logged but the connection is allowed and the message is delivered.
Delivery Status Notification
Enable Notification for Sender – Select this checkbox to enable delivery status notifications to the senders of messages.
Enable Notification for Additional Recipients – Select this checkbox to enable delivery status notifications to additional recipients. You must also provide email addresses for these recipients below.
Additional Recipients Email Addresses – Type email addresses for the additional recipients you enabled immediately above. Multiple addresses must be separated by commas.
Enable “Destination Domain Unreachable – Warning” Notifications – Enable this option to generate a delivery status notification warning after each unsuccessful attempt to deliver a message. Otherwise, Email Gateway only sends an alert after the final delivery attempt fails.
Notification Templates
Destination Domain Unreachable – Final Attempt – From the pick list, select the template used for notifications when the final attempt to deliver a message has failed.
Destination Domain Unreachable – Warning – Select the template used for DSN warnings when a delivery attempt other than the final attempt fails.
Destination Domain resolves to Email Gateway – Select the template used for notifications when the destination domain resolves to the Email Gateway appliance itself.
Invalid Destination Domain – Select the template used to generate messages when the destination domain is invalid.
Destination Domain could not be reached – From the drop-down list, select the notification template used for a Delivery Status Notification when recipient/sender data is not accepted or when an IO/MIME/TLS error occurs.


When SMTPO configuration is complete, click Next. The Allow Relay - Configure window will display.
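The three Authentication settings in Table 244 combine into a small decision procedure: an identity check (Strong Server Authentication mode 1 or 2) that can be fail-closed or advisory, followed by a trust check (certificate chain verification) that can likewise drop the connection or only log. The Python below is an added example written for this edition of the guide, not Email Gateway code; it models that procedure on constructed certificates so the fail-open and fail-closed combinations can be compared side by side. The certificate fields, host names and function names are this example's assumptions, and the wildcard matching is a deliberately minimal one-label rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PeerCertificate:
    """What the receiving MX presented in the TLS handshake (constructed for the example)."""
    names: List[str]          # subject CN plus DNS subjectAltName entries
    chain_valid: bool         # whether the chain validates to a trusted root


@dataclass
class OutboundTlsPolicy:
    """The Authentication settings of the SMTPO Service Configuration window."""
    strong_server_auth: int = 0                  # 0 = disabled, 1 = host name, 2 = domain name
    deliver_if_strong_auth_fails: bool = False   # "Deliver mail if Strong Server Authentication fails"
    verify_recipient_certificate: bool = False   # "Recipient Server Certificate Verification"


def name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS-name comparison; a leading '*.' matches exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return pattern == name


def decide_delivery(policy: OutboundTlsPolicy, mx_host: str, recipient_domain: str,
                    cert: Optional[PeerCertificate]) -> Tuple[str, List[str]]:
    """Return ("deliver" | "drop", log lines) for one outbound connection.

    Step 1 is the identity check (Strong Server Authentication, modes 1 and 2);
    step 2 is the trust check (chain verification). Each step can be fail-closed
    or log-only depending on the policy flags.
    """
    log: List[str] = []
    if policy.strong_server_auth in (1, 2):
        expected = mx_host if policy.strong_server_auth == 1 else recipient_domain
        ok = cert is not None and any(name_matches(n, expected) for n in cert.names)
        if not ok:
            log.append(f"strong server authentication (mode {policy.strong_server_auth}) "
                       f"failed: no certificate name matches {expected}")
            if not policy.deliver_if_strong_auth_fails:
                return "drop", log
            log.append("delivering anyway: 'Deliver mail if Strong Server Authentication fails' is set")
    if cert is None:
        if policy.verify_recipient_certificate:
            log.append(f"{mx_host} presented no certificate; verification is required")
            return "drop", log
    elif not cert.chain_valid:
        log.append(f"certificate chain for {mx_host} does not validate to a trusted root")
        if policy.verify_recipient_certificate:
            return "drop", log
        log.append("verification failure logged only: chain verification is disabled")
    return "deliver", log


# Constructed certificates for two MX hosts of the domain example.net.
GOOD_CERT = PeerCertificate(["mx1.example.net", "*.example.net", "example.net"], chain_valid=True)
SELF_SIGNED = PeerCertificate(["mx2.example.net"], chain_valid=False)
WRONG_NAME = PeerCertificate(["mail.other.test"], chain_valid=True)


def scenarios() -> Dict[str, str]:
    """Verdicts for a fail-closed policy and a fail-open one on the same three certificates."""
    strict = OutboundTlsPolicy(strong_server_auth=1, verify_recipient_certificate=True)
    lenient = OutboundTlsPolicy(strong_server_auth=1, deliver_if_strong_auth_fails=True)
    return {
        "strict/good": decide_delivery(strict, "mx1.example.net", "example.net", GOOD_CERT)[0],
        "strict/wrong-name": decide_delivery(strict, "mx1.example.net", "example.net", WRONG_NAME)[0],
        "strict/self-signed": decide_delivery(strict, "mx2.example.net", "example.net", SELF_SIGNED)[0],
        "lenient/wrong-name": decide_delivery(lenient, "mx1.example.net", "example.net", WRONG_NAME)[0],
        "lenient/self-signed": decide_delivery(lenient, "mx2.example.net", "example.net", SELF_SIGNED)[0],
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:22s} {verdict}")
```

Note that a mode-1 check alone passes the self-signed certificate, because its name matches the MX host; only Recipient Server Certificate Verification catches an untrusted issuer. Conversely, a lenient policy delivers in every case and leaves only log lines behind, which is the trade-off the "Deliver mail if Strong Server Authentication fails" option makes.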

Configuring Allow Relay


This window allows you to configure IP subnets from which messages can be relayed to external domains
by this Virtual Host.
Figure 244 Allow Relay - Configure window

Table 245 Allow Relay - Configure fields


Field – Description
Virtual Host Header – The top of the window, just beneath the window title, displays the name and basic information about the Virtual Host. This data is not editable.
IP Subnet – This column lists the IP subnets that have already been added to the Allow Relay list.
Side Note – If side notes were included for any IP subnet, they appear in this column.
Delete – Selecting the checkbox and then clicking Submit removes the IP subnet from the list.
Add New Subnet – The fields below allow you to add IP subnets to the Allow Relay list:
IP Subnet: Type the IP subnet you wish to add.
Side Note for IP: If you like, type a side note to explain or identify the subnet.
Add IP Subnets from a file: You can add one or more subnets from a file by navigating to that file or entering the complete path.
Character Set – Select the character set to be used for encoding messages. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for simplified Chinese in mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – official character set for the People’s Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People’s Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Albanian, Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, a variable-length character encoding
Only those character sets supported by both Autonomy and ICONV can be effectively used.
Export – You can export the list of IP subnets as a backup by clicking this hyperlink.

When Allow Relay configuration is complete, click Submit. The window will update. When you are finished
adding subnets, click Next. The Local Deny List - Configure window will appear.

Configuring the Local Deny List


This window permits you to configure IP addresses or subnets from which this Virtual Host will not receive
messages. Email from any IP address or subnet listed will be dropped.
Figure 245 Local Deny List - Configure window


Table 246 Local Deny List - Configure fields


Field – Description
Virtual Host Header – The top of the window, just beneath the window title, displays the name and basic information about the Virtual Host. This data is not editable.
IP Address or Subnet – This column lists the IP addresses or subnets that have already been added to the Deny List.
Side Note – If side notes were included for any IP address or subnet, they appear in this column.
Delete – Selecting the checkbox and then clicking Submit removes the IP address or subnet from the list.
Adding a new Address or Subnet
IP Address or Subnet: Type the IP address or subnet you wish to add.
Side Note for IP: If you like, type a side note to explain or identify the address or subnet.
Add IP addresses or subnets from a file: You can add one or more addresses or subnets from a file by navigating to that file or entering the complete path.
Character Set – Select the character set to be used for encoding messages. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for simplified Chinese in mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters
• gb 2312 – official character set for the People’s Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People’s Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Albanian, Afrikaans and Swahili
• UTF-8 – 8-bit Unicode Transformation Format, a variable-length character encoding
Only those character sets supported by both Autonomy and ICONV can be effectively used.
Export – You can export the list of IP addresses and subnets as a backup by clicking this hyperlink.

When Deny List configuration is complete, click Submit. The window will refresh. When you have finished
adding subnets, click Finish. You will be returned to the Virtual Hosts - Manage window, where the new
Virtual Host will now appear.
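The Allow Relay list, the Local Deny List and the Relaying & Authentication options of the SMTPI window act together on every envelope a Virtual Host accepts. The Python below is an added example written for this edition of the guide, not Email Gateway code; it shows the order in which a practitioner would expect those checks to apply (deny list first, then sender-domain spoofing, then the relay decision) and why leaving "Allow relaying to external domains" disabled matters. The subnets, addresses, reply strings and the one-entry-per-line file format are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RelayPolicy:
    """Relay-related settings of one Virtual Host (SMTPI, Allow Relay and Local Deny List windows)."""
    local_domains: List[str]                              # domains assigned to this Virtual Host
    allow_relay: List[str] = field(default_factory=list)  # Allow Relay list: IP subnets
    deny_list: List[str] = field(default_factory=list)    # Local Deny List: addresses or subnets
    allow_relay_to_external: bool = False                 # "Allow relaying to external domains" (keep disabled)
    reject_invalid_mailfrom: bool = True                  # "Reject Invalid MailFrom"

    def listed(self, client_ip: str, entries: List[str]) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # strict=False also accepts entries with host bits set, such as 192.0.2.10/24
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(policy: RelayPolicy, client_ip: str, authenticated: bool,
             mail_from: str, rcpt_to: str) -> Tuple[str, str]:
    """Decide one envelope: returns ("drop" | "reject" | "accept", reason).

    authenticated is True when SMTP AUTH or POP-before-SMTP validated the sender.
    """
    if policy.listed(client_ip, policy.deny_list):
        return "drop", f"{client_ip} is on the Local Deny List"
    trusted = authenticated or policy.listed(client_ip, policy.allow_relay)
    local = [d.lower() for d in policy.local_domains]
    if policy.reject_invalid_mailfrom and domain_of(mail_from) in local and not trusted:
        return "reject", "sender claims a hosted domain but is neither authenticated nor in the Allow Relay list"
    if domain_of(rcpt_to) in local:
        return "accept", "inbound mail for a hosted domain"
    if trusted:
        return "accept", "relay to an external domain by a trusted source"
    if policy.allow_relay_to_external:
        return "accept", "relay to an external domain permitted for anyone (open relay)"
    return "reject", "relaying denied"


def load_subnets(text: str) -> List[str]:
    """Parse a subnet file in the format assumed here: one entry per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ipaddress.ip_network(line, strict=False)   # raises ValueError on a malformed entry
            entries.append(line)
    return entries


# Constructed policy: one hosted domain, two trusted internal subnets, one blocked host.
ALLOW_FILE = "192.0.2.0/24      # internal mail servers\n10.10.0.0/16     # branch offices\n"
POLICY = RelayPolicy(["example.com"], allow_relay=load_subnets(ALLOW_FILE), deny_list=["198.51.100.7"])

if __name__ == "__main__":
    for args in [("203.0.113.5", False, "ann@partner.test", "bob@example.com"),
                 ("203.0.113.5", False, "ann@partner.test", "carol@external.test"),
                 ("192.0.2.10", False, "bob@example.com", "carol@external.test"),
                 ("203.0.113.5", False, "bob@example.com", "alice@example.com"),
                 ("198.51.100.7", False, "ann@partner.test", "bob@example.com")]:
        print(args, "->", evaluate(POLICY, *args))
```

The fourth sample envelope is the case Reject Invalid MailFrom exists for: an Internet host presenting a sender in the hosted domain to a recipient in the same domain. Flipping allow_relay_to_external to True makes the second envelope (external sender to external recipient) pass, which is exactly the open-relay behaviour the table warns against.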


Figure 246 Virtual Hosts - Manage window updated

Should you wish to edit the new Virtual Host, click the ID link or the Name link to expand the entry. Then
click any of the newly displayed hyperlinks to navigate to the appropriate window.
The Virtual Host can be enabled, if it is not already enabled, by selecting the Enable checkbox. An existing
Virtual Host can also be disabled by deselecting this option, with no loss of configuration data.
Configuration of your new Virtual Host is now complete. The Virtual Host is ready for use.

Editing a Virtual Host


To edit a Virtual Host, click the Virtual Host Name on the Virtual Hosts - Manage window. Depending upon
the Listener selection you have made, the appropriate edit window will display.

Deleting a Virtual Host


Should you need to delete an existing Virtual Host for any reason, this is the required procedure. Begin on
the Virtual Hosts - Manage window. Locate the Virtual Host you would like to delete. Click the Delete
checkbox.
If the Virtual Host you have selected to be deleted is a Listener, the Virtual Hosts - Manage window will
expand to show at least one data field. For Inbound only or Outbound only Listeners, one data field will
appear. For Virtual Hosts that are both Inbound and Outbound Listeners, two fields are required.

Table 247 Fallback data fields


Field – Description
Inbound Fallback – If the listener Virtual Host processes inbound traffic, you must select an Inbound Fallback Virtual Host. The domains assigned to the original Virtual Host are re-assigned to the fallback. The Default Virtual Host is selected by default; you can select any other existing Listener Virtual Host.
Outbound Fallback – If the listener Virtual Host processes outbound traffic, you must select an Outbound Fallback Virtual Host. The domains assigned to the original Virtual Host are re-assigned to the fallback. The Default Virtual Host is selected by default; you can select any other existing Listener Virtual Host.


Select the necessary fallback Virtual Hosts, then click Submit. The Virtual Hosts - Manage window will
refresh, indicating that the Virtual Host is scheduled for deletion.
The actual deletion will occur when all existing email messages that are being processed by the Virtual
Host are finished. Then the Cleanup operation will delete the designated Virtual Host. All domains that were
assigned to that Virtual Host are now assigned to the Virtual Host you designated as the fallback; however,
that Virtual Host is no longer classified as a fallback, and is viewed as a normal Virtual Host with the
additional domains assigned to it. The fallback status is active only until the scheduled Virtual Host is
actually deleted.

Rules to remember
When you wish to delete a Virtual Host, there are a few essential rules you will need to remember.
1 Whenever you delete a listener Virtual Host, you must select a fallback Virtual Host to which mail traffic
will go when the deleted Virtual Host is gone. If no other Virtual Host is available or if you fail to select
one, the Default Virtual Host will be the fallback.

2 When a Virtual Host becomes the fallback for another, the fallback Virtual Host cannot be deleted
(scheduled for deletion) until all the mail traffic has been cleared from the original (deleted) Virtual Host
and that Virtual Host is actually deleted.

3 You cannot change the network configuration of any Virtual Host while it is in fallback status; other editing
is possible.

4 When the originally deleted Virtual Host has been removed, the fallback Virtual Host becomes a regular
Virtual Host again, and is subject to deletion, editing, and so forth.
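The four rules above, modelled as a small registry. This is an added illustration, not Email Gateway code: the class and method names are assumptions, and a single fallback per host stands in for the separate Inbound and Outbound Fallback selections.

```python
"""Model of the Virtual Host deletion and fallback rules (added illustration,
not Email Gateway code; names are assumptions, one fallback per host).

Deleting a listener schedules it, moves its domains to the fallback and marks
the fallback. The fallback cannot itself be deleted or have its network
configuration changed until the Cleanup step removes the original host, at
which point it becomes a regular Virtual Host again.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT = "Default Virtual Host"  # always exists and is the implicit fallback


@dataclass
class VirtualHost:
    name: str
    domains: Set[str] = field(default_factory=set)
    in_flight: int = 0                 # messages still being processed
    scheduled_for_deletion: bool = False
    fallback_for: Set[str] = field(default_factory=set)  # hosts it is fallback for
    network: Dict[str, str] = field(default_factory=dict)


class VirtualHostRegistry:
    def __init__(self) -> None:
        self.hosts: Dict[str, VirtualHost] = {DEFAULT: VirtualHost(DEFAULT)}

    def add(self, name: str, domains=()) -> None:
        self.hosts[name] = VirtualHost(name, set(domains))

    def schedule_delete(self, name: str, fallback: Optional[str] = None) -> str:
        """Rule 1: a fallback is mandatory and defaults to the Default Virtual Host."""
        host = self.hosts[name]
        if host.fallback_for:
            # Rule 2: a host currently acting as fallback cannot be deleted.
            raise ValueError(f"{name} is a fallback until the original host is deleted")
        fallback = fallback or DEFAULT
        if fallback == name or fallback not in self.hosts:
            raise ValueError("fallback must be a different, existing listener")
        target = self.hosts[fallback]
        target.domains |= host.domains      # domains are re-assigned to the fallback
        host.domains.clear()
        host.scheduled_for_deletion = True
        target.fallback_for.add(name)
        return target.name

    def set_network_config(self, name: str, config: Dict[str, str]) -> None:
        """Rule 3: network configuration is locked while in fallback status."""
        host = self.hosts[name]
        if host.fallback_for:
            raise ValueError(f"{name} is in fallback status; network config is locked")
        host.network = dict(config)

    def cleanup(self) -> List[str]:
        """Cleanup step: delete scheduled hosts once their mail has drained (rule 4)."""
        deleted = []
        for name, host in list(self.hosts.items()):
            if host.scheduled_for_deletion and host.in_flight == 0:
                del self.hosts[name]
                deleted.append(name)
                for other in self.hosts.values():
                    other.fallback_for.discard(name)  # fallback becomes regular again
        return deleted
```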

Using Virtual Hosts


Virtual Hosts can be used to define policies for one or more domains, and allow those policies to be applied
and monitored by administrators whose access is limited to specified Virtual Hosts. Throughout the features
of Email Gateway, the capability to specify policies at the Virtual Host level will appear on the Apply Rules -
Add New screens.

Applying rules
The way administrators create policies depends upon the type of administrator they are (for more
information about the types of administrators, see Virtual Host administration in this chapter). The
SuperAdministrator and the Appliance Administrators create policy the same way: they see an Add New
window.
Figure 247 Image Analysis - Add Apply Rules window - appliance administrator view


These appliance level administrators automatically log onto the Default Virtual Host, which always exists,
when they sign onto Email Gateway. The Add New window, by default, allows them to create policy for that
Virtual Host. They also have one other option from this window. They can select the checkbox for Apply to
All Virtual Hosts. If they do that, the policies they create will apply to every Virtual Host on the appliance.
The policy options from the default login are for the Default Virtual Host only, or for all Virtual Hosts.
To log out, the appliance level administrator clicks the Logout Default Virtual Host link at the top of the
Email Gateway window. You do not immediately leave Email Gateway. Instead, a window appears that will
allow you to select a specific Virtual Host.
From this window, the appliance level administrator can select an individual Virtual Host for which policies
can be applied. When a Virtual Host administrator logs into Email Gateway, this is the first window
presented. Only those Virtual Hosts for which they have permissions will appear. The Add New window the
Virtual Host administrator sees does not show the Apply to All Virtual Hosts option.
The Virtual Host administrator can only create policy for the Virtual Hosts assigned, and must do so one
Virtual Host at a time. The Add New window displayed for the Virtual Host administrator has no option for
applying policy to all Virtual Hosts.
Appliance level administrators can apply rules to individual Virtual Hosts, as well. They follow the same
process as the Virtual Host administrators.
Note: If the Email Gateway appliance is configured to be managed by a Control Center, the rules and policies
pushed by the Control Center can take precedence and overwrite rules applied locally on the Email Gateway itself.

Virtual Host administration


Virtual Host Administration permits the primary administrator to create other Appliance Administrators who
can be responsible for configuring and monitoring the entire appliance, or Virtual Host administrators who
can administer Virtual Hosts they are assigned. Improved administrative practices can result from the
distribution of responsibilities.
Virtual host administration provides the following enhancements:
• Allows the primary administrator (SuperAdministrator) to create Virtual Host administrators or Appliance
Administrators.

• Provides the ability for the SuperAdministrator to:

• Create Virtual Host administrators.

• Assign roles to the individual Virtual Host administrators.

• Define domains by assigning them to Virtual Hosts, and assigning Virtual Host administrators to the
Virtual Hosts.

• Permits Virtual Host administrators to create Virtual Host-specific rules and policies, applicable only to the
assigned Virtual Hosts.

Enterprises can use this functionality to provide more granular control of their networks.
You will first need to configure IP addresses under the System tab and Virtual Hosts under the
IntrusionDefender tab. Then you can configure the user accounts for Appliance Administrators and Virtual
Host administrators under the Administration tab, using the original admin access (SuperAdministrator).

Creating user accounts for Virtual Host administration


User accounts must be created in the Administration program area by the SuperAdministrator or other
administrator who has been granted user account creation rights (Administration | WebAdmin
Configuration | User Account | Create Account). If those rights have not been granted, the User Account
functions in Web Administration will not be available.


For creating the user accounts for the new administrator, you have two options regarding the type of
administrator being created. The new user can be an Appliance Administrator, who will have whatever
rights are granted across ALL Virtual Hosts and domains on the Email Gateway appliance. Or the new user
can be created as a Virtual Host administrator, who will have whatever rights are granted only for those
Virtual Hosts that are assigned. Either option allows the SuperAdministrator to delegate some of the
administrative workload.
If the new administrator is to be an Appliance Administrator, the User Account - Create window will not
include Virtual Host information. The roles assigned are propagated through all Virtual Hosts.
In this case, the creating administrator can assign full access rights or read-only rights to the new
administrator for any or all the Roles listed on the window. If User Creation Rights are granted, the
Appliance Administrator can create new users for any domain or Virtual Host on the appliance and enable
any roles the creating administrator is allowed.
When the configuration is complete, the creating administrator clicks Add New. The new Appliance
Administrator is added to the User Accounts - Manage window.
If the new administrator is to be a Virtual Host administrator (the Appliance Admin checkbox is not
selected), the User Accounts - Create window will include the Virtual Hosts information, as shown below.
The two tables at the bottom of the window show all Virtual Hosts that are available to be assigned to the
Virtual Host administrator, and any that have already been selected for assignment. The arrows between
the lists permit moving Virtual Hosts.
Note: The Virtual Host administrator will only be able to access, manage and configure the specific Virtual Hosts
assigned. Other Virtual Hosts will not be visible.

When the configuration for the Virtual Host administrator is entered properly, the creating administrator
clicks Add New. The new administrator is added to the User Accounts - Manage window.



26 Other Intrusion Defenders
Contents
About DNS Hijack Protection
About Anomaly Detection

About DNS Hijack Protection


Email Gateway's Program Integrity and Filesystem Integrity tests (Mail-IPS | System Level), run daily as
well as on demand, ensure that administrators know in a timely fashion if hackers have added, deleted, or
tampered with any files on the Email Gateway appliance. DNS Hijack Protection extends that protection to
the enterprise DNS server by comparing the known, good MX and A record information on the DNS servers
with the MX and A record information Email Gateway has cached locally on disk. If the MX or A records on
the DNS server ever change from what Email Gateway expects them to be, the administrator is
immediately notified. Email Gateway can perform this DNS query and comparison every time Health
Monitor performs its tests.
To configure DNS Hijack Protection, navigate to the configuration window. This window allows you to enable
and configure the service.
Figure 248 DNS Hijack Protection - Configure window

There are three configuration options for DNS Hijack Protection:

Table 248 DNS Hijack Protection - Configure fields

Disable DNS Hijack Protection: When Email Gateway is initialized during initial installation, DNS Hijack
Protection is disabled by default. However, since there is virtually no performance overhead to the system
with it enabled, it is recommended that this be enabled. If the service is enabled, you must specify
immediately below whether to obtain just the mail servers' MX records, or both MX and A records, and
specify the DNS servers from which it will get them.

Enable DNS Hijack Protection (MX Record only): This option will obtain and locally store the MX (mail
exchange) record information for each mail server. When you have clicked this option and clicked Submit,
DNS Server radio buttons and a Get Snapshot button appear immediately below.

Enable DNS Hijack Protection (A Records also): This option will obtain and locally store the MX (mail
exchange) record and A record information for each mail server. When you have clicked this option and
clicked Submit, DNS Server radio buttons and a Get Snapshot button appear immediately below.

After making the selection, click Submit. Then specify the server preference to be configured.


Figure 249 DNS Hijack Protection - Configure window expanded

Table 249 DNS Hijack Protection - Configure additional fields

Use Email Gateway Default DNS Server: Click this option to retrieve the MX/A records from the DNS
server(s) identified in System | Configuration | Email Gateway. (The IP addresses of up to three DNS
servers were provided during the Initial Configuration Wizard when Email Gateway was first installed.
These are the default DNS servers.)

Specify DNS Server: Click this option to specify DNS servers other than those identified in System |
Configuration | Email Gateway. When clicked, three input fields are immediately displayed. Type the IP
addresses of up to three alternate DNS servers.

After DNS Hijack Protection is enabled, a snapshot of the MX and A records and IP address on the DNS
server for each domain Email Gateway proxies must be captured. Email Gateway will store this information
in its own database and use it to compare the current MX and A records when it checks the DNS server at
the user-defined interval. The DNS Hijack Protection page offers the following options:
Click Get Snapshot to query the DNS server(s) and write the MX and A record information to the Email
Gateway database. Within a few moments the MX information for each domain Email Gateway hosts is
displayed. Email Gateway will now monitor each domain listed in this table for possible DNS Hijacking. If for
any reason it is decided that Email Gateway should stop monitoring the MX information for a domain, select
its Delete checkbox and click Submit.
If the MX and A record of a mail server ever change for a valid reason, remember to update the Email
Gateway database by taking a new snapshot of the DNS records.
Click Submit when done.
If at some future time Email Gateway is configured to host additional mail servers (added in
IntrusionDefender | Mail Routing | Domain-based), return to this page in order to capture a fresh
snapshot of the new mail servers’ MX and A records. When doing so, Email Gateway will re-introduce into
this table MX and A record information for domains that might have been previously deleted. If a domain
was previously removed from DNS Hijack Protection, remember to delete it once again after the new
snapshot is taken.
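The snapshot-and-compare check described in this section, written out as an added example (not Email Gateway's code). The record tables, the resolve() callable and the function names are constructed for the illustration; the records argument mirrors the MX-only versus MX-and-A choice, and excluded holds domains deleted from monitoring.

```python
"""Snapshot-and-compare check in the spirit of DNS Hijack Protection
(added example, not Email Gateway code; all names and data are constructed).

resolve(domain) returns (MX hostnames, A addresses of the mail servers).
take_snapshot() records the known-good values; check_hijack() re-resolves at
each Health Monitor run and reports any domain whose records differ.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Resolver = Callable[[str], Tuple[List[str], List[str]]]

# Constructed record tables standing in for DNS answers (not real hosts).
GOOD_DNS = {
    "example.test": (["mx1.example.test", "mx2.example.test"], ["192.0.2.10", "192.0.2.11"]),
    "mail.example.test": (["mx1.example.test"], ["192.0.2.10"]),
}
# Same zones after an MX change, and after an A-record-only change.
MX_CHANGED = {**GOOD_DNS, "mail.example.test": (["mx.unexpected.invalid"], ["203.0.113.5"])}
A_CHANGED = {**GOOD_DNS, "mail.example.test": (["mx1.example.test"], ["203.0.113.5"])}


def resolver(table: Dict[str, Tuple[List[str], List[str]]]) -> Resolver:
    """Build a resolve() callable from a record table (unknown domain -> no records)."""
    return lambda domain: table.get(domain, ([], []))


def take_snapshot(domains: Iterable[str], resolve: Resolver,
                  records: str = "MX+A") -> Dict[str, dict]:
    """Store the known-good MX (and, for "MX+A", A) records of each hosted domain."""
    snapshot = {}
    for domain in domains:
        mx, a = resolve(domain)
        entry = {"MX": sorted(mx)}
        if records == "MX+A":
            entry["A"] = sorted(a)
        snapshot[domain] = entry
    return snapshot


def check_hijack(snapshot: Dict[str, dict], resolve: Resolver,
                 excluded: Iterable[str] = ()) -> Dict[str, Tuple[dict, dict]]:
    """Re-resolve every monitored domain; return {domain: (expected, observed)} where they differ."""
    skip = set(excluded)
    findings = {}
    for domain, expected in snapshot.items():
        if domain in skip:
            continue
        mx, a = resolve(domain)
        observed = {"MX": sorted(mx)}
        if "A" in expected:          # compare A records only when the snapshot holds them
            observed["A"] = sorted(a)
        if observed != expected:
            findings[domain] = (expected, observed)
    return findings


def alert_lines(findings: Dict[str, Tuple[dict, dict]]) -> List[str]:
    """Render findings as one-line notifications for the administrator."""
    return [f"DNS change for {d}: expected {exp}, observed {obs}"
            for d, (exp, obs) in sorted(findings.items())]
```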

About Anomaly Detection


Anomaly Detection is a heuristic engine that examines patterns of email traffic in a network. It is email
message characteristic-aware — that is, it recognizes when specific email characteristics have been seen in
the network over a period of time. Administrators can configure the Anomaly Detection Engine (ADE) to
issue alerts or create rules that act on future messages when specific patterns of email are detected.


The heuristic is based on thresholds where time, frequency, and email characteristics converge. That is, if a
specified number of emails with the defined characteristic(s) enter the network within the designated
window of time, ADE can create a rule that takes an action on all future messages with that characteristic,
or send an email notification to the administrator.
Anomaly Detection is an historical, not a real-time, analysis of events—it does not process messages like
Email Gateway Queue Services. That is, at an administrator-defined interval, it looks in the Email Gateway
database that stores information about all the email it processed since it last ran its check. If a threshold
was reached during the previous period of time, Email Gateway will either generate an alert message or
create a rule, depending on the ADE’s configuration.

Configuring Anomaly Detection


The Anomaly Detection Services - Configure page allows you to select start, stop, and auto-start options,
as well as set a logging level for the service.
Figure 250 Anomaly Detection Services - Configure window

Table 250 Anomaly Detection Services - Configure fields

Service: The first column contains the service name, which is Anomaly Detection Engine.

Auto-Start: A check mark in this column indicates the service is configured to be restarted automatically
if Health Monitor finds it has stopped. A red X indicates the service will not be restarted. Clicking the icon
toggles auto-start on and off.

Running: A green light icon in this column indicates the service is currently running. A red icon indicates
it is not running. Clicking the icon will start or stop the service.

System Uptime: This column shows the elapsed time in days, hours, minutes and seconds the service has
been running since it was last started.

Clicking the service name hyperlink opens the Anomaly Detection Engine Configuration window. The only
configuration possible on this window is setting the log level to determine how much detail will be entered
into the logs when anomalies are detected.
Figure 251 Anomaly Detection Engine Configuration window

Creating anomaly rules


The rules created here are, in a sense, queries that look for and then respond to the types of email events
identified in the table below. Queries based on some message characteristics are only capable of creating
rules that generate alert messages. Queries based on other characteristics can create rules that take an
action on future occurrences of a message-type. Among the characteristics that allow actions, there is
some variation: some allow the ability to Rename Subject Line, Quarantine, or Drop, while others only
allow Drop actions.


Figure 252 Anomaly Detection - Create Rule window

Create an anomaly detection query by selecting a type of email event’s checkbox and entering values for
Detection Period and Threshold Value.
Note: If more than one email event is selected, Email Gateway can only generate an alert—actions are not
allowed when an ADE rule is based on multiple events.

Table 251 Anomaly Detection - Create Rule fields

Anomaly: The list of conditions that can trigger rules shows in this column. Each anomaly is preceded by
a checkbox that can be used to select that anomaly to be included in the rule.

Detection Period (in Minutes): Type a number (from 6 to 9999) representing how often, in minutes, the
ADE should wake up to review all email that Email Gateway processed while it slept. For example, if the
detection period is 60 minutes, ADE will wake up and examine all messages received during each previous
hour. If it finds the specified number of occurrences of the selected event-type, it will send an alert or
create a rule when further messages of that type enter the network. The detection period must be greater
than five minutes. Periods of five minutes or less will not work.

Threshold Value: Type a number (from 1 to 9999) representing a threshold or minimum number of
email-types that must be detected in order for an alert to be generated or an action to be taken when
additional instances occur. For example, if the threshold is 100, Email Gateway will wake up and examine
all messages received during each previous sleep-cycle. If it finds at least 100 instances of the selected
event-type, it will send an alert notifying you that the anomaly threshold has been reached or create a
rule so that when future instances of the anomaly occur, Email Gateway will perform an action on them.

Rule configuration: The data fields below allow you to configure rules that scan messages for the
anomalies you selected above.

Select Alert Type: Select the type of alert to be sent whenever this rule is triggered.

Select Action Type: Select the desired action Email Gateway should take when the rule is triggered. If
more than one anomaly has been selected for the rule, Email Gateway cannot take action; it can only send
alerts.

Choose Quarantine Type: If the chosen action is Quarantine or Remote Quarantine, select the appropriate
quarantine type from the pick list.

Action Data: Some actions require you to supply additional data, such as an email address or a number
of days for quarantine. Type any such information in the data field.

Rule Name: Type a unique name for the rule being created.

When you have completed the configuration data, click Submit. The window will refresh to acknowledge
your addition.
Your new rule will appear in the Anomaly Detection - View Rules list.
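The wake-up, count and threshold logic described for the ADE, as an added example (not Email Gateway's code). The message log, the characteristic labels and the rule names are constructed; one assumption is made beyond the text, namely that a message counts toward a multi-anomaly rule only when it shows every selected anomaly.

```python
"""Threshold evaluation in the style of the Anomaly Detection Engine
(added example, not Email Gateway code; data and names are constructed).

A constructed log holds (minutes since midnight, characteristics seen).
An AdeRule names the anomalies to watch, a detection period (6-9999 minutes)
and a threshold (1-9999). Each wake-up counts matching messages from the
previous period only; reaching the threshold yields an alert, or an action
rule when the ADE rule is based on a single anomaly (multi-anomaly rules can
only alert). Assumption: a message matches a multi-anomaly rule only when it
shows every selected anomaly.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AdeRule:
    name: str
    anomalies: FrozenSet[str]
    period_min: int
    threshold: int
    action: Optional[str] = None  # "Rename Subject Line", "Quarantine", "Drop"

    def __post_init__(self) -> None:
        if not 6 <= self.period_min <= 9999:
            raise ValueError("detection period must be 6-9999 minutes")
        if not 1 <= self.threshold <= 9999:
            raise ValueError("threshold must be 1-9999")
        if self.action and len(self.anomalies) > 1:
            raise ValueError("a rule on multiple anomalies can only alert")


# Constructed message log: (minutes since midnight, characteristics seen).
LOG = [
    (10, {"sender:bulk@example.test"}),
    (70, {"attachment:exe"}),
    (85, {"attachment:exe", "sender:bulk@example.test"}),
    (95, {"attachment:exe"}),
    (119, {"attachment:exe"}),
    (125, {"attachment:exe"}),
]


def matches(rule: AdeRule, characteristics) -> bool:
    """True when the message shows every anomaly the rule selects."""
    return rule.anomalies <= set(characteristics)


def evaluate(rule: AdeRule, log, wake_time: int) -> Tuple[Optional[str], int]:
    """One ADE wake-up at wake_time: examine the previous detection period only.

    Returns ("alert" | "rule" | None, count): None below the threshold, "rule"
    when a single-anomaly rule with an action reaches it, "alert" otherwise.
    """
    start = wake_time - rule.period_min
    count = sum(1 for t, chars in log
                if start <= t < wake_time and matches(rule, chars))
    if count < rule.threshold:
        return None, count
    return ("rule" if rule.action else "alert"), count


def action_for(rule: AdeRule, characteristics) -> Optional[str]:
    """Action the created rule applies to a later message (None for alert-only rules)."""
    return rule.action if rule.action and matches(rule, characteristics) else None


EXE_BURST = AdeRule("exe-burst", frozenset({"attachment:exe"}), 60, 3, "Quarantine")
BULK_EXE = AdeRule("bulk-exe",
                   frozenset({"attachment:exe", "sender:bulk@example.test"}), 30, 1)

if __name__ == "__main__":
    print(evaluate(EXE_BURST, LOG, 120))  # ('rule', 4)
    print(evaluate(BULK_EXE, LOG, 90))    # ('alert', 1)
```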

Showing anomaly rules


The Anomaly Detection - View Rules window displays all rules that have been created, showing their
detection period, threshold, alert type, action, and action data. Edit any of the rule parameters as desired
by entering new values.
Figure 253 Anomaly Detection - View Rules window

Table 252 Anomaly Detection - View Rules fields

Rule Name: The rule name appears at the top of the Anomaly column. The name is not editable.

Disable: If you want to disable the rule so that it is not used in scanning messages, click this radio
button.

Delete: Clicking this radio button will cause the rule to be deleted from the table when you click Submit.

Anomaly: This column lists the specific anomalies that are included in this rule.

Detection Period (in Minutes): This column shows, for each anomaly, the period of time ADE will use to
monitor the number of occurrences of this anomaly to see if the threshold value is reached.

Threshold Value: The number displayed here represents the number of occurrences of the anomaly within
the detection period required to trigger the rule.

Alert Type: The kind of alert that will be generated in response to this anomaly shows in this column.

Action: If action is configured for this anomaly, that action will be listed in this column.

Quarantine Type: If Quarantine or Remote Quarantine is the selected action, the quarantine type will show
here.

Action Data: Any action value required for the selected action will be displayed in this column.



SECTION 8

Reporting

Chapter 27, Reporting

Chapter 28, Message Archives

Chapter 29, Alert Manager

Chapter 30, Advanced Reporting


27 Reporting
Contents
About reporting
The Reports window
Viewing reports

About reporting
Email Gateway reporting and monitoring tools are what make Email Gateway such a robust and usable
appliance. Through its logs, administrators can determine exactly which Email Gateway processes
examined a message, and indeed whether or not Email Gateway even received the message. When an
Email Gateway policy acts upon a message, the reports and logs will describe exactly which condition of
the policy caused Email Gateway to act.
In addition to reporting on Email Gateway internal message-processing, this program area also contains
Health Monitor — a subsystem that examines all other core application subsystems, as well as hardware, to
ensure that the appliance is operating as designed. And on the belief that Email Gateway cannot truly
protect an enterprise’s email system if the appliance, itself, is vulnerable, an Alert Manager can be
configured to generate email, pager, or SNMP trap alerts to the administrator whenever Health Monitor
detects that Email Gateway is not performing as designed.

The Reports window


When you log onto the Reporting program area, the opening window is the Reports window. This window
lists the Email Gateway reports and briefly describes them. Each Report Name is a hyperlink that opens a
more detailed page about the specific report, revealing recent history and allowing you to review or transfer
reports.


Figure 254 Reports window

The report lists are scrollable, allowing you to see a complete listing of all Email Gateway reports. Clicking
any report hyperlink reveals details.
The reports are divided into two groups, based on their format. Both PDF and HTML reports are available.
You can select reports of either type and view them, or transfer them to file locations of your own choosing
using the buttons on each window. Samples of both report formats are shown below.

Viewing reports
Some detail screens offer lists of reports that can be viewed or downloaded. This is specifically true of the
HTML report screens.
Figure 255 Reports window, selecting an HTML report

When you select a specific report, listed by date, and click the View hyperlink, the report for that date will
display. Some detail screens, particularly among the PDF reports, present graphic information.


If you would like to change the time period that is represented by the report, click the Select Interval
button at the top of the window. Fields will appear that allow you to specify a new date range, then get that
report.
When you click Get Report, the report window refreshes. You can view the report you requested, using the
new interval, by clicking the View link.
Note: When you view reports like the Overall Compliance Summary Report, where both summary and detailed
action information displays, the total message count for all messages processed (summary) might not match the
total for messages processed by each queue (detailed). One message can trigger action in more than one queue,
which shows in the detailed report.



28 Message Archives
Contents
Configuring Message Archives
Applying Message Archiving

Configuring Message Archives


Email Gateway allows you to store email messages as required. The Message Archive Target - Manage
window displays the existing Archive Targets for this Email Gateway.
Figure 256 Message Archive Target - Manage window

Selecting “Enable Global Archive” reveals a drop-down list showing available targets.

Table 253 Message Archive Target - Manage fields

Message Archive Target: The upper portion of the window allows you to configure Global Archiving.

Enable Global Archive: Select the checkbox to enable Email Gateway to archive all messages it processes.
If Global Archive is not enabled, you can still archive specific messages. Non-global archiving is generally
configured on the Add New Rule screens of Email Gateway features. More information is provided in this
chapter.

Select Target: If you enable Global Archive, the Select Target drop-down list is enabled as well. Select
from the list the configured Target Name Email Gateway should use for global archiving. Only targets
configured for the Scheduled method will be included in the list.

Configured Archive Targets: The lower portion of the window lists all Archive Targets for either method
(Scheduled or Immediate) that have been configured for this Email Gateway.

ID: This column shows the unique system-generated ID number for each configured Target. The number is
also a hyperlink that will allow you to edit an existing target.

Target Name: The name provided when each target was created displays in this column.

Method: This column will contain the archiving method for each target. Options are:
• Scheduled: messages archived by this method will be sent to the archive target on a pre-defined
schedule (once every defined number of hours).
• Immediate: messages archived using this method will be sent to the archive target as soon as they
are processed.

Type: The transferal method for each target appears in this column. Options are:
• FTP for scheduled archiving (Global or other scheduled archival)
• SCP for scheduled archiving (Global or other scheduled archival)
• IP for immediate archival.

Delete: Selecting the Delete checkbox and subsequently clicking Submit will cause the selected target to
be deleted.

If you have selected a new target or set a target for deletion, click Submit to record your selection.

Adding an archive target - scheduled


To add a new Archive Target, simply click Add New at the bottom of the Message Archive Target - Manage
window. The Message Archive - New window will appear.
Figure 257 Message Archive - New window

Table 254 Message Archive - New fields (scheduled archiving)

Target Name: Provide a unique name for the new Archive Target in the data field.

Archive Method: Select Scheduled from the drop-down list.

Type: Select the type of archive method Email Gateway should use when transferring the messages:
• SCP: Select SCP to transfer the file securely using the SCP protocol. An SCP server must be
configured and running on the archive machine.
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. The FTP
server must be configured and running on the archive server. Email Gateway issues a passive FTP
command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the
filename.

Hostname: Type the hostname (fully qualified domain name) for the server where the archives will be
stored.

Path: Type the complete path, on the server identified above, where the archives will be stored.

Frequency (Hours): Select the frequency with which Email Gateway is to archive the messages. Specific
intervals between 1 and 24 hours are available.

User Name: Type the user name for a user who has FTP/SCP permissions.

Password: Type a valid password for the user identified above.

Confirm Password: Confirm the password by entering it a second time.

When the configuration parameters are complete, click Submit. The Message Archive Target - Manage
window will refresh to add your new target.

Adding an archive target - immediate


To add an Immediate Archive Target, click Add New at the bottom of the Message Archive Target -
Manage window. When the Message Archive - New window appears, select Immediate as the Archive
Method.
Figure 258 Message Archive - New window

Table 255 Message Archive - New fields (immediate archiving)

Target Name: Provide a unique name for the new Archive Target in the data field.

Archive Method: Select Immediate as the method for the target.

Type: Select either IP or Email as the transmission type for this target.

IP Address or Email Address: Type the IP address or the email address to which archival messages
should be sent for this target.

X-Header Name: Type a unique name to identify the type of x-header Email Gateway should add to the
message header for any message archived to this target.

X-Header Value: Type the actual x-header text that will appear in the message header.

When the configuration parameters are complete, click Submit. The Message Archive Target -Manage
window will refresh to add your new target.

Editing a message archive


You can edit Archive Targets of either type. Begin by selecting either the ID or the Target Name of the
specific target on the Message Archive Target - Manage window. The Message Archive - Edit window will
appear. The Edit window for each type of Archive Method is identical to the Add New window for that
method. You can make the necessary changes to the configuration, then click Submit to save the new
configuration.


Applying Message Archiving


Email Gateway provides flexibility in configuring the archiving of messages. You can choose to archive
every message processed by enabling Global Archive functionality, or you can archive only those messages
that trigger specific rules.

Global archiving
If Global Archive is enabled on the Message Archive Target - Manage window, Email Gateway will save a
copy of all inbound and outbound messages to disk. At the frequency specified for the Archive Target
selected for global archiving, it will create a zipped file of all the messages processed since the last archival
interval. Email Gateway can then transfer them via SCP or FTP to a destination server.

Rule based archiving


Whether Global Archive is enabled or not, Email Gateway also provides the ability to archive specific
messages. This functionality is configured on the Add New Rule screens of various Email Gateway features.
If rule based archival is possible for a rule, the bottom of the associated Add New Rule window will provide
parameter settings to allow you to configure the archiving.
By enabling specific archiving in this way, you instruct Email Gateway to archive every message that
triggers the associated rule. This archiving can be done on a scheduled basis or on an immediate basis, as
determined by the Archive Target you select.
You can verify your archiving configuration for each applicable feature on the associated Manage Rules
window.

29 Alert Manager
Contents
About alerts
About alert classes
About alert mechanisms
Adding an alert mechanism
The Alert Viewer

About alerts
Email Gateway continuously monitors its core subsystems, as well as its ability to communicate with
internal mail servers. If any part of Email Gateway functionality fails to perform as designed, Email
Gateway will generate an alert. The alerts, by themselves, don’t do anything. Rather, the Alert
Manager—which processes all Email Gateway-generated alerts—must be configured to send them to an
administrator.
Email Gateway alert management is configured on the basis of two categories of information:
• Email Gateway subsystems: The Email Gateway application is comprised of core subsystems. Each one
is designed to generate alerts when anomalous conditions are experienced. Administrators will create
logical groupings of these subsystems.

• Alert Levels: Email Gateway is designed to look for specific types of problems—such as a subsystem
stopping unexpectedly, or restarting after it was stopped. There are a finite number of anomalies that
Email Gateway can report on (see Appendix A). Each anomaly can be assigned one of seven alert levels
according to the degree of criticality of the problem.

Email Gateway administrators will create an alert mechanism (email, pager, SNMP trap) for any or all of the
alert levels, for each grouping of subsystems they have created.
The possible alerts Email Gateway can send are as follows:
• Information: This alert is for information only. No problem exists. It reports, for example, that an SNMP
heartbeat has been sent.

• Notification: This alert is slightly more important than information. It reports information about an Email
Gateway process or service. For example, it reports that an anti-virus update has been received.

• Warning: A warning should get your attention. It implies that administrative action is warranted. For
example, Email Gateway generates a warning when a Denial of Service attack has been detected.

• Error: An error is serious. Email Gateway generates error messages when a single process is not
performing as intended. For example, it generates an error alert if it detects that Email Gateway Content
Analysis Queue stops processing messages.

• Critical: A critical alert is even more serious. Email Gateway generates this alert when an error affects
the entire appliance. It reports, for example, when Email Gateway cannot reach a DNS server.

• Shutdown: This alert is reserved for future functionality.

• Restart: This alert is reserved for future functionality.

About alert classes


The Alert Class - Manage window allows you to define groups of related services. Groups can be added,
edited and deleted, and services can be assigned and reassigned to groups through this functionality.
Figure 259 Alert Class - Manage window

By default, Email Gateway starts with one logical grouping, or class, of subsystems: Common. You can
create any logical grouping of services that serves your needs. Individual services or subsystems can be
moved from one grouping or class to another, and classes can be deleted altogether. The purpose of
creating classes of subsystems is to be granular in terms of which alert notifications are received. When the
classes have been added, Alert Levels can be configured for them using the Alert Mechanism function.
If a subsystem is deleted from a group and not added to another, Email Gateway will automatically create
(or recreate) a class named Common and place the unassigned subsystem there. Alerts that might be
generated by a subsystem in the Common class are not delivered to an administrator unless an alert
mechanism for the Common class is created.

Adding an alert class


To add a new class, click the Add New Alert Class button at the bottom of the window.
Figure 260 Alert Class - Add window

To add the new class, type the name for the class in the New Alert Class data field, then select from the
scrolling list one or more services to be included in the class. Click Add when the selection is finished. The
window will refresh. You can repeat the process until you have the set of classes necessary for your system.


Editing an Alert Class


You can also edit an existing class. Begin by clicking the class name hyperlink.

Table 256 Alert Class - Manage fields

Service: This column shows the current list of subsystems assigned to this class.
Delete: Checking the Delete checkbox for any subsystem will delete it from the class. The subsystem will go back to the default (Common) class.
Assign Services: The column displays all services; select one or more of them to be added to the class.
Alert Class: The name of the Alert Class being edited appears at the bottom of the window. The name is not editable.

When you have completed the desired changes, click Submit. The Alert Class - Manage window will
refresh, showing your new configuration.
You can delete an entire class from the list by checking Delete for all the services and clicking Submit. A
confirmation alert will appear; click OK to complete the deletion. All the services will go back to the default
(Common) class.
After the Alert Classes have been created, create the Alert Mechanism for each class to determine how
alerts will be delivered.

About alert mechanisms


The Alert Mechanism - Manage page is where Alert Manager is configured to send alerts to you by email,
pager, or SNMP traps. An alert mechanism must be configured for each level of alert, and for each group or
class of Email Gateway subsystems for which you want notification. For example, if administrators want to
be notified whenever the SMTPO Service stops performing (reported as an Error alert by Email Gateway),
an Error email, pager, or SNMP alert mechanism must be configured for the class that contains the SMTPO
Service. Conversely, if alert mechanisms for Information alerts are not created for a particular class, no
Information alerts for any subsystem within that class will be sent.
Figure 261 Alert Mechanism - Manage window

The Alert Mechanism - Manage page contains three pick lists allowing configuration of alert notifications,
and displays a table of all configured alert mechanisms.


Table 257 Alert Mechanism - Manage fields

Alert Class: The Alert Class pick list contains the names of all classes of subsystems that have been created. (Email Gateway creates a default Common class to contain unused subsystems.) Select a class from the list, and then select related values in the Alert Type and Notification Type pick lists.
Alert Type: The pick list contains the seven Alert Levels that Email Gateway can generate. Select an alert level from the list. Options are:
• Information
• Notification
• Warning
• Error
• Critical
• Shutdown
• Restart
For each class, select a level or type of alert as well as an Alert Mode.
Alert Mode: The pick list offers three choices for alert delivery:
• Email – one or more email addresses will be required.
• Pager – requires the host name of the server that processes pager messaging, plus one or more pager addresses. (Multiple pager addresses must be separated from each other with commas. Do not include spaces between commas and subsequent addresses.)
• SNMP – requires the host name of the SNMP server, the port number through which communication with it occurs, and the version number of the SNMP application.
Add: Click this button to set up a new Alert Mechanism.
Configured alert mechanisms: The table in the lower part of the window contains information about all the existing alert mechanisms.
Alert Class: This column shows by name all alert classes for which alert mechanisms have been defined.
Alert Type: This column lists the alert type associated with each class.
Server: This column is populated with the server names where the recipient type resides.
User Address: The user address that is to receive the alert shows here.
Delete: Selecting the checkbox and then clicking Submit will cause the alert mechanism to be deleted from the list.

Note: The Common Class will always control the generation of Alerts for sched functions and for license
expiration. These two services are not configurable and cannot be moved from Common. Therefore, if you want
to generate Alerts for sched or for license expiration, you must configure Alert Mechanisms for the Common
Class.
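The routing rules spread over the last few sections (subsystems grouped into classes, unassigned subsystems falling back to Common, one mechanism per class and alert level, sched and license expiration pinned to Common, pager address lists without spaces) can be written down as a small executable model. The block below is an added example and is not code from McAfee or from the appliance; the class name "Mail Services", the subsystem names, and the Mechanism and AlertManager types are assumptions made to make the rules runnable.

```python
"""Model of the Alert Manager routing rules described in this chapter.

Added example, not McAfee code. The class name "Mail Services", the
subsystem names and the Mechanism/AlertManager types are assumptions;
the levels, modes, the Common fallback and the pinned services come
from the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

ALERT_LEVELS = ("Information", "Notification", "Warning", "Error",
                "Critical", "Shutdown", "Restart")
ALERT_MODES = ("Email", "Pager", "SNMP")
DEFAULT_CLASS = "Common"
# These two services always stay in Common and are not configurable.
PINNED_TO_COMMON = frozenset({"sched", "license expiration"})


def split_addresses(text: str) -> List[str]:
    """Split a comma-separated address list the way the UI requires:
    commas only, no spaces between a comma and the next address."""
    if " " in text:
        raise ValueError("separate addresses with commas and no spaces")
    parts = text.split(",")
    if any(p == "" for p in parts):
        raise ValueError("empty address in list")
    return parts


@dataclass(frozen=True)
class Mechanism:
    alert_class: str
    alert_type: str    # one of ALERT_LEVELS
    alert_mode: str    # one of ALERT_MODES
    server: str        # mail, pager or SNMP server host name
    user_address: str  # email or pager address list; unused for SNMP here


class AlertManager:
    def __init__(self, subsystems):
        # Every subsystem starts in the default class, next to the pinned ones.
        self.classes: Dict[str, Set[str]] = {
            DEFAULT_CLASS: set(subsystems) | set(PINNED_TO_COMMON)}
        self.mechanisms: List[Mechanism] = []

    def class_of(self, subsystem: str) -> str:
        for name, members in self.classes.items():
            if subsystem in members:
                return name
        return DEFAULT_CLASS  # unassigned subsystems report under Common

    def assign(self, class_name: str, subsystems) -> None:
        """Create or extend a class; each subsystem leaves its old class."""
        for svc in subsystems:
            if svc in PINNED_TO_COMMON:
                raise ValueError(f"{svc} cannot be moved out of {DEFAULT_CLASS}")
        for svc in subsystems:
            self.classes[self.class_of(svc)].discard(svc)
        self.classes.setdefault(class_name, set()).update(subsystems)
        self._prune()

    def remove(self, class_name: str, subsystem: str) -> None:
        """Delete a subsystem from a class; it goes back to Common."""
        self.classes[class_name].discard(subsystem)
        self.classes.setdefault(DEFAULT_CLASS, set()).add(subsystem)
        self._prune()

    def _prune(self) -> None:
        # A class emptied of all its services disappears; Common always exists.
        for name in [n for n, m in self.classes.items()
                     if not m and n != DEFAULT_CLASS]:
            del self.classes[name]
        self.classes.setdefault(DEFAULT_CLASS, set())

    def add_mechanism(self, mech: Mechanism) -> None:
        if mech.alert_type not in ALERT_LEVELS:
            raise ValueError(f"unknown alert type {mech.alert_type!r}")
        if mech.alert_mode not in ALERT_MODES:
            raise ValueError(f"unknown alert mode {mech.alert_mode!r}")
        if mech.alert_class not in self.classes:
            raise ValueError(f"unknown alert class {mech.alert_class!r}")
        if mech.alert_mode in ("Email", "Pager"):
            split_addresses(mech.user_address)  # reject badly formed lists
        self.mechanisms.append(mech)

    def route(self, subsystem: str, level: str) -> List[Mechanism]:
        """Mechanisms that would deliver an alert of `level` raised by
        `subsystem`; an empty list means it is generated but never sent."""
        cls = self.class_of(subsystem)
        return [m for m in self.mechanisms
                if m.alert_class == cls and m.alert_type == level]


if __name__ == "__main__":
    mgr = AlertManager(["SMTPO Service", "Content Analysis Queue"])
    mgr.assign("Mail Services", ["SMTPO Service"])
    mgr.add_mechanism(Mechanism("Mail Services", "Error", "Email",
                                "mail.example.com", "ops@example.com"))
    for svc in ("SMTPO Service", "Content Analysis Queue", "sched"):
        print(svc, "in", mgr.class_of(svc), "->",
              len(mgr.route(svc, "Error")), "mechanism(s) for Error")
```

route() returning an empty list is the silent-drop case the text warns about: an Error from the Content Analysis Queue, left in Common with no Common mechanism, is generated but reaches nobody. Walking every class and level through route() before going live shows which alerts have no recipient.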

Adding an alert mechanism


To add a new alert mechanism, use the pick lists at the top of the window. Select the class, the type of
alert, and the alert mode. When you click Add, the appropriate secondary window will appear.

Adding an email mechanism


The window shown below illustrates the information required for Email mechanisms. You must supply the
server name and the email address for delivery of the alert notification.


Figure 262 Alert Mechanism - Add window

When you have entered the information, click Submit. The Alert Mechanism - Manage window will refresh
to add your new mechanism.

Adding a pager mechanism


For a Pager notification, you must supply the server name where the pager address is located, and you
must type the user address. When you click Submit, the main Alert Mechanism - Manage window
refreshes.

Adding an SNMP alert mechanism


Adding an SNMP Alert Mechanism requires the same process. Begin by selecting the SNMP Alert from the
drop-down lists on the Alert Mechanism - Manage window. For this mechanism, you must supply the server
name as before, plus the SNMP version to be used and the port over which the alert will be transmitted.
When you click Submit, the window will refresh.
For details about the alerts sent by Email Gateway, see Appendix A.

The Alert Viewer


The Alert Viewer window presents an on-window view of all the alerts Email Gateway has generated during
the past three hours.
Figure 263 Alert Viewer window


Table 258 Alert Viewer fields

ID: This column displays the internally-generated ID number of each alert. The ID number is also a hyperlink that opens a secondary browser window displaying details of the alert.
Class: This column displays the name of the class that contains the subsystem that generated the alert. The Class column heading is also a hyperlink, allowing you to sort the contents of the Alert Viewer table by class in ascending and descending order.
Type: This column identifies the level of the alert. The Type column heading is also a hyperlink, allowing you to sort the contents of the Alert Viewer table by alert level in ascending and descending order.
Received Date: This column identifies the timestamp when the alert was generated. The Received Date column heading is also a hyperlink, allowing you to sort the contents of the Alert Viewer table by Received Date in ascending and descending order.
Sent Date: This column identifies the timestamp when the alert was delivered. The Sent Date column heading is also a hyperlink, allowing you to sort the contents of the Alert Viewer table by Sent Date in ascending and descending order.
Status: This column identifies the “status” of the alert, and will display one of three values:
• New: This is a new alert for which delivery has not been attempted.
• Delivered: Email Gateway successfully delivered the alert.
• Not Delivered: Email Gateway has not yet delivered the alert.
The Status column heading is also a hyperlink, allowing you to sort the contents of the Alert Viewer table by Status in ascending and descending order.
Navigation: At the lower right of the window you will find data fields and navigation arrows that will help you move through multiple pages of alerts.

When the alert ID hyperlink in the Alert Viewer table is clicked, the message line on the window expands,
displaying information about the alert.

30 Advanced Reporting
Contents
About Reports configuration
SNMP polling
About Email Gateway logs
Mail flow logs
General logs
Configuring logs
Configuring Syslog

About Reports configuration


Email Gateway generates a variety of reports informing you of all Email Gateway activity. The reports
cover two broad categories: the email that Email Gateway processes, and Email Gateway internal activity.
Email activity can be viewed either as summaries or as detailed reports. The summaries show the top
senders and receivers during a 24-hour period, who sent or received the most mail by volume (in
megabytes), who sent or received the most encrypted messages, and so forth. Of particular interest to
administrators is the summary report that provides spam statistics needed for decisions in a concise and
easily understandable form.
All reports will be automatically sent to the recipient or recipients whose email addresses are specified if
Email Gateway is configured to do so. In addition, Email Gateway will generate, “on demand,” a report
detailing every email policy that has been created. That is, you can view which Content Analysis
“dictionaries” have been created and are in use, to whom Envelope Analysis policies have been applied, and
so forth.
You can configure the reports that Email Gateway will generate and the disposition of the reports on the
Reports - Configure window.


Figure 264 Reports - Configure window

Table 259 Reports - Configure fields

FTP/SCP Configuration: The top panel of the window is used to configure transfer and archiving for all reports.
Archive Method: Select an archive method Email Gateway should use when transferring the Reports:
• SCP: Select SCP to transfer the file securely using the SCP protocol. An SCP server must be configured and running on the archive machine.
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. The FTP server must be configured and running on the archive server. Email Gateway issues a passive FTP command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the filename.
Hostname: Type the host name of the archive server.
User Name: Type a valid username with SCP or FTP privileges.
Password: Type a valid password.
Confirm Password: Confirm the password by entering it again.

Path: Type the path string to the location on the archive server where Email Gateway should transfer the Reports. The relative path must be entered—that is, the starting point or subsequent directory below which the user account has access privileges. Examples are: /Email Gateway or ./Email Gateway (the two are functionally identical). Some Windows FTP servers cannot translate forward slashes ( / ) to back slashes ( \ ) on the fly. In those cases, back slashes are required as path delimiters.
Schedule Time: Select from the Hour and Minute pick lists a time when Email Gateway should automatically transfer the Reports. It is recommended that administrators choose a transfer time after 4 AM to allow enough time for the reports to run and roll over the previous day's logs.
Compress at Size: Type a number to represent, in MB, the size at which Email Gateway will compress reports to save disk space.
Top N users to be displayed: Type a number to determine how many users will be displayed in each report (for example, the top 10 or 15).
Treat action LOG as: When an action of LOG is triggered, how should the messages that triggered the action be represented in the Executive Report: as good or bad?
Connection to Message Ratio: Select the ratio of messages to connections for the Message Blocking report. If you select the Admin Defined ratio, you can set the ratio to any number from 1 to 100 messages per connection. Options:
• Industry Standard - the ratio is automatically set to 4 messages per connection.
• Admin Defined - you can set your own ratio.
The Reports List: The lower portions of the window are used to configure the individual reports.
Report Name: This field in each block contains the name of the report being configured. See the list of report descriptions included below.
Options: Some reports have an associated Options list. If this list is present, select the option you prefer for this report.
Details - this option specifies that the report will show details of activity, but will not include the records that triggered activity.
Details and Records - this option configures the report to include both the details and the associated records.
Action: The Action pick list offers three options:
• Disable: When disabled, the report is not generated.
• Create: When selected, Email Gateway generates the report but does not automatically send it by email. The report can be viewed in the Web Administration interface, and can automatically and/or manually be transferred to an archive server via the SCP or FTP protocols.
• Create and Email: When selected, Email Gateway generates the report and emails it to specified users. The report can also be viewed within the Web Administration interface, and can automatically and/or manually be transferred to an archive server via the SCP or FTP protocols.
Transfer FTP/SCP: If the report is to be transferred (archived), select the checkbox.
Delete: Select the checkbox and click Submit to delete the report.
Hostname: Type the host name or the IP address of the server to which the reports are to be sent.
Email Address(es): The Email Address(es) input field is disabled unless Create and Email was selected in the Action column. Multiple email addresses can be entered, with each address separated by a comma. (Do not include spaces between commas and subsequent email addresses.)
Run Now: The four policy configuration reports shown in the top panel of the reports list can be run on demand. These reports show the current configuration of the specified policies in Email Gateway.

When the information has been properly entered, click Submit to implement the configuration.


Report descriptions
Email Gateway can produce the following reports, if configured to do so. The following tables show the
HTML reports and the PDF reports you can configure:

HTML reports
Table 260 Email Gateway HTML reports

Executive Report: Summarizes total messages inbound and outbound, plus blocked messages inbound and outbound, for the day, week, month, quarter and year. Useful in identifying trends.
Incoming Report: Provides totals and averages of inbound messages for one day, plus Top Ten statistics for key concepts.
Secure WebMail Report: Provides totals and averages, session counts, connection denials, and so forth, for WebMail Protection.
Mail IDS Report: Shows the results of Email Gateway intrusion monitoring and activity, password strength, denial of service protection, program and filesystem integrity, and so forth.
Policy Compliance Report – AV Keyword Blocking: Policy Compliance Report for AV Keyword Blocking.
Outgoing Report: Provides totals and averages of outbound messages for one day, plus “Top Ten” statistics for key concepts.
Policy Compliance Report – Detailed: Shows in detail every action that Email Gateway executed on any message because of an email policy.
Policy Compliance Report – GLBA: Shows in detail every action that Email Gateway executed because of an email policy configured to protect GLBA compliance.
Policy Compliance Report – HIPAA: Shows in detail every action that Email Gateway executed because of an email policy configured to protect HIPAA compliance.
Policy Compliance Report – SOX Financial: Shows in detail every action that Email Gateway executed because of an email policy configured to protect SOX-Financial compliance.
Policy Compliance Report – Summary and Statistics: Presents information about the top 20 email policies Email Gateway enforced, and the users who were impacted by them.
Policy Compliance Report – User Based: Presents the actions Email Gateway executed, but sorts the results by the individual users affected by the policies.
Policy Configuration Report: Shows a detailed listing of all rules that have been created, sorted by functional area. This report can be run at your discretion.
Policy Configuration Report – GLBA: Shows a detailed listing of all rules that have been created, applicable to GLBA compliance.
Policy Configuration Report – HIPAA: Shows a detailed listing of all rules that have been created, applicable to HIPAA compliance.
Policy Configuration Report – SOX Financial: Shows a detailed listing of all rules that have been created, applicable to SOX Financial compliance.
System Defined Policies Report: Displays currently enabled system-defined policies and the results of their enforcement, sorted by functional area.
Vulnerability Assessment: Shows the results of a Vulnerability Assessment (defining vulnerabilities to intrusion, and so forth), for a single IP address. Vulnerability Assessments can be run at your discretion.

PDF reports
Table 261 Email Gateway PDF reports

Anti Fraud Summary: Displays Email Gateway's actions against fraud and phishing attacks.
Anti Zombie Summary: Displays Email Gateway's results in protecting the email network from zombie attacks.
Compliance Action Details: Displays a graphical view of actions taken by the Compliance Queue in a time interval.
Compliance Category Summary: Displays Corporate Compliance action counts by category.
Domain Executive Summary: Domain Based Executive Summary Report.
Executive Summary: Displays a graphical view of the number of messages processed by Email Gateway.
Message Blocking Report: Displays Message Blocking activities.
Overall Compliance Summary: Displays a graphical view of messages processed by the Compliance Queue in a time interval.
Overall Encryption Summary: Displays a graphical view of messages processed by the Encryption Queue in a time interval.
Overall Spam Summary: Displays a graphical view of messages processed by the Spam queue in a time interval.
Overall Virus Summary: Displays a graphical view of messages processed by the Virus Queue in a time interval.
Spam Action Summary: Displays a graphical view of actions taken by the Spam Queue in a time interval.
Spam Effectiveness: Spam Effectiveness report on a group of users.
Top Spam Lists: Displays the number of spam messages received from the top sending individuals, sending hosts, and recipients, sorted by the number of messages. Also displays the number of spam messages released and reported by the top users, sorted by the number of messages.
Top Virus Signatures: Displays the top virus signatures blocked by each licensed virus engine in a time interval.
User Spam Summary: Displays a graphical view of messages released by end users from quarantine and reported by end users as spam in a time interval. The spam notification cleanup interval should be set greater than 24 hours for data to be available for this report.
Virus Action Summary: Displays a graphical view of actions taken by the Virus Queue in a time interval.
Virus Signature Engines: Displays the number of messages detected as sweep error, password protected, or virus-infected by a licensed virus engine in a time interval, for inbound and outbound message flow.

CSV reports
Email Gateway can generate a daily comma-separated values (CSV) text file that records the
From, To, Size, Date, Time, and every action Email Gateway performed on every message processed that
day. While the daily Incoming and Outgoing Reports only show totals and top 10s for each day, this report
lists every single email that was processed. This file is a data dump showing every action Email Gateway
took on a message—whether actions were taken because of an email policy, or if messages were delivered
with no action taken. Because this file contains so much data, CSV files can easily reach 50-100MB in size
in high mail-volume environments. Administrators are cautioned, therefore, to configure the cleanup
schedule for Log Files data so that these files do not remain on Email Gateway disk longer than three or
four days (See System | Cleanup Schedule | “Reports data”).
Note: The Policy Compliance Report - Detailed must be enabled before you can configure and generate the CSV
reports. The following window allows you to configure the reports.


Figure 265 CSV Reports - Configure window

Email Gateway can transfer CSV files to an archive server, either manually or automatically. If archive
server information is provided in the FTP/SCP Configuration input fields at the top of the page and the
Transfer checkbox is selected in the table below, Email Gateway will automatically transfer the file at the
specified hour. When the Archive Information input fields are left blank, or if the Transfer checkbox is
deselected in the table below, CSV Reports can be manually transferred by entering archive server
information in the secondary browser window that appears after clicking the Show all files hyperlink.

Table 262 CSV Reports - Configure fields

FTP/SCP Configuration: The top portion of the window is used to configure the archiving of the daily CSV reports.
Archive Method: Select an archive method Email Gateway should use when transferring the Reports:
• SCP: Select SCP to transfer the file securely using the SCP protocol. (An SCP server must be configured and running on the archive machine.)
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. (The FTP server must be configured and running on the archive server.) Note that Email Gateway issues a passive FTP command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the filename.
Hostname: Type the host name of the archive server.
User Name: Type a valid username with SCP or FTP privileges.
Password: Type a valid password.
Confirm Password: Confirm the password by entering it again.
Path: Type the path string to the location on the archive server where Email Gateway should transfer the Reports. The relative path must be entered—that is, the starting point or subsequent directory below which the user account has access privileges. Examples are: /Email Gateway or ./Email Gateway (the two are functionally identical). Bear in mind that some Windows FTP servers cannot translate forward slashes ( / ) to back slashes ( \ ) on the fly. In those cases, back slashes are required as path delimiters.
Schedule Time: Select from the Hour and Minute pick lists a time when Email Gateway should automatically transfer the Reports. It is recommended that administrators choose a transfer time after 4 AM to allow enough time for the reports to run and roll over the previous day's logs.
File Information: The lower portion of the window provides configuration information for the individual reports.
File Name: This field contains the name of the report being configured.
Action: Enable or disable creation of the CSV Report by selecting the appropriate value from the pick list. Options are:
• Create – Email Gateway will create the CSV report, or
• Disable – the CSV Report will not be created.
Transfer FTP/SCP: If the report is to be transferred (archived), select the checkbox.
Delete: Selecting the checkbox and subsequently clicking Submit will cause the report to be deleted.
Show all files: Clicking this link opens a window that lists all CSV files that have not yet been deleted according to the Cleanup Schedule.

The Show all files window contains the following information.

Table 263 CSV show all files fields

FTP/SCP Configuration: The top portion of the window is used to configure the archiving of the daily CSV reports.
Archive Method: Select an archive method Email Gateway should use when transferring the Reports:
• SCP: Select SCP to transfer the file securely using the SCP protocol. (An SCP server must be configured and running on the archive machine.)
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. (The FTP server must be configured and running on the archive server.) Note that Email Gateway issues a passive FTP command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the filename.
Hostname: Type the host name of the archive server.
User Name: Type a valid username with SCP or FTP privileges.
Password: Type a valid password.
Confirm Password: Confirm the password by entering it again.
Path: Type the path string to the location on the archive server where Email Gateway should transfer the Reports. The relative path must be entered—that is, the starting point or subsequent directory below which the user account has access privileges. Examples are: /Email Gateway or ./Email Gateway (the two are functionally identical). Bear in mind that some Windows FTP servers cannot translate forward slashes ( / ) to back slashes ( \ ) on the fly. In those cases, back slashes are required as path delimiters.
File Information: The lower portion of the window lists all available reports by date.
File Name: The files are listed by name in ascending date order.
Download: Click the hyperlink to download the file for viewing.
Transfer FTP/SCP: If the report is to be transferred (archived), select the checkbox.


Understanding the CSV file


The contents of the CSV file are a raw data dump from the Email Gateway database. When Email Gateway
queries the database, and the database returns its data, the raw data is not returned in any specific order.
Message ID numbers and dates, for example, do not follow each other sequentially. The only order implicit
in the file is that all data is grouped according to one of four types of information: Message information,
Domain information, Policy information, and Message Part information.
Email Gateway presents, in pieces, information about how it processed each individual message. In some
cases, Email Gateway will present just one piece of information because that is all there is to report,
and that information will be displayed in a single line in the CSV file. In other cases, Email Gateway can
report multiple pieces of information, with each piece appearing on separate lines of the file. Once the file is
imported into a third-party application, use the application’s tools to sort or order the data so that all the
pieces of the message are grouped together.
The data in the CSV file contains up to ten comma-separated fields on each row or line. (Depending on the
amount of data in a line, and the application in which the data is being viewed, message data can wrap to a
second line.)
The first field represents what kind of information is displayed on that row. One of three values will
appear:
• 1 = Message information

• 2 = Domain information

• 3 = Policy information

• 4 = Message part information

The remaining fields on each row differ, depending on the type of information being displayed.
Figure 266 Message Information

The first field indicates the information type. Each row of Message information begins with the numeral 1.
The second field is the “message ID” – a number that uniquely identifies the message. The message ID is
a critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs.
The third field is the message’s Subject, reported in its entirety.
The fourth field is the message’s date – the timestamp when Email Gateway received the message.
The fifth field is the message’s size in bytes.
The sixth field is the Mail From address – from whom the message originated.
The seventh field is the list of Recipient addresses – to whom the message was addressed.
The eighth field is the source IP address – the IP address of the message sender.
The ninth field is the Message direction. One of these values will appear:


• 0 = Inbound

• 1 = Outbound

The tenth field identifies the internal user. One of these values will appear:
• 0 = Both External

• 1 = From Internal (the sender)

• 2 = To Internal (the recipient)

• 3 = Both Internal

The eleventh field identifies the message type, to indicate if the message was received by SMTP Proxy
using TLS (SSL). One of these Message Type values will appear:
• MSG_TYPE_NORMAL = 0

• MSG_TYPE_NOTIFICATION = 1

• MSG_TYPE_FORWARDED = 2

• MSG_TYPE_COPIED = 3

• MSG_TYPE_DSN = 4

• MSG_TYPE_SWM = 5

• MSG_TYPE_REPORTS = 6

• MSG_TYPE_EUSR_OUT = 7

• MSG_TYPE_EST_OUT = 8

• MSG_TYPE_EUSR_IN = 9

• MSG_TYPE_EST_IN = 10

• MSG_TYPE_SECURE = 11

• MSG_TYPE_FWD_ATTACH = 12

The twelfth field indicates whether the message was encrypted or signed. One of these values will appear:
• 0 = Unsigned

• 1 = Signed
• 2 = Encrypted

• 3 = Decrypted
Figure 267 Domain Information

The first field indicates the information type. Each row of Domain information begins with the numeral 2.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Although message IDs might look like they are grouped serially, there is no Email
Gateway requirement that they are sorted in this CSV file.


The third field is the recipient’s domain.


The fourth field identifies the recipient(s) of the message.
The fifth field identifies the internal host to which the message was delivered.
The sixth field identifies the delivery mode – one of six values will appear:
• 0 = Normal, plain-text message

• 1 = TLS delivery

• 2 = S/MIME delivery

• 3 = PGP delivery

• 4 = SWM (Secure Web Delivery) delivery

• 5 = TLS deny (A TLS delivery was attempted, but an Email Gateway policy denying TLS for that user forced
the message to be delivered in plain text.)

The seventh field describes the message’s status, and will display one of eight values:
• 1 = Not yet picked up for delivery (The message was deleted by the SMTPO Service, or it is in the
Quarantine Queue because of a failed delivery attempt or other Email Gateway policy.)

• 0 = Picked

• 1 = Connected

• 2 = Transmitted

• 4 = Delivered

• 5 = Undeliverable dropped

• 7 = UI Dropped (The message was dropped by the web administrator.)

• 8 = SWM (Secure Web Delivery) delivery


Figure 268 Policy Information

The first field indicates the information type. Each row of Policy information begins with the numeral 3.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Although message IDs might look like they are grouped serially, there is no Email
Gateway requirement that they are sorted in this CSV file.
The third field identifies a message’s part number. This field reports a numeric value representing which
part of the message is being described. (Messages can have many MIME parts—Email Gateway defaults to
only accepting messages that contain less than 1,000 parts.) A 0 in this field represents the whole
message. Any other value is the part number. A message’s parts are not necessarily grouped together in
the CSV file – a third party utility is required to group all message parts by their ID number, and then sort
them in ascending or descending order.


The fourth field is a number that identifies each possible Email Gateway action. This number is used
internally by Email Gateway, but corresponds to the actions that Email Gateway policies enforce. View the
table of actions in the Appendices to this Administration Guide.
The fifth field might or might not be present, depending on the policy Email Gateway enforced. For
example, a policy with a quarantine action requires a number as an action value indicating how many days
a message is to be quarantined, and a policy with a drop action can have a text message (replacing the
dropped message part) as an action value. (Note that text action values can be lengthy, and force the row
in the CSV file to wrap to additional lines.) Depending on the action, the fifth field can contain numerous
data elements that describe the totality of the action, for example, message Subject, Recipient address, or
timestamp.
The sixth field is the timestamp of the action – the time the action occurred.
Figure 269 Message Part Information

The first field indicates the information type. Each row of Message Part information begins with the
numeral 4.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Note that though message IDs might look like they are grouped serially, there is no
Email Gateway requirement that they are sorted in this CSV file.
The third field identifies a message’s part number. This field reports a numeric value representing which
part of the message is being described. (Messages can have many MIME parts – Email Gateway defaults to
only accepting messages that contain less than 1,000 parts.) A 0 in this field represents the whole
message. Any other value is the part number. A message’s parts are not necessarily grouped together in
the CSV file – a third party utility is required to group all message parts by their ID number, and then sort
them in ascending or descending order.
The fourth field identifies the message content type.
The fifth field identifies if the part is an attachment or the message body. One of two values will appear:
• 0 = Attachment

• 1 = Body

The sixth field identifies the attachment name.


The seventh field describes the part format as identified by the Content Extraction Engine.
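The four record layouts described above, applied as a worked example. The following Python script is an added example, not code from this guide or from the Email Gateway product: it reads a report CSV dump, groups the unordered rows by message ID, decodes the enumerated fields into their documented labels, and handles the optional fifth field of Policy rows (when no action value is present, the timestamp occupies the fifth position instead of the sixth). The sample rows are constructed; the action numbers 17 and 9 and the part format codes are placeholders rather than values from this guide, and the reader assumes the dump uses standard CSV quoting for any subject or action text that contains commas.

```python
import csv
import io
from collections import defaultdict

# Added example (not part of this guide or the product): a reader for the
# report CSV dump using the field layouts and enumerations documented above.
DIRECTION = {"0": "Inbound", "1": "Outbound"}
INTERNAL_USER = {"0": "Both External", "1": "From Internal",
                 "2": "To Internal", "3": "Both Internal"}
MSG_TYPE = {"0": "NORMAL", "1": "NOTIFICATION", "2": "FORWARDED", "3": "COPIED",
            "4": "DSN", "5": "SWM", "6": "REPORTS", "7": "EUSR_OUT", "8": "EST_OUT",
            "9": "EUSR_IN", "10": "EST_IN", "11": "SECURE", "12": "FWD_ATTACH"}
CRYPTO = {"0": "Unsigned", "1": "Signed", "2": "Encrypted", "3": "Decrypted"}
DELIVERY_MODE = {"0": "Plain text", "1": "TLS", "2": "S/MIME", "3": "PGP",
                 "4": "SWM", "5": "TLS deny"}
PART_KIND = {"0": "Attachment", "1": "Body"}


def _decode(table, value):
    """Map an enumeration value to its label; unknown values stay visible."""
    return table.get(value, "UNKNOWN(%s)" % value)


def parse_row(fields):
    """Decode one CSV row into (record type, message ID, record dict)."""
    kind, msg_id = fields[0], fields[1]
    if kind == "1":   # Message information (12 fields)
        return kind, msg_id, {
            "subject": fields[2], "received": fields[3], "size": int(fields[4]),
            "mail_from": fields[5], "recipients": fields[6], "source_ip": fields[7],
            "direction": _decode(DIRECTION, fields[8]),
            "internal_user": _decode(INTERNAL_USER, fields[9]),
            "msg_type": _decode(MSG_TYPE, fields[10]),
            "crypto": _decode(CRYPTO, fields[11]),
        }
    if kind == "2":   # Domain information (delivery per recipient domain)
        return kind, msg_id, {
            "domain": fields[2], "recipients": fields[3], "internal_host": fields[4],
            "delivery_mode": _decode(DELIVERY_MODE, fields[5]),
            "status": fields[6],   # left raw: see the status list above
        }
    if kind == "3":   # Policy information; the action value (5th field) is optional
        rec = {"part": int(fields[2]), "action": fields[3]}
        if len(fields) >= 6:
            rec["action_value"], rec["timestamp"] = fields[4], fields[5]
        else:             # no action value: the timestamp is the 5th field
            rec["action_value"], rec["timestamp"] = None, fields[4]
        return kind, msg_id, rec
    if kind == "4":   # Message Part information
        return kind, msg_id, {
            "part": int(fields[2]), "content_type": fields[3],
            "kind": _decode(PART_KIND, fields[4]),
            "name": fields[5], "format": fields[6],
        }
    raise ValueError("unknown record type %r" % kind)


def parse_report(text):
    """Group the unordered dump by message ID; parts and policy rows are
    sorted by part number (0 = the whole message)."""
    messages = defaultdict(lambda: {"message": None, "domains": [],
                                    "policies": [], "parts": []})
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        kind, msg_id, rec = parse_row(fields)
        bucket = messages[msg_id]
        if kind == "1":
            bucket["message"] = rec
        elif kind == "2":
            bucket["domains"].append(rec)
        elif kind == "3":
            bucket["policies"].append(rec)
        else:
            bucket["parts"].append(rec)
    for bucket in messages.values():
        bucket["parts"].sort(key=lambda p: p["part"])
        bucket["policies"].sort(key=lambda p: p["part"])
    return dict(messages)


# Constructed sample dump, deliberately out of order; the action numbers 17
# and 9 and the part format codes are placeholders, not values from the guide.
SAMPLE_CSV = """\
4,4912581,2,text/html,0,report.htm,236
1,4912581,Quarterly report,2008/09/01 00:34:59,8473,alice@example.com,bob@example.org,10.14.1.36,0,2,0,0
3,4912581,0,17,2008/09/01 00:35:01
4,4912581,1,text/plain,1,,2
2,4912581,example.org,bob@example.org,mail.example.org,1,4
3,4912581,2,9,Attachment removed by policy,2008/09/01 00:35:02
1,4920357,Hello,2008/09/01 00:40:14,512,carol@example.net,dave@example.org,10.14.1.36,1,1,1,1
"""

if __name__ == "__main__":
    for msg_id, data in parse_report(SAMPLE_CSV).items():
        print(msg_id, data["message"]["direction"], len(data["parts"]), "parts")
```

Because the message ID is the only key shared by all four record types, grouping on it is the equivalent of the sort step the text asks a third-party application to perform; the unknown-value fallback in _decode keeps any enumeration value this guide does not list from being silently mislabelled.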

Opening a CSV file in Excel


If you attempt to open a large CSV file in Microsoft Excel, you might encounter an error because the file is
too large, or you might see truncation of rows or columns. This is due to the limits of Excel.
Excel can open a single worksheet of up to 65,536 rows or 256 columns. You can have multiple worksheets
per book, but if any worksheet exceeds these limits, you will encounter the problem. You can remedy the
problem by opening the source file with a text editor, then saving the file into multiple files with numbers of
rows or columns that fall within the limits.


SNMP polling
Email Gateway includes an SNMP polling feature that lets a polling station or package collect data from
the Email Gateway appliance over SNMP. This feature is helpful in mapping alert events to SNMP traps. The
Email Gateway appliance publishes a MIB view that allows read-only access to the data used in processing
a variety of queries. No write access is permitted, so polling cannot modify the appliance's data. The
feature allows you to set the polling interval.
Email Gateway SNMP polling supports SNMP v1 and SNMP v2.

SNMP polling configuration


The SNMP polling feature can be accessed from the Reporting tab (Reporting | SNMP Polling).
Figure 270 SNMP Polling - Configure window

Table 264 SNMP Polling - Configure fields


Field Description
Service This field contains the service name. In this case, the name is
Internal-snmpd2, the name of the SNMP polling service.
Select the name to configure the polling time interval.
Auto-Start A red X or green check icon indicates whether or not the service is set to
start automatically when the Email Gateway appliance is rebooted. If an
icon is green, the service will begin running when Email Gateway restarts.
In addition, if the icon is green, the Email Gateway Health Monitor will
restart any service except SMTPO that has stopped for any reason when
it performs its tests on all appliance subsystems. If an icon is red, the
service will not start on reboot, nor when Health Monitor runs its system
tests.
A service can continue to run after its auto-start setting is turned off.
The red and green light icons are hyperlinks. Clicking the icon/hyperlink
toggles the auto-start option on and off.
Running A red or green light icon indicates whether or not the service is currently
running.
In some situations, the Running icon might not refresh when clicked, i.e.
change from green to red. If the icon does not toggle as expected, click
the Mail Services - Configure hyperlink in the left navigation frame of
the Web Administration interface to refresh the page, rather than clicking
the Running icon a second time.
Service Uptime This column indicates (in days, hours, minutes, and seconds) how long a
service has been running since it was last restarted.
If the uptime appears less than expected, it might indicate that the
service was manually stopped and restarted by an administrator, or was
stopped by an administrator and was restarted automatically by the Email
Gateway Health Monitor.

Configure the SNMP collection interval by selecting the service name.


Figure 271 SNMP Service Configuration window

On this window, you can set the polling interval by entering a time in seconds. The allowable range is from
60 to 3600 seconds. This interval defines the wait time between SNMP polling occurrences.

Public SNMP variables for Email Gateway


The following variables are provided to the SNMP polling station from the Email Gateway SNMP daemon.

Table 265 SNMP Variables

S#  Variable Name            Description
1   ctCPUSystem              Current system-space CPU utilization
2   ctCPUIdle                Current idle CPU
3   ctCPUUser                Current user-space CPU utilization
4   ctMemoryFree             Currently free memory (in bytes)
5   ctMemoryActive           Currently active memory (in bytes)
6   ctMemoryInactive         Currently inactive memory (in bytes)
7   ctMemorySwap             Current swap space in use (in bytes)
8   ctDiskIOtps              Disk I/O transactions per second
9   ctDiskIOmbps             Disk I/O in megabytes per second
10  ctDiskFSct               Current percentage of the ct partition used
11  ctDiskFSvar              Current percentage of the var partition used
12  ctDiskFStmp              Current percentage of the tmp partition used
13  ctNetworkIOin            Current rate of data into the physical network interface (bits/sec)
14  ctNetworkIOout           Current rate of data out of the physical network interface (bits/sec)
15  ctServiceSmtpo           Status of smtpo service (0 = not running, 1 = running)
16  ctServiceSmtpproxy       Status of smtpproxy service (0 = not running, 1 = running)
17  ctQueueLevel             Number of messages currently being processed by queues
18  ctQueueProcessedAVQ      Number of messages processed by AVQ since local midnight
19  ctQueueActionAVQ         Number of messages processed by AVQ since local midnight that required action
20  ctQueueProcessedCFQ      Number of messages processed by CFQ since local midnight
21  ctQueueActionCFQ         Number of messages processed by CFQ since local midnight that required action
22  ctQueueProcessedMMQ      Number of messages processed by MMQ since local midnight
23  ctQueueActionMMQ         Number of messages processed by MMQ since local midnight that required action
24  ctQueueProcessedRIPQ     Number of messages processed by RIPQ since local midnight
25  ctQueueActionRIPQ        Number of messages processed by RIPQ since local midnight that required action
26  ctQueueProcessedJOINQ    Number of messages processed by JOINQ since local midnight
27  ctQueueActionJOINQ       Number of messages processed by JOINQ since local midnight that required action
28  ctQueueProcessedSPAMQ    Number of messages processed by SPAMQ since local midnight
29  ctQueueActionSPAMQ       Number of messages processed by SPAMQ since local midnight that required action
30  ctQueueProcessedCCQ      Number of messages processed by CCQ since local midnight
31  ctQueueActionCCQ         Number of messages processed by CCQ since local midnight that required action

Before Email Gateway SNMP traps can provide all the available information to the SNMP service, you must
compile the appropriate Email Gateway MIB file within your SNMP application. You can download the MIB
you will need for SNMP polling from the Support KnowledgeBase, article 7220. The file you need to
download is CT-SNMP-PUBLIC-MIB.txt.
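How a polling station might turn the variables in Table 265 into alerts, as an added example (this is not code from this guide or from the product). The script takes two successive polls already retrieved into dictionaries keyed by variable name (the SNMP GET itself, against the objects in CT-SNMP-PUBLIC-MIB, is outside the block) and raises alerts for a stopped service, a nearly full partition, a queue backlog, and an unusual share of messages requiring action. Because the queue counters count since local midnight, a poll that straddles midnight sees the counters drop; the example detects that reset per queue from the processed counter rather than per counter, since a post-reset action count can exceed the pre-reset one and would otherwise look like a normal increase. The sample polls, the threshold values and the function names are constructed for the example.

```python
# Added example (not part of this guide or the product): evaluating two
# successive polls of the Email Gateway SNMP variables listed in Table 265.
# Retrieving the values (an SNMP v1/v2 GET against the CT-SNMP-PUBLIC-MIB
# objects) is outside this block; it works on values already polled into dicts.

QUEUES = ("AVQ", "CFQ", "MMQ", "RIPQ", "JOINQ", "SPAMQ", "CCQ")
SERVICES = ("ctServiceSmtpo", "ctServiceSmtpproxy")
DISK_VARS = ("ctDiskFSct", "ctDiskFSvar", "ctDiskFStmp")


def queue_delta(prev, cur, queue):
    """(processed, actioned) between two polls for one queue.

    The queue counters count 'since local midnight', so a processed value
    lower than the previous poll means the midnight reset happened between
    polls and only what accumulated after the reset is counted. The action
    counter resets together with it, so the decision is made once per queue
    rather than per counter (a post-reset action count can exceed the
    pre-reset one and would otherwise look like a normal increase)."""
    p0, p1 = prev["ctQueueProcessed" + queue], cur["ctQueueProcessed" + queue]
    a0, a1 = prev["ctQueueAction" + queue], cur["ctQueueAction" + queue]
    if p1 < p0:
        return p1, a1
    return p1 - p0, a1 - a0


def evaluate(prev, cur, disk_limit_pct=90, action_share_limit=0.5,
             backlog_limit=500):
    """Return (kind, name, value) alerts for one poll; the thresholds are
    illustrative defaults chosen for this example, not values from the guide."""
    alerts = []
    for svc in SERVICES:                       # 1 = running, 0 = not running
        if cur.get(svc) != 1:
            alerts.append(("service_down", svc, cur.get(svc)))
    for var in DISK_VARS:                      # percentage of partition used
        if cur.get(var, 0) >= disk_limit_pct:
            alerts.append(("disk_full", var, cur[var]))
    if cur.get("ctQueueLevel", 0) >= backlog_limit:
        alerts.append(("queue_backlog", "ctQueueLevel", cur["ctQueueLevel"]))
    for queue in QUEUES:
        processed, actioned = queue_delta(prev, cur, queue)
        share = actioned / processed if processed else 0.0
        if share > action_share_limit:         # unusual fraction needing policy action
            alerts.append(("action_spike", queue, round(share, 2)))
    return alerts


def sample_poll(**overrides):
    """Constructed sample poll with healthy values; not real appliance output."""
    poll = {"ctServiceSmtpo": 1, "ctServiceSmtpproxy": 1, "ctQueueLevel": 12,
            "ctDiskFSct": 40, "ctDiskFSvar": 55, "ctDiskFStmp": 10}
    for queue in QUEUES:
        poll["ctQueueProcessed" + queue] = 5000
        poll["ctQueueAction" + queue] = 40
    poll.update(overrides)
    return poll


# Poll taken just before midnight, and the next one just after the daily
# reset, with smtpproxy stopped, the var partition nearly full and a burst
# of AVQ detections.
PREV_POLL = sample_poll()
CUR_POLL = sample_poll(ctServiceSmtpproxy=0, ctDiskFSvar=93,
                       ctQueueProcessedAVQ=120, ctQueueActionAVQ=90)

if __name__ == "__main__":
    for alert in evaluate(PREV_POLL, CUR_POLL):
        print("%-13s %-20s %s" % alert)
```

The polling interval configured on the SNMP Service Configuration window (60 to 3600 seconds) bounds how long a service outage or reset can go unnoticed, so the thresholds should be chosen with that interval in mind.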

About Email Gateway logs


Email Gateway maintains up-to-the-minute log files that you can access to investigate problems or analyze
the solution’s activities. The logs include appropriate details to make them useful to a variety of users,
including executive management, administrators, compliance officers and other users.

Log levels
Email Gateway allows you to configure the type of log entries that will be generated and the amount of
detail that will be maintained in log files. The possible log levels are shown in the table below.

Table 266 Log levels


Level Description
Critical Captures information about an urgent condition, such as a general
database failure.
Error Captures information only about errors that occur that might require
Administrative support or assistance from McAfee Support. This is the
default setting when Email Gateway is first installed.
Information Captures general process flow information, such as the order of functions
through which messages flow, and so forth.
Detailed Most verbose setting. Captures process flow in great detail, including
information at the program level. Especially useful for analyzing
problems, and so forth.

Log standardization
To enable customers to parse log data more easily with scripts and security information and event
managers (SIEMs), McAfee has implemented a new format for all mail flow logs. Email Gateway writes these
logs in a binary format that can be stored efficiently and readily adapted to display and generate
reports.
The new mail flow log:
• Consolidates logs for SMTPProxy, SuperQueue, and SMTPO into a single log

• Makes tracing details of message flow more intuitive


• Reduces file size and improves processing.

Mail flow logs


Email Gateway uses Event Logging to create the mail flow logs. It generates the general logs (reporting
activity other than mail flow) in ASCII format.

Event logging
Event logging tracks and records each mail flow action Email Gateway takes. It records each individual
action as an event in binary format; each log message is an event.
Note: One email message will generate many events. Events are generated per action, not per message.

Email Gateway identifies events at three levels:


• Transactions – each of the three mail flow components (SMTPI, SuperQueue, and SMTPO) can generate
events.

• Event classes – a range of ID numbers belongs to each of the transaction components. Events are
grouped into classes by their ID numbers.

• Events – each defined event has a unique ID number that makes identifying and tracking specific events
easier.
Note: For a detailed listing of event classes and defined events, see Appendix J, Event Logging Elements in this
Administration Guide.

Within the events, Email Gateway identifies specific actions:


• SMTPI (SMTPProxy) uses the connection ID to identify its actions.

• SuperQueue and SMTPO use the message ID.

Formatting the logs with binary parsers


You can format your logs using the binary parsers, available from the Support Center, by running the
showevents command with the ofmt option. Binary parsers for Windows XP, Linux, and FreeBSD are
available from the Support Center. Source code is available for other operating systems.

Sample syntax
./showevents.sh -s ifile="<binary log filename>" -s ofmt="<keywords>" -d head

Keywords
The following keywords are allowed. The keywords must be separated by ampersands (&) as shown here:
./showevents.sh -s ifile="scmail-logs.bin" -s ofmt="time&eid&eargstr" -d head
• time

• msgorconnid – message or connection ID

• thrdid – thread ID

• childid – child ID

• eid – event ID

• estr – event string

• earglen – event argument length

• eargstr – event argument string

Examples
See all the events belonging to a particular binary log file for smtpproxy:


$./showevents.sh -s ifile="/ct/data/admin/log/scmail-logs.bin" -g "module=smtpproxy" -d head
You can also view events from other modules by replacing 'smtpproxy' with the module name (for
example smtpo, superque, and so on).

Display all the events logged on Nov 14 for a given time duration:
$./showevents.sh -s ifile="/ct/data/admin/log/scmail-logs.bin.ends10081114" -g "stime=20081114:14:20:00" -g "etime=20081114:18:00:00" -d head
Tracking a message from its point of entry to its exit is a two-step process when the source IP/port and an
approximate time are known:
1 Using event ID 9308, grep for 'IP:Port' to get the message ID and connection ID:

$./showevents.sh -s ifile="scmail-logs.bin.ends20080902" -d head -g eid=9308 | grep "10.14.1.36:58228"
Sample output:

20080901:00:19:09|22590300344740|9308|Message information <Source IP:Port:Message ID>|10.14.1.36:58228:4904983|
20080901:00:34:59|22590304235624|9308|Message information <Source IP:Port:Message ID>|10.14.1.36:58228:4912581|
20080901:00:40:14|22590305529529|9308|Message information <Source IP:Port:Message ID>|10.14.1.36:58228:4920357|
2 Use the connection ID and message ID of interest:

$./showevents.sh -s ifile="scmail-logs.bin.ends20080902" -d head -g msgid=4912581 -g connid=22590304235624
If the log file is massive, showevents can seem to have hung, but it has not.
Note: When the connection ID is not given, showevents processes the query more quickly because of indexing.

To see the spamprofiler scores for every message:

$./showevents.sh -s ifile="/ct/data/admin/log/scmail-logs.bin" -s ofmt="msgorconnid&eid&estr&eargstr" -g "eid=3339" -d head
10878274|3339|ESP total points for Message ID: <esp:msgid> -|<85:10878274>|
10878237|3339|ESP total points for Message ID: <esp:msgid> -|<-168:10878237>|
10878244|3339|ESP total points for Message ID: <esp:msgid> -|<27:10878244>|
10878223|3339|ESP total points for Message ID: <esp:msgid> -|<111:10878223>|
10878209|3339|ESP total points for Message ID: <esp:msgid> -|<111:10878209>|
10878215|3339|ESP total points for Message ID: <esp:msgid> -|<144:10878215>|
10878214|3339|ESP total points for Message ID: <esp:msgid> -|<99:10878214>|
10878259|3339|ESP total points for Message ID: <esp:msgid> -|<137:10878259>|
10878251|3339|ESP total points for Message ID: <esp:msgid> -|<-211:10878251>|
10878220|3339|ESP total points for Message ID: <esp:msgid> -|<106:10878220>|
10878221|3339|ESP total points for Message ID: <esp:msgid> -|<101:10878221>|
10878256|3339|ESP total points for Message ID: <esp:msgid> -|<143:10878256>|
10878257|3339|ESP total points for Message ID: <esp:msgid> -|<172:10878257>|
10878278|3339|ESP total points for Message ID: <esp:msgid> -|<126:10878278>|
10878229|3339|ESP total points for Message ID: <esp:msgid> -|<139:10878229>|
10878235|3339|ESP total points for Message ID: <esp:msgid> -|<149:10878235>
To see all the data for a particular message ID:

$ ./showevents.sh -s ifile="/ct/data/admin/log/scmail-logs.bin" -g "msgid=25815150" -d head
20081107:11:39:44|25815150|9989|Message data -|{'USRTO': ['user24@x3.ctdev.net'],
'USRFRM': ['user24@x3.ctdev.net'], 'DOMTO': ['x3.ctdev.net'], 'SUBJ': 'attempting to
send e-mails to you', 'DOMFRM': ['x3.ctdev.net']}|
20081107:11:39:44|25815150|9990|User - GroupID info -|{'x3.ctdev.net': [1],
'user24@x3.ctdev.net': [1]}|
20081107:11:39:44|25815150|9991|Group ID - Name -|{1: 'global'}|
20081107:11:39:44|25815150|10038|Processing started for Message ID : <msgid> -|25815150|
20081107:11:39:44|25815150|7939|sub-feature list: -|{9: [1], 6: [4]}|
20081107:11:39:44|25815150|7941|queue order on msg: -|[2]|
20081107:11:39:44|25815150|7940|Final sub-feature list -|{9: [1], 6: [4]}|
20081107:11:39:44|25815150|7942|Final queue order -|[2]|
20081107:11:39:44|25815150|7191|Part, Type, Xtn, Format; <part:type:xtn:format>
-|<1:multipart/alternative:txt:2>|
20081107:11:39:44|25815150|7187|Text file not generated for part -|3|
20081107:11:39:44|25815150|7191|Part, Type, Xtn, Format; <part:type:xtn:format>
-|<3:text/html:htm:236>|
20081107:11:39:44|25815150|7191|Part, Type, Xtn, Format; <part:type:xtn:format>
-|<2:text/plain:txt:2>|
20081107:11:39:44|25815150|9992|Applied Policies, Applied Rules: <policies:rules>
-|<[7L]:[1]>|
20081107:11:39:44|25815150|1030|**Found -|[]|
20081107:11:39:44|25815150|1031|LOG_STAT_ATT_FIL: final_list -|{}|
20081107:11:39:44|25815150|7172|LOG_STAT_FINAL <msg_id:log_str> -|<25815150:PUSHED TO
NEXT Q>|
20081107:11:39:44|25815150|5123|Checking for headers actions.||
20081107:11:39:44|25815150|5137|This message is not outbound and destined to external
domain.||
20081107:11:39:44|25815150|5130|No action to be taken for the message -|25815150|
20081107:11:39:44|25815150|10039|Processing completed for Message ID : <msgid>
-|25815150|
20081107:11:39:45|25815150|9474|Channel outbound flag -|2|
20081107:11:39:45|25815150|9475|Max retry attempts -|4|
20081107:11:39:45|25815150|9476|Starting to process msgid -|25815150|
20081107:11:39:45|25815150|9481|Processing Domain -|DEFAULT|
20081107:11:39:45|25815150|9515|DNS Lookup Returned -|[(1, '10.14.2.123',
('10.14.2.123',))] fromCache=False|
20081107:11:39:45|25815150|9516|Connecting to Domain -|DEFAULT|
20081107:11:39:45|25815150|9487|Block timeout in seconds -|300|
20081107:11:39:45|25815150|9488|Connecting to MX -|10.14.2.123|
20081107:11:39:45|25815150|9489|Connecting to A -|10.14.2.123|
20081107:11:39:45|25815150|9491|Channels Vip vipid:bindhost -|0:10.14.1.62|
20081107:11:39:45|25815150|4099|Connecting to <BindHost:ConnectHost:ConnectPort>
-|<10.14.1.62:10.14.2.123:25>|
20081107:11:39:45|25815150|9492|Connection Status <status> -|1|


20081107:11:39:45|25815150|4102|STARTTLS failed <code:resp> -|<500:Syntax error, wrong command sequence, expected command is 'MAIL'>|
20081107:11:39:45|25815150|4099|Connecting to <BindHost:ConnectHost:ConnectPort>
-|<10.14.1.62:10.14.2.123:25>|
20081107:11:39:45|25815150|9523|Starting SendSmtpMsg in domain -|DEFAULT|
20081107:11:39:45|25815150|9570|BATV values are DSN_BVP_enable: <IsEnabled> mail_from:
<Mail From> mdoutbound <IsOutbound> selfdeliveryMode <Delivery Mode>
-|0:user24@x3.ctdev.net:2:0|
20081107:11:39:45|25815150|9524|LOG_STAT <mail from>, <rcpt fix>, <size>, <date>,
<secure Conn>. -|user24@x3.ctdev.net:['user24@x3.ctdev.net']:8473:2008/11/07
11:39:45:0|
20081107:11:39:48|25815150|9506|Closing SMTP Connection||
20081107:11:39:48|25815150|9480|Finished processing msgid -|25815150|

Viewing the logs directly using binary parsers


You can view the logs directly using the showevents command.

Sample syntax:
/ct/bin/showevents [-s name=value] [-g name=value] [-d operation]

Options
The following options are allowed.
• -s <name=value> – setters to configure the application usage

• cfile=<filename> – event configuration file to read the event IDs and descriptions

• ifile=<filename> –

• ofmt=<keywords> – display only these columns


• -g <name=value> – grep for events with the given properties
Note: For the -g <name=value> filter, you can define an integer option in decimal format (for example, 16) or
in hex format (for example, 0xF).

• -d <operation>

• einfo – event classification information

• head – print events from the head

• tail – tail the log file and print events

• hdr – event log header information

Filter matching uses an OR relationship between the same type of filters, and uses an AND relationship
between different types.

Examples:
-g eid=4097 -g eid=6665
will display all events with the event ID 4097 or 6665

-g eid=4097 -g msgid=1000
will display all events that have both the message ID 1000 and the event ID 4097.
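The showevents output shown in the examples above and the -g filter semantics just described, worked through in Python as an added example (this is not code from the guide or from the product). It parses the default five-column showevents output (time|ID|event ID|event string|argument string), reproduces the OR-within-a-name, AND-across-names filter matching, performs step 1 of the tracking procedure from event 9308, extracts ESP scores from event 3339, and lists the STARTTLS failures (event 4102) that precede a plain-text delivery. The sample lines are constructed in the formats shown above, the function names are mine, and the parser assumes an event's argument string contains no pipe characters.

```python
import re

# Added example (not part of this guide or the product). Event IDs are the
# ones used in the showevents examples of this section.
EID_SOURCE_INFO = 9308    # Message information <Source IP:Port:Message ID>
EID_ESP_TOTAL = 3339      # ESP total points for Message ID: <esp:msgid>
EID_STARTTLS_FAIL = 4102  # STARTTLS failed <code:resp>


def parse_event(line):
    """Split one line of default showevents output: time|id|eid|estr|eargstr|.
    The ID column is a connection ID for SMTPI events and a message ID for
    SuperQueue and SMTPO events. Returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    time, ident, eid, estr, args = line.split("|", 4)
    return {"time": time, "id": ident, "eid": int(eid),
            "estr": estr, "args": args.rstrip("|")}


def parse_events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def grep_events(events, filters):
    """showevents -g semantics: OR between filters with the same name, AND
    across different names. Names: eid, msgid, connid (the last two both
    match the ID column)."""
    wanted = {}
    for name, value in filters:
        wanted.setdefault(name, set()).add(str(value))

    def matches(event):
        for name, values in wanted.items():
            field = str(event["eid"]) if name == "eid" else event["id"]
            if field not in values:
                return False
        return True
    return [e for e in events if matches(e)]


def find_by_source(events, ip_port):
    """Step 1 of the tracking procedure: (connection ID, message ID) pairs
    for every event 9308 whose source matches ip_port."""
    found = []
    for e in grep_events(events, [("eid", EID_SOURCE_INFO)]):
        source, msgid = e["args"].rsplit(":", 1)
        if source == ip_port:
            found.append((e["id"], msgid))
    return found


def esp_scores(events):
    """Message ID -> ESP total points, from event 3339 arguments such as <-168:10878237>."""
    scores = {}
    for e in grep_events(events, [("eid", EID_ESP_TOTAL)]):
        m = re.match(r"<(-?\d+):(\d+)>", e["args"])
        if m:
            scores[m.group(2)] = int(m.group(1))
    return scores


def starttls_failures(events):
    """(message ID, SMTP code, response) for each STARTTLS failure recorded
    by SMTPO; the guide's example shows delivery continuing without TLS."""
    failures = []
    for e in grep_events(events, [("eid", EID_STARTTLS_FAIL)]):
        m = re.match(r"<(\d+):(.*)>$", e["args"])
        if m:
            failures.append((e["id"], m.group(1), m.group(2)))
    return failures


# Constructed sample lines in the showevents output format shown above.
SAMPLE_LOG = """\
20080901:00:34:59|22590304235624|9308|Message information <Source IP:Port:Message ID>|10.14.1.36:58228:4912581|
20080901:00:40:14|22590305529529|9308|Message information <Source IP:Port:Message ID>|10.14.1.36:58228:4920357|
20080901:00:41:00|22590305529530|9308|Message information <Source IP:Port:Message ID>|10.14.1.37:40001:4920358|
20080901:00:35:00|4912581|3339|ESP total points for Message ID: <esp:msgid> -|<85:4912581>|
20080901:00:40:15|4920357|3339|ESP total points for Message ID: <esp:msgid> -|<-168:4920357>|
20080901:00:35:02|4912581|4102|STARTTLS failed <code:resp> -|<500:Syntax error, wrong command sequence, expected command is 'MAIL'>|
20080901:00:35:05|4912581|9506|Closing SMTP Connection||
"""
SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print(find_by_source(SAMPLE_EVENTS, "10.14.1.36:58228"))
    print(esp_scores(SAMPLE_EVENTS))
    print(starttls_failures(SAMPLE_EVENTS))
```

Running the parser over a file produced with -d head rather than over the binary directly avoids tying a report generator to the binary layout, which is the second of the two approaches described under Generating reports from logs.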

Generating reports from logs


You can use the event logs to generate reports you need. You can either:
• train your log reader to read directly from the binary,


• or parse the binary file first (using the parser mentioned above) then modify your report generator (or
create your own).

CLI commands
You can access information about your event logging files through three command line options:
• show events – this command dumps the entire binary file, allowing you to search for particular data you
want.

[Email Gateway]:show events | grep 10819870


• show stat mph – shows messages per hour Email Gateway has processed, beginning at midnight. The
statistic resets at the beginning of each 24-hour period.

• show stat cph – shows connections per hour, beginning at midnight, for the current 24-hour period.

Examples of data generated by the show stat commands appear below:


[Email Gateway]:show stats mph 20081021
20081021::01:00:00 45646
20081021::01:59:59 63617
20081021::02:59:59 63453
20081021::04:00:00 59531
20081021::04:59:59 63469
20081021::05:59:59 56560
20081021::07:00:00 60700
20081021::07:59:59 57861
20081021::08:59:59 59709
20081021::09:59:59 66442
20081021::11:00:00 62460
20081021::11:59:59 63947
20081021::13:00:00 58932
20081021::13:59:59 57998
20081021::14:59:59 61240
20081021::16:00:00 58490
20081021::17:00:00 60393
20081021::17:59:59 64914
20081021::19:00:00 63532
20081021::19:59:59 63313
20081021::20:59:59 52875
20081021::22:00:00 64053
20081021::22:59:59 63348
20081022::00:00:00 58160

[Email Gateway]:show stats cph 20081021


20081021::01:00:00 43728
20081021::01:59:59 61016
20081021::02:59:59 60871


20081021::04:00:00 57075
20081021::04:59:59 60876
20081021::05:59:59 54274
20081021::07:00:00 58233
20081021::07:59:59 55592
20081021::08:59:59 57319
20081021::09:59:59 63801
20081021::11:00:00 59973
20081021::11:59:59 61380
20081021::13:00:00 56542
20081021::13:59:59 55674
20081021::14:59:59 58775
20081021::16:00:00 56160
20081021::17:00:00 58003
20081021::17:59:59 62301
20081021::19:00:00 60914
20081021::19:59:59 60882
20081021::20:59:59 50730
20081021::22:00:00 61464
20081021::22:59:59 60784
20081022::00:00:00 55818
The information is cumulative for the entire day. If you type today’s date, the data will only reflect activity
since midnight.

General logs
Email Gateway generates logs that record functionality other than mail flow in ASCII format. The two types
of general logs are Detailed Logs and Summary Logs.

Detailed logs
Email Gateway records in its Detailed Logs all the actions it takes as it processes messages and for all
aspects of its core functionality. The amount of detail recorded in these logs is controlled by the Logging
Level configured for each of the Email Gateway services and features.
Ordinarily, a log level of Information is adequate for day-to-day monitoring and will provide enough
information to indicate that a Service is running properly, and at that level, will not bloat in size to an
unmanageable level. It is recommended, however, that the logging level be set to Detailed for the first
several weeks after Email Gateway is placed in the mail flow of the network. This will ensure that adequate
information is available if troubleshooting problems is required. Once Email Gateway is processing without
incident, the logging level should be changed.
Similarly, the logging level for the Queue services should be raised to Detailed during the period that policy
testing is underway. That level will be required to see the specific reasons a message was detected and
acted upon by one of Email Gateway policies. Once the policy testing is complete, these log levels can be
changed.
In high mail-volume environments, some logs can grow very large, up to 100-200 MB in size. Log files
larger than just 1 MB will typically take longer to open in the Email Gateway web interface than
administrators will care to wait. Administrators are encouraged, then, to use an SSH client to open these
logs. Within the command line interface, logs open instantly, and queries within them are as fast.


Email Gateway generates one special detailed log, Email Gateway Setup. Generated only once, after the
initial Email Gateway setup and configuration, this log reports the details of the setup process.

Summary logs
Detailed Log files record the specific actions Email Gateway takes when processing messages, and the
information is spread across multiple files. The Summary Log consolidates all message processing data into
one file, and displays the information in a slightly different way. If Email Gateway does not accept a
message (for example, the sending IP address is on the Email Gateway Local Deny List and the message
is dropped by the SMTPI Service), the only line in the Summary Log for that message will look like the
example above.
Figure 272 Example summary log content

If Email Gateway accepted and processed the message, the first line of the Summary Log for that message
will look like the example above. For each message that Email Gateway processed, each Email Gateway
Queue process will write a separate line indicating what action it took. To view all the lines in the Summary
Log for a single message, use the grep command on the message ID.
The Summary Log displays seven pipe-separated ( | ) fields of data. Each line in the Summary Log displays
information about each Email Gateway process that examined or processed a message. Note that the
descriptions of Email Gateway processes are not grouped together by message. The processes of multiple
messages are commingled. As with the Detailed Logs, administrators must follow the trail of bread crumbs
using the Message Identifier to trace a single message in this log. The Summary Log can be viewed in real
time for troubleshooting and policy-tuning purposes, or it can be exported so that a third party application
can perform advanced grouping, sorting, and querying within it.
1 The first field is the date and timestamp when the message was received by the SMTPI Service.

2 The second field is the process ID – a number used internally by Email Gateway to identify which Email
Gateway processes are processing a message. For example, the JoinQ has one process number, while the
SMTPO Service has another process number.

3 The third field is the message identifier – a number Email Gateway uses to uniquely identify a message.
If the message is accepted by the SMTPI Service, the message identifier becomes the Message ID.

However, if the message is not accepted by Email Gateway (for example, the message is from an IP
address that appears on a Deny List), this value will be the source IP address and port number.

4 The fourth field is the Action number – a 0 or a 1 – indicating whether Email Gateway took an action on
the message because of the rules of an email policy. A 0 means no action was taken – the message
passed straight through Email Gateway untouched. A 1 means that Email Gateway performed some action
on the message.

5 The fifth field is an internal numeric code representing the action Email Gateway took – a number
representing, for example, whether Email Gateway stamped an outgoing message with a footer, or
deleted a file attachment, and so forth.

6 The sixth field displays textual information returned by the process. For example, process 21 (the SMTPI
Service) will return the Mail From, Mail To, and Message ID number of a message, and the 200 process
(the Virus Scan Queue) will report No virus found in this message.

7 The seventh field displays any details about the action as applicable. For example, an Envelope Analysis
rule based on a particular Subject will have the text of the rule’s Subject displayed here.
8 The eighth field shows the ESP score and message hash for the message.

9 The ninth field displays LDAP message drop information, if applicable.

10 The tenth field contains the SMTPI full throttle or sleep information.

Email Gateway can transfer Summary Log files to an archive server, either manually or automatically.

Notes on viewing logs


To avoid confusion in viewing logs, remember that a correctly generated log file can be empty, if the
services it represents have been configured but have had no activity.
A second potential source of confusion can arise when you view logs via the Command Line Interface. The
information retrieved by this method might appear out of date because the CLI cannot access a log file until
the day after it is created. The database table that provides the information for the log is updated by a
process that runs once per day.
Due to logging framework changes for the current version of Email Gateway, the date and time for all
information logs (per message logs) and for reconfiguration entries will show the process start time, rather
than the current time.

Configuring logs
Both Detailed Logs and Summary Logs can be configured on the same window.
Figure 273 Detailed/Summary Logs - Configure window

Table 267 Detailed/Summary Logs - Configure fields


FTP/SCP Configuration: The top portion of the window is used to configure the archiving of the daily logs.
Archive Method: Select an archive method Email Gateway should use when transferring the Logs:
• SCP: Select SCP to transfer the file securely using the SCP protocol. (An SCP server must be configured
and running on the archive machine.)
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. (The FTP server
must be configured and running on the archive server.) Note that Email Gateway issues a passive FTP
command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the
filename.
Hostname: Type the host name of the archive server.
User Name: Type a valid username with SCP or FTP privileges.
Password: Type a valid password.
Confirm Password: Confirm the password by entering it again.
Path: Type the path string to the location on the archive server where Email Gateway should transfer the
logs. The relative path must be entered—that is, the starting point or subsequent directory below which the
user account has access privileges. Examples are: /Email Gateway or ./Email Gateway (the two are
functionally identical). Bear in mind that some Windows FTP servers cannot translate forward slashes ( / )
to back slashes ( \ ) on the fly. In those cases, back slashes are required as path delimiters.
Schedule Time: Select from the Hour and Minute pick lists a time when Email Gateway should automatically
transfer the Logs. It is recommended that administrators choose a transfer time after 4 AM to allow enough
time for the reports to run and roll over the previous day’s logs.
File Information: The lower portion of the window is a table that shows information about all the detailed
logs.
View: Click the hyperlink for any individual log file to open that file for viewing.
Download: Click the hyperlink for any log file to download that file.
Transfer FTP/SCP: If the file is to be archived, select the checkbox.
Delete: Select the checkbox and then click Submit to delete the log.
File Name: This column lists by feature or function name the logs that Email Gateway generates.
Show all files: Selecting this hyperlink opens a window that lists all available versions of the specific log.
Log files remain available until they are deleted by the Cleanup process.

Clicking show all files opens a window like the example shown below.

Figure 274 File Information Summary Log window

Table 268 File Information Summary Log fields


FTP/SCP Configuration: The top portion of the window is used to configure the archiving of the specific logs.
Archive Method: Select an archive method Email Gateway should use when transferring the Logs:
• SCP: Select SCP to transfer the file securely using the SCP protocol. An SCP server must be configured
and running on the archive machine.
• FTP: Select FTP to transfer the file in plain text (non-securely) using the FTP protocol. The FTP server
must be configured and running on the archive server. Email Gateway issues a passive FTP command.
If multiple Email Gateway appliances are configured to transfer files, the hostname is appended to the
filename.
Hostname: Type the host name of the archive server.
User Name: Type a valid username with SCP or FTP privileges.
Password: Type a valid password.
Confirm Password: Confirm the password by entering it again.
Path: Type the path string to the location on the archive server where Email Gateway should transfer the
logs. The relative path must be entered—that is, the starting point or subsequent directory below which the
user account has access privileges. Examples are: /Email Gateway or ./Email Gateway (the two are
functionally identical). Bear in mind that some Windows FTP servers cannot translate forward slashes ( / )
to back slashes ( \ ) on the fly. In those cases, back slashes are required as path delimiters.
File Information: The lower portion of the window shows available logs of the type selected, in date order.
Download: Click the hyperlink for any log file to download that file.
Transfer FTP/SCP: If the file is to be archived, select the checkbox.
File Name: This column lists the available versions of the specific log file in ascending date order.

Configuring Syslog
Email Gateway can generate and transmit the same data it generates for its Summary Log in SysLog
format, for integration with a network’s SysLog logging system.
In addition to configuring Email Gateway to communicate with the SysLog server – as described below – the
SysLog server must be configured to recognize Email Gateway data. Email Gateway uses the SysLog User
facility and Info level for the data it sends. Therefore, a user.info entry must be created for
/var/log/Email Gatewayname_syslog on the receiving host.

Figure 275 Syslog Configuration window

Table 269 Syslog Configuration fields


Send Summary Logs to SysLog Server: Select the Send Summary Logs to SysLog Server checkbox to enable
Email Gateway SysLog output.
SysLog Host: Type the IP address or host name of the SysLog Server. Note that the SysLog Server
configuration determines whether an IP address or host name should be used here. (Refer to the SysLog
Server documentation.) If the Server is configured for an IP address and its host name is entered here,
Email Gateway might not be able to deliver its data to it.
SysLog Port: Type the port number Email Gateway should use to connect to the SysLog Server.
Protocol Type: Select the network protocol used by the SysLog Server: TCP or UDP. (Ordinarily, SysLog
uses UDP.)

When the information is complete and correct, click Submit to record the configuration.
Three parameters have been added to the Syslog format:
• ESP score and message hash;

• LDAP message drops; and,

• SMTPI full throttle/sleep information.
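
To make the Summary Log field list from earlier in this chapter concrete, and to show what the receiving side of the SysLog output above has to do, here is an added example (not McAfee’s code and not the appliance’s own format definition) that parses Summary Log lines into records, rebuilds each message’s trail the way the grep on the Message ID does by hand, and keeps only user.info records when the same data arrives at a syslog server. The exact line layout, the RFC 3164 framing of the syslog copy, the process names beyond 21 and 200, and all sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Email Gateway sends its syslog copy of the Summary Log at the User facility, Info level;
# RFC 3164 encodes that pair as PRI = facility * 8 + severity, so the receiver keeps PRI 14.
FACILITY_USER = 1
SEVERITY_INFO = 6
EXPECTED_PRI = FACILITY_USER * 8 + SEVERITY_INFO  # 14

# Process numbers named in the text: 21 is the SMTPI Service, 200 the Virus Scan Queue.
PROCESS_NAMES = {21: "SMTPI Service", 200: "Virus Scan Queue"}

_IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
# Assumed syslog framing: <PRI>Mmm dd hh:mm:ss hostname <Summary Log line>
_SYSLOG = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


@dataclass
class SummaryEntry:
    timestamp: str           # field 1: when the SMTPI Service received the message
    process_id: int          # field 2: internal process number
    message_identifier: str  # field 3: Message ID, or "ip:port" if SMTPI never accepted it
    action_taken: bool       # field 4: 0 = passed untouched, 1 = a policy action was taken
    action_code: str         # field 5: internal numeric action code (opaque here)
    process_text: str        # field 6: text returned by the process
    action_details: str      # field 7: rule details, e.g. the matched Subject text
    esp_score_hash: str      # field 8: ESP score and message hash
    ldap_drop: str           # field 9: LDAP message drop information
    throttle: str            # field 10: SMTPI full throttle / sleep information

    @property
    def accepted(self) -> bool:
        """False when the identifier is a source ip:port, i.e. SMTPI rejected the message."""
        return _IP_PORT.match(self.message_identifier) is None

    @property
    def process_name(self) -> str:
        return PROCESS_NAMES.get(self.process_id, f"process {self.process_id}")


def parse_summary_line(line: str) -> SummaryEntry:
    """Split one pipe-separated Summary Log line; pad fields 8-10 if a line has only seven."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("|")]
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 fields, got {len(fields)}: {line!r}")
    fields += [""] * (10 - len(fields))
    if fields[3] not in ("0", "1"):
        raise ValueError(f"action field must be 0 or 1, got {fields[3]!r}")
    return SummaryEntry(
        timestamp=fields[0],
        process_id=int(fields[1]),
        message_identifier=fields[2],
        action_taken=fields[3] == "1",
        action_code=fields[4],
        process_text=fields[5],
        action_details=fields[6],
        esp_score_hash=fields[7],
        ldap_drop=fields[8],
        throttle=fields[9],
    )


def group_by_message(lines):
    """Reassemble the commingled per-process lines into one trail per message identifier
    (the programmatic form of running grep on the Message ID)."""
    trail = defaultdict(list)
    for line in lines:
        if line.strip():
            entry = parse_summary_line(line)
            trail[entry.message_identifier].append(entry)
    return dict(trail)


def parse_syslog_line(line: str):
    """Return the parsed Summary Log payload of a user.info syslog record, or None for
    records at any other facility/severity (those belong to other senders)."""
    m = _SYSLOG.match(line)
    if m is None or int(m.group(1)) != EXPECTED_PRI:
        return None
    return parse_summary_line(m.group(4))


# Constructed sample lines that follow the field order above; not real appliance output.
SAMPLE_LINES = [
    "2009-06-15 04:12:01|21|MSG000001|0|0|Mail From: alice@example.com Mail To: bob@example.net "
    "Message ID: MSG000001||esp=10 hash=CONSTRUCTED||",
    "2009-06-15 04:12:01|200|MSG000001|0|0|No virus found in this message||||",
    "2009-06-15 04:12:03|21|192.0.2.10:51234|1|9|Sender IP on Local Deny List|Local Deny List|||full throttle",
]
SAMPLE_SYSLOG_OK = "<14>Jun 15 04:12:01 meg01 " + SAMPLE_LINES[1]
SAMPLE_SYSLOG_OTHER = "<38>Jun 15 04:12:01 meg01 sshd[1234]: Accepted publickey for admin"

if __name__ == "__main__":
    for msg_id, entries in group_by_message(SAMPLE_LINES).items():
        state = "accepted" if entries[0].accepted else "rejected by SMTPI"
        print(f"{msg_id} ({state})")
        for e in entries:
            print(f"  {e.timestamp} {e.process_name}: {e.process_text}")
```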



SECTION 9

Administration

Chapter 31, Email Gateway Administration

Chapter 32, Health Monitor


31 Email Gateway Administration
Contents
User accounts
Logging onto Email Gateway
Configuring password policy
Allowed IPs
Configuring WebAdmin settings
User preferences
Clustering
General administration

User accounts
The Email Gateway administrator can create user accounts for additional personnel who are granted
permission to perform specific duties in administering the Email Gateway appliance. You can select which
program areas users are allowed to access, and whether their access is read only or read/write.
There is one super user account for the Email Gateway administrator. This super user account name is
admin. Initially, only the admin user account has access to this User Accounts window. This allows you
secure control over access to Email Gateway.
Email Gateway generates a daily log showing each user’s login and the Email Gateway windows accessed.

About user accounts


When creating the user accounts for other administrators, you have four options regarding the type of
administrator being created. The new user can be:
• An Appliance Administrator, who will have whatever rights are granted across all Virtual Hosts and
domains on the Email Gateway appliance.

• A Virtual Host administrator, who will have whatever rights are granted only for those Virtual Hosts that
are assigned.

• A compliance officer, whose rights will be limited to conducting message searches in order to research
potential compliance violations and related problems.

• An ePO user, who has rights to the Dashboard only, and who can monitor Email Gateway from an ePolicy
Orchestrator appliance.

Any of these options allow the SuperAdministrator to delegate some of the administrative workload.

Appliance administrators
If the new administrator is to be an appliance administrator, the User Accounts - Create window does not
include Virtual Host information. In this case, the creating administrator can assign full access rights or
read-only rights to the new administrator for any or all the roles listed on the window. If User Creation
Rights are granted, the Appliance Administrator can create new users for any domain on the appliance and
give the new user any roles the creating Appliance Administrator is allowed.

Virtual Host administrators


If the new administrator is to be a Virtual Host administrator (the Appliance Admin checkbox is not
selected), the User Accounts - Create window includes the Virtual Hosts (VIPs) information. The two tables
at the bottom of the window show all Virtual Hosts that are available to be assigned to the Virtual Host
administrator, and any that have been selected for assignment. Use the arrows between the lists to move
VIPs. If User Creation Rights are granted, the Virtual Host administrator can create new users for only the
assigned domains.
For further information regarding Virtual Host Administration, see Chapter 25, Virtual Hosts in this
Administration Guide.

Compliance officers
If the new administrator is to be a compliance officer, the Roles selections on the User Accounts - Create
window will be unavailable.
The compliance officer has specialized access rights, limited to conducting message searches on the Email
Gateway appliance. This allows the officer to research potential compliance violations and related issues.
Compliance officers can be assigned rights for the entire appliance or for assigned Virtual Hosts.
When the compliance officer logs into Email Gateway, the displayed opening window is unique. For more
details, go to Compliance Officer searches in Chapter 3, Queue Information.

ePO users
ePO users can only access the Dashboard. All permission checkboxes are unavailable, but read-only
permission for the Dashboard is automatically granted. No other permissions can be assigned. The creation
process is the same as other user types. ePO users can be configured on standalone MEG appliances and
MEG appliances with Advanced Encryption, but not for standalone Encryption appliances. The user will
monitor Email Gateway from an ePO server using this account.
Note: Email Gateway also has a default account named epo. The ePO server itself uses this account to
communicate with Email Gateway and fetch events (MEG counter values for a specified time).

Creating user accounts


Only the administrator (using the admin super-user account) can create or edit user accounts when Email
Gateway is first deployed. Other administrators can be given the right to create users. For some users
(such as new trainees) you might want to assign read-only access to Email Gateway roles until the user
gains familiarity with Email Gateway and its features. Other users, by the nature of their positions, might
require read and write access only to specific portions of the system. The User Account - Create window
allows you to assign and change permissions as required.
Use the User Accounts - Create window to add or edit accounts.
1 On the Administration tab, click Web Admin Configuration.

2 Click User Account, then click Create Account.

3 Provide the information to complete the window (see Table 270).

4 Click Add New. The account is added to the User Accounts - Manage window.

Figure 276 User Accounts - Create window (showing Virtual Host Admin role)

Table 270 User Accounts - Create fields


New User: The left side of the window contains the data fields for naming the user and assigning a
password.
User Name: If you are adding a new account, type the user name in this field. If you are editing an existing
account, the field is already populated.
The user name can be up to 16 characters long with no spaces. The following characters are allowed:
• A-Z (first character only)
• a-z, 0-9, _ (underscore) as the first character
• a-z, 0-9, - (dash), _ (underscore) for the second through 16th characters.
New Password: Type the new password for the account.
Passwords must be at least 8 characters long, with no spaces. Allowable characters are: A-Z, a-z, 0-9,
_ (underscore), - (dash).
Confirm Password: Confirm the password by entering it again.
Appliance Admin: Select the checkbox if the new administrator is to have access to all domains and Virtual
Hosts on this Email Gateway.
Compliance Officer: Select this checkbox if the new user is to be configured as a compliance officer.
ePO User: Select this checkbox if the user can only monitor Email Gateway by using ePolicy Orchestrator.
User Creation Rights: Select this checkbox to grant this new administrator the right to create new users.
The scope of this permission is dependent upon this new administrator’s status as either an Appliance
Administrator or a Virtual Host administrator.
Password Never Expires: Select this checkbox if you want the administrator’s password to be exempt from
any password expiration parameters that can be configured on this Email Gateway.
Force Password Change: Select the checkbox to force the new user to change his password on his first
log on.
Note: The creating administrator creates each new user’s password when he creates the account.
Assign Role Permission: The right side of the window contains a table that lets you grant or deny access to
specific roles in Email Gateway and assign permissions for those roles where access is granted.
Roles: This column shows the available Email Gateway roles. The list is not configurable.
Enable: Select this checkbox to allow the user access to this role. If only the Enable checkbox is selected
for the role, the user has full Read-Write permissions to that role.
Read Only: If a role is enabled, you can check this checkbox to restrict permission to read only access.
Virtual Hosts: If Appliance Admin is not selected, the User Accounts - Create window displays a listing of all
available Virtual Hosts for this Email Gateway. You can select one or more from the “Available” list and
assign them to a new Virtual Host administrator.

Managing user accounts


The User Accounts - Manage window shows all configured user accounts for this Email Gateway. Use this
window to monitor, edit, lock and unlock, and delete user accounts.
Note: The admin account cannot be edited, locked or deleted.

Figure 277 User Accounts - Manage window

1 On the Administration tab, click Web Admin Configuration.

2 Click User Account, then click Manage Accounts.

The User Accounts - Manage window appears, showing the log on name and other basic information
for each user account.

Table 271 User Accounts - Manage fields


User: This column lists the user names for all users who have permissions on Email Gateway.
Last Login: This column displays the date and time of the user’s last login. If the user has not yet logged
in, a “Never Logged In!” message appears.
Edit: For all accounts other than the Admin account, an Edit icon appears in this column. Click the icon for
a user account and make changes in the User Accounts - Edit window.
Note: This icon does not appear for the admin account, or for the account that is currently logged onto
Email Gateway.
Locked: If the account is locked for reasons such as exceeding the maximum number of unsuccessful login
attempts, this box is checked. You can unlock the account by deselecting the checkbox, or lock an account
by selecting it if circumstances warrant.
Delete: Selecting the checkbox and then clicking Submit deletes the account. Selecting the Delete link
deletes all but the admin account.

If you have made any changes to accounts on this list, click Submit. The changes will be implemented.
Details about the roles assigned to each user on the list appear when you click the User name on the
window. The account selected expands to reveal the permissions granted and the Virtual Hosts assigned to
that user.
Figure 278 User Accounts - Manage window expanded (showing appliance administrator account)

Table 272 User Accounts - Manage fields (permission details)


Write Permissions: If the user has write permissions for any roles, the list in this column will show those
roles. If no write permissions are granted, the column shows N/A.
Read Permissions: If the user has read-only permissions for any roles, the list shows all those roles. If only
write permissions are granted, the column shows N/A.
Virtual Hosts: This field shows the names of any Virtual Hosts assigned to the user. Appliance
Administrators have permissions for all Virtual Hosts.

Editing a user account


You can edit any parameter of an existing user account except the account name. The Edit screen shows
the same parameters used to create the account.
To edit a user account, do the following:
1 On the Administration tab, click Web Admin Configuration.

2 Click User Account, then click Manage Accounts. The User Accounts - Manage window appears, showing
the log on name and other basic information for each user account.

3 Click the Edit icon associated with the account you are editing. The User Account - Edit screen appears.

4 Make necessary changes to the account information (see Table 270).

5 Click Submit to save your changes.

Logging onto Email Gateway


The log on process depends upon the presence or absence of Virtual Hosts (see Chapter 25, Virtual Hosts)
and the type of administrator who is accessing the appliance.
Every user sees the same basic login window, and can type a valid user name and password.
Figure 279 Email Gateway login window

If no Virtual Hosts are configured on the appliance, all users are appliance-level administrators. If Virtual
Hosts are configured, the user can be either an Appliance Administrator, a compliance officer, or a Virtual
Host administrator, each with its own login process. Virtual Hosts have no impact for ePO Users.

Appliance administrators
Appliance administrators have access rights to everything on the Email Gateway appliance, including all
domains and all Virtual Hosts. All Email Gateways have a Default Virtual Host, and an appliance-level
administrator always logs onto the Default Virtual Host.
When an appliance-level user logs on, the following selection window appears.
Figure 280 Appliance administrator login on an appliance with Virtual Hosts

To enter the Default Virtual Host, click Close.


Information at the top of the menu on the left side of the window confirms your status and location. An
From here, you can administer Email Gateway based upon your access rights. Any policies you create will
be applied to the Default Virtual Host, and can be applied to all Virtual Hosts. See Chapter 25, Virtual Hosts,
for more details.
To log out, click Logoff Default Virtual Host in the upper right corner of the Email Gateway window.
• If no Virtual Hosts other than the Default are present, this logs you all the way out of Email Gateway.

• If other Virtual Hosts are present, the action displays the Virtual Host selection window again. The window
shows a list of all the configured Virtual Hosts. You can select any of them by clicking the name in the left
column. The new login location is confirmed at the top of the left menu.

To administer a single Virtual Host, including configuring policies for it, the Appliance Administrator must
log out of the Default Virtual Host and log onto the specific Virtual Host. Administering Virtual Hosts (other
than all of them at once) requires logging into each one of them, one at a time.
To get an overview of the way any Virtual Host is configured, click details next to that Virtual Host.

Figure 281 Virtual Host overview

When you have completed the desired tasks on any Virtual Host, click Logoff at the top of the Email
Gateway window again. The Virtual Host selection window displays, showing a list of all Virtual Hosts except
the one you just accessed. You might go back to the Default Virtual Host or to another Virtual Host by
selecting the appropriate name, or log out completely by clicking Logout at the top of the window.

Virtual Host administrators


Virtual Host administrators have access only to those Virtual Hosts assigned to them. When the Virtual Host
administrator logs onto Email Gateway, the left menu displays the specific Virtual Host. If the Virtual Host
administrator has access to more than one Virtual Host, the menu displays the first one on the list of those
assigned, and displays a confirmation screen that allows selection of another assigned Virtual Host.
Figure 282 Virtual Host administrator Login

To log out, the Virtual Host administrator clicks the Logoff (Virtual Host Name) link.
• If the Virtual Host administrator is assigned only one Virtual Host, this action closes the Email Gateway
session and displays the main login window.

• If the Virtual Host administrator has access to more than one Virtual Host, the Virtual Host selection
window reappears. The Virtual Host administrator can select any other Virtual Host, display high-level
configuration information by clicking the details, or end the Email Gateway session by clicking Logout.

Compliance officers
You can create a special type of user account for a compliance officer. This user logs into Email Gateway
with a user name and password like any other user, but the opening window limits access to the
investigation of quarantined messages. The compliance officer may have appliance-level or Virtual Host
level access rights.

ePO Users
The ePO user logs into Email Gateway with a user name and password. The only tab the ePO user can
access is the Dashboard.

Configuring password policy


You can determine password structure and set expiration policies on the Password Policy Configuration
window.
1 On the Administration tab, click Web Admin Configuration.

2 Click Configure Password Policy. The Password Policy Configuration window appears.

3 Provide the information to complete the window (see Table 273).

4 Click Submit.

Figure 283 Password Policy Configuration window

Table 273 Password Policy Configuration fields


Password Length
Minimum Password Length: Type a number to represent the minimum length for each allowable password.
The range is from 8 to 32 characters or digits.
Password Strength
Password Must Contain Alpha Characters: Select the checkbox to require each password to include one or
more alphabetic characters. Set the minimum number of characters required.
Minimum Number of Alpha Characters: Type a number from 1 to 32 to represent the minimum number of
alphabetic characters in each password. The default is 1.
Alpha Character Style: From the drop-down list, select the character styles allowed for passwords. The
options are:
• lower – lowercase characters only
• UPPER – uppercase characters only
• lower & UPPER – a combination of lower- and uppercase characters.
Password Must Contain Digits: Select the checkbox to require each password to include one or more
numbers. You must also set the minimum number of digits required.
Minimum Number of Digits: Type a number from 1 to 32 to represent the minimum number of numeric
characters in each password. The default is 1.
Password Must Contain Special Characters: Select the checkbox to require each password to include one or
more special characters. You must also set the minimum number of special characters required.
Minimum Number of Special Characters: Type a number from 1 to 32 to represent the minimum number of
special characters in each password. The default is 1.
Password Must Contain a Regular Expression (REGEX): Select the checkbox if each password must adhere
to a pre-defined Regular Expression (REGEX).
Regular Expression (REGEX): Type the actual Regular Expression that each password must adhere to.
Password Expiration
Password Expiration: Select the checkbox to enable password expiration. If this box is selected, all
passwords will expire at the predetermined age (Expiration Period) defined below. Users will not be warned
about pending expiration unless you configure reminders. Users created with Password Never Expires
enabled will not be subject to the password expiration policies defined on this window.
Password Expiration Period (days): If you enabled password expiration, you must set an expiration period.
Type a number from 90 to 365 representing the period of time each password will remain active. The
default is 90 days.
Minimum period between subsequent password changes (days): Type a number between 1 and 365 to
represent the minimum number of days that must pass between password changes. The default is 1.
Password Expiration Reminder: Select the checkbox to generate on-window reminders to users whose
passwords are approaching expiration. You must also configure the number of days prior to expiration when
these reminders will begin.
Expiration Reminder – Number of days prior to Expiration: Type the number of days from 1 to 30 to
represent the time when expiration notices will begin for users whose passwords are ready to expire. The
default is 14 days prior to expiration.
Password History
Number of Previous Passwords to Not Allow: Email Gateway maintains a history of the passwords set for
each user. Type a number from 1 to 99 to represent the minimum number of most recent passwords that
cannot be repeated. The default is the ten most recent passwords. Using the default, once a password is
no longer among the most recent ten, it can be reused.

When the configuration is finished, click Submit to record it.
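The fields above compose into a single check on a candidate password. The following added example (not from McAfee or the product) implements those rules as a reference for what the window enforces, including the history rule under which a password becomes reusable once it drops out of the most recent N. Reading "special character" as any character that is neither a letter nor a digit, and the example settings and password history, are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasswordPolicy:
    """One attribute per field of the Password Policy Configuration window (defaults as stated there)."""
    min_length: int = 8                  # Minimum Password Length, 8..32
    require_alpha: bool = False          # Password Must Contain Alpha Characters
    min_alpha: int = 1                   # Minimum Number of Alpha Characters, 1..32
    alpha_style: str = "lower & UPPER"   # "lower", "UPPER" or "lower & UPPER"
    require_digits: bool = False         # Password Must Contain Digits
    min_digits: int = 1                  # Minimum Number of Digits, 1..32
    require_special: bool = False        # Password Must Contain Special Characters
    min_special: int = 1                 # Minimum Number of Special Characters, 1..32
    regex: Optional[str] = None          # Regular Expression (REGEX), when that option is enabled
    history_size: int = 10               # Number of Previous Passwords to Not Allow, 1..99

    def __post_init__(self):
        # Reject a policy the window itself would not accept, so a typo cannot weaken it.
        if not 8 <= self.min_length <= 32:
            raise ValueError("min_length must be between 8 and 32")
        if self.alpha_style not in ("lower", "UPPER", "lower & UPPER"):
            raise ValueError(f"unknown alpha character style {self.alpha_style!r}")
        if not 1 <= self.history_size <= 99:
            raise ValueError("history_size must be between 1 and 99")


def check_password(candidate: str, policy: PasswordPolicy, previous: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means it is accepted.

    `previous` is the user's password history, oldest first. A real store would hold
    salted hashes and compare through a verify function; plain strings are used here
    only so that the history rule is easy to see.
    """
    problems = []
    if " " in candidate:
        problems.append("password must not contain spaces")
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    alpha = [c for c in candidate if c.isalpha()]
    if policy.require_alpha:
        if len(alpha) < policy.min_alpha:
            problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
        # The style setting limits which case is allowed; "lower & UPPER" allows both.
        if policy.alpha_style == "lower" and any(c.isupper() for c in alpha):
            problems.append("uppercase letters are not allowed by the alpha character style")
        if policy.alpha_style == "UPPER" and any(c.islower() for c in alpha):
            problems.append("lowercase letters are not allowed by the alpha character style")
    if policy.require_digits and sum(c.isdigit() for c in candidate) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    # Assumption: "special" means any character that is neither a letter nor a digit.
    if policy.require_special and sum(not c.isalnum() for c in candidate) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if policy.regex and not re.search(policy.regex, candidate):
        problems.append(f"does not match the required regular expression {policy.regex!r}")
    # History: only the most recent history_size passwords are off limits; older ones may be reused.
    if candidate in previous[-policy.history_size:]:
        problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems


# Constructed example settings and history; not values from any real appliance.
EXAMPLE_POLICY = PasswordPolicy(min_length=12, require_alpha=True, min_alpha=4,
                                require_digits=True, min_digits=2,
                                require_special=True, min_special=1, history_size=3)
EXAMPLE_HISTORY = ["Old-Pass-2008-1", "Old-Pass-2008-2", "Old-Pass-2009-1", "Old-Pass-2009-2"]

if __name__ == "__main__":
    for pw in ("Gateway-Admin-2009", "short1!", "Old-Pass-2009-1", "Old-Pass-2008-1"):
        verdict = check_password(pw, EXAMPLE_POLICY, EXAMPLE_HISTORY)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```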

Allowed IPs
If the Allowed IPs option is enabled, Email Gateway will accept only browser connections (for Web
Administration) from computers with the IP addresses specified in the table. If this option is not enabled,
Email Gateway administrators can log on from any workstation.
Caution: If IP-based access control (ACL) is enabled without entering valid IP addresses from which
administrators can connect to Email Gateway, all Email Gateway administrators will be immediately locked out of
the Web Administration interface. Administrators must log on to the Email Gateway Command Line Interface, from
either an SSH client or a keyboard and monitor attached to the appliance, and disable this setting. The CLI
command to disable IP-based access control is: system restore acl (see Chapter 36, Using the Command Line).

1 On the Administration tab, click Web Admin Configuration.

2 Click Allowed IPs. The Allowed IPs window appears.

3 Provide the information to complete the window (see Table 274).

4 Click Submit.

Figure 284 Allowed IPs window

Table 274 Allowed IPs fields


Enable IP-based access control: Selecting this checkbox enables access to this Email Gateway appliance
only from the listed addresses.
Currently allowed IPs: The table near the top of the window lists all the IP addresses that are currently
allowed to access Email Gateway if IP-based access is enabled. Other user accounts are blocked.
IP Address: This column displays IP addresses and subnets allowed to access the Email Gateway Web
Administration interface.
Side Note: This column displays any notes an administrator might have provided to identify to whom or
where the IP address belongs.
Delete: Select the Delete checkbox and click Submit to delete an address from this table.
Adding new IP addresses: The data fields allow you to add new IP addresses to the permission list.
Add an IP Address: You can type either an IP address or a subnet.
Side Note for IP: Provide any text that can help identify or describe the address.
Add IP Address from a File: If a list of addresses already exists in a text file, they can be imported in one
step, rather than being entered individually. The addresses must reside in a plain ASCII text file. Each
address must appear on a separate line.
Browse to the text file and click Submit.
Character Set: Select the character set to be used for encoding lists of IPs. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for traditional Chinese for mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters.
• gb 2312 – official character set for the People’s Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People’s Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc-kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Eastern European
Albanian and Afrikaans and Swahili.
• UTF-8 – 8-bit Unicode Transformation Format, allowing variable length character encoding.
Only those character sets supported by both Autonomy and ICONV can be effectively used.
Export: If you want to store the current Allowed IPs list as a backup text file, click the Export hyperlink.

Caution: If you enable IP-address access control and your Email Gateway appliance is connected to an ePolicy
Orchestrator server, the IP address for that server must be included in the Allowed IPs list. For more information
about ePO, see ePolicy Orchestrator configuration in Chapter 33, System Configuration.
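Because enabling IP-based access control with a bad list locks every administrator out, it pays to check the import file offline first. The following Python script is an added example, not part of this guide or of the appliance's own code. It parses a file in the one-address-per-line form the Allowed IPs window expects (plain ASCII, an IP address or subnet per line), reports lines that would not import, flags entries that are duplicates or already covered by a listed subnet, and confirms that the hosts you cannot afford to lose (the administrator's workstation and, where configured, the ePolicy Orchestrator server named in the Cautions above) are covered. The sample file and the required-host addresses are constructed for the example, and the notion of a valid entry (anything Python's ipaddress module accepts as a host or network, in CIDR or dotted-netmask form) is an assumption about the importer, not something the guide states.

```python
import ipaddress

# Constructed sample of an Allowed IPs import file (not from the guide): one IP
# address or subnet per line, plain ASCII.  Documentation ranges are used, and a
# few lines are deliberately wrong to show what the check reports.
SAMPLE_ALLOWED_IPS_FILE = """\
192.0.2.10
192.0.2.0/24
203.0.113.7
192.0.2.10
300.1.1.1
198.51.100.0/255.255.255.0
10.0.0.1 # admin workstation
"""

# Constructed addresses that must stay reachable: the administrator's own
# workstation and the ePO server referred to in the Cautions.  Hypothetical values.
REQUIRED_HOSTS = ["192.0.2.10", "203.0.113.7", "198.51.100.250", "10.0.0.1"]


def parse_allowed_ips(text):
    """Parse an Allowed IPs import file.

    Returns (entries, errors): entries is a list of (line_no, network) for the
    lines that parse as an address or subnet, errors a list of
    (line_no, raw_line, reason) for lines the appliance would not accept.
    Assumption: an entry is valid if ipaddress accepts it as a host or network,
    in CIDR (/24) or dotted-netmask (/255.255.255.0) form.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no address
        if not line.isascii():
            errors.append((line_no, raw, "not plain ASCII"))
            continue
        try:
            # strict=False also accepts a host written with a mask, e.g. 192.0.2.10/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            # covers malformed octets and trailing text such as comments,
            # which the one-address-per-line format does not allow
            errors.append((line_no, raw, str(exc)))
            continue
        entries.append((line_no, net))
    return entries, errors


def find_redundant(entries):
    """Return (line_no, network, covering_line_no) for every entry that is an
    exact duplicate of an earlier line or lies inside another entry's subnet."""
    redundant = []
    for i, (line_no, net) in enumerate(entries):
        for j, (other_line, other) in enumerate(entries):
            if i == j or net.version != other.version:
                continue
            duplicate = net == other and j < i
            covered = net != other and net.subnet_of(other)
            if duplicate or covered:
                redundant.append((line_no, net, other_line))
                break
    return redundant


def missing_required(entries, required_hosts):
    """Return the required hosts that no entry covers.  Enabling IP-based
    access control while any of these is missing locks that host out."""
    networks = [net for _, net in entries]
    return [host for host in required_hosts
            if not any(ipaddress.ip_address(host) in net for net in networks)]


def validate_allowed_ips(text, required_hosts):
    """Run all checks and return a summary dict."""
    entries, errors = parse_allowed_ips(text)
    return {
        "accepted": [(ln, str(net)) for ln, net in entries],
        "rejected": errors,
        "redundant": [(ln, str(net), cov) for ln, net, cov in find_redundant(entries)],
        "missing_required": missing_required(entries, required_hosts),
    }


if __name__ == "__main__":
    report = validate_allowed_ips(SAMPLE_ALLOWED_IPS_FILE, REQUIRED_HOSTS)
    for key, value in report.items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
    if report["rejected"] or report["missing_required"]:
        print("Do not enable IP-based access control until these are fixed.")
```

Run against the sample, the script rejects the out-of-range octet and the line with a trailing comment, and because that comment line was the administrator's own workstation, it lands in missing_required: exactly the situation the first Caution warns about, caught before Submit is clicked.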

Configuring WebAdmin settings


Use the Webadmin Configuration window to configure specific behaviors for the Web Admin interface.
1 On the Administration tab, click Web Admin Configuration.

2 Click Settings. The WebAdmin Configuration window appears.

3 Provide the information to complete the window (see Table 275).

4 Click Add New. The account is added to the User Accounts - Manage window.


Figure 285 Webadmin Configuration window

Table 275 Webadmin Configuration fields

Field Description
General
Log Level: Select the log level from the drop-down list. This setting determines the amount of detail entered into the logs regarding WebAdmin activity.
Administration Inactivity Timeout (minutes): Type a time in minutes after which Web Admin times out the user's login session due to inactivity, forcing a new login. The acceptable range is from 1 to 30 minutes; the default is 30 minutes.
Auto Refresh every (minutes): Type an interval in minutes to determine the refresh rate for Web Admin screens. The acceptable range is from 1 to 30 minutes; the default is 4 minutes.
Log On - Disclaimer
Enable Log On Disclaimer Text: Select the checkbox to display a disclaimer message when the user opens the Login window.
Log On Disclaimer Text: In the scrolling field, type the actual text to be displayed to any user who is preparing to log onto Email Gateway.

User preferences
You can configure the appearance of the Dashboard and the Queue Manager screens and set other
preferences.

Dashboard preferences
You can configure the reports, tables or graphs that appear on the Dashboard, and their locations, using
the Dashboard User Preferences - Configure window. You can also access the window from the Dashboard
itself by clicking the Configure icon at the lower right corner of the window.
On the Administration tab, click Web Admin Configuration. Click User Preferences, then click
Dashboard. The Dashboard User Preferences - Configure window appears. The center column lists all
portlets (each one representing a reporting mechanism) that have not been configured to appear on the
existing Dashboard.


Figure 286 Dashboard User Preferences - Configure window

To add portlets to the Dashboard, do the following:


1 Select one or more of the Available Portlets.

2 Then click the arrow pointing to the panel (Left Panel or Right Panel) where you want the new
information to appear. The portlet will be moved to that panel.

3 Click Save to complete the configuration.

The new portlet appears at the bottom of the panel by default. If you want to change the placement of any
portlet, do the following:
1 Select the portlet.

2 Use the up or down arrow beside the panel to move it to a new location.

3 Click Save to record the change.

To remove portlets from the Dashboard, do the following:


1 Select one or more portlets from either the Left Panel or the Right Panel.

2 Click the arrow pointing to the Available Portlets panel. The portlet will be moved to that panel.

3 Click Save to complete the configuration.

For more information about the reports and charts on the Dashboard, see Chapter 1, The Dashboard.

Queue Manager preferences


Use the Queue Manager User Preferences - Configure window to configure the appearance of the various
message screens in the Queue Manager program area.
1 On the Administration tab, click Web Admin Configuration.

2 Click User Preferences, then click Queue Manager. The Queue Manager User Preferences - Configure
window appears.

3 Provide the information to complete the window (see Table 276).

4 Click Submit.


Figure 287 Queue Manager User Preferences - Configure window

Table 276 Queue Manager User Preferences - Configure fields

Field Description
Column Name: This column lists all the potential columns that can appear on the Queue Manager's message detail lists. Choices are:
• From
• To
• Subject
• Size
• Date
• Schedule Time
• Current Queue
• IP
• Virtual Hosts
• ID
Show: Select this checkbox if the column is to appear on the window.
Abbreviate: Selecting this checkbox will logically abbreviate text in the associated columns to ensure that the text fits better and is understandable.
Width: Type the number of characters allowed in the column.

When the parameters have been configured, click Submit. The format will be implemented.

Miscellaneous preferences
Use the Miscellaneous User Preferences - Configure window to configure the view the user gets at log on,
the availability of Quick Snapshots from navigation, and the bookmarking capability.
1 On the Administration tab, click Web Admin Configuration.

2 Click User Preferences, then click Miscellaneous. The Miscellaneous User Preferences - Configure
window appears.

3 Provide the information to complete the window (see Table 277).

4 Click Submit.


Figure 288 Miscellaneous User Preferences - Configure window

Table 277 Miscellaneous User Preferences - Configure fields

Field Description
Skip Dashboard After Login: Select this checkbox to display the alternative opening window at log on, rather than the Dashboard.
Remove Quick Snapshot from Top Menu Navigation: Select this checkbox to remove the Quick Snapshots from the top menu tabs. When the user selects any tab, the snapshots will not display.
Enable bookmarking: Select this checkbox to allow the user to bookmark windows visited regularly.
Bookmark list size: Type the maximum number of screens that can be included in the bookmarked list.
Auto Refresh Log Initial Pull: Type the number of lines of log data the tail log will initially pull.
Auto Refresh Log Pull Frequency: Type a value to represent how often, in milliseconds, the tail log command should pull log data.
Auto Refresh Log Maximum Size: Type the maximum size, in bytes, of log data the tail log should show on the window.
Preferred Virtual Host: Select the Virtual Host to be shown at log on. The list always contains the Default Virtual Host, plus any other Virtual Hosts that have been created.
Whitelist Days in Yellow Zone: Type the number of days that a whitelist rule can be marked with a yellow flag on the Whitelist - View Rules window.
Whitelist Days in Red Zone: Type the number of days that a whitelist rule can be marked with a red flag on the Whitelist - View Rules window.

Note: For more information about whitelisting and the “Last Hit Date” indicators, see Viewing whitelists.

Clustering
Clustering allows you to configure a group of Email Gateway appliances to mirror the same configuration
across all appliances in the cluster. All the configured items that must be similar on different appliances
performing the same function within a network are shared from a primary appliance.
Note: Clustering can only be applied to Encryption features (Advanced Encryption).

A cluster is a number of Email Gateway appliances that have a peer-to-peer relationship. The items that
are shared are not configurable. Any message that triggers shared items will be immediately replicated
across all other members in the cluster.
Caution: Email Gateway and Advanced Encryption will not synchronize users that existed prior to the time you
establish a cluster.


Starting a cluster
Figure 289 Cluster window (start cluster)

To start a new cluster, do the following:


1 Log onto an Email Gateway appliance. Email Gateway opens.

Note: You can start a new cluster only from an appliance that is not already in a cluster.

2 On the Administration tab, click Cluster. The Cluster window appears.

3 Click the radio button labelled Start New Cluster. The IP address for the appliance is added to the peer
list.

4 Click Submit. The new cluster is now ready to accept other appliances.

Adding an appliance
Figure 290 Cluster window (join cluster)

To add an appliance to an existing cluster, do the following:


1 Log onto an Email Gateway appliance. Email Gateway opens.

Note: You can add only an appliance that is not already part of a cluster.

2 On the Administration tab, click Cluster. The Cluster window appears.

3 Click the radio button labelled Join Existing Cluster. The IP address for the appliance is added to the
peer list.

4 Click Submit. The appliance is added to the cluster.

Note: The maximum number of appliances allowed in a cluster is four. Adding a fifth appliance disrupts the
stability of the cluster.


Removing an appliance
Figure 291 Cluster window (for removal)

To remove an appliance from a cluster, do the following:


1 Log onto an Email Gateway appliance. Email Gateway opens.

2 On the Administration tab, click Cluster. The Cluster window appears.

Note: If the appliance is part of a cluster, the window includes the Remove From Cluster button.

3 Click Remove From Cluster.

4 Click Submit. The appliance is removed.

General administration
You can configure important general functions for your Email Gateway on the Administration tab. They
include the following:
• The cleanup schedule

• Appliance certificates

• Administration account password changes.

The Cleanup Schedule


Email Gateway accumulates many files and much data over time. McAfee recommends that you configure
the cleanup schedule to regularly purge the system of unnecessary files and data.
To configure the cleanup schedule, do the following:
1 On the Administration tab, click Web Admin Configuration.

2 Click Cleanup Schedule. The Cleanup Schedule - Configure window appears.

3 Provide the information to complete the window (see Table 278).

4 Click Submit.


Figure 292 Cleanup Schedule - Configure window

You must specify three options to configure the schedule:


• The files to be cleaned.

• The cleanup interval – how long a file can remain on the disk before it is cleaned from the disk.

• The cleanup cycle – how often (or when) the cleanup cycle will run.

Table 278 Cleanup Schedule - Configure fields

Field Description
File Type: From the drop-down list, select the type of file for which you are configuring a cleanup schedule.
Quarantine Type: If you selected Quarantine Data as the file type, select All Quarantines or a specific quarantine type from the drop-down list.
Granular Schedule: If you select a specific quarantine type, this checkbox is enabled. Select it if you want to specify an individual cleanup schedule for this quarantine type. Otherwise, the general cleanup schedule for all quarantines applies.
Cleanup Interval: Specify the number of hours or days that this particular kind of file should remain in the database.
Frequency Schedule: Click this option to create a fixed-interval schedule for the cleanup cycle. Select an interval of from 1 to 72 hours between cycles.
Detailed Schedule: Click this option to create a detailed schedule for the cleanup cycle. The schedule is configured in two steps:
Select the day during which the cleanup cycle is to run. You can select only one day at a time. However, after you submit the detailed schedule for one day, you can do it again for another day and the system will accumulate the daily schedules. It is therefore possible to create individual detailed schedules for all seven days of the week.
Select the checkboxes to enable Auto Cleanup at the selected times. You can select from 0 to 24 cleanup times per day.

Configuring Appliance Certificates


Use this window to select the X.509 Certificate Email Gateway uses for TLS/SSL encryption. All installed
X.509 certificates will show on the drop-down list.
1 On the Administration tab, click Web Admin Configuration.

2 Click Configure Appliance Certificate. The Appliance Certificates - Configure window appears.

3 Select a certificate from the drop-down list.

4 Click Submit.


Figure 293 Appliance Certificate - Configure window

Changing the Admin Password


You are strongly encouraged to change the default admin password during your first administrative session.
After that, you can change the password at your discretion.
1 On the Administration tab, click Web Admin Configuration.

2 Click Change Password. The Change Password window appears.

3 Type the new password in the New Password field.

4 Confirm it by typing it again in the Confirm Password field.

5 Click Submit. The password is changed.

Note: The admin password can be changed, but the admin user name cannot be changed or deleted.

Figure 294 Change Password window



32 Health Monitor
Contents
Configuring the Health Monitor
Health Monitor’s tests
Configuring Email Gateway alerts

Configuring the Health Monitor


Health Monitor is an Email Gateway subsystem that examines the appliance’s overall performance, running
a series of tests to ensure that all services and processes are performing as designed. Health Monitor wakes
up at a user-defined interval and runs automatically in the background to test its many subsystems. Email
Gateway also monitors the status of any internal servers that are in-line with Email Gateway (Health
Monitor sends the mail server a connection request to ensure that it is responsive).
Note: An intermediary device between Email Gateway and the mail server might interfere with proper detection
by making an incorrect determination from the intermediary device’s response.

The Health Monitor window provides a link that allows you to run a Health Monitor cycle on demand (Run
Now); it also presents the properties that allow you to configure Health Monitor.
Use the Health Monitor Configuration window to define Health Monitor’s properties.
1 On the Administration tab, click Web Admin Configuration.

2 Click Health Monitor, then click Configuration. The Health Monitor Configuration window appears.

3 Provide the information to complete the window (see Table 279).

4 Click Submit.

Note: Click View Log to view detailed Health Monitor results.


Figure 295 Health Monitor Configuration window

Table 279 Health Monitor Configuration fields

Field Description
General
Log Level: Email Gateway offers four levels of logging, primarily to assist McAfee Support engineers when technical support is required. Select the log level you prefer.
Run Interval (secs): Type the number of seconds from when the Health Monitor completes one run to when it starts another. It is recommended that this Run Interval not be set lower than the default 300 seconds (five minutes). During periods of high Email Gateway activity, for example heavy mail load, it can take several minutes or more for Health Monitor to finish its tests.
Failure Handling
Failure Count: Type how many times Health Monitor should repeat a failed system test before recording the failed test as an error. If this value is set to 10 and a certain test fails 9 times but passes on the next try, Email Gateway does not record an error. Only if the test fails on the successive attempt will Email Gateway log it as an error and move on to the next test. It is highly recommended that this default value (10) not be changed without first consulting McAfee Technical Support. If Notification Enabled is selected, and the Email Gateway Alert Manager is configured for it, Email Gateway sends an email, pager, or SNMP alert to you when this occurs.
Restart SMTPO: If, during its process, Health Monitor finds that SMTPO is not running, you have the option of restarting it. If you want Health Monitor to restart SMTPO, select this checkbox.
Monitoring
Disk Space/Inodes Used Alert (%): While there is a small disk partition devoted to the appliance's operating system, all of the Email Gateway program files, email Message Store, and temporary files reside on one separate partition. Enter a number in this field to represent how full the partition can become before generating an alarm. If Notification Enabled is selected, and the Email Gateway Alert Manager is configured for it, Email Gateway sends an email, pager, or SNMP alert to you when this threshold is reached. The default threshold (75%) is acceptable in the beginning. After Email Gateway is fully in-line in the mail flow, and its logs and reports have accumulated on disk for several days, use the Email Gateway System Graphs to view actual disk utilization. You can also see Email Gateway disk utilization using the Command Line Interface.
Deny Connections at Disk/Inodes Usage (%): Type a value, from 1 to 90, to represent the maximum percentage of disk space utilization after which Email Gateway stops accepting new messages. The Email Gateway SMTPI service stops accepting new SMTP connection requests when this threshold is reached. This value must be higher than the Disk Space/Inodes Used Alert value.
Queue Inactivity Timeout (secs): During Health Monitor's tests, it looks at the time stamp when a message entered one of the queues, then compares it to the current system time. Type the number of seconds a message can remain in a queue before Health Monitor assumes the queue has encountered an error, stops the queue and restarts it. If Queue Inactivity Timeout is set to '0' (with the expectation that email should be processed by the queues immediately), Health Monitor might inaccurately report in its Detailed Log that a problem has occurred. If there is a slow pipeline to the internal mail server and/or high email volume, Health Monitor reports queue inactivity errors even though messages might be processed and flowing as expected. Initially, accept the default period of inactivity of ten minutes (600 seconds). If the Email Gateway is processing large numbers of messages in a high email volume environment, increase the number of seconds.
Unprocessed Message Threshold for Outbound Queue: Type the number of messages to serve as the threshold for the Outbound Queue. This integer represents the maximum number of unprocessed messages that should be in the queue. If the threshold is met or exceeded, Health Monitor generates an alert.
Unprocessed Message Threshold for All Queues: Type a number of messages to serve as the threshold for all queues. This integer represents the maximum number of unprocessed messages that should be in any one of the other queues at any time. If the threshold is met or exceeded, Health Monitor generates an alert.
Notifications
Notification Enabled: If this option is selected, Health Monitor sends alerts for any detected errors to the Email Gateway Alert Manager. Though the Alert Manager can receive the alerts from the Health Monitor, the alerts are not delivered to you unless the Alert Manager is configured to do so.
Notification Schedule (secs): Rather than repeatedly generating alerts every time it detects the same error in successive tests, Health Monitor generates alerts only according to this notification schedule. After the fourth notification, Health Monitor will continue sending alerts (if the condition persists) every nnn minutes, where nnn is the interval between the third and fourth notifications. For example, if the notification schedule is 1 minute, 20 minutes, 1 hour, and 4 hours, subsequent notifications will be sent every three hours thereafter. Type, in increasing order, the number of seconds Health Monitor should wait before sending the same alert to the Email Gateway Alert Manager if, on a successive test, the condition still exists.
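The Failure Count and Notification Schedule rules in Table 279 are easier to reason about, and to sanity-check a planned configuration against, as code. The following Python model is an added example, not the appliance's own code. It applies the documented rules (an error is logged only after Failure Count consecutive failures of one test; repeat alerts follow the four schedule offsets and then recur at the interval between the third and fourth) and checks a settings dict against the constraints the table states (Run Interval not below 300 seconds, Deny Connections between 1 and 90 and above the Disk Space alert threshold, Queue Inactivity Timeout not 0, schedule values increasing). The dict keys, the sample values, the assumption that a schedule holds exactly four entries and the assumption that those offsets count from the first alert are mine for this illustration, not taken from the guide.

```python
# Constructed Health Monitor settings (hypothetical key names, not the
# appliance's own): the values are the defaults and the example given in Table 279.
SAMPLE_CONFIG = {
    "run_interval_secs": 300,
    "failure_count": 10,
    "disk_alert_pct": 75,
    "deny_connections_pct": 90,
    "queue_inactivity_timeout_secs": 600,
    # 1 minute, 20 minutes, 1 hour, 4 hours, as in the table's example
    "notification_schedule_secs": [60, 1200, 3600, 14400],
}


def config_problems(cfg):
    """Return the documented constraints that cfg violates (empty list = OK)."""
    problems = []
    if cfg["run_interval_secs"] < 300:
        problems.append("Run Interval below the recommended minimum of 300 seconds")
    alert, deny = cfg["disk_alert_pct"], cfg["deny_connections_pct"]
    if not 1 <= deny <= 90:
        problems.append("Deny Connections at Disk/Inodes Usage must be between 1 and 90")
    if deny <= alert:
        problems.append("Deny Connections threshold must be higher than the Disk Space/Inodes Used Alert")
    if cfg["queue_inactivity_timeout_secs"] == 0:
        problems.append("Queue Inactivity Timeout of 0 causes spurious queue errors in the Detailed Log")
    sched = cfg["notification_schedule_secs"]
    if any(later <= earlier for earlier, later in zip(sched, sched[1:])):
        problems.append("Notification Schedule values must be in increasing order")
    return problems


def errors_logged(attempt_results, failure_count):
    """Apply the Failure Count rule to one test's attempts (True = pass, False = fail).

    Health Monitor repeats a failed test and logs an error only when
    failure_count attempts in a row have all failed; a pass in between resets
    the count.  Returns how many errors are logged for the sequence.
    """
    errors = 0
    consecutive_failures = 0
    for passed in attempt_results:
        if passed:
            consecutive_failures = 0
            continue
        consecutive_failures += 1
        if consecutive_failures == failure_count:
            errors += 1
            consecutive_failures = 0  # error logged; Health Monitor moves on to the next test
    return errors


def steady_state_interval(schedule_secs):
    """Interval used after the fourth notification: the gap between the third
    and fourth schedule values (1 h to 4 h in the table's example gives 3 h)."""
    if len(schedule_secs) != 4:
        raise ValueError("this model assumes the four-entry schedule the table describes")
    return schedule_secs[3] - schedule_secs[2]


def repeat_alert_offsets(schedule_secs, condition_duration_secs):
    """Seconds after the first alert at which the same alert is re-sent while
    the condition persists: the four schedule offsets, then every
    steady_state_interval.  Assumption: offsets count from the first alert."""
    step = steady_state_interval(schedule_secs)
    offsets = [t for t in schedule_secs if t <= condition_duration_secs]
    if len(offsets) == 4:
        t = schedule_secs[3] + step
        while t <= condition_duration_secs:
            offsets.append(t)
            t += step
    return offsets


if __name__ == "__main__":
    print("config problems:", config_problems(SAMPLE_CONFIG) or "none")
    print("9 failures then a pass, Failure Count 10 ->",
          errors_logged([False] * 9 + [True], 10), "error(s)")
    print("10 failures, Failure Count 10 ->", errors_logged([False] * 10, 10), "error(s)")
    day = 24 * 3600
    print("re-alerts over one day (s):",
          repeat_alert_offsets(SAMPLE_CONFIG["notification_schedule_secs"], day))
```

With the table's example schedule, a condition that persists for a full day produces ten repeat alerts: the four scheduled ones and then one every 10800 seconds (three hours), which is what the table's "every three hours thereafter" works out to.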

Health Monitor’s tests


The following table lists the tests Health Monitor runs.

Table 280 Health Monitor tests

Test Test Name
httpd: Web Administration Test
sys-crypto: System Status Test – Crypto
sys-disk: System Status Test – Disk
sys-inode: System Status Test – Inode
sshd_maint: SSHD Command Line Interface (CLI) Test
tomcat: Web Administration JSP Test
sys-cmctunnel: System Status Test – Control Center Connection Test
reports: Reports Test
admin: Admin Server Test
smtpo-count: SMTP Outbound Queue Count Test
superq-count: SuperQueue Count Test
superq: SuperQueue Test
smtpo: SMTP Outbound Queue Test
smtpproxy: SMTP Inbound Proxy Test
pop3proxy: POP3 Proxy Test
imap4proxy: IMAP4 Proxy Test
sys-dnshijack: System Status Test – DNS Hijack
iwm: WebMail Protection Test
swm-tomcat: SWM Web Admin JSP Test
urq-tomcat: URQ Web Admin JSP Test
eusrquarantine: EUQ Server Test

Configuring Email Gateway alerts


Use the Health Monitor Alerts - Configure window to configure the type of alert that is generated by each of
Health Monitor’s tests.
Note: If you want to generate alerts for every test, you must configure the alerts for each test individually.

1 On the Administration tab, click Web Admin Configuration.

2 Click Health Monitor, then click Configure Alerts. The Health Monitor Alerts - Configure window appears.

3 Provide the information to complete the window (see Table 281).

4 Click Submit.

Figure 296 Health Monitor Alerts - Configure window

Table 281 Health Monitor Alerts - Configure fields

Field Description
Test Name: From the drop-down list, select the test for which you want to configure alerts.
Error Alert Type: From the drop-down list, select the specific type of alert to be generated when Health Monitor detects an error from the specified test.
Success Alert Type: From the drop-down list, select the type of alert to be generated when the test runs successfully.
Restart Failure Alert Type: Select the specific type of alert to be generated when Health Monitor cannot restart the feature or function being tested.



SECTION 10

System

Chapter 33, System Configuration

Chapter 34, System Updates

Chapter 35, General System Functions


33 System Configuration
Contents
Appliance configuration
ePolicy Orchestrator configuration
Configuring IP addresses
Configuring WebAdmin and CLI
Routing
The serial port
SSH configuration
System backup and restore
The Check Tool

Appliance configuration
Initially, the Appliance Configuration window displays information that was entered during the Initial
Configuration Wizard when Email Gateway was first installed. At any time afterward, these settings can be
changed as required.
Figure 297 Appliance Configuration window

Table 282 Appliance Configuration fields

Field Description
General
Domain Name: Type the domain name to which Email Gateway belongs.
Fully Qualified Domain Name: Type the Fully Qualified Domain Name for the server where Email Gateway resides.
DNS Servers
DNS-1: Type the IP address of the primary DNS server. (At least one DNS server must be provided.)
DNS-2: Type the IP address of a secondary DNS server. (A second DNS server is optional.)
DNS-3: Type the IP address of a tertiary DNS server. (A tertiary DNS server is optional.)


To change the configuration of the appliance, make changes to any of the fields on the window. When the
changes have been made, click Submit. The window will refresh.

ePolicy Orchestrator configuration


Using ePolicy Orchestrator (ePO), you can consolidate information from all the MEG appliances in your
network, reporting the results as if they were produced by one appliance. From the ePO server, you can
drill down to find information about individual appliances. You also have the ability to open a browser
window directly from ePO to the Administration GUI of each appliance.

Key concepts
Two particular terms used in conjunction with ePO require clarification.

Events
The Email Gateway appliances on the managed system generate software events constantly during normal
operation. These can range from information events about regular operation, such as when MEG enforces
policies locally, to events such as alerts generated by Email Gateway. Email Gateway sends these events to
the ePO server every hour, and ePO stores them in the database. A typical deployment of ePolicy Orchestrator
in a large network can generate thousands of these events an hour. ePolicy Orchestrator consolidates this
data into graphs and charts.

Extensions
Extensions are ZIP files you install on the ePO server in order to manage another security product in your
environment. The extensions contain the files, components, and information necessary to manage such a
product.

Configuring ePO functions


Use the ePO configuration window to set up your ePO functions. To configure ePO, do the following:
1 In the System tab, navigate to the configuration window (System | Configuration | ePO Configuration).
The ePO Configuration window appears.

2 Provide the information to complete the window (see Table 283).

3 When you have finished, click Submit to save the configuration.

Figure 298 ePO Configuration window


Table 283 ePO Configuration fields

Field Description
Event Generation: Select the check box to enable MEG to generate events for ePO.
Max Event Count: Type a number between 1 and 336 to establish how many events (not yet pulled by ePO) MEG is allowed to generate. When the number generated reaches this total, MEG will continue to generate events, deleting the oldest so as not to exceed the maximum number. The default setting is 24 events. Note: This function prevents storage capacity issues in the event ePO cannot pull events from MEG for some reason.
Download ePO extension: Click the link to download the ePO extensions for MEG as a compressed file. Extract and install the extensions.
Download ePO extension help: Click the link to download the help files associated with the extensions. Extract and install the help files.

Caution: If you enable event generation between your Email Gateway appliance and an ePolicy Orchestrator
server, the IP address for that server must be included in the Allowed IPs list. For more information about allowed
IP addresses, see Allowed IPs in Chapter 31, Email Gateway Administration.

ePolicy Orchestrator provides the following information on an hourly basis about all MEG appliances in the
network, combined.

Table 284 ePO information types

Information type Description
Update status: ePO reports the update status of each managed MEG appliance, including:
• Version
• Hotfixes installed
• TRU version
• AV engine version for each installed engine
• AV signature version for each installed engine
The date for each update is included.
Services status: ePO reports the running status of each enabled service, including:
• SMTPI
• SMTPO
• SuperQueue
• POP3
• IMAP
• WebMail
• Anomaly Detection
• CLI
• Support
Charts: ePO displays both System and Queue charts, including:
• System charts
  • Network errors
  • File system use
• Queue charts
  • Queue statistics
  • Queue process statistics
  • Queue action statistics
For more information about these charts (for an individual appliance), see Chapter 1, The Dashboard.
Message blocking summary: This summary includes overall message blocking data (messages allowed/blocked).
Alert summary: ePO displays a summary of the number of alerts generated, by alert type.
Connection blocking status: ePO shows information about connections, including the following:
• Connections accepted
• LDAP rejections
• Connection Control rejections
• Phishing rejections
• BATV rejections
• TrustedSource rejections
• Total connections blocked
Feature action status: ePO shows the allow and block actions by specific features, including:
• Anti-spam protection
• Anti-virus protection
• Policy systems

Configuring IP addresses
Email Gateway provides the capability to configure a variety of IP addresses. This provision is particularly
important with the concept of Virtual Hosts and the related delegation of administrative tasks.
Email Gateway allows the configuration of two types of IP addresses: Primary and Alias. The number of
Primary IP Addresses an Email Gateway appliance can support is directly related to the number of active
Network Interface Cards (NICs) it has. You can configure one Primary IP Address per NIC. All other IP
Addresses will be Aliases.
Each Alias IP Address is associated with only one NIC. Email traffic for that Alias IP flows through the NIC
assigned to the Primary IP Address.
All existing IP Addresses that are currently configured for this Email Gateway appliance will be displayed on
the IP Addresses - Manage window. The IP address information will be separated into sections, one section
for each active NIC.
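The Primary/Alias rules above (one Primary per NIC, every Alias tied to a NIC's Primary, and, as Table 286 adds, an Alias netmask equal to its Primary's) are simple enough to check before anything is typed into the IP Addresses - New window. The following Python script is an added example, not the appliance's code: it validates a planned address list against those rules and also catches an address entered twice or one that is not an IP address at all. The NIC names, addresses and the tuple layout of the plan are constructed for this illustration; the appliance's own validation is not shown here.

```python
import ipaddress

# Constructed IP plan for one appliance (NIC names and addresses are made up):
# each entry is (nic, interface_type, ip_address, netmask) as the
# IP Addresses - New window asks for them.
SAMPLE_IP_PLAN = [
    ("eth0", "Primary", "192.0.2.10",   "255.255.255.0"),
    ("eth0", "Alias",   "192.0.2.11",   "255.255.255.0"),
    ("eth0", "Alias",   "192.0.2.12",   "255.255.255.128"),  # netmask differs from the Primary
    ("eth1", "Primary", "198.51.100.5", "255.255.255.0"),
    ("eth1", "Primary", "198.51.100.6", "255.255.255.0"),    # second Primary on one NIC
    ("eth2", "Alias",   "203.0.113.9",  "255.255.255.0"),    # Alias on a NIC with no Primary
    ("eth0", "Alias",   "192.0.2.11",   "255.255.255.0"),    # duplicate of an earlier entry
    ("eth0", "Alias",   "192.0.2.999",  "255.255.255.0"),    # not an IP address at all
]


def validate_ip_plan(plan):
    """Check a plan against the rules the guide states: one Primary IP per NIC,
    every Alias tied to a NIC that has a Primary, Alias netmask equal to that
    Primary's netmask, and no address configured twice.

    Returns a list of (ip_address, nic, code) problems; codes are
    'invalid', 'duplicate', 'second-primary', 'no-primary', 'netmask-mismatch'.
    """
    problems = []
    parsed = []           # (nic, kind, addr, interface) for entries that parse
    primaries = {}        # nic -> ip_interface of its Primary
    seen = {}             # addr -> nic of first occurrence

    # First pass: syntax, duplicates, and the one-Primary-per-NIC rule.
    for nic, kind, addr, mask in plan:
        try:
            iface = ipaddress.ip_interface(f"{addr}/{mask}")
        except ValueError:
            problems.append((addr, nic, "invalid"))
            continue
        if addr in seen:
            problems.append((addr, nic, "duplicate"))
        else:
            seen[addr] = nic
        if kind == "Primary":
            if nic in primaries:
                problems.append((addr, nic, "second-primary"))
            else:
                primaries[nic] = iface
        parsed.append((nic, kind, addr, iface))

    # Second pass: Aliases can only be judged once every Primary is known.
    for nic, kind, addr, iface in parsed:
        if kind != "Alias":
            continue
        primary = primaries.get(nic)
        if primary is None:
            problems.append((addr, nic, "no-primary"))
        elif iface.netmask != primary.netmask:
            problems.append((addr, nic, "netmask-mismatch"))
    return problems


if __name__ == "__main__":
    for addr, nic, code in validate_ip_plan(SAMPLE_IP_PLAN):
        print(f"{nic:5} {addr:15} {code}")
```

The two-pass structure matters: an Alias listed before its Primary is legitimate in a plan, so the Alias rules are applied only after the whole list has been read.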
Figure 299 IP Addresses - Manage window


Table 285 IP Addresses - Manage fields

Field Description
ID: This column displays the unique, system-generated ID number for each configured IP address.
IP Address: The actual IP address is listed in this column.
Primary: If the IP address is a Primary IP (the main IP address for a specific Network Interface Card), this column will contain an 'X' in the appropriate row. If the IP address is an Alias (assigned to a Primary IP), the column will be blank.
Netmask: This column will list the netmask that defines each IP Address.
Ethernet Setting: The selected Ethernet setting for each Primary IP Address will be displayed here. Alias IP Addresses will use the setting associated with their assigned Primary IP Addresses.
Assigned To: If the IP Address is assigned to any feature or functionality in Email Gateway, the assignment will be recorded in this column.
Change State: If an IP address is newly added or newly edited, it will appear with a Pending status in this column. When the system has been restarted, the IP Address will be activated, and the column will show a Completed state.
Delete: Selecting the checkbox and then clicking Submit will cause the IP Address to be deleted from the system.

If you have set any IP Address for deletion, click Submit. If you wish to prevent pending changes from
being carried out, click Clear All Pending.

Adding an IP address
To add a new IP Address, click the Add New button at the bottom of the IP Addresses - Manage window.
The Add New window will display. The appearance of the window will depend upon whether you are adding
a primary IP Address or an Alias.
Figure 300 IP Addresses - New window

Table 286 IP Addresses - New fields

Interface – From the drop-down list, select the type of interface for this new IP address. You can select Primary or Alias. You can have one Primary IP Address for each Network Interface Card (NIC) on your system. IP Addresses in excess of that number must be Alias IPs, assigned to one of the Primary IP addresses.
IP Address – Type the actual IP address you want to add.
IP Netmask – Type the IP netmask that defines the network. If the IP is to be an Alias, the netmask must match the netmask for the Primary IP Address.
Ethernet Setting – Select the Ethernet setting for a Primary IP Address from the pick list. Alias IP Addresses will not have this option; Ethernet settings apply only to primary IP addresses.
Side Note – You can type descriptive text to identify this IP address if you wish.

When the new IP Address configuration is complete, click Submit. The IP Addresses - Manage window will
refresh, adding the new IP Address and showing it in the Pending state. Activating (completing) the IP
Address will require a level 4 Restart. After the restart, the status will change to Complete.

Editing an existing IP address


To edit an existing IP Address, begin by clicking the ID number on the IP Addresses - Manage window. The
IP Addresses - Edit window for that IP address will appear.

Table 287 IP Addresses - Edit fields

Interface – This field shows the interface number for this IP Address. This field is not editable.
IP Address – Type the actual IP address you want to add. You can replace the existing IP address.
IP Netmask – Select the proper netmask for this IP.
Ethernet Setting – Select the correct Ethernet setting from the drop-down list.
Side Note – You can type descriptive text to identify this IP address if you wish.
Assigned To – This field shows the Virtual Hosts and services to which the IP address is currently assigned. This field is not editable.

Editing an Alias IP Address requires similar data.


When the changes to the configuration for this IP Address are completed, click Submit. The IP Addresses -
Manage window will refresh, showing this IP Address with a Pending status. Activating (completing) the IP
Address changes will require a level 4 Restart.

Configuring WebAdmin and CLI


This feature allows you to set the IP addresses that are to be used for Web Administration access to the
Email Gateway appliance, and access via the Command Line Interface.
Figure 301 Web Admin & CLI - Configure window

Table 288 Web Admin & CLI - Configure fields

IP Address for WebAdmin UI – From the pick list, select the appropriate IP address to be used for accessing Email Gateway via the WebAdmin UI.
IP Address for CLI – From the pick list, select the appropriate IP address to be used for accessing Email Gateway via the Command Line Interface.


When the proper IP addresses have been selected, click Submit to record the changes.
Note: Configuration or changes to either access method will require restarting that access type before the new IP
address will become effective.

Routing
When messages are addressed to mail servers that Email Gateway cannot directly reach (because Email
Gateway is in a DMZ or for other reasons), a static route must be created so that the mail Email Gateway
proxies can be delivered to the internal mail servers. The Routing - Configure window allows you to create
this route.
Figure 302 Routing - Configure window

Table 289 Routing - Configure fields

ID – This column lists the unique system-generated ID number for each configured route.
IP Address/Subnet – Type the IP address of the machine that Email Gateway must deliver its mail to. The Default Router represents the IP address and the default gateway Email Gateway will use if no other static route and gateway have been configured.
Netmask – Select from the NetMask pick list the subnet mask used by the machine.
Gateway – Type the IP address of the gateway that knows how to reach the machine Email Gateway needs to deliver its mail to.
Change State – This column shows the current status of each configured route. Each listing will show a “Pending” state until changes are committed using the buttons at the bottom of the window.
Delete – Select a machine’s Delete checkbox and click Submit to delete a “route” from this table.
Command Buttons – The buttons at the bottom of the window permit a variety of actions:
• Submit – clicking this button will record any changes you have made to the configuration.
• Reset – click this button to return the window, without saving, to the configuration that was present before you made changes.
• Clear All Pending – clicking this button will clear all changes that are currently in the pending state so they cannot be committed.
• Add New – clicking this button opens a window that will allow you to add a new static route to the table displayed.
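The route selection that this table describes, as an added example (not code from McAfee or from this guide): a small Python model of the Routing table that picks the gateway for a destination server by longest prefix, falls back to the Default Router when nothing matches, and goes one step beyond the page by flagging a Gateway that no Primary IP subnet can reach. All route rows and addresses are constructed.

```python
"""Static-route selection and sanity checks for the Routing - Configure table.

Added example, not McAfee code. It models route rows with the table's own
fields (IP Address/Subnet, Netmask, Gateway) plus the Default Router, then
answers "which gateway carries mail for this server?" by longest-prefix
match with Default Router fallback, and flags rows whose Gateway is not on
the subnet of any Primary IP (a route the appliance can never use). All
addresses are constructed (RFC 5737 documentation and RFC 1918 ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One row of the Routing - Configure window."""
    destination: str  # IP Address/Subnet column
    netmask: str      # Netmask column (dotted form, as the pick list shows it)
    gateway: str      # Gateway column

    @property
    def network(self) -> IPv4Network:
        # strict=False lets a single host address stand for its own network
        return IPv4Network(f"{self.destination}/{self.netmask}", strict=False)


@dataclass
class RouteTable:
    routes: List[StaticRoute]
    default_router: str     # used when no static route matches
    primary_ips: List[str]  # one Primary IP per NIC, e.g. "192.0.2.10/255.255.255.0"

    def next_hop(self, server: str) -> str:
        """Gateway for mail to `server`: most specific matching route, else Default Router."""
        addr = IPv4Address(server)
        best: Optional[StaticRoute] = None
        for route in self.routes:
            if addr in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen
            ):
                best = route
        return best.gateway if best is not None else self.default_router

    def problems(self) -> List[str]:
        """Rows the form would accept but that can never deliver mail."""
        on_link = [IPv4Interface(p).network for p in self.primary_ips]
        findings = []
        for route in self.routes:
            gw = IPv4Address(route.gateway)
            if not any(gw in net for net in on_link):
                findings.append(
                    f"{route.destination}/{route.netmask}: gateway {gw} is not on any Primary IP subnet"
                )
        if not any(IPv4Address(self.default_router) in net for net in on_link):
            findings.append(f"Default Router {self.default_router} is not on any Primary IP subnet")
        return findings


def sample_table() -> RouteTable:
    """Constructed scenario: appliance in a DMZ (192.0.2.0/24); internal mail
    servers in 10.10.0.0/16 sit behind the inside firewall leg 192.0.2.1."""
    return RouteTable(
        routes=[
            StaticRoute("10.10.0.0", "255.255.0.0", "192.0.2.1"),
            StaticRoute("10.10.5.0", "255.255.255.0", "192.0.2.2"),  # more specific: wins for 10.10.5.x
            StaticRoute("172.16.0.0", "255.255.0.0", "10.0.0.1"),    # mistyped gateway, off-link
        ],
        default_router="192.0.2.254",
        primary_ips=["192.0.2.10/255.255.255.0"],
    )


if __name__ == "__main__":
    table = sample_table()
    for server in ("10.10.5.7", "10.10.9.1", "198.51.100.25"):
        print(server, "->", table.next_hop(server))
    for finding in table.problems():
        print("WARNING:", finding)
```

Running the check before committing a route avoids a level 4 Restart that activates a route the appliance cannot use.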


Adding a new route


To add a new routing to the list, click the Add New button at the bottom of the Routing - Configure window.
The Add New window will display.
Figure 303 Routing - Configure - New window

Table 290 Routing - Configure - New fields

IP Address/Network – Type the IP address or the network for the server with which Email Gateway is to communicate.
Netmask – Select the netmask from the pick list that best defines the network.
Gateway – If this network is accessible through a specific gateway, type the IP address for that gateway.
Upload from File – You can upload a list of IP Addresses or Subnets from a file by browsing to the file location or entering the complete path to the file.
Character Set – Select the character set to be used for encoding routing entries. Options are:
• big5 – used for traditional Chinese in Taiwan and Hong Kong
• iso-2022-cn – ISO standard character set for Chinese
• gbk – used for traditional Chinese for mainland China
• hz – data format for exchanging files of arbitrarily mixed Chinese and ASCII characters.
• gb 2312 – official character set for the People's Republic of China; superseded by gbk and gb 18030
• gb 18030 – official character set for the People's Republic of China
• iso-2022-kr – ISO standard character set for Korean
• euc_kr – extended UNIX code character set for Korean
• iso-2022-jp – ISO standard character set for Japanese
• euc-jp – extended UNIX code character set for Japanese
• shift_jis – a group of character sets for Japanese, combining several standards
• iso-8859-1 (latin1) – character set for most Western European languages, plus Eastern European Albanian and Afrikaans and Swahili.
• UTF-8 – 8-bit Unicode Transformation Format, allowing variable-length character encoding.
Only those character sets supported by both Autonomy and ICONV can be effectively used.
Export – You can export a copy of the routing list to be stored as a backup file by clicking this link.

When the information is correctly entered, click Submit. The new route will be added.


Editing an existing routing


To edit an existing routing, begin by clicking the ID number on the Routing - Configure window. The Edit
window will appear. The Routing - Configure - Edit window shows the current configuration for the route,
and allows you to make changes. When you click Submit, your changes will appear in the “Pending” column
until you click Submit again, or until you clear them using the Clear Pending button.

The serial port


The Email Gateway serial port can be configured for either one of two possible uses:
• as the connection port for an uninterruptible power supply, or
• as the access port for command line interface access using a keyboard (and monitor) connected directly
to the Email Gateway appliance.
Figure 304 Serial Port Configuration window

To configure the serial port, you must select the desired use from the pick list, then click Submit to record
the selection.

SSH configuration
Access to the Email Gateway command line interface is controlled by the CLI Access Service. If this
subsystem is not running, administrators will be unable to log onto Email Gateway via their favorite SSH
client.
Figure 305 SSH Service - Configure window


Table 291 SSH Service - Configure fields

Service – This column identifies the CLI Access Service. Two services are configurable:
• CLI Access – allows you to use the command line to control the Email Gateway appliance.
• McAfee Support Access – gives the Support Engineers remote access to the customer's Email Gateway to enable Support to assist, help solve problems, and so forth.
The service names are hyperlinks allowing you to configure available details about each service.
Auto-Start – A red X or green check icon indicates whether or not the service is set to start automatically when the Email Gateway appliance is rebooted. If the icon is green, the service will begin running when Email Gateway restarts. In addition, if the icon is green the Email Gateway Health Monitor will restart a Service that has stopped for any reason when it performs its tests on all appliance subsystems. If an icon is red, the service will not start on reboot or when Health Monitor runs its system tests. (Note that a service can continue to run after its auto-start setting is turned off. A service cannot start running, however, until its auto-start setting is turned on.) The red and green icons are hyperlinks. Clicking the icon/hyperlink toggles the auto-start option on and off.
Running – A red or green light icon indicates whether or not the service is currently running. (Note that in some situations, the Running icon might not refresh when clicked, i.e. change from green to red, as expected. If the icon does not toggle, click the SSH Configuration hyperlink in the left navigation frame of the Web Administration interface to refresh the page, rather than clicking the Running icon a second time.)
Service Uptime – This column indicates (in days, hours, minutes, and seconds) how long a service has been running since it was last restarted.

CLI access link


Clicking the CLI Access hyperlink on the SSH Configuration window opens the CLI Access Properties
window. On this window you can set the log level for Command Line Interface.
Figure 306 CLI Access Configuration window

Table 292 CLI Access Configuration fields

Log Level – Select the appropriate log level for tracking CLI access actions.
Enable CLI Access Login Banner – Select the checkbox to enable Email Gateway to display a banner when a user logs on via the command line.
CLI Access Login Banner – Type the actual text for the banner that will be displayed.

When the information is entered correctly, click Submit.


McAfee support access


Similarly, clicking the McAfee Support Access hyperlink opens the associated properties window. On this
window you can configure the port through which McAfee Support can access the appliance.
Figure 307 McAfee Support Access Configuration window

If the appliance is to be managed by an Email Gateway Control Center, that hyperlink will appear on the
SSH Configuration window as well. Click the link to configure the access port for Control Center
management.
When the information is entered correctly, click Submit.
Note: By default, Control Center connects to Email Gateway on port 20022. If there is a need for Control Center
to communicate to the Email Gateway on a different port, contact McAfee Support for instructions or assistance
with changing this configuration. This is particularly important in environments that do not allow Support access.

System backup and restore


Email Gateway allows administrators to create a backup file containing the configuration settings for the
appliance (email policies, Mail and Queue Service settings, and so forth) in case of disk failure. The backup
should only be used to restore data to the same Email Gateway appliance.
Email Gateway includes the capability to perform both immediate and scheduled backups.

Backup now
When you navigate to the Appliance Backup & Restore window, you will see two options at the top of the
window just below the window title. Click Backup Now to create an immediate backup.
Figure 308 Appliance Backup & Restore window

Type and confirm a password to be associated with the backup file and click Submit. This password will be
required when the backup is restored. A confirmation window displays.
Click the View Log button to see the log describing the backup action.
Clicking the Configuration File hyperlink will open a window that provides information about the backup
file and allows you to save the compressed folder for future use.


When Email Gateway saves a backup configuration to disk, it uses an automatic naming scheme,
identifying the appliance’s name, version number, latest release number, and date (for example,
MEG.4.5.1.1098287820.31.zip). The backup information is encrypted, stored in a proprietary file format
that only Email Gateway can read, and cannot be viewed in Plain Text. The encryption method is one way –
even McAfee Technical Support cannot decrypt this file. The zip file extension has been supplied to the
backup file name solely for the purpose of tricking a browser into downloading the file, rather than trying to
open it.
Caution: Do not forget the password!

Scheduled backups
If you prefer to configure a regularly scheduled backup for the appliance, navigate to the Appliance Backup
& Restore window as before, and click the Schedule Backup radio button. The window will expand as
shown below.
Figure 309 Appliance Backup & Restore window

Table 293 Appliance Backup & Restore fields (scheduled backup)

Backup Password – Type the password that will be associated with the backup file. This password will be required when the backup is used to restore the appliance.
Confirm Backup Password – Confirm the associated password by entering it a second time.
Enable Schedule Backup – Select the checkbox to enable the scheduled backups you are configuring.
Type – From the drop-down list, select the method to be used in transmitting the backup file.
Hostname – Type the IP address for the server that will host the backup file.
Path – Type the complete path to the location where the backup file will be stored.
User – Type a valid username to identify the user who is creating the backup, and who can access the backup file.
Password – Type a valid password for the user identified above.
Confirm Password – Confirm the password by entering it again.
Backup Frequency – Type a number to represent the frequency (in hours) at which Email Gateway will create the scheduled backup files. The frequency must be equal to or greater than 24 hours.

When you have completed the configuration, click Submit to create the schedule.


Backup data
The table that follows shows the information included in an Email Gateway backup.

Table 294 Backup information

• Address Masquerade configuration
• Attachment Analysis policy configuration
• Alert Manager configuration
• Anomaly Detection configuration
• FTP/SCP archive server information, wherever configured
• ALL User Interface configuration not mentioned elsewhere in this table, plus secondary configuration that the user-defined configuration controls but which is not accessible from the GUI.
• Policy Manager Bypass configuration
• SMTPO bypass configuration
• Content Analysis configuration
• Cleanup Schedule configuration
• Customized Notification messages
• Email Gateway Directory Structure (internal maps of database tables)
• DNS Hijack configuration and information
• Domain priority
• Information about Email Gateway features – the top-level navigation tabs in the Web Admin interface.
• Message Stamping configuration
• Threat Response configuration
• Email Gateway version information
• Health Monitor alert list and configuration
• Group information
• Secure Delivery configuration
• IDS Updates configuration
• Security Key Management configuration
• Email Gateway mouse-over help text
• LDAP configuration
• Envelope Analysis configuration
• Name/number of Email Gateway patch version
• Policy Manager configuration
• Anti-Spam configuration
• Subsystem Service configuration (Mail Services, Queue Services, and so forth)
• Quarantine types
• Report configuration
• Routing information
• IDS signature configuration
• End User Spam Reporting configuration and information
• Web Admin User Account configuration
• Virus configuration
• WebMail Protection configuration

Email Gateway does not back up the network information (IP address, subnet, DNS, and so forth)
configured in System | Configuration | Appliance Configuration.


System restore
Use the Restore function to restore data only to the same Email Gateway appliance. Software feature
licenses – for WebMail Protection, Secure Web Delivery, Anti-Virus, and so forth – cannot be pushed to
other appliances via this restore method.
Figure 310 Appliance Backup & Restore window (restore tab)

Table 295 Appliance Backup & Restore fields (appliance restore)

File – Type the file name and its complete path, or browse to the backup file's location using the browse button.
Password – Type the password associated with the backup file when it was created.
Restore with Certificates – Select the checkbox if you want to restore the security certificates that were in use by this Email Gateway when the backup was done.
Restore All – If you wish to restore the complete configuration of the appliance from the backup file, select the checkbox.
Granular Restore – If you want to restore specific program areas rather than complete appliance configuration, leave the “Restore All” box deselected, and select one or more of the policy areas shown on the window.

When an Email Gateway configuration is backed up, that appliance’s host name, IP address/subnet, and User
Accounts are saved. Restoring that backup configuration to another Email Gateway appliance will not
overwrite the second box’s host name, IP address, and subnet. However, User Accounts will be restored,
potentially creating a security risk. If the backup file from one Email Gateway is restored onto another
Email Gateway, review and modify the User Accounts as required.
When you select granular restoration or complete restoration (Restore All), the window will refresh to
reveal the particular data requirements for that type.

Granular restore
If you elect to perform a granular restoration, type the required information and select the policy areas you
want to restore.


Figure 311 Appliance Backup & Restore window (granular restoration)

Click Submit to execute the restoration. Email Gateway reads all the configuration data and enters it into
the appliance. The Email Gateway appliance will automatically reboot when the backup is restored.
Clicking the View Log button will open a log window that provides details about the restoration.

Restore all
The Restore All option provides additional restoration options, as shown on the Appliance Restore -
Configure window. You can select Recovery Types of Disaster Recovery or Full Recovery, as needed.

Disaster recovery
If you select Disaster Recovery, the restoration will include a full configuration of all policies, and so forth,
plus all the host information as it existed at the time of the backup. This option is helpful when an appliance
has failed completely.

Full recovery
If you select Full Recovery, the restoration will include all policy areas, but will not include the host
information. The window will also expand to include Virtual Host Recovery.

Virtual Host recovery


Full Recovery includes configuration options for specifying the preferred methods for restoring Virtual Host
data. Email Gateway compares the Virtual Host names on the appliance with the backup file to see if they
match in both places. If they do match, the backup supplies information for all the Virtual Hosts. If the
names do not match, you must indicate how the conflict should be resolved. You can select from three
options:
• Current – If you choose this option, Email Gateway will retain the Virtual Hosts that are currently named
on the appliance. If the same Virtual Host exists in the backup, the backup data will be supplied. Any
information regarding Virtual Hosts not currently configured on the appliance will not be included.
• Backup – If you choose this option, the backup file will supply all the Virtual Host information it has,
including VIP names. Any Virtual Hosts that do not exist on the backup will be dropped.
• Merge – If you select this option, the backup file supplies data for the VIP names it can match, and all
information for VIPs on the backup but not currently on the appliance. Current Virtual Hosts that are not
part of the backup file will retain their current configuration.

Click Submit to execute the restoration. Email Gateway reads all the configuration data and enters it into
the appliance. The Email Gateway appliance will automatically reboot when the backup is restored.
Clicking the View Log button will open a log window that provides details about the restoration.

Restored data
The data restored by the restoration process is shown in the following table.

Table 296 Restoration information

• Address Masquerade configuration
• Attachment Analysis policy configuration
• Alert Manager configuration
• Anomaly Detection configuration
• FTP/SCP archive server information, wherever configured
• ALL User Interface configuration not mentioned elsewhere in this table, plus secondary configuration that the user-defined configuration controls but which is not accessible from the GUI.
• Policy Manager Bypass configuration
• SMTPO bypass configuration (Automatic whitelisting)
• Content Analysis configuration
• Cleanup Schedule configuration
• Customized Notification messages
• End User Quarantine Release
• DNS Hijack configuration and information
• Domain priority
• Anti-Virus configuration
• Message Stamping configuration
• Threat Response configuration
• Health Monitor alert list and configuration
• Group information
• Secure Delivery configuration
• IDS Updates configuration
• Security Key Management configuration
• LDAP configuration
• Envelope Analysis configuration
• Web Admin User Account configuration
• Policy Manager configuration
• Anti-Spam configuration
• Subsystem Service configuration (Mail Services, Queue Services, and so forth)
• Quarantine types
• Report configuration
• Routing information
• IDS signature configuration
• End User Spam Reporting configuration and information
• WebMail Protection configuration

The Check Tool


Email Gateway can test a variety of Network and Internet connections to ensure that the infrastructure
supporting the internal email system is intact and fully functioning. Specifically, it ensures that connections
to internal POP, IMAP, and SMTP servers can be opened, and that the DNS server is reporting the correct
MX and A record data. Other network connections—such as network time, alerts, SLS sync, and LDAP
servers—are also tested.
Figure 312 Check Tool - Run window

Click Run Now to run the test. The window will display a message acknowledging the job. When the job is
finished, you can click View Log File to view a detailed log of the results of the test.

34 System Updates
Contents
Available updates
Managing updates
Configuring Auto-Updates
Support scripts

Available updates
Keeping Email Gateway current requires you to find and install the latest updates for a variety of services.
The System program area provides the necessary means for maintaining Email Gateway effectiveness.
The following types of updates are available for download and installation:

Software updates
These updates are intended to provide the latest versions of Email Gateway software to allow you to stay as
current as possible.

Hotfix updates
This type of update is generally intended to fix one or more issues that have been encountered in the Email
Gateway version currently installed.

Anti-Virus updates
These updates provide the latest additions to the signature engines that are licensed on this Email Gateway
appliance.

TRU Optimize packages


These Threat Response Update packages adjust specific Email Gateway parameters based on best practices
information gained through research and experience. They update the general configuration of your Email
Gateway.

TRU Response packages


These packages contain TRU signatures, including the latest URLs, that are downloaded on an hourly basis
in order to help stop spam. They are intended to detect and combat newly-recognized threats or attacks.

Pre-configuration updates
Pre-configuration updates are normally installed after a new version of the Email Gateway software, for
example when a new appliance is installed, and are intended to add any improvements that have been
created since the previous software was installed.

Compliance updates
These updates are intended to provide optimum configuration parameters for the Compliance functions.


Mail-IPS updates
These updates provide the most current information for use in preventing intrusions into the mail system.
All these updates can be managed from the Updates window.

Managing updates
The Updates window displays information about installed software and file updates, as well as those
currently available for installation.
Figure 313 Updates window

Table 297 Updates fields

Load a Package – If the update package you need resides in a file that can be downloaded, rather than on the update server, you can type the complete path to the file or browse to it. When you click Upload, the package will appear on the update window.
Select Update Type – Select the type of update you want from the drop-down list. When you have made your selection, Email Gateway will query the server for the latest information about the update type, and the window will show both installed and available updates.
Installed Updates – This panel of the window displays information about updates that are currently installed on this Email Gateway.
Name – This column lists the name for each update, including the vendor name and any identifying information.
Priority – The value in this column represents the relative importance or urgency of each update. The priority is set by McAfee when the update is made available. The options are:
• Critical – the update is extremely important and should be installed immediately;
• Major – the update is important and should be installed at the earliest convenience; and,
• Minor – the update might be desirable, but it might be considered optional and can be installed at your discretion.
Date Released – This column contains the official release date for each update, including day, date and time of release.
Available Updates – The lower panel of the window shows information about updates that are currently available to be installed. You can control installation by using the buttons at the bottom of the window.
Name – This column lists the name for each update, including the vendor name and any identifying information.
Priority – The value in this column represents the relative importance or urgency of each update. The priority is set by McAfee when the update is made available. The options are:
• Critical – the update is extremely important and should be installed immediately;
• Major – the update is important and should be installed at the earliest convenience; and,
• Minor – the update might be desirable, but it might be considered optional and can be installed at your discretion.
Date Released – This column contains the official release date for each update, including day, date and time of release.
Select – By selecting a checkbox in this column, you identify the associated update for installation.
Delete – If you wish to delete an update without installing it, select the checkbox in its row. When you initiate installation, the update will be deleted.
Commands – Click the appropriate button to initiate Install or Express Install actions, or to View Log entries showing the latest installation information.

The figure that follows shows the window populated with Anti-Virus update information. This view illustrates
another capability as well. If you click the name of any installed or available update, the window expands to
show details about that update.

Applying the updates


The process for downloading and installing updates is identical for all types. You can carry out the
installation process using either of two commands, as you saw earlier.

Install
This button carries out a manual installation. You select the update or updates you want to install using the
Select checkbox, then click Install. The update feature will install the updates you have selected. This
method requires that you know any interdependencies among the available updates and your installed
software and that you meet any prerequisites.

Express install
If you use the Express Install button, you do not have to make selections of updates. Email Gateway will
check all updates and the current installation for any interdependencies or requirements and try to resolve
them. It will then install all the available updates that can be safely installed. You do not necessarily have to
know about all interdependencies. If there are conflicts or dependencies that cannot be resolved, some
updates will remain available.

McAfee Email Gateway 6.7.2 Administration Guide 523


System Updates
Configuring Auto-Updates

Viewing logs
Clicking the View Log File button opens a new browser window showing the status of the update process. A
sample update log is shown below.
Figure 314 Updates log

Configuring Auto-Updates
Caution: If this Email Gateway appliance is to be managed via an Email Gateway Control Center, please
coordinate with the Control Center Administrator about setting Automatic Updates!

If the Control Center is supposed to pull updates from the McAfee Update Server and then provide them to
managed Email Gateways, Auto-Updates should be set on the Control Center’s Central Management tab
and should be disabled on the Email Gateway appliance itself. If you desire to have the Email Gateway
appliance pull its own updates from the server, enable that functionality on the Email Gateway appliance
and do NOT enable it on the Control Center.
The Configure Auto Updates sub-menu displays the licensed Subscription Services installed on the
appliance. Each Service can be configured to query McAfee’s update server for newly available files. Email
Gateway will automatically download and install any files that become available.
Figure 315 Configure Auto Updates window


Table 298 Configure Auto Updates fields


Field Description
Service  The list of updatable services displays in this column.
Automatically Update  For each service you want to configure for automatic updates, select the checkbox in this column.
Interval (minutes)  For each updated service, specify the interval in minutes at which you want to query the update server for new updates. The default is 30 minutes.

When the services are configured appropriately, click Submit to record the configuration.

Support scripts
Use this window to administer any special scripts provided by Technical Support. These scripts can gather
troubleshooting information about the appliance. The scripts are usually provided in an encrypted and
archived format as front-loadable compressed files, and are installed by the customer.
Figure 316 Support Scripts window

Table 299 Support Scripts fields


Field Description
Installed Scripts  The upper section of the window lists all runnable support scripts that have been installed on this Email Gateway appliance.
Name  This column displays the user-friendly name for each support script.
Date Installed  This column shows the date the script was installed.
Expiry Date  This column displays the date each support script will expire.
Note: Expired scripts are not automatically removed. Use the Delete command to remove them.
#Run  The remaining number of times you can run the script.
Note: Support delivers each script with a specified number of possible runs. Each time you run the script, the number decrements by 1.
Execute  Select this checkbox to select the script for execution.
Note: More than one script can be run at the same time.
Delete  Select this check box to select the script for deletion.
Note: If you delete a script, all corresponding output results are deleted as well.
Progress  This column shows the script's current running status (IDLE, RUNNING).
Script Run Results  The lower section of the window lists the outputs of scripts that have been run. The results can be downloaded.
Name  This column displays the user-friendly name for each support script.
Run Date  This column shows the date the script was run.
Download  Click the hyperlink to store this specific result to your own directory.
Delete  Select this check box to select the script result for deletion.
Commands  The window includes the following commands.
Load a Package  Locate a stored support script and upload it. Upload is active by default.
Submit  Click this button to complete the sequence of operations you have selected. Submit is active by default.
Check Status  Click this button to update the progress (status) of scripts you are currently executing. Check Status is active by default.
Note: Once you execute a script, you must use this button to check progress. The status does not automatically update.
Abort  Click this button to halt a running script. Abort is enabled only when scripts are in progress.
Note: The Abort command stops all running scripts, even if they were started in separate batches.
Reset  Click this button to clear all check boxes for Execute and/or Delete. Reset is active by default.
View Log  Click this button to start tailing the script execution log. View Log is active by default.

To install and run a support script, do the following:


1 Receive a script as a zip (compressed) file from Technical Support, and store it locally.

2 Log onto Email Gateway and navigate to System | Support Scripts. The Support Scripts window appears.

3 Click Browse.

4 Navigate to the location where you stored the script and select it. The navigation path appears in the Load
a Package field.

5 Click Upload. The support script is extracted and appears in the upper section of the window.

6 Select the Execute check box next to the script you want to run, then click Submit. The script runs, and
the results appear in the lower section of the window.
Note: If you have a problem uploading or running the script, contact Technical Support.



35 General System Functions
Contents
UPS statistics
Powering down and restarting
Setting the date and time
License Manager
Resetting keys
Control Center communication
FIPS Compliance configuration

UPS statistics
If Email Gateway is connected to a supported Uninterruptible Power Supply (UPS), it will display useful
information about the status of the UPS. If Email Gateway is not connected to a supported UPS, this page
will say that a UPS is not present.
Figure 317 UPS Statistics - window

Powering down and restarting


On occasion, it might be necessary to shut down the Email Gateway appliance or some portion of its
processes. The Power Down/Restart screen allows you to do this gracefully with minimal risk of damage to
files.
Figure 318 Power Down/Restart Service - Configure window


As is indicated on the screen, you have the option of gracefully shutting down only as much as necessary.
The options on the screen define those features and functions that will be impacted by the restart process.
After Email Gateway is running, never press the reset switch on the front of the appliance until Email
Gateway has been gracefully shut down from within either the graphical Web Administration or Command
Line interface. Pressing the reset switch while Email Gateway is currently running forces Email Gateway to
“hard boot” - a process that will corrupt its internal databases, and render it inoperable. Damage to Email
Gateway’s database will require McAfee’s Technical Support engineers to manually repair and rebuild the
corrupted files.
During the restarting process, a reminder message will display.
Figure 319 Example restart warning message

Setting the date and time


The displayed date and time reflects Email Gateway’s internal date and time at the moment this page is
opened or the Refresh Time button is clicked. If NTP time servers are entered during appliance
configuration, Email Gateway “syncs” itself with one of the servers once every minute.


Figure 320 Date/Time - Set window

Manually adjust the time or date by specifying date and time values from the pick lists. After manually
selecting new values, click Save to update Email Gateway.
If a time or date is entered further ahead than the administrative inactivity time-out interval, Email
Gateway will log out all administrators currently logged onto the graphical user interface. Simply log back in
and continue the administrative session as usual. If the time is reset backward, administrators will be
prompted to reboot the appliance in order for the setting to take effect.
Caution: Use extreme caution whenever you manually change the internal Email Gateway time and date more
than one minute from what the NTP time server is reporting. (If NTP server information was provided in Email
Gateway’s Configuration window, Email Gateway automatically synchronizes with the server once every minute.)
Within the next minute after the time is manually changed, the automatic time server synchronization will reset
Email Gateway’s clock again.

Manually changing the internal clock more than one minute ahead or back will also affect Email
Gateway’s queues (for example, Outbound Queue, Content Analysis Queue, and so forth) and mail
services (such as SMTPI Service, SMTPO Service, and so forth). These processes all run on a cycle time —
on average, several times a minute. After processing messages and before going to sleep, they calculate
the time stamp for when they will next wake up to process new messages. If the internal clock is moved
forward one whole day, for example, the queues and services will instruct Email Gateway that their next
wake up time is going to be tomorrow plus nnn seconds (where nnn = the real cycle time). However, one
minute later, the time servers will re-sync Email Gateway’s clock back to today without resetting Email
Gateway’s queues’ and mail services’ wake up time. The queues and services will wait until tomorrow to
wake up and begin processing messages again. Therefore, if the clock is ever manually changed by more
than one minute, always stop and restart each of the queues and services to reset their wake up times.
Force Email Gateway to immediately synchronize with an Internet Time (NTP) Server by selecting Sync
with NTP Server. The name of a valid time server must have been entered in the System | Configuration |
Email Gateway page to do this.
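To see why a manually moved clock strands the queues, here is a small simulation added to this guide (it is not Email Gateway code, and the queue, clock values and cycle length are constructed): it models a queue that records its next wake-up as an absolute wall-clock timestamp, applies the one-day step and the NTP re-sync described above, and then shows that a restart (the remedy given above) or a monotonic clock recovers it.

```python
"""Why a manual clock change strands a queue that schedules by wall-clock time.

Added illustration, not Email Gateway code. The queue below, like the queues
described in the guide, records its next wake-up as now + cycle in wall-clock
time. Stepping the clock a day ahead and letting "NTP" step it back a minute
later leaves the queue asleep until tomorrow.
"""
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class FakeClock:
    """A steppable wall clock and a monotonic clock that only elapses."""
    wall: float
    mono: float = 0.0

    def elapse(self, seconds: float) -> None:
        """Real time passes: both clocks advance."""
        self.wall += seconds
        self.mono += seconds

    def step(self, seconds: float) -> None:
        """Someone sets the date/time (admin or NTP): only the wall clock jumps."""
        self.wall += seconds


class Queue:
    """Sleeps for `cycle` seconds between processing passes.

    use_monotonic=False reproduces the behaviour in the guide: the next
    wake-up is stored as an absolute wall-clock timestamp.
    """

    def __init__(self, clock: FakeClock, cycle: int, use_monotonic: bool = False):
        self.clock = clock
        self.cycle = cycle
        self.use_monotonic = use_monotonic
        self.runs = 0
        self.restart()

    def _now(self) -> float:
        return self.clock.mono if self.use_monotonic else self.clock.wall

    def restart(self) -> None:
        """Stop/start recomputes the wake-up time, as the guide advises after a clock change."""
        self.next_wake = self._now() + self.cycle

    def tick(self) -> bool:
        """Called every simulated second; processes once the wake-up time has arrived."""
        if self._now() >= self.next_wake:
            self.runs += 1
            # "tomorrow plus nnn seconds" if the clock was just moved a day ahead
            self.next_wake = self._now() + self.cycle
            return True
        return False


def runs_after_clock_skew(use_monotonic: bool = False, restart_after_resync: bool = False,
                          cycle: int = 20, observe: int = 600) -> int:
    """Count processing passes in the `observe` seconds after the NTP re-sync.

    Scenario from the guide: the admin moves the clock one day ahead, the
    queue computes its next wake-up from that time, and one minute later the
    NTP sync moves the clock back to today.
    """
    clock = FakeClock(wall=1_700_000_000.0)  # constructed start time
    q = Queue(clock, cycle, use_monotonic)
    for _ in range(cycle):              # one normal cycle to get going
        clock.elapse(1)
        q.tick()
    clock.step(DAY)                     # admin sets the date one day ahead
    q.tick()                            # queue wakes and schedules "tomorrow + cycle"
    for _ in range(60):                 # a minute passes ...
        clock.elapse(1)
        q.tick()
    clock.step(-DAY)                    # ... then NTP re-syncs the clock back to today
    if restart_after_resync:
        q.restart()
    before = q.runs
    for _ in range(observe):
        clock.elapse(1)
        q.tick()
    return q.runs - before


if __name__ == "__main__":
    print("wall-clock queue, no restart:", runs_after_clock_skew())        # 0
    print("wall-clock queue, restarted :", runs_after_clock_skew(restart_after_resync=True))
    print("monotonic queue             :", runs_after_clock_skew(use_monotonic=True))
```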

Setting the Time Zone


The lower portion of the Date/Time - Set screen is a listing of all the world’s time zones. Select the correct
one for this Email Gateway by highlighting the name of the appropriate city that is located within the same
time zone as the appliance. Record that setting by clicking Save. The screen also provides information
about the time zones to ensure you choose properly. The currently configured time zone is shown by
Region and Area in the lower left corner of the screen.


Email Gateway writes a timestamp in its database noting when each message enters the Outbound Queue
for delivery. Email Gateway uses this timestamp as a reference for when it can “pick up” messages for
delivery. Therefore, if the clock is set backward and there are currently messages in the outbound queue,
those messages’ delivery will be delayed until Email Gateway’s internal clock “catches up” to the
time-stamp originally entered in the database.

Daylight Savings Time


Email Gateway automatically adjusts for Daylight Savings Time (DST) at 2 A.M. on the first Sunday of April
and reverts to Standard Time at 2 A.M. on the last Sunday of October.

License Manager
The License Manager table shows all Product Licenses that have been installed on Email Gateway. Some of
the Licenses correspond to the tabbed program areas in the Email Gateway interface (for example,
Mail-Firewall, Mail-VPN, and so forth), while others refer to subscription services (for example, Anti-Virus,
Threat Response Updates, and so forth).
Figure 321 License Manager - Update window

Table 300 License Manager - Update fields


Field Description
Keys icon  Click the Retrieve Install Key button to acquire any license you have requested. The license will be installed on your appliance.
Features  The licensable features installed on your Email Gateway are listed in this column.
Sub-Features  Each feature will have one or more subfeatures listed in this column. Some subfeatures are licensed separately.
Expire Date  The expiration date for each license is listed next to the associated subfeature. If license expiration does not apply, the column will show N/A.

Administrators can add licenses or extend the expiration date for product features or services at any time.
(Licenses accumulate—that is, concatenate—on the appliance.)
If a Secure Delivery license is installed after Email Gateway's initial installation, you must log out and log
back in to Email Gateway's Web Administration in order for the Secure Delivery program tab to display in
the top navigation bar of the Web Admin interface. Also, when an anti-virus license expires, it disappears
from the Web Administration interface and its functionality ceases at midnight before the date of
expiration. Anti-virus license renewals should be installed prior to license expiration. If a renewal license is
installed after license expiration, administrators will have to manually re-configure anti-virus settings and
place the Virus Scan Queue back into the Queue Order.
In enterprise environments where Email Gateway Control Centers are managing multiple Email Gateway
slaves, the Control Center is responsible for acquiring and renewing all licenses. The Control Center will
automatically push product feature or service licenses to its Email Gateways.
While administrators were prompted to install a License Key when first running the Email Gateway Initial
Configuration Wizard, they can install additional Licenses within this License Manager window. Paste the
key that McAfee Technical Support issued into the License Number input field and click Submit. The program
area that the key enables is available immediately after logging out of the Web Administration interface and
logging back in.

Resetting keys
You can regenerate and install SSH keys for your Email Gateway appliance using the Reset Keys window.
This action creates new SSH public and private keys and installs them on both the appliance and the Update
Server.
Follow these steps to reset the keys on the Email Gateway appliance:
1 Navigate to System | Reset Keys. The Reset Keys - Configure window appears.

Figure 322 Reset Keys - Configure window

2 The system checks network connectivity, and displays a confirmation message.

3 Click Reset Keys. The action creates and installs the new SSH keys.

Note: This action will overwrite all default keys.

For Control Centers that have had keys reset, a new Control Center key must be generated and stored on
the Email Gateways, and the Email Gateways must be re-attached to the Control Center.
If your appliance has no access to McAfee’s Update Server via port 20022, the Reset Keys window provides
a button that allows you to download an encrypted keys file. With your logon ID and password, use the
Product Activation form from Support (https://supportcenter.securecomputing.com/home.php) to
generate/download keys. The form requires your hardware serial number, software serial number, and
hardware identifier. Click Contact Us in the upper right corner of the WebAdmin user interface to obtain
this information.


Control Center communication


The Centralized Management option allows administrators to configure an Email Gateway appliance as a
slave to another Email Gateway configured as an Email Gateway Control Center master. In enterprise
environments with multiple Email Gateways protecting multiple domains and mail servers, centralized
management allows an administrator to easily manage policies, push software and anti-virus file updates,
as well as pull logs, reports, and alert messages.
Contact McAfee Sales to learn if Centralized Management Console architecture can aid in a particular
enterprise email environment.

Storing Control Center keys


If an Email Gateway appliance is to be managed by a Control Center, it must have the Control Center’s public
key installed.
Figure 323 Control Center Key - Store window

The Store Control Center Key page contains a Browse button. Use it to navigate to the file containing the
Control Center public key which the Administrator exported and saved to disk. The master/slave
connections can only be mediated through this public key. The key provides for encrypted sessions between
the Control Center and its slaves—a master and slave cannot communicate without it.
After navigating to and selecting the Control Center’s public key file, click Store Control Center Key to
install the Control Center’s public key.
The Reset button clears the Browse navigation input field if Store Control Center Key has not yet been
clicked.

Control Center attributes


If a Control Center appliance is managing this Email Gateway appliance, the Control Center Attributes
screen provides information about the Control Center server and allows you to configure portions of the
connection.
Figure 324 Control Center Server - Attributes window


Table 301 Control Center Server - Attributes fields


Field Description
Control Center Serial Number  The number in this field identifies the specific Control Center appliance that manages this Email Gateway.
Send Alerts to Control Center  Selecting this checkbox directs all alerts for this Email Gateway appliance to the Control Center managing it. If the box is deselected, the alerts will come to the Email Gateway itself.
Send Logs to Control Center  Selecting this checkbox directs all logs for this Email Gateway appliance to the Control Center managing it. If the box is deselected, the logs will come to the Email Gateway itself.
Send Reports to Control Center  Selecting this checkbox directs all reports for this Email Gateway appliance to the Control Center managing it. If the box is deselected, the reports will come to the Email Gateway itself.

If an Email Gateway appliance is not managed by an Email Gateway Control Center, the Server - Attributes
window displays a message conveying that fact.

Control Center SSH configuration


Use this window to stop and start Control Center’s SSH connection to the managed Email Gateway
appliances. The window shows the current status of this service and current information about it (see
Figure 325).
Figure 325 SSH Configuration window

Table 302 SSH Configuration fields


Field Description
Service  This field shows the name of the service. Click the service name link to configure the access port Control Center uses to connect to Email Gateway appliances.
Auto-Start  This field indicates whether or not the service is configured for automatic starting by Health Monitor. A red X indicates the service is not so configured. A green check mark shows it is set to restart. Clicking the current indicator toggles the service on or off.
Running  This field indicates the current status of the service – running or not running.
Service Uptime  This field shows how long (in days, hours, minutes and seconds) the service has been running since the last time it restarted.

To configure the access port, do the following:


1 Click the service name link in the SSH Configuration window. The Control Center Access Configuration
window appears.

2 Accept the default port for Control Center access, or enter the port number you want to use.

Note: The default port for Control Center access is 20022.

Caution: If your Email Gateway is part of an environment that does not enable Support access (see McAfee
support access in Chapter 35, General System Functions), you must ensure that both Control Center and Email
Gateway use the same port number.

3 Click Submit to save the configuration.


Figure 326 Control Center Access Configuration window

Email Gateway uses the TCP port you configure here for connectivity to the Control Center.

FIPS Compliance configuration


The Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are United
States Government standards that provide a benchmark for implementing cryptographic software. They
specify best practices for implementing crypto algorithms, handling key material and data buffers, and
working with the operating system. Compliance with the standard is required for some enterprises that
engage in business with the U.S. government and other regulated industries, such as financial and
health-care institutions. Federal agencies and departments can validate the appropriate cryptographic
ciphers are in use.
McAfee Email Gateway provides the capability for FIPS 140-2 compliance. If you enable FIPS Compliance
Verification, Email Gateway will allow only those encryption ciphers that are capable of meeting the
compliance standard. If you do not enable it, Email Gateway will accept encryption ciphers that are not
FIPS compliant.
Figure 327 FIPS Compliance - Configure window

To enable FIPS Compliance Verification, do the following:


1 On the System tab, click FIPS Compliance (System | FIPS Compliance). The FIPS Compliance -
Configure window appears.

2 Select the Enable FIPS Compliance Verification check box on the FIPS Compliance - Configure window.

3 Click Submit to complete your configuration.



SECTION 11

The Command Line

Chapter 36, Using the Command Line


36 Using the Command Line
Contents
The command line
The commands

The command line


Email Gateway allows you to access much of the functionality available through the Graphical User
Interface (GUI) from the command line. You can access the command line through either of two methods:
• Via the Console, which is a keyboard connected directly to the Email Gateway appliance, or

• From a workstation, using a Secure Shell (SSH).

Role management for the command line is accomplished at log-in. The user name and password you enter
will be used to verify access rights and permissions.

Accessing the CLI from the console


If a keyboard and a monitor are connected to the Email Gateway appliance and the Email Gateway is
currently running, the monitor shows a log-on prompt. The keyboard must be attached to the Email
Gateway appliance before the appliance is powered on. After you enter a valid user name and password,
the command functions can be accessed by typing simple commands.
The user name and password should generally be the same as those used for GUI access. It is important to
remember that, unlike using GUI functions, you will NOT be logged off after a pre-configured period of
time; the log-in remains active until you log out. For security reasons, one should not walk away from the
console without first logging out by typing exit at the command prompt.

Accessing the CLI from a secure shell


You can also access the command line from a workstation that uses a Secure Shell application (via port 22).
You log on by entering a valid GUI user name and password.
If the appliance is a model that contains two or more Network Interface Cards (NICs), and if Out-of-Band
Management is enabled, the hostname of the Out-of-Band NIC will be required to allow connection to the
CLI.
SSH clients vary widely, and keyboard mapping is different from client to client. Depending upon which
client you are using, you might be required to re-map the backspace key.
Once logged in, you are able to type commands as necessary.

The commands
Commands consist of a command word followed by one or more parameters. Separate the command word
and the parameters from each other with a single space. Press Enter after the last parameter to execute
the command. The information that appears in the CLI complies with any restrictions or parameters that
have been configured in the GUI. Any restrictions or permissions applicable in the GUI also apply to the CLI.
Furthermore, the amount of information in the detailed logs viewed in the GUI is controlled by the logging
level set in the Email Gateway GUI.


McAfee does not provide customers root access to the appliance; therefore, the CLI has limited shell
capabilities. Many of the commands found in a UNIX environment are not available. Only the following
commands can be executed:
help clear edit reset run set show capture connect system tail test

HELP command
On-screen help can be accessed by typing help. If you type help at the Email Gateway command prompt,
the screen displays the top-level commands that can be used (along with any associated help text). Typing
help before any allowed command word or command string (command word plus parameters) displays
help for that subset.
[Email Gateway]: help
Command Summary
The words appearing on the line below are the top level commands. Type an individual word
to see the parameters for that command. Type 'help <word>' to see help for that command.
help edit wizard connect capture reset run set show system tail test
Commands are composed of a command word followed by one or more parameters. Separate the
command word and parameters from each other with a single space. Press Enter after the
last parameter.
On-screen help is available by typing help. Typing help before any command word displays
help for that command. For some commands, typing help before the command word and
parameters can provide more information.
[Email Gateway]:

EDIT command
The edit command is used to modify specific configuration settings for the parameters interface, route
and support. It impacts the way Email Gateway appears to and works with clients.
The edit command is used to manage (add/delete/modify):
• Network interface

• Routing table

• IP host names & addresses

In addition to these functions, this command can also be used to enable or disable the support access
feature.
Examples showing the syntax for the edit command are shown in the simulated screen shot below.
Command Summary:
edit interface add
               modify
               delete
               clearpending
     host      add
               modify
               delete
     route     setdefault
               add
               modify
               delete
               clearpending
     support   enable
               disable
Example:
[Email Gateway]: edit interface
<PRIMARY> IP Address [10.50.1.234]
<PRIMARY> Netmask [255.255.255.0]
<PRIMARY> Select media type from the list, or press ENTER to use default:
0. Default
1. autoselect
2. 10baseT/UTP
3. 10baseT/UTP (full-duplex)
4. 100baseTX
5. 100baseTX (full-duplex)
6. 1000baseTX
7. 1000baseTX (full-duplex)
Media Type (0-7) [0]:
Warning! The setting will affect the way [Email Gateway] works with clients. Are you sure
(Y/N) n
Change has been discarded.

Connect command
The connect command used to connect to a remote host using SSL/TLS. It is a very useful diagnostics tool
for SSL servers. If a connection is established with an SSL server, any data received from the server is
displayed. As this command is used to verify the connectivity over different protocol suites, the session will
end after the connection status is displayed to user
Command Summary:
connect secure <ipaddress> <port>
[Secure Mail]: connect secure google.com 443
Which secure protocol you wish to verify?
Press, [1] if HTTPS/STARTTLS
[2] if SMIME/SLAD
: 1
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
verify return:1
[Secure Mail]:


Capture command
The capture command dumps the headers of packets on a network interface for later viewing.
This command interactively takes the following user inputs:
• <interface> - A network interface on which the packets need to be captured.
• <options> - Any of the following tcpdump options:
  • -i <interface> Listen on network interface.
  • -X When printing hex, print ASCII too. This is very handy for analyzing new protocols.
  • -s <snaplen> Snarf snaplen bytes of data from each packet rather than the default of 68. You should limit snaplen to the smallest number that will capture the protocol information you are interested in. Setting snaplen to 0 means use the required length to catch whole packets.
  • -n Don't convert addresses such as host addresses, port numbers etc. to names.
• <expression> - A boolean expression that selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which the expression is “true” will be dumped. Refer to the Network monitoring specification for 'expression' on the tcpdump command for more details on writing an expression.
  The expression should begin with a logical operator such as and/or/not, because an inbuilt expression that describes the constraints on the packets that can be captured is prepended to it. The internal expression format is:
  host <IP ADDR> and not host localhost <User's Expression>
• <output file> - Write the raw packets to the file rather than parsing and printing them out. Standard output is used if the file is ‘-’.

After collecting all the required inputs from user, this command dumps the headers of packets on a network
interface that match the <expression>.
Command Summary:
capture network traffic
[Secure Mail]: capture network traffic
Select an IP entry from the following:
ID IP Address Type Netmask
-- ---------- ---- -------
1 10.14.3.9 PRIMARY 255.255.128.0

Please select an ID to modify: 1


Enter options:
Enter expression:
Enter output file [Default: netcap-1241463048.cap]:
Enter Time Limit [Default: 15 Seconds]:
Enter Size Limit [Default: 5 MB]:
[Secure Mail]:
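The following helper (added to this guide; it is not Email Gateway code) reproduces the expression rule above: it prepends the inbuilt host <IP ADDR> and not host localhost filter, rejects a user expression that does not start with and/or/not, and assembles a tcpdump argument list from the options listed above. The interface name eth0 is a constructed value; the IP entry and output file name are those shown in the session above.

```python
"""Assemble the capture filter and tcpdump argument list the way the guide describes.

Added example, not Email Gateway code. The appliance prepends
`host <IP ADDR> and not host localhost` to whatever the user types, so the
user's expression must start with and/or/not. Only the options the guide
lists (-i, -X, -s, -n) are accepted; anything else is rejected.
"""
import ipaddress
import shlex
from typing import List

LOGICAL_OPERATORS = ("and", "or", "not")


def base_filter(ip: str) -> str:
    """The inbuilt expression: only traffic of the selected IP entry, never loopback."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError for anything that is not an IP literal
    return f"host {ip} and not host localhost"


def combine_expression(ip: str, user_expression: str = "") -> str:
    """Prepend the inbuilt expression; the user's part must begin with a logical operator."""
    expr = " ".join(user_expression.split())  # normalise whitespace
    if not expr:
        return base_filter(ip)
    first = expr.split(" ", 1)[0].lower()
    if first not in LOGICAL_OPERATORS:
        raise ValueError(
            f"expression must begin with one of {LOGICAL_OPERATORS} because it is "
            f"appended to '{base_filter(ip)}'; got {expr!r}"
        )
    return f"{base_filter(ip)} {expr}"


def is_valid_expression(ip: str, user_expression: str) -> bool:
    """True if combine_expression() would accept the user's expression."""
    try:
        combine_expression(ip, user_expression)
        return True
    except ValueError:
        return False


def capture_argv(interface: str, ip: str, options: str = "",
                 user_expression: str = "", output_file: str = "-") -> List[str]:
    """Build the tcpdump command line for the capture command's interactive inputs."""
    argv = ["tcpdump", "-i", interface]
    tokens = shlex.split(options)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-X", "-n"):           # flags without an argument
            argv.append(tok)
            i += 1
        elif tok in ("-s", "-i"):         # options that take an argument
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires an argument")
            value = tokens[i + 1]
            if tok == "-s" and not value.isdigit():
                raise ValueError("-s requires a numeric snaplen (0 = whole packets)")
            if tok == "-i":
                argv[2] = value           # override the interface of the selected IP entry
            else:
                argv += ["-s", value]
            i += 2
        else:                             # e.g. -w elsewhere or -r: not offered by the command
            raise ValueError(f"option {tok!r} is not permitted by the capture command")
    # -w: write raw packets to the file ('-' is standard output), then the combined filter
    argv += ["-w", output_file, combine_expression(ip, user_expression)]
    return argv


if __name__ == "__main__":
    # Constructed sample: interface eth0, the IP entry and file name from the guide's session.
    print(shlex.join(capture_argv("eth0", "10.14.3.9", "-n -s 0", "and tcp port 25",
                                  "netcap-1241463048.cap")))
```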


RUN command
The run command allows you to execute specific commands at will. The two commands permitted are run
clean (to clean expired or deleted messages in a quarantine queue, to clean expired messages in other
queues) and run reports for a specified date. These commands can be configured within the GUI to
execute on a daily basis without intervention, but the run command allows on-command execution.
Because it executes a complex SQL query of the MEG database, the run command, whether for cleaning or
reporting functions, will have a significant impact on overall performance. Therefore, this command should
always be scheduled to run at a non-peak utilization period.
The simulated screen below shows the parameters and syntax for the run clean command string. The run
clean quarantine command will clear or delete messages in the quarantine queue that have reached the
time limit specified when the queues are configured. The run clean message command will clear or clean
messages in other queues that have met the configured time limit.
Command Summary:
run clean   message
            quarantine
    reports <MM/DD/YYYY>

[Email Gateway]: run clean quarantine


Forcing immediate clean-up will highly impact the performance of the appliance. Are you
sure? (Y/N) n
Discarded the changes.
[Email Gateway]:

[Email Gateway]: run clean message


Forcing immediate clean-up will highly impact the performance of the appliance. Are you
sure? (Y/N)
Discarded the changes.
[Email Gateway]:
The parameters and syntax for the run reports command are shown below. The run reports command
creates all reports enabled on the Reports Configuration screen, with the exception of the Policy
Configuration Report and the Vulnerability Assessment report, both of which are run only at the
administrator's discretion.
[Email Gateway]:
[Email Gateway]: run reports
*** Invalid command: Usage - run reports <MM/DD/YYYY> ***
[Email Gateway]:
[Email Gateway]: run reports 10/12/2009
Generating reports will highly impact the performance of the appliance. Are you sure?
(Y/N) n
No report job submitted.
[Email Gateway]:


SET command
The set command is used to start, stop, enable and disable Email Gateway services, to configure the serial
port, and to unlock user accounts that have been locked after excessive failed login attempts. The set
command accepts three parameters: serial, service, and user unlock. Once you enter the command and a
first parameter, the screen displays the list of sub-parameters.
Command Summary:
set node usage
set serial cli
set serial ups
set service enable <SERVICE>
set service disable <SERVICE>
set service start <SERVICE>
set service stop <SERVICE>
set user unlock <USERNAME>
set user attribute
<SERVICE> = Email Gateway service: smtpproxy, smtpsproxy, smtpo, pop3proxy, pop3sproxy, imap4proxy,
imap4sproxy, etc.
<USERNAME> = Email Gateway user account
The set serial command configures the Email Gateway serial port for one of two uses: direct
connection of a keyboard (console) to the appliance, using the cli sub-parameter, or
connection of an uninterruptible power supply, using the ups sub-parameter.
[Email Gateway]:
[Email Gateway]: set serial
*** Invalid command: Usage - set serial [cli|ups] ***

[Email Gateway]: set serial ups


The serial port is already set.

[Email Gateway]: set serial cli


Warning! The change may take up to 5 minutes...
Serial port has changed.

[Email Gateway]: set serial ups


Warning! The change may take up to 5 minutes...
Serial port has changed.
[Email Gateway]:
The set service command is used to enable, disable, start or stop an Email Gateway service.
Caution: A disabled service cannot be started.

A service can also be disabled in the GUI by deselecting the Autostart option for that service.
[Email Gateway]:
[Email Gateway]: set service


*** Invalid command: Usage - set service [enable|disable|start|stop] ***


[Email Gateway]: set service enable
*** Invalid command: Usage - set service enable <SERVICE> ***
[Email Gateway]: set service disable
*** Invalid command: Usage - set service disable <SERVICE> ***
[Email Gateway]: set service start
*** Invalid command: Usage - server service start <SERVICE> ***
[Email Gateway]: set service stop
*** Invalid command: Usage - server service stop <SERVICE> ***
The set user unlock <USERNAME> command is used by the administrator to unlock a user account that has
been locked, for example because failed login attempts exceeded the maximum allowed. A valid
username is required.
[Email Gateway]: set user
*** Invalid command: Usage - set user [unlock] ***
[Email Gateway]: set user unlock
*** Invalid command: Usage - set user unlock <USER ID> ***
[Email Gateway]:

SHOW command
The SHOW command displays:
1. logs from secure mail services
2. events from secure queues
3. network information such as:
a) connections
b) interface
c) routes
d) addresses
e) statistics
f) errors & collisions
g) previous packet captures
4. system message buffer of the kernel
Command Summary:
show log <SERVICE>
show events
show mailroute
show network connections
show network interface
show network route
show network statistics
show network errors
show network buffer
show network capture
show network addresses
show queue
show services
show stats
show hosts
show system disk
show system info
show system process
show system support
show system messages

Type 'help show <command>' to get more information on each of these commands.
Example:
[Email Gateway]: help show log
The 'show log' command is used to view today's, or previous days' logs. To see the list
of services whose logs are available, type 'show log'.
To view today's logs for an individual service, type 'show log <SERVICE>' (where
<SERVICE> is one of the services displayed by the 'show log' command). Appending a '?'
after <SERVICE> displays the dates for previous days' logs. Appending the date after
<SERVICE> displays the log for that day.
Examples:
show log smtpproxy = Show today's smtpproxy log
show log smtpproxy? = Show dates for previous days' logs available
show log smtpproxy 20040101 = Show the smtpproxy log from 1/1/2004
[Email Gateway]:
[Email Gateway]: show log
show log [ade|admin|alert|backuprestore|checktool|cleanup|ct_admin|ct_audit|ct_euser|ct_swm|eusrquarantine|imap4proxy|ironwebmail|ldapsync|policyconfiguration|pop3proxy|reports|sched|schedarchive|schedbackup|schedbayes|schedftp|schednightly|schedrrd|schedupdate|smtpo|smtpproxy|sshd_cli|statscollector|summary|superq|swmq|trainer|update|VulnerabilityAssessment|watch] <Date, ? for list, Enter for today>
The show mailroute command displays information about the configured routing for various email
protocols.
[Email Gateway]: show mailroute
*** Invalid command: Usage - show mailroute <IMAP4|POP3|SMTP> ***
[Email Gateway]: show mailroute IMAP4
Protocol Routing Domain Routing Host
-------- -------------- ------------
IMAP4 DEFAULT mail.x3.ctqa.net
IMAP4 x3.ctqa.net mail.x3.ctqa.net
[Email Gateway]:
The show network command shows details about network configuration.


[Email Gateway]: help show network


The 'show network' command is used to view network related information.
show network connections
interface
route
statistics
errors
buffer
capture
addresses

[Email Gateway]: show network connections


Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 localhost.22502 localhost.1212 ESTABLISHED
tcp4 0 0 localhost.1212 localhost.22502 ESTABLISHED
tcp4 0 0 localhost.3306 localhost.3218 ESTABLISHED
tcp4 0 0 localhost.3218 localhost.3306 ESTABLISHED
tcp4 0 0 localhost.3659 localhost.30340 TIME_WAIT
tcp4 0 0 im.1174 upd.ctqa.net.20022 TIME_WAIT
tcp4 0 0 localhost.22502 localhost.4192 TIME_WAIT
tcp4 0 0 localhost.2769 localhost.3306 TIME_WAIT
tcp4 0 0 localhost.22502 localhost.2688 TIME_WAIT
tcp4 0 0 localhost.2973 localhost.3306 TIME_WAIT
tcp4 74 0 im.4447 im.10443 CLOSE_WAIT
tcp4 0 0 localhost.8009 localhost.3337 ESTABLISHED
tcp4 0 0 localhost.3337 localhost.8009 ESTABLISHED
tcp4 0 0 localhost.8009 *.* LISTEN
tcp4 0 0 im.https *.* LISTEN
tcp4 0 0 im.10443 *.* LISTEN

[Email Gateway]:
[Email Gateway]: show network interface
<PRIMARY> interface
Attribute Current Pending
========= ======= =======
IP Address 10.50.1.234 None
Netmasks 255.255.255.0 None
Media Type None None
Status active None
<OOB> interface DISABLED
Attribute Current Pending
========= ======= =======
IP Address None None
Netmasks None None
Media Type None None
Status no carrier None
[Email Gateway]:
[Email Gateway]: show network route
No static route record.
[Email Gateway]:
The show network statistics command displays the system-wide statistics for the TCP protocol, including
the total number of packets sent, the number of data packets, the number of retransmitted packets, the number of
unnecessarily retransmitted packets, and resends. The packet and data retransmission rates are also displayed as
percentages.
[Secure Mail]: show network statistics
tcp:
273466 packets sent
193448 data packets (24133715 bytes)
11 data packets (1376 bytes) retransmitted
5 data packets unnecessarily retransmitted
0 resends initiated by MTU discovery
79576 ack-only packets (0 delayed)

Packet retransmission rate: 0%

Data retransmission rate: 0%


[Secure Mail]:
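To turn the figures above into a check that can run from a scheduled script, here is an added example (my own code, not code from the McAfee guide or the product) that parses the tcp block and recomputes the two rates. The guide prints only the rounded results and does not state the formulas, so the definitions used below (retransmitted data packets over all packets sent, retransmitted bytes over data bytes) and the 5% alert threshold are assumptions.

```python
"""Added example (not part of the McAfee guide): parse the 'show network
statistics' TCP block and recompute the retransmission rates the appliance
prints. The rate formulas and the alert threshold are assumptions."""
import re

# Constructed sample: the tcp block exactly as the guide shows it.
SAMPLE_STATS = """\
tcp:
273466 packets sent
193448 data packets (24133715 bytes)
11 data packets (1376 bytes) retransmitted
5 data packets unnecessarily retransmitted
0 resends initiated by MTU discovery
79576 ack-only packets (0 delayed)
"""

# Each pattern names the counters it yields, in capture-group order.
PATTERNS = [
    (r"^(\d+) packets sent$", ("packets_sent",)),
    (r"^(\d+) data packets \((\d+) bytes\)$", ("data_packets", "data_bytes")),
    (r"^(\d+) data packets \((\d+) bytes\) retransmitted$",
     ("retransmitted_packets", "retransmitted_bytes")),
    (r"^(\d+) data packets unnecessarily retransmitted$", ("unnecessary_retransmits",)),
    (r"^(\d+) resends initiated by MTU discovery$", ("mtu_resends",)),
    (r"^(\d+) ack-only packets \((\d+) delayed\)$", ("ack_only", "delayed_acks")),
]


def parse_tcp_stats(text):
    """Return a dict of integer counters parsed from the tcp: block."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, names in PATTERNS:
            m = re.match(pattern, line)
            if m:
                for name, value in zip(names, m.groups()):
                    counters[name] = int(value)
                break
    return counters


def retransmission_rates(counters):
    """(packet rate %, data rate %). Assumed definitions: retransmitted data
    packets over all packets sent, and retransmitted bytes over data bytes."""
    pkt = 100.0 * counters["retransmitted_packets"] / max(counters["packets_sent"], 1)
    data = 100.0 * counters["retransmitted_bytes"] / max(counters["data_bytes"], 1)
    return pkt, data


def retransmission_alert(counters, threshold_pct=5.0):
    """True when either rate exceeds the (assumed) threshold; a sustained rise
    usually points at a congested or faulty link between the appliance and
    its mail peers rather than at the appliance itself."""
    pkt, data = retransmission_rates(counters)
    return max(pkt, data) > threshold_pct


if __name__ == "__main__":
    c = parse_tcp_stats(SAMPLE_STATS)
    pkt, data = retransmission_rates(c)
    print("Packet retransmission rate: %d%%" % round(pkt))
    print("Data retransmission rate: %d%%" % round(data))
```

Run against the guide's sample both rates round to 0%, matching the appliance output; the alert function is where a monitoring job would hook in, after the counters have been reset with reset network counters so that the rates reflect a known window rather than the whole uptime.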

The show network errors command displays the state of the network interfaces that are auto-configured.
An asterisk (*) after the interface name indicates that the interface is down. The errors and collisions are
displayed in the last two columns for each interface.
Example:
[Secure Mail]: show network errors
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
bce0 1500 <Link#1> 00:15:c5:f1:8f:92 1328221 0 271024 0 0
bce0 1500 10.14/17 ctdev62 264830 - 270791 - -
bce1* 1500 <Link#2> 00:15:c5:f1:8f:90 0 0 0 0 0
lo0 16384 <Link#3> 3412 0 3412 0 0
lo0 16384 fe80:3::1 fe80:3::1 0 - 0 - -
lo0 16384 localhost.ctd ::1 6 - 6 - -
lo0 16384 your-net localhost 3381 - 3381 - -
[Secure Mail]:


The show network buffer command displays statistics recorded by the memory management routines.
The network stack manages a private pool of memory buffers (mbufs); the output shows the number of
mbufs in use, the number of clusters in use, and the number of requests for mbufs that were denied.
Example:
[Secure Mail]: show network buffer
504/786/1290 mbufs in use (current/cache/total)
502/570/1072/25600 mbuf clusters in use (current/cache/total/max)
0/384 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
1130K/1336K/2466K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/6/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
2 calls to protocol drain routines

[Secure Mail]:
The show network capture command displays the files containing previously captured packets and replays the one you select.
Example:
[Secure Mail]: show network capture
**** Available Network Captures ****
netcap-1241465312.cap
netcap-1241465328.cap
Please enter the capture file to play: netcap-1241465312.cap
Playing Network Capture From (-r/ct/data/admin/tmp/netcap/netcap-1241465312.cap)
reading from file /ct/data/admin/tmp/netcap/netcap-1241465312.cap, link-type EN10MB (Ethernet)
15:28:34.322821 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 1912142067 win 63908
15:28:36.292045 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 0:52(52) ack 1 win 63908
15:28:36.292221 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 52 win 65535
15:28:36.293342 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 1:69(68) ack 52 win 65535
15:28:36.400924 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 69 win 63840
15:28:36.776912 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 52:104(52) ack 69 win 63840
15:28:36.777065 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 104 win 65535
15:28:36.777593 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 69:121(52) ack 104 win 65535
15:28:36.947840 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 121 win 63788
15:28:38.273854 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 121:237(116) ack 104 win 65535
15:28:38.273879 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 237:321(84) ack 104 win 65535
15:28:38.274124 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 321:405(84) ack 104 win 65535
15:28:38.274163 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 405:505(100) ack 104 win 65535
15:28:38.274202 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 321 win 63588
15:28:38.274370 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 505 win 63404
15:28:39.699484 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 104:156(52) ack 505 win 63404
15:28:39.699532 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 156 win 65535
15:28:39.699713 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 505:557(52) ack 156 win 65535
15:28:39.900895 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 557 win 63352
15:28:40.151557 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 156:208(52) ack 557 win 63352
15:28:40.151605 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 208 win 65535
15:28:40.152010 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 557:641(84) ack 208 win 65535
15:28:40.187333 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 641:709(68) ack 208 win 65535
15:28:40.187667 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 709 win 63200

[Secure Mail]:

The show network addresses command displays all of the current ARP (Address Resolution Protocol)
entries for the current host. All the network addresses are shown as numbers as opposed to displaying
symbolic addresses.
Example:
[Secure Mail]: show network addresses
? (10.14.0.1) at 00:19:07:a6:e8:00 on bce0 [ethernet]
? (10.14.1.11) at 00:18:8b:32:79:9a on bce0 [ethernet]
? (10.14.1.62) at 00:15:c5:f1:8f:92 on bce0 permanent [ethernet]
[Secure Mail]:
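An added example, my own code and not part of the guide or the product, that parses this output and reports two conditions worth alerting on from the defender's side: one MAC address answering for several IP addresses, and an IP address whose MAC changed between two snapshots. The first snapshot is the guide's own output; the second snapshot is constructed to show what the checks return when the default gateway's entry changes.

```python
"""Added example (not part of the McAfee guide): parse 'show network addresses'
output and flag ARP anomalies a defender cares about: one MAC answering for
several IPs, and an entry whose MAC changed between two snapshots."""
import re

# One line of output: "? (ip) at mac on iface [flags] [media]"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)"
    r"(?P<flags>.*?) \[(?P<media>\w+)\]$"
)

# Constructed sample: the three entries shown in the guide.
SNAPSHOT_1 = """\
? (10.14.0.1) at 00:19:07:a6:e8:00 on bce0 [ethernet]
? (10.14.1.11) at 00:18:8b:32:79:9a on bce0 [ethernet]
? (10.14.1.62) at 00:15:c5:f1:8f:92 on bce0 permanent [ethernet]
"""

# Constructed later snapshot: the default gateway 10.14.0.1 is now answered
# by the MAC that previously belonged only to 10.14.1.11.
SNAPSHOT_2 = """\
? (10.14.0.1) at 00:18:8b:32:79:9a on bce0 [ethernet]
? (10.14.1.11) at 00:18:8b:32:79:9a on bce0 [ethernet]
? (10.14.1.62) at 00:15:c5:f1:8f:92 on bce0 permanent [ethernet]
"""


def parse_arp(text):
    """Return {ip: {"mac": ..., "iface": ..., "permanent": bool}}."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        table[m.group("ip")] = {
            "mac": m.group("mac"),
            "iface": m.group("iface"),
            "permanent": "permanent" in m.group("flags"),
        }
    return table


def shared_macs(table):
    """MACs that appear for more than one IP: {mac: sorted list of ips}."""
    by_mac = {}
    for ip, entry in table.items():
        by_mac.setdefault(entry["mac"], []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_macs(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old, new)}."""
    return {
        ip: (before[ip]["mac"], after[ip]["mac"])
        for ip in before
        if ip in after and before[ip]["mac"] != after[ip]["mac"]
    }
```

Neither condition is proof of anything by itself (a router with several interfaces on one segment legitimately shows one MAC for several IPs), but a change in the entry for the default gateway or for the internal mail server is the kind of event that should be reconciled against a change record before it is dismissed.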
The show queue command displays configuration information about processing order.
[Email Gateway]: show queue
Queue Position and Name
=======================
1 Internal Queues - MIME Ripper
2 Internal Queue - Content Extraction
3 Super Queue
4 Queue - Anti Spam
5 Queue - Virus Scan
6 Queue - Envelope Analysis
7 Queue - Content Analysis
8 Internal Queue - MIME Joining
9 SMTPO Service
[Email Gateway]:
The show services command displays the current status of the Email Gateway services.
[Email Gateway]: show services
Mail Processes
Service Auto-Start Running Uptime(D:H:M:S)
=======================================================================
WebMail Protection Y Y 0000:00:02:17
SMTPI Service Y Y 0000:22:51:44
SMTPIS Service Y Y 0000:22:51:44
SMTPO Service Y Y 0000:22:51:44
POP3 Service Y Y 0000:22:51:44
POP3S Service Y Y 0000:22:51:44
IMAP4 Service Y Y 0000:22:51:44
IMAP4S Service Y Y 0000:22:51:43
Queue Processes
Service Auto-Start Running Uptime(D:H:M:S)
=======================================================================
Super Queue Y Y 0000:00:00:31
Misc Processes
Service Auto-Start Running Uptime(D:H:M:S)
=======================================================================
CLI Access Y Y 0000:22:51:44
CipherTrust Support Ac Y Y 0000:04:56:10
Alert Manager Y Y 0000:22:51:42
Network IDS Y Y 0000:22:51:43
Anomaly Detection Engi Y Y 0000:22:51:40
Internal Processes
Service Auto-Start Running Uptime(D:H:M:S)
================================================
Int - Webadmin Y Y 0000:00:02:17
Int - Tomcat Y Y 0000:22:51:37
Int - Health Monitor Y Y 0000:22:51:39
Int - Reports Y Y 0000:12:27:05
Int - Scheduler Y Y 0000:22:51:42
Internal Queues - MIME Y Y 0000:22:51:42
Internal Queue - MIME Y Y 0000:22:51:42
Internal Queue - Conte Y Y 0000:22:51:42
[Email Gateway]:
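The table above is the natural input for a health check that runs more often than a human reads the screen. Here is an added example (my own code, not code from the guide or the product) that parses the show services output into records and reports services that are configured to auto-start but are not running, which is exactly the state the set service caution warns about, plus services whose uptime is suspiciously short. The sample is a constructed subset of the guide's output with one line altered so that Network IDS is stopped.

```python
"""Added example (not part of the McAfee guide): parse 'show services' output
into records and report services that should be running but are not, and
services that restarted recently."""
import re

# "<name> <Auto-Start> <Running> <DDDD:HH:MM:SS>"; the name may contain spaces.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<auto>[YN])\s+(?P<running>[YN])\s+"
                 r"(?P<uptime>\d{4}:\d{2}:\d{2}:\d{2})$")

# Constructed sample: a subset of the guide's output, with one line changed
# so that Network IDS is configured to auto-start but is not running.
SAMPLE_SERVICES = """\
Mail Processes
Service Auto-Start Running Uptime(D:H:M:S)
=======================================================================
WebMail Protection Y Y 0000:00:02:17
SMTPI Service Y Y 0000:22:51:44
SMTPO Service Y Y 0000:22:51:44
Misc Processes
Service Auto-Start Running Uptime(D:H:M:S)
=======================================================================
CLI Access Y Y 0000:22:51:44
Network IDS Y N 0000:00:00:00
Anomaly Detection Engi Y Y 0000:22:51:40
"""


def uptime_seconds(text):
    """Convert the D:H:M:S field to seconds."""
    d, h, m, s = (int(x) for x in text.split(":"))
    return ((d * 24 + h) * 60 + m) * 60 + s


def parse_services(text):
    """Return a list of dicts; section headings become the 'group' field."""
    rows, group = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = ROW.match(line)
        if m:
            rows.append({
                "group": group,
                "name": m.group("name"),
                "autostart": m.group("auto") == "Y",
                "running": m.group("running") == "Y",
                "uptime": uptime_seconds(m.group("uptime")),
            })
        elif line.endswith("Processes"):
            group = line
    return rows


def stalled_services(rows):
    """Names of services that auto-start but are not running."""
    return [r["name"] for r in rows if r["autostart"] and not r["running"]]


def recently_restarted(rows, within_seconds=300):
    """Running services whose uptime is shorter than the window; an unexpected
    restart is often the first visible sign of a crash or of tampering, and
    the Health Monitor RESTART traps in Appendix A report the same event."""
    return [r["name"] for r in rows if r["running"] and r["uptime"] < within_seconds]
```

Because the appliance truncates long service names in this output (CipherTrust Support Ac, Anomaly Detection Engi), match on the truncated names as they appear rather than on the full names used elsewhere in the guide.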


The show system command displays critical information about the Email Gateway system, including
disk status and process statistics.
Command Summary:
show system disk
show system info
show system process
show system support
show system messages

[Email Gateway]: show system disk


Mounted Size Used Avail Capacity iused ifree %iused
/ct 34G 1.3G 30G 4% 12129 8191645 0%
[Email Gateway]:

[Email Gateway]: show system process


Time % User % Sys % Nice % Intrpt % Idle
00:00 5 0 0 0 95
00:01 6 0 0 0 94
00:04 3 2 0 0 95
00:05 3 2 0 0 95
00:06 4 0 0 0 96
00:06 4 2 0 0 94
00:07 4 1 0 1 95
00:08 5 1 0 0 94
00:09 7 0 0 0 93
[Email Gateway]:

[Email Gateway]: show system support


Support access is enabled.
Support access listen port has set to {port:20022}.
[Email Gateway]:
The show hosts command displays the IP host names and addresses for the local host and for other hosts on
the network. This information is used to translate a host name into its Internet address. When your
system uses a name server, this information is used only if the name server cannot resolve the host
name.
When the local host uses the DNS protocol, the resolver routine queries a remote DNS server before
using this information. In a flat network with no DNS, the resolver routines use this information for host
name and address data.
[Email Gateway]: show hosts

ID IP Address     Domain Name                    Alias
-- -------------- ------------------------------ --------------
   127.0.0.1      localhost.securecomputing.com  localhost
   10.14.1.62     ctdev62.ctdev.net              ctdev62
24 10.12.64.6     ctcvs04.ciphertrust.com        ctcvs04
25 10.12.64.11    dns.ctdev.net
26 10.12.64.7     ctcvs05.ciphertrust.com        ctcvs05
27 10.12.64.11    ct46bld.securecomputing.com    ct46bld
28 10.0.0.49      update4.ciphertrust.net
29 10.0.0.49      license4.ciphertrust.net

[Email Gateway]:

SYSTEM command
The system command is used to reboot or shut down Email Gateway and to restore the factory settings. (You
can restore either the security certificate or the network settings, or disable the ACL on the WebAdmin.) Restoring
factory settings can be used to recover when the Email Gateway Web Administration graphical user interface
has become unavailable due to misconfiguration.
The system command accepts the following parameters: shutdown, reboot, restart, and restore. Restore
accepts these parameters: acl, certificate, and network.

TAIL command
The tail command shows a real-time view of all Email Gateway logs, beginning with the 10 most recent
entries. The command accepts one parameter, log, and no additional switches.
The tail log command takes the name of an Email Gateway log as a further parameter. Typing tail
log alone lists all available logs.
Command Summary:
tail log <SERVICE>
[Email Gateway]: tail log
tail log [ade|admin|alert|backuprestore|checktool|cleanup|ct_admin|ct_audit|ct_euser|ct_swm|eusrquarantine|imap4proxy|ironwebmail|ldapsync|policyconfiguration|pop3proxy|reports|sched|schedarchive|schedbackup|schedbayes|schedftp|schednightly|schedrrd|schedupdate|smtpo|smtpproxy|sshd_cli|statscollector|summary|superq|swmq|trainer|update|VulnerabilityAssessment|watch] <Date, ? for list, Enter for today>

[Email Gateway]:
[Email Gateway]: tail log cfq
Channel2::6:10122004 15:14:50:LOG_STAT_FINAL|6|PUSHED TO NEXT Q
Channel3::7:10122004 15:15:20:LOG_STAT_ATT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_CONT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_FINAL|7|PUSHED TO NEXT Q
Channel4::8:10122004 16:48:25:LOG_STAT_ATT_FIL: {}
Channel4::8:10122004 16:48:25:LOG_STAT_CONT_FIL: {}
Channel4::8:10122004 16:48:25:LOG_STAT_FINAL|8|PUSHED TO NEXT Q
Channel5::9:10122004 17:05:07:LOG_STAT_ATT_FIL: {}
Channel5::9:10122004 17:05:07:LOG_STAT_CONT_FIL: {}
Channel5::9:10122004 17:05:07:LOG_STAT_FINAL|9|PUSHED TO NEXT Q
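The queue log lines above have a regular shape (channel, message id, date and time, event name, then either pipe-separated fields or a brace-delimited payload), which makes them easy to ship into a log pipeline. Here is an added example, my own code and not part of the guide or the product, that parses them into structured events and summarises each message's path through the queue. The guide does not document the fields, so the interpretation of ATT_FIL and CONT_FIL as attachment-filter and content-filter hit lists is an assumption taken from the names, and the non-empty hit in the sample is constructed.

```python
"""Added example (not part of the McAfee guide): parse queue log lines shown
by 'tail log' into structured events. The meaning of the ATT_FIL/CONT_FIL
payloads (filter hit lists) is an assumption from the field names."""
import re

# Channel<n>::<msgid>:<MMDDYYYY> <HH:MM:SS>:<EVENT><rest>
LOG_LINE = re.compile(
    r"^Channel(?P<channel>\d+)::(?P<msg>\d+):"
    r"(?P<mm>\d{2})(?P<dd>\d{2})(?P<yyyy>\d{4}) (?P<hh>\d{2}):(?P<mi>\d{2}):(?P<ss>\d{2}):"
    r"(?P<event>[A-Z_]+)(?P<rest>.*)$"
)

# Constructed sample: lines from the guide plus one constructed line in which
# the content filter reports a hit for message 9.
SAMPLE_LOG = """\
Channel2::6:10122004 15:14:50:LOG_STAT_FINAL|6|PUSHED TO NEXT Q
Channel3::7:10122004 15:15:20:LOG_STAT_ATT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_CONT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_FINAL|7|PUSHED TO NEXT Q
Channel5::9:10122004 17:05:07:LOG_STAT_ATT_FIL: {}
Channel5::9:10122004 17:05:07:LOG_STAT_CONT_FIL: {confidential-dictionary}
Channel5::9:10122004 17:05:07:LOG_STAT_FINAL|9|PUSHED TO NEXT Q
"""


def parse_log_line(line):
    """Return a dict for one line, or None if it is not a queue log line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    event = {
        "channel": int(m.group("channel")),
        "msg": int(m.group("msg")),
        # ISO-style timestamp built from the MMDDYYYY HH:MM:SS fields
        "time": "%s-%s-%sT%s:%s:%s" % (m.group("yyyy"), m.group("mm"), m.group("dd"),
                                       m.group("hh"), m.group("mi"), m.group("ss")),
        "event": m.group("event"),
        "fields": [],
        "hits": [],
    }
    if rest.startswith("|"):
        # FINAL records carry pipe-separated fields: message id and disposition.
        event["fields"] = rest[1:].split("|")
    elif rest.startswith(":"):
        # Filter records carry a brace-delimited list; {} means no hits (assumed).
        body = rest[1:].strip().strip("{}")
        event["hits"] = [h.strip() for h in body.split(",") if h.strip()]
    return event


def summarise(text):
    """Map message id -> {'channel', 'disposition', 'hits'} across all lines."""
    out = {}
    for line in text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        rec = out.setdefault(ev["msg"], {"channel": ev["channel"],
                                         "disposition": None, "hits": []})
        if ev["event"] == "LOG_STAT_FINAL" and len(ev["fields"]) >= 2:
            rec["disposition"] = ev["fields"][1]
        rec["hits"].extend(ev["hits"])
    return out


def messages_with_hits(text):
    """Sorted ids of messages for which any filter reported a hit."""
    return sorted(msg for msg, rec in summarise(text).items() if rec["hits"])
```

The date field is MMDDYYYY (10122004 is 12 October 2004, consistent with the 10/13/04 timestamp in the test server sls output later in this chapter); normalising it to an ISO timestamp at parse time avoids the usual day/month confusion once the lines are correlated with logs from other systems.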

TEST command
The test command is used to test network connections by different methods, as well as to check
specific server connections. The test command accepts the following parameters: dns, mail, ping, port,
route, and server.
Examples are shown below:
Command Summary:
test dns forward <DNS SERVER IP> <HOSTNAME>
test dns mx <DNS SERVER IP> <DOMAIN NAME>
test dns reverse <DNS SERVER IP> <IP ADDRESS>
test mailroute <MAIL SERVER IP> <SENDER> <RECIPIENT>
test ping <HOST>
test port <IP ADDRESS> <PORT>
test route <DOMAIN NAME>
test server rlb <IP ADDRESS> <RBL SERVER> <DNS SERVER IP> <QUEUE TYPE>
test server sls
test server update
[Email Gateway]:
[Email Gateway]: test server sls
# 10/13/04 11:42:01 EDT /ct/apps/sls/client/conf/map
# Re-resolve names after 13:41:56 Check RTTs after 11:57:01
# 8000.00 ms threshold, -8000.00 ms average 1 total, 1 working addresses
IPv6 off
sls1.ciphertrust.net,-123789 client101
# * 10.50.1.16,-qa1.DCC.ciphertrust ID 1040
# 100% of 32 requests ok 10.85 ms RTT 6 ms queue wait

HISTORY command
The history command displays a list of previously run commands. You can execute a command
listed in the history by prefixing its number from the list with an exclamation point.
Examples are shown below:
[Email Gateway]:
[Email Gateway]: history
1 history
2 show network interface
3 history
4 history
5 show log
6 show log admin
7 history
8 show queue quarantine
9 history

!n executes command n, counting from the top of the list.
!-n executes command n, counting from the bottom of the list.

RESET command
The reset command is used to reset:
1. The try count and delivery schedule of undelivered messages that are in the retry schedule. This does not
work for messages in Outbound Quarantine. Multiple domains can be entered, separated by spaces.
2. The network statistics counters. Although only TCP statistics are displayed, the counters for all other
protocols are reset to zero as well.

Command Summary:
reset message smtpo
reset network counters



SECTION 12

Appendices

Appendix A, Email Gateway Generated Alerts
Appendix B, File Formats for Uploads
Appendix C, Actions and Action Codes
Appendix D, Process ID Numbers
Appendix E, Configuring WebMail Protection for MS Exchange
Appendix F, Special Tips
Appendix G, Email Gateway Action Order of Precedence
Appendix H, Text Filtering
Appendix I, Compliance Trainer
Appendix J, Event Logging Elements


A Email Gateway Generated Alerts

Contents
The subsystems
The alerts

The subsystems
Email Gateway automatically generates a variety of alerts for the following subsystems:

Table 303 Email Gateway Subsystems

Subsystem | Description
Anomaly Detection | The Anomaly Detection Engine looks historically at your email activity and detects patterns or events that you define.
Anti-Virus Queue | The Anti-Virus Queue scans messages for viruses.
Content Analysis Queue | The Content Analysis Queue looks for keywords within emails and attachments and takes user-defined action accordingly.
Envelope Analysis Queue | The Envelope Analysis Queue applies a variety of rules to messages, such as checking to whom a message is addressed or from whom it was sent.
Spam Queue | The Spam Queue uses a variety of technologies to discover whether messages are spam or not, such as performing reverse DNS, RBL, Razor and Statistical Lookup Service (SLS) lookups.
Health Monitor | Health Monitor examines Email Gateway performance, running a series of tests to ensure that all its services are performing as intended.
Internal Queues | Before messages even enter the Anti-Virus, Anti-Spam, Content Analysis or Envelope Analysis Queues, a Rip Queue rips messages into their separate MIME parts. Similarly, when all the queues have finished processing messages, a Join Queue reassembles each message.
SMTPI Service | The SMTPI Service processes all non-secure mail being delivered to the Email Gateway appliance.
SMTPIS Service | The SMTPIS Service processes all secure mail being delivered to the Email Gateway appliance.
SMTPO Service | The SMTPO Service processes all mail delivered outside the Email Gateway appliance.
POP3 Service | The POP3 Service processes all non-secure POP3 mail retrieval requests.
POP3S Service | The POP3S Service processes all secure POP3 mail retrieval requests.
IMAP4 Service | The IMAP4 Service processes all non-secure IMAP4 mail retrieval requests.
IMAP4S Service | The IMAP4S Service processes all secure IMAP4 mail retrieval requests.
WebMail Protection | WebMail Protection provides protection for browser-based email (protection against HTTP network attacks).
SWM Queue | The SWM queue holds all emails for Secure Delivery.
Update Processes | Update processes are used to ensure that the most current versions of features and functionality are available in the proper versions of Email Gateway.
SuperQueue | The SuperQueue includes all the processing queues between SMTPI and SMTPO.


The alerts
The following table lists the alerts Email Gateway is capable of generating.

Table 304 Email Gateway Alerts


Email Gateway process | Cause | Alert text | Alert type
Health Monitor | Heartbeat | Heartbeat Trap | Information
  When Email Gateway generates a heartbeat for your SNMP console, it can generate an information alert.
Health Monitor | SMTPO Up | SMTP Out UP Trap | Notification
  When Email Gateway restarts the SMTPO (outbound delivery) service after a failure, it can generate a notification alert.
Health Monitor | SMTPO Down | SMTP Out DOWN Trap | Error
  If Email Gateway has to shut down the SMTPO (outbound delivery) service due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | SMTPO Error | SMTP Out ERROR Trap | Warning/Error
  If the SMTPO (outbound delivery) service experiences other errors, Email Gateway can generate either warning or error alerts. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | SMTPPROXY Up | SMTPPROXY UP Trap | Notification
  When Email Gateway restarts the SMTPI (incoming delivery) service after a failure, it can send a notification alert.
Health Monitor | SMTPPROXY Down | SMTPPROXY DOWN Trap | Error
  If Email Gateway has to shut down the SMTPI (incoming delivery) service due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | SMTPPROXY Error | SMTPPROXY ERROR Trap | Warning/Error
  If the SMTPI (incoming delivery) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | SMTPPROXY Restart | SMTPPROXY RESTART Trap | Notification
  When Email Gateway restarts the SMTPPROXY service, it can generate a notification alert.
Health Monitor | SMTPSPROXY Up | SMTPSPROXY UP Trap | Notification
  When Email Gateway restarts the SMTPIS (secure incoming delivery) service after a failure, it can generate a notification alert.
Health Monitor | SMTPSPROXY-Error | SMTPSPROXY ERROR Trap | Warning/Error
  If the SMTPIS (secure incoming delivery) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)

Health Monitor | SMTPSPROXY Restart | SMTPSPROXY RESTART Trap | Notification
  When Email Gateway restarts the SMTPI service, it can generate a notification.
Health Monitor | POP3PROXY-Up | POP3PROXY UP Trap | Notification
  When Email Gateway restarts the POP3 (message retrieval) service after a failure, it can generate a notification alert.
Health Monitor | POP3PROXY-Down | POP3PROXY DOWN Trap | Error
  If Email Gateway has to shut down the POP3 (message retrieval) service due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | POP3PROXY-Error | POP3PROXY ERROR Trap | Warning/Error
  If the POP3 (message retrieval) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | POP3PROXY Restart | POP3PROXY RESTART Trap | Notification
  When Email Gateway restarts the POP3PROXY service, it can generate a notification.
Health Monitor | POP3SPROXY-Up | POP3SPROXY UP Trap | Notification
  When Email Gateway restarts the POP3S (secure message retrieval) service after a failure, it can generate a notification alert.
Health Monitor | POP3SPROXY-Down | POP3SPROXY DOWN Trap | Error
  If Email Gateway has to shut down the POP3S (secure message retrieval) service due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | POP3SPROXY-Error | POP3SPROXY ERROR Trap | Warning/Error
  If the POP3S (secure message retrieval) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | POP3SPROXY Restart | POP3SPROXY RESTART Trap | Notification
  When Email Gateway restarts the POP3PROXY service, it can generate a notification.
Health Monitor | IMAP4PROXY-Up | IMAP4PROXY UP Trap | Notification
  When Email Gateway restarts the IMAP4 (message retrieval) service after a failure, it can generate a notification alert.
Health Monitor | IMAP4PROXY-Down | IMAP4PROXY DOWN Trap | Error
  If Email Gateway has to shut down the IMAP4 (message retrieval) service due to memory load or other factors, it can generate an error alert.

Health Monitor | IMAP4PROXY-Error | IMAP4PROXY ERROR Trap | Warning/Error
  If the IMAP4 (message retrieval) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | IMAP4PROXY Restart | IMAP4PROXY RESTART Trap | Notification
  When Email Gateway restarts the IMAP4PROXY service, it can generate a notification.
Health Monitor | IMAP4SPROXY-Up | IMAP4SPROXY UP Trap | Notification
  When Email Gateway restarts the IMAP4S (secure message retrieval) service after a failure, it can generate a notification alert.
Health Monitor | IMAP4SPROXY-Down | IMAP4SPROXY DOWN Trap | Error
  If Email Gateway has to shut down the IMAP4S (secure message retrieval) service due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | IMAP4SPROXY-Error | IMAP4SPROXY ERROR Trap | Warning/Error
  If the IMAP4S (secure message retrieval) service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | IMAP4SPROXY Restart | IMAP4SPROXY RESTART Trap | Notification
  When Email Gateway restarts the IMAP4SPROXY service, it can generate a notification.
Health Monitor | Tomcat-Up | TOMCAT UP Trap | Notification
  When Email Gateway restarts the JSP interpreter (powering the browser interface) after a failure, it can generate a notification alert.
Health Monitor | Tomcat-Down | TOMCAT DOWN Trap | Error
  If the Email Gateway JSP interpreter (powering the browser interface) shuts down due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | Tomcat-Error | TOMCAT ERROR Trap | Warning/Error
  If the Email Gateway JSP interpreter (powering the browser interface) experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | Tomcat Restart | TOMCAT RESTART Trap | Notification
  When Email Gateway restarts Tomcat, it can generate a notification.
Health Monitor | Content Extraction Queue-Restart | VFQ Restart Trap | Notification
  When Email Gateway restarts the Rip Queue, it can generate a notification.

Health Monitor | Administration-Up | Admin UP Trap | Notification
  When Email Gateway restarts the Administration service after a failure, it can generate a notification alert.
Health Monitor | Administration-Down | Admin DOWN Trap | Error
  If the Email Gateway Administration service shuts down due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | Administration-Error | Admin Error Trap | Warning/Error
  If the Email Gateway Administration service experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | Administration-Restart | Admin Restart Trap | Notification
  When Email Gateway restarts the Administration service, it can generate a notification.
Health Monitor | SuperQueue-Up | SuperQ UP Trap | Notification
  When Email Gateway restarts the SuperQueue after a failure, it can generate a notification alert.
Health Monitor | SuperQueue-Down | SuperQ DOWN Trap | Error
  If the Email Gateway SuperQueue shuts down due to excessive memory load or other factors, it can generate an error alert.
Health Monitor | SuperQueue-Error | SuperQ ERROR Trap | Warning/Error
  If the Email Gateway SuperQueue experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | Join Queue-Error | JOINQ ERROR Trap | Warning/Error
  If the Email Gateway Join Queue (responsible for putting the MIME parts back together again) experiences other errors, Email Gateway can generate either warning or error messages. (Email Gateway intelligently tracks persistent problems and escalates the alert message accordingly.)
Health Monitor | Disk-Up | SYS-DISK UP Trap | Notification
  Each time Email Gateway is restarted, it can generate a notification alert that the hard disk utilization is less than the user-defined threshold. (It will not generate subsequent "up" alerts unless the appliance is restarted.)
Health Monitor | Disk Down | SYS-DISK DOWN Trap | Error
  Each time the hard disk shuts down, Email Gateway can generate an error alert.

McAfee Email Gateway 6.7.2 Administration Guide 561


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
Health Monitor Network Status Up SYS-NETSTAT UP Notification
Trap When Email Gateway restarts the
Network Status service, it can generate a
notification.
Health Monitor Internal Server-Up INTERNAL-SERVE Notification
R UP Trap Each time Email Gateway is restarted, it
can send a notification that the internal
mail server is responding normally. (It
will not generate subsequent “up” alerts
unless the internal mail server is
restarted.)
Health Monitor Internal INTERNAL SERVER Error
Server-Down DOWN Trap Each time the internal mail server shuts
down, Email Gateway can send an error
notification.
Health Monitor Internal INTERNAL SERVER Warning/Error
Server-Error ERROR Trap If the internal mail server fails to
respond, Email Gateway can generate
either a warning or error alert.
Health Monitor DNS Hijack-Up SYS-DNSHIJACK Notification
UP Trap
When Email Gateway restarts DNS Hijack
protection, it can send a notification that
the protection is responding normally.
Health Monitor DNS Hijack-Down SYS-DNSHIJACK Error
DOWN Trap
If the Email Gateway DNS Hijack
protection shuts down, Email Gateway
can send an error message.
Health Monitor DNS Hijack Error SYS-DNSHIJACK Warning/Error
ERROR Trap
If the DNS Hijack service experiences
other errors, Email Gateway can
generate either warning or error
messages. (Email Gateway intelligently
tracks persistent problems and escalates
the alert message accordingly.)
Health Monitor Command Line SSHD Console UP Notification
Interface-Up Trap
When Email Gateway restarts the
Command Line Interface, it can send a
notification that the protection is
responding normally.
Health Monitor Command Line SSHD Console Error
Interface-Down DOWN Trap
If the Email Gateway Command Line
Interface shuts down, Email Gateway can
send an error message.
Health Monitor Command Line SSHD Console Warning/Error
Interface-Error ERROR Trap
If the Command Line Interface
experiences other errors, Email Gateway
can generate either warning or error
messages. (Email Gateway intelligently
tracks persistent problems and escalates
the alert message accordingly.)
SSHD-Maint Support pipe-Up SSHD Maint UP Notification
Trap
When Email Gateway restarts the
support pipe, it can send a notification
that the protection is responding
normally.

562 McAfee Email Gateway 6.7.2 Administration Guide


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
SSHD-Maint Support SSHD Maint DOWN Error
pipe-Down Trap If the Email Gateway support pipe shuts
down, Email Gateway can send an error
message.
Health Monitor Support pipe-Error SSHD Maint Warning/Notification
ERROR Trap If the support pipe experiences other
errors, Email Gateway can generate
either warning or error messages. (Email
Gateway intelligently tracks persistent
problems and escalates the alert
message accordingly.)
Health Monitor Support Pipe SSHD Maint Notification
Restart RESTART Trap When Email Gateway restarts the
Support Pipe, it can generate a
notification.
Health Monitor Spam Queue Error SPAM ERROR Trap Warning/Error
If the Email Gateway Anti-Spam Queue
experiences other errors, Email Gateway
can generate either warning or error
messages. (Email Gateway intelligently
tracks persistent problems and escalates
the alert message accordingly.)
Health Monitor IWM Restart IWM RESTART Notification
Trap
When Email Gateway restarts the IWM
service, it can generate a notification.
Health Monitor Command Line SSHD Console Notification
Interface Restart RESTART Trap
When Email Gateway restarts the
Command Line Interface, it can generate
a notification.
SMTPO TLS-Failure SMTP Out TLS Warning
(SMTPO) Negotiation Failure
Whenever the Email Gateway SMTPO
Trap
service tries and fails to establish a TLS
handshake with another server, it can
generate a warning alert.
SMTPO TLS-Cert-Failure SMTP Out TLS Warning
Certificate
If the recipient server has a Security
Verification Failure
Certificate that cannot be validated by a
Trap
Trusted Root Certificate Authority, Email
Gateway can generate a warning alert.
SMTPO TLS-Auth-Failure SMTP Out Warning
Certificate
If the recipient server has a Security
Authentication
Certificate containing an invalid host or
Failure Trap
domain name, Email Gateway can
generate a warning.
SMTPO DNS-Failure SMTP Out DNS Notification
Server ERROR
When the DNS server is down, Email
Trap
Gateway can generate a critical alert.
SMTPO DSN-Final SMTP Out Final Information
DSN Intimation
When Email Gateway issues a final
Trap
Delivery Status Notification that a
message cannot be delivered, it can also
generate this information alert.
SMTPO SWM Failure SWM Delivery Notification
Failed
When Secure Web Mail is unable to
deliver a message, Email Gateway can
generate a notification.

McAfee Email Gateway 6.7.2 Administration Guide 563


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
SMTPI/SMTPIS Denial of SMTPPROXY DOS Warning
Service-Attack Attack Trap When Email Gateway detects that the
(SMTPI/S) Denial of Service threshold has been
reached via SMTPI connections, it can
generate a warning alert.
SMTPI/SMTPIS TLS Failure SMTPPROXY TLS Information
(SMTPI/SMTPIS) Negotiation Failure Whenever the Email Gateway SMTPI
Trap service fails to establish a TLS handshake
with another server or client machine, it
can generate a warning alert.
SMTPI/SMTPIS Real-time STMPPROXY RBL Notification
Blackhole Lookup Failure When Email Gateway receives a
List-Failure Trap connection request from an IP address
listed on an RBL list, it can generate a
warning alert.
SMTPI/SMTPIS Reverse SMTPPROXY Notification
DNS-Failure Reverse DNS When a reverse DNS lookup invalidates a
Lookup Failure server or client machine, Email Gateway
Trap can generate a notification alert.
SMTPI/SMTPIS Relay-Failure SMTPPROXY Relay Information
Attempt Intimation
Whenever a user attempts to relay email
Trap
off of Email Gateway but is unsuccessful,
it can generate an information alert.
SMTPI/SMTPIS Full Throttle SMTPPROXY Under Critical
Full Throttle
If the Email Gateway Load Throttling
Intimation Trap
threshold is ever reached, it can generate
a critical alert.
SMTPI/SMTPIS Auth-Failure SMTPPROXY Information
(SMTPI/SMTPIS) Authentication
Whenever a user is required to be
Failure Trap
authenticated, but is not, Email Gateway
can generate an information alert.
SMTPI/SMTPIS Deny List SMTPPROXY DENY Warning
List Trap
Whenever a connection is dropped
because the sender is on the Email
Gateway “deny” list, a warning alert can
be generated.
SMTPI/SMTPIS SMTP Size SMTPPROXY Information
Exceeded Message Exceeds
Whenever a message is not accepted
Limit Trap
because the size of the message exceeds
the set limit, Email Gateway can
generate an information alert.
POP3/POP3S Denial of Service POP3PROXY DOS Warning
Attack Attack Trap
When Email Gateway detects that the
(POP3/POP3S)
Denial of Service threshold has been
reached via POP3 or POP3S connections,
it can generate a warning alert.
POP3/POP3S Password Cracking POP3PROXY Information
Attempt Password Cracking
Whenever the Password Cracking
(POP3/POP3S) Attempt Trap
threshold has been reached via POP3 or
POP3S connections, an information alert
can be generated.
IMAP4/IMAP4S Denial of Service IMAP4PROXY DOS Warning
Attack Attack Trap
When Email Gateway detects that the
(IMAP4/IMAP4S)
Denial of Service threshold has been
reached via SMTPI or SMTPIS
connections, it can generate a warning.

564 McAfee Email Gateway 6.7.2 Administration Guide


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
IMAP4/IMAP4S Password Cracking IMAP4PROXY Information
Attempt Password Cracking Whenever the Password Cracking
(IMAP4/IMAP4S) Attempt Trap threshold has been reached via IMAP4 or
IMAP4S connections, an information alert
can be generated.
Anti Virus Queue Viruses Found AVQ Virus Found Information
Intimation Trap Whenever a virus is detected in a
message, an information alert can be
generated.
SuperQueue MIME Parsing RIPQ MIME Parsing Information
Failure Failure Trap Whenever Email Gateway is unable to
successfully “parse” or interpret a
message’s MIME boundaries, an
information alert can be generated.
Anomaly Detection Anomaly ADE from same IP User-defined
Detection-IP Trap You can set the alert level for the
Address “messages from the same IP address”
anomaly.
Anomaly Detection Anomaly ADE same From User-defined
Detection-From Address Trap
You can set the alert level for the
Address
“messages from the same email address”
anomaly.
Anomaly Detection Anomaly ADE Same User-defined
Detection-Messag Message Size Trap
You can set the alert level for the
e Size
“messages are the same size” anomaly.
Anomaly Detection Anomaly ADE Same User-defined
Detection-Messag Message Subject
You can set the alert level for the
e Subject Trap
“messages with the same subject line”
anomaly.
Anomaly Detection Anomaly ADE Same User-defined
Detection-Messag Attachment Trap
You can set the alert level for the
e Attachment
“messages have the same attachment”
anomaly.
Anomaly Detection Anomaly ADE Same User-defined
Detection-Attachm Attachment
You can set the alert level for the
ent Extension Extension Trap
“messages have the same attachment
file extension” anomaly.
Anomaly Detection Anomaly ADE Same Virus User-defined
Detection-Virus Trap
You can set the alert level for the
“messages are infected with a virus”
anomaly.
Anomaly Detection Anomaly ADE Same Unique User-defined
Detection-Same Virus Trap
You can set the alert level for the
Virus
“messages are infected with the same
virus” anomaly.
Anomaly Detection Anomaly Detection ADE Complex Rule User Defined
Complex Rule Trap
You can set the alert level for alerts to be
generated when a complex ADE rule is
triggered.
Sched-License Expiration 60 day 60 Days License Information
(nightly) warning Notification
Email Gateway will generate one
information alert 60 days before a license
is due to expire.
Sched-Backup Backup failure Backup operation Critical
failed.
When a backup operation fails for any
reason, this alert is issued.

McAfee Email Gateway 6.7.2 Administration Guide 565


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
Sched-Backup Backup transport Backup files Critical
failure transport failed When backup files cannot be
transported, this alert is issued.
Sched-License Expiration 30 day 30 Days License Warning
(nightly) warning Notification Email Gateway will generate one warning
alert 30 days before a license is due to
expire.
Sched-License Expiration 10 day Less than 10 Days Critical
(nightly) warning License Email Gateway will begin generating
Notification daily alerts 10 days before a license is
due to expire.
Virus Updates Queue-Update AVQ Virus Update Information
Success Completed Email Gateway will generate an
Successfully information alert when an anti-virus
update is downloaded and installed
successfully.
Virus Updates Queue-Update AVQ Virus Update Notification
Failure Failed Email Gateway will generate a
notification alert if an anti-virus update
fails to download and install successfully.
Update Failed Update Failed Notification
If Email Gateway experiences a failed
attempt to download or install an update,
it can generate a notification.
Update Success Update Completed Notification
Successfully
When Email Gateway successfully
downloads and installs a file update, it
can generate a notification alert.
Spam Queue RBL Failure SPAM RBL Lookup For Log Actions - No alert; For Drop
Failure Trap Action - Information; For Other Actions
- Information
Spam Queue Reverse DNS SPAM Reverse For Log Actions - No alert; For Drop
Failure DNS Lookup Action - Information; For Other Actions
- Information
Spam Queue SLS Detected SLS Detected the For Log Actions - No alert; For Drop
Message as Spam Action - Information; For Other Actions
- Information
Spam Queue ESP Detected Enterprise Spam For Log Actions - No alert; For Drop
Profiler Detected Action - Information; For Other Actions
the Message as - Information
Spam
Spam Queue System Defined System Defined For Log Actions - No alert; For Drop
Header Analysis Header Analysis Action - Information; For Other Actions
Detected Detected the - Information
Message as Spam
Spam Queue End User Spam End User Spam For Log Actions - No alert; For Drop
Reporting Trap Detected the Action - Information; For Other Actions
Message as Spam - Information
Spam Queue User Defined User Defined For Log Actions - No alert; For Drop
Header Analysis Header Analysis Action - Information; For Other Actions
Detected Detected the - Information
Message as Spam
Spam Queue Enterprise Spam Enterprise Spam For Log Actions - No alert; For Drop
Reporting Trap Detected the Action - Information; For Other Actions
Message as Spam - Information

566 McAfee Email Gateway 6.7.2 Administration Guide


Email Gateway Generated Alerts
The alerts

Table 304 Email Gateway Alerts (continued)


Email Gateway Cause Alert text Alert type
process
Control Center Server SYS-Control Restart
Connectivity error Center tunnel If Control Center detects a connectivity
error with the Data or Admin Server, it
attempts to reestablish the connection.
Control Center Email Gateway Error
connectivity error If Control Center to Email Gateway
connection fails, Control Center will issue
an Error alert.
SWM Error SWMQ ERROR Warning/Error
Trap If the Email Gateway SWM Queue
experiences other errors, Email Gateway
can generate either warning or error
messages. (Email Gateway intelligently
tracks persistent problems and escalates
the alert message accordingly.)
SWM Notification Failure SWMQ Notify Notification
Failure Trap When the secure web delivery queue is
unable to generate a notification, Email
Gateway generates a notification.
WebMail Protection Up IWM UP Trap User Defined
You can set the alert type for this
circumstance.
WebMail Protection Down IWM DOWN Trap User Defined
You can set the alert type for this
circumstance.
WebMail Protection Error IWM ERROR Trap User Defined
You can set the alert type for this
circumstance.
WebMail Protection Signature Attack IWM Signature User Defined
Attack Trap
You can set the alert type for this
circumstance.
WebMail Protection Buffer Overflow IWM Buffer User Defined
Attack Overflow Attack
You can set the alert type for this
Trap
circumstance.
WebMail Protection Authentication IWM User Defined
Failed Authentication
You can set the alert type for this
Failed Trap
circumstance.
WebMail Protection Session Timed Out IWM Session User Defined
Timeout Trap
You can set the alert type for this
circumstance.

McAfee Email Gateway 6.7.2 Administration Guide 567


Email Gateway Generated Alerts
The alerts

568 McAfee Email Gateway 6.7.2 Administration Guide


B File Formats for Uploads

In ALL file formats for uploads, all the pipe symbols ( | ) are required, even if they delimit empty fields or optional
fields.

Contents
Whitelist rules
Mail Firewall - Allow Relay
Group Manager - Definition
Attachment Analysis
Content Analysis dictionaries
Mail Firewall - Mail Routing

Whitelist rules
If you upload a new whitelist rule, the new rule will overwrite the existing entry.
The whitelist rule file must contain one or more lines in the following format:
who|direction|data|exclude option|entry expiration|anti_spam_bypass|policy_manager_bypass|antivirus_bypass
The imported entry looks like this example:
1|100|foo.com|0|1|5:1,2|6:1,3,5|7:1,2,3,5
The allowed parameters are:

Table 305 Whitelist rule parameters

who (Required: Yes)
    from domain = 1
    to domain = 2
    from email = 3
    to email = 4
    IP address = 5
direction (Required: Yes)
    inbound = 100
    outbound = 101
    both = 102
data (Required: Yes)
    from domain = valid domain name
    to domain = valid domain name
    from email = valid email address
    to email = valid email address
    IP address = valid IP address
    Note: Names are case sensitive.
exclude option (Required: Yes)
    If you select “to domain” or “to email” as your “who” option, the Exclude checkbox displays. If you select the checkbox, the rule will apply to all messages except those from your indicated email address or domain. Parameters are:
    • 0 = disabled; rule applies to all messages
    • 1 = enabled; the designated domain or email address is excluded from the rule
expiration (Required: Yes)
    whitelist entry allowed to expire = 0
    whitelist entry not allowed to expire = 1
queues (Required: at least one bypass definition is required)
    All three (anti_spam_bypass, policy_manager_bypass, and antivirus_bypass) have the same format:
    queue_number:bypass_list
    where bypass_list has the format bypass_id,bypass_id,...
    Queue definitions can be given in any order.

Allowed queue and bypass IDs are shown in the following table:

Table 306 Queue and bypass IDs

Anti-Virus (Queue Number 5)
    Sophos Engine = 1
    McAfee Engine = 2
    Authentium Engine = 3
Policy Manager (Queue Number 6)
    Mail Monitoring = 1
    Encrypted Message Filtering = 2
    Off Hour Delivery = 3
    Attachment Filtering = 4
    Content Filtering = 5
    Message Stamping = 6
Anti-Spam (Queue Number 7)
    Reverse DNS = 1
    Realtime Blackhole List = 2
    Statistical Lookup Service = 3
    System Defined Header Analysis = 5
    User Defined Header Analysis = 6
    Enterprise Spam Profiler = 9
    Bayesian Engine = 10
    Sender Policy Framework = 11

Examples
1|100|foo.com|0|1|5:1,2|6:1,3,5|7:1,2,3,5

What it says
For inbound mail from the domain foo.com: bypass the Sophos and McAfee anti-virus engines; bypass Mail Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and bypass Reverse DNS, Realtime Blackhole List, Statistical Lookup Service and System Defined Header Analysis in Anti-Spam. The domain cannot be excluded, and the entry will not expire.

2|101|baz.com|0|0|5:1,2|6:1,3,5|7:1,2,3,5

What it says
For outbound mail to the domain baz.com: bypass the Sophos and McAfee anti-virus engines; bypass Mail Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and bypass Reverse DNS, Realtime Blackhole List, Statistical Lookup Service and System Defined Header Analysis in Anti-Spam. The domain is not to be excluded, and the rule will be allowed to expire.

4|102|abcd@foo.com|0|0|5:1,2|6:1,3,5|7:1,2,3,5

What it says
For both inbound and outbound mail to the email address abcd@foo.com: bypass the Sophos and McAfee anti-virus engines; bypass Mail Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and bypass Reverse DNS, Realtime Blackhole List, Statistical Lookup Service and System Defined Header Analysis in Anti-Spam. The email address is not excluded from the rule, and the entry will expire.
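A validator that applies the field rules of Tables 305 and 306 to whitelist upload lines before they reach the appliance, and renders each line the way the "What it says" paragraphs above do. This is an added example, not McAfee code; the domain, email and IP syntax checks are simplified assumptions, since the manual only says "valid".

```python
import re

# Field codes from Table 305 and queue/bypass IDs from Table 306.
WHO = {"1": "from domain", "2": "to domain", "3": "from email",
       "4": "to email", "5": "IP address"}
DIRECTION = {"100": "inbound", "101": "outbound", "102": "both"}
QUEUES = {
    "5": ("Anti-Virus", {"1": "Sophos Engine", "2": "McAfee Engine",
                         "3": "Authentium Engine"}),
    "6": ("Policy Manager", {"1": "Mail Monitoring",
                             "2": "Encrypted Message Filtering",
                             "3": "Off Hour Delivery",
                             "4": "Attachment Filtering",
                             "5": "Content Filtering",
                             "6": "Message Stamping"}),
    "7": ("Anti-Spam", {"1": "Reverse DNS", "2": "Realtime Blackhole List",
                        "3": "Statistical Lookup Service",
                        "5": "System Defined Header Analysis",
                        "6": "User Defined Header Analysis",
                        "9": "Enterprise Spam Profiler",
                        "10": "Bayesian Engine",
                        "11": "Sender Policy Framework"}),
}
# Simplified syntax checks for the data field (assumption: the manual only says "valid").
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s|]+@[^@\s|]+\.[^@\s|]+$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"^%s(?:\.%s){3}$" % (OCTET, OCTET))
DATA_CHECK = {"from domain": DOMAIN_RE, "to domain": DOMAIN_RE,
              "from email": EMAIL_RE, "to email": EMAIL_RE,
              "IP address": IPV4_RE}


def parse_bypass(field):
    """'6:1,3,5' -> ('6', ['1', '3', '5']); rejects unknown queue or bypass IDs."""
    queue, sep, id_text = field.partition(":")
    if not sep or queue not in QUEUES:
        raise ValueError("bad queue definition: %r" % field)
    ids = [i for i in id_text.split(",") if i]
    unknown = [i for i in ids if i not in QUEUES[queue][1]]
    if not ids or unknown:
        raise ValueError("bad bypass list %r for queue %s" % (id_text, queue))
    return queue, ids


def parse_whitelist_rule(line):
    """Validate one upload line and return its decoded fields as a dict."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 8:  # every pipe is required, even around empty fields
        raise ValueError("expected 8 fields, got %d" % len(fields))
    who, direction, data, exclude, expiration = fields[:5]
    if who not in WHO or direction not in DIRECTION:
        raise ValueError("unknown who (%r) or direction (%r)" % (who, direction))
    kind = WHO[who]
    if not DATA_CHECK[kind].match(data):
        raise ValueError("%r is not a valid %s" % (data, kind))
    if exclude not in ("0", "1") or expiration not in ("0", "1"):
        raise ValueError("exclude option and entry expiration must be 0 or 1")
    if exclude == "1" and kind not in ("to domain", "to email"):
        raise ValueError("exclude is only offered for 'to domain'/'to email' rules")
    bypass = {}
    for field in fields[5:]:
        if field:  # empty bypass fields are allowed, but at least one queue is required
            queue, ids = parse_bypass(field)
            bypass[queue] = ids
    if not bypass:
        raise ValueError("at least one bypass definition is required")
    return {"who": kind, "direction": DIRECTION[direction], "data": data,
            "exclude": exclude == "1", "never_expires": expiration == "1",
            "bypass": bypass}


def describe(rule):
    """Render a parsed rule in the style of the manual's 'What it says'."""
    parts = []
    for queue in sorted(rule["bypass"]):
        name, names = QUEUES[queue]
        parts.append("%s: %s" % (name, ", ".join(names[i] for i in rule["bypass"][queue])))
    return "%s mail, %s %s; bypass %s; %s; %s" % (
        rule["direction"], rule["who"], rule["data"], "; ".join(parts),
        "excluded" if rule["exclude"] else "not excluded",
        "never expires" if rule["never_expires"] else "may expire")
```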

Mail Firewall - Allow Relay

The file should contain one or more lines in the format:
IP_subnet|IP_sidenote
IP_subnet is required; its value is the same as in earlier versions of this file format.
IP_sidenote is optional. To start a new line in the side note, use “<br>”; to upload a side note that shows more than one consecutive space, replace the extra spaces with “&nbsp;”.
Good examples:
10.60.1|some text
1.2.3.4|
1.2.11|first line<br>second line of sidenote
4.3.2|this &nbsp; is text with extra spaces
Bad examples:
xyz|xyz - xyz is not a good IP subnet
10.65.1.111 - missing pipe symbol

Group Manager - Definition

The file should contain one or more lines in the format:
group_name|domain_based|data_list
group_name is required and is the name of the group.
domain_based is required and has the value “0” if the group is not domain based or “1” if it is.
data_list is a comma-delimited list of domain names or email addresses, depending on the value of the domain_based field.
Good examples:
group1|0|abc@ct.com
group2|1|abc.com,cde.com,fgh.org
You can upload more than one group at a time.


Attachment Analysis
The Attachment Analysis rules file should contain at least one row in the following format:
default_value|file_ext_name|is_file|action|action_value|alternative_action|alternative_action_value|quarantine_type|sender|sender_template|internal_user|internal_user_template|others|other_email_1|others_template_1|other_email_2|others_template_2|other_email_3|others_template_3|archival|archival_target
Allowed parameters are:

Table 307 Attachment Analysis parameters

default value
    Do not use default = 0
    Show default = 1 (file_ext_name will display as *DEFAULT* but will be stored as * in the database)
file extension name (Required: Yes, unless default_value is 1)
    This is the actual file extension name.
is file
    This is not a file = 0
    This entry is a file = 1
action (Required: Yes)
    Policy Action Type IDs:
    • Pass Through = 1
    • Log = 8
    • Rename = 3
    • Copy Message = 2
    • Subject Rewrite = 10
    • Drop Part = 4
    • Secure Delivery = 11
    • Quarantine = 6
    • Remote Quarantine = 13
    • Drop Message = 9
    • Re-route = 7
action value
    Value associated with the selected action, if applicable.
alternative action
    Policy Action Type IDs: see the list above.
alternative action value
    Value associated with the selected alternative action, if applicable.
quarantine type
    Quarantine Type ID (as displayed in Queue Manager | Advanced | Quarantine Types).
sender
    Do not notify sender = 0
    Send notification to sender = 1
sender template (Required: if sender = 1)
    Template ID (as displayed in Compliance | Compliance Advanced | Mail Notification).
internal user
    Do not notify internal user = 0
    Send notification to internal user = 1
internal user template (Required: if internal user = 1)
    Template ID (as displayed in Compliance | Compliance Advanced | Mail Notification).
others
    Do not notify others = 0
    Send notifications to others = 1 (requires at least other_email_1 and others_template_1)
other email 1 (Required: if others = 1)
    Email address to which notifications should be sent.
others template 1 (Required: if others = 1)
    Template ID (as displayed in Compliance | Compliance Advanced | Mail Notification).
other email 2
    Email address to which notifications should be sent.
others template 2
    Template ID (as displayed in Compliance | Compliance Advanced | Mail Notification).
other email 3
    Email address to which notifications should be sent.
others template 3
    Template ID (as displayed in Compliance | Compliance Advanced | Mail Notification).
archival
    Messages should not be archived = 0
    Archive messages = 1
archival target
    Archive target ID (as displayed in Reporting | Message Archive).

Examples
1||0|8|||||0||0||0|||||||0|

What it says
This entry is to show as Default, and it is NOT a file. Occurrences should be logged. No notifications will be sent, and triggering messages will not be archived.

0|test|0|8|||||0||0||0|||||||0|

What it says
This entry is listed as test, and it is NOT a file. Occurrences should be logged. No notifications will be sent, and triggering messages will not be archived.

0|test|1|6|12|||2|1|2|1|2|1|demo@ciphertrust.com|2|demoto@ciphertrust.com|2|||0|

What it says
This entry is listed as test, and it is a file. Triggering messages will be quarantined for 12 days, with no alternative actions. The quarantine type is 2. Notifications should be sent to: the sender, using sender template 2; the internal user, using internal user template 2; and to other users demo@ciphertrust.com using others template 2, and demo2@ciphertrust.com also using others template 2. Triggering messages should not be archived.

0|testrt|1|3|wee|6|11|2|1|2|0||1|demo@ciphertrust.com|2|demo2@ciphertrust.com|2|||1|1

What it says
This entry is listed as testrt, and it is a file. Triggering messages will be renamed “wee” with an alternative action of quarantine for 11 days in quarantine type 2. Notifications will be sent to: the sender, using sender template 2; and to other users demo@ciphertrust.com using others template 2, and demo2@ciphertrust.com also using others template 2. Triggering messages will be archived to archive target 1.
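The 21-field Attachment Analysis line is easy to get wrong by hand, so the conditional requirements of Table 307 (extension required unless default, templates required when a notification flag is 1, address and template required for others) are worth checking before upload. The following validator is an added example, not McAfee code; treating archival_target as required when archival = 1 is an assumption the table does not state.

```python
# Field order follows the Attachment Analysis format line above.
FIELDS = ["default_value", "file_ext_name", "is_file", "action",
          "action_value", "alternative_action", "alternative_action_value",
          "quarantine_type", "sender", "sender_template", "internal_user",
          "internal_user_template", "others", "other_email_1",
          "others_template_1", "other_email_2", "others_template_2",
          "other_email_3", "others_template_3", "archival", "archival_target"]

# Policy Action Type IDs from Table 307.
ACTIONS = {"1": "Pass Through", "2": "Copy Message", "3": "Rename",
           "4": "Drop Part", "6": "Quarantine", "7": "Re-route", "8": "Log",
           "9": "Drop Message", "10": "Subject Rewrite",
           "11": "Secure Delivery", "13": "Remote Quarantine"}

# Fields that must be exactly 0 or 1.
FLAGS = ("default_value", "is_file", "sender", "internal_user", "others", "archival")

# Each notification flag and the fields it makes mandatory (Table 307).
NOTIFY_REQUIRES = (("sender", ("sender_template",)),
                   ("internal_user", ("internal_user_template",)),
                   ("others", ("other_email_1", "others_template_1")))


def parse_attachment_rule(line):
    """Return the line as a dict keyed by FIELDS, or raise ValueError."""
    values = line.rstrip("\r\n").split("|")
    if len(values) != len(FIELDS):  # every pipe is required, even for empty fields
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    rule = dict(zip(FIELDS, values))
    for name in FLAGS:
        if rule[name] not in ("0", "1"):
            raise ValueError("%s must be 0 or 1" % name)
    if rule["default_value"] == "0" and not rule["file_ext_name"]:
        raise ValueError("file_ext_name is required unless default_value is 1")
    if rule["action"] not in ACTIONS:
        raise ValueError("unknown action id %r" % rule["action"])
    if rule["alternative_action"] and rule["alternative_action"] not in ACTIONS:
        raise ValueError("unknown alternative action id %r" % rule["alternative_action"])
    for flag, needed in NOTIFY_REQUIRES:
        if rule[flag] == "1" and not all(rule[n] for n in needed):
            raise ValueError("%s=1 requires %s" % (flag, " and ".join(needed)))
    if rule["archival"] == "1" and not rule["archival_target"]:
        raise ValueError("archival=1 requires archival_target")  # assumption, not in Table 307
    return rule


def describe(rule):
    """One-line summary in the style of the manual's 'What it says'."""
    name = "*DEFAULT*" if rule["default_value"] == "1" else rule["file_ext_name"]
    kind = "file" if rule["is_file"] == "1" else "not a file"
    text = "%s (%s): %s" % (name, kind, ACTIONS[rule["action"]])
    if rule["action_value"]:
        text += " [%s]" % rule["action_value"]
    if rule["alternative_action"]:
        text += ", else %s" % ACTIONS[rule["alternative_action"]]
        if rule["alternative_action_value"]:
            text += " [%s]" % rule["alternative_action_value"]
    notify = [flag for flag, _ in NOTIFY_REQUIRES if rule[flag] == "1"]
    text += "; notify " + (", ".join(notify) if notify else "nobody")
    if rule["archival"] == "1":
        text += "; archive to %s" % rule["archival_target"]
    else:
        text += "; no archive"
    return text
```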


Content Analysis dictionaries

The Content Analysis Dictionary entry file should contain at least one row in the following format:
Content_Type|Search_Type|Search_Text|weight|Status|header|body|Attachment|count_once|count_max|Reg_Ex_Flags|Side_Notes
Allowed parameters are:

Table 308 Content Analysis parameters

Content Type (Required: Yes)
    Words or phrases = 100
    URLs = 101
    Regular Expressions = 102
Search Type (Required: Yes)
    If content type is URLs:
    • URL = 102
    • URL with Path Information = 103
    If content type is Words/Phrases or Regular Expressions:
    • Word Boundary = 100
    • Substring = 101
Search Text (Required: Yes)
    The specific word/phrase, URL or regular expression to be entered as dictionary content.
Weight (Required: Yes)
    The value representing the weight for one instance of the specific entry.
Status (Required: Yes)
    Do not include = 0
    Include = 1
Header, Body, Attachment (Required: at least one of the three)
    All have the same options:
    Do not scan = 0
    Scan = 1
    At least one of these parameters must be set to 1.
Count Once (Required: Yes)
    Count as directed by Count Max = 0
    Count once = 1
Count Max (Required: Yes)
    An integer representing the maximum contribution for this particular entry. If Count Once is set to 1, Count Max is 1 by default. If Count Once is 0, Count Max must be entered. If Count Max is set to 0, Content Analysis will contribute the weight for the entry multiplied by the total occurrences.
RegEx Flags (Required: No)
    IGNORECASE = 100 (Email Gateway will perform case-insensitive matching)
    LOCALE = 101 (causes search characters to be dependent upon the current locale)
    MULTILINE = 102 (causes the pattern characters “^” and “$” to match multiple lines)
    DOTALL = 103 (the “.” special character will match any character at all, including a newline)
    UNICODE = 104 (search characters will be dependent upon the Unicode character database)
    VERBOSE = 105 (allows writing regular expressions that look more like normal language)
    Multiple flags can be included in a colon-separated list.
Side Notes (Required: No)
    Applies only to Regular Expressions. The description for the Search_Text of the Regular Expression.


Examples
102|100|TEST|23|1|1|0|0|1|0|101:105|TEST

What it says
Word boundary search for the Regular Expression TEST in the message header. The weight is 23 points per occurrence. The score is to be included in the dictionary contribution. Count the entry only once per message. Apply the LOCALE and VERBOSE RegEx flags. The side note is TEST.

101|102|TEST1|23|0|1|0|0|0|33||

What it says
URL search for the URL TEST1 (not including path information) in the message header. The weight is 23 points per occurrence, and the score is not to be included in the dictionary’s contribution. Count the entry to a maximum of 33 points.

100|101|TEST2|23|0|1|1|1|1|||

What it says
Substring search for the word/phrase TEST2 in the message header, body and attachments. The weight is 23 points per occurrence, and is not to be included in the dictionary’s contribution. Count the entry once per message.
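To see how the Status, Count Once and Count Max fields combine into a score, the following added example (not McAfee code) parses dictionary lines with the codes of Table 308, compiles each entry as a Python regular expression, and scores a constructed message. The flag codes 100 to 105 are mapped onto the same-named flags of Python's re module, which is an assumption about the product; re.LOCALE is bytes-only in Python 3, so code 101 is accepted but has no effect here.

```python
import re

# Field order follows the Content Analysis format line above.
FIELDS = ["content_type", "search_type", "search_text", "weight", "status",
          "header", "body", "attachment", "count_once", "count_max",
          "regex_flags", "side_notes"]
CONTENT_TYPES = {"100": "words", "101": "urls", "102": "regex"}
SEARCH_TYPES = {"100": "word boundary", "101": "substring",
                "102": "url", "103": "url with path"}
# Flag codes from Table 308. re.LOCALE applies only to bytes patterns in
# Python 3, so code 101 is accepted here but contributes no flag.
RE_FLAGS = {"100": re.IGNORECASE, "101": 0, "102": re.MULTILINE,
            "103": re.DOTALL, "104": re.UNICODE, "105": re.VERBOSE}


def parse_dictionary_entry(line):
    """Validate one upload line and return it as a dict with a compiled regex."""
    values = line.rstrip("\r\n").split("|")
    if len(values) != len(FIELDS):  # every pipe is required, even for empty fields
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    entry = dict(zip(FIELDS, values))
    if entry["content_type"] not in CONTENT_TYPES or entry["search_type"] not in SEARCH_TYPES:
        raise ValueError("unknown content type or search type")
    is_url = entry["content_type"] == "101"
    if is_url != (entry["search_type"] in ("102", "103")):
        raise ValueError("search types 102/103 go with URL content only, 100/101 otherwise")
    if "1" not in (entry["header"], entry["body"], entry["attachment"]):
        raise ValueError("at least one of header/body/attachment must be 1")
    entry["weight"] = int(entry["weight"])
    entry["count_once"] = entry["count_once"] == "1"
    if entry["count_once"]:
        entry["count_max"] = 1 if entry["count_max"] == "" else int(entry["count_max"])
    elif entry["count_max"] == "":
        raise ValueError("Count Max is required when Count Once is 0")
    else:
        entry["count_max"] = int(entry["count_max"])
    flags = 0
    for code in filter(None, entry["regex_flags"].split(":")):
        if code not in RE_FLAGS:
            raise ValueError("unknown RegEx flag %s" % code)
        flags |= RE_FLAGS[code]
    # Words, phrases and URLs are literal text; only content type 102 is a regex.
    pattern = entry["search_text"]
    if entry["content_type"] != "102":
        pattern = re.escape(pattern)
    if entry["search_type"] == "100":
        pattern = r"\b(?:%s)\b" % pattern
    entry["regex"] = re.compile(pattern, flags)
    return entry


def score(entry, message):
    """Points this entry contributes for a message given as
    {'header': str, 'body': str, 'attachment': str}."""
    if entry["status"] != "1":
        return 0  # Status 0: entry is not included in the dictionary contribution
    hits = sum(len(entry["regex"].findall(message.get(part, "")))
               for part in ("header", "body", "attachment") if entry[part] == "1")
    if hits == 0:
        return 0
    if entry["count_once"]:
        return entry["weight"]
    total = entry["weight"] * hits
    # Count Max 0 means uncapped (weight x occurrences); otherwise it caps the points.
    return total if entry["count_max"] == 0 else min(total, entry["count_max"])


# Constructed sample message (not from the manual).
SAMPLE_MESSAGE = {
    "header": "From: sender@example.com\nSubject: TEST results for TEST2 run",
    "body": "TEST2 TEST2 test2 attest",
    "attachment": "",
}


def dictionary_score(lines, message=SAMPLE_MESSAGE):
    """Total contribution of an uploaded dictionary file against one message."""
    return sum(score(parse_dictionary_entry(line), message)
               for line in lines if line.strip())
```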

Mail Firewall - Mail Routing

The file should contain one or more lines in the following format:
routing_protocol|domain_name|routing_type|machine_or_dns_name|IP_side_note
Allowable parameters are:

Table 309 Mail routing parameters

routing protocol (Required: Yes)
    Must be one of three protocols:
    • SMTP
    • POP3
    • IMAP4
domain name (Required: Yes)
    Can be a domain name or a sub-domain.
routing type (Required: Yes)
    Must be one of four types:
    • DNS
    • STATIC
    • ALTERNATE_MX
    • STATIC_OUTBOUND
    If the protocol selected above is POP3 or IMAP4, the routing type must be STATIC.
machine or dns name (Required: Yes)
    This parameter can be one or more IP addresses or domain names in a comma-separated list. If the routing type is ALTERNATE_MX, only one IP address is allowed.
IP Side Note (Required: No)
    Can be any text note, normally describing the routing entry.


Examples:
SMTP|ctdev.net|DNS|10.65.1.30|A sample IP side note

What it says
This routing follows the SMTP protocol for the domain “ctdev.net.” The routing type is DNS, hosted at
10.65.1.30. It includes a side note as shown.
POP3|ctdev.net|STATIC|10.65.1.10|Another sample side note

What it says
This routing follows the POP3 protocol for the domain “ctdev.net.” The routing type is STATIC, hosted at
10.65.1.10. It includes a side note as shown.
SMTP|ciphertrust.com|STATIC_OUTBOUND|10.65.1.31|Sample Note #3

What it says
This routing follows the SMTP protocol for the domain “ciphertrust.com.” The routing type is
STATIC_OUTBOUND, hosted at 10.65.1.31. It includes a side note as shown.
SMTP|ctdev.net|ALTERNATE_MX|10.43.1.8|Sample Note #4

What it says
This routing follows the SMTP protocol for the domain “ctdev.net.” The routing type is ALTERNATE_MX,
hosted at 10.43.1.8. It includes a side note as shown.
IMAP4|ciphertrust.com|STATIC|10.34.2.10|Sample Note #5

What it says
This routing follows the IMAP4 protocol for the domain “ciphertrust.com.” The routing type is STATIC,
hosted at 10.34.2.10. It includes a side note as shown.
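A pre-upload check for the two Mail Firewall formats in this appendix, Allow Relay (IP_subnet|IP_sidenote) and Mail Routing, enforcing the rules stated above: every pipe is required, POP3 and IMAP4 routes must be STATIC, and ALTERNATE_MX takes exactly one IP address. This is an added example, not McAfee code; reading an IP subnet as one to four dotted decimal octets (as in the manual's good examples) and the domain-name syntax are assumptions.

```python
import re

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"^%s(?:\.%s){3}$" % (OCTET, OCTET))
# Assumption: an IP subnet is written as 1 to 4 dotted octets, as in "10.60.1".
SUBNET_RE = re.compile(r"^%s(?:\.%s){0,3}$" % (OCTET, OCTET))
# Assumption: a domain or sub-domain is two or more dot-separated labels.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
PROTOCOLS = ("SMTP", "POP3", "IMAP4")
ROUTING_TYPES = ("DNS", "STATIC", "ALTERNATE_MX", "STATIC_OUTBOUND")


def check_allow_relay(line):
    """Return (IP_subnet, IP_sidenote) for a valid Allow Relay line."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 2:
        raise ValueError("missing pipe symbol")  # the manual's '10.65.1.111' case
    subnet, sidenote = fields
    if not SUBNET_RE.match(subnet):
        raise ValueError("%r is not a good IP subnet" % subnet)  # the 'xyz|xyz' case
    return subnet, sidenote


def check_mail_routing(line):
    """Return the decoded fields of a valid Mail Routing line."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    protocol, domain, routing_type, targets, note = fields
    if protocol not in PROTOCOLS:
        raise ValueError("routing protocol must be one of %s" % ", ".join(PROTOCOLS))
    if not DOMAIN_RE.match(domain):
        raise ValueError("%r is not a valid domain name" % domain)
    if routing_type not in ROUTING_TYPES:
        raise ValueError("routing type must be one of %s" % ", ".join(ROUTING_TYPES))
    if protocol in ("POP3", "IMAP4") and routing_type != "STATIC":
        raise ValueError("%s routing type must be STATIC" % protocol)
    hosts = [h for h in targets.split(",") if h]
    if not hosts:
        raise ValueError("machine_or_dns_name is required")
    for host in hosts:
        if not (IPV4_RE.match(host) or DOMAIN_RE.match(host)):
            raise ValueError("%r is neither an IP address nor a domain name" % host)
    if routing_type == "ALTERNATE_MX" and (len(hosts) != 1 or not IPV4_RE.match(hosts[0])):
        raise ValueError("ALTERNATE_MX allows exactly one IP address")
    return {"protocol": protocol, "domain": domain, "type": routing_type,
            "hosts": hosts, "note": note}


def validate_upload(text, checker):
    """Check every non-empty line of an upload file; return [(line_no, reason), ...]."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            checker(line)
        except ValueError as exc:
            problems.append((number, str(exc)))
    return problems


# Constructed upload files mixing the manual's good examples with bad lines.
RELAY_FILE = "10.60.1|some text\n1.2.3.4|\nxyz|xyz\n10.65.1.111\n"
ROUTING_FILE = ("SMTP|ctdev.net|DNS|10.65.1.30|A sample IP side note\n"
                "POP3|ctdev.net|DNS|10.65.1.10|wrong type for POP3\n"
                "SMTP|ctdev.net|ALTERNATE_MX|10.43.1.8,10.43.1.9|two hosts\n")
```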



C Actions and Action Codes

Contents
Email Gateway actions
Email Gateway action codes

Email Gateway actions


The various features in McAfee Email Gateway permit you to configure specific actions Email Gateway
should take. Some of these actions require additional information in terms of action values (additional
parameters). The table below lists possible actions and action values.
Note: The specific actions you can apply will be determined by the feature being configured. Not all actions are
available under all circumstances. See “Action Codes” for the options available for specific features.

Table 310 Email Gateway actions

Secured Delivery
Description: Email Gateway will always deliver messages to or from the specified user, group or domain securely. First, Email Gateway will attempt to deliver the message using S/MIME. If S/MIME is not supported, Email Gateway will look for PGP certificates and attempt that secure method. If neither is available or neither is supported by the other mail server, Email Gateway will attempt SSL delivery. And if none of these methods can be supported, Email Gateway will deliver the message via HTTPS, its Secure Web Delivery. Select this option to encrypt messages that contain sensitive or proprietary information.
Additional values: none.

Log
Description: Email Gateway will deliver the message, but will also record in the Daily Policy Compliance Report that the message matched the configured conditions for an applied rule.
Additional values: none.

Prefix
Description: Email Gateway will add a prefix to a found dictionary word or phrase, based on a text string supplied by you. This can be useful when creating rules for specific dictionaries. Example: CHECK CODE! Word prefixing works only when the found word is in the body of the message or in a plain text attachment. Although Email Gateway can find words in other formats (for example, Microsoft Word), it cannot edit them (add the prefix).
Additional values: This action requires a text string of any printable characters, up to 256 characters long. Email Gateway will prefix found words with this string.

Subject Rewrite
Description: Email Gateway will prepend the message's subject line with a text string provided by you.
Additional values: This action requires a text string to be prepended to the Subject line. Any printable characters are allowed, up to 256 characters.

Add Header
Description: Email Gateway will insert a custom RFC822 header, primarily to allow any other applications that can parse the header to act upon the message.
Additional values: A text string that follows the RFC822 protocol is required. The custom header format is “X-headername:headervalue”, where headername is an arbitrary name for the custom header, and headervalue is the text string to display in the header. The headervalue string following the colon cannot be over 15 characters, and the custom header name can not contain a colon.

Re-route
Description: Email Gateway will re-route the message to a specified machine for additional processing. The message will not be delivered to the original destination.
Additional values: If Re-route is specified, the IP address to which messages will be sent is required.

Drop Message
Description: Email Gateway will drop the entire message. Administrators can elect to send a brief system-generated email announcing that the message was dropped.
Additional values: If you want to send the notification email, Send Notification must be enabled for the applicable rules.

Quarantine
Description: Email Gateway will send the message to one of its quarantine queues, as specified by you.
Additional values: If Quarantine is specified as the action, the Quarantine Type pick list is enabled, and selection of a queue is required. A number (from 1 to 15) must also be entered to specify the number of days the message will remain in quarantine before it is returned to normal mail flow. A value of zero (0) means “Do not deliver.” Any message quarantined with a value of 0 will be deleted according to the Cleanup Schedule for quarantine data. For more information about the Cleanup Schedule, see Chapter 31, Email Gateway Administration.

Remote Quarantine
Description: Email Gateway will send the message into quarantine on another server configured as a Central Quarantine Server. For more information about CQS, please see Chapter 5 in this Administration Guide.
Additional values: This action also requires designation of a quarantine type and an action value of 0 for days in quarantine. Additionally, the CQS must be properly configured, and the Email Gateway must be configured to take advantage of the CQS. For more information, see Chapter 5, Remote Quarantine.

Forward Message
Description: Email Gateway will send the message to an alternative email address rather than to the original recipient.
Additional values: This action requires a valid email address to which the message will be forwarded. Multiple addresses can be entered as a comma-separated list without spaces.

Drop Part
Description: Email Gateway will drop just the file attachment, not the entire message. You can also specify an information message to be appended as a text file. If no text file is specified, Email Gateway will replace the dropped part with a blank text file.
Additional values: This action allows the option of a text string containing any printable characters, up to 256 characters long. Email Gateway will append this string as a plain text file to replace the dropped attachment.

Replace
Description: Email Gateway will replace found words or phrases with the text string provided by you. Word replacement works when the found word is in the subject or the body of the message or in a plain text attachment. Although Email Gateway can find words in other formats (for example, Microsoft Word), it cannot edit them (replace the word). Text replacement will not be attempted for messages containing both text and non-text types if text extraction can result in different versions of the message. Also, it can not be performed on many types of multi-part MIME messages.
Additional values: This action requires a text string containing up to 256 characters, consisting of any printable characters.

Copy Message
Description: Email Gateway will deliver the original message, but will send a copy of the message to an alternate email address. The alternate address is inserted into the RFC821 CC: header. It does not display in the RFC822 CC: header.
Additional values: This action requires a valid email address to which the copy will be sent. Multiple addresses can be entered as a comma-separated list without spaces.

Pass Through
Description: Email Gateway will allow the message to proceed with processing despite triggering the associated rule.
Additional values: none.

Rename
Description: Email Gateway will rename the file or file extension. For example, executable files can have their extensions renamed from “exe” to “ex?”.
Additional values: This action requires a text string containing up to 256 characters, consisting of any printable characters.

Allow Plain Message
Description: Plain text messaging is allowed; users for whom the policy applies are not required to send encrypted messages.
Additional values: none.

Quarantine Plain Message
Description: If the message is not encrypted, send it to a quarantine queue. This action allows administrative review of unencrypted messages.
Additional values: If Quarantine is specified as the action, the Quarantine Type pick list is enabled, and selection of a queue is required. A number (from 1 to 15) must also be entered to specify the number of days the message will remain in quarantine before it is returned to normal mail flow. A value of zero (0) means “Do not deliver.” Any message quarantined with a value of 0 will be deleted according to the Cleanup Schedule for quarantine data. For more information about the Cleanup Schedule, see Chapter 31, Email Gateway Administration.

Remotely Quarantine Plain Message
Description: Email Gateway will send the message into quarantine on another server configured as a Central Quarantine Server. For more information about CQS, please see Chapter 5 in this Administration Guide.
Additional values: This action also requires designation of a quarantine type and an action value of 0 for days in quarantine. Additionally, the CQS must be properly configured, and the Email Gateway must be configured to take advantage of the CQS. For more information, see Chapter 5, Remote Quarantine.

Drop Plain Message
Description: If the message is not encrypted, drop it; encrypted messaging is required.
Additional values: none.

Allow Encrypted Message
Description: Encrypted messaging is allowed; users for whom the policy applies are allowed to send encrypted messages.
Additional values: none.

Quarantine Encrypted Message
Description: If the message is encrypted, send it to a quarantine queue. This action allows administrative review of encrypted messages.
Additional values: If Quarantine is specified as the action, the Quarantine Type pick list is enabled, and selection of a queue is required. A number (from 1 to 15) must also be entered to specify the number of days the message will remain in quarantine before it is returned to normal mail flow. A value of zero (0) means “Do not deliver.” Any message quarantined with a value of 0 will be deleted according to the Cleanup Schedule for quarantine data. For more information about the Cleanup Schedule, see Chapter 31, Email Gateway Administration.

Remotely Quarantine Encrypted Message
Description: Email Gateway will send the message into quarantine on another server configured as a Central Quarantine Server. For more information about CQS, please see Chapter 5 in this Administration Guide.
Additional values: This action also requires designation of a quarantine type and an action value of 0 for days in quarantine. Additionally, the CQS must be properly configured, and the Email Gateway must be configured to take advantage of the CQS. For more information, see Chapter 5, Remote Quarantine.

Drop Encrypted Message
Description: If the message is encrypted, Email Gateway will drop it; encrypted messaging is not allowed.
Additional values: none.

DLP Scan
Description: If the action is selected, the message will be scanned for data loss and related issues.
Additional values: none.
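Table 310 states concrete limits for each action value (256 printable characters for text strings, 15 characters after the colon in a custom header, 1 to 15 days or 0 for quarantine, comma-separated addresses without spaces, an IP address for Re-route). The validator below is an added example and not the product's own code; it checks a proposed action value against those limits before the rule is created. The function names and the minimal address pattern are this example's own assumptions; the guide says only that the address must be valid.

```python
"""Check the 'additional values' an Email Gateway action requires (Table 310).

Added example, not McAfee's code. Limits come from Table 310; the address
pattern (local@domain, no whitespace or commas) is an assumption.
"""
import ipaddress
import re
from typing import List

MAX_TEXT = 256            # Prefix, Subject Rewrite, Replace, Rename, Drop Part strings
MAX_HEADER_VALUE = 15     # text after the colon in "X-headername:headervalue"
MAX_QUARANTINE_DAYS = 15
_ADDR_RE = re.compile(r"^[^\s@,]+@[^\s@,]+\.[^\s@,]+$")  # assumption, see above


def check_text(value: str, required: bool = True) -> List[str]:
    """Text-string values: any printable characters, up to 256 of them."""
    if not value:
        return ["a text string is required"] if required else []
    problems = []
    if len(value) > MAX_TEXT:
        problems.append(f"{len(value)} characters exceeds the {MAX_TEXT} limit")
    if not value.isprintable():
        problems.append("contains non-printable characters")
    return problems


def check_add_header(value: str) -> List[str]:
    """Custom header must read 'X-headername:headervalue'."""
    name, sep, hval = value.partition(":")   # name can never hold a colon this way
    if not sep:
        return ["missing ':' between header name and value"]
    problems = []
    if not name.startswith("X-") or len(name) == 2:
        problems.append("header name must start with 'X-' and not be empty")
    if any(c.isspace() for c in name):
        problems.append("header name must not contain whitespace (RFC822 field-name)")
    if len(hval) > MAX_HEADER_VALUE:
        problems.append(f"header value is {len(hval)} characters; limit is {MAX_HEADER_VALUE}")
    if not value.isprintable():
        problems.append("contains non-printable characters")
    return problems


def check_addresses(value: str) -> List[str]:
    """Forward/Copy: one address or a comma-separated list with no spaces."""
    if not value:
        return ["an email address is required"]
    if any(c.isspace() for c in value):
        return ["address list must not contain spaces"]
    return [f"{a!r} is not a valid address" for a in value.split(",") if not _ADDR_RE.match(a)]


def check_reroute(value: str) -> List[str]:
    """Re-route needs the IP address of the machine that receives the message."""
    try:
        ipaddress.ip_address(value)
        return []
    except ValueError:
        return [f"{value!r} is not an IP address"]


def check_quarantine(queue: str, days: int, remote: bool = False) -> List[str]:
    """Quarantine: a queue plus 1-15 days, or 0 for 'do not deliver'.
    Remote quarantine (CQS) additionally requires the value 0."""
    problems = []
    if not queue:
        problems.append("a quarantine queue must be selected")
    if not 0 <= days <= MAX_QUARANTINE_DAYS:
        problems.append(f"days in quarantine must be 0..{MAX_QUARANTINE_DAYS}, got {days}")
    elif remote and days != 0:
        problems.append("remote quarantine requires 0 days")
    return problems


def validate_action(action: str, value) -> List[str]:
    """Dispatch on the action name used in Table 310; return the problems found."""
    if action in {"Prefix", "Subject Rewrite", "Replace", "Rename"}:
        return check_text(value)
    if action == "Drop Part":
        return check_text(value, required=False)   # the text is optional here
    if action == "Add Header":
        return check_add_header(value)
    if action in {"Forward Message", "Copy Message"}:
        return check_addresses(value)
    if action == "Re-route":
        return check_reroute(value)
    if action in {"Quarantine", "Quarantine Plain Message", "Quarantine Encrypted Message"}:
        return check_quarantine(*value)            # value is (queue, days)
    if action in {"Remote Quarantine", "Remotely Quarantine Plain Message",
                  "Remotely Quarantine Encrypted Message"}:
        return check_quarantine(*value, remote=True)
    return []   # Log, Pass Through, DLP Scan and the allow/drop variants take no value
```

An empty list means the value is acceptable; otherwise each string names one limit that was exceeded.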

Subject re-write changes


When Email Gateway inserts a character string as a subject re-write parameter, Email Gateway will not
automatically convert that string to UTF-8. Instead, it will use the character set that already exists in the
subject line. If a subject line has multiple character sets, Email Gateway will use the first detected character
set.
If the subject line is written in a character set that Email Gateway does not support, it will be converted to
UTF-8.
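The rule above (keep the Subject's existing character set, take the first one when several are present, fall back to UTF-8 only for an unsupported set) can be reproduced with the standard library's RFC 2047 helpers. This is an added example, not McAfee's code: the list of supported character sets is this example's own assumption, the product's list is not given here, and falling back to UTF-8 when the existing set cannot represent the prefix is also an assumption.

```python
"""Prepend a subject re-write string while keeping the Subject's charset.

Added example, not McAfee's code. SUPPORTED_CHARSETS is this example's
assumption; the UTF-8 fallback when the prefix is not representable in
the existing charset is also an assumption.
"""
from email.header import Header, decode_header, make_header
from typing import Optional

SUPPORTED_CHARSETS = frozenset({
    "us-ascii", "iso-8859-1", "iso-8859-15", "utf-8",
    "iso-2022-jp", "shift_jis", "euc-jp", "gb2312", "big5",
})


def first_charset(raw_subject: str) -> Optional[str]:
    """Charset of the first RFC 2047 encoded word in the Subject, or None
    when the Subject contains no encoded words (plain ASCII)."""
    for _text, charset in decode_header(raw_subject):
        if charset:
            return charset.lower()
    return None


def decode_subject(raw_subject: str) -> str:
    """Human-readable text of a (possibly encoded) Subject."""
    return str(make_header(decode_header(raw_subject)))


def rewrite_subject(raw_subject: str, prefix: str) -> str:
    """Return the Subject value with `prefix` prepended, ready for the wire."""
    charset = first_charset(raw_subject) or "us-ascii"
    if charset not in SUPPORTED_CHARSETS:
        charset = "utf-8"                 # unsupported charset: converted to UTF-8
    new_text = prefix + decode_subject(raw_subject)
    try:
        new_text.encode(charset)
    except (UnicodeEncodeError, LookupError):
        charset = "utf-8"                 # assumption: prefix not representable
    return Header(new_text, charset).encode()


def encode_subject(text: str, charset: str) -> str:
    """Helper for building sample inputs: encode `text` as an RFC 2047 Subject."""
    return Header(text, charset).encode()


if __name__ == "__main__":
    sample = encode_subject("Geschäftsbericht", "iso-8859-1")   # constructed input
    print(rewrite_subject(sample, "[EXTERNAL] "))
```

Because the output is re-encoded as a whole, a mail client sees one encoded word in the original character set rather than a prefix in a second encoding glued in front of it.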

Email Gateway action codes


The Action Codes generated in Email Gateway are listed in the following tables.

Table 311 Email Gateway action codes

Code Description

Envelope Analysis
101 Subject rewritten by Mail Monitoring
102 Blind copied by Mail Monitoring
104 Quarantined by Mail Monitoring
105 Dropped by Mail Monitoring
106 Rerouted by Mail Monitoring
107 Logged by Mail Monitoring
108 Securely delivered by Mail Monitoring
109 Forwarded by Mail Monitoring
111 Quarantined remotely by Mail Monitoring
115 Message routed for DLP Scan by Envelope Analysis

Encrypted Message Filtering
201 Encrypted message(s) dropped by Encrypted Message Filtering
202 Plain message(s) dropped by Encrypted Message Filtering
203 Encrypted message(s) quarantined by Encrypted Message Filtering
204 Plain message(s) quarantined by Encrypted Message Filtering
205 Encrypted message(s) allowed by Encrypted Message Filtering
206 Plain message(s) allowed by Encrypted Message Filtering
207 Encrypted message(s) quarantined remotely by Encrypted Message Filtering
208 Plain message(s) quarantined remotely by Encrypted Message Filtering

Attachment Analysis
301 Blind copied by Attachment Filtering
302 Attachment(s) renamed by Attachment Filtering
303 Part(s) dropped by Attachment Filtering
305 Quarantined by Attachment Filtering
306 Rerouted by Attachment Filtering
307 Logged by Attachment Filtering
308 Subject rewritten by Attachment Filtering
309 Dropped by Attachment Filtering
310 Securely delivered by Attachment Filtering
311 Attachment(s) passed through by Attachment Filtering
313 Quarantined remotely by Attachment Filtering
316 Message routed for DLP Scan by Attachment Analysis

Content Analysis
401 Blind copied by Content Filtering
402 Filtered words replaced with text string by Content Filtering
403 Filtered words prefixed with text string by Content Filtering
404 Part(s) dropped by Content Filtering
406 Quarantined by Content Filtering
407 Dropped by Content Filtering
408 Rerouted by Content Filtering
409 Logged by Content Filtering
410 Securely delivered by Content Filtering
412 Subject rewritten by Content Filtering
413 Quarantined remotely by Content Filtering
416 Message routed for DLP Scan by Content Analysis

Miscellaneous policies
501 Message(s) stamped
601 Scheduled delivery delayed until Off-Hour Delivery time
602 Notification message generated by Email Gateway

Anti-Virus
701 No action was taken by Virus Scan Queue
702 Dropped by Virus Scan Queue
703 Attachment extension changed by Virus Scan Queue
705 Repackaged by Virus Scan Queue
706 Virus cleaned by Virus Scan Queue
707 Neglecting file encryption errors (password protection)
708 Part(s) dropped by Virus Scan Queue
709 Quarantined by Virus Scan Queue
710 Virus(es) found by Virus Scan Queue
711 Sweep error(s) detected by Virus Scan Queue
712 File encryption (password protection) detected by Virus Scan Queue
713 Attachment extension changed for sweep error(s) by Virus Scan Queue
714 Attachment extension changed for file encryption (password protection) by Virus Scan Queue
715 Generic scanning error(s) (sweep) ignored by Virus Scan Queue
716 File encryption error(s) (password protection) passed through by Virus Scan Queue
717 Generic scanning error(s) (sweep) passed through by Virus Scan Queue
718 Virus detected by Sophos in Virus Scan Queue
719 Virus detected by McAfee in Virus Scan Queue
720 Virus detected by Authentium in Virus Scan Queue

MIME Ripper
801 Dropped by Rip Queue due to parse error(s)
802 Repackaged by Rip Queue due to parse error(s)
803 Quarantined by Rip Queue due to parse error(s)
804 Dropped by Rip Queue due to a mail loop
805 Quarantined by Rip Queue due to a mail loop
806 MIME parse failed. Message(s) delivered to recipient after passing through all configured queues except Content Filtering Queue
807 MIME parse failed. Message(s) delivered to alternate address after passing through all configured queues except Content Filtering Queue

Anti-Spam
901 Dropped by Anti-Spam (Realtime Blackhole List)
902 Subject rewritten by Anti-Spam Queue (Realtime Blackhole List)
903 Quarantined by Anti-Spam Queue (Realtime Blackhole List)
904 Logged by Anti-Spam (Realtime Blackhole List)
905 New header added by Anti-Spam (Realtime Blackhole List)
906 Blind copied by Anti-Spam (Realtime Blackhole List)
907 Forwarded by Anti-Spam (Realtime Blackhole List)
908 Rerouted by Anti-Spam (Realtime Blackhole List)
911 Dropped by Anti-Spam (Reverse DNS)
912 Subject rewritten by Anti-Spam (Reverse DNS)
913 Quarantined by Anti-Spam (Reverse DNS)
914 Logged by Anti-Spam (Reverse DNS)
915 New header added by Anti-Spam (Reverse DNS)
916 Blind copied by Anti-Spam (Reverse DNS)
917 Forwarded by Anti-Spam (Reverse DNS)
918 Rerouted by Anti-Spam (Reverse DNS)
931 Dropped by Anti-Spam (Razor)
932 Subject rewritten by Anti-Spam (Razor)
933 Quarantined by Anti-Spam (Razor)
934 Logged by Anti-Spam (Razor)
935 New header added by Anti-Spam (Razor)
936 Blind copied by Anti-Spam (Razor)
937 Forwarded by Anti-Spam (Razor)
941 Dropped by Anti-Spam (System-Defined Header Analysis)
942 Subject rewritten by Anti-Spam Queue (System-Defined Header Analysis)
943 Quarantined by Anti-Spam Queue (System-Defined Header Analysis)
944 Logged by Anti-Spam (System-Defined Header Analysis)
945 New header added by Anti-Spam (System-Defined Header Analysis)
946 Blind copied by Anti-Spam (System-Defined Header Analysis)
947 Forwarded by Anti-Spam (System-Defined Header Analysis)
948 Rerouted by Anti-Spam (System-Defined Header Analysis)
951 Dropped by Anti-Spam (End User Spam Report)
952 Dropped by Anti-Spam (Enterprise Spam Trap Report)
953 Forwarded to global user report agent by Anti-Spam (Enterprise Spam Trap Report)
954 Repackaged to global enterprise report agent by Anti-Spam (Enterprise Spam Trap Report)
961 Dropped by Anti-Spam (Enterprise Spam Profiler)
962 Subject rewritten by Anti-Spam Queue (Enterprise Spam Profiler)
963 Quarantined by Anti-Spam Queue (Enterprise Spam Profiler)
964 Logged by Anti-Spam (Enterprise Spam Profiler)
965 New header added by Anti-Spam (Enterprise Spam Profiler)
966 Blind copied by Anti-Spam (Enterprise Spam Profiler)
967 Forwarded by Anti-Spam (Enterprise Spam Profiler)
968 Rerouted by Anti-Spam (Enterprise Spam Profiler)
971 Dropped by Anti-Spam (User-Defined Header Analysis)
972 Subject rewritten by Anti-Spam Queue (User-Defined Header Analysis)
973 Quarantined by Anti-Spam Queue (User-Defined Header Analysis)
974 Logged by Anti-Spam (User-Defined Header Analysis)
975 New header added by Anti-Spam (User-Defined Header Analysis)
976 Blind copied by Anti-Spam (User-Defined Header Analysis)
977 Forwarded by Anti-Spam (User-Defined Header Analysis)
978 Securely delivered by Anti-Spam (User-Defined Header Analysis)
979 Rerouted by Anti-Spam (User-Defined Header Analysis)
980 Forged domain detected based on routing list
981 Scores added as an X-header by Enterprise Spam Profiler
982 Quarantined remotely by Anti-Spam (Realtime Blackhole List)
983 Quarantined remotely by Anti-Spam (Reverse DNS)
985 Quarantined remotely by Anti-Spam (System-Defined Header Analysis)
986 Quarantined remotely by Anti-Spam (User-Defined Header Analysis)
987 Quarantined remotely by Anti-Spam (Enterprise Spam Profiler)
988 Dropped by Anti-Spam (Listed in deny list)
989 Logged by Anti-Spam (TrustedSource)
990 Subject rewritten by Anti-Spam (TrustedSource)

General message actions
1001 Dropped from SMTPO by the Queue Manager user interface
1002 Dropped from a queue by the Queue Manager user interface
1003 Forwarded from a quarantine queue by the Queue Manager user interface
1004 Released from a quarantine queue by the Queue Manager user interface
1005 Quarantine extended by Queue Manager (requested by TrustedSource)
1006 Message dropped by Queue Manager (requested by TrustedSource)
1101 Undeliverable message(s) deleted by SMTPO
1102 Undeliverable message(s) quarantined by SMTPO
1201 MIME rebuild failed. Message dropped by Join Queue
1202 MIME rebuild failed. Message quarantined by Join Queue
1203 MIME rebuild failed. Original message delivered by Join Queue
1301 User requested delete message(s) from EUQ notification
1302 User requested release message(s) from EUQ notification
2102 Dynamic quarantine by RIP Queue
3101 Failure in single-thread mode possibly due to high utilization of resources. Message quarantined.
3102 Failure in single-thread mode possibly due to high utilization of resources. Message dropped.
3103 Failure in single-thread mode possibly due to high utilization of resources. Message passed through.

Corporate Compliance
3201 Logged by Corporate Compliance Queue Profiler
3202 Blind copied by Corporate Compliance Queue Profiler
3203 Subject rewritten by Corporate Compliance Queue Profiler
3204 Forwarded by Corporate Compliance Queue Profiler
3205 Securely delivered by Corporate Compliance Queue Profiler
3206 Quarantined by Corporate Compliance Queue Profiler
3207 Quarantined remotely by Corporate Compliance Queue Profiler
3208 Dropped by Corporate Compliance Queue Profiler
3209 Rerouted by Corporate Compliance Queue Profiler
3210 Trainer notification message dropped by Corporate Compliance Queue Profiler
3214 Message routed for DLP Scan by Advanced Content Analysis
3220 Logged by Image Analysis
3221 Blind copied by Image Analysis
3222 Subject rewritten by Image Analysis
3223 Forwarded by Image Analysis
3224 Securely delivered by Image Analysis
3225 Quarantined by Image Analysis
3226 Quarantined remotely by Image Analysis
3227 Dropped by Image Analysis
3228 Rerouted by Image Analysis
3229 Part(s) dropped by Image Analysis
3231 Scores added as an X-header by Corporate Compliance Queue (CCQ)
3230 Message routed for DLP Scan by Image Analysis
3301 Training message dropped by Corporate Compliance Queue (CCQ)
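Several codes in Table 311 record that a message went on, or was delivered, even though an inspection step failed: 707, 715, 716 and 717 (scan errors neglected, ignored or passed through), 806 and 807 (MIME parse failed, delivered without the Content Filtering Queue), 1203 (MIME rebuild failed, original delivered) and 3103 (single-thread failure, passed through). A defender reviewing action codes wants those surfaced separately from routine policy hits. The triage below is an added example, not McAfee's code: the subsystem ranges and the flagged codes come from Table 311, while the `message-id|code` record layout of the sample lines is constructed for this example and is not a documented Email Gateway log format.

```python
"""Triage Email Gateway action codes (Table 311) from a code extract.

Added example, not McAfee's code. Subsystem ranges and the flagged codes
are taken from Table 311; the 'message-id|code' record shape is
constructed for this example, not a documented log format.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Code ranges implied by the section headings of Table 311.
SUBSYSTEMS = [
    (101, 199, "Envelope Analysis"),
    (201, 299, "Encrypted Message Filtering"),
    (301, 399, "Attachment Analysis"),
    (401, 499, "Content Analysis"),
    (501, 699, "Miscellaneous policies"),
    (701, 799, "Anti-Virus"),
    (801, 899, "MIME Ripper"),
    (901, 999, "Anti-Spam"),
    (1001, 3199, "General message actions"),
    (3201, 3399, "Corporate Compliance"),
]

# Codes where the message continued despite a failed scan or parse step,
# so its content was not fully inspected.
NOT_FULLY_INSPECTED = {
    707: "file encryption errors neglected by Virus Scan Queue",
    715: "generic scanning error(s) ignored by Virus Scan Queue",
    716: "file encryption error(s) passed through by Virus Scan Queue",
    717: "generic scanning error(s) passed through by Virus Scan Queue",
    806: "MIME parse failed; delivered to recipient without Content Filtering Queue",
    807: "MIME parse failed; delivered to alternate address without Content Filtering Queue",
    1203: "MIME rebuild failed; original message delivered by Join Queue",
    3103: "single-thread mode failure; message passed through",
}


def subsystem_for(code: int) -> str:
    """Map an action code to the Table 311 section it belongs to."""
    for low, high, name in SUBSYSTEMS:
        if low <= code <= high:
            return name
    return "unknown"


def parse_records(text: str) -> List[Tuple[str, int]]:
    """Parse 'message-id|code' lines (constructed format); skip blanks, reject junk."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        msg_id, _, code = line.partition("|")
        if not code.strip().isdigit():
            raise ValueError(f"bad record: {line!r}")
        records.append((msg_id.strip(), int(code)))
    return records


def triage(records: List[Tuple[str, int]]) -> Tuple[Dict[str, int], List[Tuple[str, int, str]]]:
    """Count codes per subsystem and list records that bypassed full inspection."""
    per_subsystem = Counter(subsystem_for(code) for _, code in records)
    gaps = [(msg_id, code, NOT_FULLY_INSPECTED[code])
            for msg_id, code in records if code in NOT_FULLY_INSPECTED]
    return dict(per_subsystem), gaps


# Constructed sample extract: one record per (message, action code).
SAMPLE_RECORDS = """\
m001|101
m001|104
m002|710
m002|702
m003|806
m004|3103
m005|961
m006|717
"""

if __name__ == "__main__":
    counts, gaps = triage(parse_records(SAMPLE_RECORDS))
    for name, n in sorted(counts.items()):
        print(f"{n:4d}  {name}")
    for msg_id, code, why in gaps:
        print(f"REVIEW {msg_id}: code {code}: {why}")
```

The per-subsystem counts give a quick shape of what the policies did over the period; the second list is the one to route to an analyst, since each entry is a message that reached a mailbox with less inspection than the policy intended.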



D Process ID Numbers

Contents
Process IDs
Queue IDs
Feature IDs
Sub-feature IDs
Default action
Message delivery modes
Message types
Anti-Spam tool IDs
Summary log actions
Message lock values
Message status values
Static rule IDs

Process IDs
The Summary Log file displays an internal ID number used by Email Gateway to identify the many
subsystems that can process a message. The Process ID is displayed in the second pipe-delimited field in
the log. The table below maps the Process ID number to the process name.

Table 312 Process IDs

ID Explanation
10
21 SMTPI Service
22 SMTPIS Service
30 SMTPO Service
41 POP3 Service
42 POP3S Service
51 IMAP4 Service
52 IMAP4S Service
90 Apache Web Server
91 WebMail Protection
100 Tomcat (JavaScript Interpreter)
110 Admin (internal service that runs scripts)
120 Alert Manager
130 Cleanup Schedule
140 Health Monitor
150 Report Generator
151 Policy Configuration
160 Schedule (running periodic scheduled tasks)
161 Schedule for FTP
163 Archive
165 Nightly schedule (running nightly scheduled tasks)
166 Statistics Collector
170 Optimize
180 Mail-IPS
190 Anomaly Detection Engine
200 Anti-Virus Queue
210 Content Analysis Queue
220 Envelope Analysis Queue
230 Rip Queue
240 Join Queue
250 Quarantine Queue
260 Spam Queue
270 SSH Command Line Interface
280 SSH Maintenance (monitoring the SSH port)
290 Secure Web Delivery Queue
300 Audit
330 Bootport
900 Check Tool
910 Updater

Queue IDs
Email Gateway Queue Services (for example, Envelope Analysis Queue, Anti-Spam Queue, and so forth)
are identified by numbers in Detailed Logs.

Table 313 Queue IDs


ID Explanation
1 Anti-Virus Queue (AVQ)
2 Content Analysis Queue (CFQ)
3 Envelope Analysis Queue (MMQ)
4 Outbound Queue (SMTPO)
5 Rip Queue (RIPQ)
6 Join Queue (JOINq)
8 Anti-Spam Queue (SPAMQ)
10 Secure Web Delivery Queue (SWDQ)
13 Network DLP

Feature IDs
Some of the Email Gateway log files will report a numeric value representing a program feature, that is, a
broad program area in Email Gateway. The table below maps the feature ID number to its program area.

Table 314 Feature IDs


ID Explanation
1 Mail Firewall
2 Mail-VPN
3 WebMail Protection
4 Mail-IPS
5 Anti-Virus
6 Policy Manager
7 Anti-Spam
9 Secure Delivery
10 Software/File Updates
11 Centralized Management Console

Sub-feature IDs
Some of the Email Gateway log files will report a numeric value representing a “sub-feature”, that is, a
category of the Email Gateway Policy Manager. The table below maps the sub-feature ID number to its
policy category.


Table 315 Sub-feature IDs

ID Explanation

Rule Type
0 System-Generated Rule
1 User-Generated Rule

Subfeature ID
1 Envelope Analysis
2 Desktop Encryption Analysis
3 Off-Hour Delivery
4 Attachment Analysis
5 Content Analysis
6 Message Stamping

User List Type
0 Email address
1 Group

User Included
1 Included
0 Excluded

Default Action
1 Pass through
4 Drop part

Parts to Scan
1 Body
2 Attachments
0 Both body and attachments

Message Direction
0 Inbound
1 Outbound
2 Both inbound and outbound

Default action
Email Gateway Attachment Analysis and Desktop Encryption Analysis policies both include a default action
value. These show up in Detailed Logs as numeric values. The table below maps the default action number
with the specific actions.

Table 316 Default actions

ID Explanation

For Attachment Analysis Policies
1 Pass through
2 Drop part

For Desktop Encryption Analysis Policies
1 Drop encrypted message
2 Drop plain message
3 Quarantine encrypted message
4 Quarantine plain message
5 Allow encrypted message
6 Allow plain message

Message delivery modes


Some of the Email Gateway log files will report how messages were delivered.

Table 317 Message delivery modes


ID Explanation
0 Normal (non-secure SMTP delivery)
1 TLS
2 S/MIME
3 PGP
4 Secure Web Delivery
5 Deny TLS

Message types
Email Gateway generates many notification emails to the administrator. These notifications are identified as
numbers in Email Gateway's logs.

Table 318 Message types


ID Explanation
0 Normal
1 Notification (when an Email Gateway policy is enforced)
2 Forwarded (when an email is forwarded as a result of a policy)
3 Copied (when a message is copied as a result of a policy)
4 DSN (delivery status notification when Email Gateway cannot deliver a
message)
5 SWM (notification to a recipient that an email can be read securely via the
Secure Web Delivery mechanism)
6 Reports (email that Email Gateway generates containing daily reports)
7 EUSR_OUT (when Email Gateway delivers End User Spam Reporting data
to McAfee’s Global Collector)
8 EST_OUT (When Email Gateway delivers Enterprise Spam Reporting data to
McAfee’s Global Collector)
9 EUSR_IN (messages that End User Spam Reporters forward to Email
Gateway)
10 EST_IN (messages that spammers send to the Enterprise Spam Reporting
address)
11 Secure (messages that are encrypted with SSL, PGP or S/MIME)
12 FWD_ATTACH (when Email Gateway forwards an email as an attachment)


Anti-Spam tool IDs


Each of the Email Gateway spam-blocking tools is identified by a number in the Spam Queue detailed log.

Table 319 Anti-Spam tool IDs


ID Anti-Spam Tool
1 Reverse DNS
2 Realtime Blackhole List
3 Statistical Lookup Service
5 System Defined Header Analysis
6 User Defined Header Analysis
7 User Spam Reporting
8 Enterprise Spam Reporting
9 Enterprise Spam Profiler

Summary log actions


Email Gateway Summary Log uses the following numeric codes to indicate specific actions it takes on
messages.

Table 320 Summary log actions


ID Explanation
100 No action
101 Multiple Actions
102 Drop message
103 Drop part
104 Forward as attachment
105 Forward
106 Copy as attachment
107 Copy
108 Quarantine
109 Log
110 Rewrite subject
111 Re-route
112 Encrypt
113 Change part
114 Add header
115 Retry message

Message lock values


Each email processed within the Email Gateway SMTPO Service (the Outbound Queue) can have one of 8
states or statuses.

Table 321 Message lock values

Value Explanation
-1 Message has not yet been picked up for delivery
0 Message has been picked up for delivery
1 SMTPO has opened a connection to the receiving server to deliver the message
2 SMTPO is in the process of delivering message data
4 Message has been successfully delivered
5 SMTPO dropped the message because it could not be delivered
7 SMTPO dropped the message because of Email Gateway administrator intervention
8 SMTPO delivered the message to the Secure Web Delivery Server

Message status values


At any given time, a message can be in any of 4 stages of being processed.

Table 322 Message status values


Value Status
0 The message is on disk, but not currently being processed by any mail-processing subsystem
1 The message has been picked up by a mail-processing subsystem and is currently being processed
2 The message has been successfully delivered off Email Gateway
3 The message was dropped by Email Gateway

Static rule IDs


Rules are created via a variety of mechanisms.

Table 323 Static rule IDs


ID Rule
1 Rules created by End User Spam Reporting when in ‘manual’ mode
2 Envelope Analysis rules created by the Anomaly Detection Engine
3 Attachment Analysis rules created by the Anomaly Detection Engine
4 Rules created by End User Spam Reporting when in ‘auto’ mode
5 Rules created by Enterprise Spam Reporting when in ‘auto’ mode
6 Rules created by Enterprise Spam Reporting when in ‘manual’ mode
7 Rules pertaining to IP addresses created by the Anomaly Detection Engine

E Configuring WebMail Protection for MS
Exchange

Contents
Exchange 5.5 configuration
Exchange 2000 configuration

Exchange 5.5 configuration


The following outline presents the configuration that might be required on an Exchange 5.5 server:

1 Start the Internet Service Manager
• Select Start->Programs->Windows NT 4.0 Option Pack->Microsoft Internet Information Server->Internet Service Manager
• The Microsoft Management Console should start.

2 Access the Properties window for the Exchange Directory
• Within the left directory tree frame, select Internet Information Server->Default Web Site->Exchange
• Right click on the Exchange directory branch, then click the Properties option.

3 Configure the needed Exchange directory permissions
• On the Exchange Properties window, click the Directory Security tab.
• Click the Edit button under the Anonymous Access and Authentication Control section.
• Within the Authentication Methods window click two options:
  • Allow Anonymous Access
  • Basic Authentication

4 Access the Properties window for the IISADMIN Directory
• Within the left directory tree frame, select Internet Information Server->Default Web Site->IISADMIN
• Right click on the IISADMIN directory branch, then click the Properties option.

5 Configure the needed IISADMIN directory permissions
• On the IISADMIN Properties window, click the Directory Security tab.
• Click the Edit button under the Anonymous Access and Authentication Control section.
• Within the Authentication Methods window click one option:
  • Allow Anonymous Access

Tip: For information about configuring WebMail protection, see Chapter 23, WebMail Protection in this
Administration Guide.


Exchange 2000 configuration


The following outline presents the configuration that might be required on an Exchange 2000
server:
1 Start the Internet Information Service Manager (IIS Mgr)

• Select Start->Programs->Administrative Tools->IIS Mgr

• The Internet Information Service Manager should be displayed.

2 Access the Properties window for the Exchange Directory

• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site->Exchange

• Right click on the Exchange directory branch, and then click the Properties option.

3 Configure the needed Exchange directory permissions

• On the Exchange Properties window, click the Directory Security tab.

• Click the Edit button within the Anonymous Access and Authentication Control section.
• Within the Authentication Methods window click one option:

• Basic Authentication checkbox

• Click the OK button to save your changes.

• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.

• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.

• In the Exchange Properties window, click the OK button to close the window.

4 Access the Properties window for the Exchweb Directory

• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site->Exchweb

• Right click on the Exchweb directory branch, and then click the Properties option.

5 Configure the needed Exchweb directory permissions

• On the Exchweb Properties window, click the Directory Security tab.


• Click the Edit button within the Anonymous Access and Authentication Control section.

• Within the Authentication Methods window click one option:

• Basic Authentication checkbox

• Click the OK button to save your changes.

• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.

• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.

6 In the Exchweb Properties window, click the OK button to close the window.


7 Access the Properties window for the IISAdmin Directory

• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site->IISAdmin

• Right click on the IISAdmin directory branch, and then click the Properties option.

8 Configure the needed IISAdmin directory permissions

• On the IISAdmin Properties window, click the Directory Security tab.

• Click the Edit button under the Anonymous Access and Authentication Control section

• Within the Authentication Methods window click TWO options:

• Basic authentication checkbox

• Integrated Windows authentication checkbox

• Click the OK button to save your changes.

• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.

• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.

9 Access page 3 of the “XWEB: Troubleshooting HTTP 401.x Errors in Outlook Web Access” document and
ensure the Exchange 2000 administrator has added the necessary access rights for:

• Log on Locally access

• Access This Computer From the Network access (essential for remote access)

10 After all changes have been made, the Exchange 2000 administrator should stop and restart the Exchange
2000 server. It would be sufficient to stop and restart the IIS Manager, but so many services depend on
the IIS Manager that it is easier to restart the server.
Tip: For information about configuring WebMail protection, see Chapter 23, WebMail Protection in this
Administration Guide.

Exchange 2007 configuration


The following outline presents the configuration that might be required on an Exchange 2007 server:
1 Start the Internet Information Service Manager (IIS Mgr)

• Select Start->Programs->Administrative Tools->IIS Mgr

• The Internet Information Service Manager should be displayed.

2 Access the Properties window for the Exchange Directory

• Within the left directory tree frame, click the name of your Exchange 2007 server->Default Web
Site->Exchange

• Right click on the Exchange directory branch, and then click the Properties option.

3 Configure the needed Exchange directory permissions

• On the Exchange Properties window, click the Directory Security tab.

• Click the Edit button within the Anonymous Access and Authentication Control section.

• Within the Authentication Methods window click one option:


• Basic Authentication checkbox

• Click the OK button to save your changes.

• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.

• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.

• In the Exchange Properties window, click the OK button to close the window.

4 Access the Properties window for the Exchweb Directory

• Within the left directory tree frame, click the name of your Exchange 2007 server->Default Web
Site->Exchweb

• Right click on the Exchweb directory branch, and then click the Properties option.

5 Configure the needed Exchweb directory permissions

• On the Exchweb Properties window, click the Directory Security tab.

• Click the Edit button within the Anonymous Access and Authentication Control section.

• Within the Authentication Methods window click one option:

• Basic Authentication checkbox

• Click the OK button to save your changes.

• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.

• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.

6 In the Exchweb Properties window, click the OK button to close the window.

7 After all changes have been made, the Exchange 2007 administrator should stop and restart the Exchange
2007 server. It would be sufficient to stop and restart the IIS Manager, but there are so many services
that depend on the IIS Manager that it is easier to restart the server.
Tip: For information about configuring WebMail protection, see Chapter 23, WebMail Protection in this
Administration Guide.



F Special Tips

Contents
Special characters in email addresses
Compressed file types

Special characters in email addresses


The email address you type to apply rules to a single individual can contain any letter or number, plus
certain special characters. The allowable special characters are:

! # $ % & ' * + - / = ? ^ _ ` { | } ~

Compressed file types


The list of compressed file types (and their abbreviations) Email Gateway can recognize is as follows:
• Zip files – zip

• Disk Doubler – dd

• PAK/ARC Archive – arc

• cpio archive – cpio

• SUN PEX Binary Archive – pex

• UU encoded – uu

• Stuffit (Mac) – sea

• UNIX Compress – z

• GZ Compress – gz

• TAR – tar

• Compactor/Compact Pro – uencap

• PGP Compressed Data – pgp

• ASCII-armored PGP encoded – aex


Note: While Email Gateway can detect and verify the file types in this list, it can open only the zip files (.zip) and
extract their content, or check them for embedded file attachments. It cannot open the other types of
compressed files.
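The following script, added here as an illustration and not part of Email Gateway itself, shows the distinction the Note draws: each compressed type is recognised from its signature bytes, but only a zip file is opened to enumerate the attachments embedded in it. The signature table covers only the listed types that have a stable public magic number, and the sample inputs are constructed in memory so the script runs offline.

```python
"""Recognise the compressed file types listed above and open zip files only.

Added example; it is not Email Gateway code. Types are identified from
signature bytes, but only a zip archive is opened to list the files it
embeds. The signature table is partial, and the sample inputs are
constructed in memory.
"""
import gzip
import io
import tarfile
import zipfile

# (Email Gateway abbreviation, byte offset, magic bytes) taken from the
# public format specifications. Types without a fixed signature are omitted.
SIGNATURES = [
    ("zip", 0, b"PK\x03\x04"),         # Zip local file header
    ("gz", 0, b"\x1f\x8b"),            # GZ Compress
    ("z", 0, b"\x1f\x9d"),             # UNIX Compress
    ("tar", 257, b"ustar"),            # TAR (POSIX/GNU header magic)
    ("cpio", 0, b"070701"),            # cpio archive, new ASCII header
    ("aex", 0, b"-----BEGIN PGP"),     # ASCII-armored PGP encoded
    ("uu", 0, b"begin "),              # UU encoded
]


def identify(data: bytes):
    """Return the abbreviation of the recognised compressed type, or None."""
    for abbrev, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return abbrev
    return None


def inspect_zip(data: bytes):
    """For a zip attachment, return [(member name, detected type or None)].

    Any other type is recognised by identify() but never opened, which is
    the behaviour the Note above describes. Nested compressed members are
    identified but not extracted further.
    """
    if identify(data) != "zip":
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, identify(zf.read(info)))
                for info in zf.infolist() if not info.is_dir()]


def build_samples():
    """Constructed inputs: a zip holding a text file and a gzip member,
    a tar archive, and a PGP armor block (all constructed sample data)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("nested.gz", gzip.compress(b"payload"))
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("a.txt")
        info.size = 3
        tf.addfile(info, io.BytesIO(b"abc"))
    armor = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
    return {"zip": zbuf.getvalue(), "tar": tbuf.getvalue(), "aex": armor}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, "->", identify(blob), inspect_zip(blob))
```

Running the script prints the detected type of each sample; only the zip sample yields a member list, in which the nested gzip member is reported by type but left unopened.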



G Email Gateway Action Order of Precedence

Contents
About action precedence
General action precedence
Precedence in specific Email Gateway features

About action precedence


Email Gateway generally takes action on a message based on the severity of the configured action. If
more than one action is possible for a message because it has triggered multiple rules, the action Email
Gateway takes is determined by this precedence: the action with the highest priority is taken.
In general, when a message matches multiple rules, Email Gateway applies the following precedence
hierarchy:
1 Feature order

2 Policy level (policy attribute comparison)

3 Threshold Preference

4 Action Precedence - highest triggered action applies, based on the hierarchy discussed below.

Feature order
Feature order is set under the Queue Manager tab (Queue Manager | Configure Queues). In that
window you set the order in which messages pass through the features as Email Gateway processes them.
When a message triggers a rule in any of the enabled features, that feature takes the configured action. If
the rule requires you to set a threshold, and you have configured more than one rule (each with its own
threshold and action), the queue takes the action associated with the highest threshold (see Threshold
preference, below). Further processing of the message is determined by the action.
• If the action taken by the current queue is a terminal action as indicated in Table 324, Email Gateway will
do no further processing.

• If the action is a non-terminal action, the current queue will take the action and the message will proceed
to the next queue.

Policy level
Policies are applied in the following order based on their level of application:
• User

• Domain

• User Group

• Domain Group

• Global

If a message triggers both a globally-applied policy and a policy applied to a single domain, the domain
action will take precedence.


Example: Email Gateway processes a message that triggers two rules. It triggers a user rule that requires
an action of copy and a domain group rule that requires an action of quarantine. Email Gateway will copy
the message to the configured email address. The quarantine action will not be taken.

Threshold preference
Equal policies are applied based upon the first threshold triggered, evaluated from the highest to the lowest
(applicable only for Spam Profiler and Image Analysis). When a threshold is matched, Email Gateway acts
on the message using the associated rule. There is no further evaluation.

General action precedence


The table below shows the overall precedence for Email Gateway actions in descending order. Two types of
actions are possible:
• Terminal actions - action is taken and no further processing occurs

• Non-terminal actions - action is taken and processing through other features and queues continues (but
might be delayed, as in the case of quarantined messages).
Note: Not all actions are applicable for all features. The order in specific features appears later in this appendix.

Table 324 Action precedence

Action             Precedence in Email Gateway   Comments
                   6.7.1 and later versions
Reroute            1                             Terminal action; no further processing, but the
                                                 message will be processed by the Join Queue.
Drop Message       2                             Terminal action; the message does not go to the
                                                 Join Queue.
Remote Quarantine  3                             Non-terminal action
Quarantine         4                             Non-terminal action, EXCEPT for Anti-Virus actions;
                                                 terminal for Anti-Virus.
DLP Scan           5                             Non-terminal action
Secure Delivery    6                             Non-terminal action
Forward            7                             Non-terminal action
Drop Part          8                             Non-terminal action
Add Header         9                             Non-terminal action
Subject Rewrite    10                            Non-terminal action
Replace            11                            Non-terminal action
Prefix             12                            Non-terminal action
Copy               13                            Non-terminal action
Rename             14                            Non-terminal action
Log                15                            Non-terminal action
Pass Through       16                            Non-terminal action


Precedence in specific Email Gateway features


The table that follows shows the available actions and their precedence for particular Compliance features
and the Spam Profiler in Email Gateway 6.7.1 and later versions.

Table 325 Precedence for specific features (a dash means the action is not available in that feature)

Action             Attachment  Content   Envelope  Advanced Content  Image     Spam
                   Analysis    Analysis  Analysis  Analysis          Analysis  Profiler
Reroute            1           1         1         1                 1         1
Drop Message       2           2         2         2                 2         2
Remote Quarantine  3           3         3         3                 3         3
Quarantine         4           4         4         4                 4         4
DLP Scan           5           5         5         5                 5         -
Secure Delivery    6           6         6         6                 -         -
Forward            -           -         7         -                 -         5
Drop Part          7           7         -         -                 6         -
Add Header         -           -         8         -                 -         6
Subject Rewrite    8           8         -         7                 7         7
Replace            -           9         -         -                 -         -
Prefix             -           10        -         -                 -         -
Copy               9           11        9         8                 8         8
Rename             10          12        -         -                 -         -
Log                11          -         10        9                 9         9
Pass Through       12          -         -         -                 -         -

When a message conforms to multiple rules, more than one action can be taken on the message. There are
situations when all the actions cannot be performed. Specific features follow processes as outlined below.

Anti-Spam feature order


The Anti-Spam Feature Order window lists all anti-spam sub-features that are currently active. Two kinds of
spam features are listed here: SpamProfiler, and all other individual spam tools (SpamProfiler can use
some or all of the individual spam tools). Message processing depends on whether SpamProfiler is
enabled in the queue order. Only one anti-spam feature can end up triggering a policy or action rule.

If SpamProfiler is not enabled:


If Scan all services is disabled (Queue Manager | Configure Queues | Anti-Spam), Email Gateway
evaluates messages using the enabled features from top to bottom according to the feature order.
Whenever a feature's policy or rule is triggered, Email Gateway acts using that single rule, no matter
what actions are configured for features in lower positions. There is no further evaluation by the Anti-Spam
feature. Any action is treated as a terminal action so far as processing in the Spam Queue is concerned; the
message can still proceed to the next queue unless the anti-spam action was a real terminal action (see
Table 324). If Scan all services is enabled, messages are scanned by all configured services, and Email
Gateway takes the action with the highest priority if the message triggers more than one service.

If SpamProfiler is enabled:
All enabled spam features will evaluate messages before SpamProfiler’s evaluation. If a SpamProfiler rule is
matched and SpamProfiler is positioned higher than any of the individual features that are also matched,
Email Gateway will act based on the SpamProfiler rule. Otherwise, the highest individual spam feature will
take the action. If you want SpamProfiler to control the action Email Gateway takes, it must be in the first
position in the feature order. From the perspective of policy precedence, SpamProfiler is treated like any
other individual spam feature.
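The three cases above (SpamProfiler disabled with Scan all services off, SpamProfiler disabled with it on, and SpamProfiler enabled) can be modelled in a few lines. The script below is an added illustration, not Email Gateway code: action ranks are taken from the Spam Profiler column of Table 325, the Hit type is constructed for the example, and the sub-feature names used in the usage are placeholders.

```python
"""Decide which anti-spam rule acts on a message in the Spam Queue.

Added example, not Email Gateway code. Models the three cases described
above. Action ranks come from the Spam Profiler column of Table 325; the
Hit type and the sub-feature names used below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Spam Profiler action precedence from Table 325 (1 = highest priority).
SPAM_ACTION_RANK = {
    "Reroute": 1, "Drop Message": 2, "Remote Quarantine": 3, "Quarantine": 4,
    "Forward": 5, "Add Header": 6, "Subject Rewrite": 7, "Copy": 8, "Log": 9,
}


@dataclass
class Hit:
    feature: str  # sub-feature whose rule matched ("SpamProfiler" included)
    action: str   # action configured on that rule


def resolve_spam_action(feature_order: List[str], hits: List[Hit],
                        spamprofiler_enabled: bool,
                        scan_all_services: bool) -> Optional[Tuple[str, str]]:
    """Return the (feature, action) that acts, or None if nothing enabled fired.

    feature_order lists the enabled sub-features top to bottom, as in the
    Anti-Spam Feature Order window; index 0 is the top position.
    """
    position = {name: i for i, name in enumerate(feature_order)}
    matched = [h for h in hits if h.feature in position]  # disabled features never act
    if not spamprofiler_enabled:
        matched = [h for h in matched if h.feature != "SpamProfiler"]
        if not matched:
            return None
        if not scan_all_services:
            # Evaluation stops at the first feature (top to bottom) that fires,
            # whatever is configured on the features below it.
            first = min(matched, key=lambda h: position[h.feature])
            return first.feature, first.action
        # All services scanned: the highest-priority action wins.
        best = min(matched, key=lambda h: SPAM_ACTION_RANK[h.action])
        return best.feature, best.action
    # SpamProfiler enabled: the individual features evaluate first, then
    # SpamProfiler; its rule wins only if it sits above every other match.
    profiler = next((h for h in matched if h.feature == "SpamProfiler"), None)
    others = [h for h in matched if h.feature != "SpamProfiler"]
    if profiler and all(position["SpamProfiler"] < position[o.feature] for o in others):
        return profiler.feature, profiler.action
    if others:
        top = min(others, key=lambda h: position[h.feature])
        return top.feature, top.action
    return None


if __name__ == "__main__":
    # Placeholder sub-feature names; SpamProfiler in first position controls the outcome.
    order = ["SpamProfiler", "FeatureA", "FeatureB"]
    hits = [Hit("FeatureA", "Log"), Hit("SpamProfiler", "Quarantine")]
    print(resolve_spam_action(order, hits, True, False))
```

Moving SpamProfiler below FeatureA in the order makes FeatureA's Log action win, which is the behaviour the text describes: SpamProfiler only controls the action when it is in the first position.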


Attachment Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.

• If both Secure Delivery and Forward actions are triggered for a message, the Forward action will cause
the original message to be deleted, and it will not be available for Secure Delivery. Therefore, Secure
Delivery has a higher precedence than Forward in the action codes. Other actions, such as Copy, Subject
Rewrite, and so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the
conflict when the actions belong to different policies; comparison of action codes resolves it if the rules
belong to the same policy.

• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.

• Policy attribute comparison resolves conflicts that occur when Drop Part and Rename actions are defined
against the same attachment extension or filename. These are part-level actions, so only one of them can
be performed. Drop Part outranks Rename. The same process occurs for Pass Through and Drop Part
actions; Drop Part outranks Pass Through.

• Policy attribute comparison occurs to resolve conflicts arising from two Rename actions on the same
extension. This comparison is required since the part can be renamed to either of the action data values.

• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute, Drop, or Quarantine forever – and the other is an action in (4) or (5). A Copy action in a policy
applied to a user will override a Reroute action applied to a group.

• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.
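As an added worked example (not Email Gateway code), the following script combines the general rule from About action precedence and General action precedence (narrow to the most specific policy level hit, then take the highest action in Table 324) with the Attachment Analysis refinement that competing finite Quarantine rules are decided by the longer period. The Rule type is constructed for the example; it assumes the quarantine-period comparison is applied among the rules that survive the policy-level comparison, and it does not model the feature-specific cases in which several non-terminal actions are applied together.

```python
"""Resolve the action Email Gateway takes when one message triggers several rules.

Added example, not Email Gateway code. Rules are narrowed to the most
specific policy level hit (User > Domain > User Group > Domain Group >
Global), competing finite Quarantine rules are decided by the longer
period, and the remaining candidates are ordered by Table 324.
Assumption: the quarantine-period comparison runs among the rules that
survive the policy-level comparison. The Rule type is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 324: (precedence, terminal). A lower number is a higher priority.
ACTION_PRECEDENCE = {
    "Reroute": (1, True),
    "Drop Message": (2, True),
    "Remote Quarantine": (3, False),
    "Quarantine": (4, False),      # terminal only when taken by Anti-Virus
    "DLP Scan": (5, False),
    "Secure Delivery": (6, False),
    "Forward": (7, False),
    "Drop Part": (8, False),
    "Add Header": (9, False),
    "Subject Rewrite": (10, False),
    "Replace": (11, False),
    "Prefix": (12, False),
    "Copy": (13, False),
    "Rename": (14, False),
    "Log": (15, False),
    "Pass Through": (16, False),
}

# Policy levels, most specific first.
POLICY_LEVELS = ["User", "Domain", "User Group", "Domain Group", "Global"]


@dataclass
class Rule:
    policy_level: str
    action: str
    quarantine_days: Optional[int] = None  # Quarantine only; None = forever
    feature: str = ""                       # e.g. "Anti-Virus"


def is_terminal(rule: Rule) -> bool:
    """Terminal per Table 324; Quarantine is terminal for Anti-Virus only."""
    if rule.action == "Quarantine":
        return rule.feature == "Anti-Virus"
    return ACTION_PRECEDENCE[rule.action][1]


def select_action(triggered: List[Rule]) -> Tuple[Optional[Rule], bool]:
    """Return (winning rule, stop_processing), or (None, False) if nothing fired."""
    if not triggered:
        return None, False
    # 1. Policy level: keep only the rules at the most specific level hit.
    best = min(POLICY_LEVELS.index(r.policy_level) for r in triggered)
    candidates = [r for r in triggered if POLICY_LEVELS.index(r.policy_level) == best]
    # 2. Several Quarantine rules: compare periods, not action codes. A
    #    "forever" quarantine is kept over any finite one (it ignores all
    #    other actions, as the text above states); otherwise the longer wins.
    quarantines = [r for r in candidates if r.action == "Quarantine"]
    if len(quarantines) > 1:
        forever = [r for r in quarantines if r.quarantine_days is None]
        keep = forever[0] if forever else max(quarantines, key=lambda r: r.quarantine_days)
        candidates = [r for r in candidates if r.action != "Quarantine"] + [keep]
    # 3. General action precedence (Table 324).
    winner = min(candidates, key=lambda r: ACTION_PRECEDENCE[r.action][0])
    return winner, is_terminal(winner)


if __name__ == "__main__":
    # The example from "Policy level": user Copy beats domain-group Quarantine.
    rule, stop = select_action([Rule("User", "Copy"), Rule("Domain Group", "Quarantine", 30)])
    print(rule.action, "terminal:", stop)
```

The usage reproduces the worked example under Policy level: the user-level Copy rule wins over the domain-group Quarantine rule even though Quarantine has the higher action precedence, because policy level is compared first.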

Content Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.

• If both Secure Delivery and Forward actions are triggered for a message, the Forward action will cause
the original message to be deleted, and it will not be available for Secure Delivery. Therefore, Secure
Delivery has a higher precedence than Forward in the action codes. Other actions, such as Copy, Subject
Rewrite, and so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the
conflict when the actions belong to different policies; comparison of action codes resolves it if the rules
belong to the same policy.

• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.


• Policy attribute comparison resolves conflicts that occur when Drop Part and Replace/Prefix actions are
defined against the same dictionary. These are part-level actions, so only one of them can be performed.
Drop Part outranks Replace/Prefix. The same process occurs for Replace and Prefix actions; Replace
outranks Prefix.

• Policy attribute comparison occurs to resolve conflicts arising from two Replace or Prefix actions on the
same dictionary. This comparison is required since the part can be replaced or prefixed based on either
of the action data values.

• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute, Drop, or Quarantine forever – and the other is an action in (4) or (5). A Copy action in a policy
applied to a user will override a Reroute action applied to a group.

• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.

Envelope Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.

• If both Secure Delivery and Forward actions are triggered for a message, the Forward action could cause
the original message to be deleted (if the forward rule is on the sender or the subject, or all recipients
are removed), and the original message will not be delivered securely. Therefore, Secure Delivery has a
higher precedence than Forward in the action codes. Other actions, such as Copy, Subject Rewrite, and
so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the conflict when the
actions belong to different policies; comparison of action codes resolves it if the rules belong to the same
policy.

• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.

• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute or Drop configured on the sender or subject, or Quarantine forever – and the other is an action
from (4) through (10). A Log action in a policy applied to a user will override a Reroute action applied to
a group.

• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.



H Text Filtering

Contents
About text filtering
File types from which Email Gateway can extract content

About text filtering


Email Gateway includes content extraction capabilities that allow it to recognize and classify a great number
of file formats that can appear in email messages. Email Gateway can also filter the content of some of
these formats for processing by features such as attachment filtering.

Classifying the formats


The table below shows the classification IDs for the types of formats Email Gateway identifies. Any file type
it recognizes will be classified.

Table 326 File format classification


Class ID Explanation
0 No format found
1 Word processor document
2 Spreadsheet document
3 Database document
4 Raster image document
5 Vector graphic document
6 Presentation document
7 Executable file
8 Encapsulation format
9 Sound file format
10 Desktop publishing format
11 Planning or outline format
12 General purpose document
13 Mixed type document
14 Font format
15 Schedule/planning format
16 Communications format
17 Object module format
18 Library format
19 FAX format
20 Movie file
21 Animation file


Formats identified by Email Gateway


Email Gateway can identify the file formats listed in the following table. However, the text filtering function
cannot extract text from all the types. For specific information about file types Email Gateway filters, see
Table 327, below.

Table 327 File formats identified


Format ID Class ID Extension File type
1 1 AES Multiplus (AES)
2 1 TXT Text file
3 7 BAT MS-DOS Batch File
4 1 UWP APPLIX ASTERISK
5 4 BMP Window Bitmap
6 1 CTD Convergent Technologies DEF Comm. Format
7 5 CDX, CDR Corel Draw File
8 5 CGM Computer Graphics Metafile (CGM)
9 5 CGM Computer Graphics Metafile (CGM)
10 5 CGM Computer Graphics Metafile (CGM)
11 1 UWP Word Connection
12 1 UWP COMET TOP
13 1 UWP CEOWrite
14 1 UWP DSA101 (Honeywell Bull)
15 1 DC, RFT DCA-RCT (IBM Revisable Form)
16 1 UWP CDA/DDIF
17 1 UWP DG Common Data Stream
18 5 UVG Windows Draw (Micrografx)
19 1 UWP Vistaword
20 1 UWP DECdx
21 1 UWP Enable Word Processing
22 4 EPSF Encapsulated PostScript
23 4 EPSF Encapsulated PostScript
24 7 EXE MSDOS/Windows Program
25 4 G3 CCITT G3 1D
26 4 GIF Graphics Interchange Format (GIF87a)
27 4 GIF Graphics Interchange Format (GIF89a)
28 1 UWP HP Word PC
29 1 UWP IBM 1403 Line Printer
30 1 DCF DCF Script
31 1 DCA DCA-FFT (IBM Final Form)
32 1 DOC Interleaf
33 4 GEM GEM Bit Image
34 1 IP Display Write
35 4 IM8 Sun Raster
36 1 SAM Lotus Ami Pro
37 1 SY1 Lotus Ami Pro Style Sheet
38 11 UOTLINE MORE Database Mac
39 1 LYX Lyrix Word Processor
40 1 M11 MASS-11
41 4 MAC MacPaint

42 1 DOC Microsoft Word for Macintosh
43 16 SMT SmartWare II
44 1 DOC Microsoft Word for Windows
45 1 MM MultiMate
46 1 MM MultiMate Footnote File
47 1 MM MultiMate Advantage
48 1 MM MultiMate Advantage Footnote File
49 1 MM MultiMate Advantage II
50 1 MM MultiMate Advantage II Footnote File
51 2 MOD Multiplan (PC)
52 2 MOD Multiplan (Mac)
53 1 RTF Rich Text Format
54 1 DOC Microsoft Word for PC
55 1 STY Microsoft Word for PC Style Sheet
56 1 GLY Microsoft Word for PC Glossary
57 1 CNV Microsoft Word for PC Driver
58 1 DOC Microsoft Word for PC Miscellaneous File
59 1 NBI NBI Net Archive Format
60 1 DIF Navy DIF
61 1 NBI NBI Net Archive Format
62 1 UWP NIOS TOP
63 3 FM3 Filemaker MAC
64 1 UWP ODA/ODIF
65 1 UWP ODA/ODIF
66 1 UWP OLIDIF (Olivetti)
67 1 UWP Office Writer
68 4 PCX PC Paintbrush Graphics (PCX)
69 1 CPT CPT
70 5 PIC Lotus PIC
71 4 PCT QuickDraw Picture
72 1 UWP Philips Script
73 5 PS PostScript
74 1 UWP PRIMEWORD
75 1 UWP Q-One V1.93J
76 1 UWP Q-One V2.0
77 1 SM SAMNA Word
78 4 UVG Lotus Ami Pro Dwa
79 2 SYL SYLK
80 1 SMT SmartWare II
81 2 WR1 Symphony
82 4 BPX Targa
83 4 TIF TIFF
84 1 UWP Targon Word
85 2 USS Uniplex Ucalc
86 1 UWP Uniplex

87 1 DOC Microsoft Word UNIX
88 1 IWP WANG PC
89 1 UWP WordERA
90 1 IWP WANG WPS
91 1 WP WordPerfect MAC
92 1 WO WordPerfect
93 1 WP WordPerfect VAX
94 1 WCM WordPerfect Macro
95 1 LCN WordPerfect Spelling Dictionary
96 1 THS WordPerfect Thesaurus
97 1 IRS WordPerfect Resource File
98 1 WPD WordPerfect Driver
99 1 WCP WordPerfect Configuration File
100 1 HYD WordPerfect Hyphenation Dictionary
101 1 INS WordPerfect Miscellaneous File
102 1 UWP WordMARC
103 4 WMF Windows Metafile
104 5 WMF Windows Metafile (no header)
105 3 DB SmartWare II
106 4 WPG WordPerfect Graphics
107 1 WS WordStar
108 1 IWP WANG WITA
109 1 UWP Xerox 860
110 1 XWP Xerox Writer
111 2 DIF Data Interchange Format (DIF)
112 2 SSF Enable Spreadsheet
113 2 CAL Supercalc
114 2 USS UltraCalc
115 2 SMD SmartWare II
116 8 SOF Serialized Object Format (SOF)
117 6 PPT PowerPoint PC
118 6 PPT PowerPoint MAC
119 6 PPT PowerPoint 95
120 6 PPT PowerPoint 97
121 10 PUB PageMaker for Macintosh
122 10 PUB PageMaker for Windows
123 1 WPS Microsoft Works for MAC
124 3 WDB Microsoft Works for MAC
125 2 WKS Microsoft Works for MAC
126 16 BCM Microsoft Works for MAC
127 1 WPS Microsoft Works for DOS
128 3 WDB Microsoft Works for DOS
129 2 WKS Microsoft Works for Windows
130 1 WPS Microsoft Works for Windows
131 3 WDB Microsoft Works for Windows

132 2 WKS Microsoft Works for Windows
133 18 LIB DOS/Windows Object Library
134 1 MCW MacWrite
135 1 MCW MacWrite II
136 5 FHC Freehand MAC
137 8 DD Disk Doubler
138 5 HPG HP Graphics Language
139 10 FM FrameMaker
140 10 BOOK FrameMaker
141 10 MML Maker Markup Language
142 1 MIF Maker Interchange Format
143 4 JPG JPEG Interchange Format
144 3 RDX Reflex
145 13 FW Framework
146 13 FW2 Framework II
147 3 DB Paradox
148 1 PCW, WRI Windows Write
149 2 WKQ Quattro Pro for DOS
150 2 WB2, WB3 Quattro Pro for Windows
151 6 PR3 Persuasion
152 4 ICO Windows Icon Format
153 4 CUR Windows Cursor
154 15 MPP Microsoft Project
155 15 MXM Microsoft Project
156 15 MPC Microsoft Project
157 8 JAR, ZIP ZIP Archive
158 10 QXD Quark Xpress MAC
159 8 ARC PAK/ARC Archive
160 10 MPH Microsoft Publisher
161 15 USCHEDULE PlanPerfect
162 12 WKB WordPerfect auxiliary file
163 9 WAV Microsoft Wave
164 9 MID MIDI
165 5 DXF AutoCAD DXF
166 5 DXF AutoCAD DXF
167 3 DBF dBase
168 5 BGA OS/2 PM Metafile
169 5 UVG Lasergraphics Language
170 5 RND AutoShade Rendering
171 5 GGP GEM VDI
172 12 HLP Windows Help File
173 1 VW Volkswriter
174 1 XWP Ability
175 3 XDB Ability
176 2 SSS Ability

177 16 UCOMM Ability
178 4 URASTER Ability
179 1 XY, XY4 XYWriter/Nota Bene
180 2 CSV CSV (Comma Separated Value)
181 1 IWA IBM Writing Assistant
182 1 WS WordStar 2000
183 5 PCL HP Printer Control Language
184 7 EXE Unix Executable (PDP-11/pre-System V VAX)
185 7 EXE Unix Executable (Basic-16)
186 7 EXE Unix Executable (x86)
187 7 EXE Unix Executable (iAPX 286)
188 7 EXE Unix Executable (MC680x0)
189 7 EXE Unix Executable (3B20)
190 7 EXE Unix Executable (WE32000)
191 7 EXE Unix Executable (VAX)
192 7 EXE Unix Executable (Bell 5.0)
193 17 o Unix Object Module (VAX Demand)
194 17 o Unix Object Module (old MS 8086)
195 17 o Unix Object Module (28000)
196 9 AU NeXT/Sun Audio Data
197 14 NWS NeWS bitmap font
198 8 cpio cpio archive (CRC Header)
199 8 cpio cpio archive (CHR Header)
200 8 PEX Sun PEX Binary Archive
201 14 vfont Sun vfont definition
202 4 curses Curses Screen Image
203 8 UU, UUE UU encoded
204 1 WN WriteNow MAC
205 17 OBJ DOS/Windows Object Module
206 12 GRP Windows Group
207 14 TTF TrueType Font
208 12 PIF Program Information File (PIF)
209 7 COM PC (.COM)
210 8 SEA Stuffit (MAC)
211 2 PEA PeachCalc
212 8 GDL WANG Office GDL Header
213 1 UWP Q & A for DOS
214 1 UWP Q & A for Windows
215 1 WPS WPS-PLUS
216 19 DCX DCX FAX Format (PCX images)
217 8 OLE OLE Compound Document
218 1 EBCDIC EBCDIC Text
219 1 DCS DCS
220 8 SHAR SHAR
221 4 NDL Lotus Notes Bitmap

222 1 CDF Lotus Notes CDF
223 8 Z Unix Compress
224 8 GZ GZ Compress
225 8 TAR TAR
226 1 ODF ODA/ODIF
227 1 ODF ODA/ODIF
228 1 UWP ALIS
229 1 EVY Envoy
230 1 PDF Portable Document Format
231 8 HQX BinHex
232 8 SMTP SMTP
233 8 EML, MIME, various MIME
234 1 USE USENET
235 1 SGML SGML
236 1 HTM HTML
237 1 WPA ACT
238 4 PNG Portable Network Graphics (PNG)
239 20 AVI Video for Windows (AVI)
240 4 ANI Windows Animated Cursor
241 13 OBJ Windows C++ Object Storage
242 4 MAP Windows Palette
243 4 RIF RIFF Device Independent Bitmap
244 9 RMI RIFF MIDI
245 20 MMM RIFF Multimedia Movie
246 20 MPEG MPEG Movie
247 20 QT QuickTime Movie
248 9 AIFF Audio Interchange File Format
249 9 MOD Amiga MOD
250 9 IFF Amiga IFF (8SVX) Sound
251 9 VOC Creative Voice (VOC)
252 21 FLI AutoDesk Animator FLIC
253 21 FLC AutoDesk Animator Pro FLIC
254 8 UENCAP Compactor/Compact Pro
255 5 WRL VRML
256 5 3DMF QuickDraw 3D Metafile
257 8 SKA PGP Secret Keyring
258 8 PKR PGP Public Keyring
259 8 PGP PGP Encrypted Data
260 8 PGP PGP Signed Data
261 8 PGP PGP Signed and Encrypted Data
262 8 PGP PGP Signature Certificate
263 8 PGP PGP Compressed Data
264 8 PUB ASCII-armored PGP Public Keyring
265 8 AEX ASCII-armored PGP encoded
266 8 AEX ASCII-armored PGP encoded

267 4 DIB OLE DIB Object
268 4 SGI SGI Image
269 21 SCM Lotus ScreenCam
270 9 MP3 MPEG Audio
271 16 FTP FTP Session Data
272 12 ADR Netscape Bookmark File
273 5 CMX Corel CMX
274 5 DWG AutoDesk Drawing (DWG)
275 5 DWF AutoDesk WHIP
276 21 DIR Macromedia Director
277 9 RA Real Audio
278 7 DRV MSDOS Device Driver
279 5 DSF Micrografx Designer
280 5 SVF Simple Vector Format (SVF)
281 1 AW Applix Words
282 6 AG Applix Graphics
283 3 MDB Microsoft Access
284 3 MDB Microsoft Access 95
285 3 MDB Microsoft Access 97
286 8 BIN MacBinary
287 8 SNG Apple Single
288 8 RES Apple Double
289 5 EMF Enhanced Metafile
290 5 WMF Microsoft Office Drawing
291 1 XML XML
292 5 DVI Device Independent File (DVI)
293 1 UTX Unicode
294 2 WK3, WK4 Lotus 1-2-3
295 2 123 Lotus 1-2-3 Formatting
296 2 123 Lotus 1-2-3 97
297 1 LWP, MWP Lotus Word Pro 96
298 1 LWP, MWP Lotus Word Pro 97
299 6 PRE Lotus Freelance for DOS
300 6 PRE Lotus Freelance for Windows
301 6 PRE Lotus Freelance for OS/2
302 6 PRE Lotus Freelance 96
303 6 PRZ Lotus Freelance 97
304 1 DOC Microsoft Word 95
305 1 DOC Microsoft Word 97
306 2 XLS Microsoft Excel
307 2 XLC Microsoft Excel
308 2 XLM Microsoft Excel
309 2 XLS Microsoft Excel 95
310 2 XLS Microsoft Excel 97
311 6 PQF, SHW Corel Presentations

312 6 SH3 Harvard Graphics
313 5 CH3 Harvard Graphics Chart
314 5 SY3 Harvard Graphics Symbol File
315 5 PC3 Harvard Graphics Configuration File
316 5 PL Harvard Graphics Palette
317 2 123 Lotus 1-2-3 Release 9
318 2 AS Applix Spreadsheet
319 1 PWD Microsoft Pocket Word
320 4 DIB MS Windows Device Independent Bitmap
321 1 DOC Microsoft Word 2000
322 2 XLS Microsoft Excel 2000
323 6 PPT Microsoft PowerPoint 2000
324 3 MDB Microsoft Access 2000
325 15 MPP Microsoft Project 4
326 15 MPP Microsoft Project 4.1
327 15 MPP Microsoft Project 98
328 1 NFO, FFF Folio Flat File
329 1 HWP HWP (Arae-Ah Hangul)
330 1 JTD ICHITARO V4-10
331 1 XML Autonomy XML
332 1 BH2, OA2 Oasys format
333 4 PBM Portable Bitmap Utilities ASCII Format
334 4 PBM Portable Bitmap Utilities Binary Format
335 4 PGM Portable Greymap Utilities ASCII Format
336 4 PGM Portable Greymap Utilities Binary Format
337 4 PPM Portable Pixmap Utilities ASCII Format
338 4 PPM Portable Pixmap Utilities Binary Format
339 4 XBM X Bitmap Format
340 4 XPM X Pixmap Format
341 4 FPX FPX Format
342 4 PCD PCD Format
343 6 VSD Microsoft Visio
344 15 MPP Microsoft Project 2000
345 8 MSG Microsoft Outlook
346 17 EXE ELF Relocatable
347 7 EXE ELF Executable
348 18 EXE ELF Dynamic Library
349 1 XML Microsoft Word 2003 XML
350 1 XML Microsoft Excel 2003 XML
351 1 VDX, VSX, VTX Microsoft Visio 2003 XML
352 1 ODT, SXW StarOffice Text XML
353 1 SXC, ODS StarOffice Spreadsheet XML
354 1 SXI, SXP, ODP StarOffice Presentation XML
355 1 HTM XHTML
356 8 PST Microsoft Outlook PST

357 8 RAR RAR
358 8 NSF IBM Lotus Notes Database NSF/NTF
359 1 SWF SWF
360 1 DOCX Microsoft Word 2007 XML
361 2 XLSX Microsoft Excel 2007 XML
362 6 PPTX Microsoft PowerPoint 2007 XML
363 8 OPGP Open PGP Message Format (with new packet format)
364 5 DGN Intergraph Standard File Format (ISFF) V7 DGN (non-OLE)
365 5 DGN MicroStation V8 DGN (OLE)
366 1 DOCM Microsoft Word Macro 2007 XML
367 2 XLSM Microsoft Excel Macro 2007 XML
368 6 PPTM Microsoft PowerPoint 2007 XML
369 8 LZH LHA Archive
370 12 DOCX Office 2007 Document
371 1 XPS Microsoft XML Paper Specification (XPS)
372 8 DXL IBM Lotus representation of Domino design elements in XML format
373 1 ODT ODF Text
374 2 ODS ODF Spreadsheet
375 6 ODP ODF Presentation
376 8 ONM Legato Extender Native Message ONM
377 0 BIN Binary Unknown Format
378 8 TNEF Transport Neutral Encapsulation Format (TNEF)
10000 0 EPE Encryption Plus Secure Export

File types from which Email Gateway can extract content


The file types listed in Table 328 below can be recognized by the Email Gateway Content Extraction Queue,
and text can be extracted from them. The extracted content is used by processes in SuperQueue, such as
Attachment Analysis.

Table 328 Files for text filtering


Extension File type
TXT Text file
DC, RFT DCA-RFT (IBM Revisable Format)
DOC Interleaf
IP Display Write
SAM Lotus Ami Pro
DOC Microsoft Word for Macintosh
DOC Microsoft Word for Windows
RTF Rich Text Format (RTF)
DOC Microsoft Word for PC
DOC Microsoft Word for PC Miscellaneous File
PIC Lotus PIC
TIF TIFF

DOC Microsoft Word UNIX
WO WordPerfect
WPD WordPerfect Driver
WMF Windows Metafile
WMF Windows Metafile (no header)
PPT PowerPoint PC
PPT PowerPoint MAC
PPT PowerPoint 95
PPT PowerPoint 97
WPS Microsoft Works for MAC
WKS Microsoft Works for MAC
WPS Microsoft Works for DOS
WKS Microsoft Works for Windows
WPS Microsoft Works for Windows
WKS Microsoft Works for Windows
MIF Maker Interchange Format
PCW, WRI Windows Write
WB2, WB3 Quattro Pro for Windows
MPP Microsoft Project
JAR, ZIP ZIP Archive
DXF AutoCAD DXF
DXF AutoCAD DXF
XY, XY4 XYWrite / Nota Bene
CSV CSV (Comma Separated Values)
WPS WPS-PLUS
PDF Portable Document Format
HTM HTML
MP3 MPEG Audio
DWG AutoDesk Drawing (DWG)
AW Applix Words
AG Applix Graphics
MDB Microsoft Access
MDB Microsoft Access 95
MDB Microsoft Access 97
EMF Enhanced Metafile
WMF Microsoft Office Drawing
XML XML
WK3, WK4 Lotus 1-2-3
123 Lotus 1-2-3 Formatting
123 Lotus 1-2-3 97
LWP, MWP Lotus Word Pro 96
LWP, MWP Lotus Word Pro 97
PRE Lotus Freelance for DOS
PRE Lotus Freelance for Windows
PRE Lotus Freelance for OS/2

PRE Lotus Freelance 96
PRZ Lotus Freelance 97
DOC Microsoft Word 95
DOC Microsoft Word 97
XLS Microsoft Excel
XLC Microsoft Excel
XLS Microsoft Excel 95
XLS Microsoft Excel 97
PQF, SHW Corel Presentations
123 Lotus 1-2-3 Release 9
AS Applix Spreadsheets
DOC Microsoft Word 2000
XLS Microsoft Excel 2000
PPT Microsoft PowerPoint 2000
MDB Microsoft Access 2000
MPP Microsoft Project 4
MPP Microsoft Project 4.1
MPP Microsoft Project 98
NFO, FFF Folio Flat File
HWP HWP (Arae-Ah Hangul)
JTD ICHITARO V4-10
XML Autonomy XML
BH2, OA2 Oasys format
VSD Microsoft Visio
MPP Microsoft Project 2000
MSG Microsoft Outlook
XML Microsoft Word 2003 XML
XML Microsoft Excel 2003 XML
VDX, VSX, VTX Microsoft Visio 2003 XML
ODT, SXW StarOffice Text XML
SXC, ODS StarOffice Spreadsheet XML
SXI, SXP, ODP StarOffice Presentation XML
HTM XHTML
SWF SWF
DOCX Microsoft Word 2007 XML
XLSX Microsoft Excel 2007 XML
PPTX Microsoft PowerPoint 2007 XML
DGN Intergraph Standard File Format (ISFF) V7 DGN (non-OLE)
DGN MicroStation V8 DGN (OLE)
DOCM Microsoft Word Macro 2007 XML
XLSM Microsoft Excel Macro 2007 XML
PPTM Microsoft PowerPoint Macro 2007 XML
LZH LHA Archive
DOCX Office 2007 document

I Compliance Trainer

Contents
What is Compliance Trainer?
Running the Compliance Trainer setup
Starting Compliance Trainer the first time
Using the Compliance Trainer interface

What is Compliance Trainer?


Compliance Trainer is an optional Windows-based application that allows users to select the types of
corporate documents that are considered:
• Regulation compliant or non-compliant

• Confidential (non-compliant) or non-confidential (compliant)

The Email Gateway (Secure Mail) appliance uses these to help train itself to better filter corporate email and
ensure that your compliance needs are met. Users select and upload confidential and non-confidential files
to be used as training files on the Email Gateway (Secure Mail) appliance.
Note: Administrators should have already configured their compliance options on the Email Gateway (Secure Mail)
appliance before allowing users to submit training documents via the Compliance Trainer.

Terminology
This guide is intended for both administrators and users of the Compliance Trainer. It assumes you are
familiar with federal or state compliance categories that can apply to your company. Common compliance
categories are:
• CIPA (Children's Internet Protection Act)

• CISP (Visa Cardholder Information Security Program)

• PA-DSS (Payment Application Data Security Standard)

• PCI DSS (Payment Card Industry Data Security Standard)

• Federal Circular A-123

• FFIEC authentication in an electronic banking environment guidance

• FISMA (Federal Information Security Management Act)

• GLBA (Gramm-Leach Bliley Act)

• HIPAA (Health Insurance Portability and Accountability Act)

• Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act)

• SB 1386 (California Information Practice Act), the Health Insurance Portability and Accountability Act
(HIPAA) and the Sarbanes-Oxley Act (SOX)

This guide also assumes you have a basic knowledge of computer and network terminology. You should
also be familiar with the internet and its associated terms and applications. Please take a few minutes to
become acquainted with this document.
Refer to the Email Gateway (Secure Mail) Administration Guide for more information about Compliance.

Before you begin


Before beginning, both administrators and users will need the following:
• Compliance Trainer application - provided to administrators by Technical Support

• IP address of the Email Gateway (Secure Mail) appliance that will receive the training files

• Email address for the Email Gateway (Secure Mail) appliance that will receive training emails (example:
train@yourdomain.com)

• List of compliance categories already configured on the Email Gateway (Secure Mail) appliance in .txt
format

Running the Compliance Trainer setup


To install Compliance Trainer on your local computer, perform the following steps.
1 Copy the Compliance Trainer .zip file to a directory on your local computer.

2 Unzip the Compliance Trainer files.

3 Run Setup.exe and follow the on-screen instructions.

Starting Compliance Trainer the first time


After running the Installation Wizard, you can customize the configuration to suit your particular needs.
The installation process will have placed a Compliance Trainer icon on your desktop.
Figure 328 Desktop icon

The first time you run Compliance Trainer, you will be taken through a setup process to help you configure
your default settings.

1 To begin your setup, double-click the Compliance Trainer icon. The Welcome window appears.

Figure 329 Welcome window

This portion of the wizard will help you configure the default settings for Compliance Trainer.

2 Click Next. The Host and Send To window appears.

Figure 330 Configure host and email address

3 Type the IP address or hostname of the Email Gateway (Secure Mail) appliance that is to receive the
training files. For example, 10.16.10.100 or ice.scur.com.

4 Click Add. The IP/hostname and email address appear.

Figure 331 Host and email added

You can type additional hosts if needed.

5 When you have finished adding hosts, click Next. The Import Categories window appears.

Figure 332 Import categories

This window is used to import the list of categories that have already been configured on the Email
Gateway (Secure Mail) appliance.

Examples of categories are:

• HIPAA - documents dealing with employee health insurance

• FISMA - Federal Information and Security Management Act

Other administrator defined categories might include internal use only documents such as employee
payroll spreadsheets or patent application documents. Users should have received a .txt file containing
a list of categories from their Email Gateway (Secure Mail) administrator.

6 Click Import. A Browse window appears.

Figure 333 Navigation

7 Navigate to the location of your category .txt file and click Open.

Figure 334 Category list

The list of categories will appear in the list window. For this example, we have included only one
category - HIPAA-PHI.

8 Click Next. The File Filter configuration window appears. This window displays the list of the default file
types for the training files. You can accept the defaults, edit a file filter, or add a new file filter.

Figure 335 File filters configuration

If your training file types are already listed, you can simply accept the default settings.

To add a file type:

a In the Display name field, type the display name of the file type. For example, OPEN OFFICE.

b In the Extension field, type the extension for the file type. For example, ODS. Note that you can add
multiple types by inserting a semi-colon between the types. For example, ODS;SXW.

c Click Add.

To edit a file type:

a Highlight the file type to be edited.

b Click Remove.

c Type the information you want, then click Add.

9 When you are finished with the File Filter Configuration window, click Next. The Training File List
Configuration window appears.
Figure 336 Training file list

This window allows you to specify the individual training files that are either confidential or
non-confidential.

10 Click Browse next to the Confidential Training File List field. A Browse window appears.

Figure 337 Select file type

11 Select the file type from the drop-down menu.

12 Navigate to the folder containing the file you want to use for training.

13 Select the file you want to use for confidential training, then click Open.

Note: If you are going to use multiple files of different types, you must select them individually by type. For
example, if you are going to use Excel and Word documents, select all the Excel documents, then select all of
the Word documents.

14 Click Browse next to the Non-Confidential Training File List field.

15 Select the file type from the drop-down menu.

16 Navigate to the folder containing the file you want to use for training.

17 Select the file you want to use for non-confidential training, then click Open.

18 The files selected will appear in their respective fields on the window.

Figure 338 Training files chosen

19 Click Next. The Set Training Schedule window appears.

Figure 339 Set training schedule

This window is used to set the training schedule on the Email Gateway (Secure Mail) appliance. Two
methods are available – hourly or detailed.

To set an hourly interval schedule,

a Check the button next to Frequency Schedule.

b Select the number of hours for the hourly interval.

To set a detailed schedule,

a Check the button next to Detailed Schedule.

b Highlight the day(s) of the week you want in the schedule.

c Check the box(es) next to the time(s) you want in the schedule.

20 When you have finished setting your training schedule, click Next. The Set host, category, and training
files window appears.

Figure 340 Set host, category, and training files

In this window, select and save the host and training files that are to be scheduled for training. You
must select at least one host and one training file.

To select the host to be scheduled,

a Check the box next to the host you want to schedule.

Figure 341 Host highlighted

b Select the IP address/hostname of the host you want to schedule. (Already scheduled hosts will appear
with a green highlight.)

Figure 342 Category chosen

The categories you have selected appear in the Categories window and the training files you have
specified appear in their respective Confidential and Non-confidential windows.

c In both the Confidential and Non-confidential windows, select the file names of your training
documents. If you have multiple documents, click Select All under each of these windows.

d Click Schedule Host.

e Click Finish. The Compliance Trainer main window appears.

Figure 343 Compliance Trainer main window

Installation and setup are now complete and you can modify your configuration to suit your needs.

Using the Compliance Trainer interface


The Compliance Trainer interface contains several features to help you manage your compliance training.
After you complete the setup portion of the program you must perform the following actions:
• Select the files you want to use for compliance training. These are displayed by file type, for example
.doc or .xls.

• Determine the file’s confidentiality or non-confidentiality.


• Add those files to the training list.

• Upload those files to the Email Gateway (Secure Mail) appliance.


Figure 344 Compliance Trainer main window

Functional areas
Different areas of the window provide different functions to help you manage your compliance files. These
are the functional areas:

Table 329 Functional areas

Left column
• Insert File – Browsing function to assist you with selecting training files.

• File Name – Drop-down menu list of the files contained in the selected folder. It is filtered according to
your selection from the file type list.

• File Type list – Drop-down menu list of the file types you selected during Setup.

• Hostname or IP – Drop-down menu list of the hostnames or IP addresses of the Email Gateway (Secure
Mail) servers you have specified.

• Categories – List of categories you imported during setup.

• Category actions – Buttons that allow you to perform several functions on the categories.

Right column
• Selected Confidential/Non-confidential Training Files – This window displays the filenames of the
documents you have added for training. The heading changes dependent upon whether the Yes or No
button is selected in the Confidentiality panel.

• Training File actions – Buttons that allow you to perform several actions on the training files list.

• Confidentiality Selection – Radio buttons that allow you to display files you have considered confidential
or non-confidential.

• Email Gateway Training Email Address – The training email address.

• Default interface information – Information field that provides status information about transactions that
occur during the selection and transfer of files.

Insert file area


This window works similarly to the File Open Dialog box displayed when you look for a file in MS Word or
Excel and is used to select your various training files by type.
You can select files to be used for training in different ways.
• Select an individual file.

• Type in a file name or select a filename from the drop-down box.

• Select a directory, then choose individual files.

• Select files via the key combination of Ctrl+click or Shift+click to select multiple files.
Note: To view and choose files of a different type, simply choose a different type from the file type drop-down
box.

Are these files confidential?


The files shown in the window are filtered according to your selection from the file type list. Before adding
files to the training list, you must know whether the individual file you want to use is considered compliant
or non-compliant, that is, non-confidential or confidential.
Check the appropriate button, Yes or No, for the file before adding the file to the training list.
Note that confidential files are considered non-compliant and non-confidential files are compliant.

Adding files to the training list


You can add files to the training list in different ways.
Caution: You must select the type of confidentiality for the file BEFORE moving it to the training file list.

• Drag and drop – drag a particular file from list and drop it into the training file list.

• Drag and drop – drag a particular folder and drop it into the training file list. This will cause all of the files
that have the same type as specified in the filter list to be added to the training file list.

• Select a filename from the name list, then click the Add Files action button.

• Type the existing name of the file in the File Name field, then click the Add Files action button.

• Select the filename shown in the Insert Files window, then click the Add Files action button.

Training file list actions


You can perform several actions on your training file list.
• Select All – Selects all the training files in the list based on your confidentiality selection.

• Clear Selection – Clears the selections but does not remove them from the list.

• Check for File Changes – Checks for files that have been renamed or moved.

• Load Files – Loads the training files to be sent to the Email Gateway (Secure Mail) server, but does not
send them.

Loading and sending files


If you are satisfied with your training file list,
1 Click Load Files. The following popup window appears.

Figure 345 Load files

2 Select the hostname or IP address of the Email Gateway (Secure Mail) appliance where the training files
should be placed.
Figure 346 Files ready to load

3 Click Load. The files will be loaded and the main window will re-appear.

Figure 347 Compliance Trainer main window

4 Click the No button to display the non-confidential files you have listed.

5 Click Load Files.

6 Select the hostname or IP address of the Email Gateway (Secure Mail) appliance where the training files
should be placed.

7 Click Load. The main window will re-appear.

Figure 348 Compliance Trainer main window

8 In the Category pane, highlight the category to be trained.

9 In the File list pane, highlight the file to be used for training. Note that the Send button is now enabled.

10 Click Send.

Note the Status area. It will display pertinent information about your file transfer.
Figure 349 Status area

Repeat steps 4 through 10 (changing the confidentiality setting in step 4 to Yes or No as appropriate) to
complete uploading your training files to the server.
If your uploads are successful, you have completed transferring your training files and you can exit the
program.



J Event Logging Elements

Contents
About events
Event classes
Events

About events
Event logging tracks and records each mail flow action Email Gateway takes. It records each individual
action as an event in binary format; each log message is an event.
Email Gateway identifies events at three levels:
• Transactions – each of the three mail flow components (SMTPI, SuperQueue, and SMTPO) can generate
events.

• Event classes – a range of ID numbers belongs to each of the transaction components. Events are grouped
into classes by their ID numbers.

• Events – each defined event has a unique ID number that makes identifying and tracking specific events
easier.

Within the events, Email Gateway identifies specific actions:


• SMTPI (SMTPProxy) uses the connection ID to identify its actions.

• SuperQueue and SMTPO use the message ID.

Event classes
Email Gateway categorizes events using the following event class number ranges.

Table 330 Event classes


ID range Purpose
0256 - 0511 Reserved for future use
0512 - 0767 Anti-spam general events
0768 - 1023 Anti-virus general events
1024 - 1279 Attachment Filtering events
1280 - 1535 Bayesian events
1536 - 1791 Content Filtering events
1792 - 2047 Corporate Compliance events
2048 - 2303 CQS events
2304 - 2559 DKIM events
2560 - 2815 Dynamic Spam Classifier events
2816 - 3071 DSPAM events
3072 - 3327 Encryption events
3328 - 3583 SpamProfiler events
3584 - 3839 Enterprise Spam events

3840 - 4095 End User Spam events
4096 - 4351 General events
4352 - 4607 Image Filtering events
4608 - 4863 Image Whitelist events
4864 - 5119 Image Spam Classifier events
5120 - 5375 Message joining events
5376 - 5631 LDAP events
5632 - 5887 Mail Monitoring events
5888 - 6143 Masquerade events
6144 - 6399 MIME Handler events
6400 - 6655 Message Stamping events
6656 - 6911 Message Store events
6912 - 7167 Notification events
7168 - 7423 Policy Management events
7424 - 7679 RBL events
7680 - 7935 RDNS events
7936 - 8191 Message ripping events
8192 - 8447 System defined header events
8704 - 8959 SMTP authorization events
8960 - 9215 SMTP before POP events
9216 - 9471 SMTPI events
9472 - 9727 SMTPO events
9728 - 9983 SPF events
9984 - 10239 SuperQueue events
10240 - 10495 TrustedSource events
10496 - 10751 User defined header events
10752 - 11007 Virtual Host events
11008 - 11263 Whitelist events

Events
Email Gateway logs a variety of events, which can be subdivided by ID numbers as shown below for easier
identification.
Note: Some events require arguments (Args), as shown in the tables that follow. If an event requires an
argument, the description is followed by a dash (-).

Anti-spam events
Table 331 Anti-spam general events
Event ID Event Description
513 AS_FAIL_RFC822WRAPPER Cannot create RFC822 wrapper object.
514 AS_CNTTRKR_START Spam hourly count tracker thread started.
515 AS_CNTTRKR_HR Inserting counts for hr -
516 AS_CNTTRKR_SLEEP Spam hourly count tracker thread sleeping for
3600 secs.

517 AS_LKUP_RESULTS Result of DNS lookups made in proxy:
<msgid:results> -
518 AS_NOTIF_DROP Spam notification message is digitally
signed/encrypted. Not allowed ... Dropping ...
519 AS_DROP_EUSR_OFF End user spam report to global collector is turned
off. Dropping the message: -
520 AS_DROP_EUSR_BLOCK End user spam report is blocked by global
collector for time being. Dropping the message: -
522 AS_DROP_ESR_OFF Enterprise spam report to global collector is
turned off. Dropping the message: -
523 AS_DROP_ESR_BLOCK Enterprise spam report is blocked by global
collector for time being. Dropping the message: -
524 AS_DROP_SDENY IP listed in deny list. Dropping the message.
<ip:msgid> -
525 AS_RCVD_IPS External IP(s) retrieved from received headers for
Message ID are: <msgid:ips> -
526 AS_SPAM_SVC This message is spam. Detected by:
<svc:msgid> -
527 AS_SPAM_ESP This message is spam. Detected by ESP. Message
ID: -
528 AS_SFLIST Sub feature list for the Message ID: <msgid:list>
-
529 AS_BYPASS_ALL All features bypass for Message ID: -
530 AS_BYPASS_RM_ST Removing subfeature form Spam Subfeature List
in Single Thread Mode <sf:msgid> -
531 AS_ACTION_INVALID_SVC Invalid service for action: -
532 AS_ACTION_NODROP_WL Ignoring Drop Action configured in RBL for
McAfee TrustedSource Whitelisted IP for Message
ID: -
533 AS_ACTION_INVALID_ACT Invalid action or action not set for service: -
534 AS_ACTION_SD_NO This message is not outbound and destined to
external domain. Secure delivery action is not
applicable.

Anti-virus events
Table 332 Anti-virus general events
Event ID Event Description
769 AV_CONFIG Configuration of engine: -
770 AV_CONFIG_NO (No configuration options)
771 AV_CONFIG_ITEM Item <key:val> -
772 AV_ERR_SCAN Virus engine internal error <engine:errcode> -
773 AV_SKIP_ALERT Alerts not configured. Skipping alert generation.
774 AV_RIP_FAIL MIME parsing failed for the message. AV
engine(s) will scan the whole message instead of
the parts.
775 AV_RIP_OK AV engine(s) will scan the individual parts.
776 AV_SKIP_PART Part is message/rfc822.Skipping virus scanning
... part: -
777 AV_PART_STAT -
778 AV_XTN_OVERRIDE_RIPFAIL Error occurred on a MIME parse failed message.
Will not do Extension Override tests ... -

779 AV_XTN_OVERRIDE_NOTATT The part is not an attachment.Will not do
Extension Override tests ... -
780 AV_XTN_OVERRIDE_DISABLE Extension override not enabled for errors. Will not
do Extension Override tests ... -
781 AV_XTN_OVERRIDE_DIM Error extension override by Document
Identification Method. -
782 AV_XTN_OVERRIDE_AEM Error extension override by Attachment Extension
Method. -
783 AV_XTN_OVERRIDE_YES Virus engine encountered error while scanning
the part. Configuration allows files with
extensions to pass. <engine:error:part:xtn> -
784 AV_XTN_OVERRIDE_NOT Virus engine encountered error while scanning
the part. <engine:error:part> -
785 AV_CANNOT_CHANGE_XTN Change extension cannot be done on a MIME
parse failed message. Skipping ...
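The class ranges in Table 330 and the anti-virus events in Table 332 can be turned into a small triage check: which messages were passed with an incomplete or failed virus scan. This is an added example, not code from the guide or from the product; because the appliance stores events in binary form, the line-oriented export format, the field names and the severity labels below are assumptions.

```python
"""Classify McAfee Email Gateway event IDs and flag degraded anti-virus scans.

Added example, not code from the Administration Guide or the product. The
class ranges (Table 330) and the anti-virus event IDs (Table 332) come from
the guide; the appliance itself stores events in binary form, so the
line-oriented export format parsed here is a constructed assumption.
"""
import re
from collections import defaultdict

# Table 330 gives every event class a 256-wide block, so the class index is
# simply event_id // 256. Block 0 (IDs 0-255) is not listed, and the table
# jumps from 8192-8447 to 8704-8959, leaving block 33 undocumented.
# Names are the table's, without the trailing word "events".
CLASS_NAMES = [
    None, "Reserved for future use", "Anti-spam general", "Anti-virus general",
    "Attachment Filtering", "Bayesian", "Content Filtering", "Corporate Compliance",
    "CQS", "DKIM", "Dynamic Spam Classifier", "DSPAM", "Encryption", "SpamProfiler",
    "Enterprise Spam", "End User Spam", "General", "Image Filtering", "Image Whitelist",
    "Image Spam Classifier", "Message joining", "LDAP", "Mail Monitoring", "Masquerade",
    "MIME Handler", "Message Stamping", "Message Store", "Notification",
    "Policy Management", "RBL", "RDNS", "Message ripping", "System defined header",
    None, "SMTP authorization", "SMTP before POP", "SMTPI", "SMTPO", "SPF",
    "SuperQueue", "TrustedSource", "User defined header", "Virtual Host", "Whitelist",
]

# Table 332 events meaning a part or message was not fully virus-scanned,
# mapped to a constructed severity label used for triage below.
AV_COVERAGE_EVENTS = {
    772: "error",    # AV_ERR_SCAN: virus engine internal error
    774: "partial",  # AV_RIP_FAIL: MIME parse failed, whole message scanned instead
    776: "partial",  # AV_SKIP_PART: message/rfc822 part skipped
    783: "passed",   # AV_XTN_OVERRIDE_YES: engine error, file allowed through by extension
    784: "error",    # AV_XTN_OVERRIDE_NOT: engine error, file not passed
}
SEVERITY_RANK = {"partial": 1, "error": 2, "passed": 3}

# Constructed export line shape: "<time> id=<msgid> ev=<id> <NAME> [args=<a:b:...>]"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+id=(?P<id>\S+)\s+ev=(?P<ev>\d+)\s+(?P<name>\S+)"
    r"(?:\s+args=(?P<args>\S+))?\s*$"
)


def event_class(event_id):
    """Return the Table 330 class for an event ID, or None when the ID falls
    outside every documented range (including the 8448-8703 gap)."""
    block = event_id // 256
    if 0 <= block < len(CLASS_NAMES):
        return CLASS_NAMES[block]
    return None


def parse_line(line):
    """Parse one constructed export line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ev"] = int(rec["ev"])
    rec["class"] = event_class(rec["ev"])
    # The guide marks argument-bearing events with a trailing dash and shows
    # the arguments as a colon-separated list such as <engine:error:part:xtn>.
    rec["args"] = rec["args"].split(":") if rec["args"] else []
    return rec


def av_coverage_report(lines):
    """Return {msgid: (worst_severity, [event names])} for every message whose
    anti-virus scan was skipped, partial, or tolerated an engine error."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ev"] not in AV_COVERAGE_EVENTS:
            continue
        findings[rec["id"]].append((AV_COVERAGE_EVENTS[rec["ev"]], rec["name"]))
    report = {}
    for msgid, items in findings.items():
        worst = max((sev for sev, _ in items), key=SEVERITY_RANK.__getitem__)
        report[msgid] = (worst, [name for _, name in items])
    return report


SAMPLE_LINES = [  # constructed sample export, not real appliance output
    "2009-06-01T10:00:01 id=M1001 ev=775 AV_RIP_OK",
    "2009-06-01T10:00:02 id=M1002 ev=774 AV_RIP_FAIL",
    "2009-06-01T10:00:03 id=M1003 ev=772 AV_ERR_SCAN args=engine1:17",
    "2009-06-01T10:00:03 id=M1003 ev=783 AV_XTN_OVERRIDE_YES args=engine1:17:2:pdf",
    "2009-06-01T10:00:04 id=M1004 ev=776 AV_SKIP_PART args=3",
    "2009-06-01T10:00:05 id=M1005 ev=529 AS_BYPASS_ALL args=M1005",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for msgid, (sev, names) in sorted(av_coverage_report(SAMPLE_LINES).items()):
        print(f"{msgid}: {sev:8s} {', '.join(names)}")
```

Messages reported as "passed" are the ones to review first: the engine errored and the attachment was still delivered because its extension was allowed.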

Attachment Filtering events


Table 333 Attachment Filtering events
Event ID Event Description
1025 AF_LIST Af_list : : -
1026 AF_XTNS Looking for extensions -
1027 AF_USE_XTN Using given extension -
1028 AF_PART Part number <part-id:part_name:part_extn> -
1029 AF_PART_ARC Archive part <part_name:part_xtn> -
1030 AF_FOUND **Found -
1031 AF_FILE:LOG_STAT_ATT_FIL Final_list -

Bayesian events
Table 334 Bayesian events
Event ID Event Description
1281 BAYES_BYPASS Bayesian Filtering bypass for message ID: -
1282 BAYES_TRAIN-CAP Can train up to files for HAM/SPAM.
<number-files:type> -
1283 BAYES_EUSR_OFF Bayes Trainer on end user reporting turned off.
Skipping file for training -
1284 BAYES_FAIL Bayesian Filtering failed for message ID: File is
larger than specified limit. Assigning default
score: <msgid:score> -
1285 BAYES_SCORE Bayesian Filtering was successful. Score details: -
1286 BAYES_CLUES Bayes clues: -
1287 BAYES_MODE_WAIT Bayesian retraining is configured for WAIT mode.
1288 BAYES_MODE_PICK Bayesian retraining is configured for PICK mode.
1289 BAYES_CANTADD_MAX Can’t add message to training directory. Already
have maximum number of messages!
1290 BAYES_ADD File added to the directory for Bayesian training.
<file:dir> -
1291 BAYES_ADD_NOT No rfc822 attachments found! End user
SPAM/HAM reporting only works for rfc822
attachments!

636 McAfee Email Gateway 6.7.2 Administration Guide


Event Logging Elements
Events

Table 334 Bayesian events (continued)


Event ID Event Description
1292 BAYES_WLISTING Trying to add name to image whitelist as name2
<name1:name2> -
1293 BAYES_WLISTED Name1 added to image whitelist as name2
<name1:name2> -
1294 BAYES_DUP File already present in the directory for Bayesian
training. <file:dir> -
1295 BAYES_ADD_EMPTY Copy wrote empty file! Removing it.
1296 BAYES_CNTR_T Counter status: True
1297 BAYES_CNTR_F Counter status: False
1298 BAYES_LOAD Loading data into -
1299 BAYES_TRAIN_END Training iteration n completed. Trained x ham and
y spam (not including iterative trains).
<iter:ham:spam> -
1300 BAYES_SPAM_TRAIN Spam File x trained on probability y:
<trainmsg:msg_prob> -
1301 BAYES_SPAM_SKIP Spam File x skipping on probability y:
<trainmsg:msg_prob> -
1302 BAYES_HAM_TRAIN Ham File x trained on probability y:
<trainmsg:msg_prob> -
1303 BAYES_HAM_SKIP Ham File x skipping on probability y:
<trainmsg:msg_prob> -
1304 BAYES_TRAIN_OK_SPAM Spam Bayesian trained successfully for spam.
1305 BAYES_TRAIN_OK_HAM Ham Bayesian trained successfully for ham.
1306 BAYES_NOTRAIN_HAM Won’t train this message for Bayes based on
outbound. It hit outbound blacklist entry -
1307 BAYES_TRAIN_HAM Outbound training conditions met. Adding to
Bayesian training as HAM.
1308 BAYES_TRAIN_HAM_FAIL Error in trying to do outbound Bayesian training! -
1309 BAYES_PARSE_FAIL Not training message which failed to parse in
Bayes,
1310 BAYES_OBBAYES_BL_ Error in populating outbound Bayes training
POPULATE_ERROR blacklist! Trace: -
1311 BAYES_DICT_LOAD_FAIL Exception while loading Bayesian token dictionary
from <table> -
1312 BAYES_COUNTER_STATUS Counter status -
1313 BAYES_LOADING_DATA Loading data into -
1314 BAYES_RELOADING_FAIL Exception while reloading to -
1315 BAYES_ROWDELETE_FAIL Exception while deleting row from -
1316 BAYES_CLASSIFIER_INIT_FAIL Exception in initializing Bayesian classifier.
1317 BAYES_TRAINING_ITER_ Training iteration <number> completed.Trained
COMPLETED <hamnum> ham and <spamnum> spam not
including iterative trains.
1318 BAYES_DEBUG Bayes debug value is -

Content Filtering events


Table 335 Content Filtering events
Event ID  Event  Description
1537  CATEGORY_ACTION  Cf_catergory_action -
1538  CF_DICT  Dictionary Info: -


Corporate Compliance events


Table 336 Corporate Compliance events
Event ID  Event  Description
1793  CC_CLUSTER_DATA  Found data in path for clustering engine: -
1794  CC_CLUSTER_RECONFIG  Reconfiguring clustering engine (new data to pick up).
1795  CC_CLUSTER_DATA_ERROR  No training data for clustering engine! The engine will not be used.
1796  CC_DICT_THRESHOLD  Cannot use global_dict_threshold of 0, instead using: -
1797  CC_BAD_DICT_TYPE  Unexpected dict_type for the entry in ct_ccomp_dict_data! Skipping entry! <type:entry> -
1798  CC_BAD_SENSITIVITY  Invalid sensitivity found for engine, using MEDIUM! <sensitivity:engine> -
1799  CC_TRAIN_FOUND  CCQ Trainer message found.
1800  CC_TRAIN_DROP_ENCR  Train Notification Message is digitally signed/encrypted. Not allowed... Dropping...
1801  CC_TRAIN_BAD_MSG  Trainer: Invalid Message (subject)
1802  CC_TRAIN_COPIED  CCQ Trainer message copied.
1803  CC_TRAIN_NOTFOUND  No CCQ Trainer message found.
1804  CC_IA_DISABLE  CCQImageAnalysis not enabled, no checks performed.
1805  CC_IA_NOLIST  No Image Analysis rules/policies to apply to message. No checks will be performed.
1806  CC_IA_ENCR  Image Analysis in CCQ not performed. Message is signed/encrypted.
1807  CC_IA_RES  Results from ICA: -
1808  CC_PROF_DISABLE  CCQProfiler not enabled, no checks performed.
1809  CC_PROF_NOLIST  No Corporate Compliance rules/policies to apply to message. No checks will be performed.
1810  CC_FINGER_RES  Fingerprinting Hit Decision: -
1811  CC_CLUSTER_RES  Clustering Engine output: -
1812  CC_CLUSTER_NOT  Clustering did not run (less than x chars! Message too small.) -
1813  CC_LEXANA_RES  Adaptive Engine result: <probability:confidence> -
1814  CC_LEXANA_UNDEF  doLexicalAnalysis Error: Lexical Classifier Undefined.
1815  CC_CF_ENCR  Content Filtering in CCQ not performed. Message is signed/encrypted.
1816  CC_PROF_IN  Input to the profiler: -
1817  CC_CF_TIME  Run times: -
1818  CC_CF_NOLIST  No rules can apply to dictionary categories, dictionaries will not be checked.
1819  CC_TARIN_DUP  File already present in the directory for Training. <file:dir> -
1820  CC_TARIN_ADD  Added to trainer directory for category. <file:category> -
1821  CC_TARIN_COPY  Message file copied: <from:to> -
1822  CC_FINGER_NEEDS  Need x prints for y sized message: <prints:size> -
1823  CC_FINGER_MATCH  Matched x/y fingerprints for document_id and category: <count:needed_fp:did:cat> -
1824  CC_CLUSTER_TOOFEW_CAT  Not using clustering results due to too few x categories: -
1825  CC_ADDHEADER  Adding X-ccq header: -
1826  CC_TRAIN_DETECTED  End-User Compliance Training Detected.
1827  CC_TRAIN_NOT_ACCEPT  550 Cannot relay. Compliance Training Not Acceptable <addr> -
1828  CC_TRAIN_BAD_CAT  Trainer - Invalid Message (category not found)

Remote quarantine events


Table 337 CQS events
Event ID  Event  Description
2049  CQS_QTN_INFO  Received message for quarantine from a remote system. <Original msg_id:Current msg_id> -

Domain Keys Identified Mail events


Table 338 DKIM events
Event ID  Event  Description
2305  DKIM_BYPASS  DKIM bypass for Message ID: -
2306  DKIM_BAD_SIG  DKIM Signature not present or invalid.
2307  DKIM_DNS_FAIL  DNS query failed for domain and selector: <dom:selector> -
2308  DKIM_DNS_NOAVIL  DNS query for DKIM key not available for domain and selector: <dom:selector> -
2309  DKIM_FAIL_PARSE  Parsing of DKIM key failed for domain and selector: <dom:selector:err> -
2310  DKIM_VERIFY_FAIL  DKIM Verification failed: -
2311  DKIM_VERIFY_OK  DKIM Verification successful.
2312  DKIM_NOTFOUND  DKIM result not found in DB for Message ID: -

Dynamic Spam Classifier events


Table 339 DSC events
Event ID  Event  Description
2561  DSC_BYPASS  Dynamic Spam Classifier bypass for Message ID: -
2562  DSC_UNLOAD  Unloading dyn_spam_classifier
2563  DSC_IMPORT_VER  Imported dyn_spam_classifier, version: -
2564  DSC_IMPORT_VER_NONE  Imported dyn_spam_classifier module has no version attribute! Disabling it.
2565  DSC_OBJ  DSC Object: -
2566  DSC_LOG  DSC log info: -
2567  DSC_SCORE  DYN returns for Message ID: <dsc:msgid> -


DSpam events
Table 340 DSpam events
Event ID  Event  Description
2817  DSPAM_MON_STOP  Lexanad monitor: stopped.
2818  DSPAM_AVAIL  Lexanad monitor: lexanad available.
2819  DSPAM_NOTAVAIL  Lexanad monitor: lexanad not available...
2820  DSPAM_START  Lexanad monitor: lexanad started...
2821  DSPAM_STOP  Lexanad monitor: stopped.
2822  DSPAM_SKIP_DUP  Skipping the message in file (has already been trained for lexanad): -
2823  DSPAM_SKIP_NOTPEND  Skipping the message in file (not yet in pending status): -
2824  DSPAM_TRAIN_SPAM  Trained spam file: <file:probability:confidence:result> -
2825  DSPAM_TRAIN_HAM  Trained ham file: <file:probability:confidence:result> -
2826  DSPAM_TRAIN_END  Lexana Training completed. Trained x ham and y spam. <ham:spam> -
2827  DSPAM_FAIL  Adaptive Analysis failed for Message ID: -
2828  DSPAM_OK  Adaptive Analysis was successful. <probability:confidence:result:signature> -
2829  DSPAM_OK_BATCH  Lexical Analysis OK: -
2830  DSPAM_FAIL_BATCH  Lexical Analysis FAILS -
2831  DSPAM_FAIL_RECV  Recv failed! -
2832  DSPAM_FAIL_SEND  Send failed! -
2833  DSPAM_FAIL_CONN  Connection to Lexanad failed! Bailing.
2834  DSPAM_OK_CONN  Connection to Lexanad successful.
2835  DSPAM_CMD  Lexanad Control command -
2836  DSPAM_EMB_PERIOD  Lexical Analysis found embedded period(s) in text -
2837  DSPAM_TRAIN_HAM_FAILED  Training FAILED for ham file -
2838  DSPAM_TRAIN_SPAM_FAILED  Training FAILED for spam file -

Encryption events
Table 341 Encryption events
Event ID  Event  Description
3073  ENCR_ENABLED  Encryption Server enabled.
3074  ENCR_PROC_ST  Encryption Processing started for msg <Msg ID> -
3075  ENCR_PROC_OV  Encryption Processing completed for msg <Msg ID> -
3076  ENCR_HOSTNAME_ERR  Can't start SWM. No external host name available for vip. <VIP ID> -
3077  ENCR_SEC_LNK_MSG_LIMIT_ERR  Sec Link MSG Limit Reached. No Link created for msg <Msg ID> -
3078  ENCR_SEC_ENV_MSG_LIMIT_ERR  Sec Envelope MSG Limit Reached. No Envelope created for msg <Msg ID> -
3079  ENCR_DOM_PARSE_ERR  Error occurred while parsing Domain list for <Msg Id>:<Rcpt to> -
3080  ENCR_USER_INSERT_ERR  Inserting User failed <Rcpt to>:<Error> -
3081  ENCR_MODE_UNSET_ERR  Encryption Mode is not set for the user <Rcpt to>:<Msg ID> -
3082  ENCR_MODE_SET_VAL  Encryption mode set is <Rcpt:Mode Value> -
3083  ENCR_SEC_LINK_MSG  Created New SWD Notification, <SWM ID>:<User ID>:<Rand number>:<VIP ID> -
3084  ENCR_USER_SMIME_CERT_ERR  User does not have a personal SMIME cert, <User> -
3085  ENCR_NO_VALID_RCPT  None of the recipients are enrolled for msg <Msg ID> -
3086  ENCR_SMIME_MSG_ERR  SMIME msg generation Error <error msg> -
3087  ENCR_NO_NOTFN  No notification generated for the msg <Msg ID> -
3088  ENCR_OK_NOTFN  Notification generated successfully for user <Rcpt to> -
3089  ENCR_DB_CERT_ERR  Database corrupted, Certificate missing for <Rcpt> -
3090  ENCR_NOTFN_RCPT_NEW_CHEETAH_ERR  SWMNotifyRecipientNew, Cheetah template failed to open <File Name> -
3091  ENCR_NOTFN_RCPT_NEW_MK_DATA_ERR  SWMNotifyRecipientNew, Make data Failed with error code <Error number> -
3092  ENCR_NOTFN_RCPT_NEW_CRT_MSG_ERR  SWMNotifyRecipientNew, Create Msg Failed with error code <Error number> -
3093  ENCR_NOTFN_RCPT_NEW_SND_MSG_ERR  SWMNotifyRecipientNew, Send Msg Failed with error code <Error number> -
3094  ENCR_NOTFN_RCPT_NEW_UPDT_DB_ERR  SWMNotifyRecipientNew, Update DB Failed for SWM ID <SWM ID> -
3095  ENCR_NOTFN_SNDR_DSN_CHEETAH_ERR  SWMSenderDSN, Cheetah template failed to open <File Name> -
3096  ENCR_NOTFN_SNDR_DSN_MK_DATA_ERR  SWMSenderDSN, Make data Failed with error code <Error number> -
3097  ENCR_NOTFN_SNDR_DSN_NTY_MSG_ERR  SWMSenderDSN, Sending Notification Failed with error code <Error number> -
3098  ENCR_NOTFN_SNDR_DSN_MSG  SWMSenderDSN being generated for <User> -
3099  ENCR_NOTFN_SEC_ENV_OK  Notification to be created with secure envelope <Rcpt to> -
3100  ENCR_NOTFN_USR_SMIME_OK  Notification to be created with user smime msg <Rcpt to> -
3101  ENCR_NOTFN_SNDR_NR_DEF_NOTFN  The template specified to notify sender for non-retrieved messages has been deleted. Defaulting to the system defined template.
3102  ENCR_NOTFN_RCPT_NEW_DEF_NOTFN  The template specified for swm notifications has been deleted. Defaulting to the system defined template.
3103  ENCR_NOTFN_DSN_DEF_NOTFN  The template specified for auto enrollment dsn has been deleted. Defaulting to the system defined template.
3104  ENCR_NOTFN_RCPT_NR_DEF_NOTFN  The template specified to notify recipients for non-retrieved messages has been deleted. Defaulting to the system defined template.
3105  ENCR_NOTFN_RCPT_PR_DEF_NOTFN  The template specified to notify recipients for password reset has been deleted. Defaulting to the system defined template.


SpamProfiler events
Table 342 ESP events
Event ID  Event  Description
3329  ESP_RULES  ESP policies, Thresholds <policies:ruleid> -
3330  ESP_NOLIST  Filter list for ESP is empty.
3331  ESP_NOPOLICY  Applicable ESP policies not defined.
3332  ESP_SCORE_ISC  ESP_ISC score -
3333  ESP_NOCF_DICT  CF in ESP not performed. Dictionaries not enabled.
3334  ESP_NOCF_ENCR  CF in ESP not performed. Message is signed/encrypted.
3335  ESP_NOCF_SF  CF in ESP not performed. Content Filtering not in sub feature list.
3336  ESP_CF_DEF  MIME parsing failure, using default confidence value for CF in ESP: -
3337  ESP_CF_START  ----Content Filtering in ESP - Begin----
3338  ESP_CF_END  ----Content Filtering in ESP - End----
3339  ESP_SCORE  ESP total points for Message ID: <esp:msgid> -
3340  ESP_TRAIN_ADD  Message was added to training directory.
3341  ESP_TRAIN_NOT  Message was NOT added to training directory.
3342  ESP_SCORE_DETAILS  ESP individual score details for Message ID: <esp:msgid> -
3343  ESP_OUTRANGE_CONFI  Confidence value is not in range 0-100: -

Enterprise Spam events


Table 343 Enterprise Spam Notification events
Event ID  Event  Description
3585  EST_DETECTED  Enterprise SPAM Notification Detected.
3586  EST_AUTO_MODE_NO_ACTION  No action for auto rule set -
3587  EST_INVALID_SPAM_ACTION  Auto enterprise spam reporting has no valid spam action specified for setting policies. Data -
3588  EST_AUTO_MODE  Auto enterprise spam reporting mode.
3589  EST_MANUAL_MODE  Manual enterprise spam reporting mode.

End User Spam events


Table 344 End User Spam Notification events
Event ID  Event  Description
3841  EUSR_S_DETECTED  End-User SPAM Notification Detected.
3842  EUSR_S_NOTACCEPT  550 Cannot relay. Spam Notification Not Acceptable -
3843  EUSR_H_DETECTED  End-User HAM Notification Detected.
3844  EUSR_H_NOTACCEPT  550 Cannot relay. Ham Notification Not Acceptable -
3845  EUSR_INCORRECT_MSG_FORMAT  The message is in an incorrect format. The spam message should be a message/rfc822 attachment.
3846  EUSR_AUTO_MODE_NO_ACTION  No action for auto rule set -
3847  EUSR_PARSE_IP_ERROR  Error occurred while parsing out IP address from received header. <PartFileName> -
3848  EUSR_INVALID_SPAM_ACTION  Auto end user spam reporting has no valid spam action specified for setting policies. Data -
3849  EUSR_AUTO_MODE  Auto end user spam reporting. Part no -
3850  EUSR_MISSING_IP  Missing IP address.
3851  EUSR_MISSING_MAILFROM  Missing mail from.
3852  EUSR_MISSING_SUBJECT  Missing subject.
3853  EUSR_MMQ_NOT_CONFIGURED  MMQ is not currently configured to process. Skipping the policy setting.
3854  EUSR_INVALID_ACTION  Invalid action specified.
3855  EUSR_INVALID_NOTIFICATION  Invalid notification.
3856  EUSR_MANUAL_MODE  Manual end user spam reporting. Part no -
3857  EUSR_DB_UPDATE_FAILED  DB UPDATE into notification table failed for id -
3858  EUSR_DB_UPDATE_SUCCESS  Updated entry in notification table for id -
3859  EUSR_ADD_SPAM_NOTIFY  Added New Entry into ct_spam_notification. Notify id -
3860  EUSR_ATTR_FLAG_SPAM_NOTIFY  Spam notification id:attr_flag -

General events
Table 345 General events
Event ID  Event  Description
4097  IM_EXCEPTIO  -
4098  LOG_STAT  -
4099  CONNECT_BASE  Connecting to <BindHost:ConnectHost:ConnectPort> -
4100  OUTBD_DNS_SERVERS  Channel will use per-vip user configured outbound DNS servers <servers> -
4101  INBD_DNS_SERVERS  Channel will use per-vip user configured inbound DNS servers <servers> -
4102  SMTPC_ERR_STARTTLS  STARTTLS failed <code:resp> -
4103  SMTPC_ERR_CONN  Connect error in HELO: -
4104  SMTPC_ERR_MF  Mail From - Sender Refused: <from:to:code:msg> -
4105  DOS_ATTACK  DOS attack detected. Closing connection...
4106  WAIT_DB  Waiting to get a Database Handle...
4107  READ_CONFIG  Reading configuration data...
4108  READ_ALLTABLES  Base Class readAllTables()
4109  CHARSET_NOTFOUND  Unable to find the charset associated with the mibenum x. Exiting the process. -
4110  SIGINT_CALLED  SIGINT called.
4111  SIGHUP_CALLED  SIGHUP called.
4112  SIGTERM_CALLED  SIGTERM called.
4113  SIGUSR1_CALLED  SIGUSR1 called.
4114  SIGUSR2_CALLED  SIGUSR2 called.
4115  ACCEPT_BAD_ADDR  Invalid socket received from accept method. Quitting connection...
4116  CREATE_CHANNEL  -
4117  POLL_START  Started Polling
4118  CANNOT_BIND  -
4119  CONN_REFUSED  Destination refused connection at: <host:port> -
4120  TLS_HANDSHAKE_FAILED  TLS Handshake with the client failed.
4121  TLS_DISABLED  TLS feature is disabled.
4122  LOAD_THROTTLE  Server disk under full load. Rejecting connections...
4123  DHA_THRES_NOT_SET  Recipient Rejections Threshold not set.
4124  DHA_DETECTED  Recipient rejections exceed maximum allowable. Possible Directory Harvest Attack
4125  IP_IN_DENY_LIST  Connection from IP address in deny list. Closing connection...
4126  DHC_VALUE  Dynamic hop count -
4127  DHC_IP_SAVED  DHC IP saved to DB is <DHC IP Address> -
4128  RESET_TO_DEFAULT_ROUTE  Email address is present in message splitting address list. Resetting the route to DEFAULT.
4129  MON_START  Started on host and port <server:host:port> -
4130  MON_CONNECTION  Incoming monitor connection from -
4131  TLS_EXPORT_LIMIT  TLS concurrent connections exceed export limit.
4132  CONFIG_SET  Setting Configuration -
4133  CONFIG_SETATTR  Setting Attribute -
4134  SCHEDULE_FUNC  Scheduled function function_name:frequency_seconds -
4135  IP_IN_RBL  Listed in RBL. Disconnecting
4136  RDNS_LOOKUP_ERR  RDNS Lookup Failed. Disconnecting
4137  CONN_CTRL_DENY_LIST  Listed in connection control deny list. Disconnecting
4138  RFC822_NO_HDR  RFC822 header data not found

Image Analysis events


Table 346 Image Analysis events
Event ID  Event  Description
4353  IMGF_TYPE  Autonomy image file types: -
4354  IMGF_START  Processing for message id: -
4355  IMGF_PART  Part id: -
4356  IMGF_SCORE_PART  ICA scores on Message. Part: <score:msgid:partid> -
4357  IMGF_MISSING  ICA encountered missing Message. Part, assigns score: <msgid:partid:assign_score> -
4358  IMGF_SCORE  ICA scores with parts: -

Image Whitelist events


Table 347 Image Whitelist events
Event ID  Event  Description
4609  IMGWL_MATCH  Whitelist hit: Found x in the whitelist -
4610  IMGWL_NOTEXIST  The file doesn't appear to exist! -
4611  IMGWL_BAD_TYPE  The file doesn't appear to be a valid image type! -
4612  IMGWL_DUP  Cannot add x to whitelist. It is already in the whitelist -
4613  IMGWL_NOTIN  Cannot delete x from whitelist. It is not in the whitelist -

Image Spam Classifier events


Table 348 ISC events
Event ID  Event  Description
4865  ISC_BL_INIT  ISC instantiating fuzzy blacklist, this might take some time
4866  ISC_NOT_INIT  ISC TS did not initialize!
4867  ISC_BYPASS_DEBUG  ISC TS bypass!
4868  ISC_WL_CHECK  ISC whitelist check for: -
4869  ISC_WL_HIT  Image Whitelist hit for -
4870  ISC_WL_MISS  Image Whitelist miss for -
4871  ISC_SKIP  ISC heuristics check for x, says skip it -
4872  ISC_SPAM_SVM  File SVM claims x is SPAM! -
4873  ISC_VECTOR  TS and FILE ISC vector <ts:vector> -
4874  ISC_ERR_SVM  File SVM had unknown error classifying -
4875  ISC_SPAM_BL  Blacklist returns SPAM!
4876  ISC_IC_REQ  Requesting IC for -
4877  ISC_IC_RES  Obtained IC -
4878  ISC_IC_RETING  Returning IC <type:qid> -
4879  ISC_IC_RET  Returned IC -
4880  ISC_BYPASS  Image Spam Classifier bypass for Message ID: -
4881  ISC_SCORE  ISC returns score for Message ID: <score:msgid> -
4882  ISC_PRINT_FUNC  ISC -

Join Queue events


Table 349 Join Queue events
Event ID  Event  Description
5121  JOIN_RIP_FAIL  Rip failed message requires join, will treat as rebuild failure. -
5122  JOIN_PART  Joining the part for the message -
5123  JOIN_CHECK_HDR_ACTIONS  Checking for header actions.
5124  JOIN_HDR_UPD  Changes to headers have been updated.
5125  JOIN_SKIP_FWD  Skipping forward/copy action due to the presence of AVQ repackage action or remote quarantine action.
5126  JOIN_FWD  Forwarding/Repackaging the message with CT boundaries for message -
5127  JOIN_REBUILDFAIL_DROP  Rebuild failed. Message will be dropped.
5128  JOIN_REBUILDFAIL_QTN  Rebuild failed. Message quarantined.
5129  JOIN_REBUILDFAIL_DELIV_ORIG  Rebuild failed. Sending original message file to recipient
5130  JOIN_REBUILD_NOACTION  No action to be taken for the message -
5131  JOIN_SEARCH_REPLACE_NOT_MATCH  The search and replace word lists do not have the same list size, so headers are not changed.
5132  JOIN_DKIM_NOTOB  DKIM not applied. This message is not an outbound message destined for an external domain.
5133  JOIN_DKIM_ENCR  DKIM not applicable. This message is sent securely via SMIME/PGP/SWD.
5134  JOIN_DKIM_NOSENDERDOM  Failed to retrieve valid sender domain from the message. Skipping DKIM signing.
5135  JOIN_DKIM_ERRDBDOM  Failed to retrieve data from DB for domain. Skipping DKIM signing. -
5136  JOIN_DKIM_SIGNFAIL  DKIM signing failed: -
5137  JOIN_NOTOB  This message is not an outbound message destined for an external domain.
5138  JOIN_SECURE_STATUS  Secure status for S/MIME PGP SWMR SWMS: <smime:pgp:swmr:swms> -
5139  JOIN_SECURE_DOMAINS  Secure domains for S/MIME PGP SWMR TLS: <smime:pgp:swmr:tls> -
5140  JOIN_SECURE_PREFORDER  Secure preference order -
5141  JOIN_SECURE_RESCHDPGP  Rescheduling PGP encryption for next cycle, due to process resource constraint. Msg ID: -
5142  JOIN_SECURE_PGPTHRS  Number of PGP threads running: -
5143  JOIN_SECURE_FAILS  Secure failures for S/MIME and PGP: <smime:pgp> -
5144  JOIN_SECURE_DELIMODES  Delivery Modes: -
5145  JOIN_SECURE_ACTIONLIST  Encrypt action list: -
5146  JOIN_SECURE_DELIMODES_DOMAINS  Delivery Modes and SWM Domains: <modes:domains> -
5147  JOIN_SECURE_RCPTS  SWM Recipients and Normal Recipients: <swm:normal> -
5148  JOIN_SECURE_NOPRIVATE  No private key or cert available for domain: -
5149  JOIN_SECURE_NOPUBLIC  No public key available for domain: -
5150  JOIN_DKIM_SUCCESS  DKIM signature success.

LDAP events
Table 350 LDAP events
Event ID  Event  Description
5377  LDAP_START  Starting to monitor unavailable LDAP profiles.
5378  LDAP_TEST  Beginning to test LDAP profile -
5379  LDAP_TEST_OK  LDAP profile test successful. Making the profile available...
5380  LDAP_TEST_FAIL  Issues with LDAP profile <issue:err:profile> -
5381  LDAP_END  Monitoring unavailable LDAP profiles completed.
5382  LDAP_RCPT_GRP  The recipient address belongs to the following domain groups (IDs) -
5383  LDAP_RULES  LDAP rules to be used for evaluation -
5384  LDAP_MASQUERADE  Recipient address masqueraded using LDAP. <from:to> -
5385  LDAP_SKIP  Skipping LDAP due to outbound delivery.
5386  LDAP_PROFILE_SKIP  Skipping the unavailable profile -
5387  LDAP_PROFILE_ID  Profile (ID) used for the LDAP query -
5388  LDAP_ISSUES  <Profile:Issue:Error> -
5389  LDAP_MARK_UNAVAILABLE  Marking the profile unavailable on exceeding the failure count. -
5390  LDAP_FAILURE_ALERT  LDAP profile failure alert generated.
5391  LDAP_RCPT_VALIDATED  Recipient address validated using LDAP.
5392  LDAP_INVALID_RCPT  Recipient address not in LDAP. Rejecting command... <addr> -
5393  LDAP_CC_LOOKUP  <Window (Hr),IP Address,Count>
5394  LDAP_CCDENY  LDAP CCDENY, IP will be added to the deny list <HR,IP>
5395  LDAP_CONFIG_ATTR  LDAP attributes -
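The General, LDAP and RBL tables above carry the events a SIEM rule or log-triage script keys on: DOS_ATTACK (4105), TLS_HANDSHAKE_FAILED (4120), DHA_DETECTED (4124), IP_IN_DENY_LIST (4125), IP_IN_RBL (4135), RDNS_LOOKUP_ERR (4136), CONN_CTRL_DENY_LIST (4137), LDAP_INVALID_RCPT (5392), LDAP_CCDENY (5394) and RBL_MATCH (7427). Two properties of the tables are worth building on. First, Event IDs are allocated in blocks of 256 per subsystem (1025 = 4*256+1 for Attachment Filtering, 4097 = 16*256+1 for General events, 5377 = 21*256+1 for LDAP, 7681 = 30*256+1 for RDNS), so the subsystem follows from the high byte of the ID without a full lookup table. Second, DHA_THRES_NOT_SET (4123) records that no recipient-rejection threshold is configured; it is a fair assumption that DHA_DETECTED will not fire in that state, so a log consumer should count LDAP_INVALID_RCPT per client itself as a fallback. The Python script below is an added example, not code from this guide or from the product: the record layout it parses (`<date> <time> <event id> <EVENT_NAME> <client ip> <text>`) and the sample records are assumptions, since this page documents the IDs and message text but not the on-disk record format.

```python
"""Triage McAfee Email Gateway event-log records using the Event IDs from the tables above.

Added example, not part of the product. The record layout is an assumption: the tables
give IDs, names and message text, not the on-disk format.
"""
import re
from collections import defaultdict

# Each subsystem's Event IDs occupy a 256-wide block (1025 = 4*256+1, ..., 7681 = 30*256+1),
# so the high byte of an ID identifies the subsystem.
SUBSYSTEM_BY_BLOCK = {
    3: "Anti-virus", 4: "Attachment Filtering", 5: "Bayesian", 6: "Content Filtering",
    7: "Corporate Compliance", 8: "CQS", 9: "DKIM", 10: "DSC", 11: "DSpam", 12: "Encryption",
    13: "ESP", 14: "Enterprise Spam Notification", 15: "End User Spam Notification",
    16: "General", 17: "Image Analysis", 18: "Image Whitelist", 19: "ISC", 20: "Join Queue",
    21: "LDAP", 22: "Mail Monitor", 23: "Masquerading", 24: "MIME Handler",
    25: "Message Stamping", 26: "MSS", 27: "Notification", 28: "Policy management",
    29: "RBL", 30: "RDNS",
}

# Events from the General, LDAP and RBL tables that describe a hostile or failing client.
SECURITY_EVENTS = {
    4102: "SMTPC_ERR_STARTTLS", 4105: "DOS_ATTACK", 4120: "TLS_HANDSHAKE_FAILED",
    4124: "DHA_DETECTED", 4125: "IP_IN_DENY_LIST", 4135: "IP_IN_RBL",
    4136: "RDNS_LOOKUP_ERR", 4137: "CONN_CTRL_DENY_LIST",
    5392: "LDAP_INVALID_RCPT", 5394: "LDAP_CCDENY", 7427: "RBL_MATCH",
}

# Assumed record layout: "<date> <time> <event id> <EVENT_NAME> <client ip> <message text>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\d+) (?P<name>[A-Z0-9_:-]+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ?(?P<text>.*)$"
)


def subsystem(event_id):
    """Name the subsystem an Event ID belongs to from its 256-wide block."""
    return SUBSYSTEM_BY_BLOCK.get(event_id >> 8, "unknown")


def parse_line(line):
    """Parse one record; return None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event_id = int(m.group("id"))
    return {"ts": m.group("ts"), "id": event_id, "name": m.group("name"),
            "subsystem": subsystem(event_id), "ip": m.group("ip"), "text": m.group("text")}


def triage(lines, rejection_threshold=5):
    """Group security events per client IP and decide which IPs to block.

    An IP is flagged when the gateway itself reported DHA_DETECTED or DOS_ATTACK for it,
    or when LDAP_INVALID_RCPT repeats at least rejection_threshold times. The second rule
    is the fallback for gateways that log DHA_THRES_NOT_SET (no rejection threshold set).
    """
    per_ip = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["id"] not in SECURITY_EVENTS:
            continue
        if ev["name"] != SECURITY_EVENTS[ev["id"]]:
            continue  # id and name disagree with the tables: do not trust the record
        per_ip[ev["ip"]].append(ev["name"])
    flagged = [ip for ip, names in per_ip.items()
               if "DHA_DETECTED" in names or "DOS_ATTACK" in names
               or names.count("LDAP_INVALID_RCPT") >= rejection_threshold]
    return dict(per_ip), sorted(flagged)


# Constructed sample records using RFC 5737 documentation addresses; not real gateway output.
SAMPLE_LOG = """\
2009-05-12 10:01:02 4099 CONNECT_BASE 198.51.100.7 Connecting to <0.0.0.0:198.51.100.7:25>
2009-05-12 10:01:04 5392 LDAP_INVALID_RCPT 203.0.113.5 Recipient address not in LDAP. Rejecting command... <aaron@example.com>
2009-05-12 10:01:05 5392 LDAP_INVALID_RCPT 203.0.113.5 Recipient address not in LDAP. Rejecting command... <abby@example.com>
2009-05-12 10:01:06 4124 DHA_DETECTED 203.0.113.5 Recipient rejections exceed maximum allowable. Possible Directory Harvest Attack
2009-05-12 10:01:10 5392 LDAP_INVALID_RCPT 203.0.113.6 Recipient address not in LDAP. Rejecting command... <a@example.com>
2009-05-12 10:01:11 5392 LDAP_INVALID_RCPT 203.0.113.6 Recipient address not in LDAP. Rejecting command... <b@example.com>
2009-05-12 10:01:12 5392 LDAP_INVALID_RCPT 203.0.113.6 Recipient address not in LDAP. Rejecting command... <c@example.com>
2009-05-12 10:01:13 5392 LDAP_INVALID_RCPT 203.0.113.6 Recipient address not in LDAP. Rejecting command... <d@example.com>
2009-05-12 10:01:14 5392 LDAP_INVALID_RCPT 203.0.113.6 Recipient address not in LDAP. Rejecting command... <e@example.com>
2009-05-12 10:02:00 4120 TLS_HANDSHAKE_FAILED 198.51.100.7 TLS Handshake with the client failed.
2009-05-12 10:02:30 4135 IP_IN_RBL 192.0.2.44 Listed in RBL. Disconnecting
2009-05-12 10:03:00 4105 DOS_ATTACK 192.0.2.99 DOS attack detected. Closing connection...
this line is not in the expected format
"""

if __name__ == "__main__":
    per_ip, flagged = triage(SAMPLE_LOG.splitlines())
    for ip, names in sorted(per_ip.items()):
        print(ip, "BLOCK" if ip in flagged else "watch", names)
```

In the sample, 203.0.113.5 is flagged because the gateway already raised DHA_DETECTED, 203.0.113.6 only because the script counted five LDAP_INVALID_RCPT rejections itself, and 192.0.2.44 is left on watch since a single RBL hit is already handled by the gateway's disconnect. Records whose numeric ID and name disagree with the tables are dropped rather than matched on the name alone.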

Mail monitoring events


Table 351 Mail Monitor events
Event ID  Event  Description
5633  MM_RESULT_MMTABLE  Result of readMailMonitoringTable <sf:result> -
5634  MM_MATCHED_SIZE  Matched condition (size) -
5635  MM_RULEDATA  Rule Data -
5636  MM_RULEDEFN  Rule Defn -
5637  MM_STAT  LOG_STAT_MAIL_MON -
5638  MM_EMF_STAT  LOG_STAT_ENCR_FIL -
5639  MM_OFFHR_SIZE  OFFHR: Msg Size -
5640  MM_OFFHR_STAT  LOG_STAT_OFFHR: -

Address Masquerading events


Table 352 Masquerading events
Event ID  Event  Description
5889  MASQ_E_SUCCESS  Email Masqueraded <from:to> -
5890  MASQ_E_NO_MATCH  No match found to masquerade email -
5891  MASQ_D_PARSE_FAILED  Unable to parse address for masquerading -
5892  MASQ_D_SUCCESS  Domain Masqueraded <from:to> -
5893  MASQ_D_EMAIL_INFO  Email address is changed <from:to> -
5894  MASQ_D_NO_MATCH  No match found to masquerade domain -


MIME Handler events


Table 353 MIME Handler events
Event ID  Event  Description
6145  MIMEH_ADDHDR_ESP  ESP header(s) have been added.
6146  MIMEH_CHANGESUBJ  Subject has been changed.
6147  MIMEH_REMOVE_RCVD_HDRS  Removed received headers.
6148  MIMEH_REMOVE_DISP_NTIF  Removed disposition notification.
6149  MIMEH_CONVERT_HDRS  Header will be converted to an RFC 2047 string. This is for backward compatibility.
6150  MIMEH_UNABLE_EXTRACT_ADDR  Unable to extract address from header: <header:value:count> -
6151  MIMEH_MASQ_HDRS  Masqueraded Header -
6152  MIMEH_HDR_NOTFOUND  Header not present in message -
6153  MIMEH_STAGE1  Stage 1 starting: fn= -
6154  MIMEH_CONTTYPE_CHANGED  Content type is changed to utf-8 for the part -
6155  MIMEH_JOIN_PART_FN  Joining using the part file name -
6156  MIMEH_UNABLE_ENCODE  Unable to encode part with encoding type x. Proceeding without encoding. -
6157  MIMEH_JOIN_UU_MSTNEF  Invoking special join procedure for UU/MS-TNEF message
6158  MIMEH_CHARSET_UNSUPPORTED  Charset unsupported: <Subject mibenum:Charset> -
6159  MIMEH_CHARSET_UNDETECTED  Charset undetected/subject not decoded to utf8. Subject mibenum -
6160  MIMEH_CHARSET_NOT_CONVERTED  Unable to convert the data, using utf8. Charset -

Message Stamping events


Table 354 Message Stamping events
Event ID  Event  Description
6401  MSGSTP_FOOTER  Footer -
6402  MSGSTP_LOG1  Secure message stamping.
6403  MSGSTP_DOM  For domain -
6404  MSGSTP_PART_NOSTAMP_DUP  Part already contains the footer, not stamping. part: -
6405  MSGSTP_PART_NOSTAMP_UTF8  Part doesn't have a utf-8 decoded file. Message stamp will not happen. part: -
6406  MSGSTP_PART_NOSTAMP  Part Content Type is not text or html, or the part is not the body. Not stamped. part: -
6407  MSGSTP_PART_CHARSET  Part of message stamp will be in charset. <part:charset> -
6408  MSGSTP_PART_STAMP  Part stamped -
6409  MSGSTP_STAT  LOG_STAT_MSG_STP: <log_str:partsStamped> -
6410  MSGSTP_SUBTYPE_ERR  Content-type/Subtype is not one that can be stamped. Will not stamp part: -


Message events
Table 355 MSS events
Event ID  Event  Description
6657  MSS_QTN_CLONE  QTN message Details ID||FILENAME||FROMADDR||TOADDR <msgid:filename:fromaddr:toaddr> -
6658  MSS_QUEU_COMMAND  QUEU COMMAND RECEIVED <mailfrom:frm_addr:rcptList:rcptLineList:ipaddress:msgtype:ehloDomain:notifysender:forgedDomain> -
6659  MSS_DEL_MSGS  Deleting messages and files ... <msgids:files> -
6660  MSS_ERR_QORDER  getQueueOrder failed. Backing out of message creation
6661  MSS_MARK_ARCHIVAL  Message is inbound and global archiving is enabled. Marking for archival to Profile Id -
6662  MSS_ERR_INSERTMSG  Insert message failed. Backing out of message creation
6663  MSS_ERR_ADDACTION  Insert into ct_action_bak failed for forged domain action for msg Id: -
6664  MSS_DETAILS  Message Details ID||FILENAME||FROMADDR||TOADDR||VIPID <msgid:filename:fromaddr:toaddr:vip> -
6665  MSS_CREATEMSG  Created new Message ID and File <msgid:file> -
6666  MSS_ERR_INSERTDOMS  Failed to insert domain records. Message dispatch failed.
6667  MSS_DROP_COMMAND  DROP COMMAND RECEIVED <msgId:msgFileName> -
6668  MSS_ERR_DECODEUTF8  errString -

Notification events
Table 356 Notification events
Event ID  Event  Description
6913  NOTIF_ERR_QUEUECONT  cmd_queu_cont failed.
6914  NOTIF_ERR_EMPTYRCPT  Cannot generate notification as the rcpt is empty
6915  NOTIF_CHANGE_HDR  Change Header done.
6916  NOTIF_USE_DEFTMPL  The original template for the rule has been deleted. Defaulting to the system defined template for -
6917  NOTIF_CUSTOM_STOP  customNotification, Stop
6918  NOTIF_RCPTS  notify_rcpts is -
6919  NOTIF_RCPTS_NOMATCH  None of the users match the notification condition
6920  NOTIF_SINGLE_STOP  singleNotification: Stop
6921  NOTIF_ERR_SETLOCALE  Could not convert date for locale -
6922  NOTIF_ERR_DECODEUTF8_DATE  Could not decode date to utf8 -


Policy management events


Table 357 Policy management events
Event ID  Event  Description
7169  PM_FINAL_RCPTS  Final recipients are: -
7170  PM_EX_UPD_RCPTS  Exception in update orig rcpts
7171  PM_UPD_CCOMP_COUNTS  Updating ct_ccomp_counts table.
7172  PM_LOG_STAT_FINAL  LOG_STAT_FINAL <msg_id:log_str> -
7173  PM_SUMMARY_ACTIONS  SUMMARY_ACTIONS -
7174  PM_ACTION_ATT_RENAME  Renamed for parts <old:new:parts> -
7175  PM_ACTION_ATT_PASS_THRU  Action Pass Through for parts <action:parts> -
7176  PM_ACTION_DICT  Action for dict <action:dict> -
7177  PM_ACTION_DEL_RCPTS_FWD  Deleting recipients for forward -
7178  PM_ACTION_DEL_RCPT_FWD  Removing from the list of recipients for forward -
7179  PM_ACTION_QTN_PERM  Message can be quarantined permanently -
7180  PM_ACTION_QTN_HR  Message can be quarantined x hrs <cause:hours> -
7181  PM_ACTION_REPL_SUBJ  Replacing subject text with drop part text for part <part:cause> -
7182  PM_ACTION_DROP_PART  Dropping part <part:cause> -
7183  PM_ACTION_DEL_RCPTS_DROP  Deleting recipients for drop for <dom> -
7184  PM_ACTION_DEL_RCPT_DROP  Removing from the list of recipients for drop <dom> -
7185  PM_ACTION_DEL_MSG  Deleting message -
7186  PM_GET_FORMAT_NOCONT  Text file generated for part, but has no content. part: -
7187  PM_GET_FORMAT_NOGEN  Text file not generated for part -
7188  PM_GET_FORMAT_NOXTN  Content filtering not enabled for type -
7189  PM_GET_FORMAT_MISMATCH  *** WARNING Xtn Mismatch. <part:given-xtn> -
7190  PM_GET_FORMAT_USEXTN  Part will be treated as given xtn <part:given-xtn> -
7191  PM_GET_FORMAT_RESULT  Part, Type, Xtn, Format; <part:type:xtn:format> -
7192  PM_GET_FORMAT_ZIP_PARTS  Zip Parts -
7193  PM_READ_DICTS_SIZE  Read Size Process Size <readsiz:processsiz> -
7194  PM_READ_DICTS_BAD_RE  The following regular expression IDs have failed compilation: -
7195  PM_READ_DICTS_ALL_RE  All the regular expressions have been compiled: -
7196  PM_CF_CATEGORIES  Cf_categories: -
7197  PM_CF_LIST  Cf_list: -
7198  PM_FILTER_XTNS  Filter xtns: -
7199  PM_SCAN_NOT  Cannot scan extracted text, file not generated.
7200  PM_SCAN_PAR  :--Scanning part -
7201  PM_FILTERSRCH_ALT_ACTION  Due to the html part, alternate action will be taken on the message instead of replace/prefix actions, if required.
7202  PM_FILTERSRCH_ALT_ACTION2  Non-Subject headers matched, will take alternate action if required
7203  PM_FILTERSRCH_URL  **URL score, URLs matched <url-score:urls-matched> -
7204  PM_FILTERSRCH_PATTERN  **Patterns matched: -
7205  PM_FILTERSRCH_PATTERN_ERR  Pattern matching error: -
7206  PM_CFILTER_SCAN  Will scan for -
7207  PM_CFILTER_SCANNED  Already scanned for dictionaries
7208  PM_CFILTER_SCORE  -----Scoring for -
7209  PM_CFILTER_SCORE_URL  Part URL Score <part:score> -
7210  PM_CFILTER_SCORE_PART_FOUND  *Part, Score, Found <part:score:found> -
7211  PM_CFILTER_SCORE_SUBTOTAL  *Part, Found, Msg Sub Total <part:found:subtotal> -
7212  PM_CFILTER_SCORE_TOTAL  *** MsgTotal: -
7213  PM_SETIP_ERR_DB  Insert failed for ct_rules <ip:createdby> -
7214  PM_SETIP_DENY_ADDED  New entry added to deny list in ct_rules <ip:ruleaction> -
7215  PM_SETIP_DENY_DUP  Duplicate entry, already exists in ct_rules -
7216  PM_SETMM_BAD_CAT  Invalid monitor category: -
7217  PM_SETMM_EMPTY_ACTION  Empty monitor data in list. No action set. -
7218  PM_SETMM_UPDATE  :ct_mail_monitoring updated <ruleby:actiondata:ruleaction> -
7219  PM_SETMM_DUP  Rule already exists in ct_mail_monitoring <ruleby:actiondata:ruleaction> -
7220  PM_SETMM_GIVEUP  Giving up... Five attempts made. Cannot insert record into ct_mail_monitoring.
7221  PM_SETMM_DONE  SuperQ reconfigured... New rule(s) added in mail_monitoring: <ruleby:ruleid> -
7222  PM_SETAF_SKIP  CFQ is not currently configured to process. Skipping the policy setting for category and monitor data <ruleby:cat:ruledata> -
7223  PM_SETAF_UPDATED  ct_af_list updated for Data and Action: <ruleby:cat:ruledata> -
7224  PM_SETAF_DUP  Entry already exists in ct_af_list <ruleby:cat:ruledata> -
7225  PM_SETAF_DONE  SuperQ reconfigured... -

Realtime Blackhole List events


Table 358 RBL events
Event ID Event Description
7425 RBL_BYPASS RBL lookup bypass for Message ID: -
7426 RBL_ALLOW_RELAY IP is in allow relay, RBL lookup bypassed.
7427 RBL_MATCH IP address is in RBL list maintained by: <ip:by> -
7428 RBL_MATCH_NOT IP not listed in any of the given RBL server(s).
7429 RBL_NOTFOUND RBL lookup result not found in DB for Message ID: -
7430 RBL_DETECTED RBL lookup detected for Message ID, with Total detected Score: <msgid:score> -
7431 RBL_DETECTED_NOMATCH RBL lookup detected and none of the action rule(s) matched for Message ID: -

Reverse DNS events


Table 359 RDNS events
Event ID Event Description
7681 RDNS_BYPASS RDNS lookup bypass for Message ID: -
7682 RDNS_ALLOW_RELAY IP is in allow relay, RBL lookup bypassed.
7683 RDNS_LKUP_FAIL RDNS lookup failed.
7684 RDNS_LKUP_OK RDNS lookup succeeded.
7685 RDNS_NOTFOUND RDNS lookup result not found in DB for Message ID: -

RIP Queue events


Table 360 RIP events
Event ID Event Description
7937 RIP_CONT Main message part already in the database. Continuing...
7938 RIP_MARK_FILTERING Format identification and text extraction will be performed. <msgid> -
7939 RIP_SF Sub-feature list: -
7940 RIP_SF_FINAL Final sub-feature list -
7941 RIP_QORDER Queue order on msg: -
7942 RIP_QORDER_FINAL Final queue order -
7943 RIP_MIME_ERR_UNPACK Error during mime unpack <msgid:rc> -
7944 RIP_MIME_ERR_MAXPARTS Max part limit <msg_id:max_parts_limit> -
7945 RIP_QTN_DYN Message quarantined (dynamic) for hours. <msgid:hours> -
7946 RIP_QTN_DYN_TS Quarantine recommended by TrustedSource for hours -
7947 RIP_QTN_DYN_MATCH_SIMPLE DQtn simple rule matched <param:condition:value> -
7948 RIP_QTN_DYN_MATCH_COMPOUND DQtn compound rule matched <ruleID:ruleName> -
7949 RIP_QTN_REMOTE Quarantining remote quarantine message <msgid:to:hours> -
7950 RIP_QTN_REMOTE_SEC Message is a remotely quarantined copy to the secondary CQS, new_msgid -
7951 RIP_PGP_RESCHED Rescheduling PGP decryption for next cycle, due to process resource constraint. <msgid> -
7952 RIP_PGP_THREADS Number of PGP threads running: -
7953 RIP_PGP_NOTDONE_DOMID PGP decryption not done for domain ID <domain-ID:msg_id> -
7954 RIP_PGP_NOTDONE_DOMS PGP decryption not done for domains <domains:msg_id> -
7955 RIP_SMIME_NOCERT No signer cert available for SMIME decryption for msg_id -
7956 RIP_SMIME_NOTDONE SMIME Decryption not done for the msg_id -
7957 RIP_SMIME_NOTDONE_DOMS SMIME Decryption not done for <domains:msg_id> -
7958 RIP_SMIME_NOT The message is not an smime message -
7959 RIP_SMIME_PARSE_ERR Not a S/MIME enveloped or a opaque signed message. <msg_id> -
7960 RIP_SMIME_PARSE_BOUNDARY No boundary found, malformed mime message. <msg_id> -
7961 RIP_SMIME_PARSE_BOUNDARYREM Boundary definition removed from the header for message <msgid> -
7962 RIP_UPDSF_ENC_CCCF Message is Digitally signed/encrypted. Skipping CFQ/CCQ...
7963 RIP_UPDSF_ENC_BAYES Bayesian in SpamQ subfeature list. Skipping Bayesian.
7964 RIP_UPDSF_ENC_SPAM Empty Spam sub-features. Removing Spam from feature list...
7965 RIP_UPDSF_ENC_ESP ESP only subfeature with no other subfeature enabled. Skipping ESP and Content Filtering in ESP if enabled
7966 RIP_UPDSF_ENC_SPAM2 Empty Spam sub-features. Removing Spam from feature list...
7967 RIP_UPDSF_PM_ATTFIL MIME parsing failed. Removing Attachment Filtering from feature list...
7968 RIP_UPDSF_PM_CONTFIL MIME parsing failed. Removing Content Filtering from feature list...
7969 RIP_UPDSF_PM_MSGSTP MIME parsing failed. Removing Message Stamping from feature list...
7970 RIP_UPDSF_PM_ICA MIME parsing failed. Removing Image Analysis from feature list...
7971 RIP_UPDSF_PM_NONE Empty Policy Manager sub-features. Removing Policy Manager from feature list...
7972 RIP_FAIL_PARSE_F Failed to parse the message file. -
7973 RIP_FAIL_DROP_ABN Parse failed. Dropping it because it is not normal.
7974 RIP_FAIL_DROP Parse failed. Message dropped.
7975 RIP_FAIL_QTN Parse failed. Message quarantined in Failures Queue.
7976 RIP_FAIL_DELIV_RECP Parse failed. Message will be delivered to recipient bypassing CFQ.
7977 RIP_FAIL_DELIV_ALTN Parse failed. Message will be delivered to alternate address bypassing CFQ.
7978 RIP_LOOP_ERR Loop Error: <msg_id:Number of rcvdheader:config value> -
7979 RIP_LOOP_DROP_ABN Mail loop detected. Dropping it because it is not normal.
7980 RIP_LOOP_DROP Mail loop detected. Message dropped.
7981 RIP_LOOP_QTN Mail loop detected. Message quarantined in Failures Queue.

System Defined Header Analysis events


Table 361 SDHA events
Event ID Event Description
8193 SHA_BYPASS System Defined Header Analysis bypass for Message ID: -
8194 SHA_NOLIST Message Filter/Function list/ Regex List is empty.
8195 SHA_ERR Error occurred during SDHA for Message ID: -
8196 SHA_MAXFROM From header contains more than address entries: -
8197 SHA_MAXTO To header contains more than address entries: -
8198 SHA_MAXCC CC header contains more than address entries: -
8199 SHA_MAXREPLYTO ReplyTo header contains more than address entries: -
8200 SHA_MAXTOCC Total count of entries in To and CC headers exceeded the configured limit.
8201 SHA_HIT SDHA rule hit for Message-Id: <rid1:rid0:msgid> -
8202 SHA_NOFROM DNS_LOOKUP_822FROM result not found in DB for Message ID: -
8203 SHA_NOTIMPL SDHA rule not implemented: -
8204 SHA_SCORE System Defined Header Analysis was successful in evaluation of rule(s) for Message ID, with Score details: <msgid:score> -
8205 SHA_NOMATCH System Defined Header Analysis was evaluated and none of the action rule(s) matched for Message ID: -

SMTP authentication events


Table 362 SMTP authentication events
Event ID Event Description
8705 SMTPAUTH_DISABLED SMTP AUTH not enabled. Rejecting command...
8706 SMTPAUTH_ARGS_ERR Not enough arguments for SMTP auth.
8707 SMTPAUTH_AUTHENTICATED SMTP AUTH - Already authenticated. Rejecting command...
8708 SMTPAUTH_INVALID_USER Invalid user name response.
8709 SMTPAUTH_INVALID_PWD Invalid password response.
8710 SMTPAUTH_FAILED Authentication unsuccessful.
8711 SMTPAUTH_PASSED Authentication successful.
8712 SMTPAUTH_MECHANISM_UNSUPPORTED SMTP AUTH - Unsupported mechanism -

SMTP Before POP events


Table 363 SMTP before POP events
Event ID Event Description
8961 SMTPB4POP_CONN_OK Success, smtpb4pop connection to SMTP PROXY host/port with Response: <host:port:resp> -
8962 SMTPB4POP_SEND Attempt to send smtpb4pop IP to smtp proxy -
8963 SMTPB4POP_SENT Sent smtpb4pop IP with Response from smtp proxy <ip:resp> -
8964 SMTPB4POP_IP_REQ IP address not present. Rejecting command...

SMTPI events
Table 364 SMTPI events
Event ID Event Description
9217 SI_INVALID_PATTERN Invalid address pattern in the configuration. Skipping .... -
9218 SI_EMPTY_PATTERN_LIST Empty pattern lists. Address Pattern Matching will not take effect.
9219 SI_INVALID_WL_ADDR Invalid address in White list for Pattern Match. Skipping .... -
9220 SI_CURRENT_LOAD Current load as calculated from the database (number of messages) -
9221 SI_LOAD_THROTTLE_SLEEP Load throttling encountered, will sleep for x seconds <sleep:current_load:max_msg_limit> -
9222 SI_CHANNELS_CREATED Created channels -
9223 SI_CLEAN_DNSCACHE Cleaning DNS cache
9224 SI_WARN_NO_DNSSERVER Warning: No working DNS server in your configured server list.
9225 SI_CLEANUP_SMTPB4POP Starting cleanup of smtpb4pop data.
9226 SI_COUNT_IN SMTP In Count -
9227 SI_COUNT_OUT SMTP Out Count -
9228 SI_COUNT_DROP SMTP Dropped Count -
9229 SI_CONN_STATS_UPDATED Connection details update completed ...
9230 SI_CONN_STAT -
9231 SI_CONN_REJECT_STATS -
9232 SI_FAIL_OPEN_TSFILE Failed to open ts hit file. IP hit counter update failed. -
9233 SI_PROCESS_START Processing started.
9234 SI_PROCESS_END Processing completed.
9235 SI_CONNECTION_INFO ChannelID:ThreadID:Source IP:Port:Destination IP:Port -
9236 SI_CONNECTION_ACCEPT Connection accepted.
9237 SI_MSG_INCOMPLETE Incomplete message transmission.
9238 SI_MSG_SIZE_OVER_LIMIT Message size exceeds the limit. Message not queued. -
9239 SI_MSG_Q_FAILED Database/File System issues. Message queuing failed.
9240 SI_CMD_LINE Command line -
9241 SI_CMD_REJ_WITH_CRLF Command line containing CR or LF. Rejecting command...
9242 SI_CMD_LEN_EXCEEDED Command line length exceeds the maximum allowable. Rejecting command...
9243 SI_CMD_INVALID Invalid command. Rejecting command...
9244 SI_CMD_SEQUENCE_ERR Command sequence error. Rejecting command...
9245 SI_CMD_UNRECOGNIZED Unrecognized command. External Connection. Command not supported.
9246 SI_CMD_TYPE_ERR Type not present. Rejecting command...
9247 SI_CMD_DATA_INVALID_PARAM DATA - Invalid parameters. Rejecting command...
9248 SI_CMD_DATA_MSG_Q_FAILED DATA - Message queuing failed. Rejecting command...
9249 SI_MOREDATA_DEBUG Came into more_data Length -
9250 SI_EXIP_ARGS_ERR No data present in EXIP command.
9251 SI_EXIP_INFO External IP from EXIP command:Score:Query:DQ -
9252 SI_EXIP_FAILED EXIP command failed for -
9253 SI_EHLO_DOM_REQ Domain name not present in EHLO. Rejecting command...
9254 SI_HELO_DOM_REQ Domain name not present in HELO. Rejecting command...
9255 SI_MF_ARGS_ERR MAIL FROM - more than one address. Rejecting command...
9256 SI_MF_ADDR_REQ MAIL FROM - address expected. Rejecting command...
9257 SI_MF_MSGS_PER_CONN_EXCEEDED MAIL FROM - Messages exceed maximum allowed per connection. Rejecting command...
9258 SI_MF_CLEAR_RCPT_LIST New Mail From Command Received. Dropping old recipients.
9259 SI_MF_TRIM_SP_CHAR Trimmed a special character from MAIL FROM.
9260 SI_MF_FORGED_ADDR_REJ MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...
9261 SI_MF_FORGED_ADDR_ACPT Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Marked for the 'Invalid MailFrom' spam rule. Accepting...
9262 SI_MF_ESMTP_EHLO_ERR MAIL FROM - ESMTP option specified without EHLO. Rejecting command...
9263 SI_MF_ESMTP_SIZE_INVALID MAIL FROM - invalid ESMTP size specified. Rejecting command...
9264 SI_MF_ESMTP_SIZE_EXCEEDED MAIL FROM - ESMTP size exceeds limit. Rejecting command...
9265 SI_MF_SECURITY_ERR Sender Refused due to lack of security.
9266 SI_RCPT_LIMIT_EXCEEDED RCPT TO - Recipient exceeds maximum allowed per message. Rejecting command...
9267 SI_RCPT_ADDR_ERR RCPT TO - Only one recipient address expected. Rejecting command...
9268 SI_RCPT_UUCP_NOT_SUPPORTED RCPT TO - UUCP Addressing not supported. Rejecting command...
9269 SI_RCPT_UUCP_DETECTED Detected an UUCP Address. UUCP addressing support is turned on. Accepting the recipient...
9270 SI_RCPT_INVALID_CHAR RCPT TO - Special character present -
9271 SI_RCPT_INVALID RCPT TO - Invalid address. Rejecting command...
9272 SI_RCPT_INFO Received -
9273 SI_RCPT_VALIDATE_PHISH_BYPASS UID is in phishing whitelist, bypassing pattern match
9274 SI_RCPT_VALIDATE_PHISH_CONTAIN Pattern is contained in the rcpt_to. -
9275 SI_RCPT_VALIDATE_PHISH_MATCH Pattern matched rcpt_to. -
9276 SI_RCPT_VALIDATE_PHISH_BLOCK Phishing Pattern Block
9277 SI_RCPT_VALIDATE_VIP_ACCEPT Recipient accepted after Address Pattern Matching.
9278 SI_RCPT_VALIDATE_VIP_REJECT Recipient rejected after Address Pattern Matching.
9279 SI_RCPT_VALIDATE_VIP_WL Recipient accepted after Address Pattern Matching. Address in white list.
9280 SI_RCPT_DIRECTION_CHANGE Email address changed directions <from:to> -
9281 SI_RELAY_INFO Relay ----> -
9282 SI_SKIP_QUEUES Skipping all queues since connection is from Email Gateway itself.
9283 SI_MAILBOX_UNAVAILABLE 550 Cannot relay. Mailbox not available -
9284 SI_MSG_STAT LOG_STAT -
9285 SI_MSG_DISPATCH_TIME Mail dispatch time -
9286 SI_BATV_ORIG_RCPTTO The orig dsn rcptto is -
9287 SI_BATV_RCPTTO_PARTS In DoBATVInbound rpct_address is <RCPT Address> rcpt uid is <RCPT UID> rcpt domain is <RCPT DOMAIN> -
9288 SI_BATV_SENTMAILFROM SentMailFrom is -
9289 SI_BATV_NOT_SIGNED Mail address isn't signed. Failing BATV.
9290 SI_BATV_INVALID_FORMAT Invalid format for BATV signature.
9291 SI_BATV_EXPIRED_MSG DSN Bounce Message older than <number day> days. Not checking signature. -
9292 SI_BATV_HASH_FODDER The hash fodder is -
9293 SI_BATV_COMPARE The tag val is <tag val> and the sent sig is <sent sig>. -
9294 SI_BATV_MATCH BATV sigs match using today’s date. Allowing message.
9295 SI_BATV_SENT_DATE The sent date derivative ddd is -
9296 SI_BATV_CHECK_DELAY Checking if this is a delayed bounce. The hash fodder is -
9297 SI_BATV_OLD_MATCH BATV sigs match using old date. Allowing message.
9298 SI_BATV_NOMATCH BATV sigs do not match. Rejecting Message.
9299 SI_BATV_RCPTLIST The original RCPTList is -
9300 SI_BATV_STRIPPED_RCPTLIST The stripped RCPTList is -
9301 SI_BATV_CHECKING Checking for BATV tag on Inbound DSN message.
9302 SI_BATV_FAIL_LOG Not dropping message for failing BATV test. Log Only.
9303 SI_BATV_SQLUPDATE_FAIL Update of SQL for BATV Reject Count failed.
9304 SI_BATV_SKIP_NONINBOUND Skipping BATV check for non Inbound message.
9305 SI_BATV_SKIP_NONDSN Skipping BATV check for non DSN message.
9306 SI_BATV_SKIP_WHITELISTED Skipping BATV check because sending ip is whitelisted.
9307 SI_BATV_DEBUG BATV Debug value(s) <fromSelf> -
9308 SI_MSG_INFO Message information <Source IP:Port:Message ID>
9309 SI_BATV_REJECTCLOSE BATV Test Failed, Rejecting and Closing SMTP connection.
9310 SI_BATV_SKIP_RELAY Skipping BATV check for relayed message
9311 SI_BATV_RCPTTO_WHITELISTED Skipping BATV check because internal recipient is whitelisted

SMTPO events
Table 365 SMTPO events
Event ID Event Description
9473 SO_PICKED Num messages picked -
9474 SO_OUTBOUND Channel outbound flag -
9475 SO_MAX_RETRY Max retry attempts -
9476 SO_MSG_START Starting to process msgid -
9477 SO_ENCR_START This is an Encryption Server Box (SWD) and msg type is -
9478 SO_ENCR_END Finished processing SWM message
9479 SO_ENCR_REDIRECT Redirect one or more domains to SWM server. Will re-pick msgid -
9480 SO_MSG_END Finished processing msgid -
9481 SO_DOM_PROCESS Processing Domain -
9482 SO_PROCESSED_LOCK Already processed, skipping domain:msgid:msglock -
9483 SO_CONF_DNS_SERVERS Channel will use per-domain user configured DNS servers. Host -
9484 SO_AUTH_RET_CODE Return Code <code &/ msg> -
9485 SO_AUTH_PASSED SMTP Auth Passed -
9486 SO_DOM_LOOKUPS_UNUSED -
9487 SO_CONN_BLOCK_TO Block timeout in seconds -
9488 SO_CONN_MX Connecting to MX -
9489 SO_CONN_ADR Connecting to A -
9490 SO_RECONN_TIME Timed out on connection attempts. domain:timeout:status -
9491 SO_VIP_HOST Channels Vip vipid:bindhost -
9492 SO_CONN_STATUS Connection Status <status> -
9493 SO_DM_SMIME The messages for the domain are S/MIME encrypted. Connection might get established non secured. Domain -
9494 SO_DM_PGP The messages for the domain are PGP encrypted. Connection might get established non secured. Domain -
9495 SO_DM_TLS The messages for the domain will be delivered over a secure channel using TLS. Domain -
9496 SO_DM_SWM Message will be delivered to the SWD Server -
9497 SO_SEC_ONLY Domain in SSL Required Domains list. The messages will be delivered over a secure channel using SSL. Domain -
9498 SO_POLICY_CONFLICT_1 Policies are in conflict. The messages are supposed to be delivered over a secure channel using SSL but the domain is in SSL Deny Domains list. Domain -
9499 SO_SSL_DENYLIST Domain in SSL Deny Domains list. The messages will be delivered over a non-secure channel. Domain -
9500 SO_POLICY_CONFLICT_2 Policies are in conflict. The messages are supposed to be delivered over a secure channel using SSL but Enable SSL has been turned off. Domain -
9501 SO_SSL_OFF Enable SSL has been turned off. The messages will be delivered over a non-secure channel. Domain -
9502 SO_REQ_SWD This domain/message requires secure delivery. It will be delivered using SWD
9503 SO_DOM_NO_TLS_SUPPORT TLS not supported for domain -
9504 SO_TLS_CERT_VERIFY_SKIP This message is destined to the SWD Server. Skipping the Recipient Server Certificate Verification failure
9505 SO_TLS_CERT_VERIFY_PASS Recipient Server Certification verification success
9506 SO_CONN_CLOSE Closing SMTP Connection
9507 SO_IPADDR_AUTH Matches Auth IPaddr <host> -
9508 SO_AUTH_ACTION It is configured to deliver mail on Strong Server Authentication failure.
9509 SO_AUTH_ACTION_SWM This message is destined to the SWD Server. Skipping the Strong Server Authentication failure.
9510 SO_DOM_HOST_CQS Domain Host is CQS.
9511 SO_CQS_VER CQS Version is -
9512 SO_TLS_CERT_INFO TLS Certificate Information <Info> -
9513 SO_DOM_IN_CERT Server Auth successful. The domain name is found in certificate.
9514 SO_RCTP_IN_CERT Server Auth successful. The recipient server name found in the certificate.
9515 SO_DNS_LOOKUPS DNS Lookup Returned -
9516 SO_CONN_DOM Connecting to Domain -
9517 SO_REDIRECT_SWM Message to this domain needs secured delivery. Redirecting to SWD. Domain -
9518 SO_SWM_ENABLED This is an SWM enabled box.
9519 SO_CQS_DONE CQS commands done
9520 SO_TLS_ERR_RETRY TLS Error, retry will be attempted for the Message. <Retry Count> -
9521 SO_ERR_RETRY Retry will be attempted for the Message. <Retry Count> -
9522 SO_SEND_DSN Domain address Invalid. Attempting to generate DSN -
9523 SO_SEND_MSG Starting SendSmtpMsg in domain -
9524 SO_MSG_STAT LOG_STAT <mail from>, <rcpt fix>, <size>, <date>, <secure Conn>. -
9525 SO_GEN_DSN Generating DSN
9526 SO_DSN_NO_REQ No DSN to be generated for this message.
9527 SO_DSN_TO DSN to <addr> -
9528 SO_DSN_INC_MSG Attaching the original messages in the DSN
9529 SO_PARSE_EMAIL Args received in parsing email addr <args> -
9530 SO_IPADDR_INVALID Address <ip addr> falls in invalid IP list <net address>:<CIDRMASK> -
9531 SO_READTBL_EXPN readAllTables: Exception in log/config Vip = <expn> -
9532 SO_CLN_THRD_START cleanerThread started. Delete interval = <interval> -
9533 SO_CLN_UNUSED -
9534 SO_QCLN_MSG Process <messages> partially processed messages -
9535 SO_CHANNELS_NUM Number of channels created -
9536 SO_DOM_ERR_DEF_TMP The template specified to notify Domain name same as hostname has been deleted. Defaulting to the system defined template. Template ID -
9537 SO_DOM_INVALID_DEF_TMP The template specified to notify Invalid Domain has been deleted. Defaulting to the system defined template. Template ID -
9538 SO_DOM_UNREACH_DEF_TMP The template specified to notify Domain Unreachable No more Attempts has been deleted. Defaulting to the system defined template. Template ID -
9539 SO_DOM_UNREACH_TRY_DEF_TMP The template specified to notify Domain Unreachable has been deleted. Defaulting to the system defined template. Template ID -
9540 SO_GENERIC_EXPN_DEF_TMP The template specified to notify recipient/sender/data/io/mime/tls exception has been deleted. Defaulting to the system defined template. Template ID -
9541 SO_DB_INCONSISTENT Message found in ct_msg_heap but not ct_message. Inconsistent Database!! MSGID -
9542 SO_DELIVERY_FAILED Failed to deliver, dropping message id -
9543 SO_DNS_OFF DNS Lookup is off and Static Host is empty in configuration. Processing will not proceed until the problem is fixed.
9544 SO_AUTH_FAILED SMTP Auth Failed -
9545 SO_AUTH_ERR SMTP Auth Error
9546 SO_DOM_CONN_ERR Failed to connect to IP:domain -
9547 SO_DOM_CONN_FAILED Generic Error - Connection Failed -
9548 SO_EHLO_TO EHLO TIMED OUT ... WILL TRY LATER <domain> -
9549 SO_EHLO_CONN_ERR Connect error in helo <error> <response> -
9550 SO_TLS_EHLO_ERR EHLO failed after TLS handshake for domain <domain> -
9551 SO_TLS_CERT_VERIFY_ERR Recipient Server Certificate verification failed. Dropping connection
9552 SO_TLS_CERT_VERIFY_DISABLED_ERR Recipient Server Certificate verification failed. Verification is not enabled. Continuing...
9553 SO_TLS_DOM_CHK_ERR TLS Invalid: The name on the certificate does not match the recipient server name and does not contain the domain we are to connect to.
9554 SO_INVALID_ADDR Invalid <address> found in Lookup records. Might cause message to loop. -
9555 SO_CONN_IM_LOOP Trying to connect to Email Gateway itself. Potential mail loop. -
9556 SO_DNS_FAILED DNS Could not contact domain -
9557 SO_DNS_NO_RESP All DNS Servers are not responding
9558 SO_HNSK_ERR Error during handshake. Will try again.
9559 SO_SEND_FAIL Failed to send msg. SMTP protocol error <err> -
9560 SO_SEND_MSG_EXP Exception occurred in smtpExceptionHandling.
9561 SO_SEND_MSG_NOT_FAIL Delivery failure. <Notification message id> : <Retry Count> -
9562 SO_SEND_MSG_NOT_FAIL_DEL Notification period end, Delivery Failed. Deleting Message.
9563 SO_EXPN Exception occurred: Type=<error type> Exception=<exp> -
9564 SO_DSN_FAIL_822_HDR DSN cannot be sent. Retrieval of RFC 822 headers failed for Message.
9565 SO_DSN_FAIL_ADDR DSN Cannot be sent to an invalid Sender address <addr> -
9566 SO_DSN_FAILED DSN to user <email> failed. -
9567 SO_DSN_EXPN Exception occurred in connection cleanup for DSN generation.
9568 SO_IPADDR_INVALID_FAIL Error while checking for invalid IP. <IPAddress> -
9569 SO_DOBATV_OUTBOUND BATV signed 821 MailFrom is -
9570 SO_BATV_VALS BATV values are DSN_BVP_enable: <IsEnabled> mail_from: <Mail From> mdoutbound <IsOutbound> selfdeliveryMode <Delivery Mode> -
9571 SO_BATV_SIGNED After calling do BATV on outbound Signed Mail From is -

Sender ID events
Table 366 Sender ID events
Event ID Event Description
9729 SPF_BYPASS SenderID Lookup bypass for Message ID: -
9730 SPF_ALLOW_RELAY IP is in allow relay, SenderID lookup bypassed.
9731 SPF_RESULT SenderID Result for PRA MTA Status Explanation: <pra:spfresult0:spfresult1:spfresult2> -
9732 SPF_MISS_PRA Missing purported Responsible Address. MTA Status: <250>
9733 SPF_NOTFOUND Sender ID result not found in DB for Message ID: -

SuperQueue events
Table 367 SuperQueue events
Event ID Event Description
9985 Q_PAUSE_SET Pausing the Queue through Monitor channel
9986 Q_PAUSE_RESET Resetting pause for the Queue through Monitor channel
9987 Q_PAUSE_RELEASE Releasing the Queue through Monitor channel
9988 Q_NO_SENDDOMAIN Sending domain not available, From address is: -
9989 Q_FW_TYPES Message data -
9990 Q_GROUP_ID User - GroupID info -
9991 Q_GROUP_NAME Group ID - Name -
9992 Q_GET_RULES Applied Policies, Applied Rules: <policies:rules> -
9993 Q_QTNREMOTE_SELF Remote system specified points to self. Proceeding with local quarantine -
9994 Q_QTNREMOTE_REROUTE Re-routed to EUQ server for quarantine -
9995 Q_QTNREMOTE_NOT Remote system not specified. Proceeding with local quarantine
9996 Q_ARCHIVE_NOPROF Profile Id not found. Abandoning archiving for Message Id: <profile:msgid> -
9997 Q_ARCHIVE_NOTO Could not replace the To field. Message might be corrupt. Cannot archive message to target -
9998 Q_ARCHIVE_MSG Archiving message to -
9999 Q_ARCHIVE_MARK Marking message for archival to -
10000 Q_POLICY_RULES Policies -
10001 Q_VH_RELATIONS Policy application to Virtual Hosts -
10002 Q_DICT_RECONFIG_CFGSTART Dictionary data reconfig. Wait on channels begin.
10003 Q_DICT_RECONFIG_CFGSTARTED Dictionary data reconfig. Channels suspended.
10004 Q_DICT_RECONFIG_CFGDONE Dictionary data reconfig. Channel release begins.
10005 Q_CLEANUP_STARTPREV Cleaning previous run activity...
10006 Q_CLEANUP_PREV Picked/ST mode messages <msgids> -
10007 Q_CLEANUP_INQTN Messages in Quarantine <msgids> -
10008 Q_CLEANUP_CHKQTN Checking for complete quarantine information for the messages....
10009 Q_CLEANUP_QTNCOMPL Cleaning live information for msgs as the information is complete in quarantine <msgids> -
10010 Q_CLEANUP_QTNINCOMPL Cleaning quarantine information for msgs as information in quarantine is incomplete <msgids> -
10011 Q_CLEANUP_STARTSTFAILURES Handling Single Thread Mode Failures...
10012 Q_CLEANUP_AVPASSTHRU ST Mode failure handling for Anti-Virus, Pass Through action overridden to Quarantine...
10013 Q_CLEANUP_DROPPED Message dropped on ST Mode failure. <msgid> -
10014 Q_CLEANUP_QTNED Message quarantined to Failures Quarantine Queue on ST Mode failure. <msgid> -
10015 Q_CLEANUP_PASSED Message passed through on ST Mode failure. <msgid> -
10016 Q_CLEANUP_STARTST Starting Single Thread Mode operations...
10017 Q_PAUSE_RELEASE_TO Releasing the Queue. Timeout occurred.
10018 Q_URLHARVEST_START URL harvest thread started
10019 Q_URLHARVEST_DUMP URL harvest dumped only by parent superq process.
10020 Q_URLHARVEST_DONE URL harvest done
10021 Q_URLHARVEST_ERR URL harvest failed to open dump file
10022 Q_TREND_START Compliance trend count tracker thread started
10023 Q_TREND_RUN Compliance trend count tracker running.
10024 Q_TREND_CMPLCNT Compliance counts <cnt> -
10025 Q_TREND_TRENDCNT Trend counts <cnt> -
10026 Q_TREND_ACTIONCNT Action counts <cnt> -
10027 Q_TREND_DOMCNT Domain trend counts <cnt> -
10028 Q_TREND_URLHITS URL Hits <cnt> -
10029 Q_TREND_QIN Superq In Ctr <cnt> -
10030 Q_TREND_QOUT Superq Out Ctr <cnt> -
10031 Q_TREND_QDROP Superq Drop Ctr <cnt> -
10032 Q_TREND_QQTN Superq Qtn Ctr <cnt> -
10033 Q_TREND_OIN Smtpo In Ctr <cnt> -
10034 Q_TREND_OOUT Smtpo Out Ctr <cnt> -
10035 Q_TREND_ODROP Smtpo Drop Ctr <cnt> -
10036 Q_TREND_OQTN Smtpo Qtn Ctr <cnt> -
10037 Q_TREND_END Compliance trend data tracker completed.
10038 Q_PROCESS_START Processing started for Message ID: <msgid> -
10039 Q_PROCESS_END Processing completed for Message ID: <msgid> -
10040 Q_READ_CONFIG Reading configuration data...
10041 Q_PAUSE_ON Queue set to Pause state. Quitting QSpinner.

TrustedSource events
Table 368 TrustedSource events
Event ID Event Description
10241 TS_BYPASS TrustedSource bypass for Message ID: -
10242 TS_ZOMBIE Zombie detected
10243 TS_LKUP_TO TrustedSource lookup timed out
10244 TS_FINGER_MSG Fingerprinting message <ehlo-dom:subj:msgid> -
10245 TS_REPPER repper response: -
10246 TS_GREY_LIST_SPAM Spam Message. Grey Listed.
10247 TS_SPAM_DROP Spam Message. Message not queued.
10248 TS_IP_WHITELIST IP address whitelisted for TrustedSource.
10249 TS_LKUP Performing TS Lookup -
10250 TS_LKUP_RESULT TrustedSource Result - <status:lookup_ip:ipscore:score:dq_status:time> -
10251 TS_FINGERPRINT Fingerprint -
10252 TS_RESULT_TEXT Text -
10253 TS_LKUP_NOANS Received empty answer section for TS query

User Defined Header Analysis events


Table 369 UDHA events
Event ID Event Description
10497 UHA_BYPASS User Defined Header Analysis bypass for Message ID: -
10498 UHA_NOLIST Message list not enabled
10499 UHA_ERR Error occurred in UDHA for Message ID: -
10500 UHA_SCORE User Defined Header Analysis was successful in evaluation of rule(s) for Message ID with Score details: <msgid:score> -
10501 UHA_NOMATCH User Defined Header Analysis was evaluated and none of the action rule(s) matched for Message ID: -

Virtual Host events


Table 370 VIP events
Event ID Event Description
10753 VIP_CONFIG_ATTRS Configure vip attributes -
10754 VIP_NO_LANTAG Display value not found in ct_lang_tags for -
10755 VIP_LOAD_ALL Load all vips
10756 VIP_RM Removed vip from vip map -
10757 VIP_USEFB Using fallback Vip the Vip <fallback:vip> -
10758 VIP_ATTR set attr_name and attr_value: <name:value> -
10759 VIP_NOTFOUND Vip not found in vip collection. skipping load_attr_fromhash. -
10760 VIP_COLLECTION vipCollection: -
10761 VIP_TYPE vip: <vip:type> -
10762 VIP_CANENABLE_FLAG canEnable_vip_configured flag -
10763 VIP_REVIVE Vip revived from original type to new type. Fallback will be reset. <orig:new> -
10764 VIP_FB_REVIVE Vip Fallback value after revive (inbd, outbd) <vip:inbd:outbd> -
10765 VIP_INSERT Inserted Vip -
10766 VIP_UPDATE Updating Vip -
10767 VIP_REUSEIP Reuse IP flag is ON. Updating IP for Vip -
10768 VIP_SOCK_CREATE Create socket for vip -
10769 VIP_SOCK_DEL Delete socket for vip -
10770 VIP_NOTCONFIGED_ENABLE enable: VIP not configured/enabled, vip_id= -
10771 VIP_NOTCONFIGED_DISABLE disable: VIP not configured, nothing to disable vip_id= -
10772 VIP_INFO <Channels VIP:Secure Flag> -
10773 VIP_CHANGE_INFO <My Id>:<Old VIP ID>:<New VIP ID>:<Domain Name> -
10774 VIP_CHANGE_FAILED New vip is disabled cannot switch. <My Id>:<Old VIP ID>:<New VIP ID>:<Domain Name> -
10775 VIP_ILLEGAL_CONN_ERR Invalid vip for the connection. <My Id>:<Invalid vip>:<Correct vip>:<Domain Name> -

White List events


Table 371 White List events
Event ID Event Description
11009 WL_POLICIES Policies : -
11010 WL_VHRELATIONS Policy application to Virtual Hosts : -
11011 WL_UPDATE User created whitelist entries usage updated.
11012 WL_UPDATE_NOLIST No new user created whitelist entries available for usage update.
11013 WL_NO_SENDDOMAIN Sending domain not available, From address is: -
11014 WL_GROUP_ID User - GroupID info -
11015 WL_GROUP_NAME Group ID - Name -
11016 WL_SKIP_SPAMSF Message size exceeds the skip-message size limit. Skipping all spam sub-features. <msgsize:skiplimit:msgid> -
11017 WL_SF_EUSR Setting only User Reported Spam as the subfeature
11018 WL_SF_EUHR Setting only User Reported Ham as the subfeature
11019 WL_SF_EST Setting only Enterprise Spam as the subfeature
11020 WL_SF_CCQTRAIN Setting only CC Trainer as the subfeature
11021 WL_SF_REMOVE_NOT Not all recipients qualified to remove sub-feature in feature: <sf:f> -
11022 WL_BYPASS_RULES Bypass rules triggered for the message - IDs: <msgid:ruleids> -
11023 WL_GET_RULES Applied Policies, Applied Rules: <policies:rules> -
11024 WL_CC_DENY Connected IP is in IP Whitelist connection control List.

Index
A
Address Masquerading 145
  Domain Masquerading
    Add New Domain 147
    Wild Cards 148
  Email Masquerading
    Adding an Email Address 148
Advanced Compliance 101
  Features
    Engines 101
    Key Concepts 102
Alert Manager
  Alert Class 444
    Adding an Alert Class 444
    Editing an Alert Class 445
  Alert Mechanisms 445
    Adding an Alert Mechanism 446
  Alert Viewer 447
Allow Relay 353
Anomaly Detection 428
  Configuration 429
    Creating Anomaly Rules 429
    Showing Anomaly Rules 431
Anti-Fraud-Phishing Protection 208
  Snapshot 208
Anti-Spam Feature Order 254
Anti-Virus
  Current Information 274
  Signature Engines 275
    Bypass Extensions 276
    Detection Behaviors 276
  Updating Signature Protection 277
    Automatic Updates 279
    Manual Updates 277
  Zero-Day Protection 272
Anti-Zombie Protection 207
  Snapshot 207
Appliance Certificates 495
Attachment Analysis 158
  Apply Rules 163
    Add New Application 164
    Edit Existing Application 166
  Manage Rules 158
    Adding a New Rule 160
Attachment Compliance 158
B
Backscatter Protection (BATV) 264
Bayesian
  Admin-released messages 241
  Ham retraining 241
Bayesian Filtering 237
  Bayesian and Spam Profiler 239
  Retraining 240
  Tokenization 238
C
Central Quarantine Server
  Using Remote Quarantine 61
    High-Level Process 62
    Implementation 62
Certificate Management 287, 319
  Certificates 287, 319
  Domain Require and Deny 363
    Adding Domains 364
Changing the Admin Password 496
Cleanup Schedule 494
Clustering 492
  Adding appliances 493
  Maximum number 493
  Removing appliances 494
  Starting a cluster 493
Command Line 537
  Commands 537
    EDIT 538
    HELP 538
    History 552
    Reset 553
    RUN 541
    SET 542
    SHOW 543
    SYSTEM 551
    TAIL 551
    TEST 552
  Command Overview 537
Configuration
  Backup 513
    Backup Data 515
    Backup Now 513
    Scheduled 514
  Restore 516
    Granular 516
    Restore All 517
    Restored Data 518
Configuring Queues 49
  MIME Joiner 56
  MIME Ripper 53
  SuperQueue 50
Configuring the CQS 63, 64
  Appliances 64
    Secure Mail Appliances 64
    the CQS 64
  Quarantine Types 63
  the Cleanup Schedule 71
  User Quarantine 66
    End User Quarantine User List 68
    End User Whitelists 69
  Feeder Secure Mails 66
    the CQS 66
Configuring the Secure Mail Appliances 64
Connection Control 209
  Configuration 210
    Cleanup 211
    Options 210
    Special Requirements 211
  Deny List 213
    Deny list 213
  Exclude List 211
  LDAP 210, 382
Content Analysis
  Applying Rules 95
    Edit Existing Application 97
    New Application 96
  Dictionaries 79
    Adding a New Dictionary 87
    Editing and Searching 81
  Managing Rules 92
    Editing Rules 94
    Pre-defined RegEx 91
  Report Configuration 98
    Adding a Report 99
    Editing Report Configuration 99
Content Analysis Rules
  Manage 103
Content Analysis, Advanced
  Apply Rules 106
    Add Policy 107
    Edit Policy 108
  Categories 110
    Add Category 111
    Configure Categories 114
    Edit Category 112
    Train Categories 112
    Training Corpus 115
    Compliance Trainer 116
  Manage Rules
    Add New Rule 104
    Edit Rule 105
Content Compliance
  Dictionaries
    Editing and Searching 81
Control Center Communication 532
  CC Attributes 532
  SSH Configuration 533
  Storing Control Center Keys 532
Controlling 337
  Gateway 337
D
Date and Time 528
Deny Lists 249
  Local Deny List 249
    Add New Listing 251
  RBL Drop List 251
  Reverse DNS Drop List 252
Desktop Encrypted Compliance 149
Desktop Encryption Control 149
  Apply Rules 153
    Add New Application 154
    Edit Existing Application 156
  Manage Rules 149
    Add New Rule 151
    Edit Rule 152
DNS Hijack Protection 427
  Configuration 427
DomainKeys Identified Mail 262
  Configuring DKIM 262
  Domains and Selectors 262
DSN Bounce Verification
  Configuration 265
  How DSN Bounce Protection works 265
Dual Central Quarantine Servers 73
  Configuring CQS2 73
  If CQS1 Fails 74
  On CQS1 73
  On CQS2 73
Dynamic Quarantine 45
  Rules 46
  TrustedSource variable 48
Dynamic Spam Classifier 199
  Configuring DSC 200
  How DSC Works 200
  Reporting 200
  Updating DSC 200
  Whitelisting 200
E
End 66, 73
End User Quarantine 66
  Configuration 215
  Policy Modifications 218
  EUQ Web Page
    Customize 218
    Logging 218
  Mailing List 223
  On the CQS 66
  On the Feeder IronMails 66
  Release Notification 224
  Viewing a List 225
  Releasing Messages 226
    from the List 227
    from the Notification 227
  Release Process 228
  User List 221
  Whitelist 229
    Configuration 231
    Maintenance 230
    User-Defined Policies 233
End User Whitelists 69
Envelope Analysis
  Apply Rules 130
    Add New Application 131
    Edit Existing Application 133
  Manage Rules 125
    Add New Rule 126
    Edit Existing Rule 128
ePolicy Orchestrator 504
  Configuring 504
  Events 504
  Extensions 504
F
FIPS Compliance
  Configuration 534
G
Gateway 337
  Controlling 337
  Gateway Threats 337
Group Manager 177
  Add New Group Definition 178
  Edit Existing Group Definition 179
H
Header Analysis 241
  Regular Expressions 241
    System-Defined 242
      Filters 243
      RFC821 vs. RFC822 Headers 246
      SDHA and Spam Profiler 246
    User-Defined 247
      UDHA and Spam Profiler 249
Header options
  Non-ASCII characters 195
Health Monitor
  Configuration 497
  Configuring Email Gateway Alerts 500
  Tests 499
I
Image Analysis
  Apply Rules 120
    Add Policy 121
    Edit Policy 123
  Manage Rules 118
    Add Rule 119
    Edit Rule 120
Image Spam Analysis 199
  How ISC works 199
Image Spam Classifier
  Whitelisting 200
Implementation 62
Installing an X509 Certificate 290, 322
Intrusion Blocker
  Controlling the Gateway 337
Intrusion Defender
  Gateway Threats 337
IP Addresses, Configuring 506
  Adding an IP 507
  Editing an IP 508
L
LDAP
  LDAP Operations
    Realtime 365
    Synchronized 365
  LDAP Profiles 366
  LDAP Queries 366
    Realtime Rule Queries 367
    Synchronized Rule Queries 367
  LDAP Rules 366
  Rules and Domains 366
  Using LDAP
    on Email Gateway 365
LDAP Configuration 367
  LDAP Profiles 367
    Editing a Profile 369
    New Profile 368
  LDAP Properties 382
  LDAP Rules 370
    Editing a Rule 381
    New Synchronized Rule 376
License Manager 530
Logging in
  Compliance officer 485
  ePO user 485
  Virtual Host administrator 484
M
Mail Monitor 149
Mail Notification 180
  Allowed Variables 182
Mail Routing 354
  Domain-Based Routing 355
    Editing an Existing Domain 358
    New Routing Domain 356
  Internal Routing 359
    Adding an IP 360
Mail Services 341
  Configuring Mail Services 342
    Global Properties 351
    SMTPI and SMTPIS 342
    SMTPO Service 347
Mail-IPS
  Application Level Protection 401
    Configuration 404
    Denial of Service Protection 401
    Password Cracking 403
    Password Strength 402
  System Level Protection
    File System Integrity 406
    Program Integrity 406
Mail-VPN
  Configuring Mail-VPN 360
  Configuring Services 361
    IMAP4 361
    POP3 363
Message actions
  subject re-write 580
Message Archives
  Applying Archiving 442
    Global 442
    Rule Based 442
  Configuring 439
    Add Immediate Target 441
    Add Scheduled Target 440
    Editing an Archive 441
Message Stamping 172
  Apply Rules 174
    Add New Application 174
    Edit Existing Application 176
  Manage Rules 172
    Add New Rule 172
    Edit Existing Rule 173
N
Network DLP Analysis 167
  Editing Rules 170
  Managing Rules 169
  Using DLP Analysis 171
O
Off-Hour Delivery 157
On 66
P
Power Down and Restart 527
Q
Quarantine Types 58
  Using the Quarantine Queue 60
Queue Order 57
  Configuring the Sub-Queues 52
    Anti-Virus Queue 54
    Content Filtering Queue 55
    Mail Monitoring Queue 56
Queues
  Final Queues
    Join Queue 31
    Outbound Queue 31
  Non-Processing Queues 32
    Failures Queue 32
    Quarantine Queue 32
  SuperQueue 30
Queues, the 29
R
RBL
  Dynamic Hop Count 261
  Hop Count 261
  Realtime Blackhole Lists 258
  Multiple Blacklists 262
  RBL and Spam Profiler 262
Reports
  Configuration 449
  CSV Reports 453
    Understanding the CSV File 456
  EMail Gateway Logs
    Log Levels 462
    Email Gateway Logs 462
    Summary Logs 469
    Syslog Configuration 473
  Reports Viewer 435
Resetting Keys 531
Reverse DNS 253
Reverse_DNS 253
S
Sender ID Lookup 235
  Sender ID and Spam Profiler 236
Setting Quarantine Types 63
Signature configuration 388
SMTP
  Custom Ports 358
SMTPO 73
SNMP Polling 460
  Configuration 460
  Email Gateway variables 461
Spam Profiler
  Apply Rules 195
    Add Policy 196
    Edit Profiler Policy 197
  Configuring Spam Profiler 192
  Manage Rules 193
    Add New Rule 194
  Spam Profile 191
Spam Traps 257
SpamProfiler
  Locking configuration 200
Support scripts 525
System
  Configuration
    Appliance Configuration 503
    Check Tool 519
    Routing 509
    Serial Port 511
    SSH Configuration 511
    ePolicy Orchestrator 504
T
The End User Quarantine User List 68
TRUSign Updates
  Locking current settings 201
  Special locking configurations 201
TrustedSource 203
  Configuring TrustedSource 203
  LDAP Rejections 206
  Using TrustedSource
    Launching 206
    Whitelisting 205
U
Updates 521
  Anti-virus updates 521
  Applying Updates 523
  Compliance updates 521
  Configuring Auto-Updates 524
  Hotfix updates 521
  Mail-IPS updates 522
  Managing updates 522
  Pre-configuration updates 521
  Software updates 521
  Support Scripts 525
  TRU Optimize 521
  TRU Response 521
UPS Statistics 527
User Accounts
  Create 478
User accounts
  Types 477
    Appliance administrator 477
    Compliance officer 478
    Virtual Host administrator 478
User Spam Reporting 255
V
Virtual Hosts
  Configuring Virtual Hosts 411
    Adding a Virtual Host 411
    Deleting a Virtual Host 423
  Domain Based Administration 425
    Creating Accounts 425
  Managing Virtual Hosts 410
  Using Virtual Hosts 424
    Applying Rules 424
W
Web Administration
  Allowed IPs 487
    Settings 488
  User Accounts 477
    Managing Accounts 480
  User Preferences 489
    Dashboard 489
    Miscellaneous 491
    Miscellaneous Preferences 491
    Queue Manager 490
WebAdmin and CLI 508
WebMail Protection
  Configuration 385
  Customizing the IWM Log-In 397
  HTTP Routing 388
    Host-Based Routing 392
    Path-Based Routing 389
    Portal Page Routing 394
  Strong Client Authentication 395
Whitelisting
  Applying Whitelist Rules 141
    Adding a New Whitelist Application 141
    Editing Application 143
  Automatic rule cleanup 138
  Creating New Whitelists 135
  Rule expiration 136
  Searching Whitelists 139
  Viewing Whitelists 137
  Editing a Whitelist Rule 138

700-2195A00