Administration Guide
version 6.7.2
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD,
MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS,
PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL
PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the
sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN
THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A
FULL REFUND.
License Attributions
MD5 portions Copyright (C) 1995, Board of Trustees of the University of Illinois (C) Copyright 1993,1994 by Carnegie Mellon University. Copyright (c) 1991
Bell Communications Research, Inc. (Bellcore). Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991.
expat-lite portions Copyright (c) 1998, 1999 James Clark.
Regex portions Copyright 1992, 1993, 1994 Henry Spencer
expat xml parser library portions Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper
mod_mime_magic portions Copyright (c) 1996-1997 Cisco Systems, Inc, Copyright (c) Ian F. Darwin, 1987
mod_imap portions "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com
zb test and ab support portions Copyright (C) Zeus Technology Limited 1996
Cheetah portions Copyright 2001, The Cheetah Development Team: Tavis Rudd, Mike Orr, Ian Bicking, Chuck Esterbrook
Dom4J License portions Copyright 2001-2005 (C) MetaStuff, Ltd.
GIFLIB distribution portions Copyright (c) 1997 Eric S. Raymond
ICONV portions Copyright (C) 2003 Hye-Shik Chang
LibPNG versions 1.2.6, August 15, 2004, through 1.2.39, August 13, 2009 portions Copyright (c) 2004, 2006-2009 Glenn Randers-Pehrson, Contributing
Authors Cosmin Truta
LibNet portions Copyright (c) 1998 - 2001 Mike D. Schiffman mike@infonexus.com http://www.packetfactory.net/libnet.
M2Crypto portions Copyright (c) 1999-2004 Ng Pheng Siong, Portions copyright (c) 2004-2006 Open Source Applications Foundation., Portions copyright
(c) 2005-2006 Vrije Universiteit Amsterdam.
NetSNMP portions Copyright 1989, 1991, 1992 by Carnegie Mellon University Derivative Work - 1996, 1998-2000 Copyright 1996, 1998-2000 The Regents
of the University of California, Copyright (c) 2001-2003, Networks Associates Technology, Inc., Portions of this code are copyright (c) 2001-2003,
Cambridge Broadband Ltd.., Copyright California 95054, U.S.A.. Copyright (c) 2003-2008, Sparta, Inc. Copyright (c) 2004, Cisco, Inc and Information
Network Center of Beijing University of Posts and Telecommunications. Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com
Author: Bernhard Penz.
Numeric portions Copyright (c) 2005, NumPy Developers.
OpenLDAP portions Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA.
OpenSSH portions Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland, Cryptographic attack detector for ssh portions Copyright (c) 1998 CORE
SDI S.A., Buenos Aires, Argentina, ssh-keyscan portions Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>, Rijndael implementation by Vincent
Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain, One component of the ssh source code portions Copyright (c) 1983, 1990, 1992,
1993, 1995 The Regents of the University of California. Remaining components portions copyright holders: Markus Friedl, Theo de Raadt, Niels Provos,
Dug Song, Aaron Campbell, Damien Miller, Kevin Steves, Daniel Kouril, Wesley Griffin, Per Allansson, Nils Nordman, Simon Wilkinson
OpenSSL portions Copyright (c) 1998-2008 The OpenSSL Project. SSL implementations portions Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com).
PIL portions Copyright (c) 1997-2006 by Secret Labs AB Copyright (c) 1995-2006 by Fredrik Lundh
PyASN1 portions Copyright (c) 2005, 2006 Ilya Etingof ilya@glas.net
Python portions Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation;
PySNMP portions Copyright (c) 1999-2006, Ilya Etingof ilya@glas.net
ReportLab portions Copyright (c) 2000-2004, ReportLab Inc.
ripMIME portions Copyright (c) 2000 P.L.Daniels
strace portions Copyright (c) 1991, 1992 Paul Kranenburg pk@cs.few.eur.nl, Copyright (c) 1993 Branko Lankester branko@hacktic.nl, Copyright (c) 1993
Ulrich Pegelow pegelow@moorea.uni-muenster.de, Copyright (c) 1995, 1996 Michael Elizabeth Chastain mec@duracef.shout.net, Copyright (c) 1993,
1994, 1995, 1996 Rick Sladkey jrs@world.std.com, Copyright (C) 1998-2001 Wichert Akkerman wakkerma@deephackmode.org
Tiff portions Copyright (c) 1988-1997 Sam Leffler, Copyright (c) 1991-1997 Silicon Graphics, Inc.
Conventions ... 15
Acronyms ... 16
Dashboard
1 The Dashboard ... 19
About the Dashboard ... 19
Configuring the Dashboard ... 19
Special navigation ... 19
The charts ... 21
System charts ... 21
Queue charts ... 23
Dashboard reports and summaries ... 23
Executive summary ... 23
Mail IPS status ... 23
Health Monitor summary ... 23
Services status ... 24
Connection blocking status ... 24
SpamProfiler status ... 25
System utilization ... 25
Updates status ... 25
Alert status ... 25
WebMail protection status ... 25
Encryption status ... 25
Queue Manager
2 Email Gateway Queues ... 29
About the queues ... 29
SuperQueue ... 30
Rip Queue ... 30
Content Extraction Queue ... 30
Anti-Virus Queue ... 30
Content Analysis Queue ... 30
Envelope Analysis Queue ... 30
Anti-Spam Queue ... 31
Corporate Compliance Queue ... 31
The Join Queue ... 31
Outbound Queue ... 31
Non-processing queues ... 32
Quarantine Queue ... 32
Failures Queue ... 32
3 Queue Information ... 33
About the Queue Information window ... 33
Quarantined messages ... 33
Current messages ... 34
Queue activity ... 34
Viewing messages ... 35
Searching messages ... 40
Quarantined messages ... 41
Current messages ... 43
Processed messages ... 44
5 Remote Quarantine ... 61
About Remote Quarantine ... 61
Central Quarantine Server ... 61
Which features use Remote Quarantine? ... 61
General implementation ... 62
High-level process ... 62
Configuration of the CQS ... 63
Setting quarantine types ... 63
Configuring appliances ... 64
End User Quarantine ... 66
Setting the Cleanup Schedule ... 71
Dual Central Quarantine Servers ... 73
Configuring CQS2 ... 73
If CQS1 fails ... 74
Compliance
6 Compliance Overview ... 77
About Compliance ... 77
Snapshot reports ... 77
7 Content Analysis ... 79
About Content Analysis ... 79
Dictionaries ... 79
Editing and searching an existing dictionary ... 81
Editing the search option ... 81
Viewing dictionary content ... 81
Searching dictionary content ... 83
Adding content ... 84
Editing existing dictionary content ... 86
Adding a new Content Analysis dictionary ... 87
Adding the content ... 88
Managing content rules ... 92
Adding a new rule ... 93
Editing dictionary rules ... 94
Applying content rules ... 95
Adding a new policy ... 96
Editing an existing application ... 97
Dictionary report configuration ... 98
Adding a report ... 99
Editing a report configuration ... 99
11 Whitelisting ... 135
About whitelisting ... 135
Creating new whitelists ... 135
Creating a TrustedSource whitelist rule ... 136
Configuring whitelist rule expiration ... 136
Viewing whitelists ... 137
Editing a whitelist rule ... 138
Setting automatic cleanup for whitelist entries ... 138
Searching whitelists ... 139
Applying whitelist rules ... 141
Adding a new whitelist policy ... 141
Editing an application ... 143
Anti-Spam
13 SpamProfiler ... 189
About spam protection ... 189
Anti-Spam snapshot ... 189
SpamProfiler ... 191
Spam profile ... 191
Configuring the SpamProfiler ... 192
Managing SpamProfiler rules ... 193
Adding a new SpamProfiler rule ... 194
Editing an existing SpamProfiler rule ... 195
Applying SpamProfiler rules ... 195
Adding a new SpamProfiler policy ... 196
Editing a SpamProfiler policy ... 197
Classifying spam ... 198
Image Spam Classifier (ISC) ... 199
Dynamic Spam Classifier (DSC) ... 199
How to configure DSC and ISC ... 200
Whitelisting DSC and ISC ... 200
Locking your SpamProfiler configuration ... 200
Locking your current configuration settings ... 201
Special configurations ... 201
Anti-Virus
17 Anti-Virus Protection ... 269
About Anti-Virus protection ... 269
Anti-Virus snapshot ... 269
Zero-Day Protection Setting ... 272
Current Anti-Virus information ... 274
Signature engines ... 275
Editing detection behaviors ... 276
Configuring bypass extensions ... 276
Updating signature protection ... 277
Manual signature updates ... 277
Automatic Signature Updates ... 279
Encryption
18 Managing Encryption ... 283
About Encryption ... 283
Available reports ... 283
Incoming message reports ... 284
Outgoing message reports ... 284
About Secure Web Delivery ... 285
Configuring the Encryption Router ... 286
Certificate management ... 287
Certificates ... 287
PGP certificates ... 292
Managing domains ... 294
External domains ... 294
Internal domains ... 296
IntrusionDefender
20 IntrusionDefender Overview ... 337
About IntrusionDefender ... 337
Controlling the gateway ... 337
Gateway threats ... 337
Quick snapshot ... 338
Reporting
27 Reporting ... 435
About reporting ... 435
The Reports window ... 435
Viewing reports ... 436
Administration
31 Email Gateway Administration ... 477
User accounts ... 477
About user accounts ... 477
Creating user accounts ... 478
Managing user accounts ... 480
Editing a user account ... 482
Logging onto Email Gateway ... 482
Appliance administrators ... 483
Virtual Host administrators ... 484
Compliance officers ... 485
ePO Users ... 485
Configuring password policy ... 485
Allowed IPs ... 487
Configuring WebAdmin settings ... 488
User preferences ... 489
Dashboard preferences ... 489
Queue Manager preferences ... 490
Miscellaneous preferences ... 491
Clustering ... 492
Starting a cluster ... 493
Adding an appliance ... 493
Removing an appliance ... 494
General administration ... 494
The Cleanup Schedule ... 494
Configuring Appliance Certificates ... 495
Changing the Admin Password ... 496
System
33 System Configuration ... 503
Appliance configuration ... 503
ePolicy Orchestrator configuration ... 504
Key concepts ... 504
Configuring ePO functions ... 504
Configuring IP addresses ... 506
Adding an IP address ... 507
Editing an existing IP address ... 508
Configuring WebAdmin and CLI ... 508
Routing ... 509
Adding a new route ... 510
Editing an existing routing ... 511
The serial port ... 511
SSH configuration ... 511
Appendices
A Email Gateway Generated Alerts ... 557
The subsystems ... 557
The alerts ... 558
File types from which Email Gateway can extract content ... 614
Index ... 667
The Administration Guide describes the features and capabilities of McAfee Email Gateway version 6.7.2.
This guide is intended for network and security administrators. It assumes familiarity with the internet,
email messaging systems, and related terminology.
You can find additional information at the following locations:
• Online Help – Online Help is built into Email Gateway. Click the question mark icon at the upper right of
any window.
Conventions
Refer to Table 1 for a list of the text conventions used.

Table 1 Conventions

Convention          Description
Courier bold        Identifies commands and key words you type at a system prompt.
                    Note: A backslash (\) signals a command that does not fit on the same line.
                    Type the command as shown, ignoring the backslash.
Courier italic      Indicates a placeholder for text you type.
<Courier italic>    When enclosed in angle brackets (< >), identifies optional text.
nnn.nnn.nnn.nnn     Indicates a placeholder for an IP address you type.
Courier plain       Used to show text that appears on a computer screen.
Plain text italics  Identifies the names of files and directories. Also used for emphasis
                    (for example, when introducing a new term).
Plain text bold     Identifies buttons, field names, and tabs that require user interaction.
[ ]                 Signals conditional or optional text and instructions (for example,
                    instructions that pertain only to a specific configuration).
Caution             Be careful: in this situation, you might do something that could result in
                    the loss of data or an unpredictable outcome.
Note                A helpful suggestion or a reference to material not covered elsewhere in
                    the manual.
Security Alert      Information that is critical for maintaining product integrity or security.
Tip                 Time-saving actions; can help you solve a problem.
Note: The IP addresses, screen captures, and graphics used within this document are for illustration purposes
only. They are not intended to represent a complete or appropriate configuration for your specific needs. Features
might be enabled in screen captures to make them clear; however, not all features are appropriate or desirable
for your setup.
Acronyms
The following acronyms are used throughout this document (Table 2).
Table 2 Acronyms
Acronym Description
URL Uniform Resource Locator
Dashboard
Contents
About the Dashboard
The charts
Dashboard reports and summaries
Then click the arrow pointing to the panel (Left Panel or Right Panel) where you want the new
information to appear. The portlet will be moved to that panel.
The new portlet is set to appear at the bottom of the panel, by default. If you want to change the placement
of any portlet, highlight it and use the Up or Down button beside the panel. Click Save to record the
change.
Your window will display the Dashboard with the summaries and charts you have configured.
If you want to remove a portlet from the Dashboard, go to the Configure window, highlight the portlet, and
click the arrow pointing to the Available Portlets panel. When you click Finish, the portlet will be
removed from its display panel and added to the Available Portlets list.
Special navigation
You can expand or collapse any of the summaries that appear on the Dashboard, so that you can focus on
just the data you want to see. At the top right of each header, you will see double arrows, pointing either
upward (when the summary is expanded) or downward (when the summary is collapsed). Clicking the
double-arrow icon toggles the summary between its collapsed and expanded states.
During the same login session, the Dashboard summaries will remain expanded or collapsed as you last left
them. If you log out without saving the current configuration, the Dashboard will return to the configuration
you found at login. If you do save the configuration before you log out, the Dashboard will remain as you
last saw it before logout.
The charts
The charts that can be displayed on the Dashboard are subdivided into two types:
• System charts
• Queue charts
Each type can also be configured to display data for a distinct time period, ranging from one hour to one
year. The possible date ranges for each type are given as part of the description of that type.
Click any chart to display a larger, more detailed version.
System charts
The System charts include the following displays:
• Filesystem Utilization
• Memory Utilization
• CPU Utilization
• Disk I/O
• Network Traffic
• Network Errors
The period represented by these charts is selected from the Dashboard Configuration window. All system
charts will represent the same time period.
Filesystem utilization
The Filesystem Utilization chart displays utilization in terms of the percentage of capacity used and the
percentage of available inodes used. Each parameter is tracked for three separate partitions on the file
system: /ct, /var, and /tmp.
• % capacity used – These lines represent the percentage of capacity in use by the partitions at any given
point in time over the configured span (one day in this example).
• % inodes used – These lines represent the percentage of available inodes in use by the partitions at any
given point in time over the configured span.
Memory utilization
The Memory Utilization chart shows utilization in megabytes.
• Active – This line represents the megabytes of memory being actively used at any given point over the
configured time span (one day, in this example).
• Inactive – This line tracks the megabytes of memory that have been in use and are not in active use at
this point, but that have not been released to become free memory.
• Free – The free memory line shows the megabytes of memory available for use by any initiated process
at a given point in time.
• Swap Memory – This line traces the number of megabytes of memory contents that have been temporarily
written out to disk (swap) in order to free physical memory for use. It only rises once no free memory
remains (free memory = 0).
• Swap Free – This line tracks the amount of swap space that is not currently in use, that is, the capacity
still available for further swapping.
CPU utilization
The chart shows CPU utilization as a percentage of capacity. At any point in time, the percentages for all
the lines together should total 100%.
The chart tracks the following information:
• System – This line presents the percentage of CPU capacity that was in use at the System level (being
used by the system to support the applications in use) at a given point.
• User – This line represents the percentage of CPU capacity that was in use at the Application level (being
used by one or more applications) at a given point in time.
• Idle – This line tracks the percentage of CPU capacity that was not in use at a given point in time during
the period covered by the chart (in this case, one hour).
• Nice – This line represents the percentage of CPU capacity in user mode running niced processes (time
spent on niced tasks in user mode).
• Interrupt – This line tracks the percentage of CPU capacity running in interrupt mode.
Disk I/O
This chart displays disk usage data in terms of the number of bytes per second and the number of
input/output operations per second.
• Bytes/second – This portion of the chart indicates the number of bytes per second of data transfer into
or out of the disk at any given point.
• Operations/second – This line follows the number of data input and/or output operations per second at
any point.
Network traffic
This chart shows network utilization (input and output) in bytes/second and packets/second.
• Bytes Sent – This line shows the number of bytes/second of outbound data on the network at any given
point.
• Bytes Received – this line tracks the number of bytes/second of inbound data on the network at any given
point.
• Packets Sent – This line shows the number of packets/second of outbound data on the network at any
given point.
• Packets Received – This line shows the number of packets/second of inbound data on the network at
any given point.
Network errors
This chart tracks network errors in terms of errors per second for both inbound and outbound data, and
collisions per second.
• Received – The line represents the number of errors per second in inbound traffic (frames not
successfully received).
• Sent – The line represents the number of errors per second in outbound traffic (frames not successfully
sent).
• Collisions – The line represents the number of collisions per second detected on the interface; each
collision means a frame could not be transmitted on the first attempt and had to be resent.
Queue charts
The Queue charts show the content and performance of the Email Gateway queues over the configured
time period. The Queue Graphs include:
• Queue Statistics
Like the System charts, the Queue charts can be configured to represent a variety of time periods, selected
on the Dashboard Configuration window. All Queue charts will reflect the same time period.
Queue statistics
This chart shows the load statistics for each of the queues in Email Gateway: SMTPO, SuperQueue and
Quarantine. The chart shows the number of messages being processed by each of these queues at a given
point in time. In this example, the chart covers the past day.
Executive summary
The Executive Summary offers an overview of email traffic through Email Gateway, both inbound and
outbound. The summary shows the total messages in and out, then breaks the numbers and percentages
down among good messages, messages identified as spam, messages captured as containing viruses, and
messages that triggered action as a result of Email Gateway policies.
Services status
In this table, you can see the current status (running or not) of all the mail services. The table also
indicates whether or not the service is set to be restarted by Health Monitor when it runs and finds the
service is not running. The information of possibly greatest importance to you is the status (is this mail
service running or not?) and the service uptime (why has SMTPI been running for 3 days and 6 hours,
while SMTPO has only been running for 4 hours?). This sort of information might indicate the need to
investigate.
Each Service name is a hyperlink that opens the service properties window for the specific service, allowing
you to verify configuration or make changes as necessary.
• Connections Rejected by RDNS Lookup – The number here reflects the connections that were blocked
because they did not pass RDNS lookup.
• Total Connections Accepted –This statistic reflects the number of connections the appliance has accepted
during this reporting period.
Note: The connections accepted can still result in rejections. The totals for LDAP Rejects and SMTP Address
Pattern rejects are included in the total for Connections Accepted, since the rejections occur post-connection.
• Total Connections Blocked – This total reflects the number of connections that were rejected during the
reporting period. This total includes the individual totals for:
• Connection Control
• Rejects by RBL
• Rejects by RDNS
• Rejects by Health Monitor when the Deny Connections at Disk/Inodes Usage percentage has been met
or exceeded
• LDAP Rejects – The total represents the number of connections that were blocked due to lack of LDAP
validation.
• SMTP Address Pattern – This total represents the number of connections blocked because of configured
Address Pattern Matching in the Inbound Queue (SMTPI). It also includes mail received from an IP
address that is not on the Allow Relay list and is not destined to a hosted internal domain.
• Connection Control – The statistic reflects the total connections that were blocked by Connection Control
rules.
Note: Updates to the rejection counts (for example, LDAP Rejections) will not happen instantaneously. A
five-minute interval is required for updates to process and be visible.
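As an added example (not the appliance's own code), the following Python tallies constructed connection outcomes into these counters, applying the accounting rule from the note above: rejections made before the connection is accepted (Connection Control, RBL, RDNS, Health Monitor) go into Total Connections Blocked, while LDAP and SMTP Address Pattern rejections are still counted under Total Connections Accepted. The outcome names, the log format and the log lines are constructed for illustration.

```python
"""Tally SMTPI connection outcomes into the Services Status counters.

Added example, not appliance code.  It models the accounting rule in the
note above: rejections made before the connection is accepted (Connection
Control, RBL, RDNS, Health Monitor disk/inode limit) count as Blocked, while
rejections decided after acceptance (LDAP validation, SMTP Address Pattern)
are still counted under Connections Accepted.  Outcome names and the log
lines are constructed for illustration.
"""
from collections import Counter

# Rejections that refuse the connection itself.
PRE_CONNECTION_REJECTS = {
    "connection_control",
    "rbl",
    "rdns",
    "health_monitor",      # Deny Connections at Disk/Inodes Usage met
}
# Rejections decided after the connection was accepted.
POST_CONNECTION_REJECTS = {"ldap", "address_pattern"}

LABELS = {
    "connection_control": "Connection Control",
    "rbl": "Rejects by RBL",
    "rdns": "Rejects by RDNS",
    "health_monitor": "Rejects by Health Monitor",
    "ldap": "LDAP Rejects",
    "address_pattern": "SMTP Address Pattern",
}


def parse_log(lines):
    """Yield (client_ip, outcome) from constructed '<ip> <outcome>' lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, outcome = line.split()
        yield ip, outcome


def tally(events):
    """Return a dict shaped like the Services Status summary."""
    c = Counter()
    for _ip, outcome in events:
        if outcome in PRE_CONNECTION_REJECTS:
            c["blocked"] += 1
        elif outcome in POST_CONNECTION_REJECTS or outcome == "ok":
            c["accepted"] += 1        # post-connection rejects still count here
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
        c[outcome] += 1
    summary = {
        "Total Connections Accepted": c["accepted"],
        "Total Connections Blocked": c["blocked"],
    }
    summary.update({label: c[key] for key, label in LABELS.items()})
    return summary


def reconcile(summary):
    """Invariants to check against the dashboard: Blocked is the sum of its
    four components, and post-connection rejects fit inside Accepted."""
    blocked_parts = sum(summary[LABELS[k]] for k in PRE_CONNECTION_REJECTS)
    post_rejects = sum(summary[LABELS[k]] for k in POST_CONNECTION_REJECTS)
    return (summary["Total Connections Blocked"] == blocked_parts
            and post_rejects <= summary["Total Connections Accepted"])


SAMPLE_LOG = """
# constructed sample, not real appliance output
198.51.100.7 ok
198.51.100.8 rdns
203.0.113.5 rbl
203.0.113.9 ldap
192.0.2.44 address_pattern
192.0.2.45 connection_control
192.0.2.46 health_monitor
198.51.100.9 ok
"""

if __name__ == "__main__":
    result = tally(parse_log(SAMPLE_LOG.splitlines()))
    for name, value in result.items():
        print(f"{name:28s} {value}")
    print("consistent:", reconcile(result))
```

When reconciling the summary against your own logs, the two checks in reconcile() are the ones worth keeping: Total Connections Blocked must equal the sum of its four components, and LDAP Rejects plus SMTP Address Pattern can never exceed Total Connections Accepted, because those rejections only happen on connections that were accepted first.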
Some of the Status names are hyperlinks. Each of them takes you to a related window where more
information is available.
SpamProfiler status
The SpamProfiler Status table shows the number of messages that triggered action by the various
Anti-Spam tools. The information can be used along with other sources to indicate the effectiveness of the
current configuration. The most important number on this summary might be the SpamProfiler total, since
the SpamProfiler (if it is so configured) is the tool that takes the actions.
It is important to remember that the total messages shown on this summary might not add up to the total
number of messages processed. The reason for this difference is that the same message can be identified
for action by more than one tool, and can therefore be counted two or more times.
System utilization
This summary provides information about the main components of the system, showing usage in numerical
terms and as percentages of capacity. It can be helpful to compare this information with the System Graphs
if you would like additional information.
Updates status
The Update Status table reveals the currently installed versions of the Email Gateway software, Threat
Response Updates, and Anti-Virus engines. It also shows any available updates that can be downloaded or
installed, and the current status for all the updates. This table allows you to know at a glance when updates
become available.
Alert status
The Alert Status table displays the number of Alerts generated by Email Gateway for the past three hours.
If you want further information about the alerts, click any of the Alert Type hyperlinks to go directly to the
Alert Viewer window. On that window you can explore the individual alerts.
Encryption status
The Encryption Status summary provides an overview of inbound and outbound traffic by secure
transmission method.
Each Component name is a hyperlink that takes you to the opening reports and charts for Encryption,
where you will find more detailed information.
Queue Manager
Contents
About the queues
SuperQueue
Outbound Queue
Non-processing queues
SuperQueue
Email Gateway employs eight features within one queue, the SuperQueue, to process messages between
SMTPI (the inbound queue) and SMTPO (the outbound queue).
Note: Versions prior to 6.7 used separate queues to process mail (RIP Queue, SuperQueue, and Join Queue).
Rip Queue
MIME Ripper (also known as Rip Queue) is the first to process an email, and its task is to “rip” the message
into its constituent MIME parts. SMTPProxy writes the original message to disk; Rip Queue writes copies of
the message parts to disk as part files, and references to the part files in an internal database. Each
subsequent queue examines the message parts. You can configure additional options by clicking MIME
Ripper in Queue Manager | Configure Queues.
Anti-Virus Queue
Anti-Virus Scanning uses the configuration settings in the Anti-Virus program area of Email Gateway when
it processes messages in its queue. The Anti-Virus Scanning feature performs all the actions configured in
Anti-Virus | Configure Signature Engines. You can configure additional options by clicking Anti-Virus in
Queue Manager | Configure Queues.
Anti-Spam Queue
Anti-Spam uses a variety of anti-spam tools configured in the Email Gateway Anti-Spam program area to
inspect messages for characteristics of spam. When a message is found to be spam-like, an
administrator-defined action (such as drop, quarantine, or rename) is performed on it. You can configure
additional options by clicking Anti-Spam in Queue Manager | Configure Queues.
Outbound Queue
Once a message has passed through SuperQueue without being stopped by a triggered action, it is ready to
be sent on to the intended recipient.
The Outbound Queue is the Email Gateway SMTPO Service, responsible for delivering messages out of the
Email Gateway appliance. The terms SMTPO Service and Outbound Queue are used interchangeably. The
Email Gateway SMTPO Service wakes up at periodic intervals to see which messages have been processed
by all the other queues. You can view the contents of the Outbound Queue—that is, view the messages
ready for delivery, but not yet delivered—and re-prioritize the delivery of either individual messages or all
messages addressed to a specific domain, or delete them.
The queues perform their tasks on messages sequentially. That is, messages do not enter a new queue
until they have successfully passed out of the previous one. Administrators can specify the order or
sequence in which the queues process messages (Queue Manager | Configure Queues).
Email Gateway can scan a maximum of 500 message parts. If a message contains 501 or more parts, Email
Gateway will respond with a MIME Parse Failure and perform the action specified in the MIME Parsing
Failure Action input field of the MIME Ripper window (Queue Manager | Configure Queues | MIME Ripper
hyperlink).
Non-processing queues
Email Gateway also includes two other queues that do not actually process messages, but store them under
specific conditions. These queues are:
• Quarantine Queue, and
• Failures Queue.
Quarantine Queue
The Quarantine Queue is not a message-processing queue, but rather a logical holding area where other
queue services can send messages if certain conditions are met. Whereas the other queues and features
actually process messages in some way, the Quarantine Queue holds messages in a quarantined status. All
messages have a status of some kind, such as currently in work or already delivered, and so forth. The
messages in the quarantine queue have a status that amounts to paused, awaiting other work, or do not deliver yet.
Some Email Gateway rules have a send to Quarantine action if certain message characteristics are found.
Additionally, large e-mails held for Off-Hour Delivery are stored here. Email Gateway Queue Manager allows
administrators to create multiple quarantine queues within the Quarantine Queue to facilitate the
management of its email policies. You can view the contents of the quarantine queues at any time (through
a search function). You can delete, re-prioritize, change the scheduled delivery time, or re-direct to an
alternate address any message in any of the quarantine queues.
Failures Queue
The Failures Queue is used if a message fails Rip, Content Extraction, or Join Queue processing. Messages
generally end up in the Failures Queue because of an inability to parse message attachments or to extract
text content, or because of a Join Queue quarantine action. The specific actions taken for messages in the
Failures Queue depend on options defined for the processing queues on the Configure Queues window in the
Queue Manager.
All messages (other than messages generated by Email Gateway itself) pass through the RIP Queue. The RIP Queue
parses each message into individual parts, writing them to disk as part files and recording references to
the parts in the database. Each subsequent queue examines the message parts within the database.
Sometimes a message fails Rip Queue or Content Extraction Queue processing (the message cannot be
broken into its component parts). In the event of a MIME parse failure, the message does not pass through
all the Compliance features. As a result, Attachment Analysis, Content Analysis, Corporate Compliance and
Message Stamping features are not available for messages with MIME parse failures. However MIME parse
failures can pass through all the queues and features that do not need the email message to be broken
down into parts.
When any of the repackage actions are set for messages that are MIME parse failures, the messages pass
through all the configured queues and features that do not need the email message to be parsed.
For MIME parse failures, four actions are available (Drop Message, Deliver to Recipient, Deliver to alternate
address, and Quarantine Message). These actions are specified as the MIME Parse Failure Action on Queue
Manager | Configure Queues.
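The part limit and the four failure actions above can be modelled with the Python standard library's email parser. The following is an added example, not code from the appliance: the function names, the dispositions it returns and the sample messages are assumptions, and the limit is a parameter so that the 501-part rule can be exercised with small inputs as well as at the real boundary.

```python
"""Part-limit enforcement and MIME Parse Failure Action selection.

Added example, not the appliance's code: it mirrors the rule that a message
with more than 500 parts (or one the parser cannot break into parts) is a
MIME parse failure, and that the configured MIME Parse Failure Action
decides what happens to it.  The dispositions, helper names and sample
messages are constructed; the limit is parameterised for small tests.
"""
import email
from email import policy
from email.message import EmailMessage
from enum import Enum

MAX_PARTS = 500          # the appliance limit; 501 or more parts is a failure


class FailureAction(Enum):
    """The four MIME Parse Failure Action choices named in the text."""
    DROP = "Drop Message"
    DELIVER = "Deliver to Recipient"
    DELIVER_ALTERNATE = "Deliver to alternate address"
    QUARANTINE = "Quarantine Message"


def count_parts(msg, limit=MAX_PARTS):
    """Count MIME parts (the root counts as one).  Stops as soon as the limit
    is exceeded so a deliberately huge message cannot force a full walk."""
    n = 0
    for _ in msg.walk():
        n += 1
        if n > limit:
            break
    return n


def apply_failure_action(action, reason, alternate=None):
    """Map the configured action to a (disposition, detail) pair."""
    if action is FailureAction.DROP:
        return ("drop", reason)
    if action is FailureAction.QUARANTINE:
        return ("quarantine", reason)
    if action is FailureAction.DELIVER_ALTERNATE:
        if not alternate:
            raise ValueError("DELIVER_ALTERNATE needs an alternate address")
        return ("deliver", alternate)
    return ("deliver", "recipient")


def rip(raw_bytes, action, limit=MAX_PARTS, alternate=None):
    """Model of the Rip Queue entry check.

    Returns ("parsed", part_count) when the message can proceed to the
    queues that need individual parts, otherwise the (disposition, detail)
    chosen by the failure action.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    n = count_parts(msg, limit)
    if n > limit:
        return apply_failure_action(action, f"more than {limit} parts", alternate)
    # The stdlib parser is lenient: structural problems (missing boundary,
    # multipart with no parts, ...) are recorded as defects, not exceptions.
    defects = [type(d).__name__ for part in msg.walk() for d in part.defects]
    if defects:
        return apply_failure_action(action, "; ".join(defects), alternate)
    return ("parsed", n)


def build_multipart(n_attachments):
    """Constructed sample: multipart/mixed with a text body and n attachments
    (root + body + n parts in total)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    for i in range(n_attachments):
        m.add_attachment(b"x", maintype="application", subtype="octet-stream",
                         filename=f"part{i}.bin")
    return m.as_bytes()


# Constructed sample that declares multipart/mixed but never emits a boundary.
BROKEN_SAMPLE = (b"From: sender@example.test\r\nTo: user@example.test\r\n"
                 b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
                 b"no boundary lines follow\r\n")

if __name__ == "__main__":
    print(rip(build_multipart(3), FailureAction.DROP, limit=5))
    print(rip(build_multipart(5), FailureAction.QUARANTINE, limit=5))
    print(rip(BROKEN_SAMPLE, FailureAction.DELIVER_ALTERNATE,
              alternate="postmaster@example.test"))
```

Two points carry over to any gateway you operate: count parts with an early exit rather than materialising the whole tree, and treat parser defects the same way as the hard part limit, since both leave the message in a state the part-based queues cannot inspect.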
Additional considerations also apply in the event of MIME parse issues. For example, if the Email Gateway
RIP queue is able to parse the message into parts but JOIN queue is unable to rebuild the message back
from the individual parts for whatever reason, Email Gateway requires a special configuration. For more
information about Email Gateway actions, see Appendix C in this Administration Guide.
Note: The Secure Web Delivery (SWD) feature also requires the message to have valid MIME. For messages that
the RIP queue is unable to parse successfully, the SWD option will not be available. This means that when the
SMTPO process checks whether SWD is available, it also checks that the message is valid MIME.
Contents
About the Queue Information window
Viewing messages
Searching messages
Dynamic Quarantine
Note: The recommended way to manually refresh the Queue Information window (or any other Email Gateway
window) is to click the associated menu option (in the left menu pane) or hyperlink. Refreshing the window using
the browser Refresh button can cause Email Gateway to log you out.
The three charts that appear on the Queue information window provide at-a-glance information about Email
Gateway activities. The charts are supported by the tables and links below them.
Quarantined messages
The Quarantined Message chart and the corresponding table provide information about messages that are
currently quarantined, as well as showing the queues where the quarantines are carried out. The chart
presents the portion of all quarantined messages in each quarantine queue.
All quarantine queues are represented in the chart.
The name of each queue in the Quarantined Message table is a link that will display a message list for the
specific queue. This allows you to investigate the individual messages and to take specific actions on the
messages you select. More information about the message lists is included below.
Current messages
The Current Message chart provides information about the messages that were in either SuperQueue or the
Outbound Queue when you accessed the window.
The Current Message table lists the two queues by name and provides the exact number corresponding to
the chart. Each queue name is a link that permits you to access detailed information about the messages
currently in the queues.
Queue activity
The Queue Activity chart displays graphic information about the number of messages that have passed
through SuperQueue since midnight, comparing the number of messages for each sub-queue that required
no action with the number upon which action was taken.
Figure 4 Queue Activity chart
The numbers of messages processed by the Rip Queue, including both those that triggered action and those
that did not, represent the total messages received since midnight. However, the total messages processed
by each of the other queues might not show the same total, depending upon how your Email Gateway is
configured (bypass functions, enabling or disabling of features, and so forth). The Join Queue will show the
number of messages that have been reassembled for delivery; it will not include messages quarantined or
dropped as a result of policies configured on this Email Gateway.
Viewing messages
To view the messages in the various queues, click the queue name links in either the quarantined message
table or the current message table. Email Gateway will display a message list for the queue you have
clicked.
Note: The examples that follow show messages from selected quarantine queues. Similar information is available
for messages in other accessible queues.
The message list provides information about each message currently in the queue.
The following message action icons are used in many of the message lists you can access from the Queue
Information window.
Search button – Clicking this icon opens the message search fields, which vary depending upon the queue
within which you want to search. Search functions are discussed in more detail below.
Delete message – Clicking this button deletes any message or messages you have selected.
Release message – Clicking this button releases the selected message or messages from quarantine.
Schedule delivery – Clicking this button opens fields that allow you to schedule a specific time for the
selected message or messages to be delivered. To set the schedule, select the date and time information
from the drop-down lists, then click Set Date/Time.
Forward message – Clicking this button forwards the selected message or messages to the address you
specify. The necessary field will display.
Copy message – Clicking this button sends a copy of the message or messages to the address you specify.
The necessary field will display.
Bayesian training – Clicking this icon causes Email Gateway to copy the selected message or messages to
the proper email address where they can be used for Bayesian training as “ham” messages.
User preference window – Clicking this button opens the user preferences window for Queue Manager.
This window permits you to configure the appearance of the Queue Manager window. For more
information, see Chapter 31, Email Gateway Administration.
Save message – This icon appears for a single message you have selected to view. Clicking the button
allows you to save the message to the location you specify.
Print message – This icon appears for a single message you have selected to view. Clicking the button
allows you to print the message.
When you click the message ID in this example for any message on the list, Email Gateway will display
details for that quarantined message.
The Message Part tab on the message detail window displays the message part information.
Field Description
Action icons The icons for allowable actions appear at the top of the window.
Header information The second panel of the window displays the header information for the
message, including:
• Sender address
• Recipients address or addresses
• The subject, and
• The date and time the message was received.
Message body The third panel shows the actual message body. You can scroll to read the
message in its entirety.
Attachments The lower panel of the window provides information about any
attachments associated with the message, including:
• The name of the attachment
• The size of the attachment
• The type of attachment (for example, image and format, document
and format, and so forth)
• A download button that allows you to download the attachment.
The Action Taken tab allows you to see the actions that were taken on the message and the order in which
they were taken. The details include specific features that took action and the rules that triggered the
action.
The Message Log tab displays the message log for the message you have selected, if per-message logging
has been enabled. Otherwise, the window will display a message saying the log does not exist, and
directing you to the Global properties window (IntrusionDefender | Mail Firewall | Configure Mail
Services | Global).
Figure 9 Message Log tab
The Message Rules tab window shows appropriate rules based on the queue where a message is
quarantined. From this tab you can create new rules for messages like the current one, or create whitelist
rules if the type of messages should not be quarantined in the future.
Searching messages
If you have even minimal information about a message, you can locate it within its current queue by using
the search options available through Queue Search in the left menu. The parameters you can enter will
vary depending upon the message type you are seeking. You can find:
• Messages currently in Email Gateway queues (being processed)
• Messages that are in the process of being delivered (in the outbound queue)
Email Gateway adds specific information to the RFC821 and RFC822 headers to facilitate quicker and more
specific searches and better information gathering. The added information includes:
• Message ID – Added to the RFC821 received information
You can use the search function to investigate specific messages for various reasons, such as suspected
false positives or messages that should have been caught. Depending upon where the message is located,
you can take appropriate actions. You can:
• View the message
You can type partial information in the Email Gateway search input fields. For example, a search for
“dscott” will find dscott@domain.com. If you type search values in more than one input field, Email
Gateway will not locate the message unless all the values you type are found.
The results of the search are displayed in a Search Results window in the main body of the page. If more
than one message matching the search criteria is found, they appear in separate rows of the Search Results
table. Clicking a message’s Subject hyperlink within the table opens a secondary window from which
various administrative actions can be taken, depending on whether or not the message is still on the Email
Gateway appliance.
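As an added illustration (not the product's search implementation), this Python reproduces the two matching rules just described on a constructed message list: a typed value matches as a substring of the field (so “dscott” finds dscott@domain.com), and when several input fields are filled in, a message is returned only if it satisfies all of them. The field names and the records are assumptions.

```python
"""Queue search with partial matching and all-fields-must-match semantics.

Added example, not the appliance's search code.  It reproduces the rules
stated in the text: a search value matches when it is a substring of the
field, an empty input field imposes no constraint, and a message must match
every non-empty field to be returned.  Records and field names are
constructed for illustration.
"""
SEARCH_FIELDS = ("message_id", "queue", "sender", "recipient", "subject")

# Constructed sample of what a quarantine-queue message list might contain.
MESSAGES = [
    {"message_id": "M0001", "queue": "Spam", "sender": "dscott@domain.com",
     "recipient": "jlee@example.test", "subject": "Q3 invoice"},
    {"message_id": "M0002", "queue": "Spam", "sender": "promo@bulk.example",
     "recipient": "dscott@example.test", "subject": "Sale!"},
    {"message_id": "M0003", "queue": "Anti-Virus", "sender": "dscott@domain.com",
     "recipient": "ops@example.test", "subject": "Scan results"},
]


def matches(record, criteria):
    """True when every non-empty criterion is a case-insensitive substring
    of the corresponding record field (AND across fields)."""
    for field, value in criteria.items():
        if field not in SEARCH_FIELDS:
            raise KeyError(f"unknown search field {field!r}")
        if not value:
            continue                      # empty input field: no constraint
        if value.lower() not in record.get(field, "").lower():
            return False
    return True


def search(records, **criteria):
    """Return the records matching all supplied criteria, in list order."""
    return [r for r in records if matches(r, criteria)]


def search_ids(records, **criteria):
    """Convenience wrapper returning only the message IDs."""
    return [r["message_id"] for r in search(records, **criteria)]


if __name__ == "__main__":
    print(search_ids(MESSAGES, sender="dscott"))                 # partial match
    print(search_ids(MESSAGES, sender="dscott", queue="Spam"))   # both must hold
    print(search_ids(MESSAGES, sender="dscott", recipient="nobody"))
```

The practical consequence of the AND rule is that a narrow search that returns nothing is not evidence the message is absent; clear all but one field and widen from there, exactly as you would when chasing a suspected false positive.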
Quarantined messages
To search for quarantined messages within a queue other than the Outbound Queue, provide search information on
the Queue Search window.
Figure 11 Queue Search window
Select the Quarantined message type, then supply as much information as you can.
When you have provided the information, click Search. A message list containing only the results of your
search will display.
You can use this listing to further investigate any of the messages that met your search criteria, as
explained earlier in this chapter.
Current messages
Selecting either the Current In-Queue or the Current Outbound message type offers input fields for
entering search criteria. To search for current (not quarantined) messages, provide search parameters.
In SuperQueue
Select Current In-Queue, then provide the search parameters.
Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter.
When you have entered the search parameters, click Search. The results will display as shown. In this
case, Skip to Detail was specified.
Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter.
When you have entered the parameters, click Search. A window appears showing the results of the search.
You can view the messages that were in the Outbound Queue at the time you accessed the window by
clicking the Domain link you want to expand. The number of messages currently in the queue for that
domain and the number of delivery attempts that have been made also show on the window. If you want to
take any action on messages, you must click Pause to temporarily stop the Outbound Queue.
Processed messages
The search window for Processed messages offers fields for entering search criteria for messages that have
already been processed but which have not yet been delivered, and allow you to specify the search type to
be conducted.
Tip: You can also conduct an advanced search for this message type, using the fields described earlier in this
chapter
Dynamic Quarantine
Currently, the most destructive delivery mechanism used by spammers, virus writers, and other attackers
of network systems is the zombie machine. Dynamic Quarantine is intended to ward off attacks sent by
zombie machines. Dynamic Quarantine provides a method for early detection of a potential viral outbreak
from a surge of unknown senders; this functionality will temporarily quarantine messages while reputation
information is gathered and analyzed using TrustedSource.
TrustedSource tracks all IP addresses that send email from around the world, monitoring sending behavior
and patterns. It uses this information to formulate very accurate, granular reputation scores for each
address. Then Email Gateway uses these scores to assess threats from inbound messages and take
appropriate action, when necessary.
The problem is that most zombie machines have never sent spam or malicious email, so TrustedSource
might have insufficient information to provide an accurate risk determination. Such messages are classified
as “suspicious.”
Defensive signatures against spam or virus attacks can be developed once the threat is recognized, and the
signatures can be deployed to email security systems. However, this can take hours, leaving the networks
vulnerable in the meantime. Dynamic Quarantine provides an additional layer of defense to protect
networks from these suspicious messages. It allows TrustedSource time to gather more information and
formulate an accurate reputation score.
2 Inside SuperQueue, RIP Queue breaks the message into its component parts, such as the header,
message body, any attachments, and so forth.
Note: Messages can still be quarantined by the Content Extraction Queue even after the first TrustedSource
lookup.
3 Email Gateway examines the parts. Based on this analysis, it applies the rules to determine if the message
should go to Dynamic Quarantine. The rules will determine how long the quarantine period should be.
4 When the quarantine period expires, another TrustedSource lookup occurs to see if updated reputation
information is now available. Multiple Email Gateways might have encountered the same message,
generally indicating an attack.
• If TrustedSource identifies the sender as good, the message is released from Dynamic Quarantine. The
message will still be inspected by all configured Email Gateway processes.
• If the sender is bad, the message is dropped.
• If TrustedSource still considers the message “suspicious,” it will remain in quarantine for an additional
period, as determined by the rules.
Note: When you release a message from Dynamic Quarantine, the second TrustedSource lookup does not
occur. The message will be delivered unless it contains a virus.
The TrustedSource reputation score from this second lookup replaces the earlier score, and it is the
score supplied to the Anti-Spam Queue for Spam Profiler’s calculations.
5 When the second quarantine period expires, the message will be released to be inspected by the Email
Gateway configured processes. No further TrustedSource lookup is performed. During the quarantine
periods, updates might have been provided as new Anti-Virus signatures or new TRU packages, allowing
Email Gateway to deal with the new threats.
Email Gateway provides the ability to add rules based on a TrustedSource score variable to the TRUSign
rules, in addition to rules based on subject, attachment name, attachment format, and message size.
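The decision flow above (first lookup, rules-assigned period, second lookup that replaces the score, a single further period with no third lookup, and manual release that skips the second lookup) is easiest to check as a small model. The following is an added example, not Email Gateway code: the verdict values, the stubbed reputation service and the sender addresses are constructed, and “delivered” means only that the message leaves Dynamic Quarantine for the remaining configured queues.

```python
"""Model of the Dynamic Quarantine decision flow (added example, not product code).

TrustedSource is a network service; here it is replaced by a table of
verdicts per sender IP that changes between lookups, to model intelligence
arriving while a message sits in quarantine. Verdict names and the
198.51.100.0/24 addresses are constructed for illustration.
"""
from dataclasses import dataclass, field

GOOD, BAD, SUSPICIOUS = "good", "bad", "suspicious"


@dataclass
class Message:
    sender_ip: str
    body: str
    has_virus: bool = False
    history: list = field(default_factory=list)  # audit trail of decisions


class Reputation:
    """Stand-in for TrustedSource: successive lookups for one IP may differ."""

    def __init__(self, verdicts):
        # verdicts: {ip: [verdict_at_lookup1, verdict_at_lookup2, ...]}
        self._verdicts = {ip: list(v) for ip, v in verdicts.items()}
        self.lookups = 0  # counts lookups so the "no third lookup" rule is checkable

    def lookup(self, ip):
        self.lookups += 1
        seq = self._verdicts.get(ip, [SUSPICIOUS])
        # Once the sequence is exhausted the last known verdict stays.
        return seq.pop(0) if len(seq) > 1 else seq[0]


def dynamic_quarantine(msg, rep, rules_period_days=1, admin_release=False):
    """Return 'delivered', 'dropped' or 'held_by_antivirus'.

    'delivered' means the message proceeds to the remaining configured
    queues (Anti-Virus, Anti-Spam, ...). A manually released message is
    delivered unless it carries a virus, and gets no second lookup.
    """
    first = rep.lookup(msg.sender_ip)
    msg.history.append(("lookup1", first))
    if first == GOOD:
        return "delivered"
    if first == BAD:
        return "dropped"

    # Suspicious: the rules assign the first quarantine period.
    msg.history.append(("quarantine", rules_period_days))

    if admin_release:
        # Manual release skips the second TrustedSource lookup entirely.
        msg.history.append(("admin_release", None))
        return "held_by_antivirus" if msg.has_virus else "delivered"

    # Period expired: second lookup; its score replaces the first one.
    second = rep.lookup(msg.sender_ip)
    msg.history.append(("lookup2", second))
    if second == GOOD:
        return "delivered"
    if second == BAD:
        return "dropped"

    # Still suspicious: one more period, then release with NO further lookup.
    msg.history.append(("quarantine", rules_period_days))
    msg.history.append(("release_after_second_period", None))
    return "delivered"


if __name__ == "__main__":
    rep = Reputation({"198.51.100.7": [SUSPICIOUS, SUSPICIOUS]})
    m = Message("198.51.100.7", "constructed sample body")
    print(dynamic_quarantine(m, rep), m.history, "lookups:", rep.lookups)
```

Running the module shows a sender that stays suspicious is released after the second period with exactly two lookups, which is the behaviour step 5 describes; swap the second verdict for BAD to see the drop path instead.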
Automatic shut-off
Dynamic Quarantine will automatically disable itself if available disk space falls below 30% of the system’s
capacity. This feature is intended to prevent performance degradation or other problems that can result
from inadequate disk space.
Contents
Configuring queues
Changing the queue order
About quarantine types
Using the Quarantine Queue
Configuring queues
The Configure Queues window is used to stop and start SuperQueue, establish the order in which Email
Gateway queues process messages, and configure individual queue options.
Figure 13 Queues - Configure window
Each queue name (Service) is a hyperlink that displays a window for that queue. The new window allows
configuration of the associated Queue.
Configuring SuperQueue
Figure 14 SuperQueue Configuration window
SuperQueue contains the following sub-queues:
• Anti-Virus
• Content Analysis
• Envelope Analysis
• Anti-Spam
• Corporate Compliance
• MIME Joiner
Five of those sub-queues are configured by clicking the appropriate hyperlink on the Queues - Configure
window.
Caution: In network configurations that use a Centralized Quarantine Server (CQS), the processing order, rules
and policies must be configured exactly the same way on all Email Gateway appliances. If this is not done, the
CQS will not function properly.
You can change the queue order by selecting the desired change from the pick list found on the Queues -
Configure window. If a desired change will conflict with an existing setting, other changes must be enacted
at the same time to define the complete order.
For example, assume you want to move the Corporate Compliance Queue to second position. Anti-Spam is
already in second position, but you can move it to fifth position. You must change both Corporate
Compliance to position 2 and Anti-Spam to position 5 at the same time (the same Submit entry). Email
Gateway will allow you to change any or all sub-queues at once, so long as the change you are making does
not result in position conflicts.
When the order has been established, click Submit to save the changes. The window refreshes to show the
order selected.
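The position-conflict rule above is simple to get wrong when several queues move at once. The following added example (not product code) reproduces the check offline: given a current order and the set of changes you intend to put in one Submit, it reports the positions that would be claimed twice. The current order is a constructed sample; the queue names are those of the sub-queues listed above.

```python
"""Offline check of a Queues - Configure submission (added example, not product code).

Email Gateway rejects a Submit whose new positions collide. apply_changes()
applies all requested moves as one Submit and reports any position claimed
by more than one queue. CURRENT_ORDER is a constructed sample.
"""

CURRENT_ORDER = [  # constructed sample, positions 1..6
    "Anti-Virus",
    "Anti-Spam",
    "Content Analysis",
    "Envelope Analysis",
    "Corporate Compliance",
    "MIME Joiner",
]


def apply_changes(order, changes):
    """Return (new_order, conflicts).

    changes maps queue name -> desired 1-based position; every entry is part
    of the same Submit. conflicts maps a position to the queues that would
    share it. If conflicts is non-empty the Submit would be rejected and
    new_order is None.
    """
    positions = {name: i + 1 for i, name in enumerate(order)}
    for name, pos in changes.items():
        if name not in positions:
            raise KeyError(f"unknown queue {name!r}")
        if not 1 <= pos <= len(order):
            raise ValueError(f"position {pos} out of range for {name!r}")
        positions[name] = pos

    by_pos = {}
    for name, pos in positions.items():
        by_pos.setdefault(pos, []).append(name)
    conflicts = {pos: names for pos, names in by_pos.items() if len(names) > 1}
    if conflicts:
        return None, conflicts
    # No duplicates among len(order) queues means every position is filled once.
    return [by_pos[p][0] for p in range(1, len(order) + 1)], {}


if __name__ == "__main__":
    # Moving only Corporate Compliance collides with Anti-Spam at position 2.
    print(apply_changes(CURRENT_ORDER, {"Corporate Compliance": 2}))
    # Moving both in the same Submit yields a complete, conflict-free order.
    print(apply_changes(CURRENT_ORDER, {"Corporate Compliance": 2, "Anti-Spam": 5}))
```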
Email Gateway provides the following default quarantine queues:
• Attachment Analysis
• Envelope Analysis
• Anti Virus
• Anti-Spam
• Off Hour
• Failures
• Image Analysis
• Corporate Compliance
Whenever an email policy configured with a quarantine action is created, you can specify to which
quarantine queue the policy sends the message. This greatly eases the management of Email Gateway
policies—you can look in one place to see the results of that policy, without the interference of other
messages that might also be quarantined. In addition to using the default quarantine queues, you are
encouraged to create your own, even more granular, quarantine queues. For example, when testing a new
policy, you might set the quarantine action to send to the test quarantine queue. As messages accumulate
in that queue, you can see exactly how effective the policy is.
After you type the name for the new queue, click Submit. The window will refresh with the new queue
shown at the bottom. At this point, the new queue is not in use, as indicated by the red X in the In Use
column. In order to put it into use, you must configure a new rule that specifies the queue.
The new queue will be specified when you click Submit. This places the new queue in use. When you
navigate back to the Quarantine Types window, the In Use column now contains a green check mark.
Contents
About Remote Quarantine
Central Quarantine Server
Configuration of the CQS
Dual Central Quarantine Servers
Tip: If CQS is to quarantine messages in multiple queues, you must set the action for each associated feature as
Remote Quarantine. Features set to Quarantine will quarantine messages locally rather than on the CQS.
Mail processes on the CQS will accept messages from the original Email Gateway appliances and will send
messages that have been released by the end users. The appliance should not accept any mail from the
Internet or from internal mail servers.
General implementation
Implementation of the basic requirements for CQS requires the following conditions to be considered:
• All the Email Gateway appliances must be running Email Gateway (Secure Mail) 6.5.1 or later.
• The Email Gateway appliances that are in mail flow must be configured to take the Remote Quarantine
action in order to route messages to the CQS that they otherwise would have quarantined. The
configuration must be set for every sub-feature that would have normally been configured for Quarantine
under Compliance and Anti-Spam.
Note: Sub-features set to Quarantine rather than Remote Quarantine will quarantine messages locally.
• The End User Quarantine feature MUST NOT be configured on any of the mail flow appliances. It should
only be configured on the CQS.
• The CQS must be configured with Allow Relay entries that allow it to accept mail from all the feeder Email
Gateway appliances.
• All Queues that are enabled on the mail flow appliances must also be enabled on the CQS.
• The CQS should be configured to deliver email messages to the same internal mail servers as the feeder
Email Gateways.
• The CQS should be configured to quarantine the messages it receives from the feeder Email Gateways.
Generally, you can accomplish this by configuring the same rules on the CQS as on the feeder Email
Gateways, but with an action of Quarantine rather than Remote Quarantine.
• The CQS should be configured to use 0 (zero) as the number of days to quarantine messages. This will
have to be set for each sub-feature that has the Quarantine action. The zero setting prevents the
messages from being delivered after their retention time expires, and allows the Cleanup Schedule to
determine when the messages should be deleted. The Cleanup Schedule should be set for the maximum
number of days any quarantined message should be kept.
• The End User Quarantine notification feature must be configured on the CQS only.
High-level process
The CQS receives forwarded (Remote Quarantined) messages from each of its feeder Email Gateway
appliances. The MIME Ripper on CQS identifies these messages as having been processed and quarantined
by the prior Email Gateway, so rather than passing the messages through the configured processes, it
sends the messages to the quarantine queues specified by the feeder Email Gateways. CQS recognizes the
action value (the number of days of quarantine) associated with each remote quarantined message (a
number from 0 through 15) and uses that value to determine how long the message should be held in the
assigned queue.
If the action value is 0, the message will be deleted from the queue the next time the Cleanup Schedule
runs after the message has remained in quarantine longer than the Cleanup Interval. If the action value is
a number between 1 and 15, the message will be held for that many days in the assigned queue. If it has
not been deleted or released by the end user (using the End User Quarantine feature) before that time
expires, the message will be delivered.
For more information about the Cleanup Schedule, see Chapter 31, Email Gateway Administration.
Email Gateway provides the following default quarantine queues:
• Attachment Analysis
• Envelope Analysis
• Anti Virus
• Anti-Spam
• Off Hour
• Failures
• Image Analysis
• Corporate Compliance
Whenever you configure an email policy with Quarantine action, specify which quarantine queue receives
the message. This capability makes it much easier to monitor the results of the policy without having to
search through messages unnecessarily. You can also create more granular quarantine queues. As
messages accumulate in the queue, you can monitor the policy’s effectiveness.
Any new queues you create on one appliance must also be created on all the feeder Email Gateways and
the CQS, and all queues must exist with exactly the same names on all appliances. The feeder Email
Gateways determine the queue into which each message will be quarantined and the desired processing
order. If the queues and the queue order are not the same on the CQS, the messages will not be processed
as expected.
For more information, see “Quarantine Types” in Chapter 4, Advanced Queue Manager Topics.
Note: If you create a quarantine queue on one appliance and want to copy and paste it to all other appliances,
including the CQS, it is absolutely essential that no spaces be added before or after the queue name.
A quarantine name variation will be difficult to detect visually, but will cause the queues not to match. If
that does happen, you will notice mail from a feeder appliance being identified and quarantined, but not
showing up in the corresponding queue on the CQS. If this happens, one way to find the “missing” message
is to look at the Queue Information window on the CQS.
If you look at the information on the Queue Information window, you will find totals representing the
number of messages in each of the quarantine sub-queues. If the total for the last line in the Quarantined
Messages table (Total) is larger than the sum of the totals in the other lines, this indicates that a message
has been sent to CQS and has been placed in a zero (0) quarantine queue. The only solution is to search for
the message (visually) and take action to release it, forward it, or drop it. You cannot move it to another
queue.
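Because a queue name that differs only by an invisible character is, as the Note says, hard to detect visually, it is worth checking the names mechanically before relying on the Queue Information totals. The following added example (not product code; Email Gateway offers no such export) takes per-appliance queue lists as you would copy them from each Quarantine Types window, flags names that carry leading, trailing, doubled or non-breaking spaces, reports byte-for-byte mismatches against the CQS, and reproduces the totals diagnostic described above. The appliance names and queue lists are constructed samples.

```python
"""Consistency check of quarantine queue names across feeders and the CQS.

Added example, not product code. APPLIANCES is a constructed sample of the
queue names copied from each appliance's Quarantine Types window.
"""
import unicodedata

APPLIANCES = {  # constructed sample data
    "feeder-1": ["Attachment Analysis", "Envelope Analysis", "Anti Virus",
                 "Anti-Spam", "Off Hour", "Failures", "Image Analysis",
                 "Corporate Compliance", "HR Review"],
    "feeder-2": ["Attachment Analysis", "Envelope Analysis", "Anti Virus",
                 "Anti-Spam", "Off Hour", "Failures", "Image Analysis",
                 "Corporate Compliance", "HR Review "],        # trailing space
    "cqs":      ["Attachment Analysis", "Envelope Analysis", "Anti Virus",
                 "Anti-Spam", "Off Hour", "Failures", "Image Analysis",
                 "Corporate Compliance", "HR\u00a0Review"],    # NBSP pasted from a browser
}


def suspicious_names(names):
    """Names that change under whitespace normalisation; these will not match.

    NFKC maps a no-break space to an ordinary space, and split/join collapses
    leading, trailing and doubled spaces, so any difference is invisible debris.
    """
    bad = []
    for n in names:
        norm = " ".join(unicodedata.normalize("NFKC", n).split())
        if norm != n:
            bad.append((n, norm))
    return bad


def queue_mismatches(appliances, reference="cqs"):
    """Per feeder: queues absent (byte-for-byte) on the CQS, and vice versa."""
    ref = set(appliances[reference])
    report = {}
    for name, queues in appliances.items():
        if name == reference:
            continue
        q = set(queues)
        missing_on_cqs = sorted(q - ref)
        missing_on_feeder = sorted(ref - q)
        if missing_on_cqs or missing_on_feeder:
            report[name] = {"missing_on_cqs": missing_on_cqs,
                            "missing_on_feeder": missing_on_feeder}
    return report


def unaccounted_messages(per_queue_counts, total):
    """Messages in the Quarantined Messages table not attributed to a listed queue.

    A positive value is the symptom described above: a feeder named a queue
    the CQS does not have, so the message landed in a zero (0) queue.
    """
    return total - sum(per_queue_counts.values())


if __name__ == "__main__":
    for appliance, names in APPLIANCES.items():
        for raw, norm in suspicious_names(names):
            print(f"{appliance}: {raw!r} should be {norm!r}")
    print(queue_mismatches(APPLIANCES))
    # Constructed Queue Information figures: 15 total, 12 attributed.
    print("unaccounted:", unaccounted_messages({"Anti-Spam": 12, "HR Review": 0}, 15))
```

Print with `repr()` rather than plain text when comparing names by eye; it is the only way a trailing space or a U+00A0 shows up in a terminal.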
Configuring appliances
Specific configuration options are required on both the feeder Email Gateways and the CQS to allow the
enterprise to take advantage of the CQS functions.
On the feeder Email Gateways
Check Specify Remote Quarantine System and then type the IP address for the CQS in the Remote
Quarantine System data field. This enables the Remote Quarantine action on the feeder Email Gateway.
For more information about setting the SuperQueue Properties, see Chapter 4, Advanced Queue Manager
Topics.
Note: An IP address placed on the Allow Relay list is not evaluated for Denial of Service attacks. To limit this
exposure, list only the feeder Email Gateway appliances; the CQS should accept mail from no other source.
On the CQS
Enable and configure End User Quarantine. One particular parameter that is important on the CQS is the
number of messages that can be sent to the end user in a single notification email. McAfee recommends
that no more than 1,000 messages be sent in a single notification.
Note: A single user can receive more than one notification email in the same notifications period if the number of
messages quarantined exceeds the limit you set. This is expected behavior.
The next step is to set up the User List on the CQS by adding users to whom EUQ notices will be sent and
for what associated quarantines they should be generated.
Click Add New to add a new user or group; click Delete to delete an existing one. Users on the list can not
be edited; they can only be added or deleted. To change an existing user, delete the current version, then
add the user again with different information.
When users have been added, they will appear on the End User Quarantine User List window.
Finally, set up EUQ Whitelisting.
You can configure End User Quarantine Whitelist functionality from the GUI. McAfee recommends that you
define at least one bypassed feature (you might want to specify an unused feature for this). Then configure
the whitelist synchronization by entering the feeder Email Gateways to the Send To list on CQS. It is not
necessary to add the Email Gateways to the Received From list, since CQS is the only appliance configured
for End User Quarantine.
Figure 28 End User Quarantine Whitelist - Configure window
The Central Quarantine Server should now be ready to fulfill its purpose.
Configuring CQS2
To use a second Central Quarantine Server as backup, you must configure specific properties on both CQS1
and CQS2.
On CQS1
Configure the second CQS in MIME Ripper Properties on CQS1. Check Enable Secondary Central
Quarantine Server, and type the IP address in the Secondary Central Quarantine Server data field.
On CQS2
In order to ensure proper storage and processing of messages, configure CQS2 exactly the same as CQS1,
with two exceptions:
SMTPO
Disable the Outbound Queue and ensure it is not running. All messages are to remain on CQS2 until they
are deleted according to the Cleanup Schedule.
If CQS1 fails
If CQS1 should fail for any reason, the two servers reverse roles. McAfee Support will reconfigure CQS2 to
process messages in place of CQS1. Support will perform the reconfiguration as follows:
• Reconfigure all feeder Email Gateways to send their “Remote Quarantine” messages to CQS2;
• Configure CQS2 to send copies of messages to CQS1 (optional, depending upon the status of CQS1); and,
• Restart SMTPO.
Compliance
Contents
About Compliance
Snapshot reports
About Compliance
In Email Gateway you can create policies based on keywords or phrases within email messages and
attachments. You can use compliance features as tools to block spam, as well as to enforce acceptable
email usage. Email Gateway can enforce Compliance policies for email messages, as well as for many text
file attachment formats.
Snapshot reports
The Quick Snapshots provide an overview of processes and actions within the Compliance area. The reports
reflect inbound and outbound email traffic, and provide both historical information and current actions.
The reports are divided into three panels. The top panel tracks the following message trend data over a
defined time period:
• Messages cleared
• Messages dropped
• Messages quarantined
• Messages modified
Use the historical trend data to detect changes over time. The time period varies according to the amount
of data accumulated.
• If the appliance has data for less than a week, the trend data is plotted daily.
• If the data represents from 1 to 12 weeks, the trends are monitored on a weekly basis. The dates
displayed represent the beginning date for each week.
• If the data covers more than 12 weeks, the trends continue to be plotted on a weekly basis, showing the
most recent 12 weeks.
The middle panel tracks the same trends in graphic form, for the current day since midnight. The
associated table shows the numbers of messages processed.
The lower panel shows detailed message actions by feature since midnight.
Note: The number of cleared messages shown on this summary report might not match the total reflected in the
upper two panels for the same day. Those panels report all messages processed by the system, while the
summary reflects only messages processed within the compliance program area. However, all the panels reflect
actions triggered within Compliance.
Contents
About Content Analysis
Dictionaries
Editing and searching an existing dictionary
Editing existing dictionary content
Managing content rules
Applying content rules
Dictionary report configuration
2 Create rules based on dictionary thresholds indicating that multiple dictionary words are detected in a
message.
Dictionaries
Caution: Before you implement Content Analysis policies, pay careful attention to the dictionary entries and their
weights. Careless use of dictionary words, weights, and thresholds can lead to Email Gateway taking action on
legitimate email. For example, the presence of “breast” in a pornography dictionary might act on a message
describing a chicken breast served at a meal, or a newsletter about breast cancer awareness month. Likewise
users within the company might have the personal names “Lust,” “Dick,” “Beaver,” or “Lolita” — words that might
appear in a pornography dictionary.
The default dictionaries include:
• HIPAA Compliance
• HIPAA 04182005
• GLBA Compliance
• Regular Expressions
Use the Content Analysis - Manage Dictionaries window to create and edit dictionaries. You can add your
own dictionaries to the default dictionaries to enforce policies and fight spam. Search Types permit a search
for dictionary words anywhere within a message when they are embedded within another word or text
string, or bounded by white space or other characters. You can filter content on raw email messages or on
extracted text, ignoring tags that spammers use to hide content from spam detection software.
Do not delete the original (default) entries in any system-generated dictionary. In most cases, the
delete option does not exist.
To manage your configured dictionaries, do the following:
1 Click the Compliance tab.
2 Click Content Analysis, then click Dictionaries. The Content Analysis - Manage Dictionaries window
appears.
3 View your dictionaries, and make any allowed changes to complete the screen (see Table 28).
You can view, search and edit the content of any dictionary by clicking the name of that dictionary. You can
also edit the Search Option by clicking that hyperlink.
2 Select one of the following search options from the drop-down list:
• Extracted Text – The dictionary searches the extracted text and ignores any embedded tags or URLs.
• Original Part File – The dictionary searches any embedded tags or URLs in the message.
• Both – The dictionary searches both extracted text and the original part file, and uses the option that
produces the most hits.
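The Caution about dictionary words, the threshold rules, and the three search options above fit together as one matching model. The following added example (not Email Gateway’s engine) implements a weighted dictionary with a threshold, a bounded search type that requires the term to stand alone versus an embedded search that matches inside other words, and the Extracted Text / Original Part File / Both options, with tag stripping standing in for text extraction. The dictionary, weights, threshold and sample messages are constructed; they show why a single low-weight word such as “breast” should not trigger a rule on its own, and why extracted text defeats tag-splitting tricks.

```python
"""Weighted dictionary matching with thresholds and search options.

Added example that models the Content Analysis behaviour described above;
it is not Email Gateway's engine. Dictionary entries, weights, threshold
and messages are constructed.
"""
import re
from html import unescape


def extract_text(raw):
    """Approximate the 'Extracted Text' option: drop HTML tags, decode entities."""
    return unescape(re.sub(r"<[^>]+>", "", raw))


def score(text, dictionary, search_type="bounded"):
    """Return (total_weight, hits) for a weighted dictionary over one text.

    dictionary: {term: weight}; each occurrence adds the term's weight.
    'bounded' requires word boundaries, so 'breast' does not hit 'abreast'
    or 'breastplate'; 'embedded' is a plain case-insensitive substring search.
    """
    total, hits = 0, []
    for term, weight in dictionary.items():
        pat = re.escape(term)
        if search_type == "bounded":
            pat = rf"\b{pat}\b"
        n = len(re.findall(pat, text, flags=re.IGNORECASE))
        if n:
            total += n * weight
            hits.append((term, n))
    return total, hits


def violates(text, dictionary, threshold, search_type="bounded", source="extracted"):
    """Apply a threshold rule against the chosen source form.

    source: 'extracted' (tags stripped), 'raw' (original part file) or
    'both', which keeps whichever form scores higher, as the Both option does.
    Returns (triggered, best_score).
    """
    candidates = []
    if source in ("extracted", "both"):
        candidates.append(extract_text(text))
    if source in ("raw", "both"):
        candidates.append(text)
    if not candidates:
        raise ValueError(f"unknown source {source!r}")
    best = max(score(c, dictionary, search_type)[0] for c in candidates)
    return best >= threshold, best


# Constructed dictionary: the medically common word carries little weight on
# its own, so a recipe or a health newsletter stays under the threshold while
# several co-occurring terms push a message over it.
ADULT_DICT = {"breast": 1, "xxx": 5, "porn": 5, "nude": 3}
THRESHOLD = 5


if __name__ == "__main__":
    for msg in ("Grilled chicken breast with lemon, serves four.",
                "Breast cancer awareness month: book your screening.",
                "Free xxx pics, nude models, click now",
                "Hot n<i></i>ude po<b></b>rn inside"):
        print(violates(msg, ADULT_DICT, THRESHOLD, source="raw"),
              violates(msg, ADULT_DICT, THRESHOLD, source="extracted"), msg)
```

The last constructed message shows the point of the Extracted Text option: against the raw part file neither split word matches, while the extracted text scores 8 and triggers the rule.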
2 View the content, or make changes to complete the window (see Table 29).
• Use the search options to find a specific entry (see Table 30). Your search results will display.
Note: If the entry is present, the window will show it as it appears on the Dictionary Content window. If it is
not present, the content window appears but shows no entries.
Adding content
To add an entry to the dictionary:
1 Click the name of a dictionary on the Content Analysis - Manage Dictionaries window. The Content
Analysis - Manage Dictionary Content window displays.
2 Click Add New at the bottom of the window. The Add to Dictionary window appears.
4 Click Submit. The Dictionary Content window updates to show the new entry.
2 Select the entry to edit. The Edit Dictionary Content window appears.
4 Click Submit. The Dictionary Content window updates to show the new entry.
2 Click Content Analysis, then click Dictionaries. The Content Analysis - Manage Dictionaries window
appears.
3 Click Add New at the bottom of the window. The Add New Dictionary window appears.
5 Click Submit. The new dictionary appears in the Manage Dictionaries window.
• URLs, or
• Regular expressions
The Add to Dictionary screens for each will vary to fit the type of content you wish to create.
2 Click Add New at the bottom of the window. The Add to Dictionary window appears.
4 Click Submit.
Adding URLs
To add a URL to the dictionary:
1 Click the name of the new dictionary on the Content Analysis - Manage Dictionaries window. The Manage
Dictionary Content window appears.
2 Click Add New at the bottom of the window. The Add to Dictionary window appears.
4 Click Submit.
2 Click Add New at the bottom of the window. The Add to Dictionary window appears.
4 Click Submit.
2 Click the Test Regular Expression button. Email Gateway runs the expression against the data string.
• If the regular expression detects data in the string, the window confirms that fact.
• If the expression and the test value don’t match, you can revise the entry and retest before submitting
it.
• Create a new compliance dictionary that contains the pre-defined regular expressions.
2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.
3 View your rules (see Table 38). You can also delete rules from this window.
2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.
3 Click Add New at the bottom of the window. The Content Analysis - Add Rule window appears.
5 Click Submit. The Manage Dictionary Rules window updates to include the new rule.
2 Click Content Analysis, then click Manage Rules. The Content Analysis - Manage Rules window appears.
3 Click the ID for the rule. The Content Analysis - Edit Rule window appears.
2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.
3 View your rules (see Table 41). You can also delete rules from this window.
2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.
3 Click Add New. The Content Analysis - Add Apply Rule window appears.
5 Click Submit. The Apply Rules window updates to add the new policy.
2 Click Content Analysis, then click Apply Rules. The Content Analysis - Apply Rules window appears.
3 Click the ID hyperlink for that policy. The Content Analysis - Edit Rule window appears.
These reports are generated every night as part of the Daily Reports. They provide statistics about the
actions triggered by messages scanned by the dictionaries, and other statistics such as the top 10
senders and top 10 recipients of offending messages.
To see the list of configured Dictionary Reports, do the following:
1 Click the Compliance tab.
2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.
3 View your reports (see Table 43). You can also delete reports (other than the default reports) from this
window.
Adding a report
To add a new report, do the following:
1 Click the Compliance tab.
2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.
3 Complete the two data fields at the bottom of the window (see Table 43).
5 Click one or more dictionaries to include their results in the report (see Table 44).
6 Click Submit. The Configure Reports window updates to add the new report.
2 Click Content Analysis, then click Configure Reports. The Content Analysis - Configure Reports window
appears.
3 Click the name of the report you want to edit. A window listing all included dictionaries appears.
Contents
About Advanced Compliance
Managing Advanced Content Analysis rules
Applying Advanced Content Analysis rules
Categories
The Compliance Trainer
Content Analysis detects compliance violations or personal identifiers by matching exact dictionary items
(such as keywords or regular expression patterns) within email. For more information, see Chapter 7,
Content Analysis.
Advanced Content Analysis detects sensitive content within email by training on confidential documents
such as legal agreements, financial documents, or research information. Advanced Content Analysis
includes both exact and fuzzy matching technologies to ensure intellectual property is not lost.
• Exact document matching – The detection of 'exact' or 'identical' content from a document, such as a
phrase, sentence, paragraph or page.
• Fuzzy document matching – The detection of like or similar content from a document based on words,
phrases or word patterns.
Advanced Content Analysis introduces the concept of Categories of information. By thoughtfully creating
these categories and training them to recognize specific content patterns, you enable Email Gateway to
detect and act upon messages that pose risks to confidential information.
• Fingerprinting – Fingerprinting identifies exact matches of small pieces of the documents you train
(sentences, paragraphs, pages) to the contents of an email message, based on the same technology used
within TrustedSource to identify spam message reputation.
Example: An email sent with the following conditions will be detected by Fingerprinting:
This is true even if content of the email or attachment is in a different format than the original
documents (for example, the original trained document was a Word document and the attachment is a
Power Point document).
• Adaptive Lexical Analysis – This technology utilizes fuzzy matching algorithms to detect similarities
between the contents of an email (both email body and attachments) and the trained document. Adaptive
Lexical Analysis requires training of both sensitive and non-sensitive documents. Adaptive Lexical Analysis
uses advanced statistical analysis (extracting lexical tokens from words, phrases, and word patterns) to
determine if an email contains either confidential or non-confidential content.
Example: If the trained document has the following sentence, “The quick brown fox ran through the
green garden,” Lexical Analysis would identify an email containing the sentence “The brown fox
hopped through the green garden” as a fuzzy match.
• Clustering – This technology is best utilized if you have a narrow category or type of content you wish to
detect, such as sensitive HIPAA documents. Clustering utilizes fuzzy matching to find likeness of a whole
document to the trained corpus of documents that are part of a category. It uses a large scale analysis
of word frequencies. This engine is effective at detecting content even if it is substantially reordered,
scrambled, or appears in entirely different documents than those trained. However, Clustering requires
very diligent training of documents to create a proper corpus for detection to prevent risk of false
positives. Clustering is recommended only in situations where narrow categories of documents can be
defined and stringent consideration is put into selecting documents to train upon.
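The contrast between exact matching of document pieces and fuzzy matching of similar wording is clearer with a small model. The following added example is not the TrustedSource-derived fingerprinting or the Adaptive Lexical Analysis engine described above; it stands in for them with hashes of normalised sentences (so the same sentence survives a change of document format) and with token-set similarity (Jaccard) for the fuzzy case, using the document’s own “quick brown fox” illustration. The trained text, messages and the 0.6 sensitivity are constructed.

```python
"""Toy fingerprinting and fuzzy lexical matching (added example, not product code).

Fingerprinting: SHA-256 of each normalised sentence of the trained document,
so identical sentences match regardless of case, punctuation or the format
of the file they were extracted from. Fuzzy matching: Jaccard similarity of
token sets, so a reworded sentence still scores. Thresholds are constructed.
"""
import hashlib
import re


def normalise(text):
    """Lower-case, drop punctuation and collapse whitespace: format-agnostic form."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return " ".join(text.split())


def sentences(text):
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def _digest(sentence):
    return hashlib.sha256(normalise(sentence).encode()).hexdigest()


def fingerprint(text):
    """Set of per-sentence digests for a trained (confidential) document."""
    return {_digest(s) for s in sentences(text)}


def fingerprint_hits(trained_fp, message):
    """Sentences of the message whose digest appears in the trained set (exact match)."""
    return [s for s in sentences(message) if _digest(s) in trained_fp]


def jaccard(a, b):
    ta, tb = set(normalise(a).split()), set(normalise(b).split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def fuzzy_match(trained, message, sensitivity=0.6):
    """True if any trained sentence is at least `sensitivity` similar to a message sentence."""
    return any(jaccard(t, m) >= sensitivity
               for t in sentences(trained) for m in sentences(message))


# Constructed trained document (two sentences).
TRAINED = ("The quick brown fox ran through the green garden. "
           "Project Falcon pricing is confidential until Q3.")


if __name__ == "__main__":
    fp = fingerprint(TRAINED)
    exported = "Reminder. PROJECT FALCON PRICING IS CONFIDENTIAL UNTIL Q3."
    reworded = "The brown fox hopped through the green garden"
    print("exact hits:", fingerprint_hits(fp, exported))      # format changed, still hits
    print("exact hits:", fingerprint_hits(fp, reworded))      # reworded: no exact hit
    print("fuzzy:", fuzzy_match(TRAINED, reworded))           # but a fuzzy match
```

Raising `sensitivity` towards 1.0 makes the fuzzy engine behave like the exact one; lowering it widens detection and, as the Clustering paragraph warns, raises the false-positive risk, which is the trade-off the Sensitivity setting controls.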
Key concepts
Advanced Content Analysis uses sophisticated techniques to analyze email messages for the presence of
confidential content. The following concepts, as defined for Advanced Content Analysis, are important:
• A category defines a type of content that is to be monitored by Advanced Content Analysis. Categories
can be defined for any type of content, but might operate more effectively if all content is related to a
common compliance issue, such as medical or financial information, or product design specifications.
Categories can be associated with dictionaries or documents.
• The default category is always present in Advanced Content Analysis, and it can not be deleted. The
primary role for this category is to maintain rules that will trigger adaptive lexical analysis. The Adaptive
Lexical Analysis engine does not understand categories; it only understands whether content is
confidential or not confidential. The Adaptive Lexical Analysis engine will only trigger rules defined against
the default category.
• Confidential – In the product UI, synonymous with Non-Compliant, denotes data that does contain
content/data that should be protected from inappropriate exposure. Confidential data is data that will
trigger policy.
• Non-Confidential – In the product UI, synonymous with Compliant, denotes data that does not
contain content/data that needs to be protected from inappropriate exposure. Non-Confidential data
is data that will not trigger policy.
• Category Training provides the method to increase the effectiveness of categories by submitting both
confidential and non-confidential documents to serve as examples. You must identify the category you
wish to train, then submit the documents. A confidential document contains material you want Email
Gateway to act upon via rules defined against that category. A non-confidential document contains
material that might be germane to the category, but does not contain confidential information. This will
help the Compliance engines to better discern between confidential and non-confidential material within
the category.
When building a training corpus, try to select documents that represent the category, avoiding
material that might bridge categories or that contains extraneous or irrelevant information. Try to
maintain a 50-50% ratio between confidential and non-confidential information in all categories.
McAfee limits the total corpus size to 30 MB of extracted text (an average novel is roughly 500 KB of
extracted text) due to the extreme computational requirements of this technology.
Note: The size of an average novel is approximate; it was derived by checking the extracted text of a few
novels from Project Gutenberg. For example:
• Dracula – 854 KB
• Sensitivity is a setting for each of the three advanced detection engines (Fingerprinting, Adaptive Lexical
Analysis, and Clustering) which varies how much data must be matched for the engine to return a decision
of confidential (non-compliant) vs. non-confidential (compliant). To set sensitivity, navigate to
Compliance | Content Analysis Advanced | Configure Categories.
2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.
3 View your rules, and make any allowed changes to complete the screen (see Table 46).
2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.
3 Click Add New at the bottom of the window. The Add Rule window appears.
2 Click Content Analysis Advanced, then click Manage Rules. The Content Analysis Advanced - Manage
Rules window appears.
3 Click the rule ID number on the Manage Rules window. The Edit Rule window appears.
2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.
3 View your policies, and make any allowed changes (see Table 49).
4 When you are finished, click Submit. The Apply Rules window updates.
2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.
3 Click Add New at the bottom of the Apply Rules window. The Add Apply Rule window appears.
5 Click Submit to add your new rule to the Apply Rules window.
Note: You can configure Virtual Hosts at Intrusion Defender | Virtual Hosts. More detailed information is
available in Chapter 25, Virtual Hosts.
2 Click Content Analysis Advanced, then click Apply Rules. The Content Analysis Advanced - Apply Rules
window appears.
3 Click the ID hyperlink on the Apply Rules page. The Edit Apply Rule window appears.
Categories
Advanced Content Analysis employs categories in defining and applying rules. The Manage Categories
window lists the categories and allows access to edit the existing categories and define new ones.
To view existing categories, do the following:
1 Click the Compliance tab.
2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.
3 View the categories, and make any allowed changes (see Table 52).
4 When you have finished, click Submit. The Manage Categories window updates.
The window also contains a hyperlink that allows you to export Categories to the training tool. The training
tool is a 32-bit Windows program that allows you to train categories. Detailed information is provided at
The Compliance Trainer.
Exporting categories
When you click Export, a message appears on your window. The Categories file will be exported as a text
document. You can click Open to see the contents of the file, or click Save and then navigate to the
location where you want to store the file. The Categories are then available to import into the training tool.
Adding a category
To add a new Category, do the following:
1 Click the Compliance tab.
2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.
3 Click Add New at the bottom of the window. The Add Category window appears.
Editing a category
To edit an existing category, do the following:
1 Click the Compliance tab.
2 Click Content Analysis Advanced, then click Categories. The Content Analysis Advanced - Manage
Categories window appears.
• Highlight a dictionary.
Training categories
Categories can be trained to increase their effectiveness. This can be done on the Email Gateway itself, or
using the Compliance Trainer.
To train categories on the Email Gateway, do the following:
1 Click the Compliance tab.
2 Click Content Analysis Advanced, then click Train Categories. The Content Analysis Advanced - Train
Category window appears.
Note: The bottom portion of the window shows a graphic overview of the training corpus (see View Training
Corpus).
Configuring categories
Advanced Content Analysis Categories are trained individually on the Email Gateway, but they are
configured as a group.
To configure categories, do the following:
1 Click the Compliance tab.
2 Click Content Analysis Advanced, then click Configure Categories. The Content Analysis Advanced -
Configure window appears.
2 Click Content Analysis Advanced, then click View Training Corpus. The Content Analysis Advanced -
Training Corpus window appears.
3 View the window, and make any allowed changes (see Table 57).
4 When you have finished, click Submit. The Training Corpus window updates.
The upper portion of this window is a table that lists individual categories and provides information about
their associated documents.
The lower portion of the window is a graph that provides a quick snapshot of the entire Training Corpus.
The graph shows the portion of the Corpus for three parameters:
• In-use – this is the portion of the total Corpus occupied by data retained from the training of documents.
• Pending – this section of the graph represents the portion occupied by documents that are scheduled for
use in training Categories.
• Free – the graph also shows the portion of the Corpus that is currently not occupied by training
information (available space).
For detailed information about the Compliance Trainer, see Appendix I, Compliance Trainer.
Contents
About Image Analysis
Managing Image Analysis rules
Applying Image Analysis rules
2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.
3 View your rules, and make any allowed changes to complete the screen (see Table 58).
2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.
3 Click Add New at the bottom of the Manage Rules window. The Add Rule window appears.
5 Click Submit. The Manage Rules window updates to add the rule.
2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.
3 Click the rule ID hyperlink for any rule. The Edit Rule window appears.
5 Click Submit. The Manage Rules window updates to add the rule.
2 Click Image Analysis, then click Apply Rules. The Image Analysis - Apply Rules window appears.
3 View the policies, and make any allowable changes (see Table 61).
2 Click Image Analysis, then click Apply Rules. The Image Analysis - Apply Rules window appears.
3 Click Add New at the bottom of the window. The Add Apply Rule window appears.
5 Click Submit. The Manage Rules window updates to add the rule.
by clicking Add New at the bottom of the Apply Rules window. The Add Apply Rule window appears.
Figure 59 Image Analysis - Add Apply Rule window
Note: You can configure Virtual Hosts at Intrusion Defender | Virtual Hosts. More detailed information is
available in Chapter 25, Virtual Hosts.
2 Click Image Analysis, then click Manage Rules. The Image Analysis - Manage Rules window appears.
3 Click the rule ID on the Manage Rules window. The Edit Apply Rule window appears.
2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.
3 View your rules, and make any allowed changes to complete the screen (see Table 64).
The only change you can make on this window is the deletion of rules. You can, however, add new rules or
edit existing ones by navigating to additional windows.
2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.
3 Click Add New at the bottom of the Manage Rules window. The Add Rule window appears.
2 Click Envelope Analysis, then click Manage Rules. The Envelope Analysis - Manage Rules window
appears.
2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.
3 View your rules, and make any allowed changes to complete the screen (see Table 67).
2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.
3 Click Add New at the bottom of the window. The Add Rule window appears.
2 Click Envelope Analysis, then click Apply Rules. The Envelope Analysis - Apply Rules window appears.
3 Click the ID for the rule. The Edit Rule window appears.
About whitelisting
Whitelisting allows you to exempt specific portions of your email traffic from some or all of Email Gateway
processing. You can specify domains, email addresses, or IP addresses that belong to trusted senders.
Whitelisting can reduce the volume of traffic Email Gateway must process and improve overall processing of
email.
Use the options in the table below to allow individuals, domains or IP addresses to bypass specific Email
Gateway processes.
When the rule is configured as you wish, click Submit to save the rule.
Viewing whitelists
The Whitelist - View Rules window allows you to see all the rules that are currently configured. From this
window you can delete rules or navigate to a window where you can edit existing rules.
Figure 65 Whitelist - View Rules window
When the whitelist entry is configured properly, click Submit. The Whitelist - View Rules window will refresh
to include the new or revised entry.
When you have modified the rule as you intended, click Submit. The View Whitelist Rules window will
update.
Searching whitelists
Email Gateway provides the ability to search the whitelists for specific rules or for applications of the rules.
You can begin a search by navigating to the Search Whitelist window.
Figure 66 Whitelist - Search Rules window
Supply the parameters to be used in conducting the search. It might be helpful to narrow the search by
providing all the information you have to limit the potential results.
Note: You can conduct a search for Rules or Policies, but not both in the same search instance.
When the search parameters have been entered, click Submit to see the search results.
Figure 67 Search Result window
When you have completed the configuration, click Submit to add the application. The Whitelist - Apply
Rules window will update to show the new application.
Editing an application
You can also edit existing applications as necessary. Click the Apply ID for the particular application to
open the Edit Whitelist Rule window.
When you have made the necessary changes, click Submit. The Apply Whitelist - Apply Rules window will
update.
When you have entered the search parameters, click the Search button to execute the search. Email
Gateway will return a list of all masquerade entries that match the parameters, or display a message saying
that no entries were found.
When the information is correct, click Submit. The Address Masquerading window will update.
Note: When you use inbound address masquerading, you must create an entry in the Domain-Based Routing
Table for the new domain name, and ensure the associated internal mail server is configured to accept mail from
the new domain. Otherwise, incoming mail will be rejected with a 571 Cannot relay error.
When the information is correct, click Submit. The Address Masquerades - Manage window will update.
Note: Wildcards cannot be used in masquerading email addresses. They can only be used for domain
masquerading.
When you have entered or selected the information correctly, click Submit. The Manage Rules window will
update to show the new addition.
Make changes to the data as necessary, then click Submit. The window will update to include your
changes.
When the information has been entered correctly, click Submit. The Desktop Encryption Analysis - Apply
Rules window will update.
After you have made the changes you desire, click Submit. The Desktop Encryption Analysis - Apply Rules
window will update to include your changes.
Field – Description
Enable Off Hour Delivery - Configure – Select the checkbox to enable off-hour delivery.
Apply to all Virtual Hosts – If the administrator adding the new policy is an appliance-level
administrator and is logged into the Default Virtual Host, this checkbox appears. If the administrator
selects it, the new policy will apply to all Virtual Hosts on the appliance, without exception.
If the administrator is a Virtual Host administrator or an appliance-level administrator logged directly
into a Virtual Host, this option does not appear.
Apply To – From the pick list, select the type of entity to which the policy will apply. Options are:
• Email Address – applies the policy to one individual user (for multiple users, create a group).
• User Group – applies the policy to a group consisting of a list of individual users.
• Domain Group – applies the policy to a group consisting of a list of domains.
• Domain – applies the policy to a single domain (to apply the rule to multiple domains, first create a
domain group).
• Global – applies the policy to all users.
See About Group Manager later in this chapter.
Data selection – If you chose User Group or Domain Group above, select the name of an existing group
from the enabled pick list.
Data – If you chose Domain or Email Address as the “Apply To” entity, type the domain name or email
address to identify the specific entity.
Exclude – If you want this policy to apply to everyone except the entity you define, select the checkbox.
Field – Description
Size (MB) – Type a number to represent the minimum size in megabytes for messages that will trigger
Off-Hour Delivery.
Begin Time – Select the time of day (hours and minutes) from the pick lists to define the time of day that
begins the Off-Hour Delivery period.
End Time – Select the time of day (hours and minutes) from the pick lists to define the time of day that
ends the Off-Hour Delivery period.
Notifications – The center panel of the window allows you to configure notifications to be generated by
this rule, if desired.
Notification Recipients – The three checkboxes allow you to select the individuals who will receive the
notices Email Gateway generates for this rule. You can select one or more of the following:
• The Sender of the message
• The Internal User (either sender or recipient)
• Up to three Additional Recipients (such as security personnel, administrators, and so forth)
For each additional recipient, you must specify the email address.
Notification Templates – For each individual who is to receive notification, select the template to be
used. See Mail Notification later in this chapter.
Note: If Email Gateway does not finish delivering all large messages before the End Time, unsent messages will
remain in the queue until the next Begin Time. You can manually “push” messages out of the queue.
When the information is entered correctly, click Submit. Off-Hour Delivery will occur on a daily basis, as
you have configured it.
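The deferral decision described by the Size (MB), Begin Time and End Time fields and the note above, as an added example in Python. This is not McAfee code; the rule model, the 10 MB / 22:00 to 06:00 values and the sample times are constructed. It covers the two cases an administrator usually gets wrong: a window that crosses midnight, and a large message that arrives outside the window (it waits for the next Begin Time rather than being delivered).

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MB = 1024 * 1024


@dataclass(frozen=True)
class OffHourRule:
    """Assumed model of an Off-Hour Delivery rule: the Size (MB), Begin Time
    and End Time fields from the table above."""
    size_mb: float   # minimum message size that triggers deferral
    begin: time      # start of the daily off-hour window (appliance local time)
    end: time        # end of the daily off-hour window


def in_window(rule: OffHourRule, now: datetime) -> bool:
    """True when 'now' falls inside the off-hour window.
    A window such as 22:00 to 06:00 crosses midnight and is handled too."""
    t = now.time()
    if rule.begin <= rule.end:
        return rule.begin <= t < rule.end
    return t >= rule.begin or t < rule.end


def next_begin(rule: OffHourRule, now: datetime) -> datetime:
    """Next Begin Time after 'now': today's if it has not started yet, else tomorrow's."""
    candidate = datetime.combine(now.date(), rule.begin)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def schedule(rule: OffHourRule, message_bytes: int, now: datetime):
    """Return (deliver_now, earliest_delivery).

    Messages below the size threshold are never deferred. Large messages are
    released only inside the window; anything still unsent when the window
    closes waits for the next Begin Time, as the note above describes."""
    if message_bytes / MB < rule.size_mb:
        return True, now
    if in_window(rule, now):
        return True, now
    return False, next_begin(rule, now)


# Constructed rule: defer messages of 10 MB or more to the 22:00-06:00 window.
EXAMPLE_RULE = OffHourRule(size_mb=10, begin=time(22, 0), end=time(6, 0))


def schedule_iso(message_bytes: int, iso_now: str, rule: OffHourRule = EXAMPLE_RULE):
    """String-based wrapper around schedule(): ISO-8601 time in, ISO-8601 time out."""
    deliver_now, when = schedule(rule, message_bytes, datetime.fromisoformat(iso_now))
    return deliver_now, when.isoformat()


if __name__ == "__main__":
    for stamp in ("2009-06-01T14:30:00", "2009-06-01T23:15:00", "2009-06-02T02:00:00"):
        print(stamp, schedule_iso(15 * MB, stamp))
```

The window comparison uses a half-open interval (Begin inclusive, End exclusive), so a message arriving exactly at End Time is already treated as outside the window, which matches the note that unsent messages wait for the next Begin Time.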
When you have entered the correct information, click Submit. The Attachment Analysis Rule Management
window updates.
Multiple rules
When a message conforms to more than one rule, more than one action can be taken on that message. In
some situations, not all actions can be performed. Policy attribute comparison is used to resolve conflicting
actions. In the comparison, a system-defined policy supersedes a user-defined policy, a policy applied to a
user supersedes a policy applied to a group, and a higher action code supersedes a lower one. For example,
if both secure delivery and forward actions can apply to one message, secure delivery takes precedence
because the forward action could cause the original message to be deleted so that it could not be delivered
securely. More information about actions and action precedence is available in Appendix C, Actions and
Action Codes and Appendix G, Email Gateway Action Order of Precedence of this Administration Guide.
Policy attribute comparison is also used to resolve conflicts when the actions belong to different policies,
following the same guidelines used when the action codes belong to the same policy. For example, when
multiple quarantine rules with finite quarantine days can be applied, policy attribute comparison selects one
of them by comparing the quarantine periods.
Policy attribute comparison can resolve conflicts when multiple actions directed at specific message parts
are configured for the same attachment extension or file name. Only one part-level action can be applied,
such as either drop part or rename, drop part or pass through. This also applies when two rename actions
are defined for the same extension, since the part can only be renamed to one new name or the other.
Policy attribute comparison is performed between two rules when either of them is one of the following:
• Reroute
• Drop
• Quarantine forever
If one of the actions is any of the above, one action will be performed and all other actions will be ignored,
since the message is no longer available for additional action.
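Policy attribute comparison as the paragraphs above describe it, written out as an added Python example; this is not McAfee code and the action codes are illustrative (the real ones are in Appendix C), as are the rule names, the .exe part-level rules and the assumption that, between finite quarantines, the longer period wins. The ordering is the one stated in the text: system-defined over user-defined, user scope over group scope, then higher action code; a Reroute, Drop or Quarantine forever action consumes the message so nothing else runs; only one part-level action survives per attachment extension; and the forward/secure delivery conflict is resolved in favour of the higher-ranked rule.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative action codes only; what matters is the ordering (higher wins).
ACTION_CODE = {
    "pass_through": 5, "log": 10, "rename": 15, "copy": 20, "drop_part": 25,
    "forward": 30, "secure_delivery": 40, "quarantine": 50,
    "reroute": 80, "drop": 90, "quarantine_forever": 95,
}
# After these the message is no longer available for further action.
TERMINAL = {"reroute", "drop", "quarantine_forever"}
# Message-level actions that cannot both run (the forward / secure delivery case).
EXCLUSIVE = [{"forward", "secure_delivery"}]


@dataclass(frozen=True)
class MatchedRule:
    name: str
    action: str
    system_defined: bool = False            # system-defined beats user-defined
    scope: str = "group"                    # "user" beats "group"
    quarantine_days: Optional[int] = None   # finite quarantine period
    part_target: Optional[str] = None       # attachment extension for part-level actions
    new_name: Optional[str] = None          # target name for rename


def rank(rule: MatchedRule):
    """Comparison key in the order the text gives: system-defined, then user
    scope, then action code. Python compares the tuple left to right."""
    return (rule.system_defined, rule.scope == "user", ACTION_CODE[rule.action])


def resolve(matched):
    """Return the subset of matched rules whose actions will actually be performed."""
    terminals = [r for r in matched if r.action in TERMINAL]
    if terminals:
        return [max(terminals, key=rank)]   # one wins, every other action is ignored

    chosen = []
    # Part-level actions: one per extension or file name (drop part vs rename,
    # rename vs rename, ...).
    by_target = {}
    for r in matched:
        if r.part_target is not None:
            by_target.setdefault(r.part_target.lower(), []).append(r)
    for rules in by_target.values():
        chosen.append(max(rules, key=rank))

    # Finite quarantines: keep one by comparing the periods. Assumption of this
    # example: the longer period wins; ties fall back to the attribute ranking.
    quarantines = [r for r in matched if r.action == "quarantine" and r.part_target is None]
    if quarantines:
        chosen.append(max(quarantines, key=lambda r: (r.quarantine_days or 0, rank(r))))

    # Remaining message-level actions run together unless mutually exclusive;
    # walking them in rank order keeps the higher-ranked one of a conflicting pair.
    others = [r for r in matched if r.part_target is None and r.action != "quarantine"]
    for r in sorted(others, key=rank, reverse=True):
        if not any({r.action, c.action} in EXCLUSIVE for c in chosen):
            chosen.append(r)
    return chosen


def resolve_names(matched):
    return [r.name for r in resolve(matched)]


# Constructed: rules that all match one message carrying an .exe attachment.
SAMPLE_RULES = [
    MatchedRule("log-all", "log"),
    MatchedRule("copy-compliance", "copy"),
    MatchedRule("fwd-to-auditor", "forward"),
    MatchedRule("secure-deliver", "secure_delivery"),
    MatchedRule("quarantine-7d", "quarantine", quarantine_days=7),
    MatchedRule("quarantine-30d", "quarantine", quarantine_days=30),
    MatchedRule("rename-exe", "rename", part_target="exe", new_name="exe.txt"),
    MatchedRule("rename-exe-vip", "rename", part_target="exe", new_name="exe.blocked", scope="user"),
]

if __name__ == "__main__":
    print(resolve_names(SAMPLE_RULES))
```

Note that scope outranks action code: a user-scoped forward rule beats a group-scoped secure delivery rule even though secure delivery has the higher code, which is exactly why the text lists the comparison criteria in a fixed order.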
When all the fields are entered correctly, click Submit to record your changes.
When you have completed the necessary information, click Submit. The Attachment Analysis - Apply Rules
window will update to include the new application.
Editing an application
You can edit an existing application when it becomes necessary or desirable. Click on the application’s
Apply ID hyperlink to open the Attachment Analysis - Edit Apply Rules window, populated with the current
configuration information.
Make the desired changes and click Submit. The Attachment Analysis - Apply Rules window will refresh.
Dangerous extensions
The following extension types are capable of executing code: att, bat, chm, cmd, com, cpl, eml, exe, hta,
htm, html, ins, isp, js, jse, lnk, mp3, msi, msp, pif, req, scr, sct, shs, vbe, vbs, wav, wsc, wsf, wsh. Add
these extensions only after they have been reviewed to ensure they are not used legitimately within your
environment.
Detection capabilities
The detection capabilities of DLP Analysis include:
• Finding encrypted traffic
How it works
The following diagram illustrates the high-level flow for DLP Analysis.
Figure 81 Network DLP Analysis flow diagram
2 You create a rule on Email Gateway that takes a DLP action based on some conditions. Taking a DLP
action means that Email Gateway will submit the message for a DLP scan.
3 Depending on how you configured DLP Analysis policies, different results might be possible:
Note: The DLP Analysis feature has its own quarantine queue. Messages quarantined by DLP Scan are held
there. For more information, see About quarantine types in Chapter 4 of the Administration Guide.
c DLP Analysis sends this scanned message (containing the added header) back to Email Gateway.
d DLP Analysis sends back a notification message to Email Gateway; this notification contains the ALLOW
header, permitting the message to be routed to SuperQueue.
Note: Generally, DLP Analysis takes actions which are accompanied by notification messages. Email
Gateway can also send other notifications about DLP scan actions, created using an additional notification
template, Network DLP Notification. See About Mail Notification, later in this chapter.
4 Email Gateway scans the incoming messages. If an incoming message is from DLP Analysis, Email
Gateway considers this ‘round 2’ of the process.
a During round 2, Email Gateway skips all normal checks such as address pattern matching, LDAP
validations, and so forth, and sends the message directly to SuperQueue.
b Depending on the action you set for DLP Analysis, the configured action will be taken.
5 If delivery of the message is allowed, Email Gateway forwards it to the email server.
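The round 1 / round 2 dispatch from the flow above, as an added Python example; it is not McAfee code. The guide says only that the scanned message comes back with an added header and that an ALLOW header permits routing to SuperQueue, so the header name `X-DLP-Action`, the DLP host address and the sample messages are all assumptions of this example. The design point it shows is that the round-2 shortcut (skipping address pattern matching, LDAP validation and the other normal checks) is granted only to mail that actually arrives from the configured DLP host; a header by itself does not select round 2.

```python
from email import message_from_string
from ipaddress import ip_address

# Assumptions of this example: the guide names neither the header nor the host.
DLP_HOST = ip_address("10.0.0.50")   # constructed address of the Reconnex Prevent host
DLP_HEADER = "X-DLP-Action"          # assumed name of the header DLP Analysis adds
NORMAL_CHECKS = ["address-pattern-matching", "ldap-validation"]


def classify_round(peer_ip: str, raw_message: str):
    """Return ("round1", None) for fresh mail, or ("round2", verdict) for a
    message returning from DLP Analysis. Round 2 requires both the header and
    a connection from the DLP host; the header on its own is not enough."""
    msg = message_from_string(raw_message)
    verdict = msg.get(DLP_HEADER)
    if verdict is not None and ip_address(peer_ip) == DLP_HOST:
        return "round2", verdict.strip().upper()
    return "round1", None


def route(peer_ip: str, raw_message: str, dlp_action: str = "quarantine"):
    """Dispatch decision for one message.
    Round 1: run the normal checks, then submit to DLP when a rule with a DLP
    action fires (this example assumes one always does).
    Round 2: skip the normal checks, go straight to SuperQueue and apply the
    verdict: ALLOW delivers, anything else takes the configured DLP action
    (quarantine here, into the DLP quarantine queue)."""
    rnd, verdict = classify_round(peer_ip, raw_message)
    if rnd == "round1":
        return {"checks": list(NORMAL_CHECKS), "next": "dlp-scan", "action": None}
    if verdict == "ALLOW":
        return {"checks": [], "next": "superqueue", "action": "deliver"}
    return {"checks": [], "next": "superqueue", "action": dlp_action}


# Constructed messages, not captured traffic.
FRESH = ("From: alice@example.com\r\nTo: bob@example.org\r\n"
         "Subject: report\r\n\r\nQ2 numbers attached\r\n")
RETURNED_ALLOW = "X-DLP-Action: ALLOW\r\n" + FRESH
RETURNED_BLOCK = "X-DLP-Action: BLOCK\r\n" + FRESH

if __name__ == "__main__":
    print(route("203.0.113.7", FRESH))
    print(route("10.0.0.50", RETURNED_ALLOW))
    print(route("10.0.0.50", RETURNED_BLOCK))
```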
If you have made any changes to the existing rules, click Submit to save your configuration.
You cannot add or delete rules in Network DLP Analysis, but you can edit the existing rules.
Prerequisites
• A Reconnex Prevent DLP host must be available and properly configured, and its IP address must be
provided to the Email Gateway; otherwise, the DLP Scan action cannot be used as intended.
• The Mail Monitoring Queue must be included in the queue order on the Email Gateway appliance (Queue
Manager | Configure Queues).
• Network DLP Analysis must be enabled (Compliance | Advanced Compliance | Network DLP Analysis).
• Content Analysis
• Envelope Analysis
• Image Analysis
Tandem actions
The DLP Scan action is not mutually exclusive, and can be performed in tandem with the following actions:
• Quarantine
• Forward
• Subject rewrite
• Copy
• Log
This does not change action precedence. For example, if both Quarantine and DLP Scan actions are
configured, the Quarantine action will take precedence. DLP Scan will be performed after the message has
been released from quarantine.
During round 2 of message processing, Email Gateway sends the DLP message directly to SuperQueue for
processing.
When the information is correctly entered, click Submit. The Message Stamping - Manage Rules window
will refresh to display the new rule.
When you have made the desired changes, click Submit. The Message Stamping Rule Management window
updates.
If you have changed the enabling of Message Stamping or elected to delete a policy, click Submit.
When you have completed the configuration information, click Submit. The Message Stamping - Apply
Rules window will update to show the new application.
When you have made the changes you wish, click Submit. The Message Stamping - Manage Rules window
will update to include your changes.
If you make changes to this window, click Submit to save the changes.
When you have the information entered correctly, click Submit. The Group Definition window will update to
add your new group.
When you have completed the changes you want to make, click Submit. The Edit Group Definition window
updates to show the new configuration.
Editing a domain-based group is like editing a user group. The screens are slightly different. To edit the
definition, click the Group hyperlink. When you have made the required changes, click Submit.
Adding a notification
Email Gateway provides templates (listed later in this section) covering the policies that support user
notification. Selecting a template for an Email Gateway policy populates text fields in the lower half of the
page with sample text. The sample text can be edited and personalized as required.
To create a new notification, click Add New on the Mail Notifications - Manage window.
When you have entered the necessary data, click Submit. The Mail Notifications - Manage window will
refresh to include your new template.
When you have entered the necessary data, click Submit. The Mail Notifications - Manage window will
refresh to include your updated template.
Allowed variables
The variables that can be used for custom notifications will vary according to the type of notice being
configured. The variables are shown below.
Caution: The Pull tags must come before the Push tags when you customize the notifications.
• Forwarded as Attachment: When an Email Gateway policy has a forward as attachment action, it
creates a new email envelope, with the original message as an attachment. The message will be sent from
fwd-attach@default_domain.com.
• Copy: When an Email Gateway policy has a copy action, it creates a new email envelope with the original
message as an attachment. The message will be sent from copied@default_domain.com.
• Copied as Attachment: When an Email Gateway policy has a copy as attachment action, Email Gateway
creates a new email envelope with the original message as an attachment. The message will be sent from
copied-attach@default_domain.com.
• Delivery Status Notification (DSN): If Email Gateway is unable to deliver an email, and DSN is enabled
in the SMTPO Service, it generates a new email to the sender. The DSN is sent from
dsn@default_domain.com.
Note: Delivery Status Notifications might lose some fidelity with the Template if they are delivered to a Domino
server. When the Domino SMTP listener receives a DSN, it recognizes it as DSN and reformats it to the Domino
standard format. Then it places it in the server mail.box for delivery. The Notes form is also changed from
memo to NonDelivery Report.
• Reports: If configured to do so, Email Gateway e-mails its daily Reports. They are sent from
reports@default_domain.com.
• User-reported Spam to HQ: If configured to do so, Email Gateway creates an email to McAfee’s spam
collection address, with user-reported spam as an attachment. The email is sent from
userreports@default_domain.com.
• Enterprise Spam to HQ: If configured to do so, Email Gateway creates an email to McAfee’s spam
collection address, with enterprise-reported spam as an attachment. The email is sent from
enterprise@default_domain.com.
Email Gateway provides templates for customized email notifications when policies are enforced (for
example, policies concerning Off-Hour Delivery, or enforcement of Envelope Analysis and Content Analysis
rules, and so forth). A notification message generated by Email Gateway is delivered by SMTPO to SMTPI
services. The message generated by Email Gateway bypasses all the queues. At this point, the message
has an RFC821 From address.
SMTP then sends the notifications to SMTPO for delivery to the intended recipient. When SMTPO delivers
these outbound messages to the actual host for the recipient domain, the RFC821 From address is blank.
All Email Gateway notifications are handled in this way. This approach prevents a possible looping email
condition that can occur if generated notifications are sent with a From Address that is not reachable.
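The two-hop notification path above (a real From address on the internal SMTPO to SMTPI hop, a blank RFC 821 From on outbound delivery) as an added Python example; this is not McAfee code. The system addresses follow the `dsn@default_domain.com` pattern from the template list, the body text is constructed, and the Auto-Submitted header and the refusal to notify a message that itself arrived with a null reverse path are standard mail-loop precautions (RFC 3834 and RFC 5321 respectively) that this example adds beyond what the page states.

```python
from email.message import EmailMessage
from email.parser import Parser

DEFAULT_DOMAIN = "default_domain.com"   # placeholder domain used by the template list above


def should_generate_notification(original_raw: str, envelope_from: str) -> bool:
    """Loop guard applied before any notification is generated.
    A message that itself arrived with the null reverse path (a DSN, or another
    gateway's notice) or that is marked Auto-Submitted gets no notification;
    answering such mail is the classic source of bounce loops."""
    if envelope_from.strip() in ("", "<>"):
        return False
    hdr = Parser().parsestr(original_raw, headersonly=True).get("Auto-Submitted", "no")
    return hdr.strip().lower() == "no"


def build_notification(kind: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """The message itself: the RFC 5322 From header carries the per-kind system
    address (dsn@, reports@, ...) so the recipient can see who generated it."""
    msg = EmailMessage()
    msg["From"] = f"{kind}@{DEFAULT_DOMAIN}"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Auto-Submitted"] = "auto-replied"   # RFC 3834: tells receivers not to auto-reply
    msg.set_content(body)
    return msg


def envelope(hop: str, kind: str, recipient: str):
    """SMTP envelope for one hop. The internal SMTPO -> SMTPI hop carries the
    system address as the RFC 821 From; outbound delivery to the recipient's
    host uses the empty reverse path, so the remote host has nowhere to bounce
    to and cannot start a loop."""
    reverse_path = "<>" if hop == "outbound" else f"<{kind}@{DEFAULT_DOMAIN}>"
    return [f"MAIL FROM:{reverse_path}", f"RCPT TO:<{recipient}>"]


if __name__ == "__main__":
    original = "From: alice@example.com\r\nTo: bob@example.org\r\n\r\nhello\r\n"
    if should_generate_notification(original, "alice@example.com"):
        note = build_notification("dsn", "alice@example.com", "Undeliverable", "Your message was not delivered.")
        print(note["From"], envelope("internal", "dsn", "alice@example.com"))
        print(envelope("outbound", "dsn", "alice@example.com"))
```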
For information about applying your updates, see Managing updates in Chapter 35 of this Administration
Guide.
Anti-Spam
Anti-Spam snapshot
The opening window for Anti-Spam is the Quick Snapshot window, showing reports of both historical and
current statistics. The quick snapshots provide an easily understood overview of processes and actions with
the Anti-Spam program area.
Message trend
The top panel shows historical data for a defined time period, tracking the following actions:
• Messages that triggered actions by the SpamProfiler
The historical trend data is intended to allow you to detect changes over time. The time period covered by
the historical graphs will vary according to the amount of data accumulated.
• If the appliance has data for less than a week, the trend data is plotted daily.
• If the data represents from 1 to 12 weeks, the trend is plotted on a weekly basis. The dates displayed
represent the beginning date (Sunday) for each week.
• If the data covers more than 12 weeks, the trends will still be plotted on a weekly basis, showing the most
recent 12 weeks.
Message actions
The middle panel contains a pie chart and a table that show actions taken by specific Anti-Spam tools from
midnight to the current update time.
The current data tracks the following actions for the SpamProfiler, Connection Control, Recipient Rejections
and other spam tools:
• Dropped messages
• Quarantined messages
SpamProfiler
The Email Gateway SpamProfiler allows a high level of spam protection while keeping false positives to a
minimum. Prior to the SpamProfiler, spam-fighting tools were limited; no matter how many detection
techniques were present, they all acted independently. Email Gateway uses a broad array of detection tools
to analyze messages for spam. Then SpamProfiler aggregates the results of these multiple tools to calculate
the probability that a message is spam. The result is much more trustworthy than the result from any spam
detection tool alone.
Email Gateway provides two methods of spam detection:
Tool-based
Tool-based spam detection is based on emails being processed sequentially by each enabled spam-blocking
tool. Once an individual tool thinks a message is spam, the specified action is taken and no other tools
examine it.
Note: If SpamProfiler is not enabled, Email Gateway defaults to tool-based spam detection.
Confidence-based
Confidence-based spam detection is based on having all enabled spam-blocking tools examine a message.
Email is not considered spam until all spam tools have each returned their respective determination. Each
tool is “weighted” by the Email Gateway administrator as to its reliability in detecting spam, and returns a
“probability score” for each message. SpamProfiler polls each enabled tool, then adds together each tool's
probability score and takes action only if the aggregate score reaches or exceeds an administrator-defined
threshold. Confidence-based spam detection is enabled and configured in the SpamProfiler.
Note: Spam tools must be enabled individually before they can be included in SpamProfiler calculations.
Spam profile
The spam profile is the result calculated from the contributed scores from all enabled spam tools. You can
determine which tools and which dictionaries contribute to the profile. This is configured at Anti-Spam |
SpamProfiler | Configure.
SpamProfiler can receive contributions from Content Analysis and many of the Anti-Spam tools. These
contributions are totaled to calculate the aggregate value used as the Spam Profile. The contributors are
identified in the table below. Some contributors require a confidence level and/or a threshold.
If you make changes to the existing configuration, click Submit to record the changes.
When the configuration data for the new rule is complete, click Submit. The SpamProfiler - Manage Rules
window will update to include the new rule.
From this window, you can open secondary screens to edit SpamProfiler policies or to add new policies.
When you have entered the required configuration data, click Submit. The SpamProfiler - Apply Rules
window will update to include the new policy.
When the modifications are completed, click Submit to record the changes.
Classifying spam
Two additional spam classification engines are included in Email Gateway:
• Image Spam Classifier
On the SpamProfiler - Configure window, you can enable or disable these engines. You cannot provide any
more configuration options; Technical Support maintains Image Spam Classifier, and TRU Signature
updates maintain Dynamic Spam Classifier.
• It also includes a blacklist designed to improve effectiveness by catching images similar to those known
to evade detection by ISC.
Images can be added to the whitelist and blacklist by informing Support and allowing them to be added.
The lists are not user-configurable, and will be maintained by McAfee.
The only user-configurable option for ISC is the ability to enable or disable it from the Spam Profiler
configuration window. ISC is disabled by default.
2 It checks the whitelist to look for a match. If it finds a match, it skips the image.
3 The ISC checks size heuristics. If the image is too large or too small, ISC skips it.
4 The Support Vector Machine (SVM) applies algorithms to determine the likelihood that the image is spam.
5 The ISC checks the blacklist to see if the image matches known spam images.
6 The ISC returns a raw score for the image to the Spam Profiler. By default, the score will be 0 if the image
is determined not to be spam, and 50 points if it is spam. A confidence value will be applied to the raw
score.
Default scores for the Spam Profiler can be reconfigured by Support upon request.
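Tool-based versus confidence-based detection (the Tool-based, Confidence-based and Spam profile passages earlier in this chapter) and the ISC raw score of 0 or 50 with a confidence applied (steps 5 and 6 above), in one added Python example. It is not McAfee code: the tool names, weights, per-tool thresholds and the sample verdicts are constructed, and TrustedSource is modelled as a contributor without a confidence setting because the TrustedSource section of this guide says none can be set. The sample message is chosen so that no single tool crosses its own threshold yet the weighted aggregate does, which is the case the text gives as the reason for SpamProfiler.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ToolResult:
    """One spam tool's verdict for a message (constructed model)."""
    name: str
    enabled: bool
    raw_score: float                        # probability score the tool returned
    confidence: Optional[float]             # administrator weighting 0.0-1.0;
                                            # None = raw score used as-is (TrustedSource)
    tool_threshold: Optional[float] = None  # the tool's own cut-off, used in tool-based mode


def isc_raw_score(is_spam: bool, spam_points: float = 50.0) -> float:
    """Image Spam Classifier default output: 0 for clean, 50 for spam."""
    return spam_points if is_spam else 0.0


def tool_based(results):
    """Sequential mode: the first enabled tool whose own threshold is met
    takes its action, and no later tool examines the message."""
    for r in results:
        if r.enabled and r.tool_threshold is not None and r.raw_score >= r.tool_threshold:
            return r.name
    return None


def spam_profile(results) -> float:
    """Aggregate Spam Profile: every enabled tool's score, weighted by its
    confidence where one is configured. Disabled tools contribute nothing."""
    total = 0.0
    for r in results:
        if not r.enabled:
            continue
        total += r.raw_score if r.confidence is None else r.raw_score * r.confidence
    return total


def confidence_based(results, threshold: float, profiler_enabled: bool = True):
    """SpamProfiler decision: act only when the aggregate reaches the
    administrator-defined threshold. With the profiler disabled, Email
    Gateway falls back to tool-based detection, as the note above says."""
    if not profiler_enabled:
        return tool_based(results)
    return "spamprofiler" if spam_profile(results) >= threshold else None


# Constructed verdicts for one message: 20 + 0 + 30 + 25 = 75 aggregate.
SAMPLE = [
    ToolResult("content-analysis", True, 40.0, 0.5, tool_threshold=80.0),
    ToolResult("isc", True, isc_raw_score(False), 0.5, tool_threshold=50.0),
    ToolResult("sdha", True, 60.0, 0.5, tool_threshold=80.0),
    ToolResult("trustedsource", True, 25.0, None),
    ToolResult("rbl", False, 100.0, 1.0, tool_threshold=1.0),   # disabled: must not count
]
# Same message, but ISC now calls the image spam (raw 50): aggregate 100.
IMAGE_SPAM = [ToolResult("isc", True, isc_raw_score(True), 0.5, tool_threshold=50.0)
              if r.name == "isc" else r for r in SAMPLE]

if __name__ == "__main__":
    print("tool-based:", tool_based(SAMPLE), "profile:", spam_profile(SAMPLE))
    print("confidence-based @70:", confidence_based(SAMPLE, 70.0))
```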
• Ability to tailor methods for specific outbreaks, and to retire methods that are no longer needed; and,
Note: DSC is implemented to deliver better protection from the latest spam outbreaks. It does not replace TRU,
Spam Queue, or any other detection method on Email Gateway.
• Messages that have received TrustedSource scores greater than 100 points or less than -100 points;
The individual scores from each DSC module will be visible in the X-header of the message, and in the
message log files.
Updating DSC
The frequency of DSC updates is based on research and evaluation of new spam threats. The updates will
be delivered as ThreatResponse Signatures, which can be delivered as frequently as every twenty minutes.
The delivery method will be the same as for any other ThreatResponse Signature update.
If you have DSC enabled and have configured to allow automatic TRU updates at System | Updates |
Configure Auto Updates, updated DSC files will be installed automatically.
Reporting
The message count stopped by DSC will be included on any report that reports overall spam (Executive
Summary, Domain Executive Summary, Spam Action Summary) or in the totals for any report that shows
messages blocked by SpamProfiler (Overall Spam Summary, Top Spam Lists).
You can also lock the current settings for specific features by navigating to the SpamProfiler - Configure
window. Most features that appear in SpamProfiler have a checkbox that allows you to lock them. If you
select the checkbox next to a feature, the current settings will be maintained, while those for deselected
features will be overwritten.
Special configurations
Some features do not offer the locking option on the SpamProfiler window. Realtime Blackhole Lists,
System Defined Header Analysis and User Defined Header Analysis require their own configuration
methods.
Note: Selecting the locking option on the AutoUpdates window will protect the settings for these features, just as
it does for all the others.
You can configure each zone you add to your RBL as you add it. Checking the Locked checkbox causes the
entry to be protected when new TRUSign updates are added.
For SDHA and UDHA, each filter has its own checkbox by which you can protect the current configuration.
You can select the individual filters from the lists.
About threats
Email Gateway (Secure Mail) provides comprehensive protection for the email gateway, including robust
functionality for a variety of threats. In addition to spam, these threats include:
• Phishing attacks
• Zombies
• Fraud
Email Gateway protects businesses from all manner of email threats. It provides a simple, comprehensive
security solution.
About TrustedSource
McAfee TrustedSource is a global threat correlation engine and intelligence base of global messaging and
communication behavior, including reputation, volume, and trends, including email, web traffic and
malware. TrustedSource ensures the safety and security of all Internet communications from the firewall to
the PDA, sharpening the intelligence gathering and applications.
How it works
When Email Gateway receives a message, it sends the sender information to the TrustedSource database
as a real-time query from SMTPI, the first process to receive each message. SMTPI reads the message and
connection-level metadata and generates confusion-resistant fingerprints, which are sent to
TrustedSource. When TrustedSource receives the data, it evaluates the reputation of the sender and the
fingerprints in real-time to return an overall reputation score for the message to Email Gateway. Unlike
simple blacklists that identify spamming IPs based on human reports of spam or spamtrap information,
TrustedSource automatically analyzes data and develops behavioral real-time sending patterns for
legitimate and malicious sending behaviors by correlating information from millions of sources and
aggregating it into a precise reputation score for each message.
Configuring TrustedSource
You must configure TrustedSource functions on two different Email Gateway screens:
• The TrustedSource – Configure window;
On TrustedSource - Configure
Navigate to the TrustedSource - Configure window to enable TrustedSource and set essential action
options.
Figure 100 TrustedSource - Configure window
On SpamProfiler - Configure
Enabling TrustedSource and setting a Drop action for any risk level will cause the spam messages to be
dropped before they can enter the system. Therefore, they don’t use any Email Gateway processing
bandwidth. Setting other actions based on TrustedSource scores and enabling TrustedSource to contribute
to the Spam Profiler score creates one more source of protection for the messaging network.
Unless a sender’s score reaches a threshold you have configured with a Drop action, SpamProfiler uses
the TrustedSource score as part of the information it accumulates to create its own score. SpamProfiler
takes action if a rule exists and the message meets or exceeds the associated threshold.
The SpamProfiler - Configure window allows you to include TrustedSource’s contribution to the
SpamProfiler score, or exclude it.
TrustedSource is included as a potential contributing feature. To enable the contribution, select the Enable
checkbox. You do not have the option to set a confidence level.
When you have configured the option as you wish, click Submit to record the configuration.
For more information about SpamProfiler configuration, see “Configuring the SpamProfiler” in Chapter 13,
SpamProfiler of this Administration Guide.
TrustedSource whitelisting
Email Gateway provides the capability to whitelist IP addresses from TrustedSource reputation queries. The
details surrounding this capability follow.
TS whitelist rules
• You must be able to add an IP address using the existing whitelisting window and set TrustedSource as
the sub-feature to be whitelisted.
• SMTPProxy reads IP-based rules which have a bypass list value of Anti-Spam/TrustedSource, and uses
them when it performs the TrustedSource lookup.
• You must create a policy including the rules that need to be evaluated. Policy attributes are not evaluated,
so the policy could be global, user based, and so forth. The policy indicates explicitly the rules to be used.
This allows you to create certain rules that might not be used immediately, and helps extend this feature
to VIPs in the future.
• Email Gateway will not use whitelist rules created on filters other than IP addresses, and will ignore the
direction (inbound/outbound) in the whitelist rule.
• Just before it initiates TrustedSource lookup, SMTP proxy will look up the address in memory. If it is
present, it will send TrustedSource a special parameter to communicate that this message should not be
flagged.
• Email Gateway logs the result of TrustedSource lookup, but does not evaluate it for further action.
• Email Gateway continues processing as if the TrustedSource lookup reports the IP address as neutral.
When you have finished entering the required information, click Submit. The rule will be created, and will
appear on the Whitelist - View Rules window (Compliance | Whitelist | View).
Launching TrustedSource
You can navigate directly to the TrustedSource website by clicking the link on the TrustedSource -
Configure window. The link takes you to TrustedSource where you can explore the information provided.
You can also access TrustedSource directly by navigating to www.trustedsource.org.
The TrustedSource site is divided into seven tabs, each of which can be accessed from the opening window.
Note: This section is not intended to provide in-depth information about the TrustedSource website, but to serve
as a brief introduction. The latest information about the site and the features of TrustedSource are amply
provided by the site itself. You are invited to explore there. Information is updated continually. You can launch
the site from Email Gateway as explained above, or browse to www.trustedsource.org.
Anti-Zombie Snapshot
Email Gateway reports its detection of zombies as part of email traffic on the Quick Snapshot window.
Figure 101 Anti-Zombie Quick Snapshot window
The window is divided into two panels, each containing a trend chart. The upper chart tracks today’s
activity, while the lower one presents historical data.
Hourly Trend
The upper graph tracks the Anti-Zombie activities for this Email Gateway for up to 24 hours.
The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative. It tracks the number of messages determined to be from zombie servers.
Message Trend
The lower graph shows historical information for up to 365 days.
The time period actually shown on the historical graph will vary dynamically according to the amount of
data that has been accumulated.
• If the appliance has data for less than a week, the trend data are plotted daily.
• If the data represents from 1 to 12 weeks, the trends are monitored on a weekly basis.
• If the data covers more than 12 weeks, trends are plotted on a monthly basis, for up to one year (365
days).
Anti-Fraud-Phishing Snapshot
Email Gateway reports detection of fraud as part of email traffic on the Quick Snapshot window.
Figure 102 Anti-Fraud-Phishing Quick Snapshot window
The window is divided into four panels, each containing a trend chart. The upper chart tracks today’s
activity, while the second one presents historical data. The bottom two charts report both good messages
and fraudulent ones based on specific protocols used by the senders.
Hourly Trend
The message action chart tracks today’s counts of fraudulent messages of three kinds:
• Failed Header Analysis Checks – messages detected by header analysis filters (forged “From” email
address, forged From domain name, mismatched EHLO domain and “From” domain, and forged routing
domain)
The scale for this graph is divided into two-hour intervals covering the 24-hour period. The information it
contains is cumulative.
Message Trend
The second graph tracks historical data for the same three parameters as the graph above, but the time
period can cover up to 365 days.
The time period actually shown on the historical graph will vary according to the amount of data that has
been accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.
• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis.
• If the data covers more than 12 weeks, trends will be plotted on a monthly basis, for up to one year (365
days).
Connection Control
Connection Control is an Email Gateway feature that dramatically reduces the number of spam messages
that must be processed by the appliance. It does this through two processes:
• ESP Connection Control rejection
• The ESP rule runs every 24 hours and calculates the average ESP score for each IP address for the
past 24 hours. If the IP address has sent more than 10 messages with an average ESP score of 100 points
or higher (beginning with the eleventh such message), the IP address is denied connection to Email
Gateway for a period of four days.
• The LDAP rule causes TrustedSource to detect the defined number of messages within the past 24 hours
from the same IP address that have an LDAP rejection. IP addresses that trigger this rule are added to
the deny list for four days.
Note: If you wish to use LDAP connection control, and the Email Gateway appliance is protected by an Edge
appliance, you must add the Edge appliance to the connection control exclude list.
The rules are defined to eliminate false positives by requiring that the IP address has sent enough
messages and that these messages have a high enough average ESP score to warrant denial. If the total
count of all messages is high enough, but the ESP average is NOT high enough, the IP address will not be
denied. Correspondingly, if the ESP average is high, but the messages count is low, the IP address will not
be denied.
Should a false positive ever occur, it can be corrected by deleting the IP address from the Connection
Control Deny List. Additionally, IP addresses can be “whitelisted” by placing them on the Connection
Control Exclude List.
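The ESP rule and its false-positive safeguard, as an added example that is not McAfee code: the thresholds (more than 10 messages, average ESP score of 100 or higher, four-day denial) are taken from the description above, the sample addresses and records are constructed, and the Exclude List and Cleanup Cycle behaviour follow the sections on those lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters as described above (on the appliance they are delivered
# by TRU packages); treat them as assumed constants for this illustration.
MIN_MESSAGES = 10                  # denial begins with the eleventh message
MIN_AVG_ESP = 100                  # average ESP score required
WINDOW = timedelta(hours=24)
DENY_DURATION = timedelta(days=4)

# Constructed sample addresses (documentation ranges, not real senders)
BURST_IP = "203.0.113.5"      # many messages, all high ESP score -> denied
NOISY_IP = "203.0.113.17"     # many messages, low average -> not denied
SHORT_IP = "203.0.113.23"     # few messages, very high score -> not denied
EXCLUDED_IP = "198.51.100.9"  # would qualify, but is on the Exclude List
STALE_IP = "198.51.100.44"    # qualifying traffic, but older than 24 hours


def constructed_records(now):
    """Build constructed (ip, timestamp, esp_score) tuples."""
    recent = now - timedelta(hours=1)
    old = now - timedelta(hours=30)          # outside the 24-hour window
    records = []
    records += [(BURST_IP, recent, 120)] * 12
    records += [(NOISY_IP, recent, 40)] * 50
    records += [(SHORT_IP, recent, 200)] * 5
    records += [(EXCLUDED_IP, recent, 150)] * 20
    records += [(STALE_IP, old, 180)] * 30
    return records


def evaluate_esp_rule(records, now, exclude_list=frozenset()):
    """Return {ip: deny_until} for addresses that trip the ESP rule.

    Both conditions must hold: the address sent more than MIN_MESSAGES
    messages inside the window AND their average score is >= MIN_AVG_ESP.
    A high count with a low average, or a high average with a low count,
    does not qualify, which is the false-positive safeguard described above.
    """
    window_start = now - WINDOW
    scores = defaultdict(list)
    for ip, ts, score in records:
        if window_start <= ts <= now:
            scores[ip].append(score)

    deny_list = {}
    for ip, seen in scores.items():
        if ip in exclude_list:
            continue        # Connection Control Exclude List exempts it
        count = len(seen)
        average = sum(seen) / count
        if count > MIN_MESSAGES and average >= MIN_AVG_ESP:
            deny_list[ip] = now + DENY_DURATION
    return deny_list


def cleanup_cycle(deny_list, now):
    """Drop entries whose denial period has expired (the Cleanup Cycle)."""
    return {ip: until for ip, until in deny_list.items() if until > now}


def connection_allowed(ip, deny_list, now):
    """Connections are refused only while the address is on the Deny List."""
    return ip not in cleanup_cycle(deny_list, now)


def demo():
    """Run the rule over the constructed records and report the outcome."""
    now = datetime(2009, 1, 1, 12, 0)
    deny_list = evaluate_esp_rule(constructed_records(now), now,
                                  exclude_list={EXCLUDED_IP})
    after_expiry = now + DENY_DURATION + timedelta(seconds=1)
    return {
        "denied": sorted(deny_list),
        "blocked_now": not connection_allowed(BURST_IP, deny_list, now),
        "allowed_after_expiry": connection_allowed(BURST_IP, deny_list,
                                                   after_expiry),
    }


if __name__ == "__main__":
    print(demo())
```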
• Changing the minimum average ESP score required to qualify for Connection Control
Changes to the default configuration can be made by the Email Gateway Threat Response Updates (TRUs).
Special requirements
In order for Connection Control to work, the following conditions MUST be met:
• SpamProfiler must be enabled;
• The Email Gateway utilizing the Connection Control must be the first hop into the network; and,
• Any host (such as a secondary MX) forwarding mail to the Email Gateway appliance, but that should not
be subjected to Connection Control analysis, must be added to the Allow Relay list for the Email Gateway.
Cleanup Cycle
When the denial period expires for a denied IP address, the cleanup cycle will remove that IP address from
the Connection Control Deny List, and connections from that IP address will be accepted again. However,
the IP address will be denied again if the IP address fails any subsequent Connection Control checks.
Exclude List
From time to time, administrators might want to exclude specific IP addresses from Connection Control
processing. This can be accomplished using the Connection Control Exclude List. IP addresses listed on that
window will be exempt from Connection Control scrutiny.
Figure 104 Connection Control Exclude List - Configure window
Adding an IP address
To add an IP address to the exclusion list, complete the information in the data fields at the bottom of the
Connection Control Exclude List window, then click Submit. The window will refresh to add the new IP
address.
Note: The End User Quarantine Configuration window does not use international languages as selected in Email
Gateway. By default, EUQ renders the screens based on the language setting for the browser you are using, not
the Email Gateway locale.
You do NOT need to click Submit before selecting a second or subsequent day in your detailed schedule;
however, if you do, then the next detailed schedule you create will be added to the prior one.
When you have entered the information correctly, click Submit to configure End User Quarantine.
• Internal - Quarantine Release WebAdmin: The ct_euser.log lists the messages released by end users.
To search the log and display a list of messages that users released from the quarantine queues, use the
following command:
If you select a profile by clicking the Name link, the End User Quarantine Pages - Customize window
refreshes to show current information about the page.
3 Click Submit. The window will refresh to display the full customization options.
Caution: Uploaded files and URLs are case-sensitive. The file name in the
CSS must match the actual file name exactly.
Web Customization Assets The lower left portion of the window lists all currently configured assets. Each
asset type is collapsible and can be expanded to show lists.
Mail List Expand this asset type to view all configured assets for the mail list page. Click the name link for
any listed asset to show a preview of the customized page in the lower right section of the window.
Style Sheet Expand this asset type to view all configured assets for the stylesheet. Click the name link to
show the stylesheet.
3 Click Download Default Resource. Depending on your browser, a save window appears.
5 Open the css file, edit it to suit your needs, then save it.
6 Return to the Customize window and, from the Browse field, navigate to your edited css file and select it.
7 Click Submit. Your file will be renamed and then be used by the system.
Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.
Table 125 End User Quarantine User List - Manage fields (continued)
Field Description
Include If the user, domain or group is to be included in the policy (is to receive
notifications based upon this rule), this column will display an X.
Type The user who will receive notifications can be the recipient of the
messages, a sender of messages or both. This column indicates the
configuration for the associated entity.
Quarantine Type This column shows the quarantine type or types for which this user will
receive notifications.
Delete If you need to delete a user from this list, select the checkbox and then
click Submit. Clicking the Delete hyperlink will cause all users to be
deleted.
To add a new user to the User List, click Add New at the bottom of the End User Quarantine User List. The
End User Quarantine Data - Add window will appear.
Figure 111 End User Quarantine Data - Add window
When the information is correct, click Submit. The End User Quarantine User List will update to include the
new user.
Note: The entries in the EUQ User List cannot be edited. User entries can only be deleted and re-entered with
different information (for example, a different queue selection).
To add a new list to the table of mailing lists, complete the information at the bottom of the window
described above. When you click Submit, the new mailing list will be included.
Note: The entries in the EUQ Mailing List cannot be edited. They can only be deleted and re-entered.
An end user can use the link at the top of the release notification to view a list of all of his or her
quarantined messages, then select one or more messages from the quarantine queue and release them for
delivery. Accessing this link shows all messages in the monitored Quarantine Queues for the user, not just
the ones in the associated email.
Note: You can include all Quarantine Queues in their policies. End users can see a list of their messages that are
in the Quarantine Queues except for messages in the Outbound Quarantine Queue, Off Hour Queue, and Failure
Queue.
Both the notification itself and the window that appears when the user wants to view a list of all
quarantined messages contain an indicator that lets the user know if the message has multiple recipients.
You can delete messages using this window by submitting a delete request. If the message has only one
recipient (the user who submitted the request), the message is dropped. If the message has multiple
recipients, the current user is removed from the list.
Note: The hyperlink that displays the list of all quarantined messages might not work with MS Outlook OWA 2003.
This problem exists when signature protection is enabled, with the specific signature #1054 (WEB-MISC weblogic
view source attempt) enabled as well. If the problem occurs, you can resolve it by disabling the signature.
Quarantine duration
An issue related to End User Quarantine and the associated functionality is quarantine duration. The
duration is the number of days a given message will remain in quarantine before it is delivered or deleted
according to the Email Gateway Cleanup Schedule. The quarantine duration is set when rules are applied by
the various features in Email Gateway. At the end of the time set for the specific rule that quarantined the
message, that message can be sent on to the next configured feature or deleted. End User Quarantine
actions must occur within this duration or the message involved will no longer be available.
Note: When you configure a quarantine policy for 0 days, the expiration is tied to the Cleanup Schedule. The
default for Cleanup Schedule is 36 hours. The schedule can be set at Administration | Cleanup Schedule.
• Navigate to a list of all available messages to request the release of one or more messages.
1 From the email notification or the available message list, the user requests that one or more messages
be released.
2 The Email Gateway EUQ process determines whether the user who is making the request is the sender of the
message or an intended recipient. Release requests are processed accordingly.
3 If the requestor is the sender of the message, the EUQ process releases the message from quarantine so
it can proceed through any remaining Email Gateway queues and be delivered. The number of recipients
is irrelevant in this case.
4 The Email Gateway EUQ process must determine whether the message is addressed to one recipient or
multiple recipients.
5 If the quarantined message has only one recipient, the EUQ process releases the message from
quarantine so it can proceed through any remaining Email Gateway queues and be delivered. This process
also applies to the last remaining recipient of a multiple-recipient message.
6 If the message is intended for more than one recipient, the EUQ process will first make a copy of the
message and store it in the database to keep it available to remaining recipients. The message will then
be delivered to the recipient who released the message, and that user will be removed from the list of
recipients for the message.
Note: The remaining users can decide to release the message for themselves, following this same process.
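The release and delete decisions from steps 1 to 6 above, together with the delete behaviour described earlier for single- and multiple-recipient messages, as an added example that is not McAfee code. The message store, the two constructed messages and the response text for a requester who is neither sender nor recipient are assumptions; the two pop-up strings are the ones quoted in this section.

```python
from dataclasses import dataclass

RELEASED = "The message has been successfully released."
GONE = "Message(s) already released or deleted."


@dataclass
class QuarantinedMessage:
    msg_id: str
    sender: str
    recipients: set


class EUQStore:
    """Minimal model of the quarantine database and the release queue."""

    def __init__(self):
        self.quarantine = {}   # msg_id -> QuarantinedMessage still held
        self.released = []     # (msg_id, recipient) handed to the next queue

    def add(self, msg):
        self.quarantine[msg.msg_id] = msg

    def _deliver(self, msg, recipients):
        for rcpt in sorted(recipients):
            self.released.append((msg.msg_id, rcpt))

    def release(self, msg_id, requester):
        msg = self.quarantine.get(msg_id)
        if msg is None:
            return GONE                      # retry after release or delete
        if requester == msg.sender:
            # Step 3: the sender releases it for all recipients at once
            del self.quarantine[msg_id]
            self._deliver(msg, msg.recipients)
            return RELEASED
        if requester not in msg.recipients:
            return "Requester is not a party to this message."  # assumed
        if len(msg.recipients) == 1:
            # Step 5: sole (or last remaining) recipient releases the message
            del self.quarantine[msg_id]
            self._deliver(msg, msg.recipients)
            return RELEASED
        # Step 6: the copy stays for the others; this user leaves the list
        msg.recipients.discard(requester)
        self._deliver(msg, {requester})
        return RELEASED

    def delete(self, msg_id, requester):
        msg = self.quarantine.get(msg_id)
        if msg is None:
            return GONE
        if len(msg.recipients) == 1 and requester in msg.recipients:
            del self.quarantine[msg_id]      # sole recipient: message dropped
            return "dropped"
        msg.recipients.discard(requester)    # several recipients: user removed
        return "recipient removed"

    def remaining_recipients(self, msg_id):
        msg = self.quarantine.get(msg_id)
        return sorted(msg.recipients) if msg else []


def demo():
    """Walk two constructed messages through release and delete requests."""
    store = EUQStore()
    store.add(QuarantinedMessage("m1", "alice@example.com",
                                 {"bob@example.com", "carol@example.com",
                                  "dave@example.com"}))
    store.add(QuarantinedMessage("m2", "alice@example.com",
                                 {"erin@example.com", "frank@example.com"}))
    log = [store.release("m1", "bob@example.com"),    # copy kept for others
           store.delete("m1", "carol@example.com"),   # carol leaves the list
           store.release("m1", "dave@example.com"),   # last recipient
           store.release("m1", "dave@example.com"),   # retry: already gone
           store.release("m2", "alice@example.com")]  # sender releases all
    return log, store.released, sorted(store.quarantine)


if __name__ == "__main__":
    for line in demo():
        print(line)
```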
If the message was still in quarantine and is released by the current user, the pop-up window displays,
“The message has been successfully released.”
Note: If the end-user has installed a pop-up blocker, it can prevent the display of pop-up windows used in End
User Quarantine Release. To avoid blocking Email Gateway pop-ups, disable or override the pop-up blocker.
Under certain circumstances, a message that has been released or deleted by the user can still appear in
the message list after the user has clicked Submit. One possible reason for this is that the release or delete
process is a delayed action, processing a maximum of 100 messages per batch. The selected message
might be waiting for its place in a batch. If the user should retry releasing or deleting the message, the
window will refresh to display a message saying, “Message(s) already released or deleted.” This is simply a
result of the feature’s design, and should not be considered an exception.
Automatic processing
If EUQ Whitelisting is enabled and is configured for automatic whitelisting, the end user can create whitelist
entries without assistance.
Note: Automatic processing is not the recommended method, since it does not allow you to monitor the process
as closely as necessary.
When the user receives a notification and then clicks the main link on the notification email, a complete list
of all quarantined messages for that user displays. Clicking the link opens the message list. This window
includes the provision for requesting a whitelist entry for each message shown.
The user can choose one or more messages to be whitelisted. A rule is then created for the sender or the
recipient (email address or domain), and is applied to the user who is doing the whitelisting.
In the case that two or more users create a whitelist entry for the same value (same sender or recipient),
Email Gateway creates only one rule for that entry, and then applies it to all the users who have requested
it.
Manual processing
If EUQ is enabled and is configured for manual whitelisting, the end users will still submit requests in the
same way as for automatic processing. However, instead of automatically creating whitelist entries, the
requests are submitted to the database and are available on the GUI, providing you the opportunity to
decide how and to whom the whitelist rule should apply. You have the ability to submit both the rule and
the policy. You can apply the rule to the user who created the request, in which case the rule will be
considered user-created; or you can decide to apply the rule differently. This is helpful when you
need to apply the same rule for more than one user. This latter option is considered an
administrator-created rule.
Synchronization
In an environment with more than one Email Gateway appliance, the whitelists must be synchronized.
Rules created in one Email Gateway by a user need to be propagated to all others in the system. Each Email
Gateway must recognize all others from which it can receive entries.
Synchronization action only synchronizes end-user whitelists. Administrator-generated whitelist entries are
synchronized by using the Backup and Restore functionalities in the System program area.
Note: Synchronization adds your end-user whitelist entries to the regular whitelist table on all the synchronized
appliances. The entries are user-created, and will not be visible on the whitelist window. Only
administrator-created whitelist entries display. To find your end-user entries you must search for them.
When a user issues a whitelist request from a notification, the pertinent data is stored in a temporary table
on the Email Gateway where it was generated. At a pre-determined time, all the whitelist entries are
collected and then propagated in batches of 100 to the other Email Gateways in the system. SMTPI on the
recipient Email Gateway receives the request to add the new entry, stores it temporarily, and then moves it
to the primary whitelist location at periodic intervals. At these intervals it also reconfigures the RIP Queue
to recognize the newly added entries.
A retry mechanism is available if propagation fails for any reason.
Note: To ensure uniformity of all whitelists in the system, McAfee strongly recommends that all existing whitelists
be synchronized before enabling this feature. All subsequent synchronization is performed on new user entries
added or deleted. The import and export options in whitelisting can be used to accomplish this requirement.
Scheduled cleanup
A second requirement for maintaining accurate whitelists is the elimination of unused rules. The ct_bypass
table includes a time column that is updated to show the last access time whenever a message qualifies for
a user-created whitelist rule. An automatic cleanup process reviews the table and deletes any entries that
have not been used for a user-defined period of time. The user-created policies that apply these rules are
altered accordingly. If the rule is the only rule in a policy, the policy is deleted as well. If this is not the
case, the rule is deleted and the rule ID is removed from the policy.
RIP Queue creates a list of bypass rules that have been triggered when it processes a message. This list is
the source for access times. The database information is updated at a pre-configured interval
(every 60 minutes).
The automatic cleanup process is enabled or disabled by the administrator.
Usage updates
In multiple-Email Gateway environments, where messages can flow through any appliance, the usage
information for each rule must be propagated to all Email Gateways in the system. This keeps the usage
information for all rules in sync on all the appliances. This update is performed in batches at the end of the
day.
Deletions
End users can request that any rules they have created be deleted, but the deletions have to be performed
by an administrator. You have the capability to search for the rule and to eliminate it; you can search
against rule information or policy information, against user-created rules and policies, or against
administrator-created rules and policies. You can choose the rules and users that should be deleted. The
deletions will be accomplished the next time the cleanup process runs. If the rule is the only rule in a policy,
the policy is deleted as well. If this is not the case, the rule is deleted and the rule ID is removed from the
policy.
You can also delete rules that have been requested but have not yet been applied, in either automatic or
manual processing mode, when viewing them in the GUI. Users can also view their own requests and mark
for deletion any that need not be submitted. The UI will then remove the requests.
When you have completed the configuration information, click Submit to record the configuration.
• Reset – If you want to return the configuration to its previous settings (before you took any action), click
this button then click Submit. The window will reset to the way it appeared after the previous Submit
command.
• Synchronize Now – If your environment includes multiple Email Gateway appliances, this button causes
the user defined policies to be synchronized on all appliances.
When user-defined policies appear on this window, they must also be added to the normal Whitelist
window. User-defined whitelist rules that are moved to the regular Whitelist do not appear there. To see
them, you must search for them.
Email Gateway provides an impressive assortment of anti-spam features and processes that you can
configure to meet the demands of your network. This chapter will explain these features and their
configuration.
Sender ID lookup
Sender ID (SID) is an anti-spoofing tool that compares the envelope sender domain or HELO/EHLO domain
against the client IP address before any message data is transmitted. The goal is to detect email address
forgery – those messages wherein hackers and spammers have forged the From address, using either a
totally fictitious IP or one they have stolen from a legitimate sender. The tool depends upon having domain
owners designate sending email exchanges in DNS, to allow SMTP servers to distinguish legitimate email
from illegitimate mail. While SID is primarily an anti-forgery weapon, you might also benefit from reduced
spam and decreased vulnerability to viruses, worms, and so forth.
SID does not verify individual sender usernames, but only validates the domain name. It does not protect
the header From: address, only the envelope sender address. Each domain is responsible for publishing and
maintaining its own SID records.
SID is an extension to SMTP intended to prevent spammers from forging email domains. It is a counterpart of
the MX list. SID does not force you to declare a domain for the MTA implementation (SID client). It improves
the veracity of the sender address.
Enabling SID Lookup allows Email Gateway to verify the sender domain names against the legitimate
domain lists of IP addresses published voluntarily by domain owners. From its lookup process, SID
determines one of the following responses:
• The sender is good (valid), meaning the IP address is listed in the owner's published IP list; SID Lookup
sends the SID Success Score to be deducted from the total Spam Profile.
• The sender is suspicious, but not clearly bad; SID Lookup sends the SID Softfail score to be added to the
profile score.
• The sender is bad (not on the domain owner's published IP list); SID Lookup sends the SID Failure Score
to be added to the profile score.
• SID encounters an error (syntax, and so forth) or doesn't recognize the domain because the domain
owner has not published IP addresses; SID sends a contribution of zero (0) points to the SpamProfiler.
Bayesian filtering
The Bayesian Engine classifies incoming email messages as ham (good email) or spam using probability
theory. Spam messages can be diverted to a separate queue, and so forth, so as not to interrupt mail flow.
The classification is based on clues from prior messages that you have considered spam or ham.
Email Gateway includes a Bayesian word list, but it can also be trained to identify the categories of email
messages. This is done by showing it a large sample of emails the user considers legitimate and a sample of
emails the user considers spam. Bayesian Filtering analyzes these samples for clues that differentiate them, such
as different words, differences in mail headers, content style, and so forth. The clues are stored as a
Bayesian Dictionary. The system then uses these clues to examine new messages. The Bayesian Engine
contributes to the SpamProfiler profile based on the probability scores that result.
Figure 118 Bayesian - Configure window
This window allows you to enable Bayesian Filtering and to configure the tokenization method and Bayesian
retraining, each of which are discussed in more detail below.
Tokenization
The Bayesian dictionary contains accumulated words derived from tokens generated when the Bayesian
engine processes messages. When the engine finds matches for these tokens in the message body, it
assigns points for the number of occurrences it finds. The total of these points is the Bayesian point for the
message.
Email Gateway supports tokenization using one of three methods:
• Splitting on white spaces;
• Non-overlapping N-GRAM; or
• Overlapping N-GRAM.
Tokenization using white spaces works well for English and most European languages, but not for many
Oriental languages, since they do not use white spaces.
If this type of tokenization is applied to English or European languages, white spaces would count like any
other characters.
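The three tokenization methods and the Bayesian point as an added example, not McAfee code: the N-gram size, the constructed sample texts and the tiny points dictionary are assumptions, and the point calculation follows the description above (points per dictionary token multiplied by the number of occurrences).

```python
import re
from collections import Counter


def tokenize_whitespace(text):
    """Method 1: split on runs of white space (English and most European text)."""
    stripped = text.strip()
    return re.split(r"\s+", stripped) if stripped else []


def tokenize_ngram(text, n=2, overlapping=True):
    """Methods 2 and 3: character N-grams. White space is kept and counts
    like any other character. Overlapping N-grams advance one character at a
    time; non-overlapping N-grams advance n characters (a trailing fragment
    shorter than n is dropped)."""
    step = 1 if overlapping else n
    return [text[i:i + n] for i in range(0, len(text) - n + 1, step)]


def bayesian_point(tokens, dictionary):
    """Sum the dictionary's points for every occurrence of a matching token;
    the total is the message's Bayesian point."""
    counts = Counter(tokens)
    return sum(points * counts[token] for token, points in dictionary.items())


def demo():
    """Compare the methods on constructed English and Japanese samples."""
    english = "free money free"
    japanese = "スパムメール"        # six characters, no white space
    english_dict = {"free": 2, "money": 3}          # constructed points
    japanese_dict = {"スパ": 4, "メー": 1}            # constructed bigrams
    return {
        # white-space splitting works for English ...
        "en_whitespace": tokenize_whitespace(english),
        "en_point": bayesian_point(tokenize_whitespace(english), english_dict),
        # ... but yields a single token for text without spaces
        "ja_whitespace": tokenize_whitespace(japanese),
        "ja_overlapping": tokenize_ngram(japanese, 2, overlapping=True),
        "ja_nonoverlapping": tokenize_ngram(japanese, 2, overlapping=False),
        "ja_point": bayesian_point(tokenize_ngram(japanese, 2), japanese_dict),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```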
• If the Bayesian Point is greater than HBS but less than SBS, the SpamProfiler contribution for Bayesian
Filtering is 0.
The Bayesian Point values will also determine if a message can be used as trainable ham or trainable spam.
Bayesian retraining
To facilitate Bayesian retraining, Email Gateway will retain a rolling 7-day history of Trainable Spam Per
Day (TSPD) and Trainable Ham Per Day (THPD).
The TSPD values will track the number of messages with high SpamProfiler scores that Email Gateway
receives in a day. These messages will have scores that are greater than or equal to (>=) the attribute
bayes_trainable_high and less than or equal to (<=) the attribute bayes_trainable_max. These attributes
are stored in the database, and are not configurable. They can be reset by the TRU package. Messages with
SpamProfiler scores higher than the maximum will not be used for training. The values are rolled nightly
during the Bayesian Retraining session.
The THPD values will track the number of messages with low SpamProfiler scores. These messages will
have scores that are less than or equal to (<=) the attribute bayes_trainable_low but greater than or equal
to (>=) the attribute bayes_trainable_min. Messages with SpamProfiler scores lower than the minimum will
not be used for training. The values are rolled nightly during the Bayesian Retraining session.
2 If the message is not trainable (does not fall within the trainable ham or trainable spam criteria), it is
deleted.
3 If the message is trainable, it is subject to selection according to the ratios explained above. If it is
selected, it will be moved to a new location and saved for retraining. If it is not selected, it will be deleted.
• Current training dictionary - the dictionary that contains all new training data. This dictionary is renewed
every 24 hours.
If messages have been saved for training, the current training dictionary is updated using all the
currently-saved training messages. The saved messages are deleted. Then the number of tokens in the
current training dictionary is counted, and one of three scenarios takes place:
1 If the number of tokens (before pruning) is less than the minimum number of tokens required in the
updated training dictionary for it to be activated (to replace the existing classification dictionary), the
current training dictionary is retained for the next day’s training.
2 If the number of tokens is equal to or exceeds the maximum number of tokens that can exist in a training
dictionary, the updated dictionary will be pruned by deleting all tokens for which the probability of spam
is between Bayesian Ham Confidence (HBS) and Bayesian Spam Confidence (SBS). Then the tokens are
counted again.
• If the number of remaining tokens is less than or equal to the maximum required for activating the
training dictionary, the updated training dictionary will replace the existing classification dictionary,
and a new (empty) training dictionary is created for the next day’s training.
• If the number of tokens is greater than the maximum required for activating the dictionary, the
updated training dictionary is assumed to be polluted and is deleted without replacing the current
classification dictionary. A new training dictionary is created for the next day’s training.
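The trainable spam and ham bands from the Bayesian retraining section and the nightly activation scenarios listed above, as one added example that is not McAfee code. All threshold values (the four bayes_trainable_* attributes, HBS, SBS, the minimum and maximum token counts) are assumed placeholders; the third scenario, a token count between the two limits, is not spelled out above and is assumed here to activate the dictionary unchanged.

```python
# Assumed threshold values for illustration. On the appliance the
# bayes_trainable_* attributes live in the database and are set by TRU packages.
BAYES_TRAINABLE_MIN = 0
BAYES_TRAINABLE_LOW = 20
BAYES_TRAINABLE_HIGH = 80
BAYES_TRAINABLE_MAX = 150
HBS = 0.30                   # Bayesian Ham Confidence (assumed value)
SBS = 0.70                   # Bayesian Spam Confidence (assumed value)
MIN_TOKENS_TO_ACTIVATE = 5   # assumed minimum for activation
MAX_TOKENS = 10              # assumed maximum for a training dictionary
HISTORY_DAYS = 7             # rolling history of TSPD/THPD


def trainable_class(score):
    """Classify a SpamProfiler score as trainable spam, trainable ham or neither."""
    if BAYES_TRAINABLE_HIGH <= score <= BAYES_TRAINABLE_MAX:
        return "spam"
    if BAYES_TRAINABLE_MIN <= score <= BAYES_TRAINABLE_LOW:
        return "ham"
    return None   # above the maximum, below the minimum, or in the middle band


def daily_trainable_counts(scores):
    """TSPD and THPD for one day's scores."""
    classes = [trainable_class(s) for s in scores]
    return classes.count("spam"), classes.count("ham")


def roll_history(history, day_counts):
    """Append today's (TSPD, THPD) and keep only the last HISTORY_DAYS days."""
    return (history + [day_counts])[-HISTORY_DAYS:]


def prune(training):
    """Drop tokens whose spam probability lies strictly between HBS and SBS."""
    return {tok: p for tok, p in training.items() if not (HBS < p < SBS)}


def nightly_retrain(classification, training):
    """Apply the activation scenarios to the updated training dictionary.

    Returns (classification dictionary, training dictionary for tomorrow,
    outcome)."""
    count = len(training)
    if count < MIN_TOKENS_TO_ACTIVATE:
        # Scenario 1: too small to activate; keep it for tomorrow's training
        return classification, training, "retained"
    if count >= MAX_TOKENS:
        # Scenario 2: prune the uncertain tokens, then count again
        pruned = prune(training)
        if len(pruned) <= MAX_TOKENS:
            return pruned, {}, "activated after pruning"
        # Still above the maximum: assumed polluted, deleted without replacing
        return classification, {}, "polluted"
    # Scenario 3 (assumed): between the limits the dictionary activates as is
    return training, {}, "activated"


def demo():
    """Run one constructed day through counting and retraining."""
    scores = [100, 10, 50, 200, 80, 20]             # constructed scores
    history = roll_history([], daily_trainable_counts(scores))
    current = {"meeting": 0.05, "invoice": 0.10}    # constructed dictionary
    # 12 tokens, four of them (i divisible by 3) with an uncertain probability
    updated = {f"tok{i}": (0.9 if i % 3 else 0.5) for i in range(12)}
    new_class, new_train, outcome = nightly_retrain(current, updated)
    return history, outcome, len(new_class), new_train


if __name__ == "__main__":
    print(demo())
```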
Ham retraining
As part of McAfee’s ongoing efforts to improve Bayesian training and effectiveness, Bayesian training is
being enhanced to include training on outbound messages. Bayesian functionality will be trained using all
messages being sent outbound from the enterprise, so long as each message has multiple recipients.
Messages destined to a single recipient will not be used for training.
Email Gateway also allows you to send ham, or legitimate email, to a special email account. This mail will
be used for retraining the Bayesian classifier, similar to the way spam messages have been supplied in the
past.
To configure this feature, type the ham notification address in the data field on the User Spam Reporting -
Configure window.
If a message is sent to the ham address and that message contains an embedded image, or if it has an
image attached, the image will be added to the list of whitelisted images for the specific Email Gateway
Image Spam Classifier.
Note: Image Spam Classifier requires that SuperQueue be manually restarted before it will recognize whitelisted
items.
Email Gateway includes a provision to allow you to enable training on outgoing messages (as ham). The
Bayesian - Configure window includes a checkbox that allows you to enable or disable training. This option
can be used to alleviate overemphasis on spam messages for Bayesian training.
Administrator-released messages
Email Gateway provides the ability to specify messages that will be used for Bayesian training, much as the
way EUQ released messages are used.
To specify messages for training, select the messages on the Quarantine Queue Message List window, then
click the button at the top of the window. Any messages you have selected will be used for Bayesian and
ISC training.
Analyzing headers
Email Gateway employs a range of methods to analyze the content and construction of the RFC821 and 822
headers in messages.
All regex definitions and function definitions are compiled in a separate file. Email Gateway is delivered with
the current version of the file, and the file can be updated as part of McAfee's update system.
Note: You cannot create regular expressions independently, but can contact McAfee Support to request additions.
When the Spam Queue processes messages, it executes the regular expressions by passing the regex
objects, data from the mail part of the message, and the method (search/replace) as arguments for the
spam detection process. If the process finds a match, it records the configured point value. The functions
also execute and the points are totalled. When total points exceed the configured threshold value, the spam
service takes action based on the rules.
The System Defined Header Analysis page is broken into two parts: a list of filters that look for specific
header information, and a table of policies specifying what actions Email Gateway should take when certain
thresholds are reached.
Figure 119 System Defined Header Analysis - Configure window
If you have made changes or added a policy, click Submit. The SDHA window will refresh to reflect the new
configuration data.
SDHA filters
Email Gateway will use any of the filters enabled on this page as it examines each message entering the
Anti-Spam Queue. Each enabled filter must be given an associated numeric weight or point value. The point
values are arbitrary, but they must relate logically to the overall threshold specified for each System
Defined Header Analysis policy. (You can use the point value as a binary value – for example, on or off –
where all filters have the same point value and the overall threshold simply becomes a count of how many
filters detected certain header characteristics. Alternately, you can use varying point values to reflect your
confidence that a particular header characteristic is correctly associated with spam. The overall threshold
then becomes a weighted scale, where a target has to be reached before Email Gateway will act on the
message.)
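The scoring mechanism just described (compiled tests, per-filter points, a policy threshold, and the binary versus weighted use of the points), as an added illustration. It is not McAfee's shipped regex file or SDHA code: the filter set, weights, threshold and the two sample header blocks are all constructed.

```python
"""Header-analysis scoring in the style of SDHA: every enabled filter is a
compiled test (regular expression or function) with a point value; the points
of all matching filters are totalled and the policy acts once the total
exceeds its threshold. Added illustration only: the filter set, weights,
threshold and sample header blocks are constructed, not McAfee's definitions."""

import re
from typing import Callable, Dict, List, Tuple

HeaderTest = Callable[[str], bool]
FilterSet = Dict[str, Tuple[HeaderTest, int]]


def regex_filter(pattern: str) -> HeaderTest:
    """Filter that fires when the pattern matches anywhere in the header block."""
    rx = re.compile(pattern, re.MULTILINE | re.IGNORECASE)
    return lambda headers: rx.search(headers) is not None


def missing_header(name: str) -> HeaderTest:
    """Function-style filter that fires when a header is absent altogether."""
    rx = re.compile(r"^" + re.escape(name) + r":", re.MULTILINE | re.IGNORECASE)
    return lambda headers: rx.search(headers) is None


# Constructed filter set: filter name -> (test, points).
FILTERS: FilterSet = {
    "no_message_id": (missing_header("Message-ID"), 3),
    "bare_ip_in_first_received": (
        regex_filter(r"^Received: from \[?\d{1,3}(?:\.\d{1,3}){3}\]? "), 2),
    "empty_subject": (regex_filter(r"^Subject:[ \t]*\r?$"), 1),
    "undisclosed_recipients": (regex_filter(r"^To:.*undisclosed"), 2),
}


def binary_weights(filters: FilterSet) -> FilterSet:
    """Same filters with every weight set to 1, so the threshold becomes a
    plain count of how many filters fired."""
    return {name: (test, 1) for name, (test, _) in filters.items()}


def score_headers(headers: str, filters: FilterSet = FILTERS) -> Tuple[int, List[str]]:
    """Run every enabled filter and total the points of the ones that fire."""
    total, fired = 0, []
    for name, (test, points) in filters.items():
        if test(headers):
            total += points
            fired.append(name)
    return total, fired


def policy_action(total: int, threshold: int, action: str = "quarantine") -> str:
    """Act only when the total exceeds the policy threshold."""
    return action if total > threshold else "deliver"


# Constructed sample header blocks (RFC 822 headers as received).
SUSPECT = (
    "Received: from 192.0.2.10 (unknown [192.0.2.10])\r\n"
    "\tby mx.example.net with SMTP; Mon, 1 Jun 2009 10:00:00 +0000\r\n"
    "From: promo@example.org\r\n"
    "To: undisclosed-recipients:;\r\n"
    "Subject: \r\n"
)
LEGITIMATE = (
    "Received: from mail.example.org (mail.example.org [198.51.100.5])\r\n"
    "\tby mx.example.net with ESMTPS; Mon, 1 Jun 2009 10:00:00 +0000\r\n"
    "Message-ID: <20090601.1234@example.org>\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: Quarterly report\r\n"
)

if __name__ == "__main__":
    for label, block in (("suspect", SUSPECT), ("legitimate", LEGITIMATE)):
        total, fired = score_headers(block)
        print(label, total, fired, policy_action(total, threshold=5))
```

With the weights above and a threshold of 5, the suspect block scores 8 and is quarantined while the legitimate block scores 0; with binary_weights the same block scores 4, i.e. the number of filters that fired, which is the "count" mode the text describes.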
The table below shows the available SDHA filters.
RFC821 headers
These are the headers that have to do with delivery of the mail over the internet and are the “envelope
headers” and are described in RFC821. This is the data exchanged between sending and receiving servers
as they negotiate how the message is to be delivered.
Since it is less frequently counterfeited, RFC821 information is more reliable than RFC822 data for use in
capturing true spam while allowing legitimate email to be delivered. Email Gateway displays RFC821 header
data everywhere in the Queue Manager program area except in the Message Details window. Email
Gateway whitelists and blacklists are based on the RFC821 header data.
RFC822 headers
These are content headers that describe the content of the message. Content headers can also contain
information that is particular to specific mail delivery systems. This is the data the email program uses
when displaying the email in its interface. The User Spam Reporting table displays the RFC822 header data.
If you have made changes or added new rules or policies, click Submit. The UDHA window will update to
show the new configuration.
Deny lists
Email Gateway displays three separate deny lists. A deny list is a table of IP addresses that represent
sources that are not allowed to send email to the network. The Deny Lists function at the level of Email
Gateway SMTPI Service. Whenever an external source attempts an SMTP connection, Email Gateway looks
in each of these tables to see if the source IP is present. If the IP address is found in any Deny List, Email
Gateway drops the connection, and the email is not accepted. Each of the three Email Gateway Deny Lists
represents different ways the source IP addresses were identified.
Adding a listing
To add a new IP address or subnet to the Local Deny List, complete the information in the data fields at the
bottom of the window. Click Submit to record the addition. The window will update to include your new
listing.
Note: The RBL Drop List grows over time (if RBL is enabled with a Drop action), and its data is not deleted by
Email Gateway Cleanup Schedule (Administration | Cleanup Schedule).
RBL services have been known to black list legitimate domains for a variety of reasons. If expected email
from a domain suddenly stops being received, check that the domain’s IP address has not inadvertently
ended up on this RBL Drop List. If so, select its Delete checkbox and delete it from the table. Consider
placing that IP address on Email Gateway whitelist so that future instances of an incorrect RBL blacklisting
do not occur. Because the RBL Drop List is not automatically updated, the resulting build-up of black list
entries can affect Email Gateway performance. After the RBL Drop List grows over time, it is a good idea to
remove entries and start with an empty list and rebuild it (if RBL is enabled as an anti-spam tool and its
action is configured to “Drop”). This also helps to avoid the black listing of legitimate domains.
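The connection-time lookup across the three deny lists, together with a helper for the RBL Drop List review recommended above, as an added illustration (not Email Gateway code). The list entries, the dates and the name of the third list are constructed placeholders.

```python
"""Deny-list lookup at SMTP connection time, plus a review helper for the
RBL Drop List build-up described in the guide. Added illustration, not Email
Gateway code: list contents, dates and the third list's name are constructed."""

import ipaddress
from datetime import date
from typing import Dict, Iterable, List, Optional


def compile_entries(entries: Iterable[str]) -> list:
    """Accept single addresses ('192.0.2.7') and subnets ('203.0.113.0/24');
    strict=False tolerates host bits set in a subnet entry."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


# Constructed RBL Drop List: IP -> date the RBL "Drop" action added it.
RBL_DROP_LIST: Dict[str, date] = {
    "192.0.2.55": date(2009, 1, 10),
    "192.0.2.99": date(2009, 5, 1),
}

# The three deny lists; the third name is a placeholder, not the product's.
DENY_LISTS = {
    "Local Deny List": compile_entries(["203.0.113.0/24", "198.51.100.77"]),
    "RBL Drop List": compile_entries(RBL_DROP_LIST),
    "Third Deny List (placeholder)": compile_entries([]),
}


def deny_list_hit(source_ip: str, deny_lists=DENY_LISTS) -> Optional[str]:
    """Name of the first deny list containing the connecting IP, else None."""
    addr = ipaddress.ip_address(source_ip)
    for name, networks in deny_lists.items():
        if any(addr in net for net in networks):
            return name
    return None


def smtp_connection_decision(source_ip: str, deny_lists=DENY_LISTS) -> str:
    """SMTPI-style decision: drop the connection on any deny-list hit."""
    hit = deny_list_hit(source_ip, deny_lists)
    return f"drop ({hit})" if hit else "accept"


def stale_rbl_entries(entries: Dict[str, date], today: date,
                      max_age_days: int = 90) -> List[str]:
    """Entries older than max_age_days: candidates for deletion so the RBL
    Drop List neither grows without bound nor keeps a now-clean sender."""
    return sorted(ip for ip, added in entries.items()
                  if (today - added).days > max_age_days)


if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.55", "192.0.2.56"):
        print(ip, smtp_connection_decision(ip))
    print("stale:", stale_rbl_entries(RBL_DROP_LIST, date(2009, 6, 1)))
```

Recording the date an RBL hit was added is what makes the periodic clean-up the text recommends possible; without it the only option is the wholesale "start with an empty list" described above.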
Reverse DNS
While a normal DNS lookup is used to resolve a host name to an IP address, a reverse DNS lookup is used
to resolve a message sender’s IP address to a valid host name.
Normal DNS: thispc.thisdomain.com = 10.20.1.210
If a reverse DNS entry is not present in DNS, it might indicate that the sender is a spammer.
Email Gateway only queries the DNS server for the presence of a reverse DNS entry. It does not resolve the
IP address to the host name. If Email Gateway is behind some versions of proxy-type firewalls, reverse
DNS will not function correctly. The firewall will present its IP address to the DNS server instead of the
address of the sending host.
Due caution should be used when enabling Email Gateway Reverse DNS lookup. While reverse DNS used to
be effective at detecting spammers, domains are increasingly incorrectly or intentionally not configuring
their servers for reverse DNS. Therefore, reverse DNS queries might incorrectly consider legitimate email
as spam. You might be advised to set the Reverse DNS action to Log or Quarantine instead of Drop or
Subject Rewrite. After monitoring the results of reverse DNS queries, you can decide not to implement this
tool, unless confidence-based spam detection and blocking is being implemented.
Ordinarily, SpamProfiler should be placed in the first position, as its spam-detection capability is more
reliable than any other spam tool on its own. However, if SpamProfiler is placed in a later position, then its
action(s) will not be enforced unless all prior spam-blocking tools have declined to act on the message.
Bear in mind that unless SpamProfiler is enabled, messages will not necessarily be evaluated by all of the
Email Gateway spam-blocking tools. Once a spam tool determines that a message is spam, no other tools
evaluate it.
Figure 125 Anti-Spam Feature Order - Configure window
All of the spam-blocking tools processed within the Anti-Spam Queue are identified on this page. For each
enabled tool, a pick list allows the selection of an order. Selecting Remove instructs Email Gateway to not
examine messages with that tool. Functionally, selecting Remove is the same as disabling the tool from
within its own configuration page.
You can reset the processing order of the anti-spam processes using this window. Choose the position for
each tool from its associated Order drop-down list. You can also select Remove if you don’t want to use a
particular spam-blocking tool. When you have the order as you want it, click Submit.
Duplicate positions are not allowed. If you change the positions of any spam tools, you must ensure that
only one tool is set to occupy each position.
The window will refresh to show your revised order.
The User Spam Reporting page reports the RFC822 header data. This information, from the User Spam
Reporting table, can be used to create additional rules for blocking this same type of spam in the future
without preventing the delivery of legitimate email.
If User Spam Reporting is configured to automatically generate a policy, that policy will be identified as
system-generated. System-generated policies cannot be deleted until all the individual rules used by that
policy are deleted.
Figure 126 User Spam Reporting - Configure window
Spam Traps
Email Gateway Spam Traps function similarly to End User Spam Reporting. The difference is that you will
type honey pot email addresses in the Spam Notification Address input field. That is, you can create
fictitious email addresses for a domain that Email Gateway hosts, and submit these addresses to web sites
and newsgroups where there is a high probability they will be acquired by spammers (the username of the
address must not be used by any internal mail server). Spammers will begin sending their junk email and
pornography to these addresses — addresses that Email Gateway will monitor. Email Gateway will populate
the spam table with those messages, and rules can be created for them.
Figure 127 Spam Traps - Configure window
When you have made changes or added new zones or policies, click Submit to record your changes. The
window will update to reflect the new configuration.
• Received headers;
• The hop count from which the TrustedSource query should originate.
The essential rules for setting hop counts are as follows:
• If you specify all three of the parameters above (connecting IP, received header and header position), all
three conditions must be met, or the specified hop count will not apply. The default hop count will be used.
• If you specify connecting IP alone, the hop count will apply for all traffic from that IP.
• If you set the header string and header position (which must always be specified together), the hop count
will be set for that combination.
• Connecting IP only – set the hop count for the specified IP; or,
• Header string and header position - set the hop count for matches on the header string and position, for
all IPs. The received header is checked to see if the header string occurs in the specified header position.
• You cannot specify a header string with a position of 0, which implies the header string is NULL (matching
is done for the connecting IP only).
The actual processing using dynamic hop count occurs in smtpproxy, where the TrustedSource lookup
happens.
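The hop-count matching rules above, applied to a message's Received headers, as an added illustration; this is not the smtpproxy code. The rule table and the headers are constructed, and two conventions are assumptions of this example: header position 1 is the topmost (most recently added) Received header, and hop 1 is the connecting IP itself while hop n is the bracketed IP in Received header n-1.

```python
"""Dynamic hop-count selection for the TrustedSource query, following the
matching rules in the guide. Added illustration, not the smtpproxy code.
Assumptions: header position 1 = topmost Received header; hop 1 = the
connecting IP, hop n = the bracketed IP in Received header n-1."""

import re
from typing import List, Optional, Tuple

DEFAULT_HOP_COUNT = 1   # assumption: query TrustedSource about the connecting IP

# Constructed rule table: (connecting IP or None, header string or None,
# header position (0 = none), hop count). A header string always needs a
# position of 1 or more.
Rule = Tuple[Optional[str], Optional[str], int, int]
RULES: List[Rule] = [
    ("192.0.2.10", "relay.partner.example", 1, 2),   # all three must match
    ("198.51.100.5", None, 0, 3),                   # connecting IP only
    (None, "gw.internal.example", 1, 2),            # header string + position, any IP
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_count_for(connecting_ip: str, received: List[str],
                  rules: List[Rule] = RULES) -> int:
    """First rule whose every specified condition holds wins; else default."""
    for ip, header_string, position, hops in rules:
        if ip is not None and ip != connecting_ip:
            continue
        if header_string is not None:
            if position < 1 or position > len(received):
                continue   # position 0 is not allowed with a header string
            if header_string not in received[position - 1]:
                continue
        return hops
    return DEFAULT_HOP_COUNT


def trustedsource_query_ip(connecting_ip: str, received: List[str],
                           rules: List[Rule] = RULES) -> Optional[str]:
    """IP the TrustedSource lookup should be made for at the chosen hop."""
    hops = hop_count_for(connecting_ip, received, rules)
    if hops <= 1:
        return connecting_ip
    index = hops - 2
    if index >= len(received):
        return None   # the message has fewer hops than the rule asks for
    match = BRACKETED_IP.search(received[index])
    return match.group(1) if match else None


# Constructed Received headers, topmost (most recent) first.
RECEIVED = [
    "from gw.internal.example (gw.internal.example [10.0.0.4]) by relay.partner.example",
    "from laptop (unknown [203.0.113.8]) by gw.internal.example",
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "192.0.2.77"):
        print(ip, "->", hop_count_for(ip, RECEIVED), trustedsource_query_ip(ip, RECEIVED))
```

Note the failure case: when a rule asks for a hop deeper than the headers actually present, the function returns None rather than silently falling back to the connecting IP, so the caller can decide (log, or use the default) instead of rating the wrong host.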
Multiple blacklists
Multiple RBL servers are allowed. Email Gateway accounts for each one separately, submitting all the IPs
from the messages to each blacklist in succession. Each RBL is assigned its own confidence level, and can
contribute to the Spam Profile. Different RBLs might have different confidence levels and can be configured
for different actions for each threshold.
Note: Up to ten (10) RBL servers can be configured, but McAfee recommends that no more than two (2) be
enabled to assure maximum performance levels.
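How several RBLs are consulted in succession, each with its own confidence level and enabled flag, and how their hits combine into a confidence that a threshold table maps to an action, as an added illustration (not Email Gateway code). The RBL zones, confidence values and the table standing in for DNS answers are constructed.

```python
"""Querying several RBLs in succession, each with its own confidence level
and enabled flag, and folding the hits into a spam-profile confidence.
Added illustration, not Email Gateway code: the zones, confidences and the
table standing in for DNS answers are constructed."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed RBL configuration: zone -> (confidence contribution, enabled).
RBLS: Dict[str, Tuple[int, bool]] = {
    "rbl-one.example": (60, True),
    "rbl-two.example": (50, True),
    "rbl-three.example": (30, False),   # configured but disabled for performance
}

# Constructed stand-in for DNS: listed query names -> A record returned.
LISTED: Dict[str, str] = {
    "10.2.0.192.rbl-one.example": "127.0.0.2",
    "10.2.0.192.rbl-two.example": "127.0.0.2",
    "8.113.0.203.rbl-two.example": "127.0.0.2",
    "8.113.0.203.rbl-three.example": "127.0.0.2",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: octets reversed under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, answers: Dict[str, str] = LISTED) -> bool:
    """One lookup; a real implementation issues a DNS A query here."""
    return dnsbl_query_name(ip, zone) in answers


def rbl_profile(message_ips: List[str], rbls=RBLS,
                answers=LISTED) -> Tuple[int, List[Tuple[str, str]]]:
    """Submit every IP from the message to each enabled RBL in turn. Each
    RBL contributes its confidence at most once; the total is capped at 100."""
    confidence, hits = 0, []
    for zone, (weight, enabled) in rbls.items():
        if not enabled:
            continue
        for ip in message_ips:
            if is_listed(ip, zone, answers):
                confidence += weight
                hits.append((ip, zone))
                break
    return min(confidence, 100), hits


def rbl_action(confidence: int,
               thresholds=((80, "drop"), (50, "quarantine"), (1, "log"))) -> str:
    """Map the combined confidence to the highest threshold it reaches."""
    for floor, action in thresholds:
        if confidence >= floor:
            return action
    return "deliver"


if __name__ == "__main__":
    for ips in (["192.0.2.10"], ["203.0.113.8"], ["198.51.100.1"]):
        conf, hits = rbl_profile(ips)
        print(ips, conf, hits, rbl_action(conf))
```

The disabled third list is never queried, which is the performance point of the note above: every enabled RBL costs one DNS round trip per IP per message until a hit is found.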
• One or more Selectors, each of which is assigned one of potentially multiple public keys.
Selectors act as subdivisions of the domain. They can be used to define sub-domains, such as office
locations, divisions, departments or groups; they can define permission durations, such as a month and
year; or they can define individual users, if so desired.
Configuring DKIM
DKIM functionality is defined and enabled on the Domain Keys Identified Mail (DKIM) - Manage window.
Table 150 Domain Keys Identified Mail (DKIM) - Manage fields (continued)
Field – Description
Body – Click the radio button to select the verification setting for the message body. Options are:
• Simple – DKIM will tolerate almost no modification.
• relaxed – DKIM will tolerate common modifications, such as whitespace replacement.
Domain – This column will display the domains for which DKIM functionality has been configured.
Selector – The names of configured selectors appear in this column. Each selector name appears only once.
Primary Key – The link in this column allows you to export the primary key associated with this DKIM
combination to a location where it can be stored as a backup.
Public Key – The link in this column allows you to export the public key assigned to this selector. This key
is exported to customer DNS records as part of the data returned by the recipient’s DNS lookup, in order to
allow communication using DKIM encryption.
Delete – Selecting the checkbox and subsequently clicking Submit will cause the DKIM combination to be
deleted. The Delete hyperlink at the top of the column will delete all combinations.
Commands – The fields at the bottom of the window allow you to import a stored DKIM key or generate a
new key combination.
If you click the Import radio button, the following fields are enabled:
• Domain – select the domain associated with the key you want to import from the drop-down list;
• Selector – type the name of the selector associated with the domain;
• Primary key file – if you choose, you can browse to the location where the key is stored.
If you click the Generate radio button, you will see only the Domain and Selector fields.
When you have entered the configuration parameters, click Submit at the bottom of the window. The
imported or newly generated key information will be added to the signing settings.
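Two of the DKIM mechanics behind the Selector, Public Key and Body settings, as an added illustration (not Email Gateway code): the DNS name under which a selector's public key is published, and the difference between simple and relaxed body canonicalization (RFC 6376), which is what decides whether whitespace changes in transit break the body hash. The selector, domain and message bodies are constructed.

```python
"""DKIM pieces behind the Body setting and the Selector/Public Key columns:
where a selector's key is published, and how 'simple' versus 'relaxed'
body canonicalization (RFC 6376) decides whether whitespace changes in
transit break the body hash. Added illustration, not Email Gateway code;
the selector, domain and message bodies are constructed."""

import base64
import hashlib
import re


def dkim_dns_name(selector: str, domain: str) -> str:
    """TXT record name at which the selector's public key is published."""
    return f"{selector}._domainkey.{domain}"


def canon_body_simple(body: bytes) -> bytes:
    """'simple': drop empty lines at the end of the body; an empty body
    canonicalizes to a single CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': strip trailing whitespace on each line, collapse runs of
    whitespace to one space, then drop empty lines at the end of the body."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+$", b"", line)
        line = re.sub(rb"[ \t]+", b" ", line)
        lines.append(line)
    out = b"\r\n".join(lines)
    while out.endswith(b"\r\n\r\n"):
        out = out[:-2]
    if out and not out.endswith(b"\r\n"):
        out += b"\r\n"
    return out


def body_hash(body: bytes, canonicalization: str = "relaxed") -> str:
    """The bh= value a signer computes (SHA-256, base64) for the chosen mode."""
    canon = canonicalization.lower()   # the window shows 'Simple'; the tag value is lowercase
    if canon == "relaxed":
        data = canon_body_relaxed(body)
    elif canon == "simple":
        data = canon_body_simple(body)
    else:
        raise ValueError(f"unknown canonicalization {canonicalization!r}")
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


# Constructed bodies: the second is the first after a relay re-wrapped spaces
# and appended a blank line, the kind of change 'relaxed' is meant to tolerate.
ORIGINAL = b"Hello  world\r\nregards\r\n"
REWRITTEN = b"Hello world \r\nregards\r\n\r\n"

if __name__ == "__main__":
    print(dkim_dns_name("jan2009", "example.com"))
    for mode in ("simple", "relaxed"):
        print(mode, body_hash(ORIGINAL, mode) == body_hash(REWRITTEN, mode))
```

With "Simple" selected, the rewritten body no longer matches the signed hash and verification fails; with "relaxed" it still matches, which is the trade-off the Body field asks you to make.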
Backscatter protection
When hackers create spam or phishing messages using forged (spoofed) source addresses belonging to a
company’s domain, that company can experience denial of service attacks under certain conditions. Where
the fraudulent email's recipient address doesn’t exist, the spoofed company can be flooded with email
bounces. In the worst cases, a mail loop occurs when the message is bounced to a non-existent sender
address.
Bounced Address Tag Validation (BATV) is a method for determining whether the return address specified
in a bounced email is valid. The goal is to reject bounced messages to forged return addresses.
The BATV feature in Email Gateway is DSN Bounce Verification Protection. The feature allows you to
configure a text key that is included in all recipient addresses supported by Email Gateway appliances.
The following conditions apply:
• DSN Bounce Verification will not work if Email Gateway or a BATV-compatible device with matching
Address Tagging key is not used for outbound mail delivery.
• If there are multiple Email Gateways on site, they must share the same hash code.
• Recipients of outgoing messages will not be able to see the header code.
• You should allow a delay time to allow the DSNs to filter through your system.
When the configuration options have been properly set, click Submit.
Tip: When you first enable BATV, set your action to Log verification failure and leave it configured like that until
the DSN expiration days have passed. Also, if you change the Address Tagging Key, you should set the action to
Log verification failure until the DSN expiration days have passed. Then you can change the action back to Log
and block verification failure.
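The tagging and verification cycle behind DSN Bounce Verification, in the prvs address layout of the BATV draft, as an added illustration. This is not the Email Gateway implementation: the shared key is constructed, and the exact HMAC input and the use of SHA-256 are this example's choices, not the product's. It also shows why the Tip above matters: after the expiration window, or after a key change, old tags stop verifying.

```python
"""Bounce Address Tag Validation in the prvs layout from the BATV draft:
outbound return addresses get a key-version digit, a three-digit expiry day
and a six-hex-digit HMAC tag; a bounce is accepted only if the tag verifies
and has not expired. Added illustration, not the Email Gateway DSN Bounce
Verification code: the key is constructed, and the HMAC input and SHA-256
choice are this example's, not the product's."""

import hashlib
import hmac
from datetime import date, timedelta
from typing import Tuple

KEY_VERSION = "0"
ADDRESS_TAGGING_KEY = b"constructed-shared-secret"   # identical on every gateway on site
DSN_EXPIRATION_DAYS = 7
EPOCH = date(1970, 1, 1)


def _day_number(d: date) -> int:
    """Days since 1970-01-01 modulo 1000: the three-digit DDD field."""
    return (d - EPOCH).days % 1000


def _tag(key: bytes, key_version: str, day: int, original: str) -> str:
    """Six hex characters of an HMAC over version, expiry day and address."""
    msg = f"{key_version}{day:03d}{original}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_return_address(original: str, today: date, key: bytes = ADDRESS_TAGGING_KEY,
                       key_version: str = KEY_VERSION) -> str:
    """Rewrite user@domain to prvs=KDDDSSSSSS=user@domain for outbound mail."""
    expiry = _day_number(today + timedelta(days=DSN_EXPIRATION_DAYS))
    sig = _tag(key, key_version, expiry, original)
    return f"prvs={key_version}{expiry:03d}{sig}={original}"


def verify_bounce_recipient(address: str, today: date,
                            key: bytes = ADDRESS_TAGGING_KEY) -> Tuple[bool, str]:
    """Decide whether a DSN addressed to `address` can be a reply to mail we sent."""
    if not address.startswith("prvs="):
        return False, "untagged"          # we never sent with this return address
    parts = address.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return False, "malformed"
    tag, original = parts[1], parts[2]
    key_version, expiry, sig = tag[0], int(tag[1:4]), tag[4:]
    if not hmac.compare_digest(sig, _tag(key, key_version, expiry, original)):
        return False, "bad signature"     # forged, or a gateway using a different key
    if (expiry - _day_number(today)) % 1000 > DSN_EXPIRATION_DAYS:
        return False, "expired"
    return True, "valid"


if __name__ == "__main__":
    sent = date(2009, 6, 1)
    tagged = tag_return_address("alice@example.com", sent)
    print(tagged)
    print(verify_bounce_recipient(tagged, sent))
    print(verify_bounce_recipient(tagged, sent + timedelta(days=DSN_EXPIRATION_DAYS + 1)))
```

The "bad signature" branch is the same one a second gateway with a non-matching key would take, which is why the text requires all appliances on site to share the key, and the "expired" branch is why an action of "Log verification failure" is the safe setting for the first DSN-expiration window after enabling the feature or rotating the key.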
Anti-Virus
Anti-Virus snapshot
The first window that appears when you navigate to the Anti-Virus tab is the Quick Snapshot for Zero Day
Protection. This overview page presents both historical and current-day information about messages that
have been processed.
The window displays both summary and detailed versions of the reports.
Summary snapshot
The summary reports provide an easy glance at overall processing by the Zero Day Protection features. The
summaries appear in two panels.
The upper portion of the summary report shows historical data that distinguishes among three types of
message actions:
• Good message actions
• Non-signature blocked message – those messages that were blocked by content compliance, attachment
compliance, connection control, LDAP rejection, and so forth.
The historical trend data allows you to detect changes over time. The time period covered by the historical
graphs will vary according to the amount of data that has been accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.
• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis. The dates
displayed will represent the beginning date (Sunday) for each week.
• If the data covers more than 12 weeks, the trends will continue to be plotted on a weekly basis,
showing the most recent 12 weeks.
The lower portion of the summary report contains a pie chart and summary table with numbers and
percentages that present the same kind of information, but for only the current day.
Note: The information in today’s current snapshots (summary or detailed) might not be completely up to date. A
lag time of approximately 15 minutes is required to populate the charts and tables with the most current
information.
Detailed snapshot
The Detailed tab on the Quick Snapshot window presents the detailed reports. The graphs and tables
correlate to the ones in the Summary reports, but the information is broken down into more granular
segments, allowing a more specific tracking of individual features.
The upper panel of the window shows more detailed data about actions taken by Zero Day Protection,
breaking down the non-signature blocked message actions into individual components. The detailed report
tracks the following:
• Good message actions
The lower pie chart and table present the current day’s information about the same kinds of actions and
processes.
Of the protection sources displayed on the Zero Day Protection Setting window, only the Signature Engines
can be configured in the Anti-Virus area of Email Gateway. TrustedSource and Connection Control appear in
the Anti-Spam program area, while Attachment Blocking and Keyword Blocking are part of the Compliance
functionality. More information about these features can be found in the Compliance and Anti-Spam
Sections of this Administration Guide.
For each licensed Anti-Virus engine, the Current Anti-Virus Information window presents the following
information:
Much of the information included on this window is also shown in different format on the Zero Day
Protection window. The specific library or virus ID data and the version dates for each are unique to this
window.
Signature engines
Email Gateway currently supports up to three signature engines. Each engine requires a separate license.
The Signature Engines window permits you to configure the processing order and general behavior of each
licensed engine.
Figure 135 Signature Engines - Configure window
The Signature Engines window as it first appears presents the following information:
When you have set the configuration as required, click Submit to record your changes.
Identical screens are available for Sweep Errors and Password Protected messages. When you have set the
configuration as desired, click Submit.
Note: Sweep Error Message and Password Protected Message types have their own bypass extension lists.
Adding an extension
You can add an extension by entering it in the New Extension Name field and clicking Submit. The new
extension will be added to the specific list.
If you click any of the links in the Name column, the window will expand to provide details about that
particular update.
Field – Description
Automatically Upgrade Anti-Virus Software – Select the checkbox to enable automatic signature updates.
Automatic Check Interval (minutes) – Type a number in this field to represent the frequency in minutes to
determine how often Email Gateway will check the update server for new signature updates.
View Log – Clicking this button will display the current log entries for the automatic update process.
When you have entered the information correctly, click Submit. Email Gateway will check for updates automatically,
and upgrade your protection according to your configured schedule.
Tip: Automatic updating is generally the preferred method for ensuring the signature engines are kept in the most
current state.
Encryption
About Encryption
Current protocols governing email dictate that all messages transmitted over the internet be sent in plain
ASCII text characters. The problem caused by this requirement is that anyone with the right tools can read
a message sent by anyone else. The tools, such as TCP or packet sniffers, can be freely downloaded from
the internet. The tools not only allow hackers to read anyone's email, but also allow them to intercept and
alter the messages before they are delivered to the recipient. The easiest and most popular way for
enterprises to secure their email is by using Digital Certificates.
These certificates allow two essential strategies for message encryption: client to client and server to server
encryption.
In client-to-client encryption, Security Certificates are installed on individual workstations. The dominant
benefit of this method is that the message is encrypted before it leaves the originator's computer and
remains encrypted until it is received (protection from end to end).
Server-to-server encryption, on the other hand, requires Security Certificates be installed on the mail
servers. Messages are protected only from server to server, not from the client to the server. The Email
Gateway strategy provides the benefits of server-to-server encryption without permitting its drawbacks.
Available reports
The Quick Snapshots are intended to provide an easily understood overview of processes and actions within
the Encryption program area. The reports are provided separately for received and delivered email traffic.
Both sets of reports provide historical information and the current day’s actions.
The Encryption Quick Snapshot can be toggled between incoming and outgoing data by clicking the
appropriate tab at the top of the window. Both views report message trends and message actions for their
respective traffic directions.
The upper panel of the window shows historical data regarding Encryption action over time.
The graph tracks the following types of incoming messages:
• Clear (unencrypted) connection count
The historical trend data allows you to detect changes over time. The time period covered by the historical
graphs will vary according to the amount of data accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.
• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis. The dates
displayed will represent the beginning date (Sunday) for each week.
• If the data covers more than 12 weeks, the trends will continue to be plotted on a weekly basis,
showing the most recent 12 weeks.
Note: Email Gateway keeps track of messages it processes; however, the Stage Server can normally send
messages out without having them pass through the Email Gateway. Inbound messages destined for the Stage
Server and secure replies coming from it will increment the totals in the Encryption Quick Snapshot, but apparent
discrepancies in message totals might occur since outbound traffic does not pass through Email Gateway.
The lower panel contains a pie chart that shows actions in the Encryption program area since midnight. This
graph tracks the same as the trend report, limited to the present day.
• Server-side S/MIME, one of two major secure key exchange standards, is used primarily to support legacy
encryption systems.
• Server-side PGP, the other major secure key exchange standard, is also used mainly to support legacy
encryption systems.
• Secure Web Delivery (SWD) is used when a message must be delivered securely, but no secure
connection can be established with the recipient server. This method emails the recipient that they have
a message waiting in a secure, web-based mailbox. The notification provides a URL link to the secure web
page where the message can be retrieved.
Note: At present, Email Gateway will continue to check the SSL capability of the receiving server to receive a
secure message before falling back to Secure Web Delivery, even if SSL is disabled. This additional check is only
seen in the SMTPO log file, and does not affect expected behavior.
Additionally, when encryption is performed at the gateway, Secure Delivery allows you to use Email
Gateway Compliance features to make decisions about encryption of messages, based on keywords or
header information. Secure Delivery will attempt to deliver the message securely using any of the available
methods as configured by the administrator, with Secure Web Delivery as the final method. Email Gateway
can be configured to “fall back” to SWD.
Secure Web Delivery consists of two major components. There must be:
1 A host appliance providing the ability to configure SWD, produce reports, allow searches, and so forth.
This can be a regular Email Gateway appliance with SWD functionality enabled (the Secure Web Delivery
Redirector).
2 A server to receive and hold messages and to allow properly authenticated recipients to receive their
messages (the Secure Web Delivery Server).
Email Gateway can be configured to deliver the original message securely to the Secure Web Delivery
Server. SWD will create a new email to the original recipient that contains a hyperlink to Secure Web
Delivery. The original recipient is invited to click here to read the message waiting for them. When the
recipient opens a browser to retrieve the message, a Security Certificate installed on the Secure Web
Delivery appliance forces an HTTPS session, ensuring that the message is read in an encrypted session.
There are two ways of enabling the policies for a message's delivery using Secure Web Delivery:
1 If one of the Email Gateway Envelope Analysis policies requires Secure Delivery as a policy action, Email
Gateway will use Secure Web Delivery as the fall back option. When Secure Delivery is the designated
action, Email Gateway will attempt to deliver the message in the following order of encryption methods:
S/MIME, PGP, and TLS. If it is unsuccessful delivering the message using these methods, Email Gateway
will fall back to Secure Web Delivery.
2 Users and domains appearing in the Secure Web Delivery User List will always receive messages via
HTTPS. Before the Email Gateway SMTPO Service delivers any message off the appliance, it will look for
the address/domain in its User List. If the address or domain exists on the list, the SMTPO Service will
redirect the message to the Secure Web Delivery Server, which will then generate a new email indicating
that a message is waiting to be read securely. The email contains a URL pointing back to the original
message now stored on the Secure Web Delivery Server.
Note: SWD will not work on any Email Gateway that has High Performance enabled. A MIME error exception will
be generated in SMTPO for any message scheduled for SWD.
Secure Web Delivery is a licensable feature. If a Secure Web Delivery license is installed after Email
Gateway initial installation, you must log out of the Web Administration user interface and log back in again
before the Secure Web Delivery feature is displayed.
When Secure Web Delivery is hosted on a Secure Web Delivery Server (separate from the Email Gateway
appliance), it must be configured on both the Email Gateway and the Secure Web Delivery Server.
Secure Web Delivery requires that messages have a valid MIME. For messages that the Email Gateway
RIPQ is unable to parse (“rip” the message into its constituent MIME parts) successfully, the Secure Web
Delivery option is not available. When the SMTPO process checks for the availability of Secure Web
Delivery, it also checks for the validity of the message for MIME.
Recipients of messages delivered via Secure Web Delivery have the ability to send secure replies or
acknowledgements for those received messages. Email Gateway supports secure replies only to the original
senders over SSL. You can edit the subject of the message and configure the relay target. It is also possible
to include attachments with the reply. See Configure Secure Web Delivery for configuration details.
Note: This Email Gateway IP address must be added to the Allow Relay list on the Stage Server, and the server
must be included on the Allow Relay list on Email Gateway.
Certificate management
Email Gateway protects messages in transit through the use of two types of methods:
• Creating encrypted channels of communication (SSL)
When Email Gateway is first installed, it is delivered with a self-signed Security Certificate which is
adequate for encrypting the Web Administration sessions for administrators managing their Email
Gateways. This self-signed certificate can also encrypt SMTP messaging, though sending servers can refuse
to deliver their email to a server whose certificate cannot be authenticated. Therefore, Email Gateway
enables administrators to create and install certificates signed by a certificate authority. This Certificate
Manager program area provides the ability to create a Certificate Signing Request, as well as to install,
back up and restore one or more Security Certificates.
Certificates
Email Gateway provides an interface for requesting and installing a Security Certificate from a Certificate
Authority. When a certificate is installed on the Email Gateway appliance, it is not necessary to install
additional certificates on internal servers, unless you want to protect the connection between Email
Gateway and the internal servers and provide security for internal users sending or retrieving messages
directly to or from the server. Email Gateway requires the installation of a Security Certificate so that
administrative sessions with it via the Web Administration browser interface can be conducted securely.
Email Gateway supports two primary certificate types: X.509 certificates and PGP (Pretty Good Privacy)
certificates. Each type provides encryption standards that Email Gateway will use to send and receive
messages. X.509 certificates use both a public key, shared with others that will be allowed to send
encrypted messages to Email Gateway or receive encrypted messages from Email Gateway, and a private
key that is maintained in complete secrecy. The private key is used to encrypt outgoing messages and
decrypt incoming messages. The certificates must be purchased from a Trusted Root Certificate Authority
(CA).
PGP certificates also use public and private keys, but rather than binding the certificate to the user (or
server), PGP uses a Web of Trust concept, a multiple path of certification that allows some tolerance. The
PGP certificates are generated by a PGP encryption package, available free from several sources. The
official repository is at the Massachusetts Institute of Technology.
X.509 certificates are used for Email Gateway's S/MIME functionality.
X509 certificates
The Certificate Signing Request (CSR) is actually the request made by an administrator for a new
certificate. Open the CSR List to see existing CSRs and to request new ones.
Adding a CSR
Clicking the Add New button at the bottom of the CSR List window opens the Add CSR window. This
window allows you to generate a Certificate Signing Request.
Figure 142 Add CSR window
When you have completed the necessary information, click Submit. The CSR List will refresh to add your
new CSR.
Email Gateway generates a private key/public key pair and displays the resulting CSR, which contains the
public key and the identifying information you entered, as a text string to be submitted to a trusted root
source (such as VeriSign) for a Security Certificate. Only the CSR is sent to the CA; the private key stays
on the appliance.
To complete the submission, do the following:
1 In the Name column, click the name of the CSR you just created.
3 Copy and paste the Email Gateway-generated text string into the appropriate input field of the Certificate
Authority's web page when applying for a Certificate. When copying and pasting the key information,
include the
When you click Submit, the CSR is ready for the Certificate Authority (CA). Email Gateway creates and
stores the private key/public key pair in its database. When you submit the CSR text to the CA, the CA
signs the public key it contains and returns the issued certificate as a text string; the CA does not
generate a new key pair, so the certificate is only usable with the private key held for that CSR. The
new certificate information appears in the CSR List - Manage window.
The install procedure lets you paste this string into the Email Gateway Certificate panel of the Install
Security Certificate window and complete the installation.
From the picklist, populated from the CSR List, select the CSR for which the certificate was issued. Type
the password that was used when the CSR was requested. Then copy and paste into the Certificate input
field the Security Certificate text string provided by the CA. Click Submit. The certificate is installed,
and the CSR disappears from the CSR List.
Caution: Installed Security Certificates cannot be uninstalled.
Note: P7C and PEM certificate files contain certificates (public keys) only, not a private key, so no password
is required. Provide the information required, browse to the file location where the certificate is stored
(for P7C), and click Submit.
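The install steps above depend on copying whole text blocks between the CA's web page and the appliance, and an installed certificate cannot be removed. The following Python function is an added example, not part of the product: it checks a pasted PEM block before you submit it. The BEGIN and END armor labels must match, the body must be valid base64, the decoded bytes must form exactly one complete DER object (a partial copy fails this check), and a block that is a private key is flagged so that it is never pasted into a certificate field or a CA web form, in line with the note that certificate pastes carry public keys only. The armor labels recognized and the sample block are this example's own assumptions; the sample is a constructed five-byte DER sequence, not a real certificate.

```python
"""Sanity-check a PEM block before pasting it into a certificate field.
Added example; not Email Gateway code."""
import base64
import binascii
import re

# Labels an administrator is likely to meet (assumption for this example).
PUBLIC_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST",
                 "NEW CERTIFICATE REQUEST", "PKCS7"}
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

# Constructed sample: DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05, base64 "MAMCAQU=".
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def der_length_ok(der):
    """True if `der` is one DER SEQUENCE whose length header matches the
    number of bytes that follow it (a truncated paste fails this)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def check_pem_block(text):
    """Return [(label, verdict)] for every armored block found in `text`.

    verdict: "ok"          armor, base64 and DER length all consistent
             "truncated"   body does not decode to one whole DER object
             "mismatch"    BEGIN and END labels differ
             "private-key" never paste this into a certificate field or CA form
             "unknown"     label not in either list
    A chain pasted as several blocks yields one entry per block.
    """
    results = []
    for m in _BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            results.append((begin, "mismatch"))
            continue
        if begin in PRIVATE_LABELS:
            results.append((begin, "private-key"))
            continue
        if begin not in PUBLIC_LABELS:
            results.append((begin, "unknown"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            results.append((begin, "truncated"))
            continue
        results.append((begin, "ok" if der_length_ok(der) else "truncated"))
    return results


if __name__ == "__main__":
    print(check_pem_block(SAMPLE_CERT_PEM))
```

Run the check on the text you intend to paste; a result other than "ok" for every block means the paste will fail on the appliance or, worse, disclose a private key to a third party.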
PGP certificates
All existing PGP certificates appear in the PGP List. This window also allows you to generate new PGP
certificates and import existing ones from backup.
Figure 146 PGP Certificates - Manage window
Type the name for the new certificate, then click Submit. The window will refresh to include the new PGP
certificate.
When the information is entered correctly, click Submit. The certificate will appear on the PGP List.
Managing domains
For server-to-server encryption, Email Gateway includes a single option in the Mail-VPN configuration that
tells it to always try to negotiate a TLS-protected SMTP session on port 25 (STARTTLS, the SMTPS option)
when delivering messages. You can also instruct Email Gateway what to do if the receiving server does not
accommodate a secure session: it can fall back to non-secure delivery, or it can be configured not to send
the message at all. Only the second choice guarantees that the message is never transmitted in clear; the
first is opportunistic encryption, which an on-path attacker can defeat by stripping the STARTTLS offer.
Email Gateway provides the ability to send and receive server-based S/MIME or PGP messages using much
the same functionality as Mail-VPN. Every incoming message is checked to see if it is an S/MIME or PGP
message. If so, Email Gateway checks to see if a key exists to decrypt the message. If a key exists, Email
Gateway decrypts the message. If no key exists, the message is treated as normal. Outgoing messages are
checked for a domain or user that exists in the S/MIME or PGP encryption lists. Different keys are required
for different domains.
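The inbound check described above (is this an S/MIME or a PGP message, and is there a key to decrypt it?) reduces to inspecting the MIME structure of the message. The following Python code is an added example, not the appliance's own logic: it classifies a message with the standard library's email parser, treating application/pkcs7-mime as S/MIME and a multipart/encrypted message with protocol application/pgp-encrypted and the two mandatory parts as RFC 3156 PGP/MIME, the only PGP form this document says is accepted. Inline PGP armor in a text body is deliberately left as "plain", and a message for which no matching key is installed is passed through, as the text states. The key table and the sample messages are constructed for the example; the "ciphertext" is a placeholder.

```python
"""Classify inbound mail as S/MIME, RFC 3156 PGP/MIME or plain, and decide
whether the gateway decrypts it.  Added example, not Email Gateway code."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: RFC 3156 PGP/MIME (two parts, version label then octet-stream).
PGP_MIME_SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/pgp-encrypted\n"
    "\n"
    "Version: 1\n"
    "\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="encrypted.asc"\n'
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "(constructed placeholder, not real ciphertext)\n"
    "-----END PGP MESSAGE-----\n"
    "\n"
    "--b1--\n"
)

# Constructed sample: opaque S/MIME enveloped-data object.
SMIME_SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "MIME-Version: 1.0\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MAMCAQU=\n"
)

# Constructed sample: PGP armor pasted inline into a text body (not RFC 3156).
INLINE_PGP_SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Content-Type: text/plain\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
)


def classify_inbound(raw):
    """Return the encryption form of a raw message as the inbound check sees it."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    # S/MIME: opaque pkcs7-mime object, or clear-signed multipart/signed.
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        return "smime-enveloped" if smime_type == "enveloped-data" else "smime-signed"
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in (
            "application/pkcs7-signature", "application/x-pkcs7-signature"):
        return "smime-signed"
    # RFC 3156: multipart/encrypted, protocol application/pgp-encrypted,
    # exactly two parts: the version label, then the armored ciphertext.
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        parts = msg.get_payload()
        if (isinstance(parts, list) and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp-mime"
        return "pgp-malformed"     # not RFC 3156 compliant: the gateway will not decrypt it
    # Inline PGP is not RFC 3156; it is handled as an ordinary message.
    return "plain"


def inbound_action(raw, domain_keys):
    """Decrypt only when the message form is supported and a private key of
    that type is installed for the recipient's domain; otherwise pass through."""
    kind = classify_inbound(raw)
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("To", ""))[1].rsplit("@", 1)[-1].lower()
    available = domain_keys.get(domain, set())
    if kind == "smime-enveloped" and "smime" in available:
        return "decrypt-smime"
    if kind == "pgp-mime" and "pgp" in available:
        return "decrypt-pgp"
    return "pass-through"


if __name__ == "__main__":
    keys = {"example.net": {"pgp"}}      # constructed key table
    print(classify_inbound(PGP_MIME_SAMPLE), inbound_action(PGP_MIME_SAMPLE, keys))
```

The "pgp-malformed" result is the case to watch in production: a sender whose client emits a non-RFC 3156 structure will have its mail passed through still encrypted, and the gateway's content policies will then see only ciphertext.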
External domains
External domains are those domains outside the Email Gateway network with which it communicates securely.
Email Gateway can use both S/MIME and PGP encryption for secure communication.
External S/MIME
Use the External S/MIME window to configure the domains to which Email Gateway sends messages using
S/MIME encryption. Note that the public key of the S/MIME Security Certificate of each external domain
must be installed on the Email Gateway.
Figure 148 External S/MIME Certificates - Manage window
External PGP
Use the External PGP page to manage the specific domains to which Email Gateway should send messages
using PGP encryption.
Figure 149 External PGP Certificates - Manage window
Internal domains
Internal domains are located within the Email Gateway network. Email Gateway can communicate with them
using S/MIME or PGP decryption.
Internal S/MIME
The Internal S/MIME page is used to specify internal domains hosted by Email Gateway that are required to
receive messages securely using S/MIME. For each domain, specify which Email Gateway Security
Certificate is to be used to provide the decryption.
Figure 150 Internal S/MIME Certificates - Manage window
Internal PGP
The Internal PGP Certificate Management window displays any internal domain for which a PGP Security
Certificate was installed on Email Gateway. Administrators can enable/disable use of PGP decryption, or
permanently remove the use of PGP for a domain.
Email Gateway only supports incoming PGP messages that are RFC3156-compliant.
Figure 151 Internal PGP Certificates - Manage window
To add an internal domain, complete the information in the data fields at the bottom of the window.
Depending on your license, the Advanced Encryption tab provides you with various configuration options to
help you perform a variety of functions related to your appliance. Main menu options may include such
items as:
• Configuration
• User administration
• Certification management
SMTP, the protocol that governs email delivery on the internet, was designed to transmit messages as plain
text. Unless an encrypted channel or message-level encryption is used, anyone positioned on the path with the
right tools can read a message sent by anyone else. Such tools, such as packet sniffers, may be freely
downloaded from the internet. They not only allow attackers to read email, but also allow an on-path attacker
to intercept and alter messages before they are delivered to the recipient. The easiest and most popular way
for enterprises to secure their email is by using Digital Certificates.
These certificates allow two essential strategies for message encryption: client to client and server to server
encryption.
In client-to-client encryption, Security Certificates are installed on individual workstations. The dominant
benefit of this method is that the message is encrypted before it leaves the originator's computer and
remains encrypted until it is received (protection from end to end).
Server-to-server encryption, on the other hand, requires Security Certificates be installed on the mail
servers. Messages are protected only from server to server, not from the client to the server.
The upper panel of the window shows historical data regarding Encryption action over time. Note that the
first time you access this screen, it will have no data displayed because no activity has taken place.
The graph tracks the following types of incoming messages:
• Clear (unencrypted) connection count
The historical trend data allows the Administrator to detect changes over time. The time period covered by
the historical graphs will vary according to the amount of data accumulated.
• If the appliance has data for less than a week, the trend data will be plotted daily.
• If the data represents from 1 to 12 weeks, the trends will be monitored on a weekly basis. The dates
displayed will represent the beginning date (Sunday) for each week.
• If the data covers more than 12 weeks, the trends continue to be plotted on a weekly basis, showing the
most recent 12 weeks.
Note: Email Gateway keeps track of messages it processes; however, the server can normally send messages out
without having them pass through the Email Gateway. Inbound messages destined for the Stage Server and
secure replies coming from it will increment the totals in the Encryption Quick Snapshot, but apparent
discrepancies in message totals may occur if some outbound traffic does not pass through Email Gateway.
The lower panel contains a pie chart that shows actions in the Encryption program area since midnight. This
graph tracks the same as the trend report, limited to the present day.
The outbound report window displays reports about delivered email traffic. This group of reports is divided
into two panels that correspond to those for the inbound reports. The outbound reports track the same
statistics about the email traffic as the inbound reports.
• Server-side S/MIME, one of the two major standards for message-level encryption and signing, is used
primarily to support legacy encryption systems.
• Server-side PGP, the other major message-level standard, is also used mainly to support legacy
encryption systems.
• Secure Web Delivery (SWD) is used when a message must be delivered securely, but no secure
connection can be established with the recipient server. This method emails the recipient that they have
a message waiting in a secure, web-based mailbox. The notification provides a URL link to the secure web
page where the message may be retrieved.
Note: At present, Email Gateway will continue to check the SSL capability of the receiving server to receive a
secure message before falling back to Secure Web Delivery, even if SSL is disabled. This additional check is only
seen in the SMTPO log file, and does not affect expected behavior.
Additionally, when encryption is performed at the gateway, Secure Delivery allows the Administrator to use
Email Gateway Compliance features to make decisions about encryption of messages, based on keywords
or header information. Secure Delivery will attempt to deliver the message securely using any of the
available methods as configured by the Administrator, with Secure Web Delivery as the final method.
Secure Web Delivery consists of two major components. There must be:
1 A host appliance providing the ability to configure SWD, produce reports, allow searches, etc. This may
be a regular Email Gateway appliance with SWD functionality enabled.
2 A server to receive and hold messages and to allow properly authenticated recipients to receive their
messages (the Secure Web Delivery Server).
Email Gateway can be configured to deliver the original message securely to the Secure Web Delivery
Server. SWD will create a new email to the original recipient that contains a hyperlink to Secure Web
Delivery. The original recipient is invited to click here to read the message waiting for them. When the
recipient opens a browser to retrieve the message, a Security Certificate installed on the Secure Web
Delivery appliance forces an HTTPS session for the user, ensuring that the message is read in an encrypted
session.
Note the following:
• If one of the Email Gateway Envelope Analysis policies requires Secure Delivery as a policy action, Email
Gateway will use Secure Web Delivery as the fall back option.
• When Secure Delivery is the designated action, Email Gateway will attempt to deliver the message in the
following order of encryption methods: S/MIME, PGP, and TLS. If it is unsuccessful delivering the message
using these methods, Email Gateway will fall back to Secure Web Delivery.
Note: Users and domains appearing in the Secure Web Delivery User List will always receive messages via HTTPS.
If the email address exists on the list, the SMTPO Service will redirect the message to the Secure Web Delivery
Server, which will then generate a new email to the user indicating that a message is waiting to be read securely.
The email contains a URL pointing back to the original message now stored on the Secure Web Delivery Server. If
the email address does NOT exist on the list, and auto-enrollment is enabled, the user will be automatically added
and SMTPO will redirect the message to SWD, otherwise the message will be dropped and a notification will be
sent to the sender.
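The Mail-VPN fallback options described earlier under Managing domains and the Secure Delivery order in the notes above (S/MIME, then PGP, then TLS, then Secure Web Delivery, then drop and notify the sender) together describe one decision procedure. The following Python function is an added example, not the product's logic: it implements that procedure as a single selection step so the combinations of settings can be tested before they are relied on. The configuration record, the precedence given to the SWD User List over the S/MIME and PGP lists, and the "hold" result for an ordinary Mail-VPN message whose peer refuses TLS when clear fallback is disabled are this example's assumptions.

```python
"""Outbound delivery-method selection in the order the guide describes.
Added example; the configuration structure is an assumption."""
from dataclasses import dataclass, field


@dataclass
class EncryptionConfig:
    """Subset of the encryption settings the text mentions (example structure)."""
    external_smime: set = field(default_factory=set)  # domains with an installed S/MIME public cert
    external_pgp: set = field(default_factory=set)    # domains with an installed PGP public key
    mailvpn_always_tls: bool = True                   # Mail-VPN: always try a secure session on port 25
    fallback_to_clear: bool = False                   # Mail-VPN: deliver in clear if the peer refuses TLS
    swd_users: set = field(default_factory=set)       # Secure Web Delivery User List (addresses or domains)
    swd_auto_enroll: bool = False                     # add unknown recipients to the list automatically


def select_delivery(recipient, cfg, peer_offers_tls, secure_required):
    """Return the delivery method for one recipient.

    secure_required is True when an Envelope Analysis policy set Secure
    Delivery as the action: clear delivery is then never an answer, and the
    ladder ends in Secure Web Delivery or a dropped message.
    """
    addr = recipient.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    # SWD User List entries always receive via HTTPS (assumed to take precedence).
    if addr in cfg.swd_users or domain in cfg.swd_users:
        return "swd"
    # Message-level encryption needs the recipient domain's public key installed.
    if domain in cfg.external_smime:
        return "smime"
    if domain in cfg.external_pgp:
        return "pgp"
    # Channel encryption: only if Mail-VPN asks for it and the peer offers it.
    if cfg.mailvpn_always_tls and peer_offers_tls:
        return "tls"
    if not secure_required:
        if not cfg.mailvpn_always_tls or cfg.fallback_to_clear:
            return "clear"
        return "hold"                      # configured "do not send at all"
    # Policy demanded Secure Delivery and no secure path exists.
    if cfg.swd_auto_enroll:
        cfg.swd_users.add(addr)            # auto-enrollment, then redirect to SWD
        return "swd"
    return "drop-notify-sender"


if __name__ == "__main__":
    cfg = EncryptionConfig(external_smime={"partner.example"},
                           external_pgp={"pgpco.example"},
                           swd_users={"vip@anyone.example"})
    for rcpt in ("bob@partner.example", "dave@other.example"):
        print(rcpt, select_delivery(rcpt, cfg, False, True))
```

Note the asymmetry the function makes visible: with secure_required set, a domain that offers neither S/MIME, PGP nor TLS still gets the message (via SWD) only if auto-enrollment is on; with it off, the message is dropped, which is the safer default but one the sender has to be told about.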
Secure Web Delivery is a licensable feature. If a Secure Web Delivery license is installed after Email
Gateway initial installation, the Administrator must log out of the Web Administration user interface and log
back in again before the Secure Web Delivery feature is displayed.
When Secure Web Delivery is hosted on a Secure Web Delivery Server (separate from the Email Gateway
appliance), it must be configured on both the Email Gateway and the Secure Web Delivery Server.
Secure Web Delivery requires that messages have a valid MIME structure. For messages that the Email Gateway
RIPQ is unable to parse (rip the message into its constituent MIME parts) successfully, the Secure Web
Delivery option is not available. When the SMTPO process checks for the availability of Secure Web
Delivery, it also checks the validity of the message's MIME structure.
Recipients of messages delivered via Secure Web Delivery have the ability to send secure replies or
acknowledgements for those received messages. Email Gateway supports secure replies only to the original
senders over SSL. You may edit the subject of the message and configure the relay target. It is also
possible to include attachments with the reply. See Configure Secure Web Delivery for configuration details.
Note: Deleting email addresses from the SWD User List and then adding them back again will not restore access
to previous messages. Even though the messages exist on the SWD server and may never have been accessed,
they are no longer available to the deleted and re-added email address.
2 From the drop-down list, select either Single User or Upload List. If you select Single User the screen
will change and allow you to enter the user’s email address, password, and if enabled, a series of
challenge/response security questions and answers.
Note: See the Challenge Response area for details about Challenge Response questions and answers.
5 If Challenge Response is enabled and security questions are editable, enter the questions and answers to
be used for the Challenge Response function.
6 When you have finished entering the user information, click Submit.
Note that you also have the option to add a list of users via upload.
To upload an existing list of users,
3 Select your user list file and click Open. The path will appear in the Browse field.
SYSTEM|Question1|
SYSTEM|Question2|
Note: The proper format for the User list when Challenge Response is enabled and editable questions enabled
is:
User1@test.com|Password(optional)|Question1|Answer1 (optional)
User1@test.com|Password(optional)|Question2|Answer2 (optional)
The same user with different questions and answers repeated for the configured number of questions.
Note: The proper formats for the User list when Challenge Response is enabled and editable questions disabled
(system questions will be taken):
User1@test.com|Password(optional)||
User2@test.com|Password(optional)||
Note: The format for the User list when Challenge Response is disabled is:
User1@test.com|Password(optional)||
User2@test.com|Password(optional)||
4 Click Submit.
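The three upload formats in the notes above differ only in which of the four pipe-separated fields may be filled, and a file that is valid for one Challenge Response mode is rejected or misread in another. The following Python validator is an added example, not part of the product: it checks a list against the selected mode before it is uploaded, requiring four fields per user line, a usable address, consistent passwords across one user's lines and, when editable questions are enabled, exactly the configured number of questions per user. Treating the SYSTEM|Question| lines shown above as definitions of the global questions is an assumption of this example; the sample lists are constructed.

```python
"""Validate a Secure Web Delivery user-list upload against the Challenge
Response mode it is meant for.  Added example, not Email Gateway code."""
import re

_EMAIL = re.compile(r"^[^@\s|]+@[^@\s|]+\.[^@\s|]+$")

# Constructed sample: Challenge Response enabled, editable questions enabled,
# two questions per user (the second user's address differs only in case).
SAMPLE_EDITABLE = (
    "user1@test.com|s3cret|Question1|Answer1\n"
    "user1@test.com||Question2|\n"
    "USER2@test.com|pw|Question1|A\n"
    "user2@test.com||Question2|B\n"
)
# Constructed sample: system questions (editable questions disabled) or CR disabled.
SAMPLE_SYSTEM = (
    "SYSTEM|Question1|\n"
    "SYSTEM|Question2|\n"
    "user1@test.com|pw||\n"
    "user2@test.com|||\n"
)


def parse_user_list(text, cr_enabled, editable_questions, questions_per_user):
    """Return (users, system_questions, errors).

    users maps a lower-cased address to {"password": str|None,
    "questions": [(question, answer|None), ...]}.  errors is a list of
    (line_no, message); an empty list means the file fits the selected mode.
    """
    users, system_questions, errors = {}, [], []
    per_user_mode = cr_enabled and editable_questions
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if fields[0] == "SYSTEM":                 # global question definition (assumption)
            if len(fields) < 2 or not fields[1].strip():
                errors.append((no, "SYSTEM line without a question"))
            else:
                system_questions.append(fields[1].strip())
            continue
        if len(fields) != 4:
            errors.append((no, f"expected 4 pipe-separated fields, got {len(fields)}"))
            continue
        addr, pwd, question, answer = (f.strip() for f in fields)
        if not _EMAIL.match(addr):
            errors.append((no, f"invalid address {addr!r}"))
            continue
        addr = addr.lower()
        entry = users.setdefault(addr, {"password": None, "questions": []})
        if pwd:
            if entry["password"] and entry["password"] != pwd:
                errors.append((no, f"conflicting passwords for {addr}"))
            entry["password"] = pwd
        if per_user_mode:
            if not question:
                errors.append((no, f"{addr}: question required when editable questions are enabled"))
            else:
                entry["questions"].append((question, answer or None))
        elif question or answer:
            errors.append((no, f"{addr}: question/answer fields must be empty in this mode"))
    if per_user_mode:                              # "repeated for the configured number of questions"
        for addr, entry in users.items():
            count = len(entry["questions"])
            if count != questions_per_user:
                errors.append((0, f"{addr}: {count} questions, expected {questions_per_user}"))
    return users, system_questions, errors


if __name__ == "__main__":
    print(parse_user_list(SAMPLE_EDITABLE, True, True, 2)[2])
```

The file carries passwords and security answers in clear text; keep it off shared storage, upload it only through the HTTPS administration session, and delete it once the user list shows the entries.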
Editing users
You can edit SWD user information two ways.
• In the user list, click the user’s email address. That user’s edit screen will appear.
• From the User/Search menu item, enter all or part of the user’s email address, then click Submit. A list
of users matching your search criteria will appear. Click the email address of the user you want to edit.
That user’s edit screen will appear.
User Search/Edit
You can search for SWD users via the search function. To search for a SWD user,
1 Click the User Search/Edit menu item.
2 Enter all or part of the user’s name or email address, then click Submit. A list of users matching the
search criteria appears.
Challenge Response
Use the Challenge Response window to enable and configure your Challenge Response settings.
Figure 165 Challenge Response
Use the following table to help you configure your Challenge Response options.
Table 177 Challenge Response fields
Enable Challenge Response
    Check this box to enable security questions and answers to be populated for individual users. The
    questions are used to authenticate a user who has forgotten the password.
Number of Questions Challenged
    Enter the maximum number of security questions to be presented to the user.
Number of successful responses expected
    Enter the minimum number of correct answers to the security questions required for authentication.
    A value larger than Number of Questions Challenged can never be satisfied.
Enable Editable Questions
    Check this box to enable security questions to be defined for the individual user. If disabled, only
    global security questions that apply to all users can be defined.
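Number of Questions Challenged and Number of successful responses expected together define the authentication rule: present up to N of the user's questions and accept if at least M are answered correctly. The following Python code is an added example, not a description of how the appliance stores answers: it shows one sound way to implement that rule. Answers are normalized and stored as salted PBKDF2 hashes rather than in clear, only the questions actually presented in this attempt are counted so an unsolicited extra answer cannot help a guesser, every presented answer is evaluated before the decision is made, and a policy check rejects settings with M greater than N or N greater than the user's enrolled questions. The hashing parameters and the sample questions are this example's choices.

```python
"""Challenge Response verification with the two Table 177 parameters.
Added example; storage format and hashing are this example's choices."""
import hashlib
import hmac
import os
import random

ITERATIONS = 50_000        # PBKDF2 work factor (example value)


def normalize(answer):
    """Fold case and collapse whitespace so 'Blue ' and 'blue' both pass."""
    return " ".join(answer.casefold().split())


def _hash(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(questions_answers):
    """Store each answer as (question, salt, hash); answers are never kept in clear."""
    records = []
    for question, answer in questions_answers:
        salt = os.urandom(16)
        records.append((question, salt, _hash(answer, salt)))
    return records


def validate_policy(num_challenged, num_required, num_enrolled):
    """Settings are usable only if 1 <= required <= challenged <= enrolled."""
    return 1 <= num_required <= num_challenged <= num_enrolled


def pick_challenge(records, num_challenged, rng=random):
    """Random subset of the user's questions for this attempt."""
    return rng.sample([q for q, _, _ in records], num_challenged)


def verify(records, presented, responses, num_required):
    """True if at least num_required of the *presented* questions are right.

    Answers for questions that were not presented are ignored, and every
    presented question is checked before the decision, so the response
    does not reveal which answer failed first.
    """
    stored = {q: (salt, digest) for q, salt, digest in records}
    correct = 0
    for question in presented:
        salt, digest = stored[question]
        candidate = _hash(responses.get(question, ""), salt)
        if hmac.compare_digest(candidate, digest):
            correct += 1
    return correct >= num_required


if __name__ == "__main__":
    # Constructed sample enrollment.
    recs = enroll([("Q1", "Blue"), ("Q2", "Rex"), ("Q3", "Paris")])
    asked = pick_challenge(recs, 2, random.Random(7))
    print(asked, verify(recs, asked, {q: "blue" for q in asked}, 1))
```

A reset flow built on this still needs a lockout or rate limit on failed attempts; the hashing only protects the stored answers, not against online guessing.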
Password Reset
There are three reset password cases, depending on the configuration options set by the Administrator:
• Challenge/Response is enabled by the administrator and questions have been uploaded and answers have
been configured – proceed to password reset.
• Challenge/Response is enabled and questions have been uploaded, but answers have not been set – a
popup appears and informs you to go to the user notification and either click the attachment or the view
message link.
• Challenge/Response is not enabled – a popup window appears and requires you to enter your email
address to reset your password.
Password policy
The Password Policy Configuration window allows you to set various settings for your password policies.
Figure 166 Password policy configuration window
2 Check the box next to the user whose password you want to reset, then click Submit. This resets the
enrollment status for this email address and allows the user to set a new password at the next login. The
user should, of course, be advised of this action.
Customization profile
Use this window to configure the display pages that users normally see. For example, when logging into
their email.
Figure 169 Customize SWD pages window
Tip: You can create and enable a customization profile from this process, but you must apply it from the Secure
Web Delivery Customization window, in the Secure Message Configuration section, Choose Customization Profile
field. For more information, see Secure Web Delivery configuration.
4 Click Submit. The screen will change and display the customization options.
5 Check the box next to the Enable field to enable this customization profile. The enabled customization
profile becomes a candidate profile shown in the activation list, ready for activation.
Note: You may also edit your disclaimer text if desired.
6 Next to the Resource Upload field, click Browse and navigate to the folder that contains the logo, graphic,
or file you want to use with your customization and select it.
Note: You may choose different logos or graphics to use with different assets, but the logo or graphic to be
used for mobile devices MUST be small enough to fit properly. We suggest a size no larger than 100 pixels
wide x 50 pixels high.
7 Check the box next to the Assets to which the Resource applies, then click Submit.
Note: When uploading a resource file, you cannot assign it to override and non-override asset types
simultaneously by selecting multiple check boxes.
3 Click Download Default Resource. Depending on your browser a save window appears.
5 Open the css file, edit it to suit your needs, then save it.
6 Return to the Customize SWD Pages window and from the Browse field, navigate to your edited css file
and select it.
7 Click Submit. Your file will be renamed and then be used by the system.
Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.
Mail notification
The Mail Notification screen displays a list of mail notification templates. The defaults are defined by the
system, but you can add new templates based on the default settings.
Use this window to manage your mail notification templates.
Figure 173 Mail notification default templates window
2 In the Type field, select a template to use as the base for your Customization. The screen will change and
display the tags available for your use.
Note: Inserting a tag at the cursor location results in that tag's information being inserted at that location
inside the Notification. You may move existing tags around, but do not delete them.
7 When you have finished creating your new Mail Notification template, click Submit. You will be returned
to the Mail Notification page. A success message should appear at the top of the screen and your new
template should appear in the template list.
Note the checkbox that appears next to your template in the Delete column. Checking this box, then
clicking Submit, will delete the template.
To create additional templates, simply repeat steps 1 through 6, selecting the specific template you want to
use to suit your needs.
Certificate management
Email Gateway protects messages in transit through the use of two types of methods:
• Creating encrypted channels of communication (SSL)
When Email Gateway is first installed, it is delivered with a self-signed Security Certificate which is
adequate for encrypting the Web Administration sessions for administrators managing their Email
Gateways. This self-signed certificate can also encrypt SMTP messaging, though sending servers may
refuse to deliver their email to a server whose certificate cannot be authenticated. Therefore,
administrators are enabled by Email Gateway to create and install certificates signed by a certificate
authority. This Certificate Manager program area provides the ability to create a Certificate Signing
Request, as well as to install, backup and restore one or more Security Certificates.
Certificates
Email Gateway provides an interface for requesting and installing a Security Certificate from a Certificate
Authority. When a certificate is installed on the Email Gateway appliance, it is not necessary to install
additional certificates on internal servers, unless the Administrator wants to protect the connection between
Email Gateway and the internal servers and provide security for internal users sending or retrieving
messages directly to or from the server. Email Gateway requires the installation of a Security Certificate so
that administrative sessions with it via the Web Administration browser interface can be conducted
securely.
Email Gateway supports two primary certificate types: X.509 certificates and PGP (Pretty Good Privacy)
certificates. Each type provides the encryption standards that Email Gateway uses to send and receive
messages. An X.509 certificate carries a public key, which is shared with the parties that will send
encrypted messages to Email Gateway or verify messages it signs, and is paired with a private key that
must be kept secret on the appliance. The private key is used to sign outgoing messages and to decrypt
incoming messages; an outgoing message is encrypted with the recipient's public key, which is why the
certificate of each external S/MIME domain must be installed on the appliance. Certificates that other
organizations must be able to validate are purchased from a Trusted Root Certificate Authority (CA).
PGP keys also come in public/private pairs, but instead of relying on a Certificate Authority to vouch for
the binding between a key and its owner, PGP uses a Web of Trust: confidence in a key is built from multiple,
independent certification paths, which allows some tolerance when one signer is unknown. PGP keys are
generated by a PGP encryption package, available free from several sources. The official repository is at
the Massachusetts Institute of Technology.
X.509 certificates are used for Email Gateway's S/MIME functionality.
X509 certificates
The Certificate Signing Request (CSR) is actually the request made by an Administrator for a new
certificate. Open the CSR List to see existing CSRs and to request new ones.
Use this window to manage your CSRs.
Figure 177 CSR List - Manage window
Adding a CSR
Use this window to generate a Certificate Signing Request.
To add a CSR,
1 Click the Add New button at the bottom of the CSR List window.
Use the following table to help you configure your CSR request.
2 When you have completed the necessary information, click Submit. The CSR List will refresh to add your
new CSR.
Email Gateway generates a private key/public key pair and displays the resulting CSR, which contains the
public key and the identifying information you entered, as a text string to be submitted to a trusted root
source (such as VeriSign) for a Security Certificate. Only the CSR is sent to the CA; the private key stays
on the appliance.
To complete the submission, do the following:
1 In the Name column, click the name of the CSR you just created.
3 Copy and paste the Email Gateway-generated text string into the appropriate input field of the Certificate
Authority's web page when applying for a Certificate. When copying and pasting the key information,
include the
When you click Submit, the CSR is ready for the Certificate Authority (CA). Email Gateway creates and
stores the private key/public key pair in its database. When the administrator submits the CSR text to the
CA, the CA signs the public key it contains and returns the issued certificate as a text string; the CA
does not generate a new key pair, so the certificate is only usable with the private key held for that
CSR. The new certificate information appears in the CSR List - Manage window.
Figure 179 CSR list showing new certificate
The install procedure allows you to paste this string in the Email Gateway Certificate panel of the Install
Security Certificate window and complete the certificate generation.
1 Click Install on the CSR List window. The Install Security Certificate window opens.
2 From the list, populated on the CSR List, select the certificate that is to be installed.
3 Enter the password used to request the CSR from the Certificate Authority (CA).
4 Copy and paste into the Certificate input field the Security Certificate text string provided by the CA.
5 Click Submit. The certificate will be installed, and the CSR will disappear from the CSR List.
Certificate Store
When a certificate is installed, it is added to the X509 list (X509 Certificates - Manage). Storing the
available certificates allows them to be archived for backup purposes. X.509 Certificates are added from the
CSR list when they are installed.
Figure 181 S/MIME Certificates - Manage window
Note: For a PEM certificate, enter a display name for the certificate, then paste the certificate information in
the certificate box.
For the P12 Certificates, a password is required, since the certificate contains both public and private
keys.
4 Enter the certificate name, browse to the file storage location, and enter the password that was associated
with the certificate at the time it was exported.
PGP certificates
All existing PGP certificates appear in the PGP List. This window also allows you to generate new PGP
certificates and import existing ones from backup.
Figure 185 PGP Certificates - Manage window
2 Enter a name for the PGP certificate, then click Submit. The window will refresh to include the new PGP
certificate.
2 Enter the appropriate information, then click Submit. The certificate will appear on the PGP List.
Server-to-server encryption
For server-to-server encryption, Email Gateway includes a single option in the Mail-VPN configuration that
tells it to always try to negotiate a TLS-protected SMTP session on port 25 (STARTTLS, the SMTPS option)
when delivering messages. You can also instruct Email Gateway what to do if the receiving server does not
accommodate a secure session. Email Gateway can fall back to non-secure delivery or it can be configured not
to send the message at all.
Email Gateway provides the ability to send and receive server-based S/MIME or PGP messages using much
the same functionality as Mail-VPN. Every incoming message is checked to see if it is an S/MIME or PGP
message. If so, Email Gateway checks to see if a key exists to decrypt the message. If a key exists, Email
Gateway decrypts the message. If no key exists, the message is treated as normal. Outgoing messages are
checked for a domain or user that exists in the S/MIME or PGP encryption lists. Different keys are required
for different domains.
External domains
External domains are those domains outside the Email Gateway network with which it communicates
securely. Email Gateway can use both S/MIME and PGP encryption for secure communication.
External S/MIME
Use the External S/MIME window to configure the domains to which Email Gateway sends messages using
S/MIME encryption. Note that the public key of the S/MIME Security Certificate of each external domain
must be installed on the Email Gateway appliance.
Figure 189 External S/MIME Certificates - Manage window
External PGP
Use the External PGP page to manage the specific domains to which Email Gateway should send messages
using PGP encryption.
Internal domains
Internal domains are located within the Email Gateway network. Email Gateway can communicate with
them using S/MIME or PGP decryption.
Internal S/MIME
Use the Internal S/MIME page to specify internal domains hosted by Email Gateway that are required to
receive messages securely using S/MIME. For each domain, specify which Email Gateway Security
Certificate is to be used to provide the decryption.
Figure 191 Internal S/MIME Certificates - Manage window
Internal PGP
The Internal PGP Certificate Management window displays any internal domain for which a PGP Security
Certificate was installed on Email Gateway. Administrators may enable/disable use of PGP decryption, or
permanently remove the use of PGP for a domain.
Email Gateway only supports incoming PGP messages that are RFC3156-compliant.
Figure 192 Internal PGP Certificates - Manage window
To add an internal PGP domain, complete the information in the data fields at the bottom of the window.
Managing messages
Use the Message Management window to search for encrypted messages currently stored on this appliance.
To search for a message, do the following:
1 On the Encryption tab, click Message Management. The Message Management window appears.
2 Provide as much information about the message as possible (see Table 193).
3 Click Search. A message list containing only the results of your search will display.
You can use this listing to further investigate any of the messages that met your search criteria
Figure 193 Message Management window
IntrusionDefender
About IntrusionDefender
The network perimeter is, for most corporations, relatively secure. Firewalls, combined with a handful of
other tools such as intrusion detection systems (IDS), have established a solid line of defense for corporate
networks. In fact, firewalls have been so successful that most attackers have ceased trying to attack them.
Instead, hackers are shifting their attacks to areas unprotected by traditional network security tools—to
applications such as mail server and web server software. Hackers have learned to use actual email and
email protocols as the carriers of, or vehicles for, their attacks. Email systems are being widely exploited in
order to disrupt and violate corporate networks.
McAfee has taken a comprehensive approach to protecting corporations from email risks by providing an
integrated solution, deployed at the gateway, which secures every aspect of the email system. It created
Email Gateway, the secure email gateway appliance.
Gateway threats
Three primary threats plague enterprises if they are allowed to enter through the network gateway:
• Denial of service attacks;
• Intrusions; and
Denial of Service
Hackers can launch denial-of-service attacks against email systems in an attempt to bring those systems to
a halt. Many techniques can accomplish this disruption, but attackers typically exploit vulnerabilities in
a mail server, such as the inability to process a malformed MIME message or a buffer overflow in its
parsing code. Or the attackers can simply flood a mail server with more SMTP connections or commands than
the server can handle.
Intrusions
Intrusions occur when unauthorized users gain access to the organization’s infrastructure. For spammers,
this typically means breaking into a mail server to send spam (mail relay) or to harvest email addresses.
Spammers can also plant computer code on the organization’s personal computers, which then become
spam machines or drones. Recent worms and viruses are examples of the results from intrusions.
Quick snapshot
The first window that appears when Intrusion Defender opens is the Intrusion Defender Quick Snapshot.
This report window consists of three panels containing tables that provide current information about
processes within this program area.
Figure 194 IntrusionDefender Quick Snapshot window
The Services Status panel provides data about a variety of services, configured by specific functions within
Email Gateway.
The Active Protection Status panel tracks the current status of three forms of protection:
• Denial of Service protection
The Mail IPS Status panel tracks the results of intrusion detection tools at two levels:
• Application Level
• System Level
As a proxy, Email Gateway scrutinizes every attempted connection to your mail servers, detecting and
blocking all known or potentially harmful connections. Email Gateway employs McAfee's patented
Mail-Firewall technology to deliver the most robust email gateway protection available.
• The SMTPO Service processes all messages that Email Gateway delivers out of the appliance. (The O
represents delivered Out of Email Gateway.) Again, new Email Gateway users mistakenly think of the
SMTPO Service as the subsystem that delivers email originating within the network to users out in the
Internet. While this is true, it is more correct to understand that the SMTPO Service delivers all messages
out of the appliance, whether their destination is inside or outside the network (see SMTPO Service).
Invisible to the Email Gateway administrator is the SMTPI Service’s enforcement of the SMTP protocol.
Before this service will accept the data or payload of an email, it inspects the requested email connection at
the application level to ensure that it is legitimate. Connection requests that do not conform to the SMTP
protocol are dropped. If the connection is accepted, then Email Gateway processes the message like a
full-featured mail server application. Accordingly, the SMTPI Service has many configuration options that
affect how it processes and delivers messages.
SMTPI service
Clicking the SMTPI Service link on the Mail Services - Configure window opens the SMTPI Service
Configuration window. On this window you can configure parameters in eight categories, governing the
behavior of the SMTPI functionality.
Note: This function can stop legitimate email for internal users when they use an external source to generate mail
and send it using Email Gateway. This feature should be used with caution and forethought.
SMTPO service
Just as the SMTPI Service is responsible for processing messages entering the Email Gateway appliance
(whether originating from inside or outside the hosted domain), the SMTPO Service is responsible for
delivering the messages out of the appliance (whether the recipient is inside or outside the hosted domain).
Clicking the SMTPO Service hyperlink in the Mail Services - Configure window opens a secondary window
where the following configuration options are available:
Figure 197 SMTPO Service Configuration window
If Email Gateway has been configured to require SSL message delivery to specific domains and the
receiving server cannot support SSL, Email Gateway will “fall back” to Secure Web Delivery if that
feature/license has been installed and the domain has been configured to use it. Otherwise, Email Gateway
will not deliver the message—it will send a Delivery Status Notification indicating that it could not deliver
the message.
Global properties
Clicking the Global hyperlink on the last row of the Mail Services - Configure window opens a secondary
browser window allowing configuration of additional message-delivery options.
The Global Properties window allows you to configure properties for Email Gateway mail service. It is
important to remember that specific property settings made here will have impact on other Email Gateway
processes. One example is choosing to enable High Performance, or choosing not to enable it.
Figure 198 Global Configuration window
Allow Relay
Email Gateway SMTPI Service provides an option to allow relaying to external domains (Mail-Firewall |
Configure Mail Services | SMTPI Service). Ordinarily, this option should never be enabled as it allows
anyone in the world to send email through the domain’s mail server.
Instead, use the Allow Relay - Configure window. If the option on SMTPI is not enabled, Email Gateway will
only accept mail for delivery outside the network if it originates from an IP address or subnet that appears
in this Allow Relay table. This does not include the IP addresses of all internal mail servers that Email
Gateway hosts; they are allowed to deliver. It does include any addresses and subnets of users outside the
network who can have a legitimate need to relay their mail through the network.
Figure 199 Allow Relay - Configure window
To add a subnet to the Allow Relay list, type the required information about the new subnet, as discussed
above. Click Submit when the data is correct. The Allow Relay list is updated.
When an IP subnet is placed on the Allow Relay list, it will not be evaluated for Denial of Service attacks.
This can be a potential vulnerability.
Note: Email Gateway fully supports RFC 3490 in SMTPI, SMTPO, and anywhere requiring the entry or display of a
domain name (allowing processing of domains with international characters).
Domain-based routing
Specific domains or sub-domains can be mapped to specific internal mail servers. All messages to that
domain or sub-domain will be delivered to the specified machine name (internal mail server).
McAfee recommends you limit each single Email Gateway appliance to routing mail to a maximum of 100
internal domains.
Email Gateway uses the following logic to deliver the message:
1 Use LDAP routing information if LDAP routing is enabled.
2 If LDAP is not enabled, or if LDAP does not provide a route, use the sub-domain route existing in this table.
3 If a sub-domain route does not exist in this table, deliver it to the mail server hosting the next-level of
the destination domain. (For example, if name.subdomain.domain.com does not exist in the Mapping
Table, Email Gateway will look for subdomain.domain.com. And if that entry is not in the table, Email
Gateway will look for domain.com.)
4 Step three repeats until the top-level domain (for example, domain.com) is reached.
5 If the IP address sending the message is not on the Allow Relay list (Mail-Firewall | Allow Relay), Email
Gateway (SMTPI) responds with a 571 Cannot relay message, and the connection is dropped.
6 When Skip Internal Server for Outbound Messages (Mail Firewall | SMTPI Service | Skip Internal
Server for Outbound Messages) is enabled and a message is addressed to a domain not mapped in this
Mapping Table, Email Gateway verifies that the message sender is identified in the Allow Relay List and
relays it. If the sender is not on the Allow Relay List, Email Gateway drops the message.
7 When Skip Internal Server for Outbound Messages is disabled, all messages will be delivered internally,
and if the recipient's domain is not in the Mapping Table, the email is routed to the default domain.
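The delivery order above, carried through as an added worked example (not Email Gateway code): a constructed mapping table is walked up the parent domains, and an unmapped destination is then decided by the Allow Relay list (or an authenticated sender) and the Skip Internal Server for Outbound Messages setting. All table entries, subnets and the LDAP stand-in are constructed.

```python
"""Worked illustration of the domain-based routing order described above.
Added example, not Email Gateway code; every table entry below is constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed Domain Based Mapping table: domain or sub-domain -> machine names.
MAPPING_TABLE = {
    "example.com": ["mail1.corp.example", "mail2.corp.example"],
    "sales.example.com": ["salesmail.corp.example"],
}
# Constructed "Default" SMTP entry, used when Skip Internal Server is disabled.
DEFAULT_SERVERS = ["mail1.corp.example"]
# Constructed Allow Relay list (IP subnets permitted to relay outbound mail).
ALLOW_RELAY = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


def ldap_route(recipient: str) -> Optional[List[str]]:
    """Stand-in for the LDAP mail routing query (step 1). The constructed
    directory knows a single mailbox; None means LDAP provided no route."""
    directory = {"ceo@example.com": ["execmail.corp.example"]}
    return directory.get(recipient.lower())


def mapping_route(domain: str) -> Optional[List[str]]:
    """Steps 2 to 4: look the domain up in the mapping table, then strip one
    label at a time and retry, stopping once the top-level domain is reached."""
    labels = domain.lower().split(".")
    while len(labels) >= 2:
        servers = MAPPING_TABLE.get(".".join(labels))
        if servers:
            return servers
        labels = labels[1:]
    return None


def allowed_to_relay(sender_ip: str) -> bool:
    """True when the sending address falls inside an Allow Relay subnet."""
    addr = ip_address(sender_ip)
    return any(addr in net for net in ALLOW_RELAY)


def route_message(recipient: str, sender_ip: str, *, ldap_enabled: bool,
                  skip_internal_for_outbound: bool,
                  authenticated: bool = False) -> Tuple[str, object]:
    """Return ("deliver", servers), ("relay", [destination domain]) or
    ("reject", "571 Cannot relay"). `authenticated` models POP Before SMTP
    or SMTP AUTH, which the text says also permits an unmapped destination."""
    domain = recipient.rsplit("@", 1)[1]
    if ldap_enabled:
        servers = ldap_route(recipient)
        if servers:
            return ("deliver", servers)
    servers = mapping_route(domain)
    if servers:
        return ("deliver", servers)
    # Unmapped destination: only relay sources (or authenticated senders) pass.
    if not (allowed_to_relay(sender_ip) or authenticated):
        return ("reject", "571 Cannot relay")
    if skip_internal_for_outbound:
        return ("relay", [domain])        # step 6: relay straight out
    return ("deliver", DEFAULT_SERVERS)   # step 7: hand to the default server


if __name__ == "__main__":
    for rcpt, ip in [("bob@sales.example.com", "198.51.100.5"),
                     ("dev@eng.example.com", "198.51.100.5"),
                     ("someone@other.org", "198.51.100.5"),
                     ("someone@other.org", "10.1.2.3")]:
        print(rcpt, ip, route_message(rcpt, ip, ldap_enabled=True,
                                      skip_internal_for_outbound=True))
```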
To change the default mail server, type a list of host names or IP addresses separated by commas in the
Machine Name column for the Default entries for the SMTP, POP3, and IMAP4 protocols. Additional internal
mail servers can be added to this list as the number of internal mail servers which Email Gateway protects,
increases.
Figure 200 Domain Based Mapping - Manage window
If a message is addressed to a domain not mapped here, Email Gateway will drop the connection – the
message will not be accepted – unless the sender is on the Email Gateway Allow Relay List, or the message
sender has been authenticated by a POP Before SMTP or SMTP AUTH method.
When the information is complete, click Submit. The Domain Based Routing window will update.
When you click Submit, the edited domain information will appear in the Domain Based Routing window.
Internal routing
Administrators must provide the IP addresses of any internal server allowed to deliver, through Email
Gateway, messages to external domains. The IP address of the default mail server (entered during the
Initial Configuration Wizard when Email Gateway was installed) is listed by default.
Note: Whenever a server’s IP address is added here, it must also be added to the Email Gateway Allow Relay List
(Mail-Firewall | Allow Relay). If an IP address in this table is deleted or edited, the Allow Relay List must be
manually updated to reflect the change.
Configuring Mail-VPN
The Mail-VPN - Configure window contains four columns: Service, Auto-Start, Running, and Service Uptime.
Figure 203 Mail VPN - Configure window
Note: The service properties screens for both of the Mail-VPN services are identical with the exception of the port
selection. The table below explains the screens and the service configurations for both services.
To add a new domain to either list, type the information in the data fields explained above. When the
information is correct, click Submit. The SSL/TLS Domains window will update to add the new domain.
New domains are not enabled by default. If you want to enable the new domain, select the Enable
checkbox and click Submit again. The window will refresh to accept the change.
LDAP operations
Email Gateway uses LDAP directories to perform two types of operations: Realtime and Synchronized.
Realtime operations
Realtime operations are those which query the LDAP server in real time, to find details about a recipient
when a message is received at SMTPI. The results of each query are evaluated immediately.
Email Gateway Realtime LDAP operations are:
• Recipient validation - during message acceptance, SMTPI can check with the LDAP server to verify that
the recipient is a valid member of a hosted domain.
• Mail routing queries - during message acceptance, if the recipient is a valid member of a hosted domain,
SMTPI can determine, from the LDAP server, the mail server to which the message should be routed.
• Address masquerading - during message acceptance, SMTPI can find the canonical email address (the
original email address) for the recipient and re-write the recipient address at the 821 protocol level ONLY
(an 822 address re-write will not happen).
Synchronized operations
Synchronized operations are those which query the LDAP server at specific intervals. The resulting
information is stored in the Email Gateway database and is evaluated by a query to the database rather than
to the LDAP server. Synchronized mode is used when it is desirable to duplicate data between the LDAP
server and the local Email Gateway database for faster access.
The Synchronized operations for which Email Gateway uses LDAP are:
• User or group evaluation (Policy Engine) - during message processing, various Email Gateway processes
check group membership in the local data in order to apply any rules based on membership to a group.
• Recipient validation - during message acceptance, when a recipient belongs to a hosted domain, SMTPI
will check the local dataset to determine if the recipient is valid.
• Mail routing queries - during message acceptance, SMTPI can check the local dataset to determine the
mail server to which the message should be routed.
LDAP profiles
An LDAP profile is a collection (a logical grouping) of configuration information about an LDAP server. This
type of grouping helps in switching between servers for failure awareness.
A profile includes the following elements:
• Profile ID – a unique identifier for the profile
• Platform – the type of LDAP server where the profile applies. For Email Gateway, the types are:
• MS Active Directory
• MS Exchange 5.5
• Domino
• Novell eDirectory
• OpenLDAP
LDAP rules
An LDAP rule is a collection of LDAP operations that can be completed in one pass by either a single query
or a group of queries. It is a grouping of operations that can be applied to a set of domains and evaluated
using the LDAP profiles.
The elements of a rule are:
• Rule Name – a unique display value for the rule
• Rule Type – Realtime rule or Synchronized rule (identifies the type of operation)
• Rule Enabled – indication whether or not the rule has been enabled
LDAP queries
The configuration parameters used in creating LDAP queries will change, based on the type of LDAP rule
being applied and the operations selected for that rule.
• Search DN – the starting point where the query will search for the Person Object
• Search Filter – the filter string (for identifying individuals) that defines or limits the search
• Validation Attributes – the attributes of the Person Object the query is to use for validation
• Mail Host Attributes – the attributes of the Person Object the query is to treat as containing the routing
information
• Address Masquerading Attributes – the attributes of the Person Object the query will treat as containing
the canonical (main) email address
• Search DN – the starting point where the query will search for the Group Objects
• Group Filter – the filter string (for identifying groups) that defines or limits the search
• Group Attribute – the attribute of a group that contains information identifying the objects that make up
the group (for example, members)
• Group Routing Attribute – the attributes of a Group Object the query treats as containing routing
information, when routing information is stored at the group level.
• Member Attributes – the attributes of a Group Object the query treats as containing the members of the
group
• Email Attribute – the attribute the query should treat as containing the member’s email address.
• Routing Attribute – when routing information is stored at the member level, the attribute of the
Member Object the query treats as containing the routing information.
LDAP configuration
Using LDAP functionality in Email Gateway requires you to proceed in a logical order to define and configure
all the necessary components for executing queries and evaluating the results.
Field Description
Profile Name Type a unique name to identify this profile. The name will be used to
associate the profile with a configured LDAP rule.
Platform Select from the pick list the platform for which you are configuring this
profile. This selection will match the name of the organization that
provides your version of LDAP.
LDAP Server Provide the IP address or Fully Qualified Domain Name of the LDAP server
where this profile will reside.
Port This field will contain the port number Email Gateway should use to
connect to the defined LDAP server. The port will default to the correct
port number based on your selection of the port type radio button.
Choices are:
• Non secure
• Secure LDAP over SSL (LDAPS)
• Secure LDAP and TLS
Ignore Cert Validation Select this checkbox to allow Email Gateway to connect to a secure LDAP
server via TLS without checking that the server’s certificate is present in
the Email Gateway’s list.
This option is available only if you selected Secure LDAP and TLS.
Anonymous Bind Select this checkbox to create an anonymous bind for this profile. This will
disable the next three fields.
User DN Type the user name or Distinguished Name that must be used to connect
to the LDAP server. Leave this field blank for anonymous bind.
Password Type a valid password associated with the user name or DN entered
above. Leave this field blank for anonymous bind.
Confirm Password Confirm the password by entering it a second time.
When the configuration data is complete, click Submit. The LDAP Server Profile - Manage window will be
updated.
Editing a profile
Clicking a profile’s ID hyperlink on the LDAP Server Profiles - Manage window displays details about that
profile. An Edit Profile link is included in that display. Clicking Edit Profile displays the LDAP Profile - Add
Definition window again, populated with the current configuration of the selected profile.
The Profile ID, Profile Name and Platform fields are not editable. The other fields can be edited by changing
the information as allowed.
This window provides the necessary fields to allow you to associate the domain to which the rule will apply
with the rule itself.
Assigning Profiles
Figure 212 Assign Profile Information window
This window allows you to assign one or more profiles to this rule.
Click Select. The next window allows you to configure queries using the rule you have just configured.
Queries
Figure 213 Query Browser window
If you click Next, the Assign Profile Information window appears to allow you to assign another profile to
the rule if desired. When you have reviewed the window, click Next again to go to the final window where
you can enable your rule.
Confirming rules
Figure 214 Rule Confirmation window
After you have reviewed the window, click Finished. The LDAP Rules window updates showing the new
rule.
Click Next.
Assigning profiles
Figure 217 Assign Profile Information window
Click Select to proceed to the next step. The Query Browser window will appear, allowing you to configure
queries that use the rule you have configured.
Queries
Figure 218 Query Browser window
Click Next to continue. The Assign Profile Information window will reappear to allow you to assign another
profile if necessary.
If you add a profile and click Select, a new Query Browser window will appear to allow you to configure
queries for the new profile. If you do not add a new profile, click Next again to go to the Rule Confirmation
window.
This window allows you to review the configuration of the new rule, and to enable the rule if the
configuration is correct and you want to enable it.
When you have reviewed the configuration and decided whether or not to enable the rule, click Finished.
The LDAP Integration - Manage Rules window will update to add the new rule.
Editing a rule
If you want to edit an existing LDAP rule, click the ID hyperlink. The window expands to show details
regarding the rule you selected. Click any of the hyperlinks in the detail display to open the particular
window where that parameter is configured. You can edit the data on some of those screens and save your
changes.
The details for a realtime rule are shown below.
Figure 221 LDAP Integration - Manage Rules window expanded
When you have edited the configuration, click Submit to record your changes.
When you have completed the information correctly, click Submit to record your configuration.
Because browser-based email continues to grow in popularity and enterprises increasingly turn to
applications such as Lotus iNotes, Outlook Web Access, and GroupWise WebAccess, Email Gateway
provides WebMail Protection to offer the same protection against HTTP network attacks as it does for SMTP
attacks. In addition to providing a hardened face to the web-enabled mail servers running the web mail
applications, WebMail Protection also offers additional security measures such as HTTPS (SSL) messaging,
Secure Logoff, optional Strong Client Authentication, and more.
Signature configuration
WebMail Protection provides real-time detection of attempted attacks through its intrusion detection
engine. By examining all packets passing across port 80 or secure port 443, it can see if they match
signatures of known attacks. Furthermore, WebMail Protection uses protocol analysis to overcome hackers’
URL path confusion-generating techniques, like the insertion of hex, double-hex, and UNICODE strings,
designed to circumvent signature detection.
Figure 225 WebMail Signature - Configure window
Configure which attack signatures WebMail Protection should use from this window. When a signature is
checked, WebMail Protection will look for that potential attack as it examines packets passing through it
(the Enable hyperlink at the top of the column toggles all signatures on or off). Click Submit after
selections have been made.
HTTP routing
WebMail Protection can proxy the web sessions for users who ordinarily would have connected directly to
the internal web-enabled mail servers. By sitting between users out in the Internet and the internal
web-enabled mail servers, WebMail Protection can protect against network attacks, provide SSL encryption
of the web mail, and securely close browser sessions it proxies.
Administrators must map a route to the web-enabled mail server so WebMail Protection knows how to
proxy end users’ web mail requests to the internal server hosting their mail box. The HTTP Routing
hyperlink in the left navigation frame displays a window that offers Path-Based Routing, Host-Based
Routing, and Portal Page tabs. Each tab represents a proxy solution for a particular type of web mail server
environment.
Depending on the configuration of the internal mail server(s), one of the routing options here will be used.
Select the option you want from the drop-down list at the top of the window.
• Use Path-based Routing when each internal web-enabled mail server uses a unique path string pointing
to its own web mail application (for example, /exchange, /, /mail, and so forth). End users will point their
browsers to the Email Gateway fully qualified host name, followed by the path string to the web mail
application. WebMail Protection will resolve each server’s unique path string to its URL.
• Use Host-based Routing when there are multiple internal web-enabled mail servers and the path strings
pointing to the web mail application are identical (for example / or /exchange). Create one virtual host
name/IP address on the DNS server for each web-enabled mail server WebMail Protection proxies. The A
and PTR records for each virtual host name point to Email Gateway. WebMail Protection maps each of its
virtual IP addresses to a specific internal web-enabled mail server, thus routing end users to the
web-enabled mail server hosting their mail box.
• Use the Portal Page when WebMail Protection is proxying web mail specifically for one or more Outlook
Web Access/Exchange servers, and True Logoff or Secure Logoff is required. With True Logoff or Secure
Logoff, WebMail Protection will totally close, on logoff, the session to the web-enabled mail server so that
subsequent individuals using the same open browser cannot back into a web mail session.
The table below provides routing recommendations for specific email environments.
Path-Based routing
Path-based routing is used when all internal web-enabled mail servers use a unique path string pointing to
their web mail application. WebMail Protection maps the unique path string to the URL of each web-enabled
mail server.
Figure 226 HTTP Routing - Path Based Routing - Manage tab
When the information is correctly entered, click Submit to record the new path.
Typical configurations
A typical configuration for OWA 5.5 is:
• Protocol: HTTP
• Path: /exchange
• URL: http://owaserver.company.com/exchange
• Protocol: HTTP
• Path: /exchange
• URL: http://owaserver.company.com/exchange
• Exchange 2000: On
Application-specific notes
Some applications require specific configuration options:
IIS
Windows NT’s Challenge Response (NTLM Directory Security in the Internet Service Manager) must be
turned off if IIS is employed on the web-enabled mail server. Use Basic authentication only on the IIS
server.
Lotus iNotes
Two entries in the Path-based Routing table are required for each Lotus iNotes web-enabled mail server.
One entry must contain the normal path string /mail. In addition to that, however, a second entry is
required to point WebMail Protection to images used by the iNotes application. Therefore, create a second
entry for the iNotes server using /icon as the image path string in the Path input field.
Note: End users do not use this second string in the URL when pointing their web browsers to Email Gateway.
Table 227 HTTP Routing - Host Based Routing - Manage fields (continued)
Field Description
Enable Selecting the checkbox will allow you to enable or disable the associated
host for use in host-based routing.
Delete To delete a server from the Host-based Routing table, select its Delete
checkbox and click Submit.
When the information is correctly entered, click Submit to record the new host.
Provide end users with the following URLs:
https://virtualEmail Gatewayname.yourdomain.com/ (for GroupWise users)
where
• virtualEmail Gatewayname is the virtual Email Gateway host name associated with the web-enabled
mail server hosting the user’s mail box.
If IIS is running on the web-enabled mail server, Windows NT’s Challenge Response (NTLM Directory Security in the
Internet Service Manager) must be disabled. Use Basic Authentication only. See the Microsoft knowledgebase
article Q317627 for more information on NTLM Directory Security.
When the information is correctly entered, click Submit to record the new portal.
Note: Some users' browsers can freeze when accessing the OWA web server or display a “Cannot render image”
message. This is a “browser issue.” The problem is resolved by clearing the browser’s cache and restarting the
browser.
If a user attempts to log on to the Outlook Web Access server and the session fails because of an
incorrectly-typed username or password, WebMail Protection records this as a log on failure in the WebMail
Protection Daily Report. WebMail Protection only counts this failure when an OWA log on at WebMail
Protection’s Portal Page fails.
Each time users log on to WebMail Protection’s proxy service, a Client Authentication dialog box appears
on-window, prompting them to select the Security Certificate installed in their browser.
Note: If users have more than one certificate installed, ensure that they select the root certificate whose
corresponding public key was pasted into WebMail Protection’s Strong Client Authentication window.
After clicking OK, the user is logged onto their web-enabled mail server.
Failure to use Strong Client Authentication negatively affects email security. Strong Client Authentication is
applicable for those WebMail Protection routing configurations for which the protocol setting is HTTPS
(secure) and not for HTTP (non-secure).
2 Click the Content tab of the Internet Options page and click the Certificates button.
3 Click the Personal tab in the Certificates page. Then select the personal certificate installed in your
browser and click the View button.
4 In the resulting Certificate page, select the Details tab and click the Copy to file... button. This launches
a simple Wizard to export your certificate. The first step of the Wizard requires you to select an export
certificate format. Select the second option, Base-64 encoded X.509 (.CER). Follow the remaining
prompts to name and select a destination for the exported certificate.
5 Open the certificate file you just saved to disk in your favorite text editor. (Ensure that the application
can see all files — the certificate file extension is .cer.) Copy the entire contents of the certificate file and
paste it into the Email Gateway Certificate Information text field.
To access information about the certificate, click the View Certificate hyperlink at the bottom of the
window. The Certificate Information window displays.
When the window appears, it displays the list of configured customization profiles.
Note: Email Gateway currently supports only UTF-8 encoding for HTML files. Since ASCII is a subset of UTF-8, it is
supported as well. If the user edits the customized HTML in any editor, and especially if a symbol (trademark,
copyright, and so forth) is inserted, the encoding must be in UTF-8.
3 Click Submit. The window will refresh to display the full customization options.
3 Click Download Default Resource. Depending on your browser, a save window appears.
5 Open the css file, edit it to suit your needs, then save it.
6 Return to the Customize window and, from the Browse field, navigate to your edited css file and select it.
7 Click Submit. Your file will be renamed and then be used by the system.
Note: Some browsers may have difficulty displaying the uploaded css file in the preview window. If you
experience this event, clear your browser cache (recommended) or click the css filename again.
The Mail-IPS (Intrusion Protection System) program area provides a variety of tools designed to detect
network attacks against the email gateway, as well as a tool to test for weaknesses or vulnerabilities in
specific internal mail servers. Email Gateway will automatically generate alerts for certain types of network
attacks, notifying administrators immediately by email, pager, or SNMP that an event has occurred. For all
attack events, Email Gateway will log their occurrence so they can be viewed in the Email Gateway log files
and daily reports, and in the Email Gateway Dashboard. Administrators, therefore, should configure the
Email Gateway Alert Manager (go to Reporting | Alert Manager) to send to them alerts that the Mail-IPS
services generate. And administrators should routinely monitor the Email Gateway Dashboard and Mail-IPS
Report throughout each day.
The Denial of Service Protection table lists a summary of all DoS attacks recorded since the Email Gateway
cleanup process last deleted the DoS data; each time this page is refreshed, the data is updated with the most
recent attacks. The information here can also be viewed in the daily Mail-IPS Report created at
approximately midnight each day. Note, however, that while the Email Gateway Denial of Service window can
show several days’ (or more) worth of information, the daily Mail-IPS report will only show 24 hours’ worth
of data.
Do not confuse the Denial of Service threshold with the SMTPProxy, POP3 and IMAP4 load-throttling
thresholds. The DoS threshold occurs at the Network layer, while load throttling occurs at the Application
level.
Note: When an IP address is placed on the Email Gateway Allow Relay list, it will not be evaluated for Denial of
Service attacks. This might be a potential liability.
Password strength
If Password Strength Monitor is enabled, passwords are analyzed as Email Gateway POP3 and IMAP4
Services proxy username and password to the internal mail server. Email Gateway does not store or save
the password to disk—rather, it analyzes the text strings in memory “on the fly.” Email Gateway uses an
algorithm that tests each password’s relative strength, displaying its results in the Password Strength
Monitor table on this page. The table shows a cumulative summary of all passwords checked since the last
Email Gateway cleanup deleted old data. The data on this page is updated each time the page is refreshed.
Figure 234 Password Strength window
Using the data fields at the bottom of the window, you can add new words by entering the text string and
clicking Submit, or import lists.
Password cracking
If Password Failure Monitor is enabled, Email Gateway will log every instance that a failed log on threshold
has been reached (administrators establish the threshold with Password Failure Count and Password Failure
Interval parameters). Additionally, if the number of failed log on attempts reaches the threshold, Email
Gateway can generate an email, pager, or SNMP alert to the administrator. This on-window display of
Password Cracking lists a cumulative summary of threshold-level failed log-ons since the last Email Gateway
cleanup deleted old data; the data is updated each time this page is refreshed. The daily Mail-IPS Report on
Password Cracking begins anew each day at midnight, and displays only the previous 24 hours worth of
data.
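The Password Failure Count and Password Failure Interval pair above amounts to a sliding-window counter per user and client address. As an added example (not Email Gateway code), the monitor below replays constructed POP3 proxy log lines and records each time the count of failures inside the interval reaches the threshold; the log format and the user/IP key are assumptions.

```python
"""Sliding-window failed-logon threshold, modelled on the Password Failure
Count / Password Failure Interval parameters. Added example, not Email
Gateway code; log lines and their format are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple


class PasswordFailureMonitor:
    def __init__(self, failure_count: int, failure_interval_seconds: int):
        self.count = failure_count
        self.interval = timedelta(seconds=failure_interval_seconds)
        self._window = defaultdict(deque)   # key -> timestamps of recent failures
        self.threshold_events: List[Tuple[str, str]] = []

    def record_failure(self, key: str, when: datetime) -> bool:
        """Record one failed logon for key (here "user@client-ip"). Returns True
        when this failure makes the count inside the interval reach the
        threshold; the window is then cleared so each burst is reported once,
        which is where an email, pager or SNMP alert would be raised."""
        window = self._window[key]
        window.append(when)
        while window and when - window[0] > self.interval:
            window.popleft()           # drop failures older than the interval
        if len(window) >= self.count:
            self.threshold_events.append((key, when.isoformat()))
            window.clear()
            return True
        return False


# Constructed log lines: ISO timestamp, user, client IP, result.
SAMPLE_LOG = [
    "2009-05-01T08:00:00 alice 192.0.2.10 FAIL",
    "2009-05-01T08:00:10 alice 192.0.2.10 FAIL",
    "2009-05-01T08:00:20 bob 192.0.2.11 FAIL",
    "2009-05-01T08:00:30 alice 192.0.2.10 FAIL",
    "2009-05-01T08:01:00 bob 192.0.2.11 OK",
    "2009-05-01T08:05:00 carol 192.0.2.12 FAIL",
    "2009-05-01T08:10:00 carol 192.0.2.12 FAIL",
    "2009-05-01T08:15:00 carol 192.0.2.12 FAIL",
]


def replay(lines, failure_count: int, failure_interval_seconds: int):
    """Feed every FAIL line to a monitor and return the threshold events."""
    monitor = PasswordFailureMonitor(failure_count, failure_interval_seconds)
    for line in lines:
        stamp, user, ip, result = line.split()
        if result == "FAIL":
            monitor.record_failure(f"{user}@{ip}", datetime.fromisoformat(stamp))
    return monitor.threshold_events


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, failure_count=3, failure_interval_seconds=60))
```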
When the information is correctly entered, click Submit to save the configuration.
Integrity check
Email Gateway is foremost an appliance to protect the internal mail servers sitting behind it. An integral
component of its security, however, is ensuring that it (that is, Email Gateway) has not been compromised
by an attacker. The Program Monitor and File Monitor services, therefore, check the Email Gateway
program files and file system in order to detect whether an attempt has been made to alter code in
any of its files, to insert Trojan horses, or to delete important system files. The first
time Email Gateway restarts after the Initial Configuration Wizard is run, its Program Monitor and File
Monitor test the system in order to build an initial database of the Email Gateway file set and file system.
Thereafter, these two services run nightly, immediately before the Mail-IPS log is generated. Administrators
can also run the checks “on demand” at any time by clicking Check System in the Integrity - Check
System window.
Figure 238 Integrity - Check System window
Program integrity
Every night, at approximately midnight, Email Gateway examines every executable file within its scope to
verify that none has been altered. The Program Integrity page displays how many files were scanned
and the number of files that failed the test (that is, files that now differ from their original version).
After you click Check System, Email Gateway will check, approximately every 10 seconds, to determine if
Program Integrity Monitor has finished its tests. Then it will refresh the page with the results. If Program
Integrity Monitor ever reports that a single file failed, contact McAfee Technical Support immediately.
Approximately every 10 seconds, Email Gateway will check if Filesystem Integrity Monitor has finished its
tests, and then refresh the page with the results. If Filesystem Integrity Monitor ever reports that a single
file failed, contact McAfee Technical Support immediately.
The information available here can also be viewed in the Email Gateway Dashboard and the Mail-IPS Report
that is created daily.
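The baseline-then-compare check that the Program Monitor and File Monitor perform can be illustrated with a small file integrity monitor. The following is an added example and not Email Gateway code: it hashes every regular file under a directory into a baseline (stored as JSON, standing in for the appliance's own database), then re-scans and classifies files as modified, added, or deleted. The directory layout, file names and file contents in `demo()` are constructed for the demonstration.

```python
"""Added example (not Email Gateway code): a minimal file-integrity baseline and
comparison in the spirit of the Program Monitor and File Monitor. All paths, file
names and contents used in demo() are constructed for this demonstration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record relative path -> (sha256, size, mode) for every regular file under root.
    Permission bits are included because a mode change on an executable matters
    as much as a content change. Symlinks are skipped rather than followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity report would: modified (content,
    size or mode differs), added (not in the baseline) and deleted (no longer present)."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return {
        "modified": modified,
        "added": added,
        "deleted": deleted,
        "scanned": len(current),
        "differences": len(modified) + len(added) + len(deleted),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "appliance"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "smtpi").write_bytes(b"\x7fELF original smtpi")
        (root / "bin" / "smtpo").write_bytes(b"\x7fELF original smtpo")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "integrity.json"
        save_baseline(build_baseline(root), baseline_file)

        # Changes made after the baseline was taken:
        (root / "bin" / "smtpi").write_bytes(b"\x7fELF patched smtpi")   # altered program
        (root / "bin" / "helper").write_bytes(b"\x7fELF unexpected")      # inserted file
        (root / "etc" / "hosts").unlink()                                 # deleted system file

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline itself is the weak point of any such check: if it is writable by the same account that could alter the monitored files, a tamperer can simply refresh it. Keep it on read-only or separate storage and treat a single unexplained difference as a reason to investigate, as the text above advises.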
• Allows a single Email Gateway appliance to segment the mail flow for different Virtual Host IP addresses.
• Permits the creation of distinct email policies and spam policies for specific domains.
Virtual IP addresses and Virtual Hosts enhance the configurability of protection for your network.
Note: You will need to configure IP addresses under the Email Gateway System tab (System | Configuration |
IP Addresses), and domains under the IntrusionDefender tab (IntrusionDefender | Mail Routing | Domain
Based). At least one IP address and one domain will be required.
General guidelines
There are a few basic guidelines you will need to remember as you configure Virtual Hosts:
• A Virtual Host can be assigned one or more domains.
• A domain can be assigned to more than one Virtual Host only under certain circumstances (see “Adding
a Virtual Host: Configuring Domains” later in this chapter).
• The SuperAdministrator (admin account) has complete and total access to all areas of the Email Gateway
appliance, including the ability to create and manage user accounts and assign permissions.
• An Appliance Administrator has assigned permissions for all domains and Virtual Hosts on the Email
Gateway appliance. Appliance Administrators might or might not be given permission to create and
manage user accounts.
• Virtual Host administrators have their assigned access rights and privileges for only those Virtual Hosts
they have been assigned. They might or might not have user creation rights for those Virtual Hosts.
A Virtual Host is an administrator-defined entity that allows grouping of domains to satisfy the needs
mentioned above. It is a collection of domains (one or more) that permits the Email Gateway customer to:
• Allow administrators to manage rules and quarantine queues for certain domains; and,
There are two types of Virtual Hosts: listeners, and non-listeners. The type of Virtual Host you create is
determined by a checkbox on the Add New window for Virtual Hosts.
A Listener is a Virtual Host that listens for email traffic on the specific IP addresses assigned to that Virtual
Host. As a result, the Listener handles mail for the domains in that Virtual Host through those IPs.
Additionally, a Listener can be configured to listen for inbound email traffic, outbound traffic, or both, based
upon your selection from the “Type” drop-down list on the window.
A Non-Listener is a Virtual Host that listens for traffic on the Email Gateway appliance’s default IP
addresses to handle mail destined for the domains within the Virtual Host, but not routed through specific
IP addresses. The Non-Listener configuration allows assigned administrators to manage specific Virtual
Host domains, but without having to segment the mail flow.
Clicking the ID or Name hyperlink for any existing Virtual Host will expand the window to allow you to select
an existing component of that Virtual Host. The associated window will appear, allowing you to review or
edit that component’s configuration. More information about each of the components is presented in
Configuring Virtual Hosts, below.
The screen shot above shows the expanded information for a fully configured Virtual Host. Since it is
possible to configure a Virtual Host in more than one Web Administration session, only those portions of the
configuration that have been completed will be available for viewing and editing from the expanded data.
Furthermore, Virtual Hosts that are not configured as listeners will only show the Domains link.
Note: You cannot enable a Virtual Host until configuration is complete.
Prerequisites
Before you can complete the configuration of a Virtual Host, you must have at least one available
(unassigned) IP address configured. This configuration is done in System | Configuration | IP Addresses.
You will also need to have configured at least one domain that can be assigned to the Virtual Host. You can
add domains at IntrusionDefender | Mail Routing | Domain Based | Add New.
IP addresses
Each Listener Virtual Host has either two or four IP address interfaces, depending upon the Listener Type
you selected. Listeners for either inbound or outbound messages will have two interfaces; Listeners for both
inbound and outbound will have four. You can select the IP address for each interface from the drop-down
lists.
The interfaces are:
• Inbound SMTPI – this is the SMTP Proxy interface for inbound mail from the Internet.
• Inbound SMTPO – the SMTPO interface delivers inbound mail to the internal mail servers.
• Outbound SMTPI – this interface is the SMTP Proxy for outbound mail from the internal servers.
You can use a unique IP address for each interface if you so desire, but that isn’t necessary. You can use
one IP address for up to all four interfaces on the same Virtual Host.
Under certain circumstances, you can also use the same IP addresses for different Virtual Hosts. An IP
address can be used by more than one Virtual Host as long as it is not used for the same purpose on each.
For example, you can have a Virtual Host listening only for inbound traffic and another one listening only
for outbound traffic; those two Virtual Hosts could share the same IP address, since the IP is not used for
the same purpose in both Virtual Hosts. The Sample Scenarios table below might help explain how this works.
Note: The table does not represent all possible configurations; it just provides a few examples.
Domains
The ability to assign the same domain to more than one Virtual Host depends upon how your Virtual Hosts
are configured. If you have a Virtual Host set to listen for inbound messages only, then the domains in that
Virtual Host are available to be included in another Virtual Host that listens for outbound traffic only.
However, if you included a domain in a Virtual Host that listens for both inbound and outbound messages,
that domain will not be available for inclusion in any other Virtual Host.
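The IP-sharing rule above and the domain-sharing rule in this section can be checked mechanically before a configuration is committed. The following validator is an added example, not Email Gateway code: the `VirtualHost` structure, the interface role names, and the sample configurations are constructed. The page names three of a "both" listener's four interfaces; the fourth is assumed here to be the outbound SMTPO interface. The page does not say whether a non-listener may share a domain with a listener, so the check conservatively reports that case too.

```python
"""Added example (not Email Gateway code): a validator for the Virtual Host IP-sharing
and domain-sharing rules. Structures, role names and sample hosts are constructed;
'outbound_smtpo' is an assumed name for the fourth listener interface."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Interface roles a listener must assign an IP address to, by listener type.
INTERFACE_ROLES = {
    "inbound": ["inbound_smtpi", "inbound_smtpo"],
    "outbound": ["outbound_smtpi", "outbound_smtpo"],
    "both": ["inbound_smtpi", "inbound_smtpo", "outbound_smtpi", "outbound_smtpo"],
}


@dataclass
class VirtualHost:
    name: str
    domains: List[str]
    listener_type: Optional[str] = None   # "inbound", "outbound", "both"; None = non-listener
    interfaces: Dict[str, str] = field(default_factory=dict)   # role -> IP address


def validate(hosts: List[VirtualHost]) -> List[str]:
    """Return the rule violations found (empty when the configuration is consistent)."""
    problems: List[str] = []

    # Rule 1: every listener role needs an IP, and an IP may be reused across
    # Virtual Hosts only when it serves a different role (purpose) on each.
    role_owner: Dict[Tuple[str, str], str] = {}
    for vh in hosts:
        if vh.listener_type is None:
            continue                       # non-listeners use the appliance's default IPs
        for role in INTERFACE_ROLES[vh.listener_type]:
            if role not in vh.interfaces:
                problems.append(f"{vh.name}: no IP address assigned to {role}")
        for role, ip in vh.interfaces.items():
            owner = role_owner.setdefault((ip, role), vh.name)
            if owner != vh.name:
                problems.append(f"{vh.name}: {ip} already serves {role} on {owner}")

    # Rule 2: a domain may be held by two Virtual Hosts only when one is an
    # inbound-only listener and the other an outbound-only listener. A domain in a
    # "both" listener is exclusive; non-listener sharing is flagged conservatively.
    holders: Dict[str, List[VirtualHost]] = defaultdict(list)
    for vh in hosts:
        for domain in vh.domains:
            holders[domain].append(vh)
    for domain, vhs in holders.items():
        if len(vhs) == 1:
            continue
        types = sorted((vh.listener_type or "non-listener") for vh in vhs)
        if types != ["inbound", "outbound"]:
            names = ", ".join(vh.name for vh in vhs)
            problems.append(f"domain {domain} shared by {names} ({'/'.join(types)})")
    return problems


# Constructed configurations (RFC 5737 documentation addresses).
VALID_CONFIG = [
    VirtualHost("vh-in", ["example.com"], "inbound",
                {"inbound_smtpi": "192.0.2.10", "inbound_smtpo": "192.0.2.10"}),
    VirtualHost("vh-out", ["example.com"], "outbound",     # same IP, different purposes
                {"outbound_smtpi": "192.0.2.10", "outbound_smtpo": "192.0.2.10"}),
    VirtualHost("vh-nl", ["example.org"]),                  # non-listener
]

INVALID_CONFIG = [
    VirtualHost("vh-a", ["example.com"], "both",
                {"inbound_smtpi": "192.0.2.20", "inbound_smtpo": "192.0.2.20",
                 "outbound_smtpi": "192.0.2.20", "outbound_smtpo": "192.0.2.20"}),
    VirtualHost("vh-b", ["example.com", "example.net"], "inbound",
                {"inbound_smtpi": "192.0.2.20"}),   # same IP for the same role; SMTPO missing
]

if __name__ == "__main__":
    for label, cfg in (("valid", VALID_CONFIG), ("invalid", INVALID_CONFIG)):
        print(label, validate(cfg) or "ok")
```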
Complete the necessary information and select at least one available domain for this Virtual Host. Select
the domain in the Available list, and use the right-pointing arrow to move it to the Selected list. The double
arrows will assign all available domains to this Virtual Host. The left-pointing arrows will allow you to
remove one or more domains from the Virtual Host, placing them back on the Available list.
When this window is complete, click Next. The Internal Servers - Configure window will display.
If you are configuring a Virtual Host that is not to be configured as a listener, the button to the lower right
of the window will read Finish. When you click this button, the window will display the Virtual Hosts -
Manage window again, and your new Virtual Host will be included. Non-listener Virtual Hosts require no
further configuration.
If you are adding a server’s IP address, click Submit. The IP will appear in your list.
When you have entered the desired IP Addresses, click Next.
Note: You can save the configuration that has been done so far and exit the configuration process by clicking the
Finish button wherever it is available.
Configuring SMTPI
This window allows you to view the properties for incoming mail for this Virtual Host, and to edit them. The
parameters are collected into logical groupings on the window.
Figure 242 SMTPI Service Configuration window
When SMTPI configuration is complete, click Next. The SMTPO Service Configuration window will display.
Configuring SMTPO
This window allows you to view and edit the properties for outbound mail for this Virtual Host.
Figure 243 SMTPO Service Configuration window
When SMTPO configuration is complete, click Next. The Allow Relay - Configure window will display.
When Allow Relay configuration is complete, click Submit. The window will update. When you are finished
adding subnets, click Next. The Local Deny List - Configure window will appear.
When Deny List configuration is complete, click Submit. The window will refresh. When you have finished
adding subnets, click Finish. You will be returned to the Virtual Hosts - Manage window, where the new
Virtual Host will now appear.
Should you wish to edit the new Virtual Host, click the ID link or the Name link to expand the entry. Then
you can click any of the newly displayed hyperlinks to navigate to the appropriate window.
The Virtual Host can be enabled, if it is not already enabled, by selecting the Enable checkbox. An existing
Virtual Host can also be disabled by deselecting this option, with no loss of configuration data.
Configuration of your new Virtual Host is now complete. The Virtual Host is ready for use.
Select the necessary fallback Virtual Hosts, then click Submit. The Virtual Hosts - Manage window will
refresh, indicating that the Virtual Host is scheduled for deletion.
The actual deletion will occur when all existing email messages that are being processed by the Virtual
Host are finished. Then the Cleanup operation will delete the designated Virtual Host. All domains that were
assigned to that Virtual Host are now assigned to the Virtual Host you designated as the fallback; however,
that Virtual Host is no longer classified as a fallback, and is viewed as a normal Virtual Host with the
additional domains assigned to it. The fallback status is active only until the scheduled Virtual Host is
actually deleted.
Rules to remember
When you wish to delete a Virtual Host, there are a few essential rules you will need to remember.
1 Whenever you delete a listener Virtual Host, you must select a fallback Virtual Host to which mail traffic
will go when the deleted Virtual Host is gone. If no other Virtual Host is available or if you fail to select
one, the Default Virtual Host will be the fallback.
2 When a Virtual Host becomes the fallback for another, the fallback Virtual Host cannot be deleted
(scheduled for deletion) until all the mail traffic has been cleared from the original (deleted) Virtual Host
and that Virtual Host is actually deleted.
3 You cannot change the network configuration of any Virtual Host while it is in fallback status; other editing
is possible.
4 When the originally deleted Virtual Host has been removed, the fallback Virtual Host becomes a regular
Virtual Host again, and is subject to deletion, editing, and so forth.
Applying rules
How an administrator creates policies depends upon the type of administrator they are (for
more information about the types of administrators, see Virtual Host administration in this chapter). The
SuperAdministrator and the Appliance Administrators create policy the same way: they see an Add New
window.
Figure 247 Image Analysis - Add Apply Rules window - appliance administrator view
These appliance level administrators automatically log onto the Default Virtual Host, which always exists,
when they sign onto Email Gateway. The Add New window, by default, allows them to create policy for that
Virtual Host. They also have one other option from this window. They can select the checkbox for Apply to
All Virtual Hosts. If they do that, the policies they create will apply to every Virtual Host on the appliance.
The policy options from the default login are for the Default Virtual Host only, or for all Virtual Hosts.
To log out, the appliance level administrator clicks the Logout Default Virtual Host link at the top of the
Email Gateway window. You do not immediately leave Email Gateway. Instead, a window appears that will
allow you to select a specific Virtual Host.
From this window, the appliance level administrator can select an individual Virtual Host for which policies
can be applied. When a Virtual Host administrator logs into Email Gateway, this is the first window
presented. Only those Virtual Hosts for which they have permissions will appear. The Add New window the
Virtual Host administrator sees does not show the Apply to All Virtual Hosts option.
The Virtual Host administrator can only create policy for the Virtual Hosts assigned, and must do so one
Virtual Host at a time. The Add New window displayed for the Virtual Host administrator has no option for
applying policy to all Virtual Hosts.
Appliance level administrators can apply rules to individual Virtual Hosts, as well. They follow the same
process as the Virtual Host administrators.
Note: If the Email Gateway appliance is configured to be managed by a Control Center, the rules and policies
pushed by the Control Center can take precedence and overwrite rules applied locally on the Email Gateway itself.
• Define domains by assigning them to Virtual Hosts, and assigning Virtual Host administrators to the
Virtual Hosts.
• Permits Virtual Host administrators to create Virtual Host-specific rules and policies, applicable only to the
assigned Virtual Hosts.
Enterprises can use this functionality to provide more granular control of their networks.
You will first need to configure IP addresses under the System tab and Virtual Hosts under the
IntrusionDefender tab. Then you can configure the user accounts for Appliance Administrators and Virtual
Host administrators under the Administration tab, using the original admin access (SuperAdministrator).
For creating the user accounts for the new administrator, you have two options regarding the type of
administrator being created. The new user can be an Appliance Administrator, who will have whatever
rights are granted across ALL Virtual Hosts and domains on the Email Gateway appliance. Or the new user
can be created as a Virtual Host administrator, who will have whatever rights are granted only for those
Virtual Hosts that are assigned. Either option allows the SuperAdministrator to delegate some of the
administrative workload.
If the new administrator is to be an Appliance Administrator, the User Account - Create window will not
include Virtual Host information. The roles assigned are propagated through all Virtual Hosts.
In this case, the creating administrator can assign full access rights or read-only rights to the new
administrator for any or all the Roles listed on the window. If User Creation Rights are granted, the
Appliance Administrator can create new users for any domain or Virtual Host on the appliance and enable
any roles the creating administrator is allowed.
When the configuration is complete, the creating administrator clicks Add New. The new Appliance
Administrator is added to the User Accounts - Manage window.
If the new administrator is to be a Virtual Host administrator (the Appliance Admin checkbox is not
selected), the User Accounts - Create window will include the Virtual Hosts information, as shown below.
The two tables at the bottom of the window show all Virtual Hosts that are available to be assigned to the
Virtual Host administrator, and any that have already been selected for assignment. The arrows between
the lists permit moving Virtual Hosts.
Note: The Virtual Host administrator will only be able to access, manage and configure the specific Virtual Hosts
assigned. Other Virtual Hosts will not be visible.
When the configuration for the Virtual Host administrator is entered properly, the creating administrator
clicks Add New. The new administrator is added to the User Accounts - Manage window.
After making the selection, click Submit. Then specify the server preference to be configured.
After DNS Hijack Protection is enabled, a snapshot of the MX and A records and IP address on the DNS
server for each domain Email Gateway proxies must be captured. Email Gateway will store this information
in its own database and use it to compare the current MX and A records when it checks the DNS server at
the user-defined interval. The DNS Hijack Protection page offers the following options:
Click Get Snapshot to query the DNS server(s) and write the MX and A record information to the Email
Gateway database. Within a few moments the MX information for each domain Email Gateway hosts is
displayed. Email Gateway will now monitor each domain listed in this table for possible DNS Hijacking. If for
any reason it is decided that Email Gateway should stop monitoring the MX information for a domain, select
its Delete checkbox and click Submit.
If the MX and A record of a mail server ever change for a valid reason, remember to update the Email
Gateway database by taking a new snapshot of the DNS records.
Click Submit when done.
If at some future time Email Gateway is configured to host additional mail servers (added in
IntrusionDefender | Mail Routing | Domain-based), return to this page in order to capture a fresh
snapshot of the new mail servers’ MX and A records. When doing so, Email Gateway will re-introduce into
this table MX and A record information for domains that might have been previously deleted. If a domain
was previously removed from DNS Hijack Protection, remember to delete it once again after the new
snapshot is taken.
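The snapshot-then-compare logic that DNS Hijack Protection applies can be shown in a few functions. This is an added example, not Email Gateway code: a live implementation would query the configured DNS server, whereas here the resolver functions read from constructed lookup tables so the example runs offline. The domain names are documentation names and the addresses come from the RFC 5737 documentation ranges; the JSON round-trip stands in for the appliance's own database.

```python
"""Added example (not Email Gateway code): snapshot the MX and A records for proxied
domains, then re-resolve and report any record that differs. Zone data is constructed."""
import json


def take_snapshot(domains, resolve_mx, resolve_a):
    """For each domain, store its MX records (as 'preference host' strings) and the
    A records of every MX host. Everything is sorted so a reordered DNS answer is
    not mistaken for a change."""
    snapshot = {}
    for domain in domains:
        mx = sorted(resolve_mx(domain))                  # [(preference, host), ...]
        snapshot[domain] = {
            "mx": [f"{pref} {host}" for pref, host in mx],
            "a": {host: sorted(resolve_a(host)) for _pref, host in mx},
        }
    return snapshot


def check_snapshot(snapshot, resolve_mx, resolve_a):
    """Re-resolve every monitored domain and return one finding per MX or A record
    that no longer matches the stored snapshot."""
    findings = []
    for domain, stored in snapshot.items():
        live_mx = [f"{pref} {host}" for pref, host in sorted(resolve_mx(domain))]
        if live_mx != stored["mx"]:
            findings.append({"domain": domain, "record": "MX",
                             "expected": stored["mx"], "observed": live_mx})
        for host, expected_ips in stored["a"].items():
            live_ips = sorted(resolve_a(host))
            if live_ips != expected_ips:
                findings.append({"domain": domain, "record": "A", "host": host,
                                 "expected": expected_ips, "observed": live_ips})
    return findings


# Constructed view of DNS when the snapshot is taken.
BASELINE_ZONE = {
    "mx": {"example.com": [(20, "mx2.example.com"), (10, "mx1.example.com")],
           "example.org": [(10, "mail.example.org")]},
    "a": {"mx1.example.com": ["192.0.2.10"], "mx2.example.com": ["192.0.2.11"],
          "mail.example.org": ["198.51.100.5"]},
}
# Constructed view after two unexpected changes: example.com's primary MX now names
# a look-alike host, and mail.example.org keeps its name but resolves elsewhere.
CHANGED_ZONE = {
    "mx": {"example.com": [(10, "mx-lookalike.example"), (20, "mx2.example.com")],
           "example.org": [(10, "mail.example.org")]},
    "a": {"mx1.example.com": ["192.0.2.10"], "mx2.example.com": ["192.0.2.11"],
          "mx-lookalike.example": ["203.0.113.66"], "mail.example.org": ["203.0.113.7"]},
}


def resolvers_for(zone):
    """Offline stand-ins for MX and A lookups against one DNS view."""
    return (lambda domain: zone["mx"][domain], lambda host: zone["a"].get(host, []))


def demo():
    resolve_mx, resolve_a = resolvers_for(BASELINE_ZONE)
    snapshot = take_snapshot(["example.com", "example.org"], resolve_mx, resolve_a)
    stored = json.loads(json.dumps(snapshot))        # persisted form, as a database would hold it
    assert check_snapshot(stored, resolve_mx, resolve_a) == []   # unchanged zone: nothing to report
    return check_snapshot(stored, *resolvers_for(CHANGED_ZONE))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Checking the A records of each MX host, not just the MX names, is what catches the second case above: the MX entry still reads `10 mail.example.org`, so a comparison of MX names alone would stay silent while mail is delivered to a different address. The same reasoning applies to the note in the text about retaking the snapshot after a legitimate server move: the check cannot distinguish a planned change from a hijack, so the stored snapshot must be refreshed deliberately.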
The heuristic is based on thresholds where time, frequency, and email characteristics converge. That is, if a
specified number of emails with the defined characteristic(s) enter the network within the designated
window of time, ADE can create a rule that takes an action on all future messages with that characteristic,
or send an email notification to the administrator.
Anomaly Detection is an historical, not a real-time, analysis of events—it does not process messages like
Email Gateway Queue Services. That is, at an administrator-defined interval, it looks in the Email Gateway
database that stores information about all the email it processed since it last ran its check. If a threshold
was reached during the previous period of time, Email Gateway will either generate an alert message or
create a rule, depending on the ADE’s configuration.
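Both the Password Failure Monitor described earlier in this chapter (Password Failure Count within a Password Failure Interval) and the Anomaly Detection Engine described here (Threshold Value within a Detection Period) apply the same heuristic: count events that share a characteristic inside a time window and act when the count reaches the threshold. The following added example, not Email Gateway code, implements that window once and applies it to both cases. The log line format, the mail event records, the field names and every value are constructed for the demonstration.

```python
"""Added example (not Email Gateway code): the count-within-interval heuristic shared by
the Password Failure Monitor and the Anomaly Detection Engine. Log format, event
records and all values are constructed."""
from collections import defaultdict, deque
from datetime import datetime

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed format for the constructed data


def threshold_hits(events, key_fn, interval_seconds, threshold):
    """events: (datetime, payload) pairs in time order. Whenever `threshold` events
    sharing key_fn(payload) fall inside a window of `interval_seconds`, one hit
    (key, timestamp) is recorded and the count for that key restarts, so each full
    burst is logged as one instance rather than once per extra event."""
    recent = defaultdict(deque)
    hits = []
    for ts, payload in events:
        key = key_fn(payload)
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > interval_seconds:
            window.popleft()                 # age out events older than the interval
        if len(window) >= threshold:
            hits.append((key, ts))
            window.clear()
    return hits


# --- Password Failure Monitor: failed logons per account (constructed log) ----------
AUTH_LOG = """\
2009-03-02 10:00:01 auth failure user=admin src=192.0.2.10
2009-03-02 10:00:04 auth failure user=admin src=192.0.2.10
2009-03-02 10:00:09 auth failure user=admin src=192.0.2.10
2009-03-02 10:00:15 auth failure user=operator src=192.0.2.44
2009-03-02 10:09:59 auth failure user=operator src=192.0.2.44
2009-03-02 10:20:30 auth failure user=operator src=192.0.2.44
2009-03-02 10:20:31 auth success user=operator src=192.0.2.44
"""


def parse_auth_log(text):
    """Keep failure lines only; turn the 'key=value' tokens into a dict."""
    events = []
    for line in text.splitlines():
        if " auth failure " not in line:
            continue
        stamp, rest = line[:19], line[20:]
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        events.append((datetime.strptime(stamp, TIMESTAMP_FORMAT), fields))
    return events


def password_failure_hits(log_text, failure_count=3, failure_interval_seconds=300):
    """Accounts whose failed logons reached failure_count inside the interval."""
    return threshold_hits(parse_auth_log(log_text), lambda f: f["user"],
                          failure_interval_seconds, failure_count)


# --- Anomaly Detection Engine: messages sharing a characteristic (constructed) ----
MAIL_EVENTS = [   # (received, characteristics) as ADE would read them from the database
    ("2009-03-02 11:00:00", {"sender_domain": "example.net", "attachment": ".exe"}),
    ("2009-03-02 11:01:00", {"sender_domain": "example.org", "attachment": ".pdf"}),
    ("2009-03-02 11:02:00", {"sender_domain": "example.net", "attachment": ".exe"}),
    ("2009-03-02 11:04:00", {"sender_domain": "example.com", "attachment": ".exe"}),
    ("2009-03-02 11:05:00", {"sender_domain": "example.org", "attachment": ".pdf"}),
    ("2009-03-02 11:08:00", {"sender_domain": "example.net", "attachment": ".exe"}),
]


def ade_hits(records, characteristic, threshold_value, detection_period_seconds):
    """Characteristic values seen threshold_value times within the detection period."""
    events = [(datetime.strptime(ts, TIMESTAMP_FORMAT), c) for ts, c in records]
    return threshold_hits(events, lambda c: c[characteristic],
                          detection_period_seconds, threshold_value)


if __name__ == "__main__":
    print("password failures:", password_failure_hits(AUTH_LOG))
    print("ADE attachment:", ade_hits(MAIL_EVENTS, "attachment", 4, 600))
    print("ADE sender domain:", ade_hits(MAIL_EVENTS, "sender_domain", 3, 600))
```

In the constructed log, `admin` fails three times in eight seconds and is reported, while `operator` fails three times spread over twenty minutes and is not: the interval, not only the count, decides. Note the difference in timing the text draws: the logon check runs as events arrive, whereas the ADE runs at its own interval over the database of events since its last run, so it would call `threshold_hits` over that batch rather than per message.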
Clicking the service name hyperlink opens the Anomaly Detection Engine Configuration window. The only
configuration possible on this window is setting the log level to determine how much detail will be entered
into the logs when anomalies are detected.
Figure 251 Anomaly Detection Engine Configuration window
Create an anomaly detection query by selecting a type of email event’s checkbox and entering values for
Detection Period and Threshold Value.
Note: If more than one email event is selected, Email Gateway can only generate an alert—actions are not
allowed when an ADE rule is based on multiple events.
When you have completed the configuration data, click Submit. The window will refresh to acknowledge
your addition.
Your new rule will appear in the Anomaly Detection - View Rules list.
Reporting
About reporting
Email Gateway reporting and monitoring tools are what make Email Gateway such a robust and usable
appliance. Through its logs, administrators can determine exactly which Email Gateway processes
examined a message—indeed, whether or not Email Gateway even received the message. When an Email
Gateway policy acts upon a message, the reports and logs will describe exactly what condition of the policy
caused Email Gateway to act.
In addition to reporting on Email Gateway internal message-processing, this program area also contains
Health Monitor — a subsystem that examines all other core application subsystems, as well as hardware, to
ensure that the appliance is operating as designed. And on the belief that Email Gateway cannot truly
protect an enterprise’s email system if the appliance, itself, is vulnerable, an Alert Manager can be
configured to generate email, pager, or SNMP trap alerts to the administrator whenever Health Monitor
detects that Email Gateway is not performing as designed.
The report lists are scrollable, allowing you to see a complete listing of all Email Gateway reports. Clicking
any report hyperlink reveals details.
The reports are divided into two groups, based on their format. Both PDF and HTML reports are available.
You can select reports of either type and view them, or transfer them to file locations of your own choosing
using the buttons on each window. Samples of both report formats are shown below.
Viewing reports
Some detail screens offer lists of reports that can be viewed or downloaded. This is specifically true of the
HTML report screens.
Figure 255 Reports window, selecting an HTML report
When you select a specific report, listed by date, and click the View hyperlink, the report for that date will
display. Some detail screens, particularly among the PDF reports, present graphic information.
If you would like to change the time period that is represented by the report, click the Select Interval
button at the top of the window. Fields will appear that allow you to specify a new date range, then get that
report.
When you click Get Report, the report window refreshes. You can view the report you requested, using the
new interval, by clicking the View link.
Note: When you view reports like the Overall Compliance Summary Report, where both summary and detailed
action information displays, the total message count for all messages processed (summary) might not match the
total for messages processed by each queue (detailed). One message can trigger action in more than one queue,
which shows in the detailed report.
Selecting “Enable Global Archive” reveals a drop-down list showing available targets.
If you have selected a new target or set a target for deletion, click Submit to record your selection.
When the configuration parameters are complete, click Submit. The Message Archive Target - Manage
window will refresh to add your new target.
Global archiving
If Global Archive is enabled on the Message Archive Target - Manage window, Email Gateway will save a
copy of all inbound and outbound messages to disk. At the frequency specified for the Archive Target
selected for global archiving, it will create a zipped file of all the messages processed since the last archival
interval. Email Gateway can then transfer them via SCP or FTP to a destination server.
About alerts
Email Gateway continuously monitors its core subsystems, as well as its ability to communicate with
internal mail servers. If any part of Email Gateway functionality fails to perform as designed, Email
Gateway will generate an alert. The alerts, by themselves, don’t do anything. Rather, the Alert
Manager—which processes all Email Gateway-generated alerts—must be configured to send them to an
administrator.
Email Gateway alert management is configured on the basis of two categories of information:
• Email Gateway subsystems: The Email Gateway application is comprised of core subsystems. Each one
is designed to generate alerts when anomalous conditions are experienced. Administrators will create
logical groupings of these subsystems.
• Alert Levels: Email Gateway is designed to look for specific types of problems—such as a subsystem
stopping unexpectedly, or restarting after it was stopped. There are a finite number of anomalies that
Email Gateway can report on (see Appendix A). Each anomaly can be assigned one of seven alert levels
according to the degree of criticality of the problem.
Email Gateway administrators will create an alert mechanism (email, pager, SNMP trap) for any or all of the
alert levels, for each grouping of subsystems they have created.
The possible alerts Email Gateway can send are as follows:
• Information: This alert is for information only. No problem exists. It reports, for example, that an SNMP
heartbeat has been sent.
• Notification: This alert is slightly more important than information. It reports information about an Email
Gateway process or service. For example, it reports that an anti-virus update has been received.
• Warning: A warning should get your attention. It implies that administrative action is warranted. For
example, Email Gateway generates a warning when a Denial of Service attack has been detected.
• Error: An error is serious. Email Gateway generates error messages when a single process is not
performing as intended. For example, it generates an error alert if it detects that Email Gateway Content
Analysis Queue stops processing messages.
• Critical: A critical alert is even more serious. Email Gateway generates this alert when an error affects
the entire appliance. It reports, for example, when Email Gateway cannot reach a DNS server.
By default, Email Gateway starts with one logical grouping, or class, of subsystems: Common. You can
create any logical grouping of services that serves your needs. Individual services or subsystems can be
moved from one grouping or class to another, and classes can be deleted altogether. The purpose of
creating classes of subsystems is to be granular in terms of which alert notifications are received. When the
classes have been added, Alert Levels can be configured for them using the Alert Mechanism function.
If a subsystem is deleted from a group and not added to another, Email Gateway will automatically create
(or recreate) a class named Common and place the unassigned subsystem there. Alerts that might be
generated by a subsystem in the Common class are not delivered to an administrator unless an alert
mechanism for the Common class is created.
To add the new class, type the name for the class in the New Alert Class data field, then select from the
scrolling list one or more services to be included in the class. Click Add when the selection is finished. The
window will refresh. You can repeat the process until you have the set of classes necessary for your system.
When you have completed the desired changes, click Submit. The Alert Class - Manage window will
refresh, showing your new configuration.
You can delete an entire class from the list by checking Delete for all the services and clicking Submit. A
confirmation alert will appear; click OK to complete the deletion. All the services will go back to the default
(Common) class.
After the Alert Classes have been created, create the Alert Mechanism for each class to determine how
alerts will be delivered.
The Alert Mechanism - Manage page contains three pick lists allowing configuration of alert notifications,
and displays a table of all configured alerts.
Note: The Common Class will always control the generation of Alerts for sched functions and for license
expiration. These two services are not configurable and cannot be moved from Common. Therefore, if you want
to generate Alerts for sched or for license expiration, you must configure Alert Mechanisms for the Common
Class.
When you have entered the information, click Submit. The Alert Mechanism - Manage window will refresh
to add your new mechanism.
When the alert ID hyperlink in the Alert Viewer table is clicked, the message line on the window expands,
displaying information about the alert.
When the information has been properly entered, click Submit to implement the configuration.
Report descriptions
Email Gateway can produce the following reports, if configured to do so. The following tables show the
HTML reports and the PDF reports you can configure:
HTML reports
Table 260 Email Gateway HTML reports
Report Name: Description
Executive Report: Summarizes total messages inbound and outbound, plus blocked messages inbound and outbound, for the day, week, month, quarter and year. Useful in identifying trends.
Incoming Report: Provides totals and averages of inbound messages for one day, plus Top Ten statistics for key concepts.
Secure WebMail Report: Provides totals and averages, session counts, connection denials, and so forth, for WebMail Protection.
Mail IDS Report: Shows the results of Email Gateway intrusion monitoring and activity, password strength, denial of service protection, program and filesystem integrity, and so forth.
Policy Compliance Report – AV Keyword Blocking: Policy Compliance Report - AV Keyword Blocking.
Outgoing Report: Provides totals and averages of outbound messages for one day, plus “Top Ten” statistics for key concepts.
Policy Compliance Report – Detailed: Shows in detail every action that Email Gateway executed on any message because of an email policy.
Policy Compliance Report – GLBA: Shows in detail every action that Email Gateway executed because of an email policy configured to protect GLBA compliance.
Policy Compliance Report – HIPAA: Shows in detail every action that Email Gateway executed because of an email policy configured to protect HIPAA compliance.
Policy Compliance Report – SOX Financial: Shows in detail every action that Email Gateway executed because of an email policy configured to protect SOX-Financial compliance.
Policy Compliance Report – Summary and Statistics: Presents information about the top 20 email policies Email Gateway enforced, and the users who were impacted by them.
Policy Compliance Report – User Based: Presents the actions Email Gateway executed, but sorts the results by the individual users affected by the policies.
Policy Configuration Report: Shows a detailed listing of all rules that have been created, sorted by functional area. This report can be run at your discretion.
Policy Configuration Report – GLBA: Shows a detailed listing of all rules that have been created, applicable to GLBA compliance.
Policy Configuration Report – HIPAA: Shows a detailed listing of all rules that have been created, applicable to HIPAA compliance.
Policy Configuration Report – SOX Financial: Shows a detailed listing of all rules that have been created, applicable to SOX Financial compliance.
System Defined Policies Report: Displays currently enabled system-defined policies and the results of their enforcement, sorted by functional area.
Vulnerability Assessment: Shows the results of a Vulnerability Assessment (defining vulnerabilities to intrusion, and so forth), for a single IP address. Vulnerability Assessments can be run at your discretion.
PDF reports
Table 261 Email Gateway PDF reports
Report: Description
Anti Fraud Summary: Displays Email Gateway's actions against fraud and phishing attacks.
Anti Zombie Summary: Displays Email Gateway's results in protecting the email network from zombie attacks.
CSV reports
Email Gateway can generate a daily comma-separated values (CSV) text file that records the
From, To, Size, Date, Time, and every action Email Gateway performed on every message processed that
day. While the daily Incoming and Outgoing Reports only show totals and top 10s for each day, this report
lists every single email that was processed. This file is a data dump showing every action Email Gateway
took on a message—whether actions were taken because of an email policy, or if messages were delivered
with no action taken. Because this file contains so much data, CSV files can easily reach 50-100 MB in size
in high mail-volume environments. Administrators are cautioned, therefore, to configure the cleanup
schedule for Log Files data so that these files do not remain on the Email Gateway disk longer than three or
four days (see System | Cleanup Schedule | “Reports data”).
Note: The Policy Compliance Report - Detailed must be enabled before you can configure and generate the CSV
reports. The following window allows you to configure the reports.
Email Gateway can transfer CSV files to an archive server, either manually or automatically. If archive
server information is provided in the FTP/SCP Configuration input fields at the top of the page and the
Transfer checkbox is selected in the table below, Email Gateway will automatically transfer the file at the
specified hour. When the Archive Information input fields are left blank, or if the Transfer checkbox is
deselected in the table below, CSV Reports can be manually transferred by entering archive server
information in the secondary browser window that appears after clicking the Show all files hyperlink.
• 2 = Domain information
• 3 = Policy information
The remaining fields on each row differ, depending on the type of information being displayed.
Figure 266 Message Information
The first field indicates the information type. Each row of Message information begins with the numeral 1.
The second field is the “message ID” – a number that uniquely identifies the message. The message ID is
a critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs.
The third field is the message’s Subject, reported in its entirety.
The fourth field is the message’s date – the timestamp when Email Gateway received the message.
The fifth field is the message’s size in bytes.
The sixth field is the Mail From address – from whom the message originated.
The seventh field is the list of Recipient addresses – to whom the message was addressed.
The eighth field is the source IP address – the IP address of the message sender.
The ninth field is the Message direction. One of these values will appear:
• 0 = Inbound
• 1 = Outbound
The tenth field identifies the internal user. One of these values will appear:
• 0 = Both External
• 3 = Both Internal
The eleventh field identifies the message type, to indicate if the message was received by SMTP Proxy
using TLS (SSL). One of these Message Type values will appear:
• MSG_TYPE_NORMAL = 0
• MSG_TYPE_NOTIFICATION = 1
• MSG_TYPE_FORWARDED = 2
• MSG_TYPE_COPIED = 3
• MSG_TYPE_DSN = 4
• MSG_TYPE_SWM = 5
• MSG_TYPE_REPORTS = 6
• MSG_TYPE_EUSR_OUT = 7
• MSG_TYPE_EST_OUT = 8
• MSG_TYPE_EUSR_IN = 9
• MSG_TYPE_EST_IN = 10
• MSG_TYPE_SECURE = 11
• MSG_TYPE_FWD_ATTACH = 12
The twelfth field indicates whether the message was encrypted or signed. One of these values will appear:
• 0 = Unsigned
• 1 = Signed
• 2 = Encrypted
• 3 = Decrypted
Figure 267 Domain Information
The first field indicates the information type. Each row of Domain information begins with the numeral 2.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Although message IDs might look like they are grouped serially, there is no Email
Gateway requirement that they are sorted in this CSV file.
• 1 = TLS delivery
• 2 = S/MIME delivery
• 3 = PGP delivery
• 5 = TLS deny (A TLS delivery was attempted, but an Email Gateway policy denying TLS for that user forced
the message to be delivered in plain text.)
The seventh field describes the message’s status, and will display one of eight values:
• 1 = Not yet picked up for delivery (The message was deleted by the SMTPO Service, or it is in the
Quarantine Queue because of a failed delivery attempt or other Email Gateway policy.)
• 0 = Picked
• 1 = Connected
• 2 = Transmitted
• 4 = Delivered
• 5 = Undeliverable dropped
The first field indicates the information type. Each row of Policy information begins with the numeral 3.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Although message IDs might look like they are grouped serially, there is no Email
Gateway requirement that they are sorted in this CSV file.
The third field identifies a message’s part number. This field reports a numeric value representing which
part of the message is being described. (Messages can have many MIME parts—Email Gateway defaults to
only accepting messages that contain less than 1,000 parts.) A 0 in this field represents the whole
message. Any other value is the part number. A message’s parts are not necessarily grouped together in
the CSV file – a third party utility is required to group all message parts by their ID number, and then sort
them in ascending or descending order.
The fourth field is a number that identifies each possible Email Gateway action. This number is used
internally by Email Gateway, but corresponds to the actions that Email Gateway policies enforce. View the
table of actions in the Appendices to this Administration Guide.
The fifth field might or might not be present, depending on the policy Email Gateway enforced. For
example, a policy with a quarantine action requires a number as an action value indicating how many days
a message is to be quarantined, and a policy with a drop action can have a text message (replacing the
dropped message part) as an action value. (Note that text action values can be lengthy, and force the row
in the CSV file to wrap to additional lines.) Depending on the action, the fifth field can contain numerous
data elements that describe the totality of the action, for example, message Subject, Recipient address, or
timestamp.
The sixth field is the timestamp of the action – the time the action occurred.
Figure 269 Message Part Information
The first field indicates the information type. Each row of Message Part information begins with the
numeral 4.
The second field is the message ID – a number that uniquely identifies the message. The message ID is a
critical piece of information, allowing administrators to identify and track a single message in all of the
Email Gateway logs. Note that though message IDs might look like they are grouped serially, there is no
Email Gateway requirement that they are sorted in this CSV file.
The third field identifies a message’s part number. This field reports a numeric value representing which
part of the message is being described. (Messages can have many MIME parts – Email Gateway defaults to
only accepting messages that contain less than 1,000 parts.) A 0 in this field represents the whole
message. Any other value is the part number. A message’s parts are not necessarily grouped together in
the CSV file – a third party utility is required to group all message parts by their ID number, and then sort
them in ascending or descending order.
The fourth field identifies the message content type.
The fifth field identifies if the part is an attachment or the message body. One of two values will appear:
• 0 = Attachment
• 1 = Body
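The text above says a third-party utility is needed to regroup the interleaved CSV rows by message ID and sort the parts. The following parser is an added example written for this guide's row layout, not a McAfee tool: it keys every row type (1 = Message, 2 = Domain, 3 = Policy, 4 = Message Part) by its second field, decodes the documented value tables, and handles the optional fifth field and wrapped text action values of Policy rows. The sample rows, the action numbers 17 and 3, and the addresses are constructed placeholders; Domain rows are kept raw because only their message ID field is documented here.

```python
import csv
import io
from collections import defaultdict

# Value tables exactly as documented for the daily CSV report rows.
DIRECTION = {"0": "Inbound", "1": "Outbound"}
INTERNAL_USER = {"0": "Both External", "3": "Both Internal"}
MSG_TYPE = {
    "0": "MSG_TYPE_NORMAL", "1": "MSG_TYPE_NOTIFICATION", "2": "MSG_TYPE_FORWARDED",
    "3": "MSG_TYPE_COPIED", "4": "MSG_TYPE_DSN", "5": "MSG_TYPE_SWM",
    "6": "MSG_TYPE_REPORTS", "7": "MSG_TYPE_EUSR_OUT", "8": "MSG_TYPE_EST_OUT",
    "9": "MSG_TYPE_EUSR_IN", "10": "MSG_TYPE_EST_IN", "11": "MSG_TYPE_SECURE",
    "12": "MSG_TYPE_FWD_ATTACH",
}
CRYPTO = {"0": "Unsigned", "1": "Signed", "2": "Encrypted", "3": "Decrypted"}
PART_KIND = {"0": "Attachment", "1": "Body"}


def _decode(table, value):
    """Map a coded value to its name; unknown codes stay visible for review."""
    return table.get(value, f"UNKNOWN({value})")


def parse_csv_report(text):
    """Group every row of one daily CSV report by message ID.

    Rows of one message are not adjacent and message IDs are not sorted, so
    each row type is keyed by its second field (the message ID).  Parts and
    policy actions are sorted by part number, 0 meaning the whole message.
    """
    messages = defaultdict(lambda: {"message": None, "domains": [],
                                    "policies": [], "parts": []})
    # The csv module reassembles quoted action values that wrap onto
    # additional physical lines.
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        kind, msgid = row[0], row[1]
        entry = messages[msgid]
        if kind == "1":                      # Message information, 12 fields
            entry["message"] = {
                "subject": row[2], "date": row[3], "size": int(row[4]),
                "mail_from": row[5], "recipients": row[6],
                "source_ip": row[7],
                "direction": _decode(DIRECTION, row[8]),
                "internal_user": _decode(INTERNAL_USER, row[9]),
                "msg_type": _decode(MSG_TYPE, row[10]),
                "crypto": _decode(CRYPTO, row[11]),
            }
        elif kind == "2":                    # Domain information, kept raw
            entry["domains"].append(row[2:])
        elif kind == "3":                    # Policy information, 5 or 6 fields
            # The action value (fifth field) is optional; the timestamp is last.
            action_value = row[4] if len(row) == 6 else None
            entry["policies"].append({
                "part": int(row[2]), "action_id": int(row[3]),
                "action_value": action_value, "timestamp": row[-1],
            })
        elif kind == "4":                    # Message part information, 5 fields
            entry["parts"].append({
                "part": int(row[2]), "content_type": row[3],
                "kind": _decode(PART_KIND, row[4]),
            })
        else:
            raise ValueError(f"unknown row type {kind!r} for message {msgid}")
    for entry in messages.values():
        entry["parts"].sort(key=lambda p: p["part"])
        entry["policies"].sort(key=lambda p: (p["part"], p["timestamp"]))
    return dict(messages)


def messages_with_action(messages, action_id):
    """Sorted IDs of messages on which the given policy action number fired."""
    return sorted(m for m, e in messages.items()
                  if any(p["action_id"] == action_id for p in e["policies"]))


# Constructed sample: two messages whose rows are interleaved, parts out of
# order, one Policy row with a wrapped text action value and one without a
# value.  Action numbers 17 and 3 are placeholders, not Appendix values.
SAMPLE_CSV = (
    '1,1002,"Quarterly numbers",2009-03-02 09:14:11,48213,cfo@example.com,'
    'board@partner.example,203.0.113.7,1,3,0,1\n'
    '4,1002,2,application/pdf,0\n'
    '1,1001,"Re: invoice",2009-03-02 09:13:05,2210,bob@example.com,'
    'alice@example.com,198.51.100.9,0,0,0,0\n'
    '4,1002,1,text/plain,1\n'
    '3,1002,2,17,"Attachment removed by policy.\nContact the helpdesk.",'
    '2009-03-02 09:14:12\n'
    '3,1001,0,3,2009-03-02 09:13:06\n'
    '4,1001,1,text/plain,1\n'
)

if __name__ == "__main__":
    for msgid, entry in sorted(parse_csv_report(SAMPLE_CSV).items()):
        print(msgid, entry["message"]["direction"], entry["message"]["crypto"],
              [p["part"] for p in entry["parts"]],
              [(p["action_id"], p["part"]) for p in entry["policies"]])
```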
SNMP polling
Email Gateway includes an SNMP polling feature that provides the capability for a polling station or package
to collect data from the Email Gateway appliance via the SNMP protocol. This feature is helpful in mapping
alert events to SNMP traps. The Email Gateway appliance publishes a MIB view that allows “read only”
access to data to be used in processing a variety of queries. There is NO “write” access permitted, so the
data remains secure. The feature allows you to set the polling interval.
Email Gateway SNMP polling supports SNMP v1 and SNMP v2.
On this window, you can set the polling interval by entering a time in seconds. The allowable range is from
60 to 3600 seconds. This interval defines the wait time between SNMP polling occurrences.
Before Email Gateway SNMP traps can provide all the available information to the SNMP service, you must
compile the appropriate Email Gateway MIB file within your SNMP application. You can download the MIB
you will need for SNMP polling from the Support KnowledgeBase, article 7220. The file you need to
download is CT-SNMP-PUBLIC-MIB.txt.
Log levels
Email Gateway allows you to configure the type of log entries that will be generated and the amount of
detail that will be maintained in log files. The possible log levels are shown in the table below.
Log standardization
To enable customers to parse log data more easily with scripts and security information and event managers
(SIEMs), McAfee has implemented an innovative format for all mail flow logs. Email Gateway writes these
logs in binary format that can be efficiently stored and can be readily adapted to display and generate
reports.
The new mail flow log:
• Consolidates logs for SMTPProxy, SuperQueue, and SMTPO into a single log
Event logging
Event logging tracks and records each mail flow action Email Gateway takes. It records each individual
action as an event in binary format; each log message is an event.
Note: One email message will generate many events. Events are generated per action, not per message.
• Event classes – a range of ID numbers belongs to each of the transaction components. Events are
grouped into classes by their ID numbers.
• Events – each defined event has a unique ID number that makes identifying and tracking specific events
easier.
Note: For a detailed listing of event classes and defined events, see Appendix J, Event Logging Elements in this
Administration Guide.
Sample syntax
./showevents.sh -s ifile="<binary log filename>" -s ofmt="<keywords>" -d head
Keywords
The following keywords are allowed. The keywords must be separated by ampersands (&) as shown here:
./showevents.sh -s ifile="scmail-logs.bin" -s ofmt="time&eud&eagrstr" -d head
• time
• thrdid – thread ID
• childid – child ID
• eid – event ID
Examples
See all the events belonging to a particular binary log file for smtpproxy:
Display all the events logged ON Nov 14 for a given time duration:
$./showevents.sh -s ifile="/ct/data/admin/log/scmail-logs.bin.ends10081114" -g
"stime=20081114:14:20:00" -g "etime=20081114:18:00:00" -d head
Tracking messages from the point of entrance to exit is a two step process when Source IP/Port and an
approximate time is known:
1 Using eventid 9308 grep for 'IP:Port' and get the message id and connection id
Sample syntax:
/ct/bin/showevents [-s name=value] [-g name=value] [-d operation]
Options
The following options are allowed.
• -s <name=value> – setters to configure the application usage
• cfile=<filename> – event configuration file to read the event IDs and descriptions
• ifile=<filename> –
• -d <operation>
Filter matching uses an OR relationship between the same type of filters, and uses an AND relationship
between different types.
Examples:
-g eid=4097 -g eid=6665
will display all events with the event ID 4097 or 6665
-g eid=4097 -g msgid=1000
will display all events that have both the message ID 1000 and the event ID 4097.
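The OR-within-a-type, AND-across-types rule above, and the stime/etime time window from the earlier example, worked through in code. This is an added example, not the showevents tool itself: it applies showevents-style -g filters and an &-separated ofmt keyword list to a constructed list of already-parsed events (the binary format is not documented here, so no parser is attempted).

```python
from collections import defaultdict

# Constructed events, as a parser of the binary log would yield them.  Field
# names follow the documented keywords (time, thrdid, childid, eid) plus the
# msgid used in the filter examples.  Values are placeholders.
EVENTS = [
    {"time": "20081114:14:21:03", "eid": 4097, "msgid": 1000, "thrdid": 7, "childid": 2},
    {"time": "20081114:14:21:04", "eid": 6665, "msgid": 1000, "thrdid": 7, "childid": 2},
    {"time": "20081114:14:25:10", "eid": 4097, "msgid": 1001, "thrdid": 8, "childid": 2},
    {"time": "20081114:18:30:00", "eid": 9308, "msgid": 1002, "thrdid": 9, "childid": 3},
]


def parse_filters(argv):
    """Collect every '-g name=value' pair from a showevents-style argument list."""
    filters = []
    args = iter(argv)
    for arg in args:
        if arg == "-g":
            token = next(args, "")
            name, sep, value = token.strip('"').partition("=")
            if not sep or not name or not value:
                raise ValueError(f"bad filter {token!r}")
            filters.append((name, value))
    return filters


def matches(event, filters):
    """OR between filters of the same name, AND across different names.

    stime/etime are bounds on the time field; the YYYYMMDD:HH:MM:SS format
    sorts correctly as a plain string, so no date parsing is needed.
    """
    by_name = defaultdict(list)
    for name, value in filters:
        by_name[name].append(value)
    for name, values in by_name.items():
        if name == "stime":
            ok = any(event["time"] >= v for v in values)
        elif name == "etime":
            ok = any(event["time"] <= v for v in values)
        else:
            ok = any(str(event.get(name)) == v for v in values)
        if not ok:            # one filter type unsatisfied -> AND fails
            return False
    return True


def select(events, argv):
    """Events satisfying every filter type given in argv, in log order."""
    filters = parse_filters(argv)
    return [e for e in events if matches(e, filters)]


def format_event(event, ofmt):
    """Render the fields named in an '&'-separated ofmt keyword list."""
    return " ".join(str(event[k]) for k in ofmt.split("&"))


if __name__ == "__main__":
    argv = ["-g", "eid=4097", "-g", "eid=6665", "-d", "head"]
    for e in select(EVENTS, argv):
        print(format_event(e, "time&eid&msgid"))
```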
• or parse the binary file first (using the parser mentioned above) then modify your report generator (or
create your own).
CLI commands
You can access information about your event logging files through three command line options:
• show events – this command dumps the entire binary file, allowing you to search for particular data you
want.
• show stat cph – shows connections per hour, beginning at midnight, for the current 24-hour period.
20081021::04:00:00 57075
20081021::04:59:59 60876
20081021::05:59:59 54274
20081021::07:00:00 58233
20081021::07:59:59 55592
20081021::08:59:59 57319
20081021::09:59:59 63801
20081021::11:00:00 59973
20081021::11:59:59 61380
20081021::13:00:00 56542
20081021::13:59:59 55674
20081021::14:59:59 58775
20081021::16:00:00 56160
20081021::17:00:00 58003
20081021::17:59:59 62301
20081021::19:00:00 60914
20081021::19:59:59 60882
20081021::20:59:59 50730
20081021::22:00:00 61464
20081021::22:59:59 60784
20081022::00:00:00 55818
The information is cumulative for the entire day. If you type today’s date, the data will only reflect activity
since midnight.
General logs
Email Gateway generates logs that record functionality other than mail flow in ASCII format. The two types
of general logs are Detailed Logs and Summary Logs.
Detailed logs
Email Gateway records in its Detailed Logs all the actions it takes as it processes messages and for all
aspects of its core functionality. The amount of detail recorded in these logs is controlled by the Logging
Level configured for each of the Email Gateway services and features.
Ordinarily, a log level of Information is adequate for day-to-day monitoring and will provide enough
information to indicate that a Service is running properly, and at that level, will not bloat in size to an
unmanageable level. It is recommended, however, that the logging level be set to Detailed for the first
several weeks after Email Gateway is placed in the mail flow of the network. This will ensure that adequate
information is available if troubleshooting problems is required. Once Email Gateway is processing without
incident, the logging level should be changed.
Similarly, the logging level for the Queue services should be raised to Detailed during the period that policy
testing is underway. That level will be required to see the specific reasons a message was detected and
acted upon by one of Email Gateway policies. Once the policy testing is complete, these log levels can be
changed.
In high mail-volume environments, some logs can grow very large, up to 100-200 MB in size. Log files
larger than just 1 MB will typically take longer to open in the Email Gateway web interface than
administrators will care to wait. Administrators are encouraged, then, to use an SSH client to open these
logs. Within the command line interface, logs open instantly, and queries within them are as fast.
Email Gateway generates one special detailed log, Email Gateway Setup. Generated only once, after the
initial Email Gateway setup and configuration, this log reports the details of the setup process.
Summary logs
Detailed Log files record the specific actions Email Gateway takes when processing messages, and the
information is spread across multiple files. The Summary Log consolidates all message processing data into
one file, and displays the information in a slightly different way. If Email Gateway does not accept a
message (for example, the sending IP address is on the Email Gateway Local Deny List and the message
is dropped by the SMTPI Service), the only line in the Summary Log for that message will look like the
example above.
Figure 272 Example summary log content
If Email Gateway accepted and processed the message, the first line of the Summary Log for that message
will look like the example above. For each message that Email Gateway processed, each Email Gateway
Queue process will write a separate line indicating what action it took. To view all the lines in the Summary
Log for a single message, use the grep command on the message ID.
The Summary Log displays seven pipe-separated ( | ) fields of data. Each line in the Summary Log displays
information about each Email Gateway process that examined or processed a message. Note that the
descriptions of Email Gateway processes are not grouped together by message. The processes of multiple
messages are commingled. As with the Detailed Logs, administrators must follow the trail of bread crumbs
using the Message Identifier to trace a single message in this log. The Summary Log can be viewed in real
time for troubleshooting and policy-tuning purposes, or it can be exported so that a third party application
can perform advanced grouping, sorting, and querying within it.
1 The first field is the date and timestamp when the message was received by the SMTPI Service.
2 The second field is the process ID – a number used internally by Email Gateway to identify which Email
Gateway processes are processing a message. For example, the JoinQ has one process number, while the
SMTPO Service has another process number.
3 The third field is the message identifier – a number Email Gateway uses to uniquely identify a message.
If the message is accepted by the SMTPI Service, the message identifier becomes the Message ID.
However, if the message is not accepted by Email Gateway (for example, the message is from an IP
address that appears on a Deny List), this value will be the source IP address and port number.
4 The fourth field is the Action number – a 0 or a 1 – indicating whether Email Gateway took an action on
the message because of the rules of an email policy. A 0 means no action was taken – the message
passed straight through Email Gateway untouched. A 1 means that Email Gateway performed some action
on the message.
5 The fifth field is an internal numeric code representing the action Email Gateway took – a number
representing, for example, whether Email Gateway stamped an outgoing message with a footer, or
deleted a file attachment, and so forth.
6 The sixth field displays textual information returned by the process. For example, process 21 (the SMTPI
Service) will return the Mail From, Mail To, and Message ID number of a message, and the 200 process
(the Virus Scan Queue) will report No virus found in this message.
7 The seventh field displays any details about the action as applicable. For example, an Envelope Analysis
rule based on a particular Subject will have the text of the rule’s Subject displayed here.
8 The eighth field shows the ESP score and message hash for the message.
10 The tenth field contains the SMTPI full throttle or sleep information.
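The grep-by-message-ID step described above, done in code. This is an added example, not a McAfee utility: it splits constructed pipe-separated Summary Log lines into the documented fields, pulls out the commingled trail of one Message ID in time order, and separates lines whose identifier is a source IP:port (messages SMTPI refused before a Message ID existed). Process IDs 21 and 200 are the ones named in the text; process 210, the action codes and the ESP score/hash values are placeholders.

```python
import re

# Constructed sample.  Fields: timestamp | process id | message identifier |
# action flag | action code | text | details | ESP score and hash.  Lines of
# different messages are commingled, as in a real Summary Log.
SAMPLE_SUMMARY_LOG = """\
2009-03-02 09:13:02|21|203.0.113.7:51002|1|12|Connection from IP on Local Deny List dropped||
2009-03-02 09:13:05|21|1001|0|0|Mail From: bob@example.com Mail To: alice@example.com Message ID: 1001||7.1 0f3c9a1d
2009-03-02 09:13:06|200|1002|0|0|No virus found in this message||5.0 77ab10e4
2009-03-02 09:13:06|200|1001|0|0|No virus found in this message||7.1 0f3c9a1d
2009-03-02 09:13:07|210|1001|1|44|Envelope Analysis rule matched|Subject: invoice|7.1 0f3c9a1d
"""

_IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_summary_line(line):
    """Split one pipe-separated Summary Log line into its documented fields."""
    f = line.rstrip("\n").split("|")
    if len(f) < 7:
        raise ValueError(f"expected at least 7 fields: {line!r}")
    ident = f[2]
    return {
        "timestamp": f[0],
        "process_id": int(f[1]),
        "identifier": ident,
        # A message SMTPI did not accept never received a Message ID; the
        # identifier is then the source IP address and port.
        "accepted": not _IP_PORT.match(ident),
        "action_taken": f[3] == "1",
        "action_code": int(f[4]),
        "text": f[5],
        "details": f[6],
        "esp": f[7] if len(f) > 7 else "",
    }


def parse_summary_log(text):
    """Parse every non-empty line of a Summary Log dump."""
    return [parse_summary_line(l) for l in text.splitlines() if l.strip()]


def trace_message(text, msgid):
    """Every line for one Message ID, in time order (the grep step in code)."""
    hits = [e for e in parse_summary_log(text) if e["identifier"] == str(msgid)]
    return sorted(hits, key=lambda e: e["timestamp"])


def rejected_connections(text):
    """Lines where the message was refused before it got a Message ID."""
    return [e for e in parse_summary_log(text) if not e["accepted"]]


if __name__ == "__main__":
    for e in trace_message(SAMPLE_SUMMARY_LOG, 1001):
        print(e["timestamp"], e["process_id"], e["action_taken"], e["text"])
    for e in rejected_connections(SAMPLE_SUMMARY_LOG):
        print("rejected:", e["identifier"], e["text"])
```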
Email Gateway can transfer Summary Log files to an archive server, either manually or automatically.
Configuring logs
Both Detailed Logs and Summary Logs can be configured on the same window.
Figure 273 Detailed/Summary Logs - Configure window
Clicking show all files opens a window like the example shown below.
Configuring Syslog
Email Gateway can generate and transmit the same data it generates for its Summary Log in SysLog
format for integration with a network's SysLog logging system.
In addition to configuring Email Gateway to communicate with the SysLog server – as provided below – the
SysLog server must be configured to recognize Email Gateway data. Email Gateway uses the SysLog User
facility and Info level for the data it sends. Therefore, a user.info variable must be created for
/var/log/Email Gatewayname_syslog on the receiving host.
Note: File Information Summary Log window
When the information is complete and correct, click Submit to record the configuration.
Three parameters have been added to the Syslog format:
• ESP score and message hash;
Administration
User accounts
The Email Gateway administrator can create user accounts for additional personnel who are granted
permission to perform specific duties in administering the Email Gateway appliance. You can select which
program areas users are allowed to access, and whether their access is read only or read/write.
There is one super user account for the Email Gateway administrator. This super user account name is
admin. Initially, only the admin user account has access to this User Accounts window. This allows you
secure control over access to Email Gateway.
Email Gateway generates a daily log showing each user’s login and the Email Gateway windows accessed.
• A Virtual Host administrator, who will have whatever rights are granted only for those Virtual Hosts that
are assigned.
• A compliance officer, whose rights will be limited to conducting message searches in order to research
potential compliance violations and related problems.
• An ePO user, who has rights to the Dashboard only, and who can monitor Email Gateway from an ePolicy
Orchestrator appliance.
Any of these options allow the SuperAdministrator to delegate some of the administrative workload.
Appliance administrators
If the new administrator is to be an appliance administrator, the User Accounts - Create window does not
include Virtual Host information. In this case, the creating administrator can assign full access rights or
read-only rights to the new administrator for any or all the roles listed on the window. If User Creation
Rights are granted, the Appliance Administrator can create new users for any domain on the appliance and
give the new user any roles the creating Appliance Administrator is allowed.
Compliance officers
If the new administrator is to be a compliance officer, the Roles selections on the User Accounts - Create
window will be unavailable.
The compliance officer has specialized access rights, limited to conducting message searches on the Email
Gateway appliance. This allows the officer to research potential compliance violations and related issues.
Compliance officers can be assigned rights for the entire appliance or for assigned Virtual Hosts.
When the compliance officer logs into Email Gateway, the displayed opening window is unique. For more
details, go to Compliance Officer searches in Chapter 3, Queue Information.
ePO users
ePO users can only access the Dashboard. All permission checkboxes are unavailable, but read-only
permission for the Dashboard is automatically granted. No other permissions can be assigned. The creation
process is the same as other user types. ePO users can be configured on standalone MEG appliances and
MEG appliances with Advanced Encryption, but not for standalone Encryption appliances. The user will
monitor Email Gateway from an ePO server using this account.
Note: Email Gateway also has a default account named epo. The ePO server itself uses this account to
communicate with Email Gateway and fetch events (MEG counter values for a specified time).
4 Click Add New. The account is added to the User Accounts - Manage window.
Figure 276 User Accounts - Create window (showing Virtual Host Admin role)
The User Accounts - Manage window appears, showing the log on name and other basic information
for each user account.
If you have made any changes to accounts on this list, click Submit. The changes will be implemented.
Details about the roles assigned to each user on the list appear when you click the User name on the
window. The account selected expands to reveal the permissions granted and the Virtual Hosts assigned to
that user.
Figure 278 User Accounts - Manage window expanded (showing appliance administrator account)
2 Click User Account, then click Manage Accounts. The User Accounts - Manage window appears, showing
the log on name and other basic information for each user account.
3 Click the Edit icon associated with the account you are editing. The User Account - Edit screen appears.
If no Virtual Hosts are configured on the appliance, all users are appliance-level administrators. If Virtual
Hosts are configured, the user can be either an Appliance Administrator, a compliance officer, or a Virtual
Host administrator, each with its own login process. Virtual Hosts have no impact for ePO Users.
Appliance administrators
Appliance administrators have access rights to everything on the Email Gateway appliance, including all
domains and all Virtual Hosts. All Email Gateways have a Default Virtual Host, and an appliance-level
administrator always logs onto the Default Virtual Host.
When an appliance-level user logs on, the following selection window appears.
Figure 280 Appliance administrator login on an appliance with Virtual Hosts
• If other Virtual Hosts are present, the action displays the Virtual Host selection window again. The window
shows a list of all the configured Virtual Hosts. You can select any of them by clicking the name in the left
column. The new login location is confirmed at the top of the left menu.
To administer a single Virtual Host, including configuring policies for it, the Appliance Administrator must
log out of the Default Virtual Host and log onto the specific Virtual Host. Administering Virtual Hosts (other
than all of them at once) requires logging into each one of them, one at a time.
To get an overview of the way any Virtual Host is configured, click details next to that Virtual Host.
When you have completed the desired tasks on any Virtual Host, click Logoff at the top of the Email
Gateway window again. The Virtual Host selection window displays, showing a list of all Virtual Hosts except
the one you just accessed. You might go back to the Default Virtual Host or to another Virtual Host by
selecting the appropriate name, or log out completely by clicking Logout at the top of the window.
To log out, the Virtual Host administrator clicks the Logoff (Virtual Host Name) link.
• If the Virtual Host administrator is assigned only one Virtual Host, this action closes the Email Gateway
session and displays the main login window.
• If the Virtual Host administrator has access to more than one Virtual Host, the Virtual Host selection
window reappears. The Virtual Host administrator can select any other Virtual Host, display high-level
configuration information by clicking the details, or end the Email Gateway session by clicking Logout.
Compliance officers
You can create a special type of user account for a compliance officer. This user logs into Email Gateway
with a user name and password like any other user, but the opening window limits access to the
investigation of quarantined messages. The compliance officer may have appliance-level or Virtual Host
level access rights.
ePO Users
The ePO user logs into Email Gateway with a user name and password. The only tab the ePO user can
access is the Dashboard.
2 Click Configure Password Policy. The Password Policy Configuration window appears.
4 Click Submit.
Allowed IPs
If the Allowed IPs option is enabled, Email Gateway will accept only browser connections (for Web
Administration) from computers with the IP addresses specified in the table. If this option is not enabled,
Email Gateway administrators can log on from any workstation.
Caution: If IP-based access control (ACL) is enabled without entering valid IP addresses from which
administrators can connect to Email Gateway, all Email Gateway administrators will be immediately locked out of
the Web Administration interface. Administrators must log on to the Email Gateway Command Line Interface, from
either an SSH client or a keyboard and monitor attached to the appliance, and disable this setting. The CLI
command to disable IP-based access control is: system restore acl (see Chapter 36, Using the Command Line).
4 Click Submit.
Caution: If you enable IP-address access control and your Email Gateway appliance is connected to an ePolicy
Orchestrator server, the IP address for that server must be included in the Allowed IPs list. For more information
about ePO, see ePolicy Orchestrator configuration in Chapter 33, System Configuration.
4 Click Add New. The account is added to the User Accounts - Manage window.
User preferences
You can configure the appearance of the Dashboard and the Queue Manager screens and set other
preferences.
Dashboard preferences
You can configure the reports, tables or graphs that appear on the Dashboard, and their locations, using
the Dashboard User Preferences - Configure window. You can also access the window from the Dashboard
itself by clicking the Configure icon at the lower right corner of the window.
On the Administration tab, click Web Admin Configuration. Click User Preferences, then click
Dashboard. The Dashboard User Preferences - Configure window appears. The center column lists all
portlets (each one representing a reporting mechanism) that have not been configured to appear on the
existing Dashboard.
2 Then click the arrow pointing to the panel (Left Panel or Right Panel) where you want the new
information to appear. The portlet will be moved to that panel.
The new portlet appears at the bottom of the panel by default. If you want to change the placement of any
portlet, do the following:
1 Select the portlet.
2 Use the up or down arrow beside the panel to move it to a new location.
2 Click the arrow pointing to the Available Portlets panel. The portlet will be moved to that panel.
For more information about the reports and charts on the Dashboard, see Chapter 1, The Dashboard.
2 Click User Preferences, then click Queue Manager. The Queue Manager User Preferences - Configure
window appears.
4 Click Submit.
When the parameters have been configured, click Submit. The format will be implemented.
Miscellaneous preferences
Use the Miscellaneous User Preferences - Configure window to configure the view the user gets at log on,
the availability of Quick Snapshots from navigation, and the bookmarking capability.
1 On the Administration tab, click Web Admin Configuration.
2 Click User Preferences, then click Miscellaneous. The Miscellaneous User Preferences - Configure
window appears.
4 Click Submit.
Note: For more information about whitelisting and the “Last Hit Date” indicators, see Viewing whitelists.
Clustering
Clustering allows you to configure a group of Email Gateway appliances to mirror the same configuration
across all appliances in the cluster. All the configured items that must be similar on different appliances
performing the same function within a network are shared from a primary appliance.
Note: Clustering can only be applied to Encryption features (Advanced Encryption).
A cluster is a number of Email Gateway appliances that have a peer-to-peer relationship. The items that
are shared are not configurable. Any message that triggers shared items will be immediately replicated
across all other members in the cluster.
Caution: Email Gateway and Advanced Encryption will not synchronize users that existed prior to the time you
establish a cluster.
Starting a cluster
Figure 289 Cluster window (start cluster)
Note: You can start a new cluster only from an appliance that is not already in a cluster.
3 Click the radio button labelled Start New Cluster. The IP address for the appliance is added to the peer
list.
4 Click Submit. The new cluster is now ready to accept other appliances.
Adding an appliance
Figure 290 Cluster window (join cluster)
Note: You can add an appliance that is not already part of a cluster.
3 Click the radio button labelled Join Existing Cluster. The IP address for the appliance is added to the
peer list.
Note: The maximum number of appliances allowed in a cluster is four. Adding a fifth appliance disrupts the
stability of the cluster.
Removing an appliance
Figure 291 Cluster window (for removal)
Note: If the appliance is part of a cluster, the window includes the Remove From Cluster button.
General administration
You can configure important general functions for your Email Gateway on the Administration tab. They
include the following:
• The cleanup schedule
• Appliance certificates
4 Click Submit.
• The cleanup interval – how long a file can remain on the disk before it is cleaned from the disk.
• The cleanup cycle – how often (or when) the cleanup cycle will run.
2 Click Configure Appliance Certificate. The Appliance Certificates - Configure window appears.
4 Click Submit.
Note: The Admin password can be changed, but the admin user name can not be changed or deleted.
The Health Monitor window provides a link that allows you to run a Health Monitor cycle on demand (Run
Now); it also presents the properties that allow you to configure Health Monitor.
Use the Health Monitor Configuration window to define Health Monitor’s properties.
1 On the Administration tab, click Web Admin Configuration.
2 Click Health Monitor, then click Configuration. The Health Monitor Configuration window appears.
4 Click Submit.
2 Click Health Monitor, then click Configure Alerts. The Health Monitor Alerts - Configure window appears.
4 Click Submit.
System
Appliance configuration
Initially, the Appliance Configuration window displays information that was entered during the Initial
Configuration Wizard when Email Gateway was first installed. At any time afterward, these settings can be
changed as required.
Figure 297 Appliance Configuration window
To change the configuration of the appliance, make changes to any of the fields on the window. When the
changes have been made, click Submit. The window will refresh.
Key concepts
Two particular terms used in conjunction with ePO require clarification.
Events
The Email Gateway appliances on the managed system generate software events constantly during normal
operation. These range from informational events about regular operation, such as when MEG enforces
policies locally, to alerts generated by Email Gateway. Email Gateway sends these events to the ePO server
every hour, and ePO stores them in its database. A typical deployment of ePolicy Orchestrator in a large
network can generate thousands of these events an hour. ePolicy Orchestrator consolidates this data into
graphs and charts.
Extensions
Extensions are ZIP files you install on the ePO server in order to manage another security product in your
environment. The extensions contain the files, components, and information necessary to manage such a
product.
Caution: If you enable event generation between your Email Gateway appliance and an ePolicy Orchestrator
server, the IP address for that server must be included in the Allowed IPs list. For more information about allowed
IP addresses, see Allowed IPs in Chapter 31, Email Gateway Administration.
ePolicy Orchestrator provides the following information on an hourly basis about all MEG appliances in the
network, combined.
Configuring IP addresses
Email Gateway provides the capability to configure a variety of IP addresses. This provision is particularly
important with the concept of Virtual Hosts and the related delegation of administrative tasks.
Email Gateway allows the configuration of two types of IP addresses: Primary and Alias. The number of
Primary IP Addresses an Email Gateway appliance can support is directly related to the number of active
Network Interface Cards (NICs) it has. You can configure one Primary IP Address per NIC. All other IP
Addresses will be Aliases.
Each Alias IP Address is associated with only one NIC. Email traffic for that Alias IP flows through the NIC
assigned to the Primary IP Address.
All existing IP Addresses that are currently configured for this Email Gateway appliance will be displayed on
the IP Addresses - Manage window. The IP address information will be separated into sections, one section
for each active NIC.
Figure 299 IP Addresses - Manage window
If you have set any IP Address for deletion, click Submit. If you wish to prevent pending changes from
being carried out, click Clear All Pending.
Adding an IP address
To add a new IP Address, click the Add New button at the bottom of the IP Addresses - Manage window.
The Add New window will display. The appearance of the window will depend upon whether you are adding
a primary IP Address or an Alias.
Figure 300 IP Addresses - New window
When the new IP Address configuration is complete, click Submit. The IP Addresses - Manage window will
refresh, adding the new IP Address and showing it in the Pending state. Activating (completing) the IP
Address will require a level 4 Restart. After the restart, the status will change to Complete.
When the proper IP addresses have been selected, click Submit to record the changes.
Note: Configuration or changes to either access method will require restarting that access type before the new IP
address will become effective.
Routing
When messages are addressed to mail servers that Email Gateway cannot reach directly (because Email
Gateway is in a DMZ, or for other reasons), a static route must be created so that the mail Email Gateway
proxies can be delivered to the internal mail servers. The Routing - Configure window allows you to create
this route.
Figure 302 Routing - Configure window
When the information is correctly entered, click Submit. The new entity will be added.
• as the access port for command line interface access using a keyboard (and monitor) connected directly
to the Email Gateway appliance.
Figure 304 Serial Port Configuration window
To configure the serial port, you must select the desired use from the pick list, then click Submit to record
the selection.
SSH configuration
Access to the Email Gateway command line interface is controlled by the CLI Access Service. If this
subsystem is not running, administrators cannot log onto Email Gateway with an SSH client.
Figure 305 SSH Service - Configure window
If the appliance is to be managed by an Email Gateway Control Center, that hyperlink will appear on the
SSH Configuration window as well. Click the link to configure the access port for Control Center
management.
When the information is entered correctly, click Submit.
Note: By default, Control Center connects to Email Gateway on port 20022. If there is a need for Control Center
to communicate to the Email Gateway on a different port, contact McAfee Support for instructions or assistance
with changing this configuration. This is particularly important in environments that do not allow Support access.
Backup now
When you navigate to the Appliance Backup & Restore window, you will see two options at the top of the
window just below the window title. Click Backup Now to create an immediate backup.
Figure 308 Appliance Backup & Restore window
Type and confirm a password to be associated with the backup file and click Submit. This password will be
required when the backup is restored. A confirmation window displays.
Click the View Log button to see the log describing the backup action.
Clicking the Configuration File hyperlink will open a window that provides information about the backup
file and allows you to save the compressed folder for future use.
When Email Gateway saves a backup configuration to disk, it uses an automatic naming scheme that
identifies the appliance’s name, version number, latest release number, and date (for example,
MEG.4.5.1.1098287820.31.zip). The backup is encrypted and stored in a proprietary file format that only
Email Gateway can read; it cannot be viewed in plain text. The password you supplied is required to restore
it, and there is no recovery path if that password is lost: even McAfee Technical Support cannot decrypt the
file. The .zip extension is added to the backup file name solely so that a browser downloads the file rather
than trying to open it.
Caution: Do not forget the password!
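The following is an added example (not McAfee code and not from this guide) of the check a practitioner would run on a downloaded backup before storing it off-box: confirm the file is an opaque blob rather than a readable ZIP or a saved error page, and record a SHA-256 digest to compare against before a restore. It assumes only what the page states (the backup is encrypted and the .zip extension is nominal); the entropy threshold and the sample inputs are constructed for illustration.

```python
"""Added example (not McAfee code): sanity-check a downloaded Email Gateway backup
before storing it off-box, and keep a digest to verify before a restore.
Assumption (from the page): the backup is an opaque encrypted blob that merely
carries a .zip extension, so a real ZIP signature or low byte entropy means the
download is not what it should be (for example a saved HTML error page).
The threshold and sample inputs below are constructed for illustration."""
import hashlib
import io
import math
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"   # local file header that every readable ZIP starts with


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_backup(blob: bytes, min_entropy: float = 7.0) -> dict:
    """Report whether the blob looks like an opaque encrypted backup.
    'ok' is True only when it is not a readable ZIP and is high-entropy."""
    is_zip = blob.startswith(ZIP_MAGIC)
    entropy = shannon_entropy(blob)
    return {
        "is_real_zip": is_zip,
        "entropy": round(entropy, 2),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "ok": bool(blob) and not is_zip and entropy >= min_entropy,
    }


def verify_before_restore(blob: bytes, expected_sha256: str) -> bool:
    """Compare the digest recorded at backup time with the file about to be restored."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


# --- constructed sample inputs (not real backups) ---
def fake_plaintext_zip() -> bytes:
    """What a backup must NOT look like: a readable archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<config/>")
    return buf.getvalue()


def fake_encrypted_blob(size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    out, chunk = bytearray(), b"seed"
    while len(out) < size:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return bytes(out[:size])


if __name__ == "__main__":
    for name, data in (("plaintext zip", fake_plaintext_zip()),
                       ("encrypted blob", fake_encrypted_blob())):
        print(name, check_backup(data))
```

Store the digest with the backup record (ticket, CMDB entry) separately from the file itself; a mismatch at restore time means the file was altered or truncated in transit and should not be fed to Restore.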
Scheduled backups
If you prefer to configure a regularly scheduled backup for the appliance, navigate to the Appliance Backup
& Restore window as before, and click the Schedule Backup radio button. The window will expand as
shown below.
Figure 309 Appliance Backup & Restore window
When you have completed the configuration, click Submit to create the schedule.
Backup data
The table that follows shows the information included in an Email Gateway backup.
Email Gateway does not back up the network information (IP address, subnet, DNS, and so forth)
configured in System | Configuration | Appliance Configuration.
System restore
Use the Restore function to restore data only to the same Email Gateway appliance. Software feature
licenses – for WebMail Protection, Secure Web Delivery, Anti-Virus, and so forth – cannot be pushed to
other appliances via this restore method.
Figure 310 Appliance Backup & Restore window (restore tab)
When an Email Gateway configuration is backed up, that appliance’s host name, IP address/subnet, and User
Accounts are saved. Restoring that backup configuration to another Email Gateway appliance will not
overwrite the second box’s host name, IP address, and subnet. However, User Accounts will be restored, so
the accounts from the source appliance become valid on the target, which is a potential security risk. If the
backup file from one Email Gateway is restored onto another Email Gateway, review and modify the User
Accounts as required.
When you select granular restoration or complete restoration (Restore All), the window will refresh to
reveal the particular data requirements for that type.
Granular restore
If you elect to perform a granular restoration, type the required information and select the policy areas you
want to restore.
Click Submit to execute the restoration. Email Gateway reads all the configuration data and enters it into
the appliance. The Email Gateway appliance will automatically reboot when the backup is restored.
Clicking the View Log button will open a log window that provides details about the restoration.
Restore all
The Restore All option provides additional restoration options, as shown on the Appliance Restore -
Configure window. You can select Recovery Types of Disaster Recovery or Full Recovery, as needed.
Disaster recovery
If you select Disaster Recovery, the restoration will include a full configuration of all policies, and so forth,
plus all the host information as it existed at the time of the backup. This option is helpful when an appliance
has failed completely.
Full recovery
If you select Full Recovery, the restoration will include all policy areas, but will not include the host
information. The window will also expand to include Virtual Host Recovery.
• Backup – If you choose this option, the backup file will supply all the Virtual Host information it has,
including VIP names. Any Virtual Hosts that do not exist on the backup will be dropped.
• Merge – If you select this option, the backup file supplies data for the VIP names it can match, and all
information for VIPs on the backup but not currently on the appliance. Current Virtual Hosts that are not
part of the backup file will retain their current configuration.
Click Submit to execute the restoration. Email Gateway reads all the configuration data and enters it into
the appliance. The Email Gateway appliance will automatically reboot when the backup is restored.
Clicking the View Log button will open a log window that provides details about the restoration.
Restored data
The data restored by the restoration process is shown in the following table.
Click Run Now to run the test. The window will display a message acknowledging the job. When the job is
finished, you can click View Log File to view a detailed log of the results of the test.
Available updates
Keeping Email Gateway current requires you to find and install the latest updates for a variety of services.
The System program area provides the necessary means for maintaining Email Gateway effectiveness.
The following types of updates are available for download and installation:
Software updates
These updates are intended to provide the latest versions of Email Gateway software to allow you to stay as
current as possible.
Hotfix updates
This type of update is generally intended to fix one or more issues that have been encountered in the Email
Gateway version currently installed.
Anti-Virus updates
These updates provide the latest additions to the signature engines that are licensed on this Email Gateway
appliance.
Pre-configuration updates
Pre-configuration updates are normally installed after a new version of the Email Gateway software, for
example when a new appliance is installed, and are intended to add any improvements that have been
created since the previous software was installed.
Compliance updates
These updates are intended to provide optimum configuration parameters for the Compliance functions.
Mail-IPS updates
These updates provide the most current information for use in preventing intrusions into the mail system.
All these updates can be managed from the Updates window.
Managing updates
The Updates window displays information about installed software and file updates, as well as those
currently available for installation.
Figure 313 Updates window
The figure that follows shows the window populated with Anti-Virus update information. This view illustrates
another capability as well. If you click the name of any installed or available update, the window expands to
show details about that update.
Install
This button carries out a manual installation. You select the update or updates you want to install using the
Select checkbox, then click Install. The update feature will install the updates you have selected. This
method requires that you know any interdependencies among the available updates and your installed
software and that you meet any prerequisites.
Express install
If you use the Express Install button, you do not have to make selections of updates. Email Gateway will
check all updates and the current installation for any interdependencies or requirements and try to resolve
them. It will then install all the available updates that can be safely installed. You do not necessarily have to
know about all interdependencies. If there are conflicts or dependencies that cannot be resolved, some
updates will remain available.
Viewing logs
Clicking the View Log File button opens a new browser window showing the status of the update process. A
sample update log is shown below.
Figure 314 Updates log
Configuring Auto-Updates
Caution: If this Email Gateway appliance is to be managed via an Email Gateway Control Center, please
coordinate with the Control Center Administrator about setting Automatic Updates!
If the Control Center is supposed to pull updates from the McAfee Update Server and then provide them to
managed Email Gateways, Auto-Updates should be set on the Control Center’s Central Management tab
and should be disabled on the Email Gateway appliance itself. If you desire to have the Email Gateway
appliance pull its own updates from the server, enable that functionality on the Email Gateway appliance
and do NOT enable it on the Control Center.
The Configure Auto Updates sub-menu displays the licensed Subscription Services installed on the
appliance. Each Service can be configured to query McAfee’s update server for newly available files. Email
Gateway will automatically download and install any files that become available.
Figure 315 Configure Auto Updates window
When the services are configured appropriately, click Submit to record the configuration.
Support scripts
Use this window to administer any special scripts provided by Technical Support. These scripts can gather
troubleshooting information about the appliance. The scripts are usually provided in an encrypted and
archived format as front-loadable compressed files, and are installed by the customer.
Figure 316 Support Scripts window
2 Log onto Email Gateway and navigate to System | Support Scripts. The Support Scripts window appears.
3 Click Browse.
4 Navigate to the location where you stored the script and select it. The navigation path appears in the Load
a Package field.
5 Click Upload. The support script is extracted and appears in the upper section of the window.
6 Select the Execute check box next to the script you want to run, then click Submit. The script runs, and
the results appear in the lower section of the window.
Note: If you have a problem uploading or running the script, contact Technical Support.
UPS statistics
If Email Gateway is connected to a supported Uninterruptible Power Supply (UPS), it displays useful
information about the status of the UPS. If Email Gateway is not connected to a supported UPS, this page
states that a UPS is not present.
Figure 317 UPS Statistics - window
As is indicated on the screen, you have the option of gracefully shutting down only as much as necessary.
The options on the screen define those features and functions that will be impacted by the restart process.
After Email Gateway is running, never press the reset switch on the front of the appliance until Email
Gateway has been gracefully shut down from within either the graphical Web Administration or Command
Line interface. Pressing the reset switch while Email Gateway is currently running forces Email Gateway to
“hard boot” - a process that will corrupt its internal databases, and render it inoperable. Damage to Email
Gateway’s database will require McAfee’s Technical Support engineers to manually repair and rebuild the
corrupted files.
During the restarting process, a reminder message will display.
Figure 319 Example restart warning message
Manually adjust the time or date by specifying date and time values from the pick lists. After manually
selecting new values, click Save to update Email Gateway.
If a time or date is entered further ahead than the administrative inactivity time-out interval, Email
Gateway will log out all administrators currently logged onto the graphical user interface. Simply log back in
and continue the administrative session as usual. If the time is reset backward, administrators will be
prompted to reboot the appliance in order for the setting to take effect.
Caution: Use extreme caution whenever you manually change the internal Email Gateway time and date more
than one minute from what the NTP time server is reporting. (If NTP server information was provided in Email
Gateway’s Configuration window, Email Gateway automatically synchronizes with the server once every minute.)
Within the next minute after the time is manually changed, the automatic time server synchronization will reset
Email Gateway’s clock again.
Manually changing the internal clock more than one minute ahead or back will also affect Email
Gateway’s queues (for example, Outbound Queue, Content Analysis Queue, and so forth) and mail
services (such as SMTPI Service, SMTPO Service, and so forth). These processes all run on a cycle time —
on average, several times a minute. After processing messages and before going to sleep, they calculate
the time stamp for when they will next wake up to process new messages. If the internal clock is moved
forward one whole day, for example, the queues and services will instruct Email Gateway that their next
wake up time is going to be tomorrow plus nnn seconds (where nnn = the real cycle time). However, one
minute later, the time servers will re-sync Email Gateway’s clock back to today without resetting Email
Gateway’s queues’ and mail services’ wake up time. The queues and services will wait until tomorrow to
wake up and begin processing messages again. Therefore, if the clock is ever manually changed by more
than one minute, always stop and restart each of the queues and services to reset their wake up times.
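The wake-up problem described above, as an added simulation (not McAfee code; the product’s queues are not modelled beyond what the text states): a worker that records its next wake-up as an absolute wall-clock timestamp stalls after the clock is stepped forward and then corrected by NTP, while a worker that schedules against a monotonic clock is unaffected. The clock is a fake object so the scenario runs offline; the 20-second cycle and the one-day step are assumed values.

```python
"""Added example (not McAfee code): simulation of the wake-up problem described
above. Workers that record their next wake-up as an absolute wall-clock timestamp
stall after the clock is stepped forward and then corrected by NTP; a worker that
schedules against a monotonic clock is unaffected. The clock is a fake object so
the scenario runs offline; the cycle time and the size of the step are assumed."""
from dataclasses import dataclass

DAY = 86_400


@dataclass
class FakeClock:
    wall: float = 1_000_000.0   # settable system clock (seconds since epoch)
    mono: float = 0.0           # monotonic clock (only ever advances)

    def tick(self, seconds: float) -> None:
        """Real time passes: both clocks advance."""
        self.wall += seconds
        self.mono += seconds

    def step_wall(self, delta: float) -> None:
        """An administrator or NTP steps the system clock; monotonic is untouched."""
        self.wall += delta


class Worker:
    """A queue or mail service: after each run it sleeps until now + cycle,
    where 'now' is read from whichever clock it was given."""

    def __init__(self, clock: FakeClock, cycle: float, use_monotonic: bool):
        self.clock, self.cycle, self.use_monotonic = clock, cycle, use_monotonic
        self.runs = 0
        self.next_wake = self.now() + cycle

    def now(self) -> float:
        return self.clock.mono if self.use_monotonic else self.clock.wall

    def poll(self) -> None:
        if self.now() >= self.next_wake:
            self.runs += 1
            self.next_wake = self.now() + self.cycle


def simulate(step_forward: float, observe_seconds: int, cycle: float = 20.0) -> dict:
    """Step the clock forward, let the workers reschedule, have NTP step it back
    within a minute, then count runs during the following observe_seconds."""
    clock = FakeClock()
    wall = Worker(clock, cycle, use_monotonic=False)
    mono = Worker(clock, cycle, use_monotonic=True)
    clock.tick(cycle); wall.poll(); mono.poll()        # one normal cycle boundary
    clock.step_wall(step_forward)                      # clock set ahead by hand
    clock.tick(1); wall.poll(); mono.poll()            # wall worker reschedules from the future
    wall_before, mono_before = wall.runs, mono.runs
    clock.tick(60); clock.step_wall(-step_forward)     # NTP re-syncs one minute later
    for _ in range(observe_seconds):                   # poll once per simulated second
        clock.tick(1); wall.poll(); mono.poll()
    return {
        "wall_runs": wall.runs - wall_before,
        "mono_runs": mono.runs - mono_before,
        "wall_seconds_until_wake": max(0.0, wall.next_wake - clock.wall),
    }


if __name__ == "__main__":
    print("clock stepped by one day:", simulate(DAY, 3600))
    print("no clock change:        ", simulate(0, 3600))
```

With a one-day step the wall-clock worker does not run at all during the following hour and still has roughly 23 hours of sleep ahead of it, which is exactly why the guide tells you to stop and restart each queue and service: a restart recomputes the wake-up time from the corrected clock.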
Force Email Gateway to synchronize immediately with an Internet Time (NTP) Server by selecting Sync
with NTP Server. The name of a valid time server must have been entered on the System | Configuration |
Email Gateway page to do this.
Email Gateway writes a timestamp in its database noting when each message enters the Outbound Queue
for delivery. Email Gateway uses this timestamp as a reference for when it can “pick up” messages for
delivery. Therefore, if the clock is set backward and there are currently messages in the outbound queue,
those messages’ delivery will be delayed until Email Gateway’s internal clock “catches up” to the
time-stamp originally entered in the database.
License Manager
The License Manager table shows all Product Licenses that have been installed on Email Gateway. Some of
the Licenses correspond to the tabbed program areas in the Email Gateway interface (for example,
Mail-Firewall, Mail-VPN, and so forth), where others refer to subscription services (for example, Anti-Virus,
Threat Response Updates, and so forth).
Figure 321 License Manager - Update window
Administrators can add licenses or extend the expiration date for product features or services at any time.
(Licenses accumulate—that is, concatenate—on the appliance.)
If a Secure Delivery license is installed after Email Gateway's initial installation, you must log out and log
back in to Email Gateway's Web Administration in order for the Secure Delivery program tab to display in
the top navigation bar of the Web Admin interface. Also, when an anti-virus license expires, it disappears
from the Web Administration interface and its functionality ceases at midnight before the date of
expiration. Anti-virus license renewals should be installed prior to license expiration. If a renewal license is
installed after license expiration, administrators will have to manually re-configure anti-virus settings and
place the Virus Scan Queue back into the Queue Order.
In enterprise environments where Email Gateway Control Centers are managing multiple Email Gateway
slaves, the Control Center is responsible for acquiring and renewing all licenses. The Control Center will
automatically push product feature or service licenses to its Email Gateways.
While administrators were prompted to install a License Key when first running the Email Gateway Initial
Configuration Wizard, they can install additional Licenses in this License Manager window. Paste the key
that McAfee Technical Support issued into the License Number input field and click Submit. The program
area that the key enables is available immediately after logging out of the Web Administration interface
and logging back in.
Resetting keys
You can regenerate and install SSH keys for your Email Gateway appliance using the Reset Keys window.
This action creates new SSH public and private keys and installs them on both the appliance and the Update
Server.
Follow these steps to regenerate the Email Gateway appliance’s SSH keys:
1 Navigate to System | Reset Keys. The Reset Keys - Configure window appears.
3 Click Reset Keys. The action creates and installs the new SSH keys.
For Control Centers that have had keys reset, a new Control Center key must be generated and stored on
the Email Gateways, and the Email Gateways must be re-attached to the Control Center.
If your appliance has no access to McAfee’s Update Server via port 20022, the Reset Keys window provides
a button that allows you to download an encrypted keys file. With your logon ID and password, use the
Product Activation form from Support (https://supportcenter.securecomputing.com/home.php) to
generate/download keys. The form requires your hardware serial number, software serial number, and
hardware identifier. Click Contact Us in the upper right corner of the WebAdmin user interface to obtain
this information.
The Store Control Center Key page contains a Browse button. Use it to navigate to the file containing the
Control Center public key which the Administrator exported and saved to disk. The master/slave
connections can only be mediated through this public key. The key provides for encrypted sessions between
the Control Center and its slaves—a master and slave cannot communicate without it.
After navigating to and selecting the Control Center’s public key file, click Store Control Center Key to
install the Control Center’s public key.
The Reset button clears the Browse navigation input field if Store Control Center Key has not yet been
clicked.
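Before storing a Control Center public key on a slave, confirm out of band with the Control Center administrator that the file is the one that was exported; an SSH-style fingerprint is the usual way to do that. The following is an added example, not McAfee code and not the product’s own key handling. It assumes the exported key is in OpenSSH one-line format (the guide does not state the export format, so the parser may need adapting), and the key it fingerprints is constructed, not a real Control Center key.

```python
"""Added example (not McAfee code): fingerprint an exported public key so it can
be compared out of band before it is stored as the Control Center key.
Assumption: the export is in OpenSSH one-line format ("<type> <base64> [comment]");
the guide does not state the format. The sample key is constructed, not real."""
import base64
import hashlib
import struct


def read_ssh_string(blob: bytes, offset: int):
    """Decode one length-prefixed string from an SSH wire-format blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line: str) -> dict:
    """Split a one-line key and check that the type name inside the base64 blob
    matches the text prefix; a mismatch means a corrupted or hand-edited file."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type mismatch: prefix {key_type!r}, blob {inner_type!r}")
    return {"type": key_type, "blob": blob, "comment": " ".join(parts[2:])}


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_key_text(text: str) -> str:
    """The value to read out to the Control Center administrator for comparison."""
    return fingerprint_sha256(parse_openssh_pubkey(text)["blob"])


def sample_key_line() -> str:
    """Constructed ssh-ed25519 key with a dummy 32-byte point (not a real key)."""
    key_type, point = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(point)) + point
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} control-center-export"


if __name__ == "__main__":
    print(fingerprint_of_key_text(sample_key_line()))
```

Compare the fingerprint computed on the slave side with the one the Control Center administrator computes from the file they exported; only store the key when they agree, since whatever key is stored here is what the master/slave sessions will trust.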
If a Email Gateway appliance is not managed by an Email Gateway Control Center, the Server - Attributes
window displays a message conveying that fact.
2 Accept the default port for Control Center access, or enter the port number you want to use.
Caution: If your Email Gateway is part of an environment that does not enable Support access ( see McAfee
support access in Chapter 35, General System Functions), you must ensure that both Control Center and Email
Gateway use the same port number.
Email Gateway uses the TCP port you configure here for connectivity to the Control Center.
2 Select the Enable FIPS Compliance Verification check box on the FIPS Compliance - Configure window.
Role management for the command line is accomplished at log-in. The user name and password you enter
will be used to verify access rights and permissions.
The commands
Commands consist of a command word followed by one or more parameters. Separate the command word
and the parameters from each other with a single space. Press Enter after the last parameter to execute
the command. The information that appears in the CLI complies with any restrictions or parameters that
have been configured in the GUI. Any restrictions or permissions applicable in the GUI also apply to the CLI.
Furthermore, the amount of information in the detailed logs viewed in the GUI is controlled by the logging
level set in the Email Gateway GUI.
McAfee does not provide customers root access to the appliance; therefore, the CLI has limited shell
capabilities. Many of the commands found in a UNIX environment are not available. Only the following
commands can be executed:
help clear edit reset run set show capture connect system tail test
HELP command
On-screen help can be accessed by typing help. If you type help at the Email Gateway command prompt,
the screen displays the top-level commands that can be used (along with any associated help text). Typing
help before any allowed command word or command string (command word plus parameters) displays
help for that subset.
[Email Gateway]: help
Command Summary
The words appearing on the line below are the top level commands. Type an individual word
to see the parameters for that command. Type 'help <word>' to see help for that command.
help edit wizard connect capture reset run set show system tail test
Commands are composed of a command word followed by one or more parameters. Separate the
command word and parameters from each other with a single space. Press Enter after the
last parameter.
On-screen help is available by typing help. Typing help before any command word displays
help for that command. For some commands, typing help before the command word and
parameters can provide more information.
[Email Gateway]:
EDIT command
The edit command is used to modify specific configuration settings for the parameters interface, host,
route and support. It affects the way Email Gateway appears to and works with clients.
The edit command is used to manage (add/delete/modify):
• Network interface
• Host entries
• Routing table
In addition to these functions, this command can also be used to enable or disable the support access
feature.
Examples showing the syntax for the edit command are shown in the simulated screen shot below.
Command Summary:
edit interface   add
                 modify
                 delete
                 clearpending
     host        add
                 modify
                 delete
     route       setdefault
                 add
                 modify
                 delete
                 clearpending
     support     enable
                 disable
Example:
[Email Gateway]: edit interface
<PRIMARY> IP Address [10.50.1.234]
<PRIMARY> Netmask [255.255.255.0]
<PRIMARY> Select media type from the list, or press ENTER to use default:
0. Default
1. autoselect
2. 10baseT/UTP
3. 10baseT/UTP (full-duplex)
4. 100baseTX
5. 100baseTX (full-duplex)
6. 1000baseTX
7. 1000baseTX (full-duplex)
Media Type (0-7) [0]:
Warning! The setting will affect the way [Email Gateway] works with clients. Are you sure
(Y/N) n
Change has been discarded.
Connect command
The connect command is used to connect to a remote host using SSL/TLS. It is a useful diagnostic tool for
SSL servers. If a connection is established with an SSL server, any data received from the server is
displayed. Because this command only verifies connectivity over the different protocol suites, the session
ends after the connection status is displayed to the user.
Command Summary:
connect secure <ipaddress> <port>
[Secure Mail]: connect secure google.com 443
Which secure protocol you wish to verify?
Press, [1] if HTTPS/STARTTLS
[2] if SMIME/SLAD
: 1
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
verify return:1
[Secure Mail]:
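How to read the connect secure transcript above, as an added example (not McAfee code): the diagnostic prints a depth=N subject line for each certificate in the chain, followed by verify return:1 (that certificate verified against the appliance’s trust store) or verify return:0 (it did not). The parser below checks that every depth verified and that the depth-0 subject’s CN matches the host that was connected to, applying the single-label wildcard rule. Note that in the page’s own example the host given was google.com, which the certificate’s *.google.com does not cover; a host such as www.google.com would. Both transcripts in the block are constructed; the first follows the page’s example and the second is a made-up untrusted-issuer case.

```python
"""Added example (not McAfee code): interpret a 'connect secure' transcript.
The diagnostic prints 'depth=N <subject>' for each certificate in the chain,
followed by 'verify return:1' (that certificate verified) or 'verify return:0'.
This checks that every depth verified and that the depth-0 CN matches the host
that was connected to, with the single-label wildcard rule. Both transcripts
below are constructed (the first follows the page's example)."""
import re

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_RE = re.compile(r"^verify return:(\d+)$")


def parse_chain(output: str) -> list:
    """Return [(depth, subject_fields, verified_ok), ...] in transcript order."""
    chain, pending = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = DEPTH_RE.match(line)
        if m:
            fields = dict(p.split("=", 1) for p in m.group(2).split("/") if "=" in p)
            pending = (int(m.group(1)), fields)
            continue
        m = VERIFY_RE.match(line)
        if m and pending is not None:
            chain.append((pending[0], pending[1], m.group(1) == "1"))
            pending = None
    return chain


def wildcard_match(pattern: str, host: str) -> bool:
    """Leftmost-label wildcard only: *.example.com covers a.example.com,
    but neither example.com itself nor a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".example.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[:-len(suffix)]


def assess(output: str, host: str) -> dict:
    """Summarise whether the chain verified and the leaf name matches host."""
    chain = parse_chain(output)
    leaf = next((fields for depth, fields, _ in chain if depth == 0), {})
    cn = leaf.get("CN", "")
    return {
        "depths": [depth for depth, _, _ in chain],
        "all_verified": bool(chain) and all(ok for _, _, ok in chain),
        "leaf_cn": cn,
        "name_matches": bool(cn) and wildcard_match(cn, host),
    }


# Constructed transcript following the page's example.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
verify return:1
"""

# Constructed failure case: an issuer the appliance does not trust.
SAMPLE_UNTRUSTED = """\
CONNECTED(00000003)
depth=1 /C=US/O=Example Corp/CN=Example Internal CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
depth=0 /C=US/O=Example Corp/CN=mail.example.com
verify return:1
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OK, "google.com"))        # chain verified, but the wildcard does not cover google.com
    print(assess(SAMPLE_OK, "www.google.com"))
    print(assess(SAMPLE_UNTRUSTED, "mail.example.com"))
```

A verify return:0 at any depth means the peer’s chain does not lead to a CA the appliance trusts, and a leaf name that does not match the host you connected to means the certificate was issued for a different name; either is a reason to fix the remote server or the appliance’s trust configuration rather than to proceed.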
Capture command
The capture command dumps the headers of packets on a network interface for later viewing.
This command interactively takes the following user inputs:
• <interface> – the network interface on which to capture.
• <options>:
  -X  When printing hex, print ASCII too. This is very handy for analyzing new protocols.
  -s <snaplen>  Capture snaplen bytes of data from each packet rather than the default of 68. You should
  limit snaplen to the smallest number that will capture the protocol information you are interested in.
  Setting snaplen to 0 means use the required length to catch whole packets.
  -n  Don't convert addresses (host addresses, port numbers, and so forth) to names.
• <expression> – a boolean expression that selects which packets will be dumped. If no expression is
  given, all packets on the net will be dumped; otherwise, only packets for which the expression is “true”
  will be dumped. Refer to the tcpdump documentation for details on writing an expression. The expression
  should begin with a logical operator such as and/or/not, because a built-in expression that describes the
  constraints on the packets that can be captured is prepended to it.
• <file> – write the raw packets to a file rather than parsing and printing them out. Standard output is
  used if file is ‘-’.
After collecting all the required inputs from user, this command dumps the headers of packets on a network
interface that match the <expression>.
Command Summary:
capture network traffic
[Secure Mail]: capture network traffic
Select an IP entry from the following:
ID IP Address Type Netmask
-- ---------- ---- -------
1 10.14.3.9 PRIMARY 255.255.128.0
RUN command
The run command allows you to execute specific tasks on demand. The two tasks permitted are run
clean (to remove expired or deleted messages from a quarantine queue, or expired messages from other
queues) and run reports for a specified date. These tasks can be configured in the GUI to execute daily
without intervention, but the run command allows on-demand execution.
Because it executes a complex SQL query of the MEG database, the run command, whether for cleaning or
reporting functions, will have a significant impact on overall performance. Therefore, this command should
always be scheduled to run at a non-peak utilization period.
The simulated screen below shows the parameters and syntax for the run clean command string. The run
clean quarantine command will clear or delete messages in the quarantine queue that have reached the
time limit specified when the queues are configured. The run clean message command will clear or clean
messages in other queues that have met the configured time limit.
Command Summary:
run clean    message
             quarantine
    reports  <MM/DD/YYYY>
SET command
The set command is used to start, stop, enable and disable Email Gateway services, to configure the serial
port, and to unlock user accounts that have been locked due to excessive failed login attempts. The set
command accepts three parameters: serial, service, and user unlock. Once you enter the command and
first parameter, the screen displays a list of sub-parameters.
Command Summary:
set node     usage
    serial   cli
             ups
    service  enable <SERVICE>
             disable <SERVICE>
             start <SERVICE>
             stop <SERVICE>
    user     unlock <USERNAME>
             attribute
<SERVICE> = Email Gateway Services: smtpproxy, smtpsproxy, smtpo, pop3proxy, pop3sproxy, imap4proxy,
            imap4sproxy, etc.
<USERNAME> = Email Gateway User Account
The set serial command configures the Email Gateway serial port to do one of two things: to allow
connection of a keyboard (console) directly to the appliance, using the cli sub-parameter; or to allow
connection of an uninterruptable power supply, using the ups sub-parameter.
[Email Gateway]:
[Email Gateway]: set serial
*** Invalid command: Usage - set serial [cli|ups] ***
A service can also be disabled in the GUI by deselecting the Autostart option for that service.
[Email Gateway]:
[Email Gateway]: set service
SHOW command
The SHOW command displays:
1. logs from secure mail services
2. events from secure queues
3. network information such as:
a) connections
b) interface
c) routes
d) addresses
e) statistics
f) errors & collisions
g) previous packet captures
4. system message buffer of the kernel
Command Summary:
show log <SERVICE>
show events
show mailroute
show network connections
show network interface
show network route
show network statistics
show network errors
show network buffer
show network capture
show network addresses
show queue
show services
show stats
show hosts
show system disk
show system info
show system process
show system support
show system messages
Type 'help show <command>' to get more information on each of these commands.
Example:
[Email Gateway]: help show log
The 'show log' command is used to view today's, or previous days' logs. To see the list
of services whose logs are available, type 'show log'.
To view today's logs for an individual service, type 'show log <SERVICE>' (where
<SERVICE> is one of the services displayed by the 'show log' command). Appending a '?'
after <SERVICE> displays the dates for previous days' logs. Appending the date after
<SERVICE> displays the log for that day.
Examples:
show log smtpproxy = Show today's smtpproxy log
show log smtpproxy? = Show dates for previous days' logs available
show log smtpproxy 20040101 = Show the smtpproxy log from 1/1/2004
[Email Gateway]:
[Email Gateway]: show log
show log
[ade|admin|alert|backuprestore|checktool|cleanup|ct_admin|ct_audit|ct_euser|ct_swm|
eusrquarantine|imap4proxy|ironwebmail|ldapsync|policyconfiguration|pop3proxy|reports|
sched|schedarchive|schedbackup|schedbayes|schedftp|schednightly|schedrrd|schedupdate|
smtpo|smtpproxy|sshd_cli|statscollector|summary|superq|swmq|trainer|update|
VulnerabilityAssessment|watch] <Date, ? for list, Enter for today>
The show mailroute command displays information about the configured routing for various email
protocols.
[Email Gateway]: show mailroute
*** Invalid command: Usage - show mailroute <IMAP4|POP3|SMTP> ***
[Email Gateway]: show mailroute IMAP4
Protocol Routing Domain Routing Host
-------- -------------- ------------
IMAP4 DEFAULT mail.x3.ctqa.net
IMAP4 x3.ctqa.net mail.x3.ctqa.net
[Email Gateway]:
The show network command shows details about network configuration.
[Email Gateway]:
[Email Gateway]: show network interface
<PRIMARY> interface
Attribute Current Pending
========= ======= =======
IP Address 10.50.1.234 None
Netmasks 255.255.255.0 None
Media Type None None
Status active None
<OOB> interface DISABLED
Attribute Current Pending
The show network errors command displays the state of the network interfaces that are auto-configured.
An asterisk (*) after the interface name indicates that the interface is down. The errors and collisions are
displayed in the last two columns for each interface.
Example:
[Secure Mail]: show network errors
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
bce0 1500 <Link#1> 00:15:c5:f1:8f:92 1328221 0 271024 0 0
bce0 1500 10.14/17 ctdev62 264830 - 270791 - -
bce1* 1500 <Link#2> 00:15:c5:f1:8f:90 0 0 0 0 0
lo0 16384 <Link#3> 3412 0 3412 0 0
lo0 16384 fe80:3::1 fe80:3::1 0 - 0 - -
lo0 16384 localhost.ctd ::1 6 - 6 - -
lo0 16384 your-net localhost 3381 - 3381 - -
[Secure Mail]:
The show network buffer command displays statistics recorded by the memory management routines.
The network stack manages a private pool of memory buffers (mbufs); the output reports the number of
mbufs in use, the number of clusters in use, and the number of mbuf requests that were denied.
Example:
[Secure Mail]: show network buffer
504/786/1290 mbufs in use (current/cache/total)
502/570/1072/25600 mbuf clusters in use (current/cache/total/max)
0/384 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
1130K/1336K/2466K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/6/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
2 calls to protocol drain routines
[Secure Mail]:
The show network capture command displays the files containing previously captured packets and replays the one you select.
Example:
[Secure Mail]: show network capture
**** Available Network Captures ****
netcap-1241465312.cap
netcap-1241465328.cap
Please enter the capture file to play: netcap-1241465312.cap
Playing Network Capture From (-r/ct/data/admin/tmp/netcap/netcap-1241465312.cap)
reading from file /ct/data/admin/tmp/netcap/netcap-1241465312.cap, link-type EN10MB
(Ethernet)
15:28:34.322821 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 1912142067 win 63908
15:28:36.292045 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 0:52(52) ack 1 win 63908
15:28:36.292221 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 52 win 65535
15:28:36.293342 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 1:69(68) ack 52 win 65535
15:28:36.400924 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 69 win 63840
15:28:36.776912 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: P 52:104(52) ack 69 win 63840
15:28:36.777065 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: . ack 104 win 65535
15:28:36.777593 IP ctdev62.ctdev.net.ssh > 10.40.30.3.3006: P 69:121(52) ack 104 win 65535
15:28:36.947840 IP 10.40.30.3.3006 > ctdev62.ctdev.net.ssh: . ack 121 win 63788
[Secure Mail]:
The show network addresses command displays all of the current ARP (Address Resolution Protocol)
entries for the current host. All the network addresses are shown as numbers as opposed to displaying
symbolic addresses.
Example:
[Secure Mail]: show network addresses
? (10.14.0.1) at 00:19:07:a6:e8:00 on bce0 [ethernet]
? (10.14.1.11) at 00:18:8b:32:79:9a on bce0 [ethernet]
? (10.14.1.62) at 00:15:c5:f1:8f:92 on bce0 permanent [ethernet]
[Secure Mail]:
The show queue command displays configuration information about processing order.
[Email Gateway]: show queue
Queue Position and Name
=======================
1 Internal Queues - MIME Ripper
2 Internal Queue - Content Extraction
3 Super Queue
4 Queue - Anti Spam
5 Queue - Virus Scan
The show system command string displays critical information about the Email Gateway system, including
disk status and process statistics.
Command Summary:
show system disk
show system info
show system process
show system support
show system messages
[Email Gateway]:
SYSTEM command
The system command is used to reboot or shut down Email Gateway and to restore the factory settings.
(You can restore the security certificate or the network settings, or disable the ACL on the WebAdmin.)
Restoring factory settings can be used to recover when the Graphical User Interface of Email Gateway Web
Administration has become unavailable due to misconfiguration.
The system command accepts the following parameters: shutdown, reboot, restart, and restore. Restore
accepts these parameters: acl, certificate, and network.
TAIL command
The tail command shows a real-time view of all Email Gateway logs, beginning with the 10 most recent
entries. The command accepts the single parameter log and accepts no additional switches.
The tail log command accepts the additional parameters of the names of Email Gateway logs. Typing tail
log will reveal a list of all available logs.
Command Summary:
tail log <SERVICE>
[Email Gateway]: tail log
tail log
[ade|admin|alert|backuprestore|checktool|cleanup|ct_admin|ct_audit|ct_euser|ct_swm|
eusrquarantine|imap4proxy|ironwebmail|ldapsync|policyconfiguration|pop3proxy|reports|
sched|schedarchive|schedbackup|schedbayes|schedftp|schednightly|schedrrd|schedupdate|
smtpo|smtpproxy|sshd_cli|statscollector|summary|superq|swmq|trainer|update|
VulnerabilityAssessment|watch] <Date, ? for list, Enter for today>
[Email Gateway]:
[Email Gateway]: tail log cfq
Channel2::6:10122004 15:14:50:LOG_STAT_FINAL|6|PUSHED TO NEXT Q
Channel3::7:10122004 15:15:20:LOG_STAT_ATT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_CONT_FIL: {}
Channel3::7:10122004 15:15:20:LOG_STAT_FINAL|7|PUSHED TO NEXT Q
Channel4::8:10122004 16:48:25:LOG_STAT_ATT_FIL: {}
Channel4::8:10122004 16:48:25:LOG_STAT_CONT_FIL: {}
Channel4::8:10122004 16:48:25:LOG_STAT_FINAL|8|PUSHED TO NEXT Q
Channel5::9:10122004 17:05:07:LOG_STAT_ATT_FIL: {}
Channel5::9:10122004 17:05:07:LOG_STAT_CONT_FIL: {}
Channel5::9:10122004 17:05:07:LOG_STAT_FINAL|9|PUSHED TO NEXT Q
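The queue log lines shown by tail log above are easy to read by eye for a handful of messages, but an operator who wants to confirm that every message left a queue needs them in structured form. The following Python parser is an added example, not part of the guide or of McAfee's code. It assumes the date stamp is MMDDYYYY (the other sample output on this page is from October 2004, which fits) and treats the event name, message number and trailing pipe-delimited fields as shown in the transcript; the sample lines are the ones from the tail log cfq transcript.

```python
"""Parse Email Gateway queue log lines as printed by 'tail log <SERVICE>'.

Added example (not McAfee code). Assumption: the stamp '10122004 15:14:50'
is MMDDYYYY HH:MM:SS. Lines that do not match the pattern are skipped.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<channel>Channel\d+)::(?P<msg>\d+):"
    r"(?P<stamp>\d{8} \d{2}:\d{2}:\d{2}):(?P<event>.*)$"
)

# Sample lines taken from the 'tail log cfq' transcript on this page.
SAMPLE_LINES = [
    "Channel2::6:10122004 15:14:50:LOG_STAT_FINAL|6|PUSHED TO NEXT Q",
    "Channel3::7:10122004 15:15:20:LOG_STAT_ATT_FIL: {}",
    "Channel3::7:10122004 15:15:20:LOG_STAT_CONT_FIL: {}",
    "Channel3::7:10122004 15:15:20:LOG_STAT_FINAL|7|PUSHED TO NEXT Q",
    "Channel4::8:10122004 16:48:25:LOG_STAT_ATT_FIL: {}",
    "Channel4::8:10122004 16:48:25:LOG_STAT_CONT_FIL: {}",
    "Channel4::8:10122004 16:48:25:LOG_STAT_FINAL|8|PUSHED TO NEXT Q",
    "Channel5::9:10122004 17:05:07:LOG_STAT_ATT_FIL: {}",
    "Channel5::9:10122004 17:05:07:LOG_STAT_CONT_FIL: {}",
    "Channel5::9:10122004 17:05:07:LOG_STAT_FINAL|9|PUSHED TO NEXT Q",
]


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for one log line, or None if it is not a queue event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # 'LOG_STAT_FINAL|6|PUSHED TO NEXT Q' -> name plus pipe-delimited fields;
    # 'LOG_STAT_ATT_FIL: {}'              -> name plus a single payload.
    head, _, tail = m.group("event").partition("|")
    name, _, payload = head.partition(":")
    if tail:
        fields = tail.split("|")
    else:
        fields = [payload.strip()] if payload.strip() else []
    return {
        "channel": m.group("channel"),
        "message": int(m.group("msg")),
        "time": datetime.strptime(m.group("stamp"), "%m%d%Y %H:%M:%S"),
        "event": name.strip(),
        "fields": fields,
    }


def pushed_to_next_queue(lines: List[str]) -> List[int]:
    """Message numbers whose final status says they left this queue."""
    out = []
    for rec in map(parse_line, lines):
        if rec and rec["event"] == "LOG_STAT_FINAL" \
                and rec["fields"][-1] == "PUSHED TO NEXT Q":
            out.append(rec["message"])
    return out


def stalled_messages(lines: List[str]) -> List[int]:
    """Messages with filter events but no LOG_STAT_FINAL: the ones to look at
    when a queue appears to be holding mail."""
    seen, done = set(), set()
    for rec in filter(None, map(parse_line, lines)):
        seen.add(rec["message"])
        if rec["event"] == "LOG_STAT_FINAL":
            done.add(rec["message"])
    return sorted(seen - done)


if __name__ == "__main__":
    print("pushed:", pushed_to_next_queue(SAMPLE_LINES))
    print("stalled:", stalled_messages(SAMPLE_LINES))
```

Feed it the output of tail log for the queue in question; an empty result from stalled_messages means every message that produced filter events also produced a final status in the window you captured.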
TEST command
The test command is used to test network connections by using different methods, as well as to check
specific server connections. The test command accepts the following parameters: dns, mail, ping, port,
route, and server.
Examples are shown below:
Command Summary:
test dns forward <DNS SERVER IP> <HOSTNAME>
test dns mx <DNS SERVER IP> <DOMAIN NAME>
test dns reverse <DNS SERVER IP> <IP ADDRESS>
test mailroute <MAIL SERVER IP> <SENDER> <RECIPIENT>
test ping <HOST>
test port <IP ADDRESS> <PORT>
test route <DOMAIN NAME>
test server rlb <IP ADDRESS> <RBL SERVER> <DNS SERVER IP> <QUEUE TYPE>
test server sls
test server update
[Email Gateway]:
[Email Gateway]: test server sls
# 10/13/04 11:42:01 EDT /ct/apps/sls/client/conf/map
# Re-resolve names after 13:41:56 Check RTTs after 11:57:01
# 8000.00 ms threshold, -8000.00 ms average 1 total, 1 working addresses
IPv6 off
sls1.ciphertrust.net,-123789 client101
# * 10.50.1.16,-qa1.DCC.ciphertrust ID 1040
# 100% of 32 requests ok 10.85 ms RTT 6 ms queue wait
History command
The history command will display a list of previously run commands. You can execute a previous command
listed in the history by prefixing the number from the list with an exclamation point.
Examples are shown below:
[Email Gateway]:
[Email Gateway]: history
1 history
2 show network interface
3 history
4 history
5 show log
6 show log admin
7 history
Reset command
The RESET command is used to reset:
1 The try count and delivery schedule of undelivered messages that are in the retry schedule. This will not
work for messages in Outbound Quarantine. Multiple domains can be entered using a space separated
format.
2 The network statistics counters. Although only TCP statistics are displayed, all the counters for other
protocols will be reset to zero also.
Command Summary:
reset message smtpo
reset network counters
Appendices
Contents
The subsystems
The alerts
The subsystems
Email Gateway automatically generates a variety of alerts for the following subsystems:
The alerts
The following table lists the alerts Email Gateway is capable of generating.
In ALL file formats for uploads, all the pipe symbols ( | ) are required, even if they delimit empty fields or optional
fields.
Contents
Whitelist rules
Mail Firewall - Allow Relay
Group Manager - Definition
Attachment Analysis
Content Analysis dictionaries
Mail Firewall - Mail Routing
Whitelist rules
If you upload a new whitelist rule, the new rule will overwrite the existing entry.
The whitelist rule file must contain one or more lines in the following format:
who|direction|data|exclude option|entry expiration|anti_spam_bypass|
policy_manager_bypass|antivirus_bypass
The imported entry looks like this example:
1|100|foo.com|0|1|5:1,2|6:1,3,5|7:1,2,3,5
The allowed parameters are:
Allowed queue and bypass IDs are shown in the following table:
Examples
1|100|foo.com|0|1|5:1,2|6:1,3,5|7:1,2,3,5
What it says:
For inbound mail from the domain foo.com: bypass the Sophos and McAfee anti-virus engines; bypass Mail
Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and bypass Reverse DNS, Realtime
Blackhole List, Statistical Lookup Service and System Defined Header Analysis in Anti-Spam. The domain
cannot be excluded, and the entry will not expire.
2|101|0|0|baz.com|5:1,2|6:1,3,5|7:1,2,3,5
What it says
For outbound mail to the domain baz.com: bypass the Sophos and McAfee anti-virus engines; bypass Mail
Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and bypass Reverse DNS, Realtime
Blackhole List, Statistical Lookup Service and System Defined Header Analysis in Anti-Spam. The domain is
not to be excluded, and the rule will be allowed to expire.
4|102|0|0|abcd@foo.com|5:1,2|6:1,3,5|7:1,2,3,5
What it says
For both inbound and outbound mail to the email address abcd@foo.com: bypass the Sophos and McAfee
anti-virus engines; bypass Mail Monitoring, Off Hour Delivery and Content Filtering in Policy Manager; and
bypass Reverse DNS, Realtime Blackhole List, Statistical Lookup Service and System Defined Header
Analysis in Anti-Spam. The email address is not excluded from the rule, and the entry will expire.
Attachment Analysis
The Attachment Analysis rules file should contain at least one row in the following format:
default_value|file_ext_name|is_file|action|action_value|alternative_action|
altenative_action_value|quarantine_type|sender|sender_template|internal_user|
internal_user_template|others|other_email_1|others_template_1|other_email_2|
others_template_2|other_email_3|others_template_3|archival|archival_target
Allowed parameters are:
Examples
1||0|8|||||0||0||0|||||||0|
What it says
This entry is to show as Default, and it is NOT a file. Occurrences should be logged. No notifications will be
sent, and triggering messages will not be archived.
0|test|0|8|||||0||0||0|||||||0|
What it says
This entry is listed as test, and it is NOT a file. Occurrences should be logged. No notifications will be sent,
and triggering messages will not be archived.
0|test|1|6|12|||2|1|2|1|2|1|demo&ciphertrust.com|2|demoto@ciphertrust.com|2|||0|
What it says
This entry is listed as test, and it is a file. Triggering messages will be quarantined for 12 days, with no
alternative actions. The quarantine type is 2. Notifications should be sent to: the sender, using sender
template 2; the internal user, using internal user template 2; and to other users demo@ciphertrust.com
using others template 2, and demo2@ciphertrust.com also using others template 2. Triggering messages
should not be archived.
0|testrt|1|3|wee|6|11|2|1|2|0||1|demo@ciphertrust.com|2|demo2@ciphertrust.com|2|||1|1
What it says
This entry is listed as testrt, and it is a file. Triggering messages will be renamed “wee” with alternative
action of quarantine for 11 days in quarantine type 2. Notifications will be sent to: the sender, using sender
template 2; and to other users demo@ciphertrust.com using others template 2, and
demo2@ciphertrust.com also using others template 2. Triggering messages will be archived to archive
target 1.
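Both the whitelist rule format and the Attachment Analysis rule format above share the rule stated at the top of this appendix: every pipe symbol is required, even around empty or optional fields, so a line with one pipe too few shifts every later field by one position and is rejected or misread on upload. The following Python validator and decoder is an added example, not the guide's or McAfee's code. Field names are copied from the two format headers on this page; the meaning of the numeric IDs (direction 100, 101 and 102, and the bypass sub-IDs of queues 5, 6 and 7) is inferred from the worked whitelist examples, because the ID tables themselves are not reproduced here, and is therefore an assumption.

```python
"""Validate and decode the pipe-delimited upload formats in this appendix.

Added example (not McAfee code). Field names come from the format headers on
this page. The DIRECTION and BYPASS_QUEUES names are inferred from the
whitelist example descriptions (assumption), not from the guide's ID tables.
"""
from typing import Dict, List, Optional, Tuple

# Whitelist rule header: 8 fields, so 7 pipes are required.
WHITELIST_FIELDS = [
    "who", "direction", "data", "exclude option", "entry expiration",
    "anti_spam_bypass", "policy_manager_bypass", "antivirus_bypass",
]

# Attachment Analysis header: 21 fields, 20 pipes (spelling as on the page).
ATTACHMENT_FIELDS = [
    "default_value", "file_ext_name", "is_file", "action", "action_value",
    "alternative_action", "altenative_action_value", "quarantine_type",
    "sender", "sender_template", "internal_user", "internal_user_template",
    "others", "other_email_1", "others_template_1", "other_email_2",
    "others_template_2", "other_email_3", "others_template_3",
    "archival", "archival_target",
]

# Inferred from the three whitelist examples (assumption).
DIRECTION = {100: "inbound", 101: "outbound", 102: "inbound and outbound"}
# queue ID -> (queue name, {sub-ID: bypassed component}); the sub-ID order
# is assumed to follow the order in which the example descriptions name them.
BYPASS_QUEUES = {
    5: ("Anti-Virus", {1: "Sophos", 2: "McAfee"}),
    6: ("Policy Manager", {1: "Mail Monitoring", 3: "Off Hour Delivery",
                           5: "Content Filtering"}),
    7: ("Anti-Spam", {1: "Reverse DNS", 2: "Realtime Blackhole List",
                      3: "Statistical Lookup Service",
                      5: "System Defined Header Analysis"}),
}


def validate(line: str, fields: List[str]) -> Optional[str]:
    """Return an error message, or None when the line has exactly the pipe
    count its format requires. Empty fields are fine; missing pipes are not."""
    expected = len(fields) - 1
    got = line.rstrip("\r\n").count("|")
    if got != expected:
        return f"expected {expected} pipe symbols, found {got}"
    return None


def split_fields(line: str, fields: List[str]) -> Dict[str, str]:
    """Map the line's fields onto the format's field names."""
    err = validate(line, fields)
    if err:
        raise ValueError(err)
    return dict(zip(fields, line.rstrip("\r\n").split("|")))


def parse_bypass(spec: str) -> Optional[Tuple[int, List[int]]]:
    """'6:1,3,5' -> (6, [1, 3, 5]); an empty field means no bypass."""
    if not spec:
        return None
    queue, _, ids = spec.partition(":")
    return int(queue), [int(i) for i in ids.split(",") if i]


def parse_whitelist(line: str) -> Dict:
    """Decode one whitelist rule line into readable form."""
    rec = split_fields(line, WHITELIST_FIELDS)
    out = {
        "who": int(rec["who"]),
        "direction": DIRECTION.get(int(rec["direction"]), "unknown"),
        "data": rec["data"],
        "excluded": rec["exclude option"] == "1",
        # Example 1 on this page describes expiration value 1 as
        # "will not expire" (assumption: 1 means never expire).
        "never_expires": rec["entry expiration"] == "1",
        "bypass": {},
    }
    # The queue ID inside each value identifies the queue, so the three
    # bypass columns are decoded by that ID rather than by column position.
    for col in ("anti_spam_bypass", "policy_manager_bypass", "antivirus_bypass"):
        parsed = parse_bypass(rec[col])
        if parsed:
            qid, ids = parsed
            qname, subs = BYPASS_QUEUES.get(qid, (f"queue {qid}", {}))
            out["bypass"][qname] = [subs.get(i, f"id {i}") for i in ids]
    return out


if __name__ == "__main__":
    print(parse_whitelist("1|100|foo.com|0|1|5:1,2|6:1,3,5|7:1,2,3,5"))
```

Run validate over every line of an upload file before importing it; because an upload overwrites the existing entry, a shifted field is not a cosmetic problem but a changed rule.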
Examples
102|100|TEST|23|1|1|0|0|1|0|101:105|TEST
What it says
Word boundary search for the Regular Expression TEST in the message header. The weight is 23 points per
occurrence. The score is to be included in the dictionary contribution. Count the entry only once per
message. Apply the LOCALE and VERBOSE RegEx flags. The side note is TEST.
101|101|TEST1|23|0|1|0|0|0|33||
What it says
URL search for the URL TEST1 (not including path information) in the message header. The weight is 23
points per occurrence, and the score is not to be included in the dictionary’s contribution. Count the entry
to a maximum of 33 points.
100|101|TEST2|23|0|1|1|1|1|||
What it says
Substring search for the word/phrase TEST2 in the message header, body and attachments. The weight is
23 points per occurrence, and is not to be included in the dictionary’s contribution. Count the entry once
per message.
Examples:
SMTP|ctdev.net|DNS|10.65.1.30|A sample IP side note
What it says
This routing follows the SMTP protocol for the domain “ctdev.net.” The routing type is DNS, hosted at
10.65.1.30. It includes a side note as shown.
POP3|ctdev.net|STATIC|10.65.1.10|Another sample side note
What it says
This routing follows the POP3 protocol for the domain “ctdev.net.” The routing type is STATIC, hosted at
10.65.1.10. It includes a side note as shown.
SMTP|ciphertrust.com|STATIC_OUTBOUND|10.65.1.31|Sample Note #3
What it says
This routing follows the SMTP protocol for the domain “ciphertrust.com.” The routing type is
STATIC_OUTBOUND, hosted at 10.65.1.31. It includes a side note as shown.
SMTP|ctdev.net|ALTERNATE_MX|10.43.1.8|Sample Note #4
What it says
This routing follows the SMTP protocol for the domain “ctdev.net.” The routing type is ALTERNATE_MX,
hosted at 10.43.1.8. It includes a side note as shown.
IMAP4|ciphertrust.com|STATIC|10.34.2.10|Sample Note #5
What it says
This routing follows the IMAP4 protocol for the domain “ciphertrust.com.” The routing type is STATIC,
hosted at 10.34.2.10. It includes a side note as shown.
Contents
Email Gateway actions
Email Gateway action codes
Attachment Analysis
Content Analysis
Miscellaneous policies
501 Message(s) stamped
601 Scheduled delivery delayed until Off-Hour Delivery time
602 Notification message generated by Email Gateway
Anti-Virus
701 No action was taken by Virus Scan Queue
702 Dropped by Virus Scan Queue
703 Attachment extension changed by Virus Scan Queue
705 Repackaged by Virus Scan Queue
706 Virus cleaned by Virus Scan Queue
707 Neglecting file encryption errors (password protection)
708 Part(s) dropped by Virus Scan Queue
709 Quarantined by Virus Scan Queue
710 Virus(es) found by Virus Scan Queue
711 Sweep error(s) detected by Virus Scan Queue
712 File encryption (password protection) detected by Virus Scan Queue
713 Attachment extension changed for sweep error(s) by Virus Scan Queue
714 Attachment extension changed for file encryption (password protection) by Virus
Scan Queue
715 Generic scanning error(s) (sweep) ignored by Virus Scan Queue
716 File encryption error(s) (password protection) passed through by Virus Scan
Queue
717 Generic scanning error(s) (sweep) passed through by Virus Scan Queue
718 Virus detected by Sophos in Virus Scan Queue
719 Virus detected by McAfee in Virus Scan Queue
720 Virus detected by Authentium in Virus Scan Queue
MIME Ripper
801 Dropped by Rip Queue due to parse error(s)
802 Repackaged by Rip Queue due to parse error(s)
803 Quarantined by Rip Queue due to parse error(s)
804 Dropped by Rip Queue due to a mail loop
805 Quarantined by Rip Queue due to a mail loop
806 MIME parse failed. Message(s) delivered to recipient after passing through all
configured queues except Content Filtering Queue
807 MIME parse failed. Message(s) delivered to alternate address after passing
through all configured queues except Content Filtering Queue
1003 Forwarded from a quarantine queue by the Queue Manager user interface
1004 Released from a quarantine queue by the Queue Manager user interface
Corporate Compliance
3201 Logged by Corporate Compliance Queue Profiler
Contents
Process IDs
Queue IDs
Feature IDs
Sub-feature IDs
Default action
Message delivery modes
Message types
Anti-Spam tool IDs
Summary log actions
Message lock values
Message status values
Static rule IDs
Process IDs
The Summary Log file displays an internal ID number used by Email Gateway to identify the many
subsystems that can process a message. The Process ID is displayed in the second pipe-delimited field in
the log. The table below maps the Process ID number to the process's name.
Queue IDs
Email Gateway Queue Services (for example, Envelope Analysis Queue, Anti-Spam Queue, and so forth)
are identified by numbers in Detailed Logs.
Feature IDs
Some of the Email Gateway log files will report a numeric value representing a program feature – that is, a
broad program area in Email Gateway. The table below maps the feature ID number with its program area.
Sub-feature IDs
Some of the Email Gateway log files will report a numeric value representing a “sub-feature”, that is, a
category of the Email Gateway Policy Manager. The table below maps the sub-feature ID number with its
policy category.
Default action
Email Gateway Attachment Analysis and Desktop Encryption Analysis policies both include a default action
value. These show up in Detailed Logs as numeric values. The table below maps the default action number
with the specific actions.
Message types
Email Gateway generates many notification emails to the administrator. These notifications are identified as
numbers in Email Gateway's logs.
Contents
Exchange 5.5 configuration
Exchange 2000 configuration
• Within the left directory tree frame, select Internet Information Server->Default Web
Site->Exchange
• Right click on the Exchange directory branch, then click the Properties option.
• Click the Edit button under the Anonymous Access and Authentication Control section
• Within the left directory tree frame, select Internet Information Server->Default Web Site->
IISADMIN
• Right click on the IISADMIN directory branch, then click the Properties option.
• Click the Edit button under the Anonymous Access and Authentication Control section
• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site->Exchange
• Right click on the Exchange directory branch, and then click the Properties option.
• Click the Edit button within the Anonymous Access and Authentication Control section.
• Within the Authentication Methods window click one option:
• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.
• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers, or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.
• In the Exchange Properties window, click the OK button to close the window.
• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site-> Exchweb
• Right click on the Exchweb directory branch, and then click the Properties option.
• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.
• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers, or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.
• In the Exchweb Properties window, click the OK button to close the window.
• Within the left directory tree frame, click the name of your Exchange 2000 server->Default Web
Site-> IISAdmin
• Right click on the IISAdmin directory branch, and then click the Properties option.
• Click the Edit button under the Anonymous Access and Authentication Control section
• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.
• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers, or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.
• Access page 3 of the “XWEB: Troubleshooting HTTP 401.x Errors in Outlook Web Access” document and
ensure the Exchange 2000 administrator has added the necessary access rights for:
• Access This Computer From the Network access (essential for remote access)
• After all changes have been made, the Exchange 2000 administrator should stop and restart the Exchange
2000 server. It would be sufficient to stop and restart the IIS Manager, but so many services depend on
the IIS Manager that it is easier to restart the server.
Tip: For information about configuring WebMail protection, see Chapter 23, WebMail Protection in this
Administration Guide.
• Within the left directory tree frame, click the name of your Exchange 2007 server->Default Web
Site->Exchange
• Right click on the Exchange directory branch, and then click the Properties option.
• Click the Edit button within the Anonymous Access and Authentication Control section.
• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.
• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers, or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.
• In the Exchange Properties window, click the OK button to close the window.
• Within the left directory tree frame, click the name of your Exchange 2007 server->Default Web
Site-> Exchweb
• Right click on the Exchweb directory branch, and then click the Properties option.
• Click the Edit button within the Anonymous Access and Authentication Control section.
• On the Directory Security tab, click the Edit button within the IP Address and Domain Name
Restrictions window.
• In the IP Address and Domain Name Restrictions window, click the Grant Access radio button. If
needed, you can also click the Add button to enter any computers, groups of computers, or domains to
which you want to deny OWA access. After all changes have been made, click the OK button on the IP
Address and Domain Name Restrictions window to save your changes.
• In the Exchweb Properties window, click the OK button to close the window.
• After all changes have been made, the Exchange 2007 administrator should stop and restart the Exchange
2007 server. It would be sufficient to stop and restart the IIS Manager, but so many services depend on
the IIS Manager that it is easier to restart the server.
Tip: For information about configuring WebMail protection, see Chapter 23, WebMail Protection in this
Administration Guide.
Contents
Special characters in email addresses
Compressed file types
! # $ % & ' * + - / = ? ^ _ ` { | } ~
• disk doubler – dd
• UU encoded – uu
• UNIX Compress – z
• GZ Compress – gz
• TAR – tar
Contents
About action precedence
General action precedence
Precedence in specific Email Gateway features
3 Threshold Preference
4 Action Precedence - highest triggered action applies, based on the hierarchy discussed below.
Feature order
Feature order is set under the Queue Manager tab (Queue Manager | Configure Queues). In that
window you set the order messages follow as they are processed by Email Gateway. When the message
triggers a rule in any of the enabled features, that feature takes the configured action. If the rule requires
you to set a threshold, and if you have configured more than one rule (each with its own threshold and
action), the queue will take the action associated with the highest threshold (see Threshold
preference, below). Further processing for the message is determined by the action.
• If the action taken by the current queue is a terminal action as indicated in Table 324, Email Gateway will
do no further processing.
• If the action is a non-terminal action, the current queue will take the action and the message will proceed
to the next queue.
Policy level
Policies are applied in the following order based on their level of application:
• User
• Domain
• User Group
• Domain Group
• Global
If a message triggers both a globally-applied policy and a policy applied to a single domain, the domain
action will take precedence.
Example: Email Gateway processes a message that triggers two rules. It triggers a user rule that requires
an action of copy and a domain group rule that requires an action of quarantine. Email Gateway will copy
the message to the configured email address. The quarantine action will not be taken.
Threshold preference
Equal policies are applied based upon the first threshold triggered, evaluated from the highest to the lowest
(applicable only for Spam Profiler and Image Analysis). When a threshold is matched, Email Gateway acts
on the message using the associated rule. There is no further evaluation.
• Non-terminal actions - action is taken and processing through other features and queues continues (but
might be delayed, as in the case of quarantined messages).
Note: Not all actions are applicable for all features. The order in specific features appears later in this appendix.
When a message conforms to multiple rules, more than one action can be taken on the message. There are
situations when all the actions cannot be performed. Specific features follow processes as outlined below.
If SpamProfiler is enabled:
All enabled spam features will evaluate messages before SpamProfiler’s evaluation. If a SpamProfiler rule is
matched and SpamProfiler is positioned higher than any of the individual features that are also matched,
Email Gateway will act based on the SpamProfiler rule. Otherwise, the highest individual spam feature will
take the action. If you want SpamProfiler to control the action Email Gateway takes, it must be in the first
position in the feature order. From the perspective of policy precedence, SpamProfiler is treated like any
other individual spam feature.
Attachment Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.
• If both Secure Delivery and Forward actions are triggered for a message, the Forward action will cause
the original message to be deleted, and it will not be available for Secure Delivery. Therefore, Secure
Delivery has a higher precedence than Forward in the action codes. Other actions, such as Copy, Subject
Rewrite, and so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the
conflict when the actions belong to different policies; comparison of action codes resolves it if the rules
belong to the same policy.
• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.
• Policy attribute comparison resolves conflicts that occur when Drop Part and Rename actions are defined
against the same attachment extension or filename. These are part-level actions, so only one of them can
be performed. Drop Part outranks Rename. The same process occurs for Pass Through and Drop Part
actions; Drop Part outranks Pass Through.
• Policy attribute comparison occurs to resolve conflicts arising from two Rename actions on the same
extension. This comparison is required since the part can be renamed to either of the action data values.
• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute, Drop, or Quarantine forever – and the other is an action in (4) or (5). A Copy action in a policy
applied to a user will override a Reroute action applied to a group.
• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.
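The policy-level order, the terminal actions and the Attachment Analysis comparison rules above are easy to misapply when several rules fire at once. The following Python resolver is an added example, not the guide's or McAfee's implementation: it encodes the rules as stated in this appendix (policy attribute comparison with system-defined before user-defined and User before Domain before groups before Global; Reroute, Drop and Quarantine forever ending processing; the longest finite quarantine period winning; Drop Part over Rename over Pass Through; Secure Delivery over Forward) so that an administrator can check by hand which action a given set of triggered rules should produce. Action codes are not reproduced from the guide, so conflicts inside one policy are resolved only with the named rules (assumption).

```python
"""Resolve conflicting actions triggered on one message.

Added example (not McAfee code) encoding the precedence rules stated in this
appendix. Action codes are not modelled; only the named rules are applied.
"""
from dataclasses import dataclass
from typing import List, Optional

# Policy levels in their order of application, most specific first.
LEVEL_ORDER = ["User", "Domain", "User Group", "Domain Group", "Global"]

# After these actions the message is not available to any later action.
TERMINAL = {"Reroute", "Drop", "Quarantine forever"}

# Part-level actions on the same attachment: only one can be performed.
# The guide ranks Drop Part above Rename and Rename above Pass Through.
PART_LEVEL_RANK = {"Drop Part": 3, "Rename": 2, "Pass Through": 1}


@dataclass(frozen=True)
class Rule:
    level: str                              # one of LEVEL_ORDER
    action: str                             # "Copy", "Quarantine", "Drop", ...
    system_defined: bool = False            # system-defined beats user-defined
    quarantine_days: Optional[int] = None   # finite Quarantine only


def policy_rank(rule: Rule) -> tuple:
    """Policy attribute comparison key (lower wins): a system-defined policy
    overrides a user-defined one, then the more specific level wins."""
    return (0 if rule.system_defined else 1, LEVEL_ORDER.index(rule.level))


def resolve(rules: List[Rule]) -> List[str]:
    """Actions actually taken on one message, sorted by name."""
    if not rules:
        return []
    best = min(policy_rank(r) for r in rules)
    # Only the winning policy's rules apply; a Quarantine or Reroute in a
    # lower-precedence policy is not taken (the guide's Copy examples).
    winners = [r for r in rules if policy_rank(r) == best]

    # Reroute, Drop and Quarantine forever end processing on their own.
    for r in winners:
        if r.action in TERMINAL:
            return [r.action]

    taken = set()
    # Several finite Quarantine rules: the periods are compared, not the
    # action codes, and the longest period is applied.
    if any(r.action == "Quarantine" for r in winners):
        days = max(r.quarantine_days or 0 for r in rules if r.action == "Quarantine")
        taken.add(f"Quarantine ({days} days)")

    # Conflicting part-level actions: keep the highest ranked one.
    parts = [r.action for r in winners if r.action in PART_LEVEL_RANK]
    if parts:
        taken.add(max(parts, key=PART_LEVEL_RANK.__getitem__))

    # Other actions combine (Copy, Subject Rewrite, Secure Delivery, ...),
    # except that Forward deletes the original, so Secure Delivery outranks it.
    others = {r.action for r in winners
              if r.action != "Quarantine" and r.action not in PART_LEVEL_RANK}
    if "Secure Delivery" in others:
        others.discard("Forward")
    taken |= others
    return sorted(taken)


if __name__ == "__main__":
    # The guide's own example: a user-level Copy beats a domain-group Quarantine.
    print(resolve([Rule("User", "Copy"),
                   Rule("Domain Group", "Quarantine", quarantine_days=5)]))
```

To reproduce the worked example under Policy level, call resolve with a User rule whose action is Copy and a Domain Group rule whose action is Quarantine: only Copy is returned, matching the guide's statement that the quarantine action is not taken.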
Content Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.
• If both Secure Delivery and Forward actions are triggered for a message, the Forward action will cause
the original message to be deleted, and it will not be available for Secure Delivery. Therefore, Secure
Delivery has a higher precedence than Forward in the action codes. Other actions, such as Copy, Subject
Rewrite, and so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the
conflict when the actions belong to different policies; comparison of action codes resolves it if the rules
belong to the same policy.
• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.
• Policy attribute comparison resolves conflicts that occur when Drop Part and Replace/Prefix actions are
defined against the same dictionary. These are part-level actions, so only one of them can be performed.
Drop Part outranks Replace/Prefix. The same process occurs for Replace and Prefix actions; Replace
outranks Prefix.
• Policy attribute comparison occurs to resolve conflicts arising from two Replace or Prefix actions on the
same dictionary. This comparison is required since the part can be replaced or prefixed based on either
of the action data values.
Is there any sort of general rule or parameter to decide which value wins in this case?
• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute, Drop, or Quarantine forever – and the other is an action in (4) or (5). A Copy action in a policy
applied to a user will override a Reroute action applied to a group.
Can you explain what the italicized text in the paragraph above is saying? What does “in (4) or
(5)” mean?
• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.
Envelope Analysis
• Policy attribute comparison is performed to resolve conflicting actions. In this comparison, a
system-defined policy will override a user-defined policy, a policy applied to a user will override a policy
applied to a group, and a higher action code will override lower codes.
• If both Secure Delivery and Forward actions are triggered for a message, the Forward action could cause
the original message to be deleted (if the forward rule is on the sender or the subject, or all recipients are
removed), and the original message will not be delivered securely. Therefore, Secure Delivery has a
higher precedence than Forward in the action codes. Other actions, such as Copy, Subject Rewrite, and
so forth, can be applied with Secure Delivery. Policy attribute comparison resolves the conflict when the
actions belong to different policies; comparison of action codes resolves it if the rules belong to the same
policy.
• When multiple Quarantine rules with finite quarantine days are triggered, policy attribute comparison is
done to select one. This comparison checks the quarantine periods rather than the action codes. The
longer quarantine period is applied.
• Policy attribute comparison is necessary between two rules when one of them is one of the following three
– Reroute or Drop configured on the sender or subject, or Quarantine forever – and the other is an action
from (4) through (10). A Log action in a policy applied to a user will override a Reroute action applied to
a group.
Can you explain what the italicized text in the paragraph above is saying? What does “from (4)
through (10)” mean?
• Policy attribute comparison is performed between two rules when either of them is one of the following
three: Reroute, Drop, or Quarantine forever. If the action is one of these, that action is performed, and
all other actions are ignored. The reason for this is that, in the case of Reroute, the message will not be
available for Join Queue to perform any other actions, or, in the case of Drop, the message is deleted. If
the action is Quarantine forever, the message will go to Join Queue, but Join Queue will take no action.
This is not the case when the message is quarantined for a specific number of days.
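The precedence rules described in the Attachment, Content Analysis and Envelope Analysis bullets above, written out as one resolver. This is an added example, not the appliance's own code: the numeric action codes, the Triggered record layout, and the choice to let a Reroute, Drop or Quarantine forever suppress everything else (the last bullet of each section) are assumptions, and only the orderings the text states (system-defined over user-defined, user over group, higher code over lower, Drop Part over Rename/Replace/Prefix/Pass Through, Replace over Prefix, Secure Delivery over Forward, longer quarantine over shorter) are taken from the guide.

```python
from collections import defaultdict
from dataclasses import dataclass

# Actions that end Join Queue processing: Reroute (message leaves the queue),
# Drop (message is deleted), Quarantine forever (queued, no further action).
TERMINAL = {"Reroute", "Drop", "QuarantineForever"}
PART_LEVEL = {"Prefix", "Replace", "Rename", "PassThrough", "DropPart"}

# Assumed action codes: the guide says a higher code outranks a lower one but
# does not publish the numbers, so only the ordering below comes from the text
# (Drop Part > Replace > Prefix, Drop Part > Rename / Pass Through,
# Secure Delivery > Forward).
ACTION_CODE = {
    "Prefix": 1, "PassThrough": 1, "Replace": 2, "Rename": 2, "DropPart": 3,
    "Log": 1, "Copy": 2, "SubjectRewrite": 3, "Forward": 4, "SecureDelivery": 5,
    "Quarantine": 6, "Reroute": 9, "Drop": 9, "QuarantineForever": 9,
}


@dataclass(frozen=True)
class Triggered:
    """One rule that fired for a message (record layout is assumed)."""
    action: str
    policy: str                 # rules of the same policy share this name
    system_defined: bool = False
    scope: str = "group"        # "user" or "group"
    target: str = ""            # extension or dictionary for part-level actions
    data: str = ""              # rename target, replacement text, quarantine days


def rank(t):
    """Policy attribute comparison first, action code second.

    System-defined beats user-defined, user scope beats group scope, then the
    higher action code wins. max() keeps the first of equal-ranked rules, which
    is the case (two Renames on one extension) the guide leaves unspecified.
    """
    return (t.system_defined, t.scope == "user", ACTION_CODE[t.action])


def resolve(triggered):
    """Return the rules whose actions are actually performed."""
    terminal = [t for t in triggered if t.action in TERMINAL]
    if terminal:
        # one of Reroute / Drop / Quarantine forever: all other actions ignored
        return [max(terminal, key=rank)]
    winners = []
    # finite quarantine: the longer period wins, action codes are not compared
    qtn = [t for t in triggered if t.action == "Quarantine"]
    if qtn:
        winners.append(max(qtn, key=lambda t: int(t.data)))
    # Forward can delete the original, so it cannot coexist with Secure Delivery
    exclusive = [t for t in triggered if t.action in ("Forward", "SecureDelivery")]
    if exclusive:
        winners.append(max(exclusive, key=rank))
    # remaining message-level actions (Copy, Subject Rewrite, Log, ...) all apply
    handled = {"Quarantine", "Forward", "SecureDelivery"} | PART_LEVEL
    winners.extend(t for t in triggered if t.action not in handled)
    # part-level actions: only one can run per extension / dictionary
    by_target = defaultdict(list)
    for t in triggered:
        if t.action in PART_LEVEL:
            by_target[t.target].append(t)
    for target in sorted(by_target):
        winners.append(max(by_target[target], key=rank))
    return winners


if __name__ == "__main__":
    # constructed scenario: a user-scoped Forward against a group-scoped
    # Secure Delivery, plus two part-level actions on the same extension
    fired = [
        Triggered("Forward", "UserPolicy", scope="user"),
        Triggered("SecureDelivery", "GroupPolicy"),
        Triggered("Copy", "GroupPolicy"),
        Triggered("DropPart", "GroupPolicy", target="exe"),
        Triggered("Rename", "GroupPolicy", target="exe", data="blocked.txt"),
    ]
    for t in resolve(fired):
        print(t.policy, t.action, t.target)
```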
Contents
About text filtering
File types from which Email Gateway can extract content
Contents
What is Compliance Trainer?
Running the Compliance Trainer setup
Starting Compliance Trainer the first time
Using the Compliance Trainer interface
The Email Gateway (Secure Mail) appliance uses training files to help train itself to better filter corporate email and
ensure that your compliance needs are met. Users select and upload confidential and non-confidential files
to be used as training files on the Email Gateway (Secure Mail) appliance.
Note: administrators should have already configured their compliance options on the Email Gateway (Secure Mail)
appliance before allowing users to submit training documents via the Compliance Trainer.
Terminology
This guide is intended for both administrators and users of the Compliance Trainer. It assumes you are
familiar with federal or state compliance categories that can apply to your company. Common compliance
categories are:
• CIPA (Children's Internet Protection Act)
• Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act)
• SB 1386 (California Information Practice Act), the Health Insurance Portability and Accountability Act
(HIPAA), and the Sarbanes-Oxley Act (SOX)
This guide also assumes you have a basic knowledge of computer and network terminology. You should
also be familiar with the internet and its associated terms and applications. Please take a few minutes to
become acquainted with this document.
Refer to the Email Gateway (Secure Mail) Administration Guide for more information about Compliance.
• IP address of the Email Gateway (Secure Mail) appliance that will receive the training files
• Email address for the Email Gateway (Secure Mail) appliance that will receive training emails (example:
train@yourdomain.com)
• List of compliance categories already configured on the Email Gateway (Secure Mail) appliance in .txt
format
The first time you run Compliance Trainer, you will be taken through a setup process to help you configure
your default settings.
1 To begin your setup, double-click the Compliance Trainer icon. The Welcome window appears.
This portion of the wizard will help you configure the default settings for Compliance Trainer.
3 Type the IP address or hostname of the Email Gateway (Secure Mail) appliance that is to receive the
training files. For example, 10.16.10.100 or ice.scur.com.
5 When you have finished adding hosts, click Next. The Import Categories window appears.
This window is used to import the list of categories that have already been configured on the Email
Gateway (Secure Mail) appliance.
Other administrator defined categories might include internal use only documents such as employee
payroll spreadsheets or patent application documents. Users should have received a .txt file containing
a list of categories from their Email Gateway (Secure Mail) administrator.
7 Navigate to the location of your category .txt file and click Open.
The list of categories will appear in the list window. For this example, we have included only one
category - HIPAA-PHI.
8 Click Next. The File Filter configuration window appears. This window displays the list of the default file
types for the training files. You can accept the defaults, edit a file filter, or add a new file filter.
If your training file types are already listed, you can simply accept the default settings.
a In the Display name field, type the display name of the file type. For example, OPEN OFFICE.
b In the Extension field, type the extension for the file type. For example, ODS. Note that you can add
multiple types by inserting a semi-colon between the types. For example, ODS;SXW.
c Click Add.
b Click Remove.
9 When you are finished with the File Filter Configuration window, click Next. The Training File List
Configuration window appears.
Figure 336 Training file list
This window allows you to specify the individual training files that are either confidential or
non-confidential.
10 Click Browse next to the Confidential Training File List field. A Browse window appears.
12 Navigate to the folder containing the file you want to use for training.
13 Select the file you want to use for confidential training, then click Open.
Note: If you are going to use multiple files of different types, you must select them individually by type. For
example, if you are going to use Excel and Word documents, select all the Excel documents, then select all of
the Word documents.
16 Navigate to the folder containing the file you want to use for training.
17 Select the file you want to use for non-confidential training, then click Open.
18 The files selected will appear in their respective fields on the window.
This window is used to set the training schedule on the Email Gateway (Secure Mail) appliance. Two
methods are available – hourly or detailed.
c Check the box(es) next to the time(s) you want in the schedule.
20 When you have finished setting your training schedule, click Next. The Set host, category, and training files
window appears.
In this window, select and save the host and training files that are to be scheduled for training. You
must select at least one host and one training file.
b Select the IP address/hostname of the host you want to schedule. (Already scheduled hosts will appear
with a green highlight.)
The categories you have selected appear in the Categories window and the training files you have
specified appear in their respective Confidential and Non-confidential windows.
c In both the Confidential and Non-confidential windows, select the file names of your training
documents. If you have multiple documents, click Select All under each of these windows.
Installation and setup are now complete and you can modify your configuration to suit your needs.
Functional areas
Different areas of the window provide different functions to help you manage your compliance files. The
functional areas are:
• Select files via the key combination of Ctrl+click or Shift+click to select multiple files.
Note: To view and choose files of a different type, simply choose a different type from the file type drop-down
box.
• Drag and drop – drag a particular file from list and drop it into the training file list.
• Drag and drop – drag a particular folder and drop it into the training file list. This will cause all of the files
that have the same type as specified in the filter list to be added to the training file list.
• Select a filename from the name list, then click the Add Files action button.
• Type the existing name of the file in the File Name field, then click the Add Files action button.
• Select the filename shown in the Insert Files window, then click the Add Files action button.
• Clear Selection – Clears the selections but does not remove them from the list.
• Check for File Changes – Checks for files that have been renamed or moved.
• Load Files – Loads the training files to be sent to the Email Gateway (Secure Mail) server, but does not
send them.
2 Select the hostname or IP address of the Email Gateway (Secure Mail) appliance where the training files
should be placed.
Figure 346 Files ready to load
3 Click Load. The files will be loaded and the main window will re-appear.
4 Click the No button to display the non-confidential files you have listed.
6 Select the hostname or IP address of the Email Gateway (Secure Mail) appliance where the training files
should be placed.
9 In the File list pane, highlight the file to be used for training. Note that the Send button is now enabled.
10 Click Send.
Note the Status area. It will display pertinent information about your file transfer.
Figure 349 Status area
Repeat steps 4 through 10 (changing the confidentiality setting in step 4 to Yes or No as appropriate) to
complete uploading your training files to the server.
If your uploads are successful, you have completed transferring your training files and you can exit the
program.
Contents
About events
Event classes
Events
About events
Event logging tracks and records each mail flow action Email Gateway takes. It records each individual
action as an event in binary format; each log message is an event.
Email Gateway identifies events at three levels:
• Transactions – each of the three mail flow components (SMTPI, SuperQueue, and SMTPO) can generate
events.
• Event classes – a range of ID numbers belongs to each of the transaction components. Events are grouped
into classes by their ID numbers.
• Events – each defined event has a unique ID number that makes identifying and tracking specific events
easier.
Event classes
Email Gateway categorizes events using the following event class number ranges.
Events
Email Gateway logs a variety of events, which can be subdivided by ID numbers as shown below for easier
identification.
Note: Some events require arguments (Args), as shown in the tables that follow. If an event requires an
argument, the description is followed by a dash (-).
Anti-spam events
Table 331 Anti-spam general events
Event ID Event Description
513 AS_FAIL_RFC822WRAPPER Cannot create RFC822 wrapper object.
514 AS_CNTTRKR_START Spam hourly count tracker thread started.
515 AS_CNTTRKR_HR Inserting counts for hr -
516 AS_CNTTRKR_SLEEP Spam hourly count tracker thread sleeping for
3600 secs.
Anti-virus events
Table 332 Anti-virus general events
Event ID Event Description
769 AV_CONFIG Configuration of engine: -
770 AV_CONFIG_NO (No configuration options)
771 AV_CONFIG_ITEM Item <key:val> -
772 AV_ERR_SCAN Virus engine internal error <engine:errcode> -
773 AV_SKIP_ALERT Alerts not configured. Skipping alert generation.
774 AV_RIP_FAIL MIME parsing failed for the message. AV
engine(s) will scan the whole message instead of
the parts.
775 AV_RIP_OK AV engine(s) will scan the individual parts.
776 AV_SKIP_PART Part is message/rfc822. Skipping virus scanning
... part: -
777 AV_PART_STAT -
778 AV_XTN_OVERRIDE_RIPFAIL Error occurred on a MIME parse failed message.
Will not do Extension Override tests ... -
Bayesian events
Table 334 Bayesian events
Event ID Event Description
1281 BAYES_BYPASS Bayesian Filtering bypass for message ID: -
1282 BAYES_TRAIN-CAP Can train up to files for HAM?SPAM.
<number-files:type> -
1283 BAYES_EUSR_OFF Bayes Trainer on end user reporting turned off.
Skipping file for training -
1284 BAYES_FAIL Bayesian Filtering failed for message ID: File is
larger than specified limit. Assigning default
score: <msgid:score> -
1285 BAYES_SCORE Bayesian Filtering was successful. Score details: -
1286 BAYES_CLUES Bayes clues: -
1287 BAYES_MODE_WAIT Bayesian retraining is configured for WAIT mode.
1288 BAYES_MODE_PICK Bayesian retraining is configured for PICK mode.
1289 BAYES_CANTADD_MAX Can’t add message to training directory. Already
have maximum number of messages!
1290 BAYES_ADD File added to the directory for Bayesian training.
<file:dir> -
1291 BAYES_ADD_NOT No rfc822 attachments found! End user
SPAM/HAM reporting only works for rfc822
attachments!
DSpam events
Table 340 DSpam events
Event ID Event Description
2817 DSPAM_MON_STOP Lexanad monitor: stopped.
2818 DSPAM_AVAIL Lexanad monitor: lexanad available.
2819 DSPAM_NOTAVAIL Lexanad monitor: lexanad not available...
2820 DSPAM_START Lexanad monitor: lexanad started...
2821 DSPAM_STOP Lexanad monitor: stopped.
2822 DSPAM_SKIP_DUP Skipping the message in file (has already been
trained for lexanad): -
2823 DSPAM_SKIP_NOTPEND Skipping the message in file (not yet in pending
status): -
2824 DSPAM_TRAIN_SPAM Trained spam file:
<file:probability:confidence:result> -
2825 DSPAM_TRAIN_HAM Trained ham file:
<file:probability:confidence:result> -
2826 DSPAM_TRAIN_END Lexana Training completed. Trained x ham and y
spam. <ham:spam> -
2827 DSPAM_FAIL Adaptive Analysis failed for Message ID: -
2828 DSPAM_OK Adaptive Analysis was successful.
<probability:confidence:result:signature> -
2829 DSPAM_OK_BATCH Lexical Analysis OK: -
2830 DSPAM_FAIL_BATCH Lexical Analysis FAILS -
2831 DSPAM_FAIL_RECV Recv failed! -
2832 DSPAM_FAIL_SEND Send failed! -
2833 DSPAM_FAIL_CONN Connection to Lexanad failed! Bailing.
2834 DSPAM_OK_CONN Connection to Lexanad successful.
2835 DSPAM_CMD Lexanad Control command -
2836 DSPAM_EMB_PERIOD Lexical Analysis found embedded period(s) in
text -
2837 DSPAM_TRAIN_HAM_FAILED Training FAILED for ham file -
2838 DSPAM_TRAIN_SPAM_FAILED Training FAILED for spam file -
Encryption events
Table 341 Encryption events
Event ID Event Description
3073 ENCR_ENABLED Encryption Server enabled.
3074 ENCR_PROC_ST Encryption Processing started for msg <Msg ID>
-
3075 ENCR_PROC_OV Encryption Processing completed for msg <Msg
ID> -
3076 ENCR_HOSTNAME_ERR Can't start SWM. No external host name
available for vip. <VIP ID> -
3077 ENCR_SEC_LNK_MSG_LIMIT_ERR Sec Link MSG Limit Reached. No Link created for
msg <Msg ID> -
3078 ENCR_SEC_ENV_MSG_LIMIT_ERR Sec Envelope MSG Limit Reached. No Envelope
created for msg <Msg ID> -
3079 ENCR_DOM_PARSE_ERR Error occurred while parsing Domain list for
<Msg Id>:<Rcpt to> -
3080 ENCR_USER_INSERT_ERR Inserting User failed <Rcpt to>:<Error> -
SpamProfiler events
Table 342 ESP events
Event ID Event Description
3329 ESP_RULES ESP policies, Thresholds <policies:ruleid> -
3330 ESP_NOLIST Filter list for ESP is empty.
3331 ESP_NOPOLICY Applicable ESP policies not defined.
3332 ESP_SCORE_ISC ESP_ISC score -
3333 ESP_NOCF_DICT CF in ESP not performed. Dictionaries not
enabled.
3334 ESP_NOCF_ENCR CF in ESP not performed. Message is
signed/encrypted.
3335 ESP_NOCF_SF CF in ESP not performed. Content Filtering not in
sub feature list.
3336 ESP_CF_DEF MIME parsing failure, using default confidence
value for CF in ESP: -
3337 ESP_CF_START ----Content Filtering in ESP - Begin----
3338 ESP_CF_END ----Content Filtering in ESP - End----
3339 ESP_SCORE ESP total points for Message ID: <esp:msgid> -
3340 ESP_TRAIN_ADD Message was added to training directory.
3341 ESP_TRAIN_NOT Message was NOT added to training directory.
3342 ESP_SCORE_DETAILS ESP individual score details for Message ID:
<esp:msgid> -
3343 ESP_OUTRANGE_CONFI Confidence value is not in range 0-100: -
General events
Table 345 General events
Event ID Event Description
4097 IM_EXCEPTIO -
4098 LOG_STAT -
4099 CONNECT_BASE Connecting to
<BindHost:ConnectHost:ConnectPort> -
4100 OUTBD_DNS_SERVERS Channel will use per-vip user configured
outbound DNS servers <servers> -
4101 INBD_DNS_SERVERS Channel will use per-vip user configured
inbound DNS servers <servers> -
4102 SMTPC_ERR_STARTTLS STARTTLS failed <code:resp> -
4103 SMTPC_ERR_CONN Connect error in HELO: -
4104 SMTPC_ERR_MF Mail From - Sender Refused:
<from:to:code:msg> -
4105 DOS_ATTACK DOS attack detected. Closing connection...
4106 WAIT_DB Waiting to get a Database Handle...
4107 READ_CONFIG Reading configuration data...
4108 READ_ALLTABLES Base Class readAllTables()
4109 CHARSET_NOTFOUND Unable to find the charset associated with the
mibenum x. Exiting the process. -
4110 SIGINT_CALLED SIGINT called.
4111 SIGHUP_CALLED SIGHUP called.
4112 SIGTERM_CALLED SIGTERM called.
4113 SIGUSR1_CALLED SIGUSR1 called.
4114 SIGUSR2_CALLED SIGUSR2 called.
4115 ACCEPT_BAD_ADDR Invalid socket received from accept method.
Quitting connection...
4116 CREATE_CHANNEL -
LDAP events
Table 350 LDAP events
Event ID Event Description
5377 LDAP_START Starting to monitor unavailable LDAP profiles.
5378 LDAP_TEST Beginning to test LDAP profile -
5379 LDAP_TEST_OK LDAP profile test successful. Making the profile
available...
5380 LDAP_TEST_FAIL Issues with LDAP profile <issue:err:profile> -
5381 LDAP_END Monitoring unavailable LDAP profiles
completed.
5382 LDAP_RCPT_GRP The recipient address belongs to the following
domain groups (IDs) -
5383 LDAP_RULES LDAP rules to be used for evaluation -
Message events
Table 355 MSS events
Event ID Event Description
6657 MSS_QTN_CLONE QTN message Details
ID||FILENAME||FROMADDR||TOADDR
<msgid:filename:fromaddr:toaddr> -
6658 MSS_QUEU_COMMAND QUEU COMMAND RECEIVED
<mailfrom:frm_addr:rcptList:rcptLineList:ipa
ddress:msgtype:ehloDomain:notifysender:for
gedDomain> -
6659 MSS_DEL_MSGS Deleting messages and files ... <msgids:files>
-
6660 MSS_ERR_QORDER getQueueOrder failed. Backing out of message
creation
6661 MSS_MARK_ARCHIVAL Message is inbound and global archiving is
enabled. Marking for archival to Profile Id -
6662 MSS_ERR_INSERTMSG Insert message failed. Backing out of message
creation
6663 MSS_ERR_ADDACTION Insert into ct_action_bak failed for forged
domain action for msg Id: -
6664 MSS_DETAILS Message Details
ID||FILENAME||FROMADDR||TOADDR|VIPID
<msgid:filename:fromaddr:toaddr:vip> -
6665 MSS_CREATEMSG Created new Message ID and File
<msgid:file> -
6666 MSS_ERR_INSERTDOMS Failed to insert domain records. Message
dispatch failed.
6667 MSS_DROP_COMMAND DROP COMMAND RECEIVED
<msgId:msgFileName> -
6668 MSS_ERR_DECODEUTF8 errString -
Notification events
Table 356 Notification events
Event ID Event Description
6913 NOTIF_ERR_QUEUECONT cmd_queu_cont failed.
6914 NOTIF_ERR_EMPTYRCPT Cannot generate notification as the rcpt is
empty
6915 NOTIF_CHANGE_HDR Change Header done.
6916 NOTIF_USE_DEFTMPL The original template for the rule has been
deleted. Defaulting to the system defined
template for -
6917 NOTIF_CUSTOM_STOP customNotification, Stop
6918 NOTIF_RCPTS notify_rcpts is -
6919 NOTIF_RCPTS_NOMATCH None of the users match the notification
condition
6920 NOTIF_SINGLE_STOP singleNotification: Stop
6921 NOTIF_ERR_SETLOCALE Could not convert date for locale -
6922 NOTIF_ERR_DECODEUTF8_DATE Could not decode date to utf8 -
SMTPI events
Table 364 SMTPI events
Event ID Event Description
9217 SI_INVALID_PATTERN Invalid address pattern in the configuration.
Skipping .... -
9218 SI_EMPTY_PATTERN_LIST Empty pattern lists. Address Pattern Matching
will not take effect.
9219 SI_INVALID_WL_ADDR Invalid address in White list for Pattern
Match. Skipping .... -
9220 SI_CURRENT_LOAD Current load as calculated from the database
(number of messages) -
9221 SI_LOAD_THROTTLE_SLEEP Load throttling encountered, will sleep for x
seconds
<sleep:current_load:max_msg_limit> -
9222 SI_CHANNELS_CREATED Created channels -
9223 SI_CLEAN_DNSCACHE Cleaning DNS cache
9224 SI_WARN_NO_DNSSERVER Warning: No working DNS server in your configured
server list.
9225 SI_CLEANUP_SMTPB4POP Starting cleanup of smtpb4pop data.
9226 SI_COUNT_IN SMTP In Count -
9227 SI_COUNT_OUT SMTP Out Count -
9228 SI_COUNT_DROP SMTP Dropped Count -
9229 SI_CONN_STATS_UPDATED Connection details update completed ...
9230 SI_CONN_STAT -
9231 SI_CONN_REJECT_STATS -
9232 SI_FAIL_OPEN_TSFILE Failed to open ts hit file. IP hit counter update
failed. -
9233 SI_PROCESS_START Processing started.
9234 SI_PROCESS_END Processing completed.
9235 SI_CONNECTION_INFO ChannelID:ThreadID:Source
IP:Port:Destination IP:Port -
9236 SI_CONNECTION_ACCEPT Connection accepted.
9237 SI_MSG_INCOMPLETE Incomplete message transmission.
9238 SI_MSG_SIZE_OVER_LIMIT Message size exceeds the limit. Message not
queued. -
9239 SI_MSG_Q_FAILED Database/File System issues. Message
queuing failed.
SMTPO events
Table 365 SMTPO events
Event ID Event Description
9473 SO_PICKED Num messages picked -
9474 SO_OUTBOUND Channel outbound flag -
9475 SO_MAX_RETRY Max retry attempts -
9476 SO_MSG_START Starting to process msgid -
9477 SO_ENCR_START This is an Encryption Server Box (SWD) and
msg type is -
9478 SO_ENCR_END Finished processing SWM message
9479 SO_ENCR_REDIRECT Redirect one or more domains to SWM
server. Will re-pick msgid -
9480 SO_MSG_END Finished processing msgid -
9481 SO_DOM_PROCESS Processing Domain -
9482 SO_PROCESSED_LOCK Already processed, skipping
domain:msgid:msglock -
9483 SO_CONF_DNS_SERVERS Channel will use per-domain user configured
DNS servers. Host -
9484 SO_AUTH_RET_CODE Return Code <code &/ msg> -
9485 SO_AUTH_PASSED SMTP Auth Passed -
9486 SO_DOM_LOOKUPS_UNUSED -
9487 SO_CONN_BLOCK_TO Block timeout in seconds -
9488 SO_CONN_MX Connecting to MX -
9489 SO_CONN_ADR Connecting to A -
9490 SO_RECONN_TIME Timed out on connection attempts.
domain:timeout:status -
9491 SO_VIP_HOST Channels Vip vipid:bindhost -
9492 SO_CONN_STATUS Connection Status <status> -
9493 SO_DM_SMIME The messages for the domain are S/MIME
encrypted. Connection might get established
non secured. Domain -
9494 SO_DM_PGP The messages for the domain are PGP
encrypted. Connection might get established
non secured. Domain -
Sender ID events
Table 366 Sender ID events
Event ID Event Description
9729 SPF_BYPASS SenderID Lookup bypass for Message ID: -
9730 SPF_ALLOW_RELAY IP is in allow relay, SenderID lookup
bypassed.
9731 SPF_RESULT SenderID Result for PRA MTA Status
Explanation:
<pra:spfresult0:spfresult1:spfresult2> -
SuperQueue events
Table 367 SuperQueue events
Event ID Event Description
9985 Q_PAUSE_SET Pausing the Queue through Monitor channel
9986 Q_PAUSE_RESET Resetting pause for the Queue through
Monitor channel
9987 Q_PAUSE_RELEASE Releasing the Queue through Monitor channel
9988 Q_NO_SENDDOMAIN Sending domain not available, From address
is: -
9989 Q_FW_TYPES Message data -
9990 Q_GROUP_ID User - GroupID info -
9991 Q_GROUP_NAME Group ID - Name -
9992 Q_GET_RULES Applied Policies, Applied Rules:
<policies:rules> -
9993 Q_QTNREMOTE_SELF Remote system specified points to self.
Proceeding with local quarantine -
9994 Q_QTNREMOTE_REROUTE Re-routed to EUQ server for quarantine -
9995 Q_QTNREMOTE_NOT Remote system not specified. Proceeding with
local quarantine
9996 Q_ARCHIVE_NOPROF Profile Id not found. Abandoning archiving for
Message Id: <profile:msgid> -
9997 Q_ARCHIVE_NOTO Could not replace the To field. Message might
be corrupt. Cannot archive message to target
-
9998 Q_ARCHIVE_MSG Archiving message to -
9999 Q_ARCHIVE_MARK Marking message for archival to -
10000 Q_POLICY_RULES Policies -
10001 Q_VH_RELATIONS Policy application to Virtual Hosts -
10002 Q_DICT_RECONFIG_CFGSTART Dictionary data reconfig. Wait on channels
begin.
10003 Q_DICT_RECONFIG_CFGSTARTED Dictionary data reconfig. Channels
suspended.
10004 Q_DICT_RECONFIG_CFGDONE Dictionary data reconfig. Channel release
begins.
10005 Q_CLEANUP_STARTPREV Cleaning previous run activity...
10006 Q_CLEANUP_PREV Picked/ST mode messages <msgids> -
10007 Q_CLEANUP_INQTN Messages in Quarantine <msgids> -
10008 Q_CLEANUP_CHKQTN Checking for complete quarantine information
for the messages....
10009 Q_CLEANUP_QTNCOMPL Cleaning live information for msgs as the
information is complete in quarantine
<msgids> -
10010 Q_CLEANUP_QTNINCOMPL Cleaning quarantine information for msgs as
information in quarantine is incomplete
<msgids> -
10011 Q_CLEANUP_STARTSTFAILURES Handling Single Thread Mode Failures...
TrustedSource events
Table 368 TrustedSource events
Event ID Event Description
10241 TS_BYPASS TrustedSource bypass for Message ID: -
10242 TS_ZOMBIE Zombie detected
10243 TS_LKUP_TO TrustedSource lookup timed out
10244 TS_FINGER_MSG Fingerprinting message
<ehlo-dom:subj:msgid> -
10245 TS_REPPER repper response: -
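The "Events" section above says events are grouped into classes by ID number but the class range table did not survive extraction; the following added example (not McAfee code) reconstructs the grouping from the first ID of each table in this chapter and runs a small triage over constructed log lines. The assumptions are: each class is a 256-wide block (513 = 2*256+1 for Anti-spam, 769 = 3*256+1 for Anti-virus, and so on, which holds for every table above), the text line layout "component id name text" (the appliance's real log is binary), and the severity labels attached to events a defender would want surfaced.

```python
import re
from collections import Counter

# Class number -> name, derived from the first event ID in each table of this
# chapter. The 256-wide block assumption is inferred from those starting IDs.
EVENT_CLASS = {
    2: "Anti-spam", 3: "Anti-virus", 5: "Bayesian", 11: "DSpam",
    12: "Encryption", 13: "SpamProfiler", 16: "General", 21: "LDAP",
    26: "Message", 27: "Notification", 36: "SMTPI", 37: "SMTPO",
    38: "Sender ID", 39: "SuperQueue", 40: "TrustedSource",
}

# Events from the tables worth alerting on rather than only counting. The IDs
# and names are the guide's; the severity labels are an assumption.
WATCH = {
    4105: ("high", "DOS_ATTACK"),
    4102: ("medium", "SMTPC_ERR_STARTTLS"),
    9493: ("medium", "SO_DM_SMIME"),
    9494: ("medium", "SO_DM_PGP"),
    9238: ("low", "SI_MSG_SIZE_OVER_LIMIT"),
    10242: ("medium", "TS_ZOMBIE"),
    5380: ("low", "LDAP_TEST_FAIL"),
}

# Constructed sample lines in the assumed layout "<component> <id> <name> <text>".
SAMPLE_LOG = """\
SMTPI 9236 SI_CONNECTION_ACCEPT Connection accepted.
SMTPI 4105 DOS_ATTACK DOS attack detected. Closing connection...
SMTPO 4102 SMTPC_ERR_STARTTLS STARTTLS failed - 454:TLS not available
SuperQueue 9992 Q_GET_RULES Applied Policies, Applied Rules: - 3:17
SMTPO 9493 SO_DM_SMIME The messages for the domain are S/MIME encrypted. Connection might get established non secured. Domain - example.net
SMTPI 9238 SI_MSG_SIZE_OVER_LIMIT Message size exceeds the limit. Message not queued. - 52428800
"""

LINE_RE = re.compile(r"^(?P<comp>\S+)\s+(?P<id>\d+)\s+(?P<name>[A-Z0-9_]+)\s+(?P<text>.*)$")


def classify(event_id):
    """Return (class name, offset inside the class) for an event ID."""
    cls, offset = divmod(event_id, 256)
    return EVENT_CLASS.get(cls, "unknown"), offset


def parse_line(line):
    """Parse one constructed log line; None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    eid = int(m["id"])
    cls, offset = classify(eid)
    return {"component": m["comp"], "id": eid, "name": m["name"],
            "class": cls, "offset": offset, "text": m["text"]}


def triage(log_text):
    """Count events per class and collect (severity, id, name, text) alerts."""
    counts = Counter()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev["class"]] += 1
        if ev["id"] in WATCH:
            severity, expected_name = WATCH[ev["id"]]
            if ev["name"] != expected_name:
                # an ID carrying a different name than the table lists is
                # either a parser problem or a tampered line: raise it
                severity = "high"
            alerts.append((severity, ev["id"], ev["name"], ev["text"]))
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    for cls, n in sorted(counts.items()):
        print(f"{cls:14} {n}")
    for severity, eid, name, text in alerts:
        print(f"[{severity}] {eid} {name}: {text}")
```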