© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Email Security Appliance
Appliance Evaluation and Deployment
Chris Porter

One Armed Deployment with Private Address
The original public IP and MX record are kept. A firewall rule maps the public address to a private address on the C-Series (destination NAT). Internal groupware servers route outgoing mail to this private IP address. There is no need to place the appliance inside a DMZ.
[Diagram: Internet -> Cisco ASA 5500 or equivalent (NAT: public IP XXX.XXX.XXX.XXX -> 192.168.10.56) -> C-160 at 192.168.10.56, one physical interface with one public IP and one listener that accepts both incoming and outgoing mail -> mail server at 192.168.10.101. An optional management network on Data 2 is not shown.]
Caveat: the NAT rule must translate only the destination address. If the firewall also rewrites the source address, every inbound connection appears to come from the firewall, and SenderBase reputation and HAT sender-group matching, both keyed on the connecting IP, stop working.

One Armed Deployment with Public Address
Use case: map a single MX record to a public IP address held by the appliance itself and forward mail to a hosted mail backend.
[Diagram: Internet -> C-160 on public IP XXX.XXX.XXX.XXX, one physical interface with one public IP and one listener accepting incoming and outgoing mail -> Cisco ASA 5500 or equivalent -> mail server at 192.168.10.56.]

Considering your Evaluation Options
Virtual Evaluation: an on-demand virtual evaluation environment for the C-Series
• Preferred option
• Fast to deploy
• Cost effective
A 30-Day Hardware Installation Evaluation
• Typical for enterprise engagements
• Necessary where performance cannot be easily gauged
The Evaluation Process
1. Identify the Customer’s Hardware
2. Identify the Customer’s Functional specs
3. Identify the Network Topology
4. Gather Installation Information
5. Perform the Installation

Identify the Customer's Hardware Requirements
The following are general performance numbers (MPH = messages per hour):
C160  ~ 43,000 MPH
C360  ~ 68,000 MPH
C660  ~ 108,000 MPH
X1060 ~ 118,000 MPH
The base guideline accounts for SenderBase reputation + Anti-Spam (AS) + Anti-Virus (AV) + Virus Outbreak Filters (VOF).
Additional customer filtering requirements (content filters, DLP, encryption) may require derating these guidelines, typically by 10% - 40%.

Identifying the Customer's Functional Needs
Which of the following features are needed?
Incoming Mail Handling
• IronPort Anti-Spam
• Sophos or McAfee Anti-Virus
• IronPort Virus Outbreak Filters
• Recipient Validation via LDAP
• Content Filters
Outgoing Mail Handling
• Sophos or McAfee Anti-Virus
• Encryption
• Data Leakage Protection (DLP)
• Content Filters
End User Spam Quarantine
• Safelist/Blocklist
• Spam Quarantine Notifications
• End User Access to Spam Quarantine via LDAP

Identifying the Customer's Current Topology
[Diagrams of the starting topologies the appliance may replace or join: an email server with its own anti-spam; an email gateway with anti-spam in front of the email server; a firewall only; an email gateway in the DMZ; and an email gateway with a firewall (the most common).]

Gathering Installation Information
Network Information
• Network settings
• DNS settings
• NTP settings
Mail Information
• Incoming mail: Recipient Access domains; IP addresses of groupware servers
• Outgoing mail: IP addresses allowed to relay
• Monitoring addresses: alert recipient; scheduled report recipient
Directory Information
• LDAP server type
• IP address / hostname
• Port number
• Base DN
• Credential info (a read-only bind account is sufficient for recipient validation and quarantine access)

Configuring Firewall Settings
[Diagram: the IronPort C-Series (192.168.10.103) sits in the DMZ between the Internet and the intranet. Four rule sets are needed: from the Internet to the IronPort (SMTP, port 25); from the IronPort to the Internet (SMTP, DNS, NTP, IronPort HTTP updates; DNS and NTP may instead point at internal servers); from the IronPort to the intranet LAN (SMTP to the groupware servers, LDAP); and from the intranet LAN to the IronPort (SMTP from the groupware servers, administrator access).]
A detailed list is part of your Pre-install Checklist.

Firewall Settings
[Table of firewall rules; not reproduced in the transcript.]
Staging the Installation (Virtual Eval)
1. Complete the "ESA Pre-Installation Worksheet" available on the Channel Portal
2. Download the relevant Install Guide for the C-Series hardware from the Support Portal
3. Verify your IT Structures account and setup
4. Allocate the Eval instance
5. Power Up the appliance
6. Perform installation based on Customer information in the "IronPort ESA Evaluation Configuration Guide"
Staging the Installation (C-160)
1. Complete the "ESA Pre-Installation Worksheet" available on the Channel Portal
2. Download the relevant Install Guide for the C-Series hardware from the Support Portal
3. Verify that your installation parts are present
4. Rack the appliance
5. Connect the Ethernet cable
6. Power Up the appliance
7. Perform installation based on Customer information in the "IronPort ESA Evaluation Configuration Guide"

The Cisco IronPort C-160
[Photo of the C-160 with the labelled connections: Data 1, Data 2, Power, Serial Interface.]

Sample Installation
[Diagram: Internet -> Cisco ASA 5500 or equivalent (public IP XXX.XXX.XXX.XXX on the outside, 192.168.10.103 on the inside) -> Data 1 interface of the appliance; Data 2 connects to the Exchange mail server at 172.20.0.10; the Mgmt (management) interface, 192.168.42.42 by default, carries admin HTTP/HTTPS access.]
Data 1 interface
• The interface hostname will be the same as the MX record
• It is the first email hop in the enterprise

System Setup Wizard
System Administration > System Setup Wizard
[Screenshot]
System Setup Wizard (continued)

System Setup Review
[Screenshot of the setup review]

Verifying Port 25 to Internet and Intranet
From the appliance CLI, open a raw SMTP connection to a remote MTA on the Internet and to each internal mail server, then close it:
telnet 192.168.10.200 25
quit
telnet 172.20.0.20 25
quit
telnet 172.20.0.10 25
quit
Look for:
• Connection
• SMTP Banner (the 220 greeting)
A connection that opens but never shows a banner usually means an intermediate device (for example firewall SMTP inspection) is intercepting the session rather than a closed port.
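The telnet check above, scripted as an added example (this is not code from the Cisco deck): it opens the TCP connection, reads the greeting including multi-line 220- continuations, sends QUIT and reports whether the connection and the banner both looked right. The host list mirrors the deck's diagram (192.168.10.200, 172.20.0.20, 172.20.0.10); the demo talks to a constructed fake MTA on localhost so it runs offline, and its banner text is made up.

```python
"""Port-25 reachability and SMTP banner check (added example, not Cisco code).

Automates "telnet <host> 25 / quit": connect, read the 220 greeting,
send QUIT, report. DECK_HOSTS are the deck's hosts; demo() uses a
constructed fake MTA on 127.0.0.1 so the script works offline.
"""
import socket
import socketserver
import threading

DECK_HOSTS = ["192.168.10.200", "172.20.0.20", "172.20.0.10"]  # remote MTA, internal mail servers


def check_smtp_banner(host, port=25, timeout=5.0):
    """Connect, read the greeting (220- continuation lines included), send QUIT.

    Returns {"host", "port", "connected", "banner", "ok"}. ok is True only
    when the TCP connect succeeded AND the greeting ended with a 220 line;
    a device that accepts the connection but withholds or mangles the
    banner shows up as connected=True, ok=False.
    """
    result = {"host": host, "port": port, "connected": False, "banner": "", "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            reader = sock.makefile("rb")
            lines = []
            while True:
                line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
                if len(line) < 4 or line[3] != "-":      # "220-" continues, "220 " ends
                    break
            result["banner"] = "\n".join(lines)
            result["ok"] = bool(lines) and lines[-1].startswith("220")
            sock.sendall(b"QUIT\r\n")
            try:
                reader.readline()                        # 221 Bye; ignored
            except OSError:
                pass
    except OSError as exc:                               # refused, reset, timed out
        result["banner"] = ("no banner: " if result["connected"] else "connect failed: ") + str(exc)
    return result


class _FakeMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server: greets, answers QUIT, nothing else."""
    greeting = b"220 mx1.scu.com ESMTP\r\n"

    def handle(self):
        self.wfile.write(self.greeting)
        if self.rfile.readline().upper().startswith(b"QUIT"):
            self.wfile.write(b"221 Bye\r\n")


def start_fake_mta(greeting=_FakeMTA.greeting):
    """Serve the fake MTA on 127.0.0.1 at a free port; returns (server, port)."""
    handler = type("Handler", (_FakeMTA,), {"greeting": greeting})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """A good banner versus a closed port (what a missing port-25 rule looks like)."""
    server, port = start_fake_mta()
    try:
        good = check_smtp_banner("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    bad = check_smtp_banner("127.0.0.1", port, timeout=2.0)   # nothing listens there any more
    return good, bad


if __name__ == "__main__":
    print(demo())
    for deck_host in DECK_HOSTS:          # the real check, run from a host with the deck's addressing
        print(check_smtp_banner(deck_host))
```

Run it from the appliance's network position (or from a host behind the same firewall rules) rather than from your desk: the point of the slide is to test the rule sets, so the source address of the test has to be the one the rules apply to.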
Verifying MX Records & Access to Updates

Tracking Individual Emails
You can quickly determine the exact location of a message by using the Message Tracking feature.
Tracking must be explicitly enabled.
Creating Email Reports Reporting in AsyncOS involves three basic actions:
• Create Scheduled Reports to be run daily, weekly, or monthly
• Generate a report immediately (“on-demand” report).
• View archived reports (both scheduled and on-demand).

Controlling the SMTP Connection
[Diagram (SMB install): a sender on the Internet (Joel at outside.com, IP 64.12.193.85, SenderBase data SBRS = -2.7) connects to the Incoming Mail Listener (192.168.10.110). The listener checks the connection against the HAT, the envelope (mail from / rcpt to, recipient Jerry) against the RAT, and then passes the message (envelope, header, body) to anti-spam before delivery to exchange.juliet.com.]

Defining HAT Operation (Outgoing Mail)
[Diagram: Jerry's message leaves exchange.juliet.com (172.20.0.10) through the Incoming Mail Listener (192.168.10.110) to Joel at outside.com (64.12.193.85, with its SenderBase data) on the Internet; oldname.com is also shown. The internal server's connection is classified by the HAT like any other, and must match a RELAYLIST sender group for the listener to relay its mail outbound.]

Using Mail Flow Policies in the HAT
HAT for an Incoming Mail Listener (one Data interface); sender groups are evaluated top to bottom and the first match decides the policy:
Sender Group Name    Mail Flow Policy
RELAYLIST            RELAYED
WHITELIST            TRUSTED
BLACKLIST            BLOCKED
SUSPECTLIST          THROTTLED
UNKNOWNLIST          ACCEPTED
ALL                  ACCEPTED

Policy Name   Action   Inbound Throttling   Anti-Spam   Anti-Virus
RELAYED       RELAY    NO                   NO          YES
TRUSTED       ACCEPT   NO                   NO          YES
BLOCKED       REJECT   N/A                  N/A         N/A
THROTTLED     ACCEPT   YES                  YES         YES
ACCEPTED      ACCEPT   NO                   YES         YES

Matching Domains to HAT Sender Groups
HAT matching happens at the TCP connection stage, before anything in the SMTP session or the message content is seen:
TCP Connection: 192.168.10.200,12345 (mail1.from.com) -> 192.168.10.103,25 (mx1.scu.com)
SMTP Session:
  EHLO from.com
  MAIL FROM:<[email protected]>
  RCPT TO:<[email protected]>
  RCPT TO:<[email protected]>
  DATA
Content Headers:
  Received: from mail1.from.com (1.2...
  Subject: Hello
  From: "Joe" [email protected]
  To: "User One" [email protected]
  To: "User two" [email protected]
Message Body: Hello,
Identify senders by their IP addresses:
• Complete address
• Partial address
• CIDR block
• Range of addresses
• SenderBase score for an address
• Validated domain name (PTR + A record)
• Partial domain name
• DNS list lookup

Matching Domains to HAT Sender Groups (continued)
Sender Group Entry          Meaning
192.35.195.42               Full IP address
216.255.128.                Partial IP address: matches any IP address beginning with this string
216.255.128-159.            Range of IP addresses
216.255.128.0/19            CIDR address block
AOL.COM                     A fully-qualified domain name
.mx.AOL.COM                 Everything within the partial host domain
SBRS[-10.0:-7.0]*           SenderBase Reputation Score range
dnslist[bl.spamcop.net]*    DNS list query against the list's DNS server
ALL                         Special keyword that matches all addresses
* This syntax is only used in the CLI; DNS lists and SenderBase Reputation Score ranges are handled in the GUI using different syntax.
Domains listed by FQDN must have valid PTR records: the appliance matches the reverse-DNS name of the connecting IP, and only when that name verifies (its A record points back to the connecting IP). A domain entry therefore silently stops matching if the sender's reverse DNS breaks.

Creating New Mail Flow Policies
Example: the default HAT settings are not correctly limiting domains with SBRS between -3 and -1.
Solution: create an alternate Mail Flow Policy.
[Diagram: senders New_BP.com and Outside.com on the Internet connecting to the Incoming Mail Listener (192.168.10.103); internal hosts oldname.com and exchange.charlie.com.]

Creating New Mail Flow Policies (continued)
Mail Policies Tab > Mail Flow Policies > Add Policy
Settings for LIMITED:
• Connection Behavior = Accept
• Custom SMTP Banner Text = "Your messages are being limited"
• Max Recipients / hour = 50

Changing a Sender Group's Mail Flow Policy
Mail Policies Tab > HAT Overview > Suspect List > Edit Settings
Enable Connecting Host DNS Verification for SUSPECTLIST

Unblocking a Preferred Sender
Example: add a new business partner to the sender group WHITELIST.
[Diagram: NewBP.com, SBRS = -4, connects from the Internet to the Incoming Mail Listener (192.168.10.103) for outside.com and is currently caught by the BLACKLIST.]
Note: the WHITELIST Mail Flow Policy skips all anti-spam processing (anti-virus still runs). This should be considered a temporary measure only. Prefer listing the partner's sending IP addresses or CIDR block over its domain name: a domain entry only matches while the partner's PTR record verifies, and it stops matching as soon as their reverse DNS changes.

Using the Mail Policies Tab to Edit the HAT
Example: click to add a trusted sender to the WHITELIST sender group of the IncomingMail listener.
[Screenshot with numbered steps.]

Using the Recipient Access Table (RAT)
Each RAT entry takes one of three actions:
• Accept recipient
• Reject recipient
• Accept recipient and bypass throttling
The RAT is applied only to SMTP conversations that have an "Accept" connection behavior; it is evaluated per RCPT TO, after the HAT has classified the connection.
[Same sample session as on the HAT matching slide: TCP connection from 192.168.10.200,12345 (mail1.from.com) to 192.168.10.103,25 (mx1.scu.com); EHLO, MAIL FROM and two RCPT TO commands; then the headers and body.]

How the RAT Matches on Recipients
Recipient Syntax          Match On
example.com               Everything just at example.com
.example.com              Everything within the .example.com domain
division.example.com      A fully-qualified domain name
Less common usages:
User@domain               Complete email address
User@                     Anything with the given username
User@[192.168.10.200]     Username at a domain literal address (square brackets required)
Q: When do you add to the RAT? A: When you acquire a new domain.

Specifying New Recipients in the RAT
Problem: users in domain notes.charlie.com cannot receive mail.
Fix: notes.charlie.com needs to be in the RAT.
[Diagram: a message from a sender at new_bp.com on the Internet to a user at notes.charlie.com reaches the Incoming Mail Listener (192.168.10.103), which serves oldname.com and exchange.charlie.com, and is rejected by the RAT because notes.charlie.com is not listed. Outside.com is shown as another external sender.]

Configuring the Recipient Access Table
[Screenshot with numbered steps.]

Adding a New RAT Entry
Recipient          Action
scu.com            ACCEPT
notes.scu.com      ACCEPT
oldname.com        REJECT (with custom SMTP message)
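The recipient syntax from the "How the RAT Matches on Recipients" slide and the three-entry table above, modelled as an added example in Python (not appliance code). The table is the deck's scu.com / notes.scu.com / oldname.com entries plus two constructed lines (a postmaster@ entry that bypasses throttling and a closing ALL REJECT); the recipient addresses and SMTP reply texts are constructed. Passing a RAT without the notes.scu.com line reproduces the "users in notes.charlie.com cannot receive mail" slide: an exact domain entry does not cover its subdomains.

```python
"""Recipient Access Table matching (added example, not appliance code).

Models the RAT recipient syntax (example.com, .example.com, division.example.com,
user@domain, user@, user@[ip-literal]) and the three actions, applied per
RCPT TO. First matching entry wins. Table rows beyond the deck's three,
all recipients and all SMTP reply texts are constructed.
"""
ACCEPT, REJECT, ACCEPT_NO_THROTTLE = "ACCEPT", "REJECT", "ACCEPT (bypass throttling)"

# Entries are (pattern, action[, custom SMTP response]). The closing ALL line
# is what makes the table a whitelist of hosted domains.
RAT = [
    ("postmaster@", ACCEPT_NO_THROTTLE),                 # constructed: abuse desk, never throttled
    ("scu.com", ACCEPT),
    ("notes.scu.com", ACCEPT),                           # exact match: scu.com alone does not cover it
    ("oldname.com", REJECT, "550 oldname.com is no longer hosted here"),
    ("ALL", REJECT),
]


def rat_entry_matches(pattern, local_part, domain):
    """Apply one RAT pattern to an already-split, lower-cased recipient address."""
    p = pattern.lower()
    if p == "all":
        return True
    if "@" in p:                                         # the "less common" user-based forms
        p_user, p_domain = p.split("@", 1)
        if p_user != local_part:
            return False
        # "user@" matches any domain; "user@domain" and "user@[1.2.3.4]" need the exact
        # domain or domain literal, brackets included.
        return p_domain == "" or p_domain == domain
    if p.startswith("."):                                # ".example.com": anything within that domain
        return domain.endswith(p)
    return domain == p                                   # "example.com" / FQDN: that name only


def evaluate_rcpt(rat, rcpt_to):
    """Return (action, smtp_response) for one RCPT TO argument such as "<user@scu.com>"."""
    addr = rcpt_to.strip().strip("<>").lower()
    if "@" not in addr:
        return REJECT, "501 5.1.3 Bad recipient address syntax"
    local_part, domain = addr.rsplit("@", 1)
    for entry in rat:
        pattern, action = entry[0], entry[1]
        if rat_entry_matches(pattern, local_part, domain):
            if len(entry) > 2:
                return action, entry[2]
            return action, ("550 5.1.1 Recipient rejected" if action == REJECT else "250 recipient ok")
    return REJECT, "550 5.1.1 Recipient rejected"        # no ALL line present: still reject by default


# Constructed recipients, one per rule worth seeing.
SESSION_RCPTS = [
    "<user1@scu.com>", "<jane@notes.scu.com>", "<bob@oldname.com>",
    "<postmaster@oldname.com>", "<user@mail.scu.com>", "<user@[192.168.10.200]>",
]


def demo(rat=RAT):
    """Map each RCPT TO to its RAT decision; pass a RAT without notes.scu.com to see the rejection."""
    return {r: evaluate_rcpt(rat, r) for r in SESSION_RCPTS}
```

Entry order matters in the same way it does in the HAT: the constructed postmaster@ line accepts postmaster@oldname.com even though oldname.com is rejected further down, so put the narrow exceptions above the domain rules deliberately, not by accident.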

Specifying SMTP Routes on a Per-Domain Basis
Mail for *@notes.charlie.com needs to be delivered to 172.20.0.20.
A comma-separated list of destination hosts will round-robin to multiple servers.

A Mistake in SMTP Routing Causes a Loop
Problem:
1. The recipient domain is specified in the RAT but there is no SMTP route to override the DNS MX record.
2. The mail is processed to the delivery stage, where the route lookup fails.
3. The appliance falls back to the MX record for delivery, which sends the mail to itself.
4. The process loops until incoming mail limits are applied.
[Diagram: the Incoming Mail Listener on Data 1 (192.168.10.103) accepts notes.charlie.com along with oldname.com and exchange.charlie.com, but DNS says the charlie.com MX is 192.168.10.103.]
DNS Records:
charlie.com       IN MX  smtp.charlie.com
smtp.charlie.com  IN A   192.168.10.103
Fix: add an SMTP route for the domain (previous slide), so that the appliance never consults its own MX record for a domain it accepts in the RAT.
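The check a practitioner would want before this happens, as an added example (not appliance code): for every domain the RAT accepts, work out where delivery would go, an SMTP route if one exists, otherwise the MX host resolved to an address, and flag any target that is one of the listener's own addresses. The RAT, route table and DNS records below are constructed from this slide's charlie.com scenario; in a real check the DNS dictionary would be filled from a resolver.

```python
"""SMTP routing loop pre-flight check (added example, not appliance code).

Reproduces the slide's failure: a RAT-accepted domain with no SMTP route
whose MX resolves back to the listener. Data below is constructed from
the slide's charlie.com scenario.
"""
import ipaddress

LISTENER_IPS = {"192.168.10.103"}
RAT_ACCEPTED = ["charlie.com", "exchange.charlie.com", "notes.charlie.com"]
SMTP_ROUTES = {"charlie.com": ["172.20.0.10"], "exchange.charlie.com": ["172.20.0.10"]}  # notes.charlie.com missing
DNS = {
    "MX": {"charlie.com": ["smtp.charlie.com"], "notes.charlie.com": ["smtp.charlie.com"]},
    "A": {"smtp.charlie.com": ["192.168.10.103"], "exchange.charlie.com": ["172.20.0.10"]},
}


def resolve(host, dns):
    """Addresses a route target or MX host stands for (an IP literal resolves to itself)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return dns["A"].get(host.lower(), [])


def delivery_targets(domain, routes, dns):
    """(source, ip) pairs for where the appliance would connect to deliver mail for domain."""
    if domain in routes:                                    # an SMTP route overrides DNS
        return [("route", ip) for h in routes[domain] for ip in resolve(h, dns)]
    mx_hosts = dns["MX"].get(domain) or [domain]            # no MX: SMTP falls back to the A record
    return [("mx", ip) for h in mx_hosts for ip in resolve(h, dns)]


def find_loops(rat_domains, routes, dns, listener_ips):
    """{domain: (source, ip)} for accepted domains whose delivery target is the appliance itself."""
    loops = {}
    for domain in rat_domains:
        for source, ip in delivery_targets(domain, routes, dns):
            if ip in listener_ips:
                loops[domain] = (source, ip)
    return loops


def demo():
    """The slide's broken state, then the same check after the previous slide's route is added."""
    broken = find_loops(RAT_ACCEPTED, SMTP_ROUTES, DNS, LISTENER_IPS)
    fixed_routes = {**SMTP_ROUTES, "notes.charlie.com": ["172.20.0.20"]}
    return broken, find_loops(RAT_ACCEPTED, fixed_routes, DNS, LISTENER_IPS)
```

The check also catches the mirror-image mistake, an SMTP route that itself points at the appliance, because it compares every resolved target against the listener addresses regardless of whether it came from the route table or from DNS.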

Adding New Servers to the Relay List
Problem: notes.charlie.com cannot send outbound mail.
Fix: add it to the relay list.
[Diagram: notes.charlie.com, exchange.charlie.com and oldname.com behind the Incoming Mail Listener (192.168.10.103); new_bp.com on the Internet.]

Adding New Servers to the Relay List
Mail Policies > HAT Overview > RELAYLIST > Add Sender
Add the server's IP address (a /32). Keep RELAYLIST entries as narrow as possible: the RELAYED policy skips anti-spam, and because the RAT is only applied to connections with an Accept behavior, a host that matches RELAYLIST can send to any recipient. A broad entry (a partial address or a subnet that also contains user workstations) turns the appliance into an open relay for that range.
Verifying Changes with the Trace Tool

Troubleshooting with the Mail Logs
• The CLI tail command watches the logs in real time.
• Log subscriptions (configured in the GUI or the CLI) put logs at your disposal on your desktop for detailed searches.
• You can enable deeper levels of debugging when troubleshooting tough problems.
• Log viewer tools provided at the support site extract data from the binary logs.
• Not all logs are enabled by default, so it is good to know what is available.
Access logs at: ftp://smtp.<teamname>.com (the classroom setup; FTP carries credentials and log contents in the clear, so keep it on the management network)
bounces directory: bounces.text.current [email protected] [email protected]
Log file naming: the .current and .c suffixes refer to the same file.
• .current / .c: the current log, open for writing
• .s: the file is saved and complete

Troubleshooting with the Mail Logs (continued)
The mail logs contain details of message receiving, delivery, and bounces.
Status information is also logged every minute (unless you change it under System Administration -> Log Subscriptions -> Edit Settings, "System Measurements Frequency"). The mail logs do not include delivery codes.
Use cases:
• Track the receipt, processing, and delivery of specific messages
• Track anti-spam and anti-virus checking results
• Analyze system performance
How event records are identified:
New     New connection initiated; ICID created
ICID    Incoming Connection ID
Start   New message started; MID created
MID     Message ID
RID     Recipient ID
DCID    Delivery Connection ID
Done    Command complete
Ready   System waiting for next command in SMTP

Tracking Mail Messages with "tail mail_logs"
Mon Mar 9 12:03:36 2009 Info: New SMTP ICID 9 interface Data 1 (192.168.10.103) address 172.20.0.20 reverse dns host notes.inside.com verified yes
Mon Mar 9 12:03:36 2009 Info: ICID 9 RELAY SG RELAYLIST match 172.20.0.20/32 SBRS -2.7
Mon Mar 9 12:04:28 2009 Info: Start MID 24 ICID 9
Mon Mar 9 12:04:28 2009 Info: MID 24 ICID 9 From: <[email protected]>
Mon Mar 9 12:06:21 2009 Info: MID 24 Message-ID '<[email protected]>'
Mon Mar 9 12:06:21 2009 Info: MID 24 Subject 'The real email'
Mon Mar 9 12:06:21 2009 Info: MID 24 ready 314 bytes from <[email protected]>
Mon Mar 9 12:06:21 2009 Info: MID 24 matched all recipients for per-recipient policy DEFAULT in the outbound table
Callouts: "New SMTP ICID 9" is a new connection initiated and its ICID (Incoming Connection ID) created; "SG RELAYLIST" is the sender group match; "Start MID 24" is a new message started and its MID created.

Tracking Mail Messages with "tail mail_logs" (continued)
Mon Mar 9 12:06:21 2009 Info: MID 24 interim AV verdict using Sophos CLEAN
Mon Mar 9 12:06:21 2009 Info: MID 24 antivirus negative
Mon Mar 9 12:06:21 2009 Info: MID 24 queued for delivery
Mon Mar 9 12:06:21 2009 Info: New SMTP DCID 14 interface 192.168.10.103 address 192.168.10.200 port 25
Mon Mar 9 12:06:21 2009 Info: Delivery start DCID 14 MID 24 to RID [0]
Mon Mar 9 12:06:21 2009 Info: Message done DCID 14 MID 24 to RID [0]
Mon Mar 9 12:06:21 2009 Info: MID 24 RID [0] Response '2.0.0 n29J6Kmr023516 Message accepted for delivery'
Mon Mar 9 12:06:21 2009 Info: Message finished MID 24 done
Mon Mar 9 12:06:26 2009 Info: DCID 14 close
Mon Mar 9 12:06:30 2009 Info: ICID 9 close
Callouts: "New SMTP DCID 14" is the new Delivery Connection ID to the destination server (outside.com, 192.168.10.200); the "Response" line records the remote server's SMTP reply for that recipient (RID).

Using the findevent Command
example.com> findevent
Please choose which type of search you want to perform:
1. Search by envelope FROM
2. Search by Message ID
3. Search by Subject
4. Search by envelope TO
[1]> 3
Enter the regular expression to search for.
[]> confidential
Currently configured logs:
1. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to use for message tracking.
[]> 1
Please choose which set of logs to search:
1. All available log files
2. Select log files by date list

Using the grep Command
mgmt.alpha.com> grep
Currently configured logs:
1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
:
13. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
[]> 13
Enter the regular expression to grep.
[]> Warning
Do you want this search to be case insensitive? [Y]> y
Do you want to tail the logs? [N]> n
Do you want to paginate the output? [N]> n
Wed Sep 26 22:12:29 2008 Warning: Your "Centralized Management" key will expire in under 30 day(s). Please contact your authorized IronPort sales representative.
mgmt.alpha.com>

Using grep and findevent to search for "encrypted" in the mail logs
mgmt.bravo.com> grep -e "ENCRYPTED" mail_logs
Sat Nov 1 19:36:47 2008 Info: MID 31 interim AV verdict using Sophos ENCRYPTED
Sat Nov 1 19:45:09 2008 Info: MID 32 interim AV verdict using Sophos ENCRYPTED
mgmt.bravo.com> findevent
Please choose which type of search you want to perform:
1. Search by envelope FROM
2. Search by Message ID
3. Search by Subject
4. Search by envelope TO
[1]> 2
Enter the Message ID (MID) to search for.
[]> 31
Sat Nov 1 19:36:47 2008 Info: New SMTP ICID 24 interface Data 1 (192.168.10.102) address 192.168.10.200 reverse dns host mail.outside.com verified yes
Sat Nov 1 19:36:47 2008 Info: ICID 24 ACCEPT SG SUSPECTLIST match SBRS[-3.0:-1.0] SBRS -2.7
Sat Nov 1 19:36:47 2008 Info: Start MID 31 ICID 24
Sat Nov 1 19:36:47 2008 Info: MID 31 ICID 24 From: <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 ICID 24 RID 0 To: <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 Subject 'Exercise 6.1d'
Sat Nov 1 19:36:47 2008 Info: MID 31 ready 4088 bytes from <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 matched all recipients for per-recipient policy DEFAULT in the inbound table
Sat Nov 1 19:36:47 2008 Info: ICID 24 close
Sat Nov 1 19:36:47 2008 Info: MID 31 interim verdict using engine: CASE spam negative
Sat Nov 1 19:36:47 2008 Info: MID 31 using engine: CASE spam negative
Sat Nov 1 19:36:47 2008 Info: MID 31 interim AV verdict using Sophos ENCRYPTED
Sat Nov 1 19:36:47 2008 Info: MID 31 antivirus encrypted

Injection Debug & Domain Debug
Injection Debug records the SMTP conversation for connections made to the IronPort (incoming connections).
Domain Debug records the SMTP conversation for connections made by the IronPort (outgoing connections), per destination domain.
[Diagram: incoming connections -> Injection Debug; outgoing connections to Domain 1 and Domain 2 -> Domain Debug.]