ESA 6.5.0 GA Getting Started Guide


  • 8/9/2019 ESA 6.5.0 GA Getting Started Guide

    1/72

    IronPort AsyncOS 6.5 GETTING STARTED GUIDE

    for Email Security Appliances


    COPYRIGHT

    Copyright © 2008 by IronPort Systems®, Inc. All rights reserved.

    Part Number: 421-0118
    Revision Date: December 2, 2008

    The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus Outbreak Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe Network are trademarks or registered trademarks of Symantec Incorporated. McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Copyright 2007 McAfee, Inc. All rights reserved. Used with permission. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.

    This publication and the information contained herein is furnished “AS IS” and is subject to change without notice. Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort Systems, Inc., assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and non-infringement of third-party rights.

    Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated in IronPort license agreements.

    The full text of these agreements can be found here: https://support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html.

    Portions of the software within IronPort AsyncOS is based upon the RRDtool with the express written consent of Tobi Oetiker. Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Symantec Incorporated. Portions of this document are reproduced with permission of Sophos Plc. Brightmail Anti-Spam is protected under U.S. Patent No. 6,052,709.

    IRONPORT SYSTEMS®, INC.

    IronPort Systems, Inc.
    950 Elm Ave.
    San Bruno, CA 94066

    CONTACTING IRONPORT CUSTOMER SUPPORT

    If you have purchased support directly from IronPort Systems, you can request support by phone, email, or online 24 hours a day, 7 days a week. During office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), an engineer will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of our office hours, contact IronPort using the following information.

    U.S. toll-free: 1 (877) 641-IRON (4766)

    International: www.ironport.com/support/contact_support.html

    Support Portal: www.ironport.com/support

    If you have purchased support through a reseller or other entity, contact the supplier for support of your IronPort products.


    Table of Contents

    1. Introduction
        Before You Begin
        About This Guide
        Where to Go for More Information
            IronPort Knowledge Base
            IronPort Documentation
            Customer Support
        Overview of IronPort Email Security
            Spam Protection
            Virus Protection
            Content Compliance

    2. IronPort Email Security Appliance GUI

    3. Email Security Tasks
        Task 1: Drop Positive Spam Messages by Default
            Concepts
            Goal
            Dropping Spam Messages by Default
        Task 2: Exempt Specified Groups of Users from Spam Filtering
            Concepts
            Goal
            Creating a Mail Policy
            Changing the Anti-Spam Settings for a Mail Policy
        Task 3: Quarantine Incoming Spam
            Concepts
            Goal
            Configuring the IronPort Spam Quarantine
            Enabling the IronPort Spam Quarantine HTTP or HTTPS Service
            Configuring the Policy to Send Spam to the IronPort Spam Quarantine
        Task 4: Configure End User Safelists and Blocklists
            Concepts
            Goal
            Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine
            Adding Items to the Safelist for an End User Account
            Adding Items to the Blocklist for an End User Account
        Task 5: Quarantine Incoming Virus Messages
            Concepts
            Goal
            Enabling Virus Settings
        Task 6: Strip Specified Types of Incoming Email Attachments
            Concepts
            Goal
            Creating a Content Filter
            Applying a Filter to an Incoming Mail Policy
            Testing the Filter
        Task 7: Enforce an Outgoing Email Policy
            Concepts
            Goal
            Creating a Content Dictionary
            Creating an Outgoing Content Filter
            Creating a Content Filter
            Applying a Filter to an Outgoing Mail Policy
            Testing the Filter
        Task 8: Add a Domain to Accept Mail
            Concepts
            Goal
            Accepting Mail for a Domain
            Creating an SMTP Route for a Domain
        Task 9: Add a Disclaimer to Outgoing Mail
            Concepts
            Goal
            Creating a Footer Text Resource
            Associating a Footer with a Private Listener
        Task 10: Configure a Scheduled Report
            Concepts
            Goal
            Configuring a Scheduled Report

    4. Advanced Tasks
        Task 11: Access the Command Line Interface
            Concepts
            Goal
            Enabling the CLI
        Task 12: Use the CLI
            Concepts
            Goal
            Testing Connectivity
            Monitoring the IronPort Appliance and Email Traffic
            Configuring the Appliance
        Task 13: Retrieve and Use Mail Logs
            Concepts
            Goal
            Viewing Logs
            Searching for Content in Logs
            Retrieving and Configuring Logs
        Task 14: Configure Email Alerts
            Concepts
            Goal
            Configuring Email Alerts
        Task 15: Upgrade the IronPort Appliance


    CHAPTER 1: Introduction

    This chapter contains the following sections:

    • “Before You Begin” on page 2

    • “About This Guide” on page 3

    • “Where to Go for More Information” on page 4

    • “Overview of IronPort Email Security” on page 5


    BEFORE YOU BEGIN

    Before you begin, read the Quickstart Guide for the IronPort Email Security appliance you are installing and any release notes that were shipped with your appliance. This guide assumes that you have unpacked the appliance, physically installed it in a rack cabinet, and turned it on. You should also run the System Setup Wizard and accept the default configuration settings that are appropriate to the placement of the IronPort appliance in your network.


    ABOUT THIS GUIDE

    The IronPort Getting Started Guide provides an overview of the IronPort Email Security appliance and introduces its features.

    This guide contains the following chapters:

    • Chapter 1, “Introduction,” on page 1 - This chapter provides an introduction to this guide and an overview of IronPort email security.

    • Chapter 2, “IronPort Email Security Appliance GUI,” on page 9 - This chapter provides a general introduction to the IronPort appliance and the Email Security Manager.

    • Chapter 3, “Email Security Tasks,” on page 11 - This chapter provides tasks that will help you become acquainted with your IronPort appliance.

    • Chapter 4, “Advanced Tasks,” on page 51 - This chapter provides advanced tasks that can help you understand some of the advanced features of the IronPort appliance.


    WHERE TO GO FOR MORE INFORMATION

    You can refer to the resources described in this section if you have questions about the IronPort Email Security appliance.

    IronPort Knowledge Base

    The IronPort Knowledge Base provides answers to questions about the IronPort Email Security appliance. In addition to providing answers to common issues, the Knowledge Base contains key information about enhancing the functionality of the IronPort appliance. To access the Knowledge Base, select Help > Support Portal in the GUI.

    You can also access the Knowledge Base by logging in to the Customer Support website at the following address:

    http://www.ironport.com/support

    IronPort Documentation

    The IronPort Email Security appliance ships with the following documents which provide in-depth feature descriptions and guidance on how to use the features and services that the IronPort email security appliance provides:

    • IronPort AsyncOS for Email Quickstart Guide

    • IronPort AsyncOS for Email User Guide

    • IronPort AsyncOS for Email Advanced User Guide

    • IronPort AsyncOS CLI Reference Guide

    Customer Support

    You can request customer support by phone, email, or online 24 hours a day, 7 days a week.

    During Customer Support office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), one of the engineers will contact you within an hour of your request.

    To report a critical issue that requires urgent assistance, notify IronPort using the following contact information:

    U.S. toll-free: +1 (877) 641-4766

    International: http://www.ironport.com/support/contact_support.html

    Support Portal: http://www.ironport.com/support

    Support Request Page

    You can also use the Support Request page in the GUI to request customer support. To access the Support Request page, select Help > Support Request. Complete the information on the page, and then click the Submit button. A Customer Support representative will contact you as soon as possible.


    OVERVIEW OF IRONPORT EMAIL SECURITY

    The IronPort email security appliance combines several content scanning engines with IronPort preventive security solutions, such as SenderBase Reputation Filtering and Virus Outbreak Filters.

    IronPort Consolidates Security Solutions for the Email Perimeter

    The IronPort appliance provides unparalleled protection for corporate groupware servers, as well as reliable inbound and outbound email delivery. It has earned its outstanding reputation through deployments at the world’s largest Internet Service Providers and thousands of global customers.

    IronPort Email Security appliances use the proprietary IronPort AsyncOS operating system. AsyncOS provides a high-performance, flexible platform that supports the advanced security systems of IronPort. Unlike traditional messaging systems, the IronPort mail transfer agent (MTA) can handle thousands of simultaneous connections. The ability to support high volumes of simultaneous connections is critical to both large and small email sites because of the large number of spammers and spyware systems attempting to deliver spam and virus- or malware-infected email messages. The IronPort appliance incorporates the AsyncOS operating system with support tools, security scanning engines, a GUI, a command line interface (CLI), and other interfaces.

    [Figure: “Before IronPort” and “After IronPort” network diagrams. Labels: Internet, MTAs, Firewall, Anti-Spam, Anti-Virus, Policy Management, Mail Routing, Groupware, Users, IronPort Email Security Appliance.]


    Spam Protection

    For anti-spam protection, the IronPort email security appliance combines SenderBase Reputation Filtering with traditional content filters. SenderBase is a global email-monitoring network that tracks hundreds of parameters from thousands of contributing networks to establish a historically accurate reputation score for IP addresses that send email on the Internet. Because it draws on traffic data from over 25% of all worldwide email traffic, SenderBase can help stop more than 80% of unwanted threat messages before accepting them for content scanning. This reputation filtering system allows the IronPort email security appliance to dramatically increase the throughput of the traditional signature-based content scanning engines, such as Symantec Brightmail and IronPort Anti-Spam, because it can filter email messages before the signature-based scans take place.

    Virus Protection

    For anti-virus protection, IronPort offers anti-virus scanning engines from McAfee and Sophos, as well as its exclusive Virus Outbreak Filters. You can configure your IronPort appliance to use one or both of the licensed anti-virus scanning engines. Because each engine relies on a separate base of technology, scanning messages with both the McAfee and Sophos scanning engines combines the benefits of both anti-virus scanning engines.

    Because viruses and spyware use email as their primary distribution vector, SenderBase can detect patterns of email messages that signal an infection outbreak before traditional content-scanning virus filter signatures can be updated and deployed. The IronPort Global Threat Operations Center watches for emerging threats in email traffic and publishes outbreak rules to the IronPort appliance, which quarantines possible threat messages. This protects networks from virus threats before virus signature updates are available. As the outbreak matures and the threat rules adapt, non-matching messages are released from quarantine, and possible threat messages are held back until a final signature is available for the virus-scanning engine. Over the course of a virus outbreak, you are protected from new infections coming into the network, and you do not need to worry about possible false positive messages being dropped.

    How Virus Outbreak Filters Work - Dynamic Quarantine in Action

    [Figure: messages scanned and deleted over time as the outbreak rule narrows.]

    • T = 0: zip (exe) files

    • T = 5 mins: zip (exe) files; size 50 to 55 KB

    • T = 10 mins: zip (exe) files; size 50 to 55 KB; “Price” in the file name

    • T = 8 hours: release messages if signature update is in place
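    The dynamic quarantine described above can be modelled in a few lines. This is an added example, not IronPort code: the class names, message fields and sample messages are constructed for illustration, the rule timeline follows the figure, and handing released messages to the anti-virus engine at the end is an assumption.

```python
"""Constructed model of a quarantine driven by successively narrower outbreak rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    filename: str   # attachment name, e.g. "Price_list.zip"
    inner_ext: str  # extension of the file packed inside the archive
    size_kb: int


@dataclass(frozen=True)
class OutbreakRule:
    """One published rule version; a criterion left as None is not yet known."""
    outer_ext: str
    inner_ext: str
    size_range_kb: Optional[Tuple[int, int]] = None
    name_contains: Optional[str] = None

    def matches(self, msg: Message) -> bool:
        if not msg.filename.lower().endswith("." + self.outer_ext):
            return False
        if msg.inner_ext.lower() != self.inner_ext:
            return False
        if self.size_range_kb is not None:
            low, high = self.size_range_kb
            if not low <= msg.size_kb <= high:
                return False
        if self.name_contains is not None:
            if self.name_contains.lower() not in msg.filename.lower():
                return False
        return True


class DynamicQuarantine:
    def __init__(self, rule: OutbreakRule) -> None:
        self.rule = rule
        self.held: Dict[str, Message] = {}

    def receive(self, msg: Message) -> str:
        """Hold a message that matches the current rule, otherwise let it through."""
        if self.rule.matches(msg):
            self.held[msg.msg_id] = msg
            return "quarantine"
        return "deliver"

    def publish(self, rule: OutbreakRule) -> List[str]:
        """Install a narrower rule and release held messages it no longer matches."""
        self.rule = rule
        released = [mid for mid, m in self.held.items() if not rule.matches(m)]
        for mid in released:
            del self.held[mid]
        return released

    def signature_update(self) -> List[str]:
        """A final signature exists: release everything still held for AV scanning."""
        released = list(self.held)
        self.held.clear()
        return released


# Rule versions as (minutes since outbreak start, rule), following the figure.
RULES = [
    (0, OutbreakRule("zip", "exe")),
    (5, OutbreakRule("zip", "exe", size_range_kb=(50, 55))),
    (10, OutbreakRule("zip", "exe", size_range_kb=(50, 55), name_contains="Price")),
]

# Constructed sample traffic arriving at T = 0.
SAMPLE = [
    Message("m1", "holiday_photos.zip", "exe", 900),
    Message("m2", "installer.zip", "exe", 52),
    Message("m3", "Price_list.zip", "exe", 53),
    Message("m4", "report.zip", "pdf", 51),
]


def run_outbreak() -> dict:
    quarantine = DynamicQuarantine(RULES[0][1])
    log = {"T=0": {m.msg_id: quarantine.receive(m) for m in SAMPLE}}
    for minute, rule in RULES[1:]:
        log[f"T={minute}min released"] = quarantine.publish(rule)
    log["held before signature"] = sorted(quarantine.held)
    log["T=8h released for AV scan"] = quarantine.signature_update()
    return log


if __name__ == "__main__":
    for step, result in run_outbreak().items():
        print(step, result)
```

    Each narrower rule releases the false positives caught by the broader one, so only the message matching every criterion stays held until the signature arrives.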


    Content Compliance

    IronPort security solutions are powered by an advanced content filtering engine, which comes with built-in configurations for compliance with Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act. You can also use the content filtering engine to implement specific business-policy controls for a variety of systems. Email archiving, attachment control, keyword scanning, and encryption integration are all available for use in custom filtering rules.

    You access this functionality with management and monitoring tools. AsyncOS provides both an intuitive web-based GUI and a command line interface (CLI). You can use the Email Security Manager in the GUI to set specific policies for groups of users so you can enforce appropriate levels of security for different business units. Many standard reports are built into the system, as well as flexible application programming interfaces (APIs) for retrieving reporting and monitoring data. You can use these features to integrate the appliance with your information systems infrastructure.

    In addition, AsyncOS offers a unique centralized management feature that uses a peer-to-peer architecture to avoid the need for extra hardware in the data center and to eliminate any single point of failure.

    With a multi-layer approach to spam and virus protection, IronPort provides the most comprehensive email security solution on the market. By combining pioneering preventive features, such as SenderBase and Virus Outbreak Filters, with best-in-class content scanning engines, IronPort is a cost-effective solution to your email security needs.

    The integrated architecture of AsyncOS provides all the necessary email protection capabilities to secure internal networks and groupware servers. This guide demonstrates the features of the IronPort email security appliance so you can immediately take control of your email perimeter and solve email security problems.


    CHAPTER 2: IronPort Email Security Appliance GUI

    The graphical user interface (GUI) of the IronPort Email Security appliance provides access to features and services to help you effectively monitor and administer your organization’s email network traffic.

    Figure 2-1 IronPort GUI


    The following table describes the GUI components shown in Figure 2-1.

    Component: Description

    1 - Menu bar: Click the menus to access the various areas of the GUI.

    2 - Drop-down menu: The menus display task-based links. Click the links to access pages for the tasks you want to perform.

    3 - Options menu: The Options menu enables you to change your password or log out of the IronPort appliance.

    4 - Help menu: The Help menu provides access to online help information about the current GUI page and access to the Support Portal. In addition, you can use this menu to send a support request and provide Customer Support with remote access to your IronPort appliance.

    5 - Commit Changes button: The Commit Changes button notifies you if changes are pending on your appliance. When you make changes to the appliance configuration, you must commit the changes for them to take effect on the appliance.

    To commit the changes:

    1. Click the Commit Changes button.

    2. Optionally, enter a comment in the Comment box. Adding comments can be useful for any future troubleshooting.

    3. Click Commit Changes. You return to the originating page, and the Commit box indicates that no changes are pending.


    CHAPTER 3: Email Security Tasks

    This chapter contains the following sections:

    • “Task 1: Drop Positive Spam Messages by Default” on page 12

    • “Task 2: Exempt Specified Groups of Users from Spam Filtering” on page 15

    • “Task 3: Quarantine Incoming Spam” on page 19

    • “Task 4: Configure End User Safelists and Blocklists” on page 24

    • “Task 5: Quarantine Incoming Virus Messages” on page 28

    • “Task 6: Strip Specified Types of Incoming Email Attachments” on page 33

    • “Task 7: Enforce an Outgoing Email Policy” on page 37

    • “Task 8: Add a Domain to Accept Mail” on page 43

    • “Task 9: Add a Disclaimer to Outgoing Mail” on page 46

    • “Task 10: Configure a Scheduled Report” on page 48


    TASK 1: DROP POSITIVE SPAM MESSAGES BY DEFAULT

    The IronPort Anti-Spam engine processes email for incoming and outgoing mail based on settings that you configure. IronPort Anti-Spam scans messages through its filtering modules for classification. It classifies messages as positive spam, suspected spam, or not spam. You determine the action to take on the message based on the IronPort Anti-Spam classification. You might choose to drop, deliver, or quarantine messages based on their classification. For example, you might decide to drop positive spam messages and quarantine suspected spam messages.

    Note: If you set up your IronPort appliance using the System Setup Wizard, the IronPort appliance drops positive spam messages by default.

    Concepts

    You can use the IronPort Email Security Manager to define mail filtering and security policies for users based on their email addresses or an LDAP query. You configure settings for incoming email in an incoming mail policy. The incoming mail policy instructs the IronPort appliance to perform an action on a message based on the classification of the message and mail recipient. The default mail policy applies to all incoming messages.

    Goal

    By default, the IronPort appliance is not configured to scan email messages for suspected spam. In this task, you activate suspected spam scanning and configure the default policy to drop the suspected spam. Later, you will enable the end-user spam quarantine, which allows users to view and open email messages and release messages from the quarantine.

    Dropping Spam Messages by Default

    To drop spam messages by default:

    1. Select Mail Policies > Incoming Mail Policies.

    The Incoming Mail Policies page is displayed.


    2. In the Anti-Spam settings for the default policy, click the link to open the mail policy.

    The Mail Policies: Anti-Spam page is displayed.

    3. In the Anti-Spam Settings section, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.

    4. In the Positively Identified Spam Settings section, use the following settings:

    • Apply this Action to the Message: Drop.

    • Advanced > Archive Message: Select Yes to archive or No to skip archiving.

    5. In the Suspected Spam Settings section, use the following settings:

    • Enable Suspect Spam Scanning: Yes.

    • Apply This Action to Message: Deliver.

    • Add Text to Subject: Select Prepend or Append if you want to add text, and enter the text in the text field. For example, enter [SUSPECTED SPAM].

    6. Click Submit. The new settings are displayed for the default policy.

    7. The IronPort appliance notifies you that you have pending changes.

    The changes you make are not activated until you commit them.

    8. Click the Commit Changes button in the top right corner of the page.

    The Uncommitted Changes page is displayed.

    9. Add a comment to describe the change.

    10. Click Commit Changes.

    See Also

    For more information about the Email Security Manager, see “Email Security Manager” in the IronPort AsyncOS for Email User Guide. For more information about anti-spam settings, see “Anti-Spam” in the IronPort AsyncOS for Email User Guide.

    TASK 2: EXEMPT SPECIFIED GROUPS OF USERS FROM SPAM FILTERING

    The default incoming mail policy you modified in Task 1 applies to all mail that enters the network. However, you may want to create a new policy that applies security scanning or content filters differently for some users. For example, you might want to ensure that executive users receive all messages.

    Concepts

    With the IronPort appliance, you can use mail policies to apply different mail delivery settings to different users. You use incoming mail policies to manage flows of incoming emails to different addresses.

    Goal

    In this task, you create a new mail policy. Then, you modify the policy’s anti-spam settings to deliver spam-positive messages and suspected spam with a tag in the messages’ subject line. This allows you to exempt some users from spam filtering.

    Creating a Mail Policy

    To create a mail policy:

    1. Select Mail Policies > Incoming Mail Policies.

    The Incoming Mail Policies page is displayed.

    2. Click the Add Policy button.

    The Add Incoming Mail Policy page is displayed.

    3. To define the policy, enter the following information:

    • Policy Name: Enter a name. For example, enter Execs.

    • Insert Before Policy: 1 (Default Policy).

    • Add Users: This policy applies to the recipient of the message, so leave Recipient selected.

    • Email Address(es): Add the email address that this policy applies to. For example, enter bob@example.com. Then click the Add button. You can repeat this process for any number of email addresses or LDAP queries.

    4. Click Submit.

    The Incoming Mail Policies page is displayed with the new mail policy.

    Changing the Anti-Spam Settings for a Mail Policy

    After you create a mail policy, you need to modify its anti-spam settings so that spam-positive messages and spam-suspect messages are tagged and sent to the address that you specified in the mail policy.

    To change the anti-spam settings:

    1. On the Incoming Mail Policies page for the new policy (for example, the Execs policy), click the “(use default)” link in the Anti-Spam column. The Mail Policies: Anti-Spam page is displayed.

    2. In the Enable Anti-Spam Scanning for this Policy field, select “Use selected Anti-Spam service(s),” and select IronPort Anti-Spam.

    Important Note: The position of the policy in the Email Security Monitor is important. Aliases are matched starting with the top policy.

    3. Scroll down to the Positively-Identified Spam Settings section.

    4. In the Positively-Identified Spam Settings section, enter the following information to ensure that messages identified as spam are delivered with an identifying tag:

    • Apply This Action to Message: Deliver.

    • Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SPAM].

    5. Scroll down to the Suspected Spam Settings section.

    6. In the Suspected Spam Settings section, enter the following information to ensure that messages identified as suspected spam are delivered with an identifying tag:

    • Enable Suspect Spam Scanning: Yes.

    • Apply This Action to Message: Deliver.

    • Add Text to Subject: Select Append or Prepend to add text to the subject, and enter text in the text field. For example, use the default entry, [SUSPECTED SPAM].

    7. Click Submit.

    The Incoming Mail Policies page is displayed.

    8. Review the Anti-Spam column.

    The new mail policy delivers messages that are tagged as spam-positive and spam-suspect to the specified accounts, and it drops spam-positive messages addressed to other accounts.

    See Also

    For more information about configuring anti-spam settings, see “Anti-Spam” in the IronPort AsyncOS for Email User Guide.

    For information about quarantining incoming spam messages, see “Task 3: Quarantine Incoming Spam” on page 19.

    TASK 3: QUARANTINE INCOMING SPAM

    The IronPort Email Security appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine. End users can then access the quarantine to determine if the messages are incorrectly identified as spam. You can use a local IronPort Spam Quarantine, stored on the IronPort appliance, or you can send messages to an external IronPort Spam Quarantine, stored on an M-Series IronPort appliance. Both AsyncOS administrators and end users can access the IronPort Spam Quarantine.

    Concepts

    To use the IronPort Spam Quarantine, you work with several areas of the IronPort appliance:

    • IronPort Spam quarantine. The Spam Quarantine is a special quarantine designed for mail end-user access. You can use a local quarantine or send spam to an external quarantine (M-Series appliance).

    • The interface where the Spam Quarantine is enabled. You enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.

    • Anti-spam options for a mail policy. You enable the spam quarantine for a particular mail policy. That way, you can quarantine mail for specified groups of users.

    Goal

    In this task, you enable the IronPort Spam Quarantine and configure the default policy to send incoming spam to the quarantine.

    To use the IronPort Spam Quarantine, complete the following steps:

    1. Configure the local IronPort Spam Quarantine.

    2. Enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.

    3. Configure the anti-spam scanning options for the policy to send spam or suspect spam to the IronPort Spam Quarantine.

    Configuring the IronPort Spam Quarantine

    To configure the IronPort Spam Quarantine:

    1. Select Monitor > Quarantines.

    The Quarantines page is displayed.

    2. Click Edit.

    The Edit IronPort Spam Quarantine page is displayed.

    3. Use the default settings in the Spam Quarantine Settings panel and scroll down to End-User Quarantine Access.

    4. Click Enable End-User Quarantine Access.

    The End-User Quarantine Access page is displayed.

    5. Select None in the End-User Authentication field.

    By selecting None, you allow users to access quarantined mail by clicking links in the notification messages that they receive.

    6. Click Enable Spam Notification.

    The Enable Spam Notification page is displayed.

    7. Enter an address to use in the From Address header if you want to send notifications.

    8. Enter a subject (such as “IronPort Spam Quarantine Notification”).

    9. Enter a title for the notification (such as “IronPort Spam Quarantine Notification”).

    10. Optionally, enter a spam notification message.

    11. Select a format.

    12. Enter an address to deliver bounce messages to.

    13. Leave the Consolidate Notifications field empty. This field consolidates email notifications for users when the IronPort Spam Quarantine is configured for LDAP authentication.

    14. In the Notification Schedule field, choose a notification schedule.

    15. Click Submit.

    16. Commit your changes.

    Enabling the IronPort Spam Quarantine HTTP or HTTPS Service

    After you enable the IronPort Spam Quarantine, you must edit the IP interface to enable the HTTP or HTTPS service for the IronPort Spam Quarantine.

    To enable the HTTP or HTTPS service:

    1. On the Network > IP Interfaces page, click the interface name (this example uses the Management interface).

    The Edit IP Interface page is displayed.

    2. In Services > IronPort Spam Quarantine, select HTTP, HTTPS, or both, enter the port numbers, and optionally enable redirection of HTTP requests to HTTPS.

    3. Enter the default URL that appears in email notifications. This example uses the hostname.

    4. Click Submit.

    5. Commit your changes.

    Configuring the Policy to Send Spam to the IronPort Spam Quarantine

    To send spam to the IronPort Spam quarantine:

    1. Select Mail Policies > Incoming Mail Policies.

    2. Click the anti-spam settings for the default mail policy.

    The Anti-Spam Settings page is displayed.

    3. In Positively Identified Spam Settings > Apply this Action to Message, select IronPort Spam Quarantine. The Positively Identified Spam Settings field expands. It displays delivery settings for the IronPort Spam Quarantine.

    4. Use the default settings in the Positively Identified Spam field.

    5. Leave the Suspected Spam Settings as you configured them.

    6. Use default settings for Spam Thresholds.

    7. Click Submit.

    8. Commit your changes.

    See Also

    For more information about working with incoming mail policies, see “Configuring the Gateway to Receive Email” in the IronPort AsyncOS for Email User Guide. For more information about working with the IronPort Spam quarantine, see “Quarantines” in the IronPort AsyncOS for Email User Guide. For more information about configuring IP interfaces, see “Accessing the Appliance” in the IronPort AsyncOS for Email User Guide.

    TASK 4: CONFIGURE END USER SAFELISTS AND BLOCKLISTS

    The IronPort appliance allows you to send spam or suspected spam messages to the IronPort Spam Quarantine; however, an end user may want to ensure that mail from a particular sender is never treated as spam. Conversely, an end user may want to guarantee that certain mail is always sent to the IronPort Spam Quarantine. For example, a user may be unable to unsubscribe from an automated mailing list, and may want to block the list server’s email address. You can enable end users to create safelists and blocklists to better control which emails are treated as spam. The end user safelist and blocklist settings are configured from the IronPort Spam Quarantine, so you must have enabled and configured the IronPort Spam Quarantine to use this feature.

    Note — When you enable the safelist/blocklist feature, each end user maintains a safelist and blocklist for his or her email account.

    Concepts

    This task introduces concepts related to end user safelists and blocklists. Safelists allow a user to ensure that certain users or domains are not treated as spam. Blocklists ensure that certain users or domains are always treated as spam.

    Goal

    In this task, you enable safelists and blocklists in the IronPort Spam Quarantine, and you configure a safelist and a blocklist for an end user account.

    Note — Steps 2 and 3 require that you log into an end user account to create a safelist. Ensure that you have created an end user account that you can access to complete this task.

    Enabling the End User Safelist/Blocklist on the IronPort Spam Quarantine

    You enable safelists and blocklists from the Quarantines page.

    To enable safelists and blocklists on a C-Series appliance:

    1. Select Monitor > Quarantines.

    2. In the End-User Safelist/Blocklist section, click Edit Settings.

    The Edit Safelist/Blocklist Settings page is displayed.

    3. Select Enable End User Safelist/Blocklist Feature.

    4. Select Quarantine or Delete for the blocklist action.

    5. Specify the maximum list items per user. This value represents the maximum number of addresses or domains a user can list in each safelist and blocklist. For example, a value of 100 would mean that the end user could add 100 terms in the safelist and 100 terms in the blocklist.

    6. Click Submit.

    Adding Items to the Safelist for an End User Account

    End users can use safelists to ensure that mail from specified senders is never treated as spam.

    To add items to a safelist:

    1. Log in to the IronPort Spam Quarantine.

    2. Select the Options drop-down menu.

    3. Select Safelist.

    4. In the Safelist dialog box, enter an email address, subdomain, or domain.

    Entries can be added to safelists and blocklists using the following formats:

    [email protected]

    • server.domain.com

    • domain.com

    5. Click Add to List.

    Adding Items to the Blocklist for an End User Account

    End users can use blocklists to ensure that they never receive mail from specified senders.

    To add items to a blocklist:

    1. In the IronPort Spam Quarantine, select the Options drop-down menu.

    2. Select Blocklist.

    3. Enter the domain or email address you want to blocklist.

    4. Click Add to List.

    When the IronPort appliance receives mail from the specified email address or domain that matches an entry in the blocklist, it treats the mail as spam. Because you configured AsyncOS to quarantine blocklisted items, any items identified as blocklisted are quarantined.

    TASK 5: QUARANTINE INCOMING VIRUS MESSAGES

    You can configure the IronPort appliance to quarantine incoming virus messages. The Virus quarantine stores messages marked by the anti-virus scanning engine as not scannable, virus-positive, or encrypted. Like the anti-spam settings, you configure the IronPort appliance to take different actions based on the results of the virus scan and the group of mail recipients. For example, you might want to quarantine all virus-positive messages to the Technical Support group, but drop all virus-positive messages sent to the Marketing group.

    Concepts

    This task presents concepts related to IronPort virus scanning and the Virus quarantine. 

    Unlike the IronPort Spam quarantine, the Virus quarantine can be accessed only by administrators. The Virus quarantine is enabled by default, but you must configure anti-virus scanning and quarantine settings in a mail policy to use the Virus quarantine. You also enable notifications in the mail policy to allow administrators or end users to see that messages were quarantined.

    Goal

    In this task, you activate IronPort virus scanning, and you configure the default mail policy to deliver suspected virus email messages and drop confirmed virus email messages. You also configure the default mail policy to quarantine virus messages and suspected virus messages.

    Enabling Virus Settings

    To enable the Virus quarantine:

    1. Select Mail Policies > Incoming Mail Policies.

    2. Click the anti-virus settings for the default mail policy.

    The Anti-Virus Settings page is displayed.

    3. Under Anti-Virus Settings, select Yes for Enable Anti-Virus Scanning for this Policy.

    The anti-virus engines that you have licenses for are displayed.

    4. Select an anti-virus engine.

    5. Under Message Scanning, enter the following information:

    • Select “Scan and Repair viruses” from the menu.

    • Select “Include an X-header with the Anti-Virus scanning results in messages.”

    6. Use the default settings for the Repaired Messages section.

    7. Use the default settings for the Encrypted Messages section.

    8. Scroll down to the Unscannable Messages section.

    9. Enter the following information in the Unscannable Messages section:

    • Action Applied to Message: Quarantine.

    • Archive Original Message: Yes.

    • Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: A/V UNSCANNABLE].

    • Other Notification: Recipient.

    10. Scroll down to the Virus Infected Messages section.

    11. Enter the following information in the Virus Infected Messages section:

    • Action Applied to Message: Quarantine.

    • Archive Original Message: Yes.

    • Modify Message Subject: Select Prepend or Append, and enter the text into the text field. For example, [WARNING: VIRUS DETECTED].

    • Other Notification: Recipient.

    12. Click Submit.

    The Default Mail Policy displays the anti-virus settings.

    13. Commit your changes.

    See Also

    For more information about configuring anti-virus settings, see “Anti-Virus” in the IronPort AsyncOS for Email User Guide. For more information about quarantines, see “Quarantines” in the IronPort AsyncOS for Email User Guide.

    TASK 6: STRIP SPECIFIED TYPES OF INCOMING EMAIL ATTACHMENTS

    In addition to spam and virus filters, the IronPort appliance allows you to apply custom scanning and email policies to messages by using content filters. You can use content filters to analyze incoming email messages and take action based on a variety of factors. Content filters can be enforced on different groups of users.

    Concepts

    This task introduces concepts related to the content filter. The content filter applies custom filtering to messages after the anti-spam and anti-virus engines perform scans. Like anti-spam and anti-virus policies, you create the content filter and then apply it to a group of users via a mail policy.

    Goal

    In this task, you create a new content filter to strip a specified type of media attachment from incoming messages, and then you add this filter to the default policy in the Email Security Manager.

    Creating a Content Filter

    To create a content filter:

    1. Click Mail Policies > Incoming Content Filters.

    The Incoming Content Filters page is displayed.

    2. Click the Add Filter button.

    The Add Content Filter page is displayed.

    Note — Content Filters are custom email rules that scan a message for specific content or recipients and then take actions based on the results of the scan.

    3. Enter the following information:

    • Name: Enter a name to identify the filter. For example, Remove_MP3.

    • Description: Briefly describe the filter.

    • Conditions: Leave this section blank. This ensures that this filter is applied to all messages analyzed by the mail policy.

    4. Click Add Action.

    5. Select Strip Attachment by File Info.

    The Strip Attachment by File Info page is displayed.

    6. Specify the action that the appliance takes when it encounters a flagged email message.

    • Select File type is.

    • In the drop-down menu, select -- mp3.

    • Enter a replacement message that is displayed to the recipient if an MP3 attachment is stripped from an email message. For example, [MP3 FILE DROPPED].

    • Click OK. The Edit Content Filter page displays the rule drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]") in the Actions section of the page.

    7. Click Submit.

    The Incoming Content Filters page displays the Remove_MP3 filter.

    Applying a Filter to an Incoming Mail Policy

    You apply the content filter to incoming messages by associating it with an incoming mail policy.

    To apply a content filter to an incoming mail policy:

    1. Select Mail Policies > Incoming Mail Policies.

    When you associate the content filter with a mail policy, it is applied to the appropriate end users.

    2. Click the Disabled link in the Content Filters column. The Mail Policies: Content Filters page displays the content filter that you created.

    3. Click Yes to enable content filtering on the policy. Verify that the Enable check box is selected for the Remove_MP3 filter.

    4. Click Submit.

    The Incoming Mail Policies page displays a success message.

    5. Commit your changes.

    Testing the Filter

    After you have created the filter and applied it to the default mail policy, test the filter by sending an email message with an MP3 attachment from an Internet email address (such as Yahoo! Mail) to an alias in your network.

    You can use the Trace page (and trace CLI command) to test and troubleshoot the filter. The Trace page emulates a message that is accepted by a listener, and it prints a summary of features that would have been “triggered” or affected by the current configuration of the system. You can also run the tail command against mail logs to view the most recent mail logs in real time. For more information on mail flow monitoring, see “Email Security Manager” in the IronPort AsyncOS for Email User Guide.

    See Also

    For more information about content filters and the Email Security Manager, see “Email Security Manager” in the IronPort AsyncOS for Email User Guide.

    TASK 7: ENFORCE AN OUTGOING EMAIL POLICY

    The IronPort appliance allows you to enforce a policy for outgoing mail that would quarantine messages that may contain sensitive information or violate your company’s email policies. For example, you can quarantine all messages that contain Social Security numbers. Content filters can analyze outgoing messages for particular data patterns and take action based on the scanned content.

    Concepts

    This task introduces concepts related to the content dictionary and smart identifiers. Content dictionaries are a list of terms you define to scan messages, message headers, and message attachments in order to take action in accordance with your company’s email policies. You can also add smart identifiers to a content dictionary. Smart identifiers are algorithms that search for patterns in data that correspond to common numeric patterns, such as Social Security numbers and credit card numbers. Smart identifiers work more effectively than regular expressions because they use mathematical calculations to ensure the validity of the smart identifiers per the issuing authority.

    For each term or smart identifier, you can specify a weight so that terms or smart identifiers can trigger filter actions more easily. When AsyncOS scans messages for the dictionary terms or smart identifiers, it scores the message by multiplying the number of instances by the weight of the term or identifier.

    Then, when you add filter rules that search for patterns in content, you specify a minimum threshold value for triggering the filter action. When you search for both smart identifiers and content dictionary terms, the scanning engine combines the scores of the identifiers and dictionary terms to create the total weight. If the minimum threshold is met, the filter action is triggered. If the threshold is not met, the expression does not evaluate to true.

    Goal

    In this task, you create a new content filter that uses content dictionary terms and smart identifiers to identify outgoing emails that violate PCI compliance guidelines. You configure the content filter to quarantine emails that show patterns in data corresponding to credit card numbers and that include terms related to credit cards. After you create the content dictionary and content filter, you add the content filter to the default outgoing mail policy.

    Creating a Content Dictionary

    To create a content dictionary:

    1. Select Mail Policies > Dictionaries.

    The Dictionaries page is displayed.

    2. Click Add Dictionary.

    The Add Dictionary page is displayed.

    3. In the Dictionary Properties section, enter the name PCI_Compliance.

    4. Leave the default settings in the Advanced Matching field.

    5. In the Smart Identifiers field, select Credit Card Numbers and specify a weight of 10.

    6. In the Dictionary section, add the following dictionary terms in the Add Terms field, and specify the following weight for each term:

    Term                  Weight
    Credit Card Number    10
    PIN                   5
    CCN                   5

    When you specify a weight for a dictionary term, consider the threshold value you will configure to trigger the content filter action. For example, if you configure the threshold value as 10, you might specify a weight of 10 for terms that always trigger the filter action, and specify a weight of 5 for terms that do not trigger the filter action by themselves. For example, a message that contains the terms PIN and CCN would cause the message to be quarantined, but a message containing only one of these terms would not cause the message to be quarantined.

    7. Click Submit.

    8. Commit your changes.

    Creating an Outgoing Content Filter

    After you have defined the dictionary terms, smart identifiers, and their weights, you need to create a content filter that queries the content dictionary to determine actions to take on outgoing mail. You will create a content filter that quarantines messages that meet a score of 10 or higher using the PCI_Compliance dictionary you created.

    Creating a Content Filter

    To create a content filter:

    1. Select Mail Policies > Outgoing Content Filters.

    The Outgoing Content Filter page is displayed.

    2. Click Add Filters.

    The Add Content Filters page is displayed.

    3. Enter the following information:

    • Name: Enter PCI_Compliance.

    • Description: Detects messages that are non-PCI compliant.

    4. Click Add Condition.

    5. Select Message Body or Attachment.

    The Message Body or Attachment condition is displayed.

    6. Select “Contains term in content dictionary,” and choose the PCI_Compliance content dictionary you created.

    7. In the “Number of matches required” field, enter 10.

    The number of matches is based on the weight of the term. If you enter 10 in the number of matches field, one dictionary term with a weight of 10 will trigger the filter condition, or two dictionary terms with a weight of 5 each will trigger the filter condition.

    8. Click OK.

    9. Click Add Action.

    The Add Action page is displayed.

    10. Select Quarantine.

    11. In the Send Message to the Quarantine field select the Policy quarantine.

    12. Click OK.

    13. Click Submit.

    14. Commit your changes.

    The Outgoing Content Filters page displays the PCI_Compliance content filter.

    Applying a Filter to an Outgoing Mail Policy

    By default, the filter is not applied to outgoing messages. You apply the content filter by associating it with an outgoing mail policy.

    To associate the content filter with a mail policy:

    1. Select Mail Policies > Outgoing Mail Policies.

    The Outgoing Mail Policies page is displayed.

    You associate the content filter with a mail policy so that it is applied to the appropriate end users. In this example, the content filter is applied to the Default policy.

    2. On the default policy, click the Disabled link in the Content Filters column. The Mail Policies: Content Filters page displays a list of available content filters. The PCI_Compliance filter appears in this list.

    3. Click Yes to enable content filtering for the policy. Verify that the Enable check box is selected for the PCI_Compliance filter.

    4. Click Submit.

    The Outgoing Mail Policies page displays a success message.

    5. Commit your changes.

    Testing the Filter

    After you have created the filter and applied it to the default outgoing mail policy, you can test the filter by sending an outbound email message with dictionary terms in a message body or attachment. For example, send a message with the terms PIN and CCN, and then send a message with each of these terms separately. Messages that contain both of these terms are quarantined, but messages that contain only one of the terms do not trigger the filter action.
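    To predict which test messages should be quarantined before you send them, the following Python model reproduces the scoring rule from the Concepts section with the PCI_Compliance weights and the threshold of 10. It is an added example, not IronPort code and not part of the original guide. Assumptions: the Credit Card Numbers smart identifier is modeled with the Luhn checksum, terms match as whole words regardless of case, and all function names and sample messages are constructed for illustration.

```python
import re

# Weights configured in this task's PCI_Compliance dictionary.
TERM_WEIGHTS = {"Credit Card Number": 10, "PIN": 5, "CCN": 5}
SMART_ID_WEIGHT = 10   # weight given to the Credit Card Numbers smart identifier
THRESHOLD = 10         # "Number of matches required" in the content filter

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# hyphens. A regular expression alone would accept any digit run of this shape.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (assumed stand-in for the smart identifier's validation)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    """Count digit runs that look like card numbers AND pass the checksum."""
    count = 0
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            count += 1
    return count


def count_term(text: str, term: str) -> int:
    """Whole-word, case-insensitive instance count (matching mode is assumed)."""
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))


def score_message(text: str):
    """Return (total, breakdown): instances x weight, summed over all entries."""
    breakdown = {}
    for term, weight in TERM_WEIGHTS.items():
        instances = count_term(text, term)
        if instances:
            breakdown[term] = instances * weight
    cards = count_card_numbers(text)
    if cards:
        breakdown["smart identifier: Credit Card Numbers"] = cards * SMART_ID_WEIGHT
    return sum(breakdown.values()), breakdown


def filter_action(text: str) -> str:
    """Quarantine when the combined score meets the threshold, else deliver."""
    total, _ = score_message(text)
    return "quarantine" if total >= THRESHOLD else "deliver"


# Constructed test messages; 4111 1111 1111 1111 is a well-known test number.
SAMPLES = [
    "Please send me your PIN and the CCN on file.",   # 5 + 5
    "Your PIN was reset.",                            # 5
    "The CCN field is blank.",                        # 5
    "Card on file: 4111 1111 1111 1111",              # valid checksum
    "Order ref 4111 1111 1111 1112",                  # same shape, bad checksum
    "PIN one, PIN two",                               # two instances of one term
]

if __name__ == "__main__":
    for msg in SAMPLES:
        total, parts = score_message(msg)
        print(f"{filter_action(msg):10} score={total:<3} {parts}  <- {msg!r}")
```

    Under the instances-times-weight rule, a message that repeats a single weight-5 term twice also reaches the threshold, so include that case when you test the filter.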


    See Also


    For more information about content dictionaries, see “Text Resources” in the IronPort AsyncOS for Email User Guide. For more information about smart identifiers, see “Policy Enforcement” in the IronPort AsyncOS for Email User Guide.


    TASK 8: ADD A DOMAIN TO ACCEPT MAIL


    In this task, you configure the IronPort appliance to receive mail for another domain. Many enterprise gateways are configured to receive messages for several local domains. For example, if your company changes its name, it needs to receive mail for the old domain name and the new domain name.

    Concepts

    Incoming and outgoing mail is received through a listener, an email processing service that is configured on a particular IP interface. When you add accessibility for a new domain to the IronPort appliance, you must add entries to two tables. One table, the Recipient Access Table (RAT), specifies the mail recipients for the domain. It defines which recipients will be accepted by a public listener. The table specifies the address (which may be a partial address or host name) and whether to accept or reject it. The other table, the Host Access Table (HAT), maintains a set of rules that control incoming connections from remote hosts for a listener. You add an SMTP route to enable email for the new domain to be routed to the correct mail exchange host. SMTP routes allow you to redirect all email for a particular domain to a different mail exchange (MX) host.

    Goal

    In this task, you add accessibility to the IronPort appliance for a new domain. You do this by adding an entry for the domain in the RAT, the HAT, and the SMTP Routes table.

    Accepting Mail for a Domain

    To accept mail for a domain:

    1. Select Network > Listeners.

    The Listeners page is displayed.

    2. Click the RAT link.


    The Recipient Access Table Overview page is displayed.


    3. Click the Add Recipient button.

    The Add to Recipient Access Table page is displayed.

    4. Enter the following information:

    • Order: Enter 2 to place the domain second in the list.

    • Recipient Address: Enter the domain address. For example, acquisition.com.

    • Action: Accept.

    • Bypass LDAP Accept Queries for this Recipient: Leave as is.

    • Custom SMTP Response: No.

    • Bypass Receiving Control: No.

    5. Click Submit.

    The Recipient Access Table Overview page is refreshed with the new domain listed in position 2. At this point, your appliance is configured to accept mail for the new domain.


    Creating an SMTP Route for a Domain


    To create an SMTP route for a domain:

    1. Select Network > SMTP Routes.

    The SMTP Routes page is displayed.

    2. Click the Add Route button.

    The Add SMTP Route page is displayed.

    3. Enter the settings for the SMTP route:

    • Receiving Domain: Enter the Receiving Domain. For example, enter acquisition.com.

    • Destination Hosts: Enter the IP address or host name of the MUA that will receive the mail for the receiving domain. For example, enter exchange.company.com.

    • Outgoing SMTP Authentication: Use default settings.

    4. Click Submit.

    The SMTP Routes page displays the new SMTP route.

    See Also

    For more information about configuring listeners and working with the RAT and the HAT, see “Configuring the Gateway to Receive Email” in the IronPort AsyncOS for Email User Guide.


    TASK 9: ADD A DISCLAIMER TO OUTGOING MAIL


    You can use the IronPort appliance to add footer text to outgoing or incoming messages. For example, you can append a copyright statement, promotional statement, or disclaimer to messages sent from your network.

    Concepts

    To add an outgoing disclaimer, you create a disclaimer text resource and associate it with a private listener.

    IronPort AsyncOS differentiates between public listeners — which, by default, can receive email from the Internet — and private listeners that accept email only from internal systems such as groupware, POP and IMAP, and other message generation systems.

    Goal

    To add an outgoing disclaimer, you first create a text resource and then associate the text resource with the private (outgoing) listener.

    Creating a Footer Text Resource

    To create a footer text resource:

    1. Select Mail Policies > Text Resources.

    The Text Resources page is displayed.

    2. Click the Add Text Resource button.

    The Add Text Resource page is displayed.

    Enter the following information:

    • Name: Name of the text resource. For example, enter Confidential.

    • Type: Disclaimer.

    • Text: Enter the text to display as the disclaimer. Do not use variables.

    3. Click Submit.


    The Text Resources page is displayed with the disclaimer text resource.


    4. Commit your changes.

    Associating a Footer with a Private Listener

    After creating the disclaimer, you need to associate it with the private (outgoing) listener. The listener inserts the disclaimer text resource into every email message that the listener handles.

    To associate the disclaimer with a private listener:

    1. Select Network > Listeners.

    2. Click the OutgoingMail link in the Listener Name column.

    The Edit Listener page is displayed.

    3. Select Confidential from the Disclaimer Below menu to display the disclaimer at the bottom of messages.

    4. Click Submit.

    5. Commit your changes.

    See Also

    For more information about working with message stamping, see “Text Resources” in the IronPort AsyncOS for Email User Guide.


    TASK 10: CONFIGURE A SCHEDULED REPORT


    You can run a variety of reports to track activity on your IronPort appliance. You can track the flow of mail using incoming and outgoing mail summary reports, outgoing destinations, outgoing senders domains, and sender groups. You can track virus activity using the Virus Types report and the Virus Outbreak report. You can also track user activity using the Internal Users Summary report and the Content Filters report. You can also track system activity using an Executive Summary report and track system health using the System Capacity report.

    Concepts

    The IronPort appliance allows you to track activity by using reports. You can also use reports to monitor the effectiveness of the appliance and view trends in the mail flow.

    This task introduces the TLS Connections report. This report shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

    Goal

    In this task, you schedule a daily TLS Connections report.

    Configuring a Scheduled Report

    To configure a scheduled report:

    1. Select Monitor > Scheduled Reports.

    The Scheduled Reports page is displayed.

    The Available Reports section displays the scheduled reports.

    2. Click the Add Scheduled Report button.

    The Add Scheduled Report page is displayed.

    3. Select a Report type from the menu. For example, you might use the TLS Connections report to view the overall usage of TLS connections for emails sent to your network.


    4. Enter a title for the report.


    5. Under Time Range to Include, select Previous calendar day.

    6. Under Format, leave “PDF” selected.

    7. Under Schedule, select “Daily,” and leave the default time.

    8. Enter the email address where you want to send the report.

    9. Click Submit.

    10. Commit your changes.

    Note — If you used the System Setup Wizard to configure the IronPort appliance, some reports are enabled by default.

    See Also

    For more information about generating and managing reports, see the section about reporting in “Using the Email Security Monitor” in the IronPort AsyncOS for Email User Guide.


    CHAPTER 4

    Advanced Tasks

    This chapter contains the following sections:

    • “Task 11: Access the Command Line Interface”

    • “Task 12: Use the CLI”

    • “Task 13: Retrieve and Use Mail Logs”

    • “Task 14: Configure Email Alerts”

    • “Task 15: Upgrade the IronPort Appliance”


    TASK 11: ACCESS THE COMMAND LINE INTERFACE


    The IronPort AsyncOS Command Line Interface (CLI) provides a set of management commands through a text-based interactive interface. You connect to the CLI using telnet or Secure Shell (SSH). SSH is encrypted and provides better security.

    Concepts

    The CLI and the GUI contain many of the same functions, but some advanced tasks are available only in the CLI. To use the CLI, you must first enable it from the GUI.

    Note — Do not run multiple concurrent CLI or GUI sessions. Doing so will cause unexpected behavior and is not supported.

    Goal

    In this task, you enable and access the CLI. To use the CLI, you need to:

    • Enable the CLI to use SSH or telnet.

    • Connect to the configured IP address using telnet or SSH.

    Enabling the CLI

    You can enable the CLI on any IP interface. In this example, the CLI is enabled in the Management interface.

    To enable the CLI:

    1. Select Network > IP Interfaces, and click the Management link.


    The Edit IP Interface dialog box is displayed.


    2. In the Services field, select SSH and Telnet, and enter port numbers.

    Telnet uses port 25. SSH uses port 22. When you select both options, you can connect to the IP address using either telnet or SSH.

    3. Use telnet or SSH to connect to the Management interface.

    Initially, only the admin user account has access to the CLI. You can add other users when you access the CLI through the admin account.

    4. In the CLI, enter your username and password to log in to the appliance.


    See Also

    For more information about the CLI, see the IronPort AsyncOS CLI Reference Guide.


    TASK 12: USE THE CLI

    You can perform many advanced tasks in the CLI, such as testing connectivity, viewing system status, and controlling services.

    Concepts

    You can use the CLI to complete the following types of tasks:

    • Connectivity. You can test connectivity using the telnet command. You can use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.

    • System status. You can use the status command to determine the status of the IronPort appliance. You use the tophosts command to view information about the email queue and determine if a particular recipient host has delivery problems, such as a queue buildup.

    • Control services. Use the suspendlistener and resumelistener commands to stop and restart listeners if you need to troubleshoot a mail processing problem.

    Goal

    In this task, you run commands to test connectivity, review system status details, and suspend and resume listeners.

    Testing Connectivity

    The IronPort appliance allows you to use several common network diagnostic tools, such as telnet, ping, and traceroute. You can use telnet to connect to a remote host. You can use ping to test whether a particular host is reachable across an IP network. You can use traceroute to display a network route to a remote host.

    Use these commands to debug network connectivity from the IronPort appliance. For example, you can ensure that your diagnostics are not affected by firewalls or other rules that may treat the IronPort appliance differently from a workstation.

    Ping a Network Host

    To ping a network host:

    1. Use telnet or SSH to connect to the Management interface, and enter your username and password.

    2. Enter ping and the host name for an address on your network.

    3. Allow the IronPort appliance to ping the address several times.

    4. Press Ctrl+C to stop the IronPort appliance from pinging the host.

    5. Review the ping statistics.

    Table 4-1 CLI ping Command

    mga.company.com> ping mail.example.com
    Press Ctrl-C to stop.
    PING mail.example.com (69.18.55.191): 56 data bytes
    64 bytes from 69.18.55.191: icmp_seq=0 ttl=63 time=46.078 ms
    64 bytes from 69.18.55.191: icmp_seq=1 ttl=63 time=41.941 ms
    64 bytes from 69.18.55.191: icmp_seq=2 ttl=63 time=37.616 ms
    ^C
    --- mail.example.com ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 37.616/41.878/46.078/3.455 ms

    Use the traceroute Command

    Use the traceroute command to test connectivity to a network host from the appliance and debug routing issues with network hops.

    1. From the CLI, enter traceroute .

    2. Press Ctrl+C to stop the trace.

    3. Review the traceroute statistics.

    Table 4-2 Example of the traceroute Command

    mga.company.com> traceroute mail.example.com
    Press Ctrl-C to stop.
    traceroute to mail.example.com (69.18.55.191), 64 hops max, 44 byte packets
     1 er1.sfo1.speakeasy.net (66.93.133.1) 35.199 ms 30.697 ms 31.543 ms
     2 * * *
    ^C

    Use the telnet Command

    Use telnet to establish a telnet connection or other interactive TCP connection.

    To establish a telnet connection:

    1. From the CLI, enter telnet .

    The IronPort appliance opens a connection to the remote host.

    2. Press Ctrl+C to close the connection.

    Table 4-3 Example of the telnet Command

    mga.company.com> telnet mail.example.com 25
    Trying 69.18.55.191...
    Connected to mail.example.com.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix
    EHLO mga.company.com
    250-mail.example.com
    250-PIPELINING
    250-SIZE 102400000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME
    ^]
    telnet> quit
    Connection closed.

    Monitoring the IronPort Appliance and Email Traffic

    You can use the CLI to monitor the IronPort appliance and traffic flowing through it. You can use the status command to view a broad range of information about the IronPort appliance, such as the anti-spam and anti-virus features that are enabled and the last date you started the appliance. Use the detail subcommand to return more specific information.

    Using the status Command

    From the CLI, enter status detail to retrieve detailed status of the IronPort appliance.

    Table 4-4 Example of the status Command

    mga.company.com> status detail

    Status as of: Thu Mar 30 13:22:24 2006 PST
    Up since: Tue Mar 21 07:24:41 2006 PST (9d 5h 57m 43s)
    Last counter reset: Never
    System status: Online
    Oldest Message: No Messages
    Feature - Virus Outbreak Filters: 50 days
    Feature - IronPort Anti-Spam: 205 days
    Feature - Receiving: 50 days
    Feature - Brightmail: 50 days
    Feature - Sophos: 50 days

    Counters:                     Reset   Uptime  Lifetime
      Receiving
        Messages Received        22,119    1,267    22,119
        Recipients Received      22,651    1,324    22,651
        Gen. Bounce Recipients       81        7        81

    For more information about counters, see the IronPort AsyncOS for Email User Guide.

    Using the tophosts Command

    To view immediate information about the email queue and determine if a particular recipient host has delivery problems — such as a queue buildup — use the tophosts command. The tophosts command returns a list of the top 20 recipient hosts in the queue. The list can be sorted by a number of statistics, including active recipients, connections out, delivered recipients, soft bounced events, and hard bounced recipients.

    To use the tophosts command:

    1. From the CLI, enter tophosts.

    The CLI displays a list of sorting options.

    2. Sort the hosts by connections out.

    The CLI returns a list of hosts in order of the connections out.

    Table 4-5 Example of the tophosts Command

    mga.company.com> tophosts

    Sort results by:

    1. Active Recipients
    2. Connections Out
    3. Delivered Recipients
    4. Hard Bounced Recipients
    5. Soft Bounced Events
    [1]> 2

    Status as of: Thu Mar 30 13:23:42 2006 PST
    Hosts marked with '*' were down as of the last delivery attempt.

                            Active  Conn.  Deliv.  Soft     Hard
    #  Recipient Host       Recip.  Out    Recip.  Bounced  Bounced
    1  yahoo.com                 0      0       2        0        0
    2  hotmail.com               0      0     128       76        5
    3  mail.example.com          0      0     889        0        0

    You can retrieve the information from these commands in an XML format by using a GUI request. For example, you can retrieve the information from the status command with the URL http:///xml/status. Other useful commands for gathering email monitoring statistics include hoststatus and topin. For information on using XML pages to gather email monitoring statistics, see “Gathering XML Status from the GUI” in the IronPort AsyncOS User Guide.


    Configuring the Appliance

    You can control the operation of your IronPort appliance directly from the CLI. The suspendlistener and resumelistener commands allow you to stop and restart listeners if you need to troubleshoot a mail processing problem.

    Use the syntax in Table 4-6 to suspend a listener.

    Other useful commands for stopping mail delivery from the appliance include suspenddel and resumedel.

    Table 4-6 Suspending and Resuming a Listener

    mga.company.com> suspendlistener

    Enter the number of seconds to wait before abruptly closing connections.
    [30]>

    Waiting for listeners to exit...
    Receiving suspended for External.
    mga.company.com> resumelistener

    Mail delivery resumed.


    TASK 13: RETRIEVE AND USE MAIL LOGS

    AsyncOS offers extensive logging capabilities, and it makes these logs available through a variety of interfaces. Logs record information about mail flow, operation of various software systems on the appliance, CLI and GUI usage, and the AsyncOS system itself. By default, AsyncOS records, archives, and purges old log files. You can view and search the logs, change the options for how much detail is recorded to the logs, and how the files themselves are handled on disk.

    Concepts

    This task introduces the tail command, which allows you to view log details in real time. It also introduces the grep command, which allows you to search through logs for specific details. In addition, it introduces methods for retrieving logs.

    Goal

    In this task, you view the logs in real time through the CLI, search logs for information, and retrieve logs using different formats.

    Viewing Logs

    To view the logs in real-time as they are written to the log files, use the syntax in Table 4-7.

    Table 4-7 Example of tail Command

    mga.company.com> tail bounces
    Press Ctrl-C to stop.
    Wed Mar 29 22:25:24 2006 Info: Delayed: DCID 12949 MID 23365 From: To: RID 0 - 4.1.0 - Unknown address error ('450', [': Sender address rejected: Domain not found'])
    Wed Mar 29 23:25:26 2006 Info: Delayed: DCID 12951 MID 23365 From: To: RID 0 - 4.1.0 - Unknown address error ('450', [': Sender address rejected: Domain not found'])

    Searching for Content in Logs

    You can search for content in the logs by using the grep command. For example, the following grep query searches the mail logs for [email protected] and then retrieves the details of a message sent to that address by searching for the message ID.
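The two-step grep search described in "Searching for Content in Logs" (find the recipient, then follow its MID and ICID), as an added Python example that is not part of the IronPort guide and is meant to run off-box on a retrieved copy of mail_logs. The sample lines are constructed in the style of Table 4-8, and the function names are this example's own. IDs are matched as whole tokens, so MID 13276 does not also pull in MID 132760 the way a plain substring search does.

```python
import re

# Constructed sample, modelled on the mail_logs lines in Table 4-8.
# Addresses, host names and ID numbers are invented for this example.
SAMPLE_LOG = """\
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (192.0.2.10) address 198.51.100.7 reverse dns host mx.sender.example verified yes
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <alice@sender.example>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@example.com>
Sat Jan 21 02:43:06 2006 Info: ICID 23441 close
Sat Jan 21 02:43:07 2006 Info: Delivery start DCID 8 MID 13276 to RID [0]
Sat Jan 21 02:43:08 2006 Info: Message done DCID 8 MID 13276 to RID [0]
Sat Jan 21 03:10:00 2006 Info: New SMTP ICID 234410 interface External (192.0.2.10) address 203.0.113.9 reverse dns host unknown verified no
Sat Jan 21 03:10:01 2006 Info: Start MID 132760 ICID 234410
Sat Jan 21 03:10:02 2006 Info: MID 132760 ICID 234410 RID 0 To: <carol@example.com>
Sat Jan 21 03:10:03 2006 Info: ICID 234410 close
"""

ID_RE = re.compile(r"\b(MID|ICID)\s+(\d+)\b")
TO_RE = re.compile(r"\bTo:\s*<([^>]*)>")
FROM_RE = re.compile(r"\bFrom:\s*<([^>]*)>")
CONN_RE = re.compile(r"New SMTP ICID (\d+) interface (\S+) \(([^)]*)\) "
                     r"address (\S+) reverse dns host (\S+)")


def line_ids(line):
    """Return the (kind, number) identifiers on one log line as whole tokens."""
    return {(kind, int(num)) for kind, num in ID_RE.findall(line)}


def trace_recipient(log_text, recipient):
    """Two-pass equivalent of the grep sequence: recipient -> IDs -> all lines."""
    lines = log_text.splitlines()
    wanted = set()
    # Pass 1: find the "To:" lines for the recipient and note their MID/ICID.
    for line in lines:
        match = TO_RE.search(line)
        if match and match.group(1).lower() == recipient.lower():
            wanted |= line_ids(line)
    # Pass 2: every line that mentions one of those IDs, in log order.
    related = [line for line in lines if line_ids(line) & wanted]
    return wanted, related


def summarize(related):
    """Pull the connection source and envelope senders out of the related lines."""
    info = {"remote_address": None, "remote_host": None, "senders": set()}
    for line in related:
        conn = CONN_RE.search(line)
        if conn:
            info["remote_address"] = conn.group(4)
            info["remote_host"] = conn.group(5)
        sender = FROM_RE.search(line)
        if sender:
            info["senders"].add(sender.group(1))
    return info


if __name__ == "__main__":
    ids, related = trace_recipient(SAMPLE_LOG, "bob@example.com")
    print(sorted(ids))
    print("\n".join(related))
    print(summarize(related))
```
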

    Table 4-8 Example of the grep Command

    mga.company.com> grep -e "[email protected]" mail_logs
    Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To:

    mga.company.com> grep -e "MID 13276" -e "ICID 23441" mail_logs
    Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.39.133.191) address 86.203.229.163 reverse dns host alagny-154-1-
