GETTING STARTED GUIDE
for Email Security Appliances
COPYRIGHT
Copyright 2008 by IronPort Systems, Inc. All rights reserved.
Part Number: 421-0118
Revision Date: December 2, 2008
The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus
Outbreak Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks
or registered trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe
Network are trademarks or registered trademarks of Symantec Incorporated. McAfee and VirusScan are registered
trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Copyright 2007
McAfee, Inc. All rights reserved. Used with permission. All other trademarks, service marks, trade names, or
company names referenced herein are used for identification only and are the property of their respective owners.
This publication and the information contained herein is furnished AS IS and is subject to change without
notice. Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort
Systems, Inc., assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind
with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for
particular purposes and non-infringement of third-party rights.
Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of
software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National
Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated
in IronPort license agreements.
The full text of these agreements can be found here:
https://support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html.
Portions of the software within IronPort AsyncOS are based upon the RRDtool with the express written consent of Tobi Oetiker.
Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are
reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Symantec
Incorporated. Portions of this document are reproduced with permission of Sophos Plc. Brightmail Anti-Spam is protected
under U.S. Patent No. 6,052,709.
If you have purchased support directly from IronPort Systems, you can request
support by phone, email, or online 24 hours a day, 7 days a week. During office hours
(24 hours per day, Monday through Friday, excluding U.S. holidays), an engineer will
contact you within an hour of your request. To report a critical issue that requires
urgent assistance outside of our office hours, contact IronPort using the following
information.
U.S. toll-free:
1 (877) 641-IRON (4766)
International: www.ironport.com/support/contact_support.html
Support Portal: www.ironport.com/support
If you have purchased support through a reseller or other entity, contact the supplier
for support of your IronPort products.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Where to Go for More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
IronPort Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
IronPort Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Overview of IronPort Email Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Spam Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Virus Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Content Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Advanced Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Task 11: Access the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enabling the CLI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task 12: Use the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Testing Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Monitoring the IronPort Appliance and Email Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Task 13: Retrieve and Use Mail Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Searching for Content in Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Retrieving and Configuring Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Task 14: Configure Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Goal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring Email Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Task 15: Upgrade the IronPort Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
CHAPTER 1
Introduction
This chapter contains the following sections:
Before You Begin on page 2
About This Guide on page 3
Where to Go for More Information on page 4
Overview of IronPort Email Security on page 5
CHAPTER 1: INTRODUCTION 1
BEFORE YOU BEGIN
Before you begin, read the Quickstart Guide for the IronPort Email Security appliance you are
installing and any release notes that were shipped with your appliance. This guide assumes
that you have unpacked the appliance, physically installed it in a rack cabinet, and turned it
on. You should also run the System Setup Wizard and accept the default configuration settings
that are appropriate to the placement of the IronPort appliance in your network.
ABOUT THIS GUIDE
The IronPort Getting Started Guide provides an overview of the IronPort Email Security
appliance and introduces its features.
This guide contains the following chapters:
Chapter 1, Introduction, on page 1 - This chapter provides an introduction to this guide
and an overview of IronPort email security.
Chapter 2, IronPort Email Security Appliance GUI, on page 9 - This chapter provides a
general introduction to the IronPort appliance and the Email Security Manager.
Chapter 3, Email Security Tasks, on page 11 - This chapter provides tasks that will help
you become acquainted with your IronPort appliance.
Chapter 4, Advanced Tasks, on page 51 - This chapter provides advanced tasks that can
help you understand some of the advanced features of the IronPort appliance.
WHERE TO GO FOR MORE INFORMATION
You can refer to the resources described in this section if you have questions about the
IronPort Email Security appliance.
IronPort Documentation
The IronPort Email Security appliance ships with the following documents which provide
in-depth feature descriptions and guidance on how to use the features and services that the
IronPort email security appliance provides:
IronPort AsyncOS for Email Quickstart Guide
IronPort AsyncOS for Email User Guide
IronPort AsyncOS for Email Advanced User Guide
IronPort AsyncOS CLI Reference Guide
Customer Support
You can request customer support by phone, email, or online 24 hours a day, 7 days a week.
During Customer Support office hours (24 hours per day, Monday through Friday, excluding
U.S. holidays), one of the engineers will contact you within an hour of your request.
To report a critical issue that requires urgent assistance, notify IronPort using the following
contact information:
U.S. toll-free:
+1 (877) 641-4766
International:
http://www.ironport.com/support/contact_support.html
You can also use the Support Request page in the GUI to request customer support. To access
the Support Request page, select Help > Support Request. Complete the information on the
page, and then click the Submit button. A Customer Support representative will contact you
as soon as possible.
OVERVIEW OF IRONPORT EMAIL SECURITY
The IronPort email security appliance combines several content scanning engines with
IronPort preventive security solutions, such as SenderBase Reputation Filtering and Virus
Outbreak Filters.
[Figure: IronPort Consolidates Security Solutions for the Email Perimeter. Before IronPort: Internet, Firewall, MTAs, Anti-Spam, Anti-Virus, Policy Management, Mail Routing, Groupware, Users. After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users.]
The IronPort appliance provides unparalleled protection for corporate groupware servers, as
well as reliable inbound and outbound email delivery. It has earned its outstanding reputation
through deployments at the world's largest Internet Service Providers and thousands of global
customers.
IronPort Email Security appliances use the proprietary IronPort AsyncOS operating system.
AsyncOS provides a high-performance, flexible platform that supports the advanced security
systems of IronPort. Unlike traditional messaging systems, the IronPort mail transfer agent
(MTA) can handle thousands of simultaneous connections. The ability to support high
volumes of simultaneous connections is critical to both large and small email sites because of
the large number of spammers and spyware systems attempting to deliver spam and virus- or
malware-infected email messages. The IronPort appliance incorporates the AsyncOS
operating system with support tools, security scanning engines, a GUI, a command line
interface (CLI), and other interfaces.
Spam Protection
For anti-spam protection, the IronPort email security appliance combines SenderBase
Reputation Filtering with traditional content filters. SenderBase is a global email-monitoring
network that tracks hundreds of parameters from thousands of contributing networks to
establish a historically accurate reputation score for IP addresses that send email on the
Internet. Because it draws on traffic data from over 25% of all worldwide email traffic,
SenderBase can help stop more than 80% of unwanted threat messages before accepting
them for content scanning. This reputation filtering system allows the IronPort email security
appliance to dramatically increase the throughput of the traditional signature-based content
scanning engines, such as Symantec Brightmail and IronPort Anti-Spam, because it can filter
email messages before the signature-based scans take place.
Virus Protection
For anti-virus protection, IronPort offers anti-virus scanning engines from McAfee and
Sophos, as well as its exclusive Virus Outbreak Filters. You can configure your IronPort
appliance to use one or both of the licensed anti-virus scanning engines. Because each engine
relies on a separate base of technology, scanning messages with both the McAfee and Sophos
scanning engines combines the benefits of both anti-virus scanning engines.
Because viruses and spyware use email as their primary distribution vector, SenderBase can
detect patterns of email messages that signal an infection outbreak before traditional
content-scanning virus filter signatures can be updated and deployed. The IronPort Global Threat
Operations Center watches for emerging threats in email traffic and publishes outbreak rules
to the IronPort appliance, which quarantines possible threat messages. This protects networks
from virus threats before virus signature updates are available. As the outbreak matures and
the threat rules adapt, non-matching messages are released from quarantine, and possible
threat messages are held back until a final signature is available for the virus-scanning engine.
Over the course of a virus outbreak, you are protected from new infections coming into the
network, and you do not need to worry about possible false positive messages being dropped.
[Figure: How Virus Outbreak Filters Work - Dynamic Quarantine in Action. Timeline at T=0, T=5 mins, T=10 mins and T=8 hours: messages are scanned and deleted as the outbreak rules adapt, and quarantined messages are released if a signature update is in place.]
Content Compliance
IronPort security solutions are powered by an advanced content filtering engine, which comes
with built-in configurations for compliance with the Health Insurance Portability and
Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act. You
can also use the content filtering engine to implement specific business-policy controls for a
variety of systems. Email archiving, attachment control, keyword scanning, and encryption
integration are all available for use in custom filtering rules.
You access this functionality with management and monitoring tools. AsyncOS provides both
an intuitive web-based GUI and a command line interface (CLI). You can use the Email
Security Manager in the GUI to set specific policies for groups of users so you can enforce
appropriate levels of security for different business units. Many standard reports are built into
the system, as well as flexible application programming interfaces (APIs) for retrieving
reporting and monitoring data. You can use these features to integrate the appliance with your
information systems infrastructure.
In addition, AsyncOS offers a unique centralized management feature that uses a peer-to-peer
architecture to avoid the need for extra hardware in the data center and to eliminate any
single point of failure.
With a multi-layer approach to spam and virus protection, IronPort provides the most
comprehensive email security solution on the market. By combining pioneering preventive
features, such as SenderBase and Virus Outbreak Filters, with best-in-class content scanning
engines, IronPort is a cost-effective solution to your email security needs.
The integrated architecture of AsyncOS provides all the necessary email protection
capabilities to secure internal networks and groupware servers. This guide demonstrates the
features of the IronPort email security appliance so you can immediately take control of your
email perimeter and solve email security problems.
CHAPTER 2
IronPort GUI
The following table describes the GUI components shown in Figure 2-1.
Component
1 - Menu bar
2 - Drop-down menu
3 - Options menu
4 - Help menu
CHAPTER 3
Email Security Tasks
TASK 1: DROP POSITIVE SPAM MESSAGES BY DEFAULT
The IronPort Anti-Spam engine processes email for incoming and outgoing mail based on
settings that you configure. IronPort Anti-Spam scans messages through its filtering modules
for classification. It classifies messages as positive spam, suspected spam, or not spam. You
determine the action to take on the message based on the IronPort Anti-Spam classification.
You might choose to drop, deliver, or quarantine messages based on their classification. For
example, you might decide to drop positive spam messages and quarantine suspected spam
messages.
Note If you set up your IronPort appliance using the System Setup Wizard, the IronPort
appliance drops positive spam messages by default.
Concepts
You can use the IronPort Email Security Manager to define mail filtering and security policies
for users based on their email addresses or an LDAP query. You configure settings for
incoming email in an incoming mail policy. The incoming mail policy instructs the IronPort
appliance to perform an action on a message based on the classification of the message and
mail recipient. The default mail policy applies to all incoming messages.
Goal
By default, the IronPort appliance is not configured to scan email messages for suspected
spam. In this task, you enable suspected spam scanning and configure the default policy to
drop positively identified spam and to deliver suspected spam with a tag in the subject line.
Later, you will enable the end-user spam quarantine, which allows users to view and open
email messages and release messages from the quarantine.
2. In the Anti-Spam settings for the default policy, click the link to open the mail policy.
The Mail Policies: Anti-Spam page is displayed.
3. In the Anti-Spam Settings section, select Use selected Anti-Spam service(s), and select
IronPort Anti-Spam.
4. In the Positively Identified Spam Settings section, use the following settings:
Apply this Action to the Message: Drop.
Advanced > Archive Message: Select Yes to archive or No to skip archiving.
5. In the Suspected Spam Settings section, use the following settings:
Enable Suspect Spam Scanning: Yes.
Apply This Action to Message: Deliver.
Add Text to Subject: Select Prepend or Append if you want to add text, and enter
the text in the text field. For example, enter [SUSPECTED SPAM].
6. Click Submit. The new settings are displayed for the default policy.
7. The IronPort appliance notifies you that you have pending changes.
The changes you make are not activated until you commit them.
8. Click the Commit Changes button in the top right corner of the page.
The Uncommitted Changes page is displayed.
For more information about the Email Security Manager, see Email Security Manager in the
IronPort AsyncOS for Email User Guide. For more information about anti-spam settings, see
Anti-Spam in the IronPort AsyncOS for Email User Guide.
TASK 2: EXEMPT SPECIFIED GROUPS OF USERS FROM SPAM FILTERING
The default incoming mail policy you modified in Task 1 applies to all mail that enters the
network. However, you may want to create a new policy that applies security scanning or
content filters differently for some users. For example, you might want to ensure that
executive users receive all messages.
Concepts
With the IronPort appliance, you can use mail policies to apply different mail delivery settings
to different users. You use incoming mail policies to manage flows of incoming emails to
different addresses.
Goal
In this task, you create a new mail policy. Then, you modify the policy's anti-spam settings to
deliver spam-positive messages and suspected spam with a tag in the message's subject line.
This allows you to exempt some users from spam filtering.
4. Click Submit.
The Incoming Mail Policies page is displayed with the new mail policy.
6. In the Suspected Spam Settings section, enter the following information to ensure that
messages identified as suspected spam are delivered with an identifying tag:
Enable Suspect Spam Scanning: Yes.
Apply This Action to Message: Deliver.
Add Text to Subject: Select Append or Prepend to add text to the subject, and enter
text in the text field. For example, use the default entry, [SUSPECTED SPAM].
7. Click Submit.
For more information about configuring anti-spam settings, see Anti-Spam in the IronPort
AsyncOS for Email User Guide.
For information about quarantining incoming spam messages, see Task 3: Quarantine
Incoming Spam on page 19.
TASK 3: QUARANTINE INCOMING SPAM
The IronPort Email Security appliance allows you to send spam or suspected spam messages
to the IronPort Spam Quarantine. End users can then access the quarantine to determine if the
messages are incorrectly identified as spam. You can use a local IronPort Spam Quarantine,
stored on the IronPort appliance, or you can send messages to an external IronPort Spam
Quarantine, stored on an M-Series IronPort appliance. Both AsyncOS administrators and end
users can access the IronPort Spam Quarantine.
Concepts
To use the IronPort Spam Quarantine, you work with several areas of the IronPort appliance:
IronPort Spam quarantine. The Spam Quarantine is a special quarantine designed for
mail end-user access. You can use a local quarantine or send spam to an external
quarantine (M-Series appliance).
The interface where the Spam Quarantine is enabled. You enable access to the IronPort
Spam Quarantine through an HTTP or HTTPS service.
Anti-spam options for a mail policy. You enable the spam quarantine for a particular mail
policy. That way, you can quarantine mail for specified groups of users.
Goal
In this task, you enable the IronPort Spam Quarantine and configure the default policy to send
incoming spam to the quarantine.
To use the IronPort Spam Quarantine, complete the following steps:
1. Configure the local IronPort Spam Quarantine.
2. Enable access to the IronPort Spam Quarantine through an HTTP or HTTPS service.
3. Configure the anti-spam scanning options for the policy to send spam or suspect spam to
the IronPort Spam Quarantine.
2. Click Edit.
The Edit IronPort Spam Quarantine page is displayed.
3. Use the default settings in the Spam Quarantine Settings panel and scroll down to End-User Quarantine Access.
4. Click Enable End-User Quarantine Access.
The End-User Quarantine Access page is displayed.
By selecting None, you allow users to access quarantined mail by clicking links in the
notification messages that they receive.
6. Click Enable Spam Notification.
The Enable Spam Notification page is displayed.
7. Enter an address to use in the From Address header if you want to send notifications.
8. Enter a subject (such as IronPort Spam Quarantine Notification).
9. Enter a title for the notification (such as IronPort Spam Quarantine Notification).
10. Optionally, enter a spam notification message.
11. Select a format.
12. Enter an address to deliver bounce messages to.
13. Leave the Consolidate Notifications field empty. This field consolidates email notifications
for users when the IronPort Spam Quarantine is configured for LDAP authentication.
14. In the Notification Schedule field, choose a notification schedule.
15. Click Submit.
16. Commit your changes.
2. In Services > IronPort Spam Quarantine, select HTTP, HTTPS, or both, enter the port
numbers, and optionally enable redirection of HTTP requests to HTTPS.
3. Enter the default URL that appears in email notifications. This example uses the hostname.
4. Click Submit.
5. Commit your changes.
3. In Positively Identified Spam Settings > Apply this Action to Message, select IronPort Spam
Quarantine. The Positively Identified Spam Settings field expands. It displays delivery
settings for the IronPort Spam Quarantine.
4. Use the default settings in the Positively Identified Spam field.
5. Leave the Suspected Spam Settings as you configured them.
6. Use default settings for Spam Thresholds.
7. Click Submit.
8. Commit your changes.
See Also
For more information about working with incoming mail policies, see Configuring the
Gateway to Receive Email in the IronPort AsyncOS for Email User Guide. For more
information about working with the IronPort Spam quarantine, see Quarantines in the
IronPort AsyncOS for Email User Guide. For more information about configuring IP interfaces,
see Accessing the Appliance in the IronPort AsyncOS for Email User Guide.
TASK 4: CONFIGURE END USER SAFELISTS AND BLOCKLISTS
The IronPort appliance allows you to send spam or suspected spam messages to the IronPort
Spam Quarantine; however, an end user may want to ensure that mail from a particular
sender is never treated as spam. Conversely, an end user may want to guarantee that certain
mail is always sent to the IronPort Spam Quarantine. For example, a user may be unable to
unsubscribe from an automated mailing list, and may want to block the list server's email
address. You can enable end users to create safelists and blocklists to better control which
emails are treated as spam. The end user safelist and blocklist settings are configured from the
IronPort Spam Quarantine, so you must have enabled and configured the IronPort Spam
Quarantine to use this feature.
Note When you enable the safelist/blocklist feature, each end user maintains a safelist and
blocklist for his or her email account.
Concepts
This task introduces concepts related to end user safelists and blocklists. Safelists allow a user
to ensure that certain users or domains are not treated as spam. Blocklists ensure that certain
users or domains are always treated as spam.
Goal
In this task, you enable safelists and blocklists in the IronPort Spam Quarantine, and you
configure a safelist and a blocklist for an end user account.
Note Steps 2 and 3 require that you log into an end user account to create a safelist. Ensure
that you have created an end user account that you can access to complete this task.
5. Specify the maximum list items per user. This value represents the maximum number of
addresses or domains a user can list in each safelist and blocklist. For example, a value of
100 would mean that the end user could add 100 terms in the safelist and 100 terms in
the blocklist.
6. Click Submit.
3. Select Safelist.
4. In the Safelist dialog box, enter an email address, subdomain, or domain.
Entries can be added to safelists and blocklists using the following formats:
user@domain.com
server.domain.com
domain.com
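The following is an added example, not AsyncOS code, showing how the three entry formats above can be matched against a sender address and how a safelist or blocklist hit changes the action the default policy would otherwise take on the anti-spam verdict. It assumes (these rules are the example's own, not taken from the guide) that a domain entry such as domain.com also covers its subdomains, that a safelist hit wins over a blocklist hit, and that the per-user item limit from step 5 defaults to 100.

```python
# Added example (not AsyncOS code): matching safelist/blocklist entries of the
# forms user@domain.com, server.domain.com and domain.com against a sender.
# Assumptions: a domain entry also covers its subdomains, a safelist hit wins
# over a blocklist hit, blocklisted mail goes to the spam quarantine, and the
# 'maximum list items per user' limit from step 5 defaults to 100.
from dataclasses import dataclass, field


def _normalize(value: str) -> str:
    return value.strip().lower()


@dataclass
class SenderList:
    """One end user's safelist or blocklist."""
    max_items: int = 100                       # per-user limit from step 5 (assumed default)
    entries: set[str] = field(default_factory=set)

    def add(self, entry: str) -> bool:
        """Add an entry; return False when the per-user limit is already reached."""
        entry = _normalize(entry)
        if not entry or any(ch.isspace() for ch in entry) or entry.count("@") > 1:
            raise ValueError(f"malformed entry: {entry!r}")
        if entry in self.entries:
            return True
        if len(self.entries) >= self.max_items:
            return False
        self.entries.add(entry)
        return True

    def matches(self, sender: str) -> bool:
        """True if the sender is listed as a full address, or by its domain or a parent domain."""
        sender = _normalize(sender)
        if "@" not in sender:
            return False
        if sender in self.entries:                          # user@domain.com
            return True
        domain = sender.rsplit("@", 1)[1]
        labels = domain.split(".")
        # server.domain.com, then domain.com; a bare top-level label is never an entry
        return any(".".join(labels[i:]) in self.entries for i in range(len(labels) - 1))


def decide_action(sender: str, verdict: str, safelist: SenderList, blocklist: SenderList) -> str:
    """Apply the end user's lists first, then map the IronPort Anti-Spam verdict
    ('positive', 'suspected' or 'clean') to the default-policy action of Task 3."""
    if safelist.matches(sender):
        return "deliver"
    if blocklist.matches(sender):
        return "quarantine"
    return {"positive": "quarantine",
            "suspected": "deliver-tagged",   # delivered with [SUSPECTED SPAM] prepended
            "clean": "deliver"}[verdict]
```

A sender listed in both lists is delivered under these assumptions; check the User Guide for the precedence the appliance actually applies before relying on that behaviour.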
2. Select Blocklist.
3. Enter the domain or email address you want to blocklist.
When the IronPort appliance receives mail from the specified email address or domain that
matches an entry in the blocklist, it treats the mail as spam. Because you configured AsyncOS
to quarantine blocklisted items, any items identified as blocklisted are quarantined.
TASK 5: QUARANTINE INCOMING VIRUS MESSAGES
You can configure the IronPort appliance to quarantine incoming virus messages. The Virus
quarantine stores messages marked by the anti-virus scanning engine as not scannable,
virus-positive, or encrypted. Like the anti-spam settings, you configure the IronPort appliance to
take different actions based on the results of the virus scan and the group of mail recipients.
For example, you might want to quarantine all virus-positive messages to the Technical
Support group, but drop all virus-positive messages sent to the Marketing group.
Concepts
This task presents concepts related to IronPort virus scanning and the Virus quarantine.
Unlike the IronPort Spam quarantine, the Virus quarantine can be accessed only by
administrators. The Virus quarantine is enabled by default, but you must configure anti-virus
scanning and quarantine settings in a mail policy to use the Virus quarantine. You also enable
notifications in the mail policy to allow administrators or end users to see that messages were
quarantined.
Goal
In this task, you activate IronPort virus scanning, and you configure the default mail policy to
deliver suspected virus email messages and drop confirmed virus email messages. You also
configure the default mail policy to quarantine virus messages and suspected virus messages.
3. Under Anti-Virus Settings, select Yes for Enable Anti-Virus Scanning for this Policy.
The anti-virus engines that you have licenses for are displayed.
4. Select an anti-virus engine.
5. Under Message Scanning, enter the following information:
Select Scan and Repair viruses from the menu.
Select Include an X-header with the Anti-Virus scanning results in messages.
6. Use the default settings for the Repaired Messages section.
7. Use the default settings for the Encrypted Messages section.
8. Scroll down to the Unscannable Messages section.
11. Enter the following information in the Virus Infected Messages section:
Action Applied to Message: Quarantine.
Archive Original Message: Yes.
Modify Message Subject: Select Prepend or Append, and enter the text into the text
field. For example, [WARNING: VIRUS DETECTED].
Other Notification: Recipient.
12. Click Submit.
The Default Mail Policy displays the anti-virus settings.
See Also
For more information about configuring anti-virus settings, see Anti-Virus in the IronPort
AsyncOS for Email User Guide. For more information about quarantines, see
Quarantines in the IronPort AsyncOS for Email User Guide.
TASK 6: STRIP SPECIFIED TYPES OF INCOMING EMAIL ATTACHMENTS
In addition to spam and virus filters, the IronPort appliance allows you to apply custom
scanning and email policies to messages by using content filters. You can use content filters to
analyze incoming email messages and take action based on a variety of factors. Content filters
can be enforced on different groups of users.
Concepts
This task introduces concepts related to the content filter. The content filter applies custom
filtering to messages after the anti-spam and anti-virus engines perform scans. Like anti-spam
and anti-virus policies, you create the content filter and then apply it to a group of users via a
mail policy.
Goal
In this task, you create a new content filter to strip a specified type of media attachment from
incoming messages, and then you add this filter to the default policy in the Email Security
Manager.
Note: Content Filters are custom email rules that scan a message for specific content or
recipients and then take actions based on the results of the scan.
6. Specify the action that the appliance takes when it encounters a flagged email message.
Select File type is.
In the drop-down menu, select mp3.
Enter a replacement message that is displayed to the recipient if an MP3
attachment is stripped from an email message. For example, [MP3 FILE DROPPED].
Click OK. The Edit Content Filter page displays the rule
drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]") in the Actions section of the
page.
7. Click Submit.
When you associate the content filter with a mail policy, it is applied to the appropriate
end users.
2. Click the Disabled link in the Content Filters column. The Mail Policies: Content Filters
page displays the content filter that you created.
3. Click Yes to enable content filtering on the policy. Verify that the Enable check box is
selected for the Remove_MP3 filter.
4. Click Submit.
The Incoming Mail Policies page displays a success message.
5. Commit your changes.
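As an added illustration of what this action does to a message (example code, not IronPort's; the page does not describe how the appliance recognises an MP3, so the extension, MIME-type and leading-bytes checks below are this example's own assumptions), the following Python strips every MP3 attachment from a constructed multipart message and leaves the replacement text in its place:

```python
"""Strip attachments of one file type from a MIME message and leave a text
placeholder in each one's place. Added illustration of the content-filter action
drop-attachments-by-filetype("mp3", "[MP3 FILE DROPPED]"); not IronPort code.
How a part is judged to be an MP3 (extension, MIME type, leading bytes) is this
example's assumption, not the appliance's documented matching rule."""
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser
from typing import List, Tuple


def looks_like_mp3(part: MIMEPart) -> bool:
    """Three independent signals, because a filename check alone is defeated
    by renaming the file: declared filename, declared MIME type, leading bytes."""
    name = (part.get_filename() or "").lower()
    if name.endswith(".mp3"):
        return True
    if part.get_content_type() in ("audio/mpeg", "audio/mp3"):
        return True
    data = part.get_payload(decode=True) or b""
    # ID3v2 tag, or an MPEG audio frame sync (11 set bits) at offset 0.
    return data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0)


DETECTORS = {"mp3": looks_like_mp3}  # one detector per supported file type


def _strip(container: MIMEPart, filetype: str, replacement: str) -> int:
    """Recurse through multipart containers, swapping each matching attachment
    for a text/plain part that carries the replacement message."""
    if not container.is_multipart():
        return 0
    detector = DETECTORS[filetype]
    dropped = 0
    parts = container.get_payload()  # the live list of sub-parts
    for i, part in enumerate(parts):
        if part.is_multipart():
            dropped += _strip(part, filetype, replacement)
        elif part.is_attachment() and detector(part):
            stub = MIMEPart(policy=policy.default)
            stub.set_content(replacement)
            parts[i] = stub
            dropped += 1
    return dropped


def drop_attachments_by_filetype(raw: bytes, filetype: str, replacement: str) -> Tuple[EmailMessage, int]:
    """Parse a raw message, strip matching attachments, and return the modified
    message together with the number of attachments dropped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg, _strip(msg, filetype, replacement)


def attachment_filenames(msg: EmailMessage) -> List[str]:
    return [p.get_filename() for p in msg.walk() if p.is_attachment() and p.get_filename()]


def placeholder_count(msg: EmailMessage, replacement: str) -> int:
    return sum(1 for p in msg.walk()
               if p.get_content_type() == "text/plain" and p.get_content().strip() == replacement)


def build_sample() -> bytes:
    """Constructed test message: one honestly labelled MP3, one PDF that must
    survive, and one MP3 renamed to .txt under a generic MIME type."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@company.com"
    msg["Subject"] = "Files"
    msg.set_content("See attached.")
    msg.add_attachment(b"ID3\x03\x00\x00fake audio", maintype="audio", subtype="mpeg", filename="song.mp3")
    msg.add_attachment(b"%PDF-1.4 fake report", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"ID3\x03\x00\x00renamed audio", maintype="application",
                       subtype="octet-stream", filename="song.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, n = drop_attachments_by_filetype(build_sample(), "mp3", "[MP3 FILE DROPPED]")
    print(f"dropped {n} attachment(s); remaining: {attachment_filenames(cleaned)}")
    print(cleaned.as_string())
```

The constructed message includes an MP3 renamed to .txt to show why a filename-only rule is weak: the renamed file is caught only by the leading-bytes check. As with the appliance, the stripping takes effect only once the filter is enabled on a mail policy, as in steps 2 to 5 above.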
logs in real time. For more information on mail flow monitoring, see Email Security
Manager in the IronPort AsyncOS for Email User Guide.
See Also
For more information about content filters and the Email Security Manager, see Email
Security Manager in the IronPort AsyncOS for Email User Guide.
TASK 7: ENFORCE AN OUTGOING EMAIL POLICY
The IronPort appliance allows you to enforce a policy for outgoing mail that quarantines
messages that may contain sensitive information or violate your company's email policies. For
example, you can quarantine all messages that contain Social Security numbers. Content
filters can analyze outgoing messages for particular data patterns and take action based on the
scanned content.
Concepts
This task introduces concepts related to the content dictionary and smart identifiers. Content
dictionaries are lists of terms you define to scan messages, message headers, and message
attachments in order to take action in accordance with your company's email policies. You
can also add smart identifiers to a content dictionary. Smart identifiers are algorithms that
search for patterns in data that correspond to common numeric patterns, such as Social
Security numbers and credit card numbers. Smart identifiers work more effectively than
regular expressions because they use mathematical checks to verify that a matched number is
valid according to the issuing authority's rules, rather than merely matching its shape.
For each term or smart identifier, you can specify a weight so that terms or smart identifiers
can trigger filter actions more easily. When AsyncOS scans messages for the dictionary terms
or smart identifiers, it scores the message by multiplying the number of instances by the
weight of the term or identifier.
Then, when you add filter rules that search for patterns in content, you specify a minimum
threshold value for triggering the filter action. When you search for both smart identifiers and
content dictionary terms, the scanning engine combines the scores of the identifiers and
dictionary terms to create the total weight. If the minimum threshold is met, the filter action is
triggered. If the threshold is not met, the expression does not evaluate to true.
Goal
In this task, you create a new content filter that uses content dictionary terms and smart
identifiers to identify outgoing emails that violate PCI compliance guidelines. You configure
the content filter to quarantine emails that show patterns in data corresponding to credit card
numbers and that include terms related to credit cards. After you create the content dictionary
and content filter, you add the content filter to the default outgoing mail policy.
6. In the Dictionary section, add the following dictionary terms in the Add Terms field, and
specify the following weight for each term:
Term
Weight
10
PIN
CCN
When you specify a weight for a dictionary term, consider the threshold value you will
configure to trigger the content filter action. For example, if you configure the threshold
value as 10, you might specify a weight of 10 for terms that always trigger the filter action,
and specify a weight of 5 for terms that do not trigger the filter action by themselves. For
example, a message that contains the terms PIN and CCN would cause the message to be
quarantined, but a message containing only one of these terms would not cause the
message to be quarantined.
7. Click Submit.
8. Commit your changes.
6. Select Contains term in content dictionary, and choose the PCI_Compliance content
dictionary you created.
7. In the Number of matches required field, enter 10.
The number of matches is based on the weight of the term. If you enter 10 in the number
of matches field, one dictionary term with a weight of 10 will trigger the filter condition,
or two dictionary terms with a weight of 5 each will trigger the filter condition.
8. Click OK.
9. Click Add Action.
The Add Action page is displayed.
10. Select Quarantine.
11. In the Send Message to the Quarantine field select the Policy quarantine.
12. Click OK.
13. Click Submit.
14. Commit your changes.
The Outgoing Content Filters page displays the PCI_Compliance content filter.
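The following added example (Python, not AsyncOS code) models the scoring described in the Concepts section and applied in steps 6 and 7 above: each dictionary term contributes occurrences multiplied by weight, a credit-card smart identifier adds its own weight for every number that passes a validity check, and the filter fires when the total reaches the threshold of 10. The Luhn mod-10 check stands in for the appliance's own validity calculation, and the dictionary terms other than PIN and CCN, the identifier's weight, and case-insensitive whole-word matching are assumptions of the example:

```python
"""Score a message against a weighted content dictionary plus a credit-card
smart identifier, then apply a minimum threshold. Added example for the Concepts
section and steps 6-7; not AsyncOS code. The term list beyond PIN and CCN, the
identifier weight, whole-word case-insensitive matching and the Luhn check are
this example's assumptions; weights 10 and 5 and the threshold 10 follow the page."""
import re
from typing import Dict, List, Tuple

# Constructed dictionary: a weight-10 term fires the filter alone, weight-5 terms need a partner.
PCI_DICTIONARY: Dict[str, int] = {"credit card number": 10, "PIN": 5, "CCN": 5}
CARD_IDENTIFIER_WEIGHT = 10   # assumed weight for each validated card-number match
THRESHOLD = 10                # "Number of matches required" from step 7

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card issuers. A random digit string passes it
    only one time in ten, which is what lets the identifier beat a bare regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit strings that are shaped like card numbers and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def score_message(text: str, dictionary: Dict[str, int] = PCI_DICTIONARY,
                  identifier_weight: int = CARD_IDENTIFIER_WEIGHT) -> Tuple[int, Dict[str, int]]:
    """Total = sum over terms of (occurrences * weight) + identifier matches * weight.
    The per-term breakdown is returned so a quarantine verdict can be explained."""
    breakdown: Dict[str, int] = {}
    lowered = text.lower()
    for term, weight in dictionary.items():
        hits = len(re.findall(r"\b" + re.escape(term.lower()) + r"\b", lowered))
        if hits:
            breakdown[term] = hits * weight
    cards = find_card_numbers(text)
    if cards:
        breakdown["credit-card identifier"] = len(cards) * identifier_weight
    return sum(breakdown.values()), breakdown


def filter_fires(text: str, threshold: int = THRESHOLD) -> bool:
    """The condition from step 7: the combined weight must reach the threshold."""
    return score_message(text)[0] >= threshold


# Constructed outgoing messages, one per rule in the explanation above.
SAMPLES = [
    "Customer PIN reset request",                    # one weight-5 term: below threshold
    "Please update the CCN and PIN on file",         # 5 + 5 = 10: fires
    "Card 4111 1111 1111 1111 exp 12/09",            # Luhn-valid number: fires
    "Order ref 4111 1111 1111 1112 shipped today",   # fails Luhn: digits alone do not fire
]

if __name__ == "__main__":
    for s in SAMPLES:
        total, why = score_message(s)
        verdict = "QUARANTINE" if filter_fires(s) else "deliver"
        print(f"{verdict:10s} score={total:2d} {why}  <- {s!r}")
```

The fourth sample is the case the Concepts section is about: a 16-digit string that a regular expression would flag but that fails the issuer's checksum, so it adds nothing to the score.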
You associate the content filter with a mail policy so that it is applied to the appropriate
end users. In this example, the content filter is applied to the Default policy.
2. On the default policy, click the Disabled link in the Content Filters column. The Mail
Policies: Content Filters page displays a list of available content filters. The
PCI_Compliance filter appears in this list.
3. Click Yes to enable content filtering for the policy. Verify that the Enable check box is
selected for the PCI_Compliance filter.
4. Click Submit.
The Outgoing Mail Policies page displays a success message.
5. Commit your changes.
See Also
For more information about content dictionaries, see Text Resources in the IronPort
AsyncOS for Email User Guide. For more information about smart identifiers, see Policy
Enforcement in the IronPort AsyncOS for Email User Guide.
TASK 8: ADD A DOMAIN TO ACCEPT MAIL
In this task, you configure the IronPort appliance to receive mail for another domain. Many
enterprise gateways are configured to receive messages for several local domains. For
example, if your company changes its name, it needs to receive mail for the old domain name
and the new domain name.
Concepts
Incoming and outgoing mail is received through a listener, an email processing service that is
configured on a particular IP interface. When you add accessibility for a new domain to the
IronPort appliance, you must add entries to two tables. One table, the Recipient Access Table
(RAT), specifies the mail recipients for the domain. It defines which recipients will be
accepted by a public listener. The table specifies the address (which may be a partial address
or host name) and whether to accept or reject it. The other table, the Host Access Table
(HAT), maintains a set of rules that control incoming connections from remote hosts for a
listener. You add an SMTP route to enable email for the new domain to be routed to the
correct mail exchange host. SMTP routes allow you to redirect all email for a particular
domain to a different mail exchange (MX) host.
Goal
In this task, you add accessibility to the IronPort appliance for a new domain. You do this by
adding an entry for the domain in the RAT, the HAT, and the SMTP Routes table.
Destination Hosts: Enter the IP address or host name of the MUA that will receive
the mail for the receiving domain. For example, enter exchange.company.com.
Outgoing SMTP Authentication: Use default settings.
4. Click Submit.
The SMTP Routes page displays the new SMTP route.
See Also
For more information about configuring listeners and working with the RAT and the HAT, see
Configuring the Gateway to Receive Email in the IronPort AsyncOS for Email User Guide.
TASK 9: ADD A DISCLAIMER TO OUTGOING MAIL
You can use the IronPort appliance to add footer text to outgoing or incoming messages. For
example, you can append a copyright statement, promotional statement, or disclaimer to
messages sent from your network.
Concepts
To add an outgoing disclaimer, you create a disclaimer text resource and associate it with a
private listener.
IronPort AsyncOS differentiates between public listeners which, by default, can receive
email from the Internet and private listeners that accept email only from internal systems
such as groupware, POP and IMAP, and other message generation systems.
Goal
To add an outgoing disclaimer, you first create a text resource and then associate the text
resource with the private (outgoing) listener.
The Text Resources page is displayed with the disclaimer text resource.
4. Commit your changes.
3. Select Confidential from the Disclaimer Below menu to display the disclaimer at the
bottom of messages.
4. Click Submit.
5. Commit your changes.
See Also
For more information about working with message stamping, see Text Resources in the
IronPort AsyncOS for Email User Guide.
TASK 10: CONFIGURE A SCHEDULED REPORT
You can run a variety of reports to track activity on your IronPort appliance. You can track the
flow of mail using incoming and outgoing mail summary reports, outgoing destinations,
outgoing senders' domains, and sender groups. You can track virus activity using the Virus
Types report and the Virus Outbreak report. You can also track user activity using the Internal
Users Summary report and the Content Filters report. You can also track system activity using
an Executive Summary report and track system health using the System Capacity report.
Concepts
The IronPort appliance allows you to track activity by using reports. You can also use reports
to monitor the effectiveness of the appliance and view trends in the mail flow.
This task introduces the TLS Connections report. This report shows the overall usage of TLS
connections for sent and received mail. The report also shows details for each domain
sending mail using TLS connections.
Goal
In this task, you schedule a daily TLS Connections report.
3. Select a Report type from the menu. For example, you might use the TLS Connections
report to view the overall usage of TLS connections for emails sent to your network.
For more information about generating and managing reports, see the section about reporting
in Using the Email Security Monitor in the IronPort AsyncOS for Email User Guide.
CHAPTER 4: ADVANCED TASKS
This chapter contains the following sections:
Task 11: Access the Command Line Interface on page 52
Task 12: Use the CLI on page 55
Task 13: Retrieve and Use Mail Logs on page 60
Task 14: Configure Email Alerts on page 63
Task 15: Upgrade the IronPort Appliance on page 65
TASK 11: ACCESS THE COMMAND LINE INTERFACE
The IronPort AsyncOS Command Line Interface (CLI) provides a set of management
commands through a text-based interactive interface. You connect to the CLI using telnet or
Secure Shell (SSH). SSH is encrypted and provides better security.
Concepts
The CLI and the GUI contain many of the same functions, but some advanced tasks are
available only in the CLI. To use the CLI, you must first enable it from the GUI.
Note: Do not run multiple concurrent CLI or GUI sessions. Doing so will cause unexpected
behavior and is not supported.
Goal
In this task, you enable and access the CLI. To use the CLI, you need to:
Enable the CLI to use SSH or telnet.
Connect to the configured IP address using telnet or SSH.
2. In the Services field, select SSH and Telnet, and enter port numbers.
Telnet uses port 25. SSH uses port 22. When you select both options, you can connect to
the IP address using either telnet or SSH.
3. Use telnet or SSH to connect to the Management interface.
Initially, only the admin user account has access to the CLI. You can add other users when
you access the CLI through the admin account.
4. In the CLI, enter your username and password to log in to the appliance.
See Also
For more information about the CLI, see the IronPort AsyncOS CLI Reference Guide.
TASK 12: USE THE CLI
You can perform many advanced tasks in the CLI, such as testing connectivity, viewing system
status, and controlling services.
Concepts
You can use the CLI to complete the following types of tasks:
Connectivity. You can test connectivity using the telnet command. You can use the
traceroute command to test connectivity to a network host from the appliance and
debug routing issues with network hops.
System status. You can use the status command to determine the status of the IronPort
appliance. You use the tophosts command to view information about the email queue
and determine if a particular recipient host has delivery problems, such as a queue
buildup.
Control services. Use the suspendlistener and resumelistener commands to stop
and restart listeners if you need to troubleshoot a mail processing problem.
Goal
In this task, you run commands to test connectivity, review system status details, and suspend
and resume listeners.
Testing Connectivity
The IronPort appliance allows you to use several common network diagnostic tools, such as
telnet, ping, and traceroute. You can use telnet to connect to a remote host. You can
use ping to test whether a particular host is reachable across an IP network. You can use
traceroute to display a network route to a remote host.
Use these commands to debug network connectivity from the IronPort appliance. For
example, you can ensure that your diagnostics are not affected by firewalls or other rules that
may treat the IronPort appliance differently from a workstation.
Ping a Network Host
Use the traceroute command to test connectivity to a network host from the appliance and
debug routing issues with network hops.
1. From the CLI, enter traceroute <network host name>.
2. Press Ctrl+C to stop the trace.
3. Review the traceroute statistics.
Table 4-2 Example of the traceroute Command
From the CLI, enter status detail to retrieve detailed status of the IronPort appliance.
Table 4-4 Example of the status Command
                                Reset      Uptime     Lifetime
Messages Received               22,119     1,267      22,119
Recipients Received             22,651     1,324      22,651
Gen. Bounce Recipients          81         7          81
For more information about counters, see the IronPort AsyncOS for Email User Guide.
Using the tophosts Command
To view immediate information about the email queue and determine if a particular recipient
host has delivery problems such as a queue buildup use the tophosts command. The
tophosts command returns a list of the top 20 recipient hosts in the queue. The list can be
sorted by a number of statistics, including active recipients, connections out, delivered
recipients, soft bounced events, and hard bounced recipients.
To use the tophosts command:
1. From the CLI, enter tophosts.
The CLI displays a list of sorting options.
2. Sort the hosts by connections out.
The CLI returns a list of hosts in order of the connections out.
Table 4-5 Example of the tophosts Command
mga.company.com> tophosts
Sort results by:
1. Active Recipients
2. Connections Out
3. Delivered Recipients
4. Hard Bounced Recipients
5. Soft Bounced Events
[1]> 2
Status as of:                  Thu Mar 30 13:23:42 2006 PST
Hosts marked with '*' were down as of the last delivery attempt.
                               Active  Conn.  Deliv.  Soft     Hard
#   Recipient Host             Recip.  Out    Recip.  Bounced  Bounced
1   yahoo.com                  0       0      2       0        0
2   hotmail.com                0       0      128     76       5
3   mail.example.com           0       0      889     0        0
You can retrieve the information from these commands in an XML format by using a GUI
request. For example, you can retrieve the information from the status command with the
URL http://<hostname>/xml/status. Other useful commands for gathering email
monitoring statistics include hoststatus and topin. For information on using XML pages to
gather email monitoring statistics, see Gathering XML Status from the GUI in the IronPort
AsyncOS User Guide.
mga.company.com> suspendlistener
Enter the number of seconds to wait before abruptly closing
connections.
[30]>
Waiting for listeners to exit...
Receiving suspended for External.
mga.company.com> resumelistener
Mail delivery resumed.
Other useful commands for stopping mail delivery from the appliance include suspenddel
and resumedel.
TASK 13: RETRIEVE AND USE MAIL LOGS
AsyncOS offers extensive logging capabilities, and it makes these logs available through a
variety of interfaces. Logs record information about mail flow, operation of various software
systems on the appliance, CLI and GUI usage, and the AsyncOS system itself. By default,
AsyncOS records, archives, and purges old log files. You can view and search the logs,
change the options for how much detail is recorded to the logs, and how the files themselves
are handled on disk.
Concepts
This task introduces the tail command, which allows you to view log details in real time. It
also introduces the grep command, which allows you to search through logs for specific
details. In addition, it introduces methods for retrieving logs.
Goal
In this task, you view the logs in real time through the CLI, search logs for information, and
retrieve logs using different formats.
Viewing Logs
To view the logs in real-time as they are written to the log files, use the syntax in Table 4-7.
Table 4-7 Example of tail Command
23365 - 4.1.0 Sender address
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.39.133.191) address 86.203.229.163 reverse dns host alagny-154-170-163.w86-203.abo.wanadoo.fr verified yes
Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <mduffm@309s.com>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 Message-ID '<000001c61ea1$2ec70280$0100007f@localhost>'
Sat Jan 21 02:43:17 2006 Info: MID 13276 Subject 'Hey bro, check out the huge sale these guys are offering'
Sat Jan 21 02:43:17 2006 Info: MID 13276 ready 9637 bytes from <mduffm@309s.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 matched all recipients for per-recipient policy EUQ Testers in the inbound table
Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
Sat Jan 21 02:43:17 2006 Info: EUQ: Tagging MID 13276 for quarantine
Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
Sat Jan 21 02:43:17 2006 Info: MID 13276 queued for delivery
Sat Jan 21 02:43:18 2006 Info: Start delivery of MID 13276 over RPC connection 8572
Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
Sat Jan 21 02:43:18 2006 Info: Delivery of MID 13276 over RPC completed on connection 8572
Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
Sat Jan 21 02:43:19 2006 Info: ICID 23441 close
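As an added example of what a grep over these lines reassembles by hand, the Python below (not an IronPort tool) parses the Table 4-7 records, each re-joined onto one line, into one record per connection (ICID) and per message (MID), so that the sender group, SBRS score, spam verdict and quarantine outcome for a message can be read together. The regular expressions and field names are assumptions drawn only from the log lines shown here:

```python
"""Turn AsyncOS mail-log lines into per-connection (ICID) and per-message (MID)
records. Added example, not an IronPort tool; the regexes and field names are
assumptions derived only from the log lines shown on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: records from Table 4-7, each re-joined onto one line.
SAMPLE_LOG = """\
Sat Jan 21 02:43:03 2006 Info: New SMTP ICID 23441 interface External (66.39.133.191) address 86.203.229.163 reverse dns host alagny-154-170-163.w86-203.abo.wanadoo.fr verified yes
Sat Jan 21 02:43:03 2006 Info: ICID 23441 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.2
Sat Jan 21 02:43:04 2006 Info: Start MID 13276 ICID 23441
Sat Jan 21 02:43:04 2006 Info: MID 13276 ICID 23441 From: <mduffm@309s.com>
Sat Jan 21 02:43:05 2006 Info: MID 13276 ICID 23441 RID 0 To: <bob@company.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 Subject 'Hey bro, check out the huge sale these guys are offering'
Sat Jan 21 02:43:17 2006 Info: MID 13276 ready 9637 bytes from <mduffm@309s.com>
Sat Jan 21 02:43:17 2006 Info: MID 13276 matched all recipients for per-recipient policy EUQ Testers in the inbound table
Sat Jan 21 02:43:17 2006 Info: MID 13276 using engine: CASE spam positive
Sat Jan 21 02:43:17 2006 Info: EUQ: Tagging MID 13276 for quarantine
Sat Jan 21 02:43:17 2006 Info: MID 13276 antivirus negative
Sat Jan 21 02:43:18 2006 Info: EUQ: Quarantined MID 13276
Sat Jan 21 02:43:18 2006 Info: Message finished MID 13276 done
Sat Jan 21 02:43:19 2006 Info: ICID 23441 close
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<text>.*)$")
NEW_CONN_RE = re.compile(r"New SMTP ICID (\d+) interface (\S+) \(\S+\) address (\S+)")
HAT_RE = re.compile(r"ICID (\d+) (\w+) SG (\S+) match \S+(?: SBRS (\S+))?")
# (pattern, attribute, converter): group 1 is the MID, group 2 the value.
MID_RULES = [
    (re.compile(r"Start MID (\d+) ICID (\d+)"), "icid", int),
    (re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>"), "sender", str),
    (re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>"), "recipients", None),  # appended
    (re.compile(r"MID (\d+) Subject '(.*)'"), "subject", str),
    (re.compile(r"MID (\d+) ready (\d+) bytes"), "size", int),
    (re.compile(r"MID (\d+) using engine: (.+)"), "spam_verdict", str),
    (re.compile(r"MID (\d+) antivirus (\w+)"), "av_verdict", str),
    (re.compile(r"EUQ: Quarantined MID (\d+)()"), "quarantined", lambda _: True),
    (re.compile(r"Message finished MID (\d+)()"), "finished", lambda _: True),
]


@dataclass
class Connection:
    icid: int
    interface: str = ""
    remote_ip: str = ""
    verdict: str = ""        # HAT access rule applied, e.g. ACCEPT
    sender_group: str = ""
    sbrs: Optional[float] = None


@dataclass
class Message:
    mid: int
    icid: Optional[int] = None
    sender: str = ""
    recipients: List[str] = field(default_factory=list)
    subject: str = ""
    size: Optional[int] = None
    spam_verdict: str = ""
    av_verdict: str = ""
    quarantined: bool = False
    finished: bool = False


def parse_mail_log(lines) -> Tuple[Dict[int, Connection], Dict[int, Message]]:
    conns: Dict[int, Connection] = {}
    msgs: Dict[int, Message] = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # wrapped fragments and non-record lines are skipped
        text = m["text"]
        hit = NEW_CONN_RE.match(text)
        if hit:
            conns[int(hit[1])] = Connection(int(hit[1]), interface=hit[2], remote_ip=hit[3])
            continue
        hit = HAT_RE.match(text)
        if hit:
            c = conns.setdefault(int(hit[1]), Connection(int(hit[1])))
            c.verdict, c.sender_group = hit[2], hit[3]
            c.sbrs = float(hit[4]) if hit[4] not in (None, "None") else None
            continue
        for pat, attr, conv in MID_RULES:
            hit = pat.match(text)
            if hit:
                rec = msgs.setdefault(int(hit[1]), Message(int(hit[1])))
                if conv is None:
                    rec.recipients.append(hit[2])
                else:
                    setattr(rec, attr, conv(hit[2]))
                break
    return conns, msgs


def quarantined_spam(msgs: Dict[int, Message]) -> List[int]:
    """MIDs the spam engine flagged positive that actually landed in quarantine."""
    return sorted(mid for mid, r in msgs.items() if "spam positive" in r.spam_verdict and r.quarantined)


if __name__ == "__main__":
    conns, msgs = parse_mail_log(SAMPLE_LOG.splitlines())
    for r in msgs.values():
        print(r, conns.get(r.icid))
    print("quarantined spam:", quarantined_spam(msgs))
```

Fed a log file retrieved by FTP or SCP as described below, the same parser answers the questions a grep for a MID would, but with the connection-level facts (sender group, SBRS score, HAT verdict) joined to the message; lines that are not full records, such as the wrapped fragments at the head of the table, are skipped.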
You can retrieve log files directly from the appliance using either an FTP or an SCP client. On
the Network > IP Interfaces page, you can enable both the FTP and the SSH (for SCP) services.
After you enable the service, you can connect to the IronPort appliance using the FTP or SCP
client to browse and retrieve log files.
Other types of files are available for download, including saved configuration files, archive
mailboxes created by different filter commands, and saved reports.
Configuring Log Subscriptions
By default, the appliance is configured to roll over the log files when they reach a specified
size, and it stores up to 10 old log files. You can configure the log settings to reduce or
increase the number and size of the log files. You can also configure the appliance to push
logs to a remote server for further archiving and processing.
Log subscriptions can be managed through the logconfig CLI command and through the
GUI on the System Administration > Log Subscriptions page.
See Also
For more information, see Logging in the IronPort AsyncOS for Email Advanced User
Guide.
TASK 14: CONFIGURE EMAIL ALERTS
You can configure the IronPort appliance to send email-based alerts when errors and other
types of events occur.
Concepts
The IronPort appliance can send informational and error alerts. You can configure these alerts
based on the information you want to receive and the users who need to receive the
information. Different levels of alerts can be delivered to different recipients.
Goal
In this task, you view email alerts and add a recipient for the email alerts.
Alerts Page
Figure 4-1 shows the default configuration for email alerts. You can configure the system to
deliver a different set of alerts to another email address. To do this, click Add Recipient.
Figure 4-2
On this page, you choose the recipient to receive alerts and the level and type of alert
messages to send to that recipient. After you select the alerts, click the Submit button and
commit your changes.
See Also
For more information about alerts, see System Administration in the IronPort AsyncOS for
Email User Guide.
TASK 15: UPGRADE THE IRONPORT APPLIANCE
You can use either the CLI or the GUI to perform system upgrades. In the CLI, use the
upgrade command. In the GUI, select System Administration > System Upgrades. The
system checks for available upgrades and provides a choice of upgrade versions. While the
IronPort appliance performs the upgrade, it continues to process mail. The upgrade requires a
reboot, which you can perform at a convenient time.
Note that upgrades require download of a significant amount of data. Depending on the
speed of your Internet connection, the download can take from several minutes to over an
hour. For some sites, it is easier to perform upgrades from the CLI. This allows you to watch
the upgrade events more closely than when you perform the upgrade from the GUI.
See Also
For more information about upgrading the IronPort appliance, see System Administration in
the IronPort AsyncOS for Email User Guide.
For information about upgrading IronPort appliances that belong to a centralized
management cluster, see System Administration in the IronPort AsyncOS for Email User
Guide.