AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
March 14, 2016
Cisco Systems, Inc. www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
CHAPTER 1 Getting Started with the Cisco Email Security Appliance: What’s New in This Release; Where to Find More Information; Documentation; Training; Cisco Notification Service; Knowledge Base; Cisco Support Community; Cisco Customer Support; Third Party Contributors; Cisco Welcomes Your Comments; Registering for a Cisco Account; Cisco Email Security Appliance Overview; Supported Languages
CHAPTER 2 Accessing the Appliance: Web-based Graph
Configuration Scenarios; Preparing for System Setup; Determine Method for Connecting to the Appliance; Determining Network and IP Address Assignments; Gathering the Setup Information; Using the System Setup Wizard; Accessing the Web-Based Graphical User Interface (GUI); Defining Basic Configuration Using the Web-Based System Setup Wizard; Setting up the Connection to Active Directory; Proceeding to the Next Steps; Accessing the Command Line Interface (CLI); Run
Domain-Based Limits; Domain-Based Routing; Global Unsubscribe; Bounce Limits
CHAPTER 5 Configuring the Gateway to Receive Email: Overview of Configuring the Gateway to Receive Email; Working with Listeners; Configuring Global Settings for Listeners; Settings for Messages Containing Multiple Encodings: localeconfig; Listening for Connection Requests by Creating a Listener via the GUI; Partial Domains, Default Domains, and Malformed MAIL FROMs; Listen
Handling Messages from a Group of Senders in the Same Manner; Creating a Sender Group for Message Handling; Adding a Sender to an Existing Sender Group; Rearranging the Order of the Rules to Perform for Incoming Connections; Searching for Senders; Defining Rules for Incoming Messages Using a Mail Flow Policy; Defining Default Values for Mail Flow Policies; Working with the Host Access Table Configuration; Exporting the Host Access Table Configuration to an Externa
Message Filter Example Syntax; Message Filter Processing; Message Filter Order; Message Header Rules and Evaluation; Message Bodies vs.
Policy Enforcement Filters; Routing and Domain Spoofing; Configuring Scan Behavior
CHAPTER 10 Mail Policies: Overview of Mail Policies; How to Enforce Mail Policies on a Per-User Basis; Handling Incoming and Outgoing Messages Differently; Matching Users to a Mail Policy; First Match Wins; Examples of Policy Matching; Message Splintering; Managed Exceptions; Configuring Mail Policies; Configuring the Default Mail Policy for Incomin
Detection Methods; Virus Descriptions; Sophos Alerts; When a Virus is Found; McAfee Anti-Virus Filtering; Pattern-Matching Virus Signatures; Encrypted Polymorphic Virus Detection; Heuristics Analysis; When a Virus is Found; How to Configure the Appliance to Scan for Viruses; Enabling Virus Scanning and Configuring Global Settings; Configuring Virus Scanning Actions for Users; Configuring the Anti-Virus Policies for Different Groups of Senders and Rec
Enabling Different Anti-Spam Scanning Engines in Different Mail Policies: Configuration Example; Protecting Appliance-Generated Messages From the Spam Filter; Headers Added During Anti-Spam Scanning; Reporting Incorrectly Classified Messages to Cisco Systems; Determining Sender IP Address In Deployments with Incoming Relays; Example Environments with Incoming Relays; Configuring the Appliance to Work with Incoming Relays; How Incoming Relays Affect Functionality
Outbreak Filters Overview and Rules Listing; Outbreak Quarantine; Alerts, SNMP Traps, and Outbreak Filters; Troubleshooting The Outbreak Filters Feature; Reporting Incorrectly Classified Messages to Cisco; Multiple Attachments and Bypassed Filetypes; Message and Content Filters and the Email Pipeline
CHAPTER 15 URL Filtering: Overview of URL Filtering; Which URLs Are Evaluated; Setting Up URL Filtering; Requirements for URL Filtering; En
Reporting Uncategorized and Misclassified URLs; Future URL Category Set Changes
CHAPTER 16 File Reputation Filtering and File Analysis: Overview of File Reputation Filtering and File Analysis; File Threat Verdict Updates; File Processing Overview; Which Files Are Evaluated and Analyzed?; FIPS Compliance; Configuring File Reputation and Analysis Features; Requirements for Communication with File Reputation and Analysis Services; Enabling and Config
RSA Email DLP; How to Set Up Data Loss Prevention for Deployments Using RSA Email DLP; Enabling Data Loss Prevention (RSA Email DLP); DLP Policies for RSA Email DLP; DLP Policy Description; Predefined DLP Policy Templates; Setting Up RSA Email DLP Using a Wizard; Creating a DLP Policy Using a Predefined Template; Creating a Custom DLP Policy (Advanced); About Defining Disallowed Content Using Content Matching Classifiers; Filtering Messages for DLP Polici
Troubleshooting Data Loss Prevention; Enterprise Manager Disconnects the Email Security Appliance; RSA Email DLP Fails to Detect Violations in Email Attachments
CHAPTER 18 Cisco Email Encryption: Overview of Cisco Email Encryption; How to Encrypt Messages with a Local Key Server; Encryption Workflow; Encrypting Messages using the Email Security Appliance; Enabling Message Encryption on the Email Security Appliance; Configuring How a Key Service Hand
Setting Up Public Keys for Verifying Signed Messages; Enabling S/MIME Decryption and Verification; Configuring an Action for S/MIME Decrypted or Verified Message; S/MIME Certificate Requirements; Certificate Requirements for Signing; Certificate Requirements for Encryption; Exporting Public Keys
CHAPTER 20 Email Authentication: Email Authentication Overview; DomainKeys and DKIM Authentication; DomainKeys and DKIM Authentication Workflow
DMARC Verification Workflow in AsyncOS for Email; How to Verify Incoming Messages Using DMARC
CHAPTER 21 Text Resources: Overview of Text Resources; Content Dictionaries; Text Resources; Message Disclaimer Stamping; Content Dictionaries; Dictionary Content; Importing and Exporting Dictionaries as Text Files; Adding Dictionaries; Deleting Dictionaries; Importing Dictionaries; Exporting Dictionaries; Using and Testing the Content Di
Enabling a Listener to Validate Incoming Mail Via the SMTP Server; Configuring LDAP Routing Query Settings; SMTP Call-Ahead Query Routing; Bypassing SMTP Call-Ahead Validation for Certain Users or Groups
CHAPTER 23 Encrypting Communication with Other MTAs: Overview of Encrypting Communication with Other MTAs; How to Encrypt SMTP Conversations using TLS; Obtaining Certificates; Intermediate Certificates; Certificates and Centralized Management; Cre
SMTP Routes and DNS; SMTP Routes and Alerts; SMTP Routes, Mail Delivery, and Message Splintering; SMTP Routes and Outbound SMTP Authentication; Managing SMTP Routes to Send Outbound Email Using the GUI; Rewriting Addresses; Creating Alias Tables; Configuring an Alias Table from the Command Line; Exporting and Importing an Alias Table; Deleting Entries from the Alias Table; Configuring Masquerading; Masquerading and altsrchost; The Domain Map F
Review: Email Pipeline
CHAPTER 25 LDAP Queries: Overview of LDAP Queries; Understanding LDAP Queries; Understanding How LDAP Works with AsyncOS; Configuring the Cisco IronPort Appliance to Work with an LDAP Server; Creating LDAP Server Profiles to Store Information About the LDAP Server; Testing LDAP Servers; Enabling LDAP Queries to Run on a Particular Listener; Enhanced Support for Microsoft Exchange 5.
Configuring AsyncOS for SMTP Authentication; Configuring SMTP Authentication; Configuring an SMTP Authentication Query; SMTP Authentication via Second SMTP Server (SMTP Auth with Forwarding); SMTP Authentication with LDAP; Authenticating SMTP Sessions Using Client Certificates; Outgoing SMTP Authentication; Logging and SMTP Authentication; Configuring External LDAP Authentication for Users; User Accounts Query; Group Membership Queries; Aut
Configuration Changes in FIPS Mode; Switching the Appliance to FIPS Mode; Encrypting Sensitive Data in FIPS Mode; Checking FIPS Mode Compliance; Managing Certificates and Keys; Managing Keys for DKIM Signing and Verification; DKIM Signing; DKIM Verification
CHAPTER 28 Using Email Security Monitor: Email Security Monitor Overview; Email Security Monitor and Centralized Management; Email Security Monitor Pages; Searching and Email Security Mon
Setting the Return Address for Reports; Managing Reports; Scheduled Reports; Archived Reports; Troubleshooting Email Reports
CHAPTER 29 Tracking Messages: Message Tracking Overview; Enabling Message Tracking; Searching for Messages; Working with Message Tracking Search Results; Message Details; Checking Message Tracking Data Availability; About Message Tracking and Upgrades; Troubleshooting Message Tracking; Attachments Do
Viewing Messages in Quarantines; Finding Messages in Policy, Virus, and Outbreak Quarantines; Manually Processing Messages in a Quarantine; Messages in Multiple Quarantines; Message Details and Viewing Message Content; About Rescanning of Quarantined Messages; The Outbreak Quarantine
CHAPTER 31 Spam Quarantine: Overview of the Spam Quarantine; Local Versus External Spam Quarantine; Setting Up the Local Spam Quarantine; Enabling and Conf
Disk Space for the Spam Quarantine; About Disabling the Spam Quarantine; Troubleshooting Spam Quarantine Features
CHAPTER 32 Distributing Administrative Tasks: Working with User Accounts; User Roles; Managing Users; Managing Custom User Roles for Delegated Administration; Account Privileges Page; Assigning Access Privileges; Defining a Custom User Role; Defining a Custom User Role When Adding a User Account; Updating Responsibilities
Resetting to Factory Defaults; Displaying the Version Information for AsyncOS; Feature Keys; Adding and Managing Feature Keys; Automating Feature Key Download and Activation; Expired Feature Keys; Cisco Email Security Virtual Appliance License; Virtual Appliance License Expiration; Managing the Configuration File; Managing Configuration Files Using the GUI; CLI Commands for Configuration Files; Managing Disk Space; (Virtual Appliances Only) Inc
Reverting AsyncOS; Configuring the Return Address for Appliance Generated Messages; Alerts; AutoSupport; Alert Delivery; Adding Alert Recipients; Configuring Alert Settings; Viewing Recent Alerts; Alert Descriptions; Changing Network Settings; Changing the System Hostname; Configuring Domain Name System (DNS) Settings; Configuring TCP/IP Traffic Routes; Configuring the Default Gateway; Configuring SSL Settings; Disabling SSLv3 for En
Identifying Active TCP/IP Services; Managing the Email Queue; Deleting Recipients in Queue; Bouncing Recipients in Queue; Redirecting Messages in Queue; Showing Messages Based on Recipient in Queue; Suspending Email Delivery; Resuming Email Delivery; Suspending Receiving Email; Resuming Receiving Email; Resuming Delivery and Receiving of Email; Scheduling Email for Immediate Delivery; Pausing the Work Queue; Locating and Archiving
VLANs and Physical Ports; Managing VLANs; Direct Server Return; Enabling Direct Server Return; Ethernet Interface’s Maximum Transmission Unit
CHAPTER 38 Logging: Overview; Understanding Log Files and Log Subscriptions; Log Types; Log Retrieval Methods; Log Types; Timestamps in Log Files; Using Text Mail Logs; Using Delivery Logs; Using Bounce Logs; Using Status Logs; Using Domain Debug Logs; Using Injection Debug Logs
Creating a Log Subscription in the GUI; Configuring Global Settings for Logging; Rolling Over Log Subscriptions; Viewing Recent Log Entries in the GUI; Viewing Recent Log Entries in the CLI (tail Command); Configuring Host Keys
CHAPTER 39 Centralized Management Using Clusters: Overview of Centralized Management Using Clusters; Cluster Requirements; Cluster Organization; Initial Configuration Settings; Creating and Joining a Cluster
CHAPTER 40 Testing and Troubleshooting: Debugging Mail Flow Using Test Messages: Trace; Using the Listener to Test the Appliance; Troubleshooting the Network; Testing the Network Connectivity of the Appliance; Troubleshooting the Listener; Troubleshooting Email Delivery From the Appliance; Troubleshooting Performance; Responding to Alerts; Alert: Battery Relearn Timed Out (RAID Event) on C380 or C680 Hardware; Troubleshooting Alerts That
Working with an External Spam Quarantine; Mail Flow and the External Spam Quarantine; Migrating from a Local Spam Quarantine to an External Quarantine; Enabling an External Spam Quarantine and External Safelist/Blocklist; Disabling the Local Spam Quarantine to Activate the External Quarantine; Troubleshooting an External Spam Quarantine; About Centralizing Policy, Virus, and Outbreak Quarantines; Centralized Policy, Virus, and Outbreak Quarantines; About Migration o
Filtering Messages Based on Content; Applying Individual Content Filters to Different Groups of Recipients; Notes on Configuring Content Filters in the GUI
APPENDIX D Firewall Information
APPENDIX E End User License Agreement: Cisco Systems End User License Agreement; Supplemental End User License Agreement for Cisco Systems Content Security Software
GLOSSARY
INDEX
CHAPTER 1 Getting Started with the Cisco Email Security Appliance
• What’s New in This Release, page 1-1
• Where to Find More Information, page 1-1
• Cisco Email Security Appliance Overview, page 1-4
What’s New in This Release
Support for new hardware appliance models:
• C190
• C390
• C690
Where to Find More Information
Cisco offers the following resources to learn more about your appliance:
• Documentation, page 1-2
• Training, page 1-2
• Cisco Notification Service, page 1-2
• Kno
Documentation
You can access the online help version of this user guide directly from the appliance GUI by clicking Help and Support in the upper-right corner.
Documentation for all Cisco Content Security products is available from:
Documentation for: Hardware and virtual appliances
Location: See the applicable product in this table.
Knowledge Base (TechNotes)
Step 1 Go to the main product page (http://www.cisco.com/c/en/us/support/security/email-security-appliance/tsd-products-support-series-home.html).
Step 2 Look for links with TechNotes in the name.
Cisco Support Community
The Cisco Support Community is an online forum for Cisco customers, partners, and employees.
Third Party Contributors
Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Sophos Plc.
Cisco Welcomes Your Comments
The Cisco Technical Publications team is interested in improving the product documentation. Your comments and suggestions are always welcome.
Cisco Email Security Appliance Overview
• Email Security Manager, a single, comprehensive dashboard to manage all email security services and applications on the appliance. Email Security Manager can enforce email security based on user groups, allowing you to manage Cisco Reputation Filters, Outbreak Filters, Anti-Spam, Anti-Virus, and email content policies through distinct inbound and outbound policies.
• On-box message tracking.
• Japanese
• Portuguese (Brazil)
• Chinese (traditional and simplified)
• Russian
CHAPTER 2 Accessing the Appliance
• Web-based Graphical User Interface (GUI), page 2-1
• Command Line Interface (CLI), page 2-3
Web-based Graphical User Interface (GUI)
You can administer the appliance using both the web-based Graphical User Interface (GUI) and the Command Line Interface (CLI). The GUI contains most of the functionality you need to configure and monitor the system. However, not all CLI commands are available in the GUI; some features are only available through the CLI.
Related Topics
• Factory Default Username and Password, page 2-2
• Centralized Management, page 2-2
Factory Default Username and Password
• Username: admin
• Password: ironport
Figure 2-1 The Login Screen
On brand new systems (not upgraded from previous releases of AsyncOS), you are automatically redirected to the System Setup Wizard. The wizard requires you to replace this factory password (see Change the Admin Password in Chapter 3); every appliance ships with the same credentials, so do not leave an appliance reachable on the network with the default password still set.
Changing Configuration Settings
• Configuration Changes, page 2-3
• Committing or Abandoning Changes, page 2-3
Configuration Changes
You can make configuration changes while email operations proceed normally.
Committing or Abandoning Changes
You must explicitly save most configuration changes. When changes are pending a commit, the Commit Changes button turns orange.
Command Line Interface (CLI)
• History, page 2-6
• Command Completion, page 2-6
• Configuration Changes, page 2-6
Command Prompt
The top-level command prompt consists of the fully qualified hostname, followed by the greater-than (>) symbol, followed by a space. For example:
mail3.example.com>
If the appliance has been configured as part of a cluster, the prompt in the CLI changes to indicate the current mode.
Command Syntax
When operating in interactive mode, the CLI command syntax consists of single commands with no white space and no arguments or parameters. For example:
mail3.example.com> systemsetup
Select Lists
When you are presented with multiple choices for input, some commands use numbered lists. Enter the number of the selection at the prompt. For example:
Log level:
1. Error
2. Warning
3. Information
4. Debug
5.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]>
Within subcommands, pressing Enter or Return at an empty prompt returns you to the main command.
Escape
You can use the Control-C keyboard shortcut at any time within a subcommand to immediately exit to the top level of the CLI.
History
The CLI keeps a history of all commands you type during a session.
Changes to the configuration that have not been committed are recorded but not put into effect until the commit command is run.
Note: Not all commands in AsyncOS require the commit command to be run. See the Cisco AsyncOS CLI Reference Guide for a summary of the commands that require commit to be run before their changes take effect.
Note: To successfully commit changes, you must be at the top-level command prompt. Press Return at an empty prompt to move up one level in the command line hierarchy.
Clearing Configuration Changes
The clear command clears any changes made to the Cisco AsyncOS configuration since the last commit or clear command was issued.
mail3.example.
Enter the number of the config to revert to.
[]> 1
Reverted to Wed Sep 19 18:50:41 2012 admin
Do you want to commit this configuration now? [N]> y
Committed the changes successfully
Quitting the Command Line Interface Session
The quit command logs you out of the CLI application. Configuration changes that have not been committed are cleared. The quit command has no effect on email operations. The logout is recorded in the log files.
CHAPTER 3 Setup and Installation
• Installation Planning, page 3-1
• Physically Connecting the Email Security Appliance to the Network, page 3-5
• Preparing for System Setup, page 3-8
• Using the System Setup Wizard, page 3-14
• Verifying Your Configuration and Next Steps, page 3-39
Installation Planning
• Review Information That Impacts Planning Decisions, page 3-1
• Plan to Place the Email Security Appliance at the Perimeter of Your Network, page 3-1
• Register the Email Security App
messages from the Internet and from your internal network. You can configure the appliance for policy enforcement (Overview of Defining Which Hosts Are Allowed to Connect, page 7-1) for all email traffic to and from your enterprise. Ensure that the Email Security appliance is both accessible via the public Internet and is the “first hop” in your email infrastructure. Reputation filtering and the Host Access Table act on the IP address of the host that connects to the listener; if another MTA sits between the Internet and the appliance, every inbound message appears to come from that relay rather than from the real sender (see Determining Sender IP Address In Deployments with Incoming Relays in Chapter 13).
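The following is an added example (not code from this guide or from AsyncOS) of what has to happen when the appliance is not the first hop: the reputation engine only sees the relay's address, so the originating IP must be recovered from the Received: headers that your trusted relays added. The header text, relay addresses and function names below are constructed for the illustration; the walk goes newest header first and stops at the first hop that is not a trusted relay, so Received: lines forged by the sender further down the chain are never consulted.

```python
"""Recover the originating sender IP behind trusted incoming relays.

Added example, not AsyncOS code.  Reputation filtering acts on the
address of the host that connects to the listener; when a relay sits in
front of the appliance that address is the relay's own, so the real
sender must be read from the Received: headers the relay wrote.
"""
import ipaddress
import re

# The bracketed address in "from name (name [1.2.3.4])" is what the
# receiving MTA recorded for its peer; the free-text HELO name before
# it is sender-controlled and is deliberately ignored.
_RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

# Constructed sample: relay1 (ours, 10.0.0.5) handed the message to the
# appliance; relay1 received it from 203.0.113.7; the bottom header is
# a forgery supplied by the sender.
SAMPLE = (
    "Received: from relay1.example.com (relay1.example.com [10.0.0.5])\n"
    "\tby mail3.example.com with ESMTP; Mon, 14 Mar 2016 10:00:02 -0700\n"
    "Received: from mx.sender.example (mx.sender.example [203.0.113.7])\n"
    "\tby relay1.example.com with ESMTP; Mon, 14 Mar 2016 10:00:01 -0700\n"
    "Received: from forged.internal (forged [192.0.2.99])\n"
    "\tby mx.sender.example; Mon, 14 Mar 2016 09:59:00 -0700\n"
    "From: someone@sender.example\n"
)


def unfold(raw_headers):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw_headers):
    """Connecting IP recorded by each Received: header, newest first.

    A header without a parsable bracketed IP yields None so that the
    caller can stop rather than silently skip an unknown hop.
    """
    ips = []
    for line in unfold(raw_headers):
        if not line.lower().startswith("received:"):
            continue
        m = _RECEIVED_IP.search(line)
        try:
            ips.append(ipaddress.ip_address(m.group(1)) if m else None)
        except ValueError:
            ips.append(None)
    return ips


def originating_ip(raw_headers, trusted_relays, max_hops=10):
    """Walk past hops that belong to trusted_relays (IPs or CIDR blocks).

    Returns the first address that is not one of our relays, or None if
    the chain is all relays, too long, or contains an unparsable hop.
    Only hops above the first untrusted one are ever trusted, so forged
    headers added by the sender cannot steer the result.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_relays]
    for ip in received_ips(raw_headers)[:max_hops]:
        if ip is None:
            return None
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    print(originating_ip(SAMPLE, ["10.0.0.0/8"]))
```

The relay list must be as narrow as possible: trusting 203.0.113.0/24 as well would make the walk continue into the forged header and report 192.0.2.99, exactly the kind of result a sender wants when trying to evade reputation filtering.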
Installation Scenarios
You can install your Email Security appliance into your existing network infrastructure in several ways. Most customers’ network configurations are represented in the following scenarios. If your network configuration varies significantly and you would like assistance planning an installation, please contact Cisco Customer Support (see Cisco Customer Support, page 1-3).
Ethernet Interfaces
Only one of the available Ethernet interfaces on the Email Security appliance is required in these configurations. However, you can configure two Ethernet interfaces and segregate your internal network from your external Internet connection.
Physically Connecting the Email Security Appliance to the Network
• Configuration Scenarios, page 3-5
Configuration Scenarios
The typical configuration scenario for the Email Security appliance is as follows:
• Interfaces - Only one of the three available Ethernet interfaces on the Email Security appliance is required for most network environments.
Configuration worksheets for both one- and two-listener configurations are included below (see Gathering the Setup Information, page 3-11). Most configuration scenarios are represented by one of the following three figures.
Figure 3-2 One Listener Configuration (diagram labels: Internet, SMTP, Firewall)
Notes:
• 1 Listener
• 1 IP address
• 1 Ethernet interface
• SMTP routes configured
Inbound Listener: “InboundMail” (public)
• IP address: 1.2.3.
Preparing for System Setup
• Determine Method for Connecting to the Appliance, page 3-8
• Determining Network and IP Address Assignments, page 3-9
• Gathering the Setup Information, page 3-11
Step 1 Determine how you will connect to the appliance. See Determine Method for Connecting to the Appliance, page 3-8.
Step 2 Determine network and IP address assignments.
Connecting to the Appliance
During the initial setup, you can connect to the appliance in one of two ways:
Table 3-1 Options for Connecting to the Appliance
Ethernet: An Ethernet connection between a PC and the network and between the network and the Management port. The IPv4 address assigned to the Management port at the factory is 192.168.42.42. This is the easiest way to connect if it works with your network configuration.
Choosing Network Connections to Receive and Deliver Email
Most users take advantage of the two Data Ethernet ports on the Email Security appliance by connecting to two networks from the appliance:
• The private network accepts and delivers messages to your internal systems.
• The public network accepts and delivers messages to the Internet.
Other users may want to use only one Data port serving both functions.
Gathering the Setup Information
Now that you understand the requirements and strategies for making the necessary selections in the System Setup Wizard, use the following tables to gather information about your system setup while reading this section. See Appendix B, “Assigning Network and IP Addresses” for more detailed information on network and IP addresses.
Table 3-2 System Setup Worksheet: 2 Listeners for Segregating Email Traffic (continued)
IPv6 Address: / Prefix:
Fully Qualified Hostname:
Accept Incoming Mail: Domain / Destination
Relay Outgoing Mail: System
Message Security
SenderBase Reputation Filtering: Enable / Disable
Anti-Spam Scanning Engine: None / IronPort
McAfee Anti-Virus Scanning Engine: Enable / Disable
Sophos Anti-Virus Scanning Engine: Enable / Disable
Outbreak Filters
Table 3-3 System Setup Worksheet: 1 Listener for All Email Traffic (continued)
IPv6 Address / Prefix:
Fully Qualified Hostname:
Message Security
SenderBase Reputation Filtering: Enable / Disable
Anti-Spam Scanning Engine: None / IronPort
McAfee Anti-Virus Scanning Engine: Enable / Disable
Sophos Anti-Virus Scanning Engine: Enable / Disable
Outbreak Filters: Enable / Disable
Using the System Setup Wizard
• Accessing the Web-Based Grap
If you are connecting multiple factory-configured content security appliances to your network, add them one at a time, reconfiguring each appliance’s default IP address as you go.
Accessing the Web-Based Graphical User Interface (GUI)
To access the web-based Graphical User Interface (GUI), open your web browser and point it to 192.168.42.42. Log in to the appliance by entering the username and password below.
• Enabling and configuring network interfaces, including:
- Configuring incoming mail (inbound listener)
- Defining SMTP routes (optional)
- Configuring outgoing mail (outbound listener) and defining systems allowed to relay mail through the appliance (optional)
Step 4 Security. See Step 4: Security.
Step 5
Step 6
Step 7
Configuring System Alerts
Cisco AsyncOS sends alert messages via email if there is a system error that requires the user’s intervention. Enter the email address (or addresses) to which to send those alerts. You must add at least one email address that receives System Alerts. Enter a single email address, or separate multiple addresses with commas.
Click Next to continue.
Step 3: Network
In Step 3, you define the default router (gateway) and configure the DNS settings, and then set up the appliance to receive and/or relay email by configuring the Data 1, Data 2, and Management interfaces.
For C370, C670, X1070, C380, C680, C390, and C690 appliances: Cisco recommends using one of the physical Ethernet ports to connect directly to the Internet for the purposes of receiving inbound email through public listeners, and using another physical Ethernet port to connect directly to your internal network for the purposes of relaying outbound email through private listeners.
Relaying Mail (Optional)
When configuring your interfaces to relay mail, you define the systems allowed to relay email through the appliance. These are entries in the RELAYLIST of the Host Access Table for a listener. See Sender Group Syntax, page 7-4 for more information. Mark the check box for Relay Outgoing Mail to configure the interface to relay mail. Enter the hosts that may relay mail through the appliance. Any host matched by this list can send mail to any destination through the listener, so list only your own mail servers, preferably by IP address or CIDR block; an entry broad enough to match Internet hosts turns the appliance into an open relay.
Figure 3-4 Network Interfaces: 1 IP Address for Incoming and Outgoing (Nonsegregated) Traffic
Click Next to continue.
Step 4: Security
In Step 4, you configure anti-spam and anti-virus settings. The anti-spam options include SenderBase Reputation Filtering and selecting an anti-spam scanning engine. For anti-virus, you can enable Outbreak Filters and Sophos or McAfee anti-virus scanning.
Enabling Anti-Spam Scanning
Your appliance may ship with a 30-day evaluation key for Anti-Spam software. During this portion of the System Setup Wizard, you can choose to enable Anti-Spam globally on the appliance. You can also elect not to enable the service. If you choose to enable the anti-spam service, you can configure AsyncOS to send spam and suspected spam messages to the local Spam Quarantine.
Note: Clicking Install causes the connection to the current URL (http://192.168.42.42) to be lost if you changed the IP address of the interface you used to connect to the appliance (the Management interface on C370, C670, X1070, C380, C680, C390, and C690 appliances, or the Data 1 interface on C170 and C190 appliances) from the default. However, your browser is redirected to the new IP address.
Accessing the Command Line Interface (CLI)
Access to the CLI varies depending on the management connection method you chose in Connecting to the Appliance, page 3-9. The factory default username and password are listed next. Initially, only the admin user account has access to the CLI. You can add other users with differing levels of permission after you have accessed the command line interface for the first time via the admin account.
The System Setup Wizard warns you that you will reconfigure your system. If this is the very first time you are installing the appliance, or if you want to completely overwrite your existing configuration, answer “Yes” to this question.
WARNING: The system setup wizard will completely delete any existing 'listeners' and all associated settings including the 'Host Access Table' - mail operations may be interrupted.
Chapter 3 Setup and Installation Using the System Setup Wizard Change the Admin Password First, you change the password for the AsyncOS admin account. You must enter the old password to continue. The new password must be six characters or longer. Be sure to keep the password in a secure location. Changes made to the password are effective once the system setup process is finished. Accept the License Agreement Read and accept the software license agreement that is displayed.
Chapter 3 Setup and Installation Using the System Setup Wizard • The netmask of the interface. The netmask must be in CIDR format. For example, use /24 for the 255.255.255.0 subnet. Note IP addresses within the same subnet cannot be configured on separate physical Ethernet interfaces. See Appendix B, “Assigning Network and IP Addresses”for more detailed information on Network and IP Address configuration. Note For C170 and C190 appliances, the Data 2 interface is configured first.
Chapter 3 Setup and Installation Using the System Setup Wizard • One of the IP interfaces (that you created earlier in the systemsetup command) on which to receive email. • The name of the machine(s) to which you want to route email (public listeners only). (This is the first smtproutes entry. See Routing Email for Local Domains, page 24-1.) • Whether or not to enable filtering based on SenderBase Reputation Scores (SBRS) for public listeners.
Chapter 3 Setup and Installation Using the System Setup Wizard Please create a name for this listener (Ex: "InboundMail"): []> InboundMail Please choose an IP interface for this Listener. 1. Management (192.168.42.42/24: mail3.example.com) 2. PrivateNet (192.168.1.1/24: mail3.example.com) 3. PublicNet (192.168.2.1/24: mail3.example.com) [1]> 3 Enter the domains or specific addresses you want to accept mail for. Hostnames such as "example.com" are allowed. Partial hostnames such as ".example.
Chapter 3 Setup and Installation Using the System Setup Wizard Default Policy Parameters ========================== Maximum Message Size: 100M Maximum Number Of Connections From A Single IP: 1,000 Maximum Number Of Messages Per Connection: 1,000 Maximum Number Of Recipients Per Message: 1,000 Maximum Number Of Recipients Per Hour: 4,500 Maximum Recipients Per Hour SMTP Response: 452 Too many recipients received this hour Use SenderBase for Flow Control: Virus Detection Enabled: Yes Yes Allow TLS Connec
Chapter 3 Setup and Installation Using the System Setup Wizard Please choose an IP interface for this Listener. 1. Management (192.168.42.42/24: mail3.example.com) 2. PrivateNet (192.168.1.1/24: mail3.example.com) 3. PublicNet (192.168.2.1/24: mail3.example.com) [1]> 2 Please specify the systems allowed to relay email through the appliance. Hostnames such as "example.com" are allowed. Partial hostnames such as ".example.com" are allowed.
Chapter 3 Setup and Installation Using the System Setup Wizard Listener OutboundMAil created. Defaults have been set for a Private listener. Use the listenerconfig->EDIT command to customize the listener. ***** Listener Example for C170 and C190 Appliances Note The following example of creating a listener applies to C170 and C190 appliances only. In this example portion of the systemsetup command, a listener named MailInterface is configured to run on the MailNet IP interface.
Chapter 3 Setup and Installation Using the System Setup Wizard Enter the domain names or specific email addresses you want to accept mail for. Hostnames such as "example.com" are allowed. Partial hostnames such as ".example.com" are allowed. Usernames such as "postmaster@" are allowed. Full email addresses such as "joe@example.com" or "joe@[1.2.3.4]" are allowed. Separate multiple addresses with commas. []> example.com Would you like to configure SMTP routes for example.
Chapter 3 Setup and Installation Using the System Setup Wizard ========================== Maximum Message Size: 10M Maximum Number Of Connections From A Single IP: 50 Maximum Number Of Messages Per Connection: 100 Maximum Number Of Recipients Per Message: 100 Maximum Number Of Recipients Per Hour: 450 Maximum Recipients Per Hour SMTP Response: 452 Too many recipients received this hour Use SenderBase for Flow Control: Spam Detection Enabled: Virus Detection Enabled: Yes Yes Yes Allow TLS Connections: N
Chapter 3 Setup and Installation Using the System Setup Wizard Select a Default Anti-Spam Scanning Engine If you have enabled more than one anti-spam scanning engine, you are prompted to select which engine will be enabled for use on the default incoming mail policy. Enable the Spam Quarantine If you choose to enable an anti-spam service, you can enable the incoming mail policy to send spam and suspected spam messages to the local Spam Quarantine.
Chapter 3 Setup and Installation Using the System Setup Wizard If you agree to participate in the SenderBase Email Traffic Monitoring Network, Cisco will collect aggregated statistics about email sent to your organization. This includes summary data on message attributes and information on how different types of messages were handled by Email Security appliances. See Chapter 35, “SenderBase Network Participation” for more information.
Chapter 3 Setup and Installation Using the System Setup Wizard Test the Configuration To test the Cisco AsyncOS configuration, you can use the mailconfig command immediately to send a test email containing the system configuration data you just created with the systemsetup command: mail3.example.com> mailconfig Please enter the email address to which you want to send the configuration file. Separate multiple addresses with commas. []> user@example.
Configuring your system as an Enterprise Gateway
To configure your system as an Enterprise Gateway (accepting email from the Internet), complete this chapter first, and then see Chapter 5, “Configuring the Gateway to Receive Email” for more information.
Verifying Your Configuration and Next Steps
Now that system setup is complete, your Email Security appliance should be sending and receiving email.
CHAPTER 4 Understanding the Email Pipeline
• Overview of the Email Pipeline, page 4-1
• Email Pipeline Flows, page 4-1
• Incoming / Receiving, page 4-4
• Work Queue / Routing, page 4-7
• Delivery, page 4-10
Overview of the Email Pipeline
The Email Pipeline is the flow of email as it is processed by the appliance. It has three phases:
• Receipt — As the appliance connects to a remote host to receive incoming email, it adheres to configured limits and other receipt policies.
Figure 4-1 Email Pipeline — Receiving Email Connections
Figure 4-2 Email Pipeline — Work Queue
Figure 4-3 Email Pipeline — Delivering Email
Incoming / Receiving
The receiving phase of the Email Pipeline involves the initial connection from the sender’s host. Each message’s domains can be set, the recipient is checked, and the message is handed off to the work queue.
• LDAP Recipient Acceptance, page 4-6
• SMTP Call-Ahead Recipient Validation, page 4-6
Host Access Table (HAT), Sender Groups, and Mail Flow Policies
The HAT allows you to specify hosts that are allowed to connect to a listener (that is, which hosts you will allow to send email). Sender Groups are used to associate one or more senders into groups, upon which you can apply message filters, and other Mail Flow Policies.
Domain Map
For each listener you configure, you can construct a domain map table which rewrites the envelope recipient for each recipient in a message that matches a domain in the domain map table. For example, joe@old.com -> joe@new.com
For more information, see “The Domain Map Feature” in the “Configuring Routing and Delivery Features” chapter.
Work Queue / Routing
The Work Queue is where the received message is processed before moving to the delivery phase. Processing includes masquerading, routing, filtering, safelist/blocklist scanning, anti-spam and anti-virus scanning, file reputation scanning and analysis, Outbreak Filters, and quarantining.
Note Data loss prevention (DLP) scanning is only available for outgoing messages.
combat directory harvest attacks (DHAP) in a unique way: the system accepts the message and performs the LDAP acceptance validation within the SMTP conversation or the work queue. If the recipient is not found in the LDAP directory, you can configure the system to perform a delayed bounce or drop the message entirely. For more information, see the “LDAP Queries” chapter.
Safelist/Blocklist Scanning
End user safelists and blocklists are created by end users and stored in a database that is checked prior to anti-spam scanning. Each end user can identify domains, subdomains or email addresses that they wish to always treat as spam or never treat as spam.
Content Filters
You can create content filters to be applied to messages on a per-recipient or per-sender basis. Content filters are similar to message filters, except that they are applied later in the email pipeline — after a message has been “splintered” into a number of separate messages for each matching Email Security Manager policy.
• Delivery Limits, page 4-11
• Domain-Based Limits, page 4-11
• Domain-Based Routing, page 4-11
• Global Unsubscribe, page 4-11
• Bounce Limits, page 4-12
Virtual Gateways
The Virtual Gateway technology enables users to separate the appliance into multiple Virtual Gateway addresses from which to send and receive email. Each Virtual Gateway address is given a distinct IP address, hostname and domain, and email delivery queue.
For more information, see “Using Global Unsubscribe” in the “Configuring Routing and Delivery Features” chapter.
Bounce Limits
You use the Network > Bounce Profiles page (or the bounceconfig command) to configure how AsyncOS handles hard and soft conversational bounces for each listener you create. You create bounce profiles and then apply profiles to each listener using the Network > Listeners page (or the listenerconfig command).
CHAPTER 5 Configuring the Gateway to Receive Email
• Overview of Configuring the Gateway to Receive Email, page 5-1
• Working with Listeners, page 5-2
• Configuring Global Settings for Listeners, page 5-6
• Listening for Connection Requests by Creating a Listener via the GUI, page 5-8
• Listening for Connection Requests by Creating a Listener via the CLI, page 5-13
• Enterprise Gateway Configuration, page 5-15
Overview of Configuring the Gateway to Receive Email
The appliance functions as
• Which hosts are allowed to connect to the listener. Define a set of rules that control incoming connections from remote hosts. For example, you can define remote hosts and whether or not they can connect to the listener. For details on how to do this, see Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT), page 7-1.
• To help test and troubleshoot the appliance, you can create a “blackhole” type listener instead of a public or private listener. When you create a blackhole listener, you choose whether messages are written to disk or not before they are deleted. (See the “Testing and Troubleshooting” chapter for more information.) Writing messages to disk before deleting them can help you measure the rate of receiving and the speed of the queue.
Figure 5-2 Public and Private Listeners on Appliance Models with More than Two Ethernet Interfaces
Note SMTP Public Listener: “InboundMail”
IP interface: PublicNet (e.g. 192.168.2.1)
This public listener uses the SMTP protocol on port 25 of the PublicNet IP interface on the Data2 Ethernet interface to accept messages from the Internet. IP interface PublicNet sends messages to destination hosts on the Internet.
Figure 5-3 Public Listener on Appliance Models with Only Two Ethernet Interfaces
SMTP Public Listener: “MailInterface”
IP interface: MailNet (e.g. 192.168.2.
Configuring Global Settings for Listeners
Global settings for the listeners affect all of the listeners that are configured on the appliance. If the listener uses an interface that has both Internet Protocol version 4 (IPv4) and version 6 (IPv6) addresses, the listener settings apply to both IPv4 and IPv6 traffic.
Procedure
Step 1 Choose Network > Listeners.
Step 2 Click Edit Global Settings.
Table 5-1 Listener Global Settings
Total Time Limit for All Inbound Connections: Set the length of time AsyncOS will allow an inbound connection to remain intact before closing it. This setting is intended to preserve system resources by enforcing a maximum allowable connection time.
Settings for Messages Containing Multiple Encodings: localeconfig
You can set the behavior of AsyncOS regarding modifying the encoding of message headings and footers during message processing. This setting is not configured via the GUI. Instead, it is configured via the localeconfig command in the CLI.
Step 4 (Optional) Configure settings for controlling parsing in SMTP “MAIL FROM” and “RCPT TO” commands as defined in the following table.
Address Parser Type: Choose how strictly the appliance adheres to the RFC 2821 standard using one of the following parser types:
Strict Mode: Strict mode tries to follow RFC 2821.
Allow Partial Domains: If enabled, will allow partial domains. Partial domains can be no domain at all, or a domain with no dots. The following addresses are examples of partial domains:
• foo
• foo@
• foo@bar
This option must be enabled in order for the Default Domain feature to work properly.
Step 5 (Optional) Configure advanced settings for customizing the behavior of the listener as defined in the following table.
Maximum Concurrent Connections: The maximum number of connections allowed.
TCP Listen Queue Size: The backlog of connections that AsyncOS will manage before the SMTP server accepts them.
For more information about creating LDAP queries, see LDAP Queries, page 25-1.
Accept Queries: For Accept queries, select the query to use from the list. You can specify whether the LDAP Accept occurs during the work queue processing or during the SMTP conversation.
Listening for Connection Requests by Creating a Listener via the CLI
Table 5-3 lists some of the listenerconfig subcommands used in the tasks involved in creating and editing listeners.
Advanced HAT Parameters
Table 5-4 defines the syntax of advanced HAT parameters. Note that for the numeric values below, you can add a trailing k to denote kilobytes or a trailing M to denote megabytes. Values with no letters are considered bytes. Parameters marked with an asterisk support the variable syntax shown in Table 5-4.
Enterprise Gateway Configuration
In this configuration, the Enterprise Gateway accepts email from the Internet and relays email to groupware servers, POP/IMAP servers, or other MTAs. At the same time, the enterprise gateway accepts SMTP messages from groupware servers and other email servers for relay to recipients on the Internet.
CHAPTER 6 Sender Reputation Filtering
• Overview of Sender Reputation Filtering, page 6-1
• SenderBase Reputation Service, page 6-1
• Editing Sender Reputation Filtering Score Thresholds for a Listener, page 6-5
• Entering Low SBRS Scores in the Message Subject, page 6-7
Overview of Sender Reputation Filtering
Sender reputation filtering is the first layer of spam protection, allowing you to control the messages that come through the email gateway based on senders’ trustworthiness as determin
Note The SenderBase Reputation Service is only available with a current anti-spam feature key.
Figure 6-1 The SenderBase Reputation Service
[Diagram labels: Sending MTA, HELO, Email Security Appliance, SBRS Scoring Engine, SenderBase Affiliate Network (global complaint data, global volume data), rule hits for 1.2.3.4, SBRS = x.x, responses 250-Recipient Accepted or 452-Too many recipients this hour or 554-Access Denied]
1. SenderBase affiliates send real-time, global data
2. Sending MTA opens connection with the appliance
3.
Figure 6-2 Sender Reputation Filtering Example
Recommended Settings for Different Sender Reputation Filtering Approaches
Depending on the objectives of your enterprise, you can implement a conservative, moderate, or aggressive approach.
Editing Sender Reputation Filtering Score Thresholds for a Listener
Use this procedure if you want to change the default SenderBase Reputation Service (SBRS) score thresholds or add a sender group for reputation filtering.
Testing Sender Reputation Filtering Using the SBRS
Unless you regularly receive a large portion of spam, or you have set up “dummy” accounts to specifically receive spam for your organization, it may be difficult to immediately test the SBRS policies you have implemented.
Note In the $THROTTLED policy, the maximum recipients per hour from the remote host is set to 20 recipients per hour, by default. Note that this setting controls the maximum throttling available. You can increase the number of recipients to receive per hour if this parameter is too aggressive.
insert-header("Subject", "$Subject \\{Spam $REPUTATION\\}");
}
}
.

Related Topic
• Chapter 9, “Using Message Filters to Enforce Email Policies”.
CHAPTER 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT)
• Overview of Defining Which Hosts Are Allowed to Connect, page 7-1
• Defining Remote Hosts into Sender Groups, page 7-3
• Defining Access Rules for Email Senders Using Mail Flow Policies, page 7-8
• Understanding Predefined Sender Groups and Mail Flow Policies, page 7-11
• Handling Messages from a Group of Senders in the Same Manner, page 7-13
• Working with the Host Access Table Configuration, page 7-
Define which hosts are allowed to connect to the listener on the Mail Policies > HAT Overview page. Figure 7-1 shows the HAT Overview with the sender groups and mail flow policies defined by default for a public listener.
Note By rejecting all hosts other than the ones you specify, the listenerconfig and systemsetup commands prevent you from unintentionally configuring your system as an “open relay.” An open relay (sometimes called an “insecure relay” or a “third party” relay) is an SMTP email server that allows third-party relay of email messages.
Sender Group Syntax
Table 7-1 Defining Remote Hosts in the HAT: Sender Group Syntax
n:n:n:n:n:n:n:n                   IPv6 address; does not need to include leading zeroes.
n:n:n:n:n:n:n:n-n:n:n:n:n:n:n:n   Range of IPv6 addresses; does not need to include leading zeroes.
n.n.n.n                           Full (complete) IPv4 address
n.n.n.                            Partial IPv4 address
n.n.n
n.n.
n.n
n.
or simply rotating through different domain names.
The Mail Flow Monitor feature is a way of defining the sender and providing you with monitoring tools to create mail flow policy decisions about the sender.
Using the SBRS, you configure the appliance to apply mail flow policies to senders based on their trustworthiness. For example, all senders with a score less than -7.5 could be rejected. This is most easily accomplished via the GUI; see Creating a Sender Group for Message Handling, page 7-13.
Note Be sure to include brackets in the query in the CLI. Brackets are not necessary when specifying a DNS List query in the GUI.
Use the dnslistconfig command in the CLI to test a query, configure general settings for DNL queries, or flush the current DNS list cache.
• CONTINUE. The mapping in the HAT is ignored, and processing of the HAT continues. If the incoming connection matches a later entry that is not CONTINUE, that entry is used instead. The CONTINUE rule is used to facilitate the editing of the HAT in the GUI. For more information, see Creating a Sender Group for Message Handling, page 7-13.
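The following Python model, added here as an illustration and not AsyncOS code, walks a HAT the way the sender group syntax of Table 7-1 and the CONTINUE rule describe: entries are matched in order as full or partial IPv4 addresses, full IPv6 addresses or IPv6 ranges, and a group whose policy is CONTINUE is passed over so that a later matching group decides. The sample HAT, its documentation-range addresses, the "ALL" catch-all entry and the group name PARTNERS are constructed for this example.

```python
"""HAT lookup for a listener (added illustration; not AsyncOS code)."""
import ipaddress
import re

# Partial IPv4 entry: one to three leading octets, optionally ending in a dot.
_PARTIAL_V4 = re.compile(r"^(\d{1,3})(?:\.(\d{1,3}))?(?:\.(\d{1,3}))?\.?$")


def _matches_entry(ip, entry: str) -> bool:
    """Return True if the connecting address matches one HAT host entry."""
    if ":" in entry and "-" in entry:
        # IPv6 range written low-high (inclusive); leading zeroes may be omitted.
        low, high = (ipaddress.IPv6Address(p) for p in entry.split("-", 1))
        return ip.version == 6 and low <= ip <= high
    if ":" in entry:
        # Full IPv6 address.
        return ip.version == 6 and ip == ipaddress.IPv6Address(entry)
    try:
        return ip == ipaddress.IPv4Address(entry)      # full IPv4 address n.n.n.n
    except ipaddress.AddressValueError:
        pass
    m = _PARTIAL_V4.match(entry)
    if m and "." in entry and ip.version == 4:
        # Partial IPv4 (n.n.n., n.n, n. ...): compare only the octets given.
        octets = [o for o in m.groups() if o is not None]
        return str(ip).split(".")[: len(octets)] == octets
    return False


def hat_lookup(connecting_ip: str, hat):
    """Walk the HAT top to bottom; return (sender_group, policy) for the host.

    hat is an ordered list of (sender_group, [entries], policy). When the host
    matches a group whose policy is "CONTINUE", that mapping is ignored and the
    walk carries on to later groups, as the CONTINUE rule describes.
    Returns (None, None) when no group matches.
    """
    ip = ipaddress.ip_address(connecting_ip)
    for group, entries, policy in hat:
        if any(e == "ALL" or _matches_entry(ip, e) for e in entries):
            if policy == "CONTINUE":
                continue
            return group, policy
    return None, None


# Constructed HAT for a public listener (documentation addresses only).
SAMPLE_HAT = [
    ("BLACKLIST",   ["198.51.100."],                        "$BLOCKED"),
    ("PARTNERS",    ["10.1.1.5", "10.1.1.6"],               "CONTINUE"),   # hypothetical group parked with CONTINUE
    ("SUSPECTLIST", ["10.1.", "2001:db8::1-2001:db8::ff"],  "$THROTTLED"),
    ("UNKNOWNLIST", ["ALL"],                                "$ACCEPTED"),
]


def demo():
    """Evaluate a handful of connecting hosts against SAMPLE_HAT."""
    hosts = ("198.51.100.77", "10.1.1.5", "10.1.2.9", "10.2.0.1",
             "2001:db8::20", "2001:db8::100")
    return {ip: hat_lookup(ip, SAMPLE_HAT) for ip in hosts}


if __name__ == "__main__":
    for ip, (group, policy) in demo().items():
        print(f"{ip:16} -> {group} / {policy}")
```

Note that 10.1.1.5 matches PARTNERS first but, because that group's policy is CONTINUE, it ends up throttled by the later SUSPECTLIST entry 10.1.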
Figure 7-2 Using HAT Variables
Or like this, in the CLI:
Would you like to specify a custom SMTP response? [Y]> y

Enter the SMTP code to use in the response. 220 is the standard code.
[220]> 200

Enter your custom SMTP response. Press Enter on a blank line to finish.
Understanding Predefined Sender Groups and Mail Flow Policies
Table 7-6 lists the predefined sender groups and mail flow policies that are configured when a public listener is created.
Table 7-6 Predefined Sender Groups and Mail Flow Policies for Public Listeners (continued)
Predefined Sender Group: UNKNOWNLIST
Default Configured Mail Flow Policy: $ACCEPTED
Description: The Unknownlist sender group may be useful if you are undecided about the mail flow policy you should use for a given sender.
Handling Messages from a Group of Senders in the Same Manner
Use the Mail Policies > HAT Overview and Mail Flow Policy pages to configure how the listener handles messages from senders. Do this by creating, editing, and deleting sender groups and mail flow policies.
Note If you attempt to enter duplicate entries (identical domain or IP addresses) in a single sender group, the duplicates are discarded.
Step 14 (Optional) Enter a comment.
Step 15 Submit and commit your changes.
Procedure
Step 1 Navigate to the Mail Policies > HAT Overview page.
Step 2 Choose the listener to edit in the Listener field.
Step 3 Click Edit Order.
Step 4 Type the new order for existing rows of sender groups in the HAT.
Table 7-8 Mail Flow Policy Parameters (continued)
Maximum recipients per message: The maximum number of recipients per message that will be accepted from this host.
SMTP Banner
Custom SMTP Banner Code: The SMTP code returned when a connection is established with this listener.
Table 7-8 Mail Flow Policy Parameters (continued)
Max. Recipients per Time Interval: The maximum number of recipients during a specified time period that this listener will receive from a unique envelope sender, based on the mail-from address. The number of recipients is tracked globally.
Table 7-8 Mail Flow Policy Parameters (continued)
Directory Harvest Attack Prevention: Drop Connection if DHAP threshold is Reached within an SMTP Conversation: The appliance will drop a connection to a host if the threshold of invalid recipients is reached.
Max.
Table 7-8 Mail Flow Policy Parameters (continued)
SMTP Authentication: Allows, disallows, or requires SMTP Authentication from remote hosts connecting to the listener. SMTP Authentication is described in detail in the “LDAP Queries” chapter.
If Both TLS and SMTP Authentication are enabled: Require TLS to offer SMTP Authentication.
Table 7-8 Mail Flow Policy Parameters (continued)
DMARC Feedback Reports: Enable sending of DMARC aggregate feedback reports. For more information about DMARC aggregate feedback reports, see DMARC Aggregate Reports, page 20-42.
Note The DMARC specification requires the feedback report messages to be DMARC compliant.
Step 5 Submit and commit your changes.
Working with the Host Access Table Configuration
You can export all information stored in a Host Access Table to a file, and you can import Host Access Table information stored in a file into the appliance for a listener, overwriting all existing Host Access Table information.
Step 7 Commit your changes.
You can place “comments” in the file. Lines that begin with a ‘#’ character are considered comments and are ignored by AsyncOS. For example:
# File exported by the GUI at 20060530T215438
$BLOCKED
REJECT {}
[ ...
Step 7 Submit and commit your changes.
HAT Significant Bits Feature
Beginning with the 3.8.3 release of AsyncOS, you can track and rate limit incoming mail on a per-IP address basis while managing sender group entries in a listener’s Host Access Table (HAT) in large CIDR blocks. For example, if an incoming connection matched against the host “10.1.1.
[]> 2345

Would you like to specify a custom SMTP limit exceeded response? [Y]> n

Would you like to use SenderBase for flow control by default? [N]> n

Would you like to group hosts by the similarity of their IP addresses? [N]> y

Enter the number of bits of IP address to treat as significant, from 0 to 32.
The current default value is 3600 seconds (1 hour). You can specify periods ranging from as little as 1 minute (60 seconds) to as long as 4 hours (14,400 seconds). Adjust this period via the GUI, using the global settings (for more information, see Configuring Global Settings for Listeners, page 5-6).
[1]> 3

Enter the time, in seconds, to cache SenderBase data:
[300]>

Enter the rate at which injection control counters are reset.
[1h]> 15m

Enter the timeout for unsuccessful inbound connections.
[5m]>

Enter the maximum connection time for inbound connections.
[15m]>

What hostname should Received: headers be stamped with?
1.
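The Python below, added here as an illustration and not AsyncOS code, models how the significant-bits setting and the injection control reset interval interact: each connecting IPv4 address is masked to the configured number of significant bits to pick the counter it shares, recipients are counted against the $THROTTLED default of 20 per hour with the 452 response shown in the default policy parameters, and all counters are cleared at the reset interval (15m in the session above). The counting model and the 10.1.x.x hosts are assumptions constructed for this example.

```python
"""Injection control keyed by HAT significant bits (added illustration)."""
import ipaddress

LIMIT_EXCEEDED = "452 Too many recipients received this hour"
ACCEPTED = "250 Recipient Accepted"


def bucket_key(connecting_ip: str, significant_bits: int) -> str:
    """Mask an IPv4 address to its significant bits; the result is the counter key."""
    if not 0 <= significant_bits <= 32:
        raise ValueError("significant bits must be between 0 and 32")
    net = ipaddress.ip_network(f"{connecting_ip}/{significant_bits}", strict=False)
    return str(net)                                  # e.g. "10.1.1.0/24"


class InjectionControl:
    """Per-bucket recipient counters that are cleared every reset_interval_s."""

    def __init__(self, significant_bits: int, max_recipients: int, reset_interval_s: int):
        self.significant_bits = significant_bits
        self.max_recipients = max_recipients
        self.reset_interval_s = reset_interval_s
        self._window = None                          # index of the current reset window
        self._counts: dict[str, int] = {}

    def accept_recipient(self, connecting_ip: str, now_s: int):
        """Account one RCPT TO from connecting_ip at time now_s.

        Returns (accepted, smtp_response).
        """
        window = now_s // self.reset_interval_s
        if window != self._window:                   # reset interval elapsed: clear all counters
            self._window = window
            self._counts.clear()
        key = bucket_key(connecting_ip, self.significant_bits)
        if self._counts.get(key, 0) >= self.max_recipients:
            return False, LIMIT_EXCEEDED
        self._counts[key] = self._counts.get(key, 0) + 1
        return True, ACCEPTED


def demo_shared_versus_per_host():
    """Show which hosts share one limit at 24 versus 32 significant bits."""
    results = {}
    for bits in (24, 32):
        ic = InjectionControl(bits, max_recipients=20, reset_interval_s=15 * 60)
        for _ in range(20):                          # one host uses up the whole allowance
            ic.accept_recipient("10.1.1.5", now_s=0)
        neighbour_ok = ic.accept_recipient("10.1.1.200", now_s=1)[0]   # same /24
        other_net_ok = ic.accept_recipient("10.1.2.1", now_s=1)[0]     # different /24
        after_reset_ok = ic.accept_recipient("10.1.1.5", now_s=15 * 60)[0]
        results[bits] = (neighbour_ok, other_net_ok, after_reset_ok)
    return results


if __name__ == "__main__":
    for bits, (neigh, other, reset) in demo_shared_versus_per_host().items():
        print(f"{bits} significant bits: neighbour accepted={neigh}, "
              f"other /24 accepted={other}, after reset accepted={reset}")
```

With 24 significant bits the neighbour 10.1.1.200 is refused because it shares 10.1.1.5's counter; with 32 bits it has its own and is accepted.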
Verifying Senders

Spam and unwanted mail is frequently sent by senders whose domains or IP addresses cannot be resolved by DNS. DNS verification means that you can get reliable information about senders and process mail accordingly.

Using the sender group “Connecting Host DNS Verification” settings, you can specify a behavior for unverified senders (see Throttling Messages from Unverified Senders Using the SUSPECTLIST Sender Group, page 7-32).

Though most spam is from unverifiable senders, there are reasons why you might want to accept mail from an unverified sender. For example, not all legitimate email can be verified through DNS lookups: a temporary DNS server problem can stop a sender from being verified.

The sender verification exception table is defined in the GUI via the Mail Policies > Exception Table page (or the CLI, via the exceptionconfig command) and then is enabled on a per-policy basis via the GUI (see Defining Messages to Send to Unverified Senders Using the ACCEPTED Mail Flow Policy, page 7-34) or the CLI (see the Cisco AsyncOS CLI Reference Guide).

Related Topics
• Throttling Messages from Unverified Senders Using the SUSPECTLIST Sender Group, page 7-32
• Implementing More Stringent Throttling Settings for Unverified Senders, page 7-33
• Defining Messages to Send to Unverified Senders Using the ACCEPTED Mail Flow Policy, page 7-34
• Excluding Unverified Senders from Sender Verification Rules Based on Sender’s Email Address, page 7-35
Step 5 Check the “Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A)” checkbox under Connecting Host DNS Verification.
Step 6 Submit and commit your changes.

Now, senders whose reverse DNS (PTR) lookup does not match the forward (A) lookup will match the SUSPECTLIST sender group and will receive the default action from the THROTTLED mail flow policy.

d. Submit and commit your changes.

Figure 7-8 HAT Overview

Defining Messages to Send to Unverified Senders Using the ACCEPTED Mail Flow Policy

Procedure
Step 1 Select Mail Policies > Mail Flow Policies.
Step 2 On the Mail Flow Policies page, click on the ACCEPTED mail flow policy.

Step 7 Submit and commit your changes.

Excluding Unverified Senders from Sender Verification Rules Based on Sender’s Email Address

Procedure
Step 1 Select Mail Policies > Exception Table.
Note The exception table applies globally to all mail flow policies with “Use Exception Table” enabled.
Step 2 Click Add Domain Exception on the Mail Policies > Exception Table page.
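The condition enabled in Step 5 is a forward-confirmed reverse DNS check: the PTR name for the connecting IP must resolve back to that same IP. The following Python model is added here as an illustration and is not part of the guide or of AsyncOS. It runs the check against constructed DNS data embedded in the script (all addresses, names and records are invented); the two extra outcome names for a missing PTR and a temporary lookup failure are this example's own labels for the other results a reverse lookup can return, the case the text above mentions when it warns that a temporary DNS problem can stop a legitimate sender from being verified.

```python
import ipaddress

# Constructed sample DNS data for an offline demonstration (not real records).
# PTR table: IP -> list of PTR names. None stands for a temporary lookup
# failure (SERVFAIL/timeout); a missing key stands for NXDOMAIN.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com."],   # forward-confirmed below
    "192.0.2.11": ["bogus.example.net."],  # PTR exists, but A does not point back
    "192.0.2.12": None,                    # temporary DNS failure
    # 192.0.2.13: no PTR record at all
}
# A table: hostname -> list of IPv4 addresses (constructed).
SAMPLE_A = {
    "mail.example.com.": ["192.0.2.10"],
    "bogus.example.net.": ["198.51.100.7"],
}

# Outcome labels used by this example. Only PTR_MISMATCH corresponds to the
# checkbox named in Step 5; the other two name the remaining lookup results.
PTR_NXDOMAIN = "ptr-does-not-exist"
PTR_TEMPFAIL = "ptr-lookup-temporary-failure"
PTR_MISMATCH = "ptr-does-not-match-forward-lookup"
VERIFIED = "verified"


def verify_connecting_host(ip, ptr_table=SAMPLE_PTR, a_table=SAMPLE_A):
    """Forward-confirmed reverse DNS for one connecting IP.

    Returns VERIFIED when some PTR name resolves (A) back to the IP,
    otherwise one of the three failure outcomes above.
    """
    ip = str(ipaddress.ip_address(ip))  # normalise; rejects malformed input
    if ip not in ptr_table:
        return PTR_NXDOMAIN
    ptr_names = ptr_table[ip]
    if ptr_names is None:
        return PTR_TEMPFAIL
    for name in ptr_names:
        # A name whose forward lookup fails, or answers other addresses,
        # does not confirm the PTR; any single confirming name is enough.
        if ip in (a_table.get(name) or []):
            return VERIFIED
    return PTR_MISMATCH


def matches_suspectlist(ip, enabled_conditions,
                        ptr_table=SAMPLE_PTR, a_table=SAMPLE_A):
    """True when the host's outcome is one of the conditions checked in the
    SUSPECTLIST sender group, i.e. the THROTTLED policy would apply."""
    return verify_connecting_host(ip, ptr_table, a_table) in enabled_conditions


if __name__ == "__main__":
    step5_only = {PTR_MISMATCH}
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        hit = matches_suspectlist(host, step5_only)
        print(host, verify_connecting_host(host),
              "-> SUSPECTLIST/THROTTLED" if hit else "-> no match")
```

With only the Step 5 condition enabled, the host with a temporary failure and the host with no PTR at all are not throttled; enabling the other conditions in the same sender group changes that, which is why the exception table for legitimate senders matters before you tighten them.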
Figure 7-11 Listing Matching Entries in the Exception Table

Testing Your Settings for Messages from Unverified Senders

Now that you have configured sender verification settings, you can verify the behavior of your appliance. Note that testing DNS-related settings is beyond the scope of this document.

mail from: admin
553 #5.5.4 Domain required for sender address

Note that the SMTP code and response is the one you configured for the envelope sender verification settings for the THROTTLED mail flow policy.

Envelope Sender Verification

Malformed Envelope Senders:
Thu Aug 10 10:14:10 2006 Info: ICID 3248 Address: sender rejected, envelope sender domain missing

Domain does not exist (NXDOMAIN):
Wed Aug 9 15:39:47 2006 Info: ICID 1424 Address:
CHAPTER 8 Accepting or Rejecting Connections Based on Domain Name or Recipient Address

• Overview of Accepting or Rejecting Connections Based on the Recipient’s Address, page 8-1
• Overview of the Recipient Access Table (RAT), page 8-2
• Accessing the RAT, page 8-2
• Editing the Default RAT Entry, page 8-2
• Domains and Users, page 8-3

Overview of Accepting or Rejecting Connections Based on the Recipient’s Address

AsyncOS uses a Recipient Access Table (RAT) for each public listener to manag

Chapter 8 Accepting or Rejecting Connections Based on Domain Name or Recipient Address

Overview of the Recipient Access Table (RAT)

The Recipient Access Table defines which recipients are accepted by a public listener. At a minimum, the table specifies the address and whether to accept or reject it.

Domains and Users

Modifying the Domains For Which to Accept Messages using the RAT

Use the Mail Policies > Recipient Access Table (RAT) page to configure the local domains and specific users for which the appliance accepts messages. On this page, you can perform the following tasks:
• Add, delete, and modify entries in the RAT.
• Change the order of the entries.

Defining Recipient Addresses

The RAT allows you to define a recipient or group of recipients. Recipients can be defined by full email address, domain, partial domain, username, or IP address:
• [IPv4 address] Specific Internet Protocol version 4 (IPv4) address of the host. Note that the IP address must be between the “[]” characters.
When you configure a RAT entry to bypass LDAP acceptance, be aware that the order of RAT entries affects how recipient addresses are matched. The RAT matches the recipient address with the first RAT entry that qualifies. For example, you have the following RAT entries: postmaster@ironport.com and ironport.com. You configure the entry for postmaster@ironport.

Step 2 Choose the listener to edit in the Overview for Listener field.
Step 3 Click Export RAT.
Step 4 Enter a file name for the exported entries. This is the name of the file that will be created in the configuration directory on the appliance.
Step 5 Submit and commit your changes.
CHAPTER 9 Using Message Filters to Enforce Email Policies

The Cisco appliance contains extensive content scanning and message filtering technology that allows you to enforce corporate policies and act on specific messages as they enter or leave your corporate networks. This chapter contains information about the powerful combinations of features available for policy enforcement: a content scanning engine, message filters, attachment filters, and content dictionaries.

Chapter 9 Using Message Filters to Enforce Email Policies

Components of a Message Filter
• Message Filter Rules. Each filter has a rule that defines the collection of messages that the filter can act upon. You define those rules when you create a message filter. For more information, see Message Filter Rules, page 9-10.
• Message Filter Actions. Each filter has an action that is performed on a message if the rule evaluates to true.

Note Non-final message filter actions are cumulative. If a message matches multiple filters where each filter specifies a different action, then all actions are accumulated and enforced. However, if a message matches multiple filters specifying the same action, the prior actions are overridden and the final filter action is enforced.

Message Filter Processing

When AsyncOS processes message filters, the content that AsyncOS scans, the order of the processing, and the actions taken are based on several factors:
• Message filter order. Message filters are maintained in an ordered list. When a message is processed, AsyncOS applies each message filter in the order it appears in the list. If a final action occurs, no further action is taken on the message.
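To make the ordering and accumulation rules concrete, here is a small Python model of the processing loop. It is added as an example and is not code from the guide or from AsyncOS. The filters, their predicates, the action names and the two messages are constructed for the demonstration; the set of final actions and the rule that a later filter's use of the same action name replaces the earlier one follow the Note above.

```python
import re

# Final actions end processing; every other action is non-final and accumulates.
FINAL_ACTIONS = frozenset({"deliver", "drop", "bounce"})


def run_message_filters(filters, message):
    """Apply an ordered list of (name, predicate, actions) to one message.

    Returns (final_action, pending, matched):
      final_action - the final action that stopped processing, or "deliver"
      pending      - accumulated non-final actions keyed by action name; a
                     later filter using the same action name overrides the
                     earlier one, different action names all survive
      matched      - names of the filters that matched, in list order
    """
    pending = {}
    matched = []
    for name, predicate, actions in filters:
        if not predicate(message):
            continue
        matched.append(name)
        for action, argument in actions:
            if action in FINAL_ACTIONS:
                # A final action supersedes every filter still on the list.
                return action, pending, matched
            pending[action] = argument
    return "deliver", pending, matched


# Constructed sample filters, in list order. Predicates stand in for rules.
SAMPLE_FILTERS = [
    ("tag_external",
     lambda m: re.match(r"^\[EXT\]", m["subject"]) is not None,
     [("insert-header", ("X-Route", "external"))]),
    ("route_partner",
     lambda m: m["mail_from"].endswith("@partner.example.net"),
     [("alt-mailhost", "relay1.example.com")]),
    ("route_bulk",
     lambda m: "bulk" in m["subject"].lower(),
     [("alt-mailhost", "relay2.example.com")]),   # same action: overrides relay1
    ("drop_spam",
     lambda m: m["subject"].startswith("SPAM"),
     [("notify", "abuse@example.com"), ("drop", None)]),   # drop is final
    ("always_notify",
     lambda m: True,
     [("notify", "admin@example.com")]),          # never reached after a drop
]

# Constructed sample messages.
MSG_SPAM = {"subject": "SPAM bulk offer", "mail_from": "x@partner.example.net"}
MSG_EXTERNAL = {"subject": "[EXT] quarterly report", "mail_from": "y@example.org"}

if __name__ == "__main__":
    for msg in (MSG_SPAM, MSG_EXTERNAL):
        print(msg["subject"], "->", run_message_filters(SAMPLE_FILTERS, msg))
```

For the SPAM message the two alt-mailhost filters both match, so the second one wins, the notify from drop_spam is kept, and the drop stops processing before always_notify is reached. This model keys overrides on the action name only; quarantine flags for different quarantines accumulate in the appliance, so a fuller model would key quarantine on its argument.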
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Processing • The filter has been superseded by an earlier filter that executed a final action for the message. Message Header Rules and Evaluation Filters evaluate “processed” headers rather than the original message headers when applying header rules. Thus: • If a header was added by a previous processing action, it can now be matched by any subsequent header rule.
Figure 9-1 Message with “Attachment”

Because the Cisco appliance makes this distinction between the body and the attachment in multipart messages, there are several cases you should be aware of when using the body-variable or attachment-variable message filter rules in order to achieve the expected behavior:
• If you have a message with a single text part—that is, a message containing a header of “Content-Type: text/pl

• Threshold Scoring for Content Dictionaries, page 9-8

Threshold Syntax

To specify a threshold for the minimum number of occurrences, specify the pattern and the minimum number of matches required to evaluate to true:

if(<filter rule>('<pattern>',<minimum matches required>)){

For example, to specify that the body-contains filter rule must find the value “Company Confidential” at least two times, use the following syntax:

if(body-contains('Company Confidential',2)){

Consider a message with the following MIME parts:

text/plain
text/html
application/octet-stream
application/octet-stream

The body-contains filter rule would determine the score for this message by first scoring the text/plain and text/html parts of the message. It would then compare the results of these scores and select the highest score from the results. Next, it would add this result to the score from each of the attachments to determine the final score.

the total score. If you set the threshold value for the message filter to 6, AsyncOS would determine that the threshold score has been met. Or, if the message contained one instance of each term, the total value would be 6, and this score would trigger the filter action.

AND Test and OR Tests in Message Filters

When evaluating AND or OR tests within message filters, AsyncOS does not evaluate unneeded tests.
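The following Python model implements the scoring just described: score each body alternative, keep only the highest, add every attachment's score, and compare the total with the threshold. It is added as an illustration and is not the guide's or the appliance's code. The four-part message, the dictionary terms and their weights are constructed for the demonstration, and attachments are supplied as already-extracted text because the appliance scans the text it extracts from each attachment.

```python
import re

# Constructed sample message as (content_type, role, text) tuples. The two
# body parts are multipart/alternative renderings of the same content; the
# attachments are given as the text that would be extracted from them.
SAMPLE_PARTS = [
    ("text/plain", "body",
     "Company Confidential draft.\nCompany Confidential - do not forward."),
    ("text/html", "body",
     "<p><b>Company Confidential</b> draft.</p>"),
    ("application/octet-stream", "attachment",
     "Appendix A. Company Confidential figures."),
    ("application/octet-stream", "attachment",
     "Nothing sensitive here."),
]


def score_part(text, terms):
    """Weighted occurrence count of each term (a regex) within one part.
    Matching is case-sensitive, like a filter rule without (?i)."""
    return sum(len(re.findall(pattern, text)) * weight
               for pattern, weight in terms.items())


def score_message(parts, terms):
    """Body alternatives: score each and keep only the highest.
    Attachments: add each attachment's score to that result."""
    body_scores = [score_part(text, terms)
                   for _, role, text in parts if role == "body"]
    attachment_scores = [score_part(text, terms)
                         for _, role, text in parts if role == "attachment"]
    return (max(body_scores) if body_scores else 0) + sum(attachment_scores)


def body_contains(parts, pattern, minimum=1):
    """Model of body-contains('<pattern>', <minimum matches required>)."""
    return score_message(parts, {pattern: 1}) >= minimum


def dictionary_match(parts, dictionary, threshold):
    """Model of a weighted content dictionary evaluated against a threshold;
    dictionary maps term regex -> weight."""
    return score_message(parts, dictionary) >= threshold


if __name__ == "__main__":
    print(score_message(SAMPLE_PARTS, {"Company Confidential": 1}))   # 2 (best body) + 1 + 0
    print(body_contains(SAMPLE_PARTS, "Company Confidential", 2))     # True
    print(score_message(SAMPLE_PARTS, {"Confidential": 2, "Appendix": 3}))  # 4 + 5
```

The plain-text alternative contains the phrase twice and the HTML alternative once, so the body contributes 2, not 3; a threshold of 4 is therefore not met even though the phrase appears four times across all parts.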
Message Filter Rules

Each message filter contains a rule that defines the collection of messages that a filter can act upon. You define the filter rules, and then you define a filter action for messages that return true.

Table 9-2 Message Filter Rules

Rule | Syntax | Description
Envelope Recipient in Group | rcpt-to-group | Is the Envelope Recipient (i.e. the Envelope To, RCPT TO) in a given LDAP group? See Envelope Recipient in Group Rule, page 9-25. Note: The rcpt-to-group rule is message-based. If a message has multiple recipients, only one recipient has to be found in a group for the specified action to affect the message to all recipients.
S/MIME Gateway Verified | smime-gateway-verified | Is the S/MIME message successfully verified, decrypted, or decrypted and verified? See S/MIME Gateway Verified Rule, page 9-40.
Image verdict | image-verdict | What was the image scanning verdict? This filter rule allows you to query for different image analysis verdicts. See Image Analysis, page 9-77.
Attachment File Type (a) | attachment-filetype | Does the message contain an attachment of a file type that matches a specific pattern based on its fingerprint (similar to a UNIX file command)? If the attachment is an Excel or Word document, you can also search for the following embedded file types: .exe, .dll, .bmp, .tiff, .pcx, .gif, .jpeg, .png, and Photoshop images.
Attachment Scanning (a) | attachment-contains(<regular expression>) | Does the message contain an attachment that contains text or another attachment that matches a specific pattern? Does the pattern occur the minimum number of times you specified for the threshold value? This rule is similar to the body-contains() rule, but it attempts to avoid scanning the entire “body”
Dictionary Match | dictionary-match(<dictionary_name>) | Does the message body contain any of the regular expressions or terms in the content dictionary named dictionary_name? Does the pattern occur the minimum number of times you specified for the threshold value? See Dictionary Rules, page 9-35.
Signed Certificate | signed-certificate(<field> [<operator> <regular expression>]) | Does the message signer or X.509 certificate issuer match a certain pattern? See Signed Certificate Rule, page 9-43.
Table 9-3 Regular Expression in Rules

Letters, white space and the at sign (@) character | Rules containing letters, white space, and the at sign character (@) only match themselves explicitly. For example, the regular expression ^George@admin$ only matches the string George@admin.
Period character (.) | Rules containing a period character (.) match any character (except a new line). For example, the regular expression ^.

Related Topics
• Using Regular Expressions to Filter Messages, page 9-18
• Guidelines for Using Regular Expressions, page 9-18
• Regular Expression and Non-ASCII Character Sets, page 9-19
• n Tests, page 9-19
• Case-sensitivity, page 9-19
• Writing Efficient Filters, page 9-19
• PDFs and Regular Expressions, page 9-20

Using Regular Expressions to Filter Messages

You can use filters to search for strings and patte
Regular Expression and Non-ASCII Character Sets

In some languages, the concepts of a word or word boundary, or case do not exist. Complex regular expressions that depend on concepts like what is or is not a character that would compose a word (represented as “\w” in regex syntax) cause problems when the locale is unknown or if the encoding is not known for certain.

In this instance, AsyncOS will have to start the regular expression engine 30 times, once for each attachment type and the recv-listener. Instead, write the filter to look like this:

attachment-filter:
if (recv-listener == "Inbound") AND (attachment-filename == "\\.

To use smart identifiers in a filter, enter the following keywords in a filter rule that scans body or attachment content:

Table 9-4 Smart Identifiers in Message Filters

Key Word | Smart Identifier | Description
*credit | Credit card number | Identifies 14-, 15-, and 16-digit credit card numbers. NOTE: The smart identifier does not identify enRoute or JCB cards.
*aba | ABA routing number | Identifies ABA routing numbers.
Description and Examples of Message Filter Rules

The following section describes the various message filter rules in use and their examples.

• Header Repeats Rule, page 9-45
• URL Reputation Rules, page 9-47
• URL Category Rule, page 9-47
• Corrupt Attachment Rule, page 9-47

True Rule

The true rule matches all messages. For example, the following rule changes the IP interface to external for all messages it tests.
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Rules You can specify non-ASCII characters to search for in the value of the header. When working with headers, remember that the current value of the header includes changes made during processing (such as with filter actions that add, remove, or modify message headings). See Message Header Rules and Evaluation, page 9-5 for more information.
Envelope Recipient in Group Rule

The rcpt-to-group rule selects those messages where any Envelope Recipient is found to be a member of the LDAP group given. For example, the following filter drops all messages sent with an email address within the LDAP group “ExpiredAccounts.”

expiredFilter:
if (rcpt-to-group == 'ExpiredAccounts')
{
    drop();
}

Note The rcpt-to-group rule is message-based.

{
    skip-filters();
}

Sender Group Rule

The sendergroup message filter selects a message based on which sender group was matched in a listener's Host Access Table (HAT). This rule uses '==' (for matching) or '!=' (for not matching) to test for matching a given regular expression (the right side of the expression).

As a convenience, the size measurement may be specified with a suffix:

Quantity | Description
10b | ten bytes (same as 10)
13k | thirteen kilobytes
5M | five megabytes
40G | 40 gigabytes (Note: The Cisco appliance cannot accept messages larger than 100 megabytes.)

Remote IP Rule

The remote-ip rule tests to see if the IP address of the host that sent that message matches a certain pattern.

Receiving IP Interface Rule

The recv-int rule selects those messages received via the named interface. The interface name must be the nickname of one of the interfaces currently configured for the system. For example, the following filter bounces any message arriving from the interface named outside.

message, and “false” if it is not found. For example, the following example checks to see if the header X-Sample is found, and if its value contains the string “sample text”. If a match is made, the message is bounced.

FooHeaderFilter:
if (header('X-Sample') == 'sample text')
{
    bounce();
}

You can specify non-ASCII characters to search for in the value of the header.

load_balance_b:
if (random(2))
{
    alt-src-host('interface_a');
}
else
{
    alt-src-host('interface_b');
}

Recipient Count Rule

The rcpt-count rule compares the number of recipients of a message against an integer value, in a similar way to the body-size rule.
Body Scanning Rule

The body-contains() rule scans the incoming email and all its attachments for a particular pattern defined by its parameter. This includes delivery-status parts and associated attachments. The body-contains() rule does not perform multi-line matching.

    notify('hresource@example.com');
}

Encryption Detection Rule

The encrypted rule examines the contents of a message for encrypted data. It does not attempt to decode the encrypted data, but merely examines the contents of the message for the existence of encrypted data. This can be useful for preventing users from sending encrypted email.

Note The encrypted rule can only detect encrypted data in the content of messages.

    bounce();
}

Attachment Filename Rule

The attachment-filename rule checks the filenames of each attachment in a message to see if it matches the given regular expression. This comparison is case-sensitive. It is also sensitive to whitespace, so if the filename has encoded whitespace at the end, the filter will skip the attachment. If one of the message’s attachments matches the filename, this rule returns “true.

    quarantine("Policy");
}

DNS List Rule

The dnslist() rule queries a public DNS List server that uses the DNSBL method (sometimes called “ip4r lookups”) of querying. The IP address of the incoming connection is reversed (so an IP of 1.2.3.4 becomes 4.3.2.1) and then added as a prefix to the server name in the parenthesis (a period to separate the two is added if the server name does not start with one).
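As an added example, not code from the guide or from AsyncOS, the following Python builds the ip4r query name exactly as described and evaluates the answer against an offline table that stands in for the list server (every zone, name and answer is constructed). It adds one check the rule description does not mention: only answers inside 127.0.0.0/8 count as a listing, so a lapsed or parked list domain that resolves every name to some public address does not silently match every connection.

```python
import ipaddress

# Constructed offline stand-in for the list server: query name -> A records.
# An empty list stands for NXDOMAIN (not listed). Real lists answer inside
# 127.0.0.0/8, with the last octet encoding the reason for the listing.
SAMPLE_ANSWERS = {
    "4.3.2.1.dnsbl.example.org": ["127.0.0.2"],      # listed
    "5.3.2.1.dnsbl.example.org": [],                 # explicitly not listed
    "9.3.2.1.dnsbl.example.org": ["203.0.113.9"],    # parked/wildcard answer
}

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets, then append the zone; a period is inserted
    between them unless the zone already starts with one."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("ip4r lookups apply to IPv4 connections only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    separator = "" if zone.startswith(".") else "."
    return reversed_octets + separator + zone


def dnslist(ip, zone, lookup=SAMPLE_ANSWERS.get):
    """Model of the dnslist('<zone>') rule for one connecting IP.

    lookup(name) returns the A records for a name, or None/[] when there
    are none. Only answers within 127.0.0.0/8 are treated as a listing
    (this range check is an addition beyond the rule as documented).
    """
    name = dnsbl_query_name(ip, zone)
    answers = lookup(name) or []
    return any(ipaddress.ip_address(a) in LISTING_RANGE for a in answers)


if __name__ == "__main__":
    zone = "dnsbl.example.org"
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.9"):
        print(ip, dnsbl_query_name(ip, zone), dnslist(ip, zone))
```

To run this against a real list, replace the lookup argument with a function that performs the A query (for example via a resolver library) and returns the answer addresses; keep the 127/8 check, and prefer to log the returned code, since lists use different last octets for different listing reasons.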
for a SBRS score of “none” using the no-reputation rule described below. The following example adjusts the “Subject:” line of a message to be prefixed by “*** BadRep ***” if the reputation score returned from the SenderBase Reputation Service is below a threshold of -7.5.

note_bad_reps:
if (reputation < -7.
The following example sends the message to the Policy quarantine if the message body contains any words within the dictionary named “secret_words.” Unlike the only-body-contains condition, the body-dictionary-match condition does not require that all the content parts individually match the dictionary. The scores of each content part (taking into account multipart/alternative parts) are added together.

    quarantine('Policy');
}

The header-dictionary-match(<dictionary_name>, <header>) rule works like the dictionary-match rule above, except that it looks for matches in the header specified in <header>. The header name is case insensitive, so, for example, “subject” and “Subject” both work.

}

quarantine-spf-failed-mail:
if (spf-status("pra") == "Fail") {
    if (spf-status("mailfrom") == "Fail"){
        # completely malicious mail
        quarantine("Policy");
    } else {
        if(spf-status("mailfrom") == "SoftFail") {
            # malicious mail, but tempting
            quarantine("Policy");
        }
    }
} else {
    if(spf-status("pra") == "SoftFail"){
        if (spf-status("mailfrom") == "Fail" or spf-status("mailfrom") == "SoftFail"){
            # malicious mail, but tempting
            quarantine

    insert-header("Subject", "[POTENTIAL PHISHING] $Subject");
}

SPF-Passed Rule

The following example shows an spf-passed rule used to quarantine emails that are not marked as spf-passed:

quarantine-spf-unauthorized-mail:
if (not spf-passed) {
    quarantine("Policy");
}

Note Unlike the spf-status rule, the spf-passed rule reduces the SPF/SIDF verification values to a simple Boolean.

The following filter checks the workqueue count, and skips the spam check if the queue is greater than the specified number.

wqfull:
if (workqueue-count > 1000) {
    skip-spamcheck();
}

For more information on SPF/SIDF, see Overview of SPF and SIDF Verification, page 20-22.
SMTP Auth ID | Comparison Address | Matches?
someuser | someuser@another.com | Yes
SomeUser | someuser@example.com | Yes
someuser | someuser+folder@example.com | No
 | someuser+folder@example.com | Yes
someuser@example.com | someuser@forged.com | No
someuser@example.com | someuser@example.com | Yes
SomeUser@example.com | someuser@example.

        quarantine("forged");
    }
}

Signed Rule

The signed rule checks messages for a signature. The rule returns a boolean value to indicate if the message is signed or not. This rule evaluates whether the signature is encoded according to ASN.1 DER encoding rules and that it conforms to the CMS SignedData Type structure (RFC 3852, Section 5.1).

• Issuer, page 9-43
• Escaping in Regular Expressions, page 9-43
• $CertificateSigners Action Variable, page 9-44
• Examples, page 9-45

Signer

For message signers, the rule extracts the sequence of rfc822Name names from the X.509 certificate’s subjectAltName extension.

For example, Alice signs a message with her two certificates. Bob signs the message with his single certificate. All certificates are issued by a single corporate authority. After the message passes the S/MIME scan, the extracted data contain three items:

[
  { 'issuer': 'CN=Auth,O=Example\, Inc.', 'signer': ['alice@example.com', 'al@private.example.com'] },
  { 'issuer': 'CN=Auth,O=Example\, Inc.', 'signer': ['alice@example.

    notify("admin@example.com");
}

The following example adds a header if the message has an X.509 certificate:

AnyX509:
if signed-certificate ("issuer")
{
    insert-header("X-Test", "X.509 present");
}

The following example adds a header if the message’s certificate does not have a signer:

NoSigner:
if not signed-certificate ("signer")
{
    insert-header("X-Test", "Old X.
Using Header Repeats Rule with Other Rules

You can use the Header Repeats rule with other rules using AND or OR operators.

<msg_filter_name>:
if url-category (['<category-name1>','<category-name2>',…, '<category-nameN>'],'')
{
    <action>
}

Where:
• msg_filter_name is the name of this message filter.
• action is the action to take when the rule matches.
• category-name is the URL category. Separate multiple categories with commas. To obtain correct category names, look at a URL Category condition or action in a Content Filter.
Message Filter Actions

The purpose of message filters is to perform actions on selected messages. The two types of actions are:
• Final actions (such as deliver, drop, and bounce) end the processing of a message, and permit no further processing through subsequent filters.
• Non-final actions perform an action which permits the message to be processed further. Non-final message filter actions are cumulative.

Table 9-5 Message Filter Actions

Action | Syntax | Description
Archive | archive | Archive this message into an mbox-format file. See Archive Action, page 9-67.
Quarantine | quarantine (quarantine_name) | Flag this message to be sent to the quarantine named quarantine_name. See Quarantine and Duplicate Actions, page 9-64.
Drop Attachments by Type | drop-attachments-by-type | Drop all attachments on messages that have a MIME type, determined by either the given MIME type or the file extension. Archive file attachments (zip, tar) will be dropped if they contain a file that matches. See Examples of Attachment Scanning Message Filters, page 9-83.
Encrypt on Delivery | encrypt-deferred | Encrypt message on delivery, which means that the message continues to the next stage of processing, and when all processing is complete, the message is encrypted and delivered.

Attachment Groups

You can specify a particular file type (“exe” files for example) or common groups of attachments in the attachment-filetype and drop-attachments-by-filetype rules. AsyncOS divides the attachments into the groups listed in Table 9-6.

Table 9-6 Attachment Groups (continued)

Attachment Group Name | Scanned File Types
Compressed | ace (ACE Archiver compressed file), arc (SQUASH Compressed archive), arj (Robert Jung ARJ compressed archive), binhex, bz (Bzip compressed file), bz2 (Bzip compressed file), cab (Microsoft cabinet file), gzip* (Compressed file - UNIX gzip), lha (Compressed Archive [LHA/LHARC/LHZ]), rar (Compressed archi
Image | bmp, cur, gif, ico, jpeg, pcx, png, psd, psp, tga, tiff
Media | aac, aiff, asf, avi, flash, midi, mov, mp3, mpeg, ogg, ram, snd, wav, wma, wmv
Action Variables

The bcc(), bcc-scan(), notify(), notify-copy(), add-footer(), add-heading(), and insert-headers() actions have parameters that may use certain variables that will be automatically replaced with information from the original message when the action is executed. These special variables are called action variables.

Table 9-7 Message Filter Action Variables (continued)

Variable | Syntax | Description
Mail Flow Policy | $Policy | Returns the name of the HAT policy applied to the sender when injecting the message. If no predefined policy name was used, the string “>Unknown<” is inserted.
Header | $Header['string'] | Returns the value of the quoted header, if the original message contains a matching header.

Matched Content Visibility

When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message. When you display the message body, the matched content is highlighted in yellow.

• Archive Action, page 9-67
• Strip Header Action, page 9-68
• Insert Header Action, page 9-68
• Edit Header Text Action, page 9-69
• Edit Body Text Action, page 9-69
• HTML Convert Action, page 9-70
• Bounce Profile Action, page 9-71
• Bypass Anti-Spam System Action, page 9-71
• Bypass Anti-Virus System Action, page 9-72
• Bypass File Reputation Filtering and File Analysis System Actions, page 9-72
• By
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Actions The following filter first notifies george@whitehouse.gov and then discards any message where the subject begins with SPAM. spamFilter: if(subject == '^SPAM.*') { notify('george@whitehouse.gov'); drop(); } Bounce Action The bounce action sends the message back to the sender (Envelope Sender) without further processing. The following filter returns (bounces) any message from an email address that ends in @yahoo\\.com.
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Actions S/MIME Sign or Encrypt on Delivery Action The smime-gateway-deferred action performs an S/MIME signing or encryption of the message using the specified sending profile during the delivery. This means that the message continues to the next stage of processing, and when all processing is complete, the message is signed or encrypted and delivered.
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Actions { notify-copy('admin@example.com'); drop(); } The Envelope Recipient parameter may be any valid email address (for example, admin@example.
Chapter 9 Using Message Filters to Enforce Email Policies Message Filter Actions You can also use the $MatchedContent action variable to notify senders or administrators that a content filter was triggered. The $MatchedContent action variable displays the content that triggered the filter. For example, the following filter sends a notification to an administrator if the email contains ABA account information. ABA_filter: if (body-contains ('*aba')){ notify('admin@example.
The following filter sends a blind carbon copy to mom@home.org for each message addressed to sue from johnny:

momFilter: if ((mail-from == '^johnny$') and (rcpt-to == '^sue$')) {
    bcc('mom@home.org');
}

The bcc action also supports up to three additional, optional arguments that allow you to specify the subject header and Envelope Sender to use on the copied message, as well as an alt-mailhost.

Caution: The bcc(), notify(), and bounce() filter actions can allow viruses through your network. The blind carbon copy filter action creates a new message which is a full copy of the original message. The notify filter action creates a new message that contains the headers of the original message. While it is rare, headers can contain viruses.

When flagged for quarantine, the message continues through the rest of the email pipeline. When the message reaches the end of the pipeline, if the message has been flagged for one or more quarantines then it enters those queues. Otherwise, it is delivered. Note that if the message does not reach the end of the pipeline (for example, because a later stage drops or bounces it), it is not placed in a quarantine.
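The flag-then-honour behaviour described above is easy to get wrong when several stages act on the same message: a quarantine() that fires early does not protect the message from a later drop(), so the copy an analyst expects to find in the quarantine never arrives. The following Python model is an added example and not the appliance's code; the pipeline, the two stages and the messages are constructed to show the ordering effect, and the names quarantine/drop/run_pipeline are assumptions for illustration.

```python
"""Quarantine flagging vs. final actions in a tiny pipeline model.

Added example (not from the Cisco guide). quarantine() only sets a flag; the
flag is honoured when the message reaches the end of the pipeline; a message
that leaves early (drop/bounce) is never placed in a quarantine.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    subject: str
    quarantines: list = field(default_factory=list)  # flags, not yet queued
    disposition: str = None  # set only when the message leaves the pipeline early


def quarantine(msg, name):
    """Flag only; the message keeps moving through the pipeline."""
    if name not in msg.quarantines:
        msg.quarantines.append(name)


def drop(msg):
    """Final action: the message leaves the pipeline now."""
    msg.disposition = "dropped"


def run_pipeline(msg, stages):
    """Apply each stage in order, stop at a final action, then honour flags.

    Returns (disposition, names of the quarantines the message entered)."""
    for stage in stages:
        stage(msg)
        if msg.disposition is not None:
            return msg.disposition, []  # left early: quarantine flags are discarded
    if msg.quarantines:
        return "quarantined", list(msg.quarantines)
    return "delivered", []


# Constructed stages standing in for a message filter and a later engine.
def policy_filter(msg):
    if msg.subject.startswith("SPAM"):
        quarantine(msg, "Policy")


def later_stage_drops_spam(msg):
    if "SPAM" in msg.subject:
        drop(msg)


def demo():
    """Three runs: flag only, flag then drop, nothing matches."""
    flagged_only = run_pipeline(Message("SPAM offer"), [policy_filter])
    flagged_then_dropped = run_pipeline(
        Message("SPAM offer"), [policy_filter, later_stage_drops_spam])
    clean = run_pipeline(Message("hello"), [policy_filter, later_stage_drops_spam])
    return flagged_only, flagged_then_dropped, clean


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second run is the case to watch for in production: the filter that quarantines must itself be the one that ends processing (for example quarantine followed by skip-filters, or a final action in the same filter) if the quarantine copy is required.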
The following filter sends all messages with an Envelope Recipient address that contains .freelist.com and changes all recipients for the message to system-lists@myhost.com:

freelistFilter: if(rcpt-to == '\\.freelist\\.com$') {
    alt-rcpt-to('system-lists@myhost.

    alt-mailhost('192.168.12.5');
}

Alter Source Host (Virtual Gateway address) Action
The alt-src-host action changes the source host for the message to the source specified. The source host consists of the IP interface or group of IP interfaces that the messages should be delivered from.

The mbox format is a standard UNIX mailbox format, and there are many utilities available to make viewing the messages easier. Most UNIX systems allow you to type "mail -f mbox.filename" to view the files. The mbox format is in plain text, so you can use a simple text editor to view the contents of the messages.
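When an archive() log is pulled off the appliance for review, a scripted summary is often more useful than paging through it with mail -f. The following Python is an added example, not part of the guide: it reads an mbox file with the standard library's mailbox module and lists sender, decoded subject and Message-ID for each archived message. The two messages in SAMPLE_MBOX are constructed for the demo (the second has an RFC 2047 encoded subject to show that decoding is needed).

```python
"""Summarise messages written by the archive() action into an mbox file.

Added example (not from the Cisco guide). Uses Python's mailbox module to do
what `mail -f mbox.filename` does interactively. SAMPLE_MBOX is constructed.
"""
import mailbox
import os
import tempfile
from email.header import decode_header, make_header

# Constructed sample: two messages in classic mbox framing ("From " separator).
SAMPLE_MBOX = b"""From MAILER-DAEMON Thu Apr  3 08:17:56 2009
From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
Message-ID: <1@example.com>

Body one.

From MAILER-DAEMON Thu Apr  3 08:18:02 2009
From: mallory@example.net
To: bob@example.com
Subject: =?utf-8?q?Pr=C3=BCfung?=
Message-ID: <2@example.net>

Body two.
"""


def summarize_mbox(path):
    """Return (sender, decoded subject, message-id) for each message in the mbox."""
    box = mailbox.mbox(path)
    try:
        rows = []
        for msg in box:
            # Subjects may be RFC 2047 encoded words; decode them for display.
            subject = str(make_header(decode_header(msg.get("Subject", ""))))
            rows.append((msg.get("From"), subject, msg.get("Message-ID")))
        return rows
    finally:
        box.close()


def write_sample():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    p = write_sample()
    for sender, subject, mid in summarize_mbox(p):
        print(f"{mid:<20} {sender:<22} {subject}")
    os.unlink(p)
```

Because the archive is plain mbox, the same approach works for any archive log retrieved from the appliance; only the path changes.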
    insert-header('X-Company', 'My Company Name');
}

The insert-header() action allows the use of non-ASCII characters in the text of the header, while restricting the header name to be ASCII (to comply with standards). The transport encoding will be quoted-printable to maximize the readability.

Note: The strip-header() and insert-header() actions can be used in combination to rewrite any message header in the original message.
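The two rules stated above (ASCII-only header name, quoted-printable encoded word for a non-ASCII value) are what RFC 2047 requires, and they can be reproduced off-box to check what a rewritten header will look like. The following Python is an added example, not the appliance's implementation: it strips every existing instance of a header and inserts one new value, forcing the "q" (quoted-printable) encoding the guide describes. The sample message and the helper names are constructed for the demo.

```python
"""Rewrite a header as strip-header()/insert-header() would, encoding a
non-ASCII value as an RFC 2047 quoted-printable encoded word.

Added example (not from the Cisco guide); SAMPLE and the helpers are
constructed for illustration.
"""
import email
from email import charset as email_charset
from email.header import Header


def encode_header_value(value, encoding="utf-8"):
    """Return `value` unchanged if it is pure ASCII, otherwise as a single
    quoted-printable encoded word (=?utf-8?q?...?=)."""
    try:
        value.encode("ascii")
        return value
    except UnicodeEncodeError:
        cs = email_charset.Charset(encoding)
        cs.header_encoding = email_charset.QP  # force "q", not base64
        return Header(value, cs).encode()


def rewrite_header(msg, name, value):
    """strip-header() then insert-header(): remove all instances of `name`
    and add one header carrying the (possibly encoded) value.
    The header name itself must be ASCII; a non-ASCII name raises."""
    name.encode("ascii")  # UnicodeEncodeError for a non-ASCII header name
    del msg[name]
    msg[name] = encode_header_value(value)
    return msg


# Constructed message with two existing X-Company headers to be replaced.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "X-Company: Old Name\r\n"
    "X-Company: Other Old Name\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)


def demo():
    """Replace both X-Company headers with one non-ASCII company name."""
    msg = email.message_from_string(SAMPLE)
    rewrite_header(msg, "X-Company", "Müller & Söhne GmbH")
    return msg.get_all("X-Company")


if __name__ == "__main__":
    print(demo())
```

In the "q" encoding spaces become underscores and characters such as & are escaped as =XX, so the resulting header line stays 7-bit clean regardless of the listener's later encoding decisions.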
    "parameter 2");
}

The edit-body-text() message filter only works on the message body parts. For more information about whether a given MIME part is considered a message "body" or a message "attachment", see Message Bodies vs. Message Attachments, page 9-5.

The Cisco message filters make a determination on whether a given MIME part is considered a message "body" or a message "attachment". The html-convert() filter only works on the message body parts. For more information about message bodies and attachments, see Message Bodies vs. Message Attachments, page 9-5. Depending on the format, the html-convert() filter uses different methods to strip the HTML from within the documents.
    skip-spamcheck();
}

Related Topics
• How to Configure the Appliance to Scan Messages for Spam, page 13-2
• Protecting Appliance-Generated Messages From the Spam Filter, page 13-14

Bypass Anti-Virus System Action
The skip-viruscheck action instructs the system to allow the message to bypass any virus protection system configured on the system.

The following example specifies that messages received on the listener "private_listener" should bypass Outbreak Filter scanning.

internal_mail_is_safe: if (recv-listener == 'private_listener') {
    skip-vofcheck();
}

Add Message Tag Action
The tag-message action inserts a custom term into an outgoing message to use with RSA Email DLP policy filtering.

    bounce();
}

Related Topics
• Replace URL with Text, Based on URL Reputation, page 9-75
• Defang URL, Based on URL Reputation, page 9-76
• Redirect URL to Cisco Security Proxy, Based on URL Reputation, page 9-76

URL Category Actions
Use the categories of URLs in messages to modify the URLs or their behavior.
Defang URL, Based on URL Category
The syntax of a filter using the url-category-defang action is:

: if {
    url-category-defang(['','',…, ''], '', );
}

Redirect URL to Cisco Security Proxy, Based on URL Category
The syntax of a filter using the url-category-proxy-redirect action is:

: if {
    url-ca

Attachment Scanning

Related Topics
• Message Filters for Scanning Attachments, page 9-76
• Image Analysis, page 9-77
• Configuring the Image Analysis Scanning Engine, page 9-77
• Configuring the Message Filter to Perform Actions Based on Image Analysis Results, page 9-81
• Notifications, page 9-83
• Examples of Attachment Scanning Message Filters, page 9-83

Message Filters for Scanning Attachments
The message filter actions described i

Table 9-8 Message Filter Actions for Attachment Filtering (continued)
Action: Attachment Scanning
Syntax: drop-attachments-where-contains ([, ])
Description: Drops all attachments on the message that contain the regular expression. Archive files (zip, tar) will be dropped if any of the files they contain match the regular expression pattern.
Figure 9-3 Cisco Image Analysis Overview

The image analysis filter rule allows you to determine the actions to take based on the following verdicts:
• Clean: The image is free of inappropriate content. The image analysis verdict is computed on the message as a whole, so a message without any images will receive a "clean" verdict if scanned.
• Suspect: The image may contain inappropriate content.

Figure 9-4 Edit IronPort Image Analysis Settings

Step 3 Configure the settings for image analysis sensitivity. The default sensitivity setting of 65 is recommended.
Step 4 Configure the settings for Clean, Suspect, and Inappropriate verdicts. When you configure the value ranges, ensure that you do not overlap values and that you use whole integers.

Define the image analysis sensitivity. Enter a value between 0 (least sensitive) and 100 (most sensitive). As sensitivity increases, so does the false positive rate. The default setting of 65 is recommended.
[65]>

Define the range for a CLEAN verdict. Enter the upper bound of the CLEAN range by entering a value between 0 and 98. The default setting of 49 is recommended.
[49]>

Define the range for a SUSPECT verdict.
For example, the following mail log shows attachments dropped by message filter rules as a result of Image Analysis scanning:

Thu Apr 3 08:17:56 2009 Debug: MID 154 IronPort Image Analysis: image 'Unscannable.jpg' is unscannable.
Thu Apr 3 08:17:56 2009 Info: MID 154 IronPort Image Analysis: attachment 'Unscannable.

Creating Content Filters to Strip Attachments Based on Image Analysis Verdicts
After you enable image analysis, you can create a content filter to strip attachments based on image analysis verdicts, or you can configure a filter to perform different actions for different message verdicts. For example, you might decide to quarantine messages that contain inappropriate content.

Step 9 Submit and commit your changes.

Notifications
Using the Text Resources page in the GUI or the textconfig CLI command to configure custom notification templates as text resources is another useful tool when used in conjunction with attachment filtering rules. The notification template supports non-ASCII characters (you are prompted to choose an encoding while creating the template).
    insert-header("X-Example-Approval", "AttachOK");
}

In the following example, the attachment is scanned for a pattern in the binary data. The filter uses the attachment-binary-contains filter rule to search for a pattern that indicates that the PDF document is encrypted.
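The marker such a filter looks for is the /Encrypt entry that an encrypted PDF carries in its trailer dictionary. The following Python is an added example, not the guide's filter and not the appliance's scanner: it shows what the pattern has to match and why a bare substring test is too loose, since the text "/Encrypt" can appear in a content stream of a perfectly ordinary document. Both PDF fragments are constructed by hand for the demo.

```python
"""Detect an encrypted PDF by the /Encrypt reference in its trailer, the idea
behind an attachment-binary-contains filter.

Added example (not from the Cisco guide). ENCRYPTED_PDF and
PLAIN_PDF_WITH_WORD are constructed fragments, not real files.
"""
import re

# An encrypted PDF's trailer dictionary references the encryption dictionary
# object, e.g. "/Encrypt 4 0 R".
ENCRYPT_REF = re.compile(rb"/Encrypt\s+\d+\s+\d+\s+R")
TRAILER = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)

# Constructed: minimal encrypted PDF skeleton.
ENCRYPTED_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"4 0 obj<</Filter/Standard/V 2/R 3/Length 128/O<...>/U<...>/P -3904>>endobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R /Encrypt 4 0 R /ID[<a1><a1>] >>\n"
    b"startxref\n0\n%%EOF\n"
)
# Constructed: unencrypted PDF whose visible text merely mentions "/Encrypt".
PLAIN_PDF_WITH_WORD = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"5 0 obj<</Length 44>>stream\nBT /F1 12 Tf (see /Encrypt 4 0 R in spec) Tj ET\n"
    b"endstream endobj\n"
    b"trailer\n<< /Size 6 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)


def naive_is_encrypted(data):
    """What a bare substring match does: any '/Encrypt' anywhere counts."""
    return b"/Encrypt" in data


def pdf_is_encrypted(data):
    """Look for an /Encrypt reference only inside trailer dictionaries.

    Incrementally updated files can carry several trailers; any one with
    /Encrypt means the document is encrypted. PDF 1.5+ files that use
    cross-reference streams put these keys in the XRef stream dictionary
    instead, so a production check would also scan /Type /XRef dictionaries."""
    if not data.startswith(b"%PDF-"):
        return False
    return any(ENCRYPT_REF.search(t) for t in TRAILER.findall(data))


if __name__ == "__main__":
    for name, blob in (("encrypted", ENCRYPTED_PDF), ("plain", PLAIN_PDF_WITH_WORD)):
        print(name, "naive:", naive_is_encrypted(blob), "trailer:", pdf_is_encrypted(blob))
```

A message filter cannot parse trailers, so a regular expression like the one in ENCRYPT_REF (an object reference following /Encrypt, rather than the bare word) is the practical way to cut down the false positives of a simple substring.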
In the following example, a specific member of a file type ("wmf") as well as the same "executable" group of attachments (.exe, .dll, and .scr) are stripped from messages whose Envelope Sender is not within the domain example.com.

strip_inbound_exes_and_wmf: if (mail-from != "@example\\.

Dropping Attachments by Dictionary Matches
The drop-attachments-where-dictionary-match action strips attachments based on matches to dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term (and the user-defined threshold is met), the attachment is stripped from the email.
Using the CLI to Manage Message Filters
You can use the CLI to add, delete, activate and de-activate, import and export, and set logging options for message filters. The table below shows a summary of the commands and subcommands.

Table 9-9 Message Filters Subcommands
Syntax: filters
Description: The main command.

Table 9-10 Filter Management Parameters
filtname: The colloquial name of a filter.
range: A range may be used to represent more than one filter, and appears in the form of X-Y, where X and Y are the first and last seqnums that identify the extent. For example, 2-4 represents filters in the second, third, and fourth positions. Either X or Y may be left off to represent an open-ended list.

Deleting a Message Filter
delete [seqnum|filtname|range]
Deletes the filter(s) identified. The following conditions can cause errors:
• No filter with a given filter name.
• No filter with a given sequence number.

Moving a Message Filter
move [seqnum|filtname|range seqnum|last]
Moves the filters identified by the first parameter to the position identified by the second parameter.
[]> new

Enter filter script. Enter '.' on its own line to end.
filterstatus: if true{skip-filters();}
.
1 filters added.

Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> set

Enter the filter name, number, or range:
[all]> all

Enter the attribute to set:
[active]> inactive
1 filters updated.

[]> all

Num Active Valid Name
1   N      Y     filterstatus

filterstatus! if (true) { skip-filters(); }

Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
The following conditions can cause errors:
• No filter with a given filtname.
• No filter with a given sequence number.

Note: A filter which is inactive may also be noted in its syntax; the colon after the label (name of the filter) is changed to an exclamation point (!). A filter entered manually from the CLI, or imported, that contains this syntax, will automatically be marked inactive.
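Two pieces of CLI behaviour described in this section are worth having in a script when filter sets are kept under version control and pushed with import: the ":" versus "!" label marker that decides whether an imported filter is active, and the seqnum|filtname|range selector grammar (including open-ended ranges such as 2- or -3) used by delete, move, set and list. The following Python is an added example and not the appliance's parser; the script text is constructed, the selector rules follow the text above, and the data structures are my own.

```python
"""Parse a message filter script for name and active marker, then resolve
seqnum|filtname|range selectors as the filters CLI describes them.

Added example (not from the Cisco guide). SCRIPT is constructed; the Filter
dataclass and function names are illustration only.
"""
import re
from dataclasses import dataclass

# "<name>:" introduces an active filter, "<name>!" an inactive one.
FILTER_HEAD = re.compile(r"^\s*([A-Za-z0-9_]+)\s*([:!])\s*if\b", re.MULTILINE)


@dataclass
class Filter:
    name: str
    active: bool
    body: str


def parse_filter_script(script):
    """Split a script into filters; the label's punctuation sets active/inactive."""
    heads = list(FILTER_HEAD.finditer(script))
    filters = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(script)
        filters.append(Filter(m.group(1), m.group(2) == ":", script[m.start():end].strip()))
    return filters


def resolve_selector(filters, selector):
    """Return 1-based sequence numbers for seqnum | filtname | range | 'all'.

    Ranges are X-Y with either end optional ('2-4', '-3', '5-'). Raises
    ValueError for the error conditions the CLI reports."""
    n = len(filters)
    sel = selector.strip()
    if sel == "all":
        return list(range(1, n + 1))
    if sel.isdigit():
        num = int(sel)
        if not 1 <= num <= n:
            raise ValueError(f"no filter with sequence number {num}")
        return [num]
    m = re.fullmatch(r"(\d*)-(\d*)", sel)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else n
        if lo < 1 or hi > n or lo > hi:
            raise ValueError(f"range {sel} outside 1-{n}")
        return list(range(lo, hi + 1))
    for i, f in enumerate(filters, 1):
        if f.name == sel:
            return [i]
    raise ValueError(f"no filter with name {sel!r}")


# Constructed script: three filters, the second already marked inactive with "!".
SCRIPT = """
no_mp3s: if (attachment-filename == '(?i)mp3$') { drop(); }
filterstatus! if (true) { skip-filters(); }
mailfrompm: if (mail-from == "^postmaster$") { bcc("administrator@example.com"); }
"""

if __name__ == "__main__":
    fl = parse_filter_script(SCRIPT)
    print("Num Active Name")
    for i, f in enumerate(fl, 1):
        print(f"{i:<3} {'Y' if f.active else 'N':<6} {f.name}")
    print("selector '2-' ->", resolve_selector(fl, "2-"))
```

Running the parser over a script before importing it catches an accidental "!" (a filter silently disabled) that the CLI would otherwise accept without comment.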
The best way to manage non-ASCII characters in filters is to edit the filter in a text file and then import that text file (see Importing Message Filters, page 9-93) into the appliance.

Displaying a Message Filter List
list [seqnum|filtname|range]
Shows summarized information about the identified filters in a tabular form without printing the filter body.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> logconfig

Currently configured logs:
1.

Please enter the maximum file size:
[10485760]>

Please enter the maximum number of files:
[10]>

Currently configured logs:
1. "joesmith" Type: "Filter Logs" Retrieval: FTP Poll

Enter "EDIT" to modify or press Enter to go back.
in the same encoding as the message body may cause certain characters in the modified header to be lost.)
[Y]>

If a non-ASCII header is not properly tagged with a character set and is being used or modified, impose the encoding of the body on the header during processing and final representation of the message? (Many MUAs create non-RFC-compliant headers that are then handled in an undefined way.

- SETUP - Configure multi-lingual settings.

The first prompt determines whether or not a message header's encoding should be changed to match that of the message body if the header is changed (via a filter, for example). The second prompt controls whether or not the appliance should impose the encoding of the message body on the header if the header is not properly tagged with a character set.
1 filters added.

Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> new

Enter filter script. Enter '.' on its own line to end.
mailfrompm: if (mail-from == "^postmaster$") { bcc ("administrator@example.com");}
.
1 filters added.

2   Y      Y     no_mp3s
3   Y      Y     mailfrompm

Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> 1
1 filters moved.

Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]>
mail3.example.

Message Filter Examples
Cisco appliances are not susceptible to these third party relay hacks that are often used to exploit traditional Sendmail/Qmail systems. As many of these symbols (for example %) can be part of a perfectly legal email address, Cisco appliances will accept these as valid addresses, verify them against the configured recipient lists, and pass them on to the next internal server.

BCC and Scan Mail Sent to Competitors
This filter scans and blind copies messages that are sent to competitors. Note that you could use a dictionary and the header-dictionary-match() rule to specify a more flexible list of competitors (see Dictionary Rules, page 9-35):

competitorFilter: if (rcpt-to == '@competitor1.com|@competitor2.com') {
    bcc-scan('legal@example.

Use the archive() line for verification of proper action, with drop() enabled or disabled for extra safety:

toTooBig: if(header('To') == "^.

Alter SBRS Filter
Alter the SBRS (SenderBase Reputation Score) threshold for certain domains:

mod_sbrs: if ( (rcpt-count == 1) AND (rcpt-to == "@domain\\.com$") AND (reputation < -2) ) {
    drop ();
}

Filename Regex Filter
This filter specifies a range of size for the body of the message, and looks for an attachment that matches the regular expression (this matches files named "readme.zip", "readme.exe", "attach.

    insert-header ('X-HAT', 'Sender Group $Group, Policy $Policy applied.');
}

Too Many Recipients Bounce Filter
Bounce all outbound email messages with 50 or more recipients from more than two unique domains:

bounce_high_rcpt_count: if ( (rcpt-count > 49) AND (rcpt-to != "@example\\.

Same Listener for Delivery and Receiving Filter
Use the same listener for delivery and receiving.

    archive('domain_spoof');
    drop ();
}

Another Drop Spoofed Domain Filter
Summary: Anti domain spoof filter:

reject_domain_spoof: if (recv-listener == "MailListener") {
    insert-header("X-Group", "$Group");
    if ((mail-from == "@test\\.mycompany\\.com") AND (header("X-Group") != "RELAYLIST")) {
        notify("me@here.
} else {insert-header("X-ExtLoopCount9", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount8", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount7", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount6", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount5", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount4", "from $RemoteIP");}}
else {insert-header("X-ExtLoopCount3", "from $RemoteIP");}}
els

Configuring Scan Behavior
Step 3 Configure the global settings. Do the following:
a. Under Global Settings, click Edit Global Settings.
b. Edit the desired fields:

Table 9-11
Field: Action for attachments with MIME types / fingerprints in table above
Description: Choose whether to scan or skip attachment types defined in the attachment type mapping.
Note
• The attachment is enabled for metadata scanning. When the scanning engine scans attachments, it scans the metadata for the regular expression. This is the default setting.
• The attachment scanning timeout is configured for 60 seconds. The default is 30 seconds.
• Attachments that were not scanned are assumed to not match the search pattern. (This is the default behavior.

Enter the maximum depth of attachment recursion to scan:
[5]> 10

Enter the maximum size of attachment to scan:
[5242880]> 10m

Do you want to scan attachment metadata? [Y]> Y

Enter the attachment scanning timeout (in seconds):
[30]> 60

If a message has attachments that were not scanned for any reason (e.g.
8. Simplified Chinese (HZ GB 2312)
9. Korean (ISO 2022-KR)
10. Korean (KS-C-5601/EUC-KR)
11. Japanese (Shift-JIS (X0123))
12. Japanese (ISO-2022-JP)
13. Japanese (EUC)
[1]>

Scan behavior changed.

There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
[]> print

1. Fingerprint Image
2. Fingerprint Media
3. MIME Type audio/*
4. MIME Type image/*
5.

- SMIME - Configure S/MIME unpacking.
[]>
CHAPTER 10 Mail Policies
• Overview of Mail Policies, page 10-1
• How to Enforce Mail Policies on a Per-User Basis, page 10-2
• Handling Incoming and Outgoing Messages Differently, page 10-3
• Matching Users to a Mail Policy, page 10-3
• Message Splintering, page 10-5
• Configuring Mail Policies, page 10-7

Overview of Mail Policies
The Email Security appliance enforces your organization's policies for messages sent to and from your users through the use of mail policies.
How to Enforce Mail Policies on a Per-User Basis

Step 1: Enable the content-scanning features that you want the Email Security appliance to use for incoming or outgoing messages.
Handling Incoming and Outgoing Messages Differently
The Email Security appliance uses two different sets of mail policies for message content security:
• Incoming mail policies apply to messages received from connections that match an ACCEPT HAT policy in any listener.
• Outgoing mail policies apply to messages received from connections that match a RELAY HAT policy in any listener.

Matching Users to a Mail Policy

First Match Wins
Each user (sender or recipient) is evaluated against each mail policy defined in the appropriate mail policy table in a top-down fashion. For each user, the first matching policy wins. If a user does not match any specific policy, the user automatically matches the default policy of the table. If a match is made based on a sender address, all remaining recipients of a message will match that policy.
• The message for recipient jane@newdomain.com will receive the anti-spam, anti-virus, outbreak filters, and content filters defined in policy #3.
• The message for recipient john@example.com will receive the settings defined in policy #5.
• Because the recipient bill@example.com does not match the engineering LDAP query, the message will receive the settings defined by the default policy.
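The first-match-wins rule and the splintering it produces, from the two passages above, can be modelled in a few lines, which is a useful sanity check before reordering a policy table. The following Python is an added example, not the appliance's code: the policy table mirrors the guide's scenario (a sender-based policy that captures all remaining recipients, two recipient-based policies, a default), and the LDAP group condition is stood in for by a static set. The policy names and recipients are constructed.

```python
"""First-match-wins policy lookup and message splintering.

Added example (not from the Cisco guide). POLICY_TABLE and
ENGINEERING_GROUP are constructed to mirror the guide's scenario; the
LDAP query is replaced by a static set for an offline demo.
"""
import re

ENGINEERING_GROUP = {"john@example.com"}  # stands in for the LDAP group query


def sender_match(pattern):
    return lambda sender, rcpt: re.search(pattern, sender) is not None


def recipient_match(pattern):
    return lambda sender, rcpt: re.search(pattern, rcpt) is not None


def recipient_in_group(group):
    return lambda sender, rcpt: rcpt in group


# Ordered table, evaluated top-down; the last entry is the default and matches
# everything. Each row: (name, what the match is based on, condition).
POLICY_TABLE = [
    ("policy #1 (sender ceo)", "sender", sender_match(r"^ceo@example\.com$")),
    ("policy #3 (newdomain)", "recipient", recipient_match(r"@newdomain\.com$")),
    ("policy #5 (engineering)", "recipient", recipient_in_group(ENGINEERING_GROUP)),
    ("default", "recipient", lambda s, r: True),
]


def splinter(sender, recipients, table=POLICY_TABLE):
    """Return {policy name: [recipients]} in evaluation order.

    Per recipient the first matching policy wins. When that policy is a
    sender-based match, it takes this recipient and all remaining ones and
    evaluation stops; otherwise recipients sharing a policy form one splinter."""
    groups = {}
    for idx, rcpt in enumerate(recipients):
        for name, basis, cond in table:
            if cond(sender, rcpt):
                if basis == "sender":
                    groups.setdefault(name, []).extend(recipients[idx:])
                    return groups
                groups.setdefault(name, []).append(rcpt)
                break
    return groups


if __name__ == "__main__":
    print(splinter("joe@example.net",
                   ["jane@newdomain.com", "john@example.com", "bill@example.com"]))
    print(splinter("ceo@example.com", ["jane@newdomain.com", "john@example.com"]))
```

Each key of the returned dict corresponds to one splintered message, which is also the number of copies the downstream engines will scan; a sender-based policy near the top of the table is what keeps that at one.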
Work Queue stages, with the CLI commands that configure each:
1. Message Filters (filters)
   Messages are splintered immediately after message filter processing but before anti-spam processing.
2. Anti-Spam (antispamconfig, antispamupdate)
3. Anti-Virus (antivirusconfig, antivirusupdate)
4. File Reputation and Analysis (Advanced Malware Protection) (ampconfig)
5. Content Filters (policyconfig -> filters)
6. Outbreak Filters (outbreakconfig, outbreakflush, outbreakstatus, outbreakupdate)
7. Data Loss Prevention (policyconfig)
Configuring Mail Policies
Mail policies map different user groups to specific security settings, such as Anti-Spam or Anti-Virus.

• (Optional) Define the delegated administrators who will be responsible for managing the mail policy. Delegated administrators can edit a policy's Anti-Spam, Anti-Virus, Advanced Malware Protection, and Outbreak Filters settings and enable or disable content filters for the policy. Only operators and administrators can modify a mail policy's name or its senders, recipients, or groups.

While defining senders and recipients for mail policies, keep in mind that:
• You must specify at least one sender and recipient.
• You can set the policy to match if:
  – The message is from any sender, one or more of the specified senders, or none of the specified senders.
  – The message is sent to any recipient, one or more of the specified recipients, or all of the specified recipients and none of the specified recipients.

Examples
The following table describes how conditions are set when you choose various options on the Add User page.

Note that the default policy will always be shown when you search for any user, because, by definition, if a sender or recipient does not match any other configured policy, it will always match the default policy.

Related Topics
• Managed Exceptions, page 10-11

Managed Exceptions
Using the steps shown in the two examples above, you can begin to create and configure policies on a managed exception basis.
CHAPTER 11 Content Filters
• Overview of Content Filters, page 11-1
• How Content Filters Work, page 11-1
• Filtering Messages Based on Content, page 11-16

Overview of Content Filters
Sometimes the Email Security appliance receives a message that should be given special treatment due to its content, whether it's because the content warrants quarantining for later examination, because corporate policy requires certain messages to be encrypted before delivery, or any number of reasons.
How Content Filters Work

Related Topics
• How to Scan Message Content Using a Content Filter, page 11-2
• Content Filter Conditions, page 11-2
• Content Filter Actions, page 11-9
• Action Variables, page 11-14

How to Scan Message Content Using a Content Filter
Step 1: (Optional) Define the supporting features for the content filter.
Multiple conditions may be defined for each filter. When multiple conditions are defined, you can choose whether the conditions are tied together as a logical OR ("Any of the following conditions...") or a logical AND ("All of the following conditions").

Table 11-1 Content Filter Conditions

Condition: (no conditions)
Description: Specifying conditions in content filters is optional. If no conditions are specified, a true rule is implied.

Condition: Message Body
Description: Contains text: Does the message body contain text that matches a specific pattern? Contains smart identifier: Does content in the message body match a smart identifier? Smart identifiers can detect the following patterns:
• Credit card numbers
• U.S.

Condition: Attachment Content
Description: Contains text. Does the message contain an attachment that contains text or another attachment that matches a specific pattern? This rule is similar to the body-contains() rule, but it attempts to avoid scanning the entire "body" of the message. That is, it attempts to scan only that which the user would view as being an attachment.

Condition: Attachment File Info
Description: Filename. Does the message have an attachment with a filename that matches a specific pattern? Filename contains term in content dictionary.

Condition: Subject Header
Description: Subject Header: Does the subject header match a certain pattern? Contains terms in content dictionary: Does the subject header contain any of the regular expressions or terms in the content dictionary? To search for dictionary terms, the dictionary must already have been created. See Content Dictionaries, page 21-2.

Condition: Envelope Sender
Description: Envelope Sender. Does the Envelope Sender (i.e., the Envelope From) match a given pattern? Matches LDAP group. Is the Envelope Sender (i.e., the Envelope From) in a given LDAP group? Contains term in content dictionary.

Condition: Remote IP
Description: Was the message sent from a remote host that matches a given IP address or IP block? The Remote IP rule tests to see if the IP address of the host that sent that message matches a certain pattern. This can be an Internet Protocol version 4 (IPv4) or version 6 (IPv6) address.
Only one final action may be defined per filter, and the final action must be the last action listed. Bounce, deliver, and drop are final actions. When entering actions for content filters, the GUI and CLI will force final actions to be placed last.

Table 11-2 Content Filter Actions

Action: Quarantine
Description: Quarantine. Flags the message to be held in one of the policy quarantine areas.

Action: Strip Attachment by File Info
Description: File name. Drops all attachments on messages that have a filename that matches the given regular expression. Archive file attachments (zip, tar) will be dropped if they contain a file that matches. File size. Drops all attachments on the message that, in raw encoded form, are equal to or greater than the size (in bytes) given.

Action: Send Copy (Bcc:)
Description: Email addresses. Copies the message anonymously to the specified recipients. Subject. Add a subject for the copied message. Return path (optional). Specify a return path. Alternate mail host (optional). Specify an alternate mail host.

Action: Notify
Description: Notify. Reports this message to the specified recipients. You can optionally notify the sender and recipients. Subject.

Action: Add/Edit Header
Description: Inserts a new header into the message or modifies an existing header. Header name. Name of new or existing header. Specify value of new header. Inserts a value for the new header into the message before delivering. Prepend to the Value of Existing Header. Prepends the value to the existing header before delivering. Append to the Value of Existing Header.

Action: Encrypt and Deliver Now (Final Action)
Description: Encrypts and delivers the message, skipping any further processing. Encryption rule: Always encrypts the message or only encrypts it if an attempt to send it over a TLS connection first fails. See Using a TLS Connection as an Alternative to Encryption, page 18-9 for more information. Encryption Profile.
Chapter 11 Content Filters Filtering Messages Based on Content
Table 11-3 Action Variables (continued)

Envelope Sender: $envelopefrom or $envelopesender. Replaced by the Envelope Sender (the Envelope From, that is, the SMTP MAIL FROM address) of the message.
Envelope Recipients: $EnvelopeRecipients. Replaced by all Envelope Recipients (the Envelope To, that is, the SMTP RCPT TO addresses) of the message.
File Names: $filenames. Replaced with a comma-separated list of the filenames of the message’s attachments.
Remote IP Address: $RemoteIP. Replaced by the IP address of the system that sent the message to the Email Security appliance.
Remote Host Address: $remotehost. Replaced by the hostname of the system that sent the message to the appliance.
SenderBase Reputation Score: $Reputation. Replaced by the SenderBase Reputation score of the sender.
Step 2 Click Add Filter.
Step 3 Enter a name and description for the filter.
Step 4 Click the Editable By (Roles) link, select the Policy Administrator and click OK. Delegated administrators who belong to the Policy Administrator user role will be able to edit this content filter and use it in their mail policies.
Step 5 (Optional) Add a condition for triggering the filter.
a. Click Add Condition.
b.
Step 2 Click the link for the Content Filters security service in the default policy row.
Step 3 On the Content Filtering security service page, change the value of Content Filtering for Default Policy from “Disable Content Filters” to “Enable Content Filters (Customize settings).” The content filters defined in the master list (which were created in Overview of Content Filters, page 11-1) are displayed on this page.
If you do not wish to use regular expressions, escape any of these characters with a backslash ('\'). For example: "\*Warning\*"
• You can test message splintering and content filters by creating “benign” content filters. For example, it is possible to create a content filter whose only action is “deliver.”
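As an added illustration of the escaping rule above (this is not code from the guide or from AsyncOS), the Python script below shows what goes wrong when a pattern is not escaped and how the final-action ordering rule from Table 11-2 can be checked. Python's re module stands in for the appliance's regular expression engine; the metacharacters behave the same for these cases. The Message class, the sample subjects and the action names are this example's own.

```python
"""Content-filter pattern matching and action ordering (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Per Table 11-2, these actions end processing: at most one per filter, and it must be last.
FINAL_ACTIONS = {"bounce", "deliver", "drop"}


@dataclass
class Message:
    """The handful of message attributes the conditions below look at (example type)."""
    subject: str
    envelope_sender: str
    attachment_names: List[str] = field(default_factory=list)


def literal(term: str) -> str:
    """Escape regex metacharacters so TERM matches only itself.

    The guide's own example: "*Warning*" becomes "\\*Warning\\*".
    """
    return re.escape(term)


def compile_pattern(pattern: str) -> Optional[re.Pattern]:
    """Compile PATTERN case-insensitively; return None for a syntactically invalid
    pattern (an unescaped leading '*', for instance, has nothing to repeat)."""
    try:
        return re.compile(pattern, re.IGNORECASE)
    except re.error:
        return None


def subject_matches(msg: Message, pattern: str) -> bool:
    """Condition "Subject Header: matches pattern"."""
    rx = compile_pattern(pattern)
    return rx is not None and rx.search(msg.subject) is not None


def attachment_name_matches(msg: Message, pattern: str) -> bool:
    """Condition "Attachment File Info: Filename matches pattern"."""
    rx = compile_pattern(pattern)
    return rx is not None and any(rx.search(name) for name in msg.attachment_names)


def contains_dictionary_term(text: str, dictionary: List[str]) -> List[str]:
    """Condition "contains term in content dictionary": each entry is a regular
    expression, so literal terms must go through literal() before they are stored."""
    hits = []
    for term in dictionary:
        rx = compile_pattern(term)
        if rx is not None and rx.search(text):
            hits.append(term)
    return hits


def actions_are_ordered(actions: List[str]) -> bool:
    """What the GUI and CLI enforce: at most one final action, and it comes last."""
    finals = [a for a in actions if a in FINAL_ACTIONS]
    if len(finals) > 1:
        return False
    return not finals or actions[-1] in FINAL_ACTIONS


if __name__ == "__main__":
    m = Message("Hello team", "alice@example.com", ["report.pdf", "setup.exe"])
    # Unescaped, "[Suspected Spam]" is a character class and matches the 'e' in "Hello".
    print(subject_matches(m, "[Suspected Spam]"))              # True (false positive)
    print(subject_matches(m, literal("[Suspected Spam]")))     # False
    print(attachment_name_matches(m, r"\.exe$"))               # True
    print(actions_are_ordered(["add_header", "notify", "drop"]))  # True
```

The false positive is the one to remember: a bracketed tag such as “[Suspected Spam]” entered without escaping matches almost every subject, so a filter meant to catch tagged messages fires on nearly all mail.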
You can mix and match multiple character sets within a single content filter. Refer to your web browser’s documentation for help displaying and entering text in multiple character encodings. Most browsers can render multiple character sets simultaneously.
CHAPTER 12 Anti-Virus
• Anti-Virus Scanning Overview, page 12-1
• Sophos Anti-Virus Filtering, page 12-2
• McAfee Anti-Virus Filtering, page 12-5
• How to Configure the Appliance to Scan for Viruses, page 12-6
• Sending an Email to the Appliance to Test Anti-Virus Scanning, page 12-16
• Updating Virus Definitions, page 12-18
Anti-Virus Scanning Overview
The Cisco appliance includes integrated virus scanning engines from third party companies Sophos and McAfee.
Chapter 12 Anti-Virus Sophos Anti-Virus Filtering
Evaluation Key
Your Cisco appliance ships with a 30-day evaluation key for each available anti-virus scanning engine. You enable the evaluation key by accessing the license agreement in the System Setup Wizard or the Security Services > Sophos/McAfee Anti-Virus pages (in the GUI), or by running the antivirusconfig or systemsetup commands (in the CLI).
Virus Detection Engine
The Sophos virus detection engine lies at the heart of the Sophos Anti-Virus technology. It uses a proprietary architecture similar to Microsoft’s COM (Component Object Model), consisting of a number of objects with well-defined interfaces. The modular filing system used by the engine is based on separate, self-contained dynamic libraries, each handling a different “storage class,” for example, file type.
Heuristics
The virus engine can combine basic pattern matching techniques with heuristics (a technique using general rather than specific rules) to detect several viruses in the same family, even though Sophos researchers might have analyzed only one virus in that family. The technique enables a single description to be created that will catch several variants of one virus.
Chapter 12 Anti-Virus McAfee Anti-Virus Filtering
configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies > Incoming or Outgoing Mail Policies pages (GUI) or the policyconfig -> antivirus command (CLI). For more information on configuring these settings, see Configuring Virus Scanning Actions for Users, page 12-7.
McAfee Anti-Virus Filtering
The McAfee® scanning engine:
• Scans files by pattern-matching virus signatures with data from your files.
Chapter 12 Anti-Virus How to Configure the Appliance to Scan for Viruses Programs, documents or email messages that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or use other means to replicate themselves. The engine analyzes the program code to detect these kinds of computer instructions.
Enabling Virus Scanning and Configuring Global Settings
You may have enabled a virus scanning engine when you ran the System Setup Wizard. Regardless, configure settings using this procedure.
Note Depending on your feature keys, you can enable Sophos, McAfee, or both.
Procedure
Step 1 Navigate to the Security Services > McAfee page, or navigate to the Security Services > Sophos page.
Step 2 Click Enable.
Message Scanning Settings
• Scan for Viruses Only: Messages processed by the system are scanned for viruses. Repairs are not attempted for infected attachments. You can choose whether to drop attachments and deliver mail for messages that contain viruses or could not be repaired.
• Scan and Repair Viruses: Messages processed by the system are scanned for viruses.
Repaired Message Handling
Messages are considered repaired if the message was completely scanned and all viruses have been repaired or removed. These messages will be delivered as is.
Encrypted Message Handling
Messages are considered encrypted if the engine is unable to finish the scan due to an encrypted or protected field in the message. Messages that are marked encrypted may also be repaired.
Action to Apply
Choose which overall action to take on each message type for encrypted, unscannable, or virus positive messages: drop the message, deliver the message as an attachment to a new message, deliver the message as is, or send the message to the anti-virus quarantine area (Quarantines and Anti-Virus Scanning, page 12-10).
The default text is:
Table 12-2 Default Subject Line Text for Anti-Virus Subject Line Modification
Verdict: Encrypted. Default text to add to subject: [WARNING: MESSAGE ENCRYPTED]
Verdict: Infected. Default text to add to subject: [WARNING: VIRUS DETECTED]
Verdict: Repaired. Default text to add to subject: [WARNING: VIRUS REMOVED]
Verdict: Unscannable. Default text to add to subject: [WARNING: A/V UNSCANNABLE]
Any message with multiple states causes a multi-part notification message informing users what actions the appliance performed on the message
Modify message recipient
You can modify the message recipient, causing the message to be delivered to a different address. Click Yes and enter the new recipient address.
Send message to alternate destination host
You can choose to send the notification to a different recipient or destination host for encrypted, unscannable, or virus infected messages. Click Yes and enter an alternate address or host.
Figure 12-1 Options for Handling Messages Scanned for Viruses (diagram: Internet mail arrives over SMTP through the firewall at the IronPort Email Security appliance with Anti-Virus scanning enabled. The possible outcomes are: scanned, virus found and repaired; scanned, virus found, attachment dropped; scanned, virus found but unable to clean; could not scan: unscannable; could not scan: encrypted; scanned, no virus found. The figure labels each outcome as either “the message is known clean” or “the message could be infected.”)
You enable anti-virus actions on a per-recipient basis using Incoming or Outgoing Mail Policies. You can configure mail policies in the GUI or in the CLI using the policyconfig > antivirus command. After you enable anti-virus settings globally, you configure these actions separately for each mail policy you create. You can configure different actions for different mail policies.
Table 12-4 lists some common Anti-Virus configuration options.
Table 12-4 Common Anti-Virus Configuration Options
Situation: Widespread Virus Outbreak
Anti-Virus Configuration: Drop-attachments: NO; Scanning: Scan-Only; Cleaned messages: Deliver
Description: Any viral message is simply dropped from the system with little other processing taking place.
Chapter 12 Anti-Virus Sending an Email to the Appliance to Test Anti-Virus Scanning
Figure 12-2 Flow Diagram for Anti-Virus Actions
Note If you configure multi-layer anti-virus scanning, the Cisco appliance performs virus scanning with the McAfee engine first and the Sophos engine second. It scans messages using both engines, unless the McAfee engine detects a virus. If the McAfee engine detects a virus, the Cisco appliance performs the anti-virus actions (repairing, quarantining, etc.
Step 2 Open a standard text editor, then type the following character string as one line, with no spaces or line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Note The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any line breaks. Also, be sure to type the letter O, not the number 0, in the “X5O...
Chapter 12 Anti-Virus Updating Virus Definitions
Confirm that the actions taken match your configuration for Repaired Message Handling (the settings in Repaired Message Handling, page 12-9). For more information on obtaining virus files for testing anti-virus scanning, see: http://www.eicar.org/anti_virus_test_file.htm This page provides 4 files for downloading. Note that it may be difficult to download and extract these files if you have client-side virus scanning software installed.
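The procedure above is easy to get wrong by hand (a wrapped line, a trailing newline, a digit 0 for the letter O), and the downloaded files are often removed by a client-side scanner before they reach the mail client. As an added example (not code from the guide or from AsyncOS), the Python below builds the test message in memory with the 68-byte string attached, sends it to the appliance's listener if asked, and parses a copy of the message back to confirm the attachment is present and intact, which is the check to repeat on the delivered message to see whether the appliance dropped or altered the attachment. The sender and recipient addresses and the appliance hostname are placeholders.

```python
"""Build, send and verify the EICAR anti-virus test message (added example)."""
import smtplib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import Optional

# The 68-character test string, typed as one line; a raw string keeps the backslash literal.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the test file content after checking it is one 68-byte line with no line breaks."""
    data = EICAR.encode("ascii")
    if len(data) != 68 or b"\n" in data or b"\r" in data:
        raise ValueError("EICAR string is damaged: check for line breaks and the letter O vs digit 0")
    return data


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Attach the test file in memory (placeholder addresses). Nothing is written to disk,
    so a client-side scanner does not get a chance to remove the file before it is sent."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Anti-virus scanning test"
    msg.set_content("This message carries the EICAR test file as an attachment.")
    msg.add_attachment(eicar_bytes(), maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg


def attached_test_file(raw: bytes) -> Optional[bytes]:
    """Parse an RFC 822 message and return the decoded eicar.com payload, or None if the
    attachment is missing (for example because the appliance dropped it)."""
    parsed = message_from_bytes(raw, policy=default)
    for part in parsed.iter_attachments():
        if part.get_filename() == "eicar.com":
            return part.get_payload(decode=True)
    return None


def send_to_appliance(msg: EmailMessage, appliance_host: str, port: int = 25) -> None:
    """Hand the message to the appliance's listener over SMTP (not exercised offline)."""
    with smtplib.SMTP(appliance_host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    message = build_test_message("tester@example.com", "recipient@example.com")
    raw = message.as_bytes()
    # True before the appliance scans it; run the same check on the delivered copy.
    print(attached_test_file(raw) == eicar_bytes())
```

When the delivered copy comes back with the attachment missing and the subject tagged [WARNING: VIRUS REMOVED] or [WARNING: VIRUS DETECTED], the policy's infected-message action is in effect; a copy that still contains the 68 bytes means scanning is not applied to that mail policy or listener.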
Related Topics
• Manually Updating Anti-Virus Engines using the GUI, page 12-19
• Manually Updating Anti-Virus Engines using the CLI, page 12-19
Manually Updating Anti-Virus Engines using the GUI
Procedure
Step 1 Navigate to the Security Services > Sophos or McAfee Anti-Virus page.
Step 2 Click Update Now in the Current McAfee/Sophos Anti-Virus Files table. The appliance checks for and downloads the latest updates.
Verifying Anti-Virus Files Have Updated on the Appliance
You can view the Updater Logs to verify whether or not the anti-virus files have been successfully downloaded, extracted, or updated. Use the tail command to show the final entries in the Updater log subscription to ensure that virus updates were obtained.
CHAPTER 13 Anti-Spam
• Overview of Anti-Spam Scanning, page 13-1
• How to Configure the Appliance to Scan Messages for Spam, page 13-2
• IronPort Anti-Spam Filtering, page 13-3
• Cisco Intelligent Multi-Scan Filtering, page 13-6
• Defining Anti-Spam Policies, page 13-7
• Protecting Appliance-Generated Messages From the Spam Filter, page 13-14
• Headers Added During Anti-Spam Scanning, page 13-14
• Reporting Incorrectly Classified Messages to Cisco Systems, page 13-15
• Determining Se
Chapter 13 Anti-Spam How to Configure the Appliance to Scan Messages for Spam of users. You can also treat positively identified spam differently from suspected spam in the same policy. For example, you may want to drop messages positively identified as spam, but quarantine suspected spam messages. For each mail policy, you can specify thresholds for some of the categories, and determine the action to take for each category.
Chapter 13 Anti-Spam IronPort Anti-Spam Filtering
Step 6 (Recommended) Enable SenderBase Reputation Service scoring for each inbound mail flow policy, even if you are not rejecting connections based on SenderBase Reputation Scores.
More Info: For each inbound mail flow policy, ensure that “Use SenderBase for Flow Control” is On. See Defining Rules for Incoming Messages Using a Mail Flow Policy, page 7-15.
Cisco Anti-Spam: an Overview
IronPort Anti-Spam addresses a full range of known threats including spam, phishing and zombie attacks, as well as hard-to-detect low volume, short-lived email threats such as “419” scams. In addition, IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks distributing malicious content through a download URL or an executable.
Configuring IronPort Anti-Spam Scanning
Note When IronPort Anti-Spam is enabled during system setup, it is enabled for the default incoming mail policy with the default values for the global settings.
Before You Begin
• Determine whether you will use regional scanning. See Spam Scanning for International Regions, page 13-4.
Procedure
Step 1 Select Security Services > IronPort Anti-Spam.
Chapter 13 Anti-Spam Cisco Intelligent Multi-Scan Filtering
Step 6
Option: Timeout for Scanning Single Message. Enter the number of seconds to wait for timeout when scanning a message. Enter an integer from 1 to 120. The default value is 60 seconds.
Option: Regional Scanning. Enable or disable regional scanning and, if applicable, select a region. Enable this feature only if you receive the bulk of your email from the specified region.
Chapter 13 Anti-Spam Defining Anti-Spam Policies
Configuring Cisco Intelligent Multi-Scan
Note When Cisco Intelligent Multi-Scan is enabled during system setup, it is enabled for the default incoming mail policy with the default values for the global settings.
Before You Begin
Activate the feature key for this feature. See Feature Keys, page 33-5. You will see the IronPort Intelligent Multi-Scan option only if you have done so.
Before You Begin
• Complete all steps to this point in the table in How to Configure the Appliance to Scan Messages for Spam, page 13-2.
Option: (Optional) Send to Alternate Host. You can send identified messages to an alternate destination mailhost (an email server other than the ones listed in SMTP Routes or DNS). Enter an IP address or hostname. If you enter a hostname, its Mail Exchange (MX) record will be queried first. If none exists, the A record on the DNS server will be used (as with SMTP Routes).
What To Do Next
If you enabled anti-spam scanning for outgoing mail, check the anti-spam settings of the relevant host access table, especially for a private listener. See Defining Access Rules for Email Senders Using Mail Flow Policies, page 7-8.
Configuration Examples: Actions for Positively Identified versus Suspected Spam
Positively identified spam. Sample actions (aggressive): Drop. Sample actions (conservative): Deliver with “[Positive Spam]” added to the subject of messages, or Quarantine.
Suspected spam. Sample actions (aggressive): Deliver with “[Suspected Spam]” added to the subject of messages. Sample actions (conservative): Deliver with “[Suspected Spam]” added to the subject of messages.
The aggressive example tags only suspected spam messages
c. In the Suspected Spam Settings section, enable suspected spam scanning.
d. Click Advanced to display the Add Custom Header option.
e. Add a custom header such as url_redirect.
f. Submit and commit your changes.
Step 2 Create a content filter to redirect URLs in messages that have the custom header:
a. Select Mail Policies > Incoming Content Filters.
b. Click Add Filter.
c. Name the filter url_redirect.
d. Click Add Condition.
e.
After the system is set up, you can configure the anti-spam scanning solution for incoming mail policies via the Mail Policies > Incoming Mail Policies page. (Anti-spam scanning is typically disabled for outgoing mail policies.) You can even disable anti-spam scanning for a policy. In this example, the default mail policy and the “Partners” policy are using the Cisco Anti-Spam scanning engine to quarantine positive and suspected spam.
Chapter 13 Anti-Spam Protecting Appliance-Generated Messages From the Spam Filter
After submitting and committing the changes, the mail policy looks like this:
Figure 13-3 Mail Policies - Intelligent Multi-Scan Enabled in Policy
Protecting Appliance-Generated Messages From the Spam Filter
Because automated email messages that are sent from the Cisco IronPort appliance (such as email alerts and scheduled reports) may contain URLs or other information that may cause them to be incorrectly identified as spam
Chapter 13 Anti-Spam Reporting Incorrectly Classified Messages to Cisco Systems
Reporting Incorrectly Classified Messages to Cisco Systems
Messages that appear to be incorrectly classified may be reported to Cisco for analysis. Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product. Each message should be forwarded as an RFC 822 attachment to the following addresses:
• spam@access.ironport.com - for reporting missed spam
• ham@access.
Chapter 13 Anti-Spam Determining Sender IP Address In Deployments with Incoming Relays
Figure 13-4 Mail Relayed by MX/MTA — Simple (diagram: Sending Machine, IP 7.8.9.1 -> Firewall -> MX / MTA, IP 10.2.3.4 -> Cisco IronPort Email Security appliance, IP 10.2.3.5)
Figure 13-5 shows two other, slightly more complicated examples of how mail may be relayed inside the network and how mail may be processed by several servers within the network before it is passed to the Cisco appliance. In example A, mail from 7.8.9.
Configuring the Appliance to Work with Incoming Relays
Related Topics
• Enabling the Incoming Relays Feature, page 13-17
• Adding an Incoming Relay, page 13-17
• Message Headers for Relayed Messages, page 13-18
Enabling the Incoming Relays Feature
Note You should only enable the incoming relays feature if a local MX/MTA relays mail to your Cisco appliance.
Procedure
Step 1 Select Network > Incoming Relays.
Step 4 Enter the IP address of the MTA, MX, or other machine that connects to the Email Security appliance to relay incoming messages. You can use IPv4 or IPv6 addresses, standard CIDR format, or an IP address range. For example, if you have several MTAs at the edge of your network receiving email, you might want to enter a range of IP addresses to include all of your MTAs, such as 10.2.3.1/8 or 10.2.3.1-10. (Note that a /8 prefix covers the whole 10.0.0.0/8 network; every host in that range would then be treated as a trusted relay, so use the narrowest prefix or range that still covers your MTAs.)
• Received Header, page 13-19
Custom Header
Using custom headers is the recommended method of identifying original senders. The machine connecting to the original sender needs to add this custom header. The value of the header is expected to be the IP address of the external sending machine. For example:
SenderIP: 7.8.9.1
X-CustomHeader: 7.8.9.
network. If incoming mail can take different paths (resulting in a different number of hops, as described in Figure 13-6) to the machine connecting to your Cisco appliance, you must use a custom header (see Custom Header, page 13-19). Specify a parsing character or string and the number of network hops (or Received: headers) back to look.
Table 13-1 A Series of Received: Headers (Path A Example 1) (continued)
4 Received: from sending-machine.spamham.com (sending-machine.spamham.com [7.8.9.1]) by mx.customerdomain.org (Postfix) with ESMTP id 4F3DA15AC22 for
5 Received: from linux1.thespammer.com (HELO linux1.thespammer.com) ([10.1.1.89]) by sending-machine.spamham.com with ESMTP;
Received: from exchange1.thespammer.
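As an added example (not code from the guide or from AsyncOS), the Python below implements both identification methods described above on a constructed header block modelled on Table 13-1: the custom-header method, where the relay stamps the connecting client's address in a header such as SenderIP, and the Received-header method with a parse string and a hop count. The hop-counting convention (hop 1 is the topmost Received: header, the one added by the machine closest to the appliance) is this example's assumption; confirm the appliance's own counting against Trace results before relying on it. The security point the script makes explicit: everything below the headers your own relay adds was written by the sender and can be forged, so only the topmost instance of the custom header is trusted, and a hop count that reaches past your own MTAs reads attacker-controlled data.

```python
"""Recover the original sender's IP behind an incoming relay (added example)."""
import re
from typing import List, Optional

# A dotted quad not embedded in a longer dotted/numeric run.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def header_values(raw_headers: str, name: str) -> List[str]:
    """Return the values of every header called NAME, topmost first, after unfolding
    continuation lines (a line that starts with space or tab continues the previous one)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith(prefix)]


def ip_from_custom_header(raw_headers: str, name: str) -> Optional[str]:
    """The recommended method: the relay writes the connecting client's address into a
    custom header. Only the topmost instance is used; a copy supplied by the sender sits
    below the relay's own headers and is ignored."""
    values = header_values(raw_headers, name)
    if not values:
        return None
    m = IPV4.fullmatch(values[0])
    return m.group(1) if m else None


def ip_from_received(raw_headers: str, parse_after: str, hops: int) -> Optional[str]:
    """The Received-header method: count HOPS Received: headers back from the top and take
    the first IPv4 address that follows PARSE_AFTER (for example "[") in that header.
    Hop 1 is the topmost header (this example's convention). Returns None when the hop
    count runs past the available headers or the parse string is absent."""
    received = header_values(raw_headers, "Received")
    if hops < 1 or hops > len(received):
        return None
    target = received[hops - 1]
    start = target.find(parse_after)
    if start < 0:
        return None
    m = IPV4.search(target, start + len(parse_after))
    return m.group(1) if m else None


# Constructed header block modelled on Table 13-1: one internal hop above the header the
# customer's MX added when it accepted the message from 7.8.9.1. The MX also stamped
# SenderIP; the second SenderIP line further down was planted by the sender.
SAMPLE_HEADERS = (
    "Received: from mx.customerdomain.org ([10.2.3.4])\r\n"
    "\tby mta.customerdomain.org with ESMTP; Fri, 28 Apr 2006 17:07:35 -0700\r\n"
    "SenderIP: 7.8.9.1\r\n"
    "Received: from sending-machine.spamham.com (sending-machine.spamham.com [7.8.9.1])\r\n"
    "\tby mx.customerdomain.org (Postfix) with ESMTP id 4F3DA15AC22\r\n"
    "Received: from linux1.thespammer.com (HELO linux1.thespammer.com) ([10.1.1.89])\r\n"
    "\tby sending-machine.spamham.com with ESMTP;\r\n"
    "SenderIP: 1.2.3.4\r\n"
    "Subject: test\r\n"
)

if __name__ == "__main__":
    print(ip_from_custom_header(SAMPLE_HEADERS, "SenderIP"))   # 7.8.9.1
    print(ip_from_received(SAMPLE_HEADERS, "[", 2))            # 7.8.9.1
    print(ip_from_received(SAMPLE_HEADERS, "[", 3))            # 10.1.1.89 (forgeable)
```

The third call shows why the guide prefers the custom header: hop 3 in this block is a Received: line the sender wrote, and a wrong hop count silently returns whatever address the sender chose to put there. The relay should also overwrite or strip any instance of the custom header that arrives from outside, so that the topmost copy is always its own.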
Figure 13-7 A Configured Incoming Relay with Received Header
Related Topics
• Adding an Incoming Relay, page 13-17
How Incoming Relays Affect Functionality
• Incoming Relays and Filters, page 13-22
• Incoming Relays, HAT, SBRS, and Sender Groups, page 13-22
• Incoming Relays and Directory Harvest Attack Prevention, page 13-22
• Incoming Relays and Trace, page 13-22
• Incoming Relays and Email Security Moni
mail from the attacking host. To work around this issue and continue receiving messages from the incoming relay, add the relay to a sender group with a mail flow policy that has unlimited messages for DHAP.
Incoming Relays and Trace
Trace returns the Incoming Relay’s SenderBase Reputation Score in its results instead of the reputation score for the source IP address.
Chapter 13 Anti-Spam Monitoring Rules Updates
12 Fri Apr 28 17:07:35 2006 Info: MID 201434 antivirus negative
13 Fri Apr 28 17:07:35 2006 Info: MID 201434 queued for delivery
Incoming Relays and Mail Logs
The following example shows a typical log entry containing Incoming Relay information:
Wed Aug 17 11:20:41 2005 Info: MID 58298 IncomingRelay(myrelay): Header Received found, IP 192.168.230.
Chapter 13 Anti-Spam Testing Anti-Spam
Testing Anti-Spam
To Do This: Test your configuration. For testing purposes, Cisco Anti-Spam considers any message with an X-header formatted as X-Advertisement: spam to be spam. The test message you send with this header is flagged by Cisco Anti-Spam, and you can confirm that the actions you configured for the mail policy (Defining Anti-Spam Policies, page 13-7) are performed. Use this header with one of the following:
Related Topics
• Testing Anti-Spam Configuration: Example Using SMTP, page 13-25
Testing Anti-Spam Configuration: Example Using SMTP
For this example, the mail policy must be configured to receive messages for the test address and the HAT must accept the test connection.
# telnet IP_address_of_IronPort_Appliance_with_IronPort_Anti-Spam port
220 hostname ESMTP
helo example.com
250 hostname
mail from:
250 sender
Removing the “easy spam” using SBRS, blacklists, message filters, etc. will result in a lower overall catch rate percentage.
• Resending spam caught by another anti-spam vendor.
• Testing older messages. The scanning engine adds and removes rules rapidly based on current threats. Testing using old messages will therefore lead to inaccurate test results.
CHAPTER 14 Outbreak Filters
• Overview of Outbreak Filters, page 14-1
• How Outbreak Filters Work, page 14-2
• How the Outbreak Filters Feature Works, page 14-8
• Managing Outbreak Filters, page 14-11
• Monitoring Outbreak Filters, page 14-23
• Troubleshooting The Outbreak Filters Feature, page 14-24
Overview of Outbreak Filters
Outbreak Filters protects your network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they o
Chapter 14 Outbreak Filters How Outbreak Filters Work
How Outbreak Filters Work
Related Topics
• Delaying, Redirecting, and Modifying Messages, page 14-2
• Threat Categories, page 14-2
• Cisco Security Intelligence Operations, page 14-3
• Context Adaptive Scanning Engine, page 14-4
• Delaying Messages, page 14-4
• Redirecting URLs, page 14-5
• Modifying Messages, page 14-6
• Types of Rules: Adaptive and Outbreak, page 14-6
• Outbreaks, page 14-7
• Threat Levels, page 14-7
Delaying, Re
Related Topics
• Virus Outbreaks, page 14-3
• Phishing, Malware Distribution, and Other Non-Viral Threats, page 14-3
Virus Outbreaks
The Outbreak Filters feature provides you with a head start when battling virus outbreaks. An outbreak occurs when messages with attachments containing never-before-seen viruses or variants of existing viruses spread quickly through private networks and the Internet.
SIO compares real-time data from the global SenderBase network to common traffic patterns to identify anomalies that are proven predictors of an outbreak. TOC reviews the data and issues a threat level of the possible outbreak. Cisco Email Security appliances download updated threat levels and Outbreak Rules and use them to scan incoming and outgoing messages, as well as messages already in the Outbreak quarantine.
See Dynamic Quarantine, page 14-10 for more information on how Outbreak Filters quarantine suspicious messages.
Redirecting URLs
When CASE scans a message at the Outbreak Filters stage, it searches for URLs in the message body in addition to other suspicious content. CASE uses published Outbreak Rules to evaluate whether the message is a threat and then scores the message with the appropriate threat level.
Tip To redirect all URLs in suspected spam messages to the Cisco Web Security proxy service, see Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example, page 13-11.
Modifying Messages
The Outbreak Filters feature modifies the message body of a non-viral threat message not only to rewrite the URLs but to alert the user that the message is a suspected threat.
• File Name & Sophos IDE
Adaptive Rules
Adaptive Rules are a set of rules within CASE that accurately compare message attributes to attributes of known virus outbreak messages. These rules have been created after studying known threat messages and known good messages within an extensive virus corpus. Adaptive Rules are updated often as the corpus is evaluated. They complement existing Outbreak Rules to detect outbreak messages at all times.
Chapter 14 Outbreak Filters How the Outbreak Filters Feature Works
Related Topics
• Guidelines for Setting Your Quarantine Threat Level Threshold, page 14-8
• Containers: Specific and Always Rules, page 14-8
Guidelines for Setting Your Quarantine Threat Level Threshold
The quarantine threat level threshold allows administrators to be more or less aggressive in quarantining suspicious messages.
Note Messages that skip anti-spam and anti-virus scanning due to filters or the engines being disabled will still be scanned by Outbreak Filters.
Dynamic Quarantine
The Outbreak Filters feature’s Outbreak quarantine is a temporary holding area used to store messages until they’re confirmed to be threats or it’s safe to deliver them to users. (See Outbreak Lifecycle and Rules Publishing, page 14-11 for more information.) Quarantined messages can be released from the Outbreak quarantine in several ways.
Chapter 14 Outbreak Filters Managing Outbreak Filters
Outbreak Lifecycle and Rules Publishing
Very early in a virus outbreak’s life cycle, broader rules are used to quarantine messages. As more information becomes available, increasingly focused rules are published, narrowing the definition of what is quarantined.
Figure 14-2 Outbreak Filters Main Page
The Outbreak Filters page shows two sections: the Outbreak Filters Overview and a listing of current Outbreak Filter Rules (if any). In Figure 14-2, Outbreak Filters are enabled, Adaptive Scanning is enabled, and the maximum message size is set to 512k.
Figure 14-3 Outbreak Filters Global Settings Page
Use this page to:
• Enable Outbreak Filters globally
• Enable Adaptive Rules scanning
• Set a maximum size for files to scan (note that you are entering the size in bytes)
• Enable alerts for the Outbreak Filter
Note that alerts and Adaptive Rules are not enabled by default. This functionality is also available via the outbreakconfig CLI command (see the Cisco AsyncOS CLI Reference Guide).
Enabling Alerts for Outbreak Filters
Check the box labeled “Emailed Alerts” to enable alerting for the Outbreak Filters feature. Enabling emailed alerts for Outbreak Filters merely enables the alerting engine to send alerts regarding Outbreak Filters. Specifying which alerts are sent and to which email addresses is configured via the Alerts page in the System Administration tab.
Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
[]>
Outbreak Filters Rules
Outbreak Rules are published by the Cisco Security Intelligence Operations and your appliance checks for and downloads new outbreak rules every 5 minutes. You can change this update interval. See Configuring Server Settings for Downloading Upgrades and Updates, page 33-21 for more information.
Chapter 14 Outbreak Filters Managing Outbreak Filters Figure 14-4 Mail Policy Listing To modify the Outbreak Filters feature settings for a specific mail policy, click the link in the Outbreak Filters column of the policy to change. Figure 14-5 Outbreak Filters Settings and Mail Policies AsyncOS 9.1.
Chapter 14 Outbreak Filters Managing Outbreak Filters To enable and customize the Outbreak Filters feature for a particular mail policy, select Enable Outbreak Filtering (Customize Settings).
Chapter 14 Outbreak Filters Managing Outbreak Filters Note You cannot quarantine non-viral threats unless you enable Message Modification for the policy. CASE recommends a quarantine retention period when assigning the threat level to the message. The Email Security appliance keeps the message quarantined for the length of time that CASE recommends unless it exceeds the maximum quarantine retention time for its threat type.
Chapter 14 Outbreak Filters Managing Outbreak Filters Message Modification Threat Level Select a Message Modification Threat Level threshold from the list. This setting determines whether to modify a message based on the threat level returned by CASE. A smaller number means that you will be modifying more messages, while a larger number results in fewer messages being modified. Cisco recommends the default value of 3.
Chapter 14 Outbreak Filters Managing Outbreak Filters In the Alternate Destination Mail Host field, enter the IP address (IPv4 or IPv6) or the FQDN of the appliance where you want to send the processed messages for further scans. URL Rewriting and Bypassing Domains If the message’s threat level exceeds the message modification threshold, the Outbreak Filters feature rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if they click on any of them.
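The URL rewriting described above, as an added illustration that is not AsyncOS code and not taken from this guide: every URL in a message body is redirected through a proxy splash page once the threat level exceeds the Message Modification threshold, while URLs on bypass domains are left alone. The splash-page address, the comparison of threat level against threshold (the guide says "exceeds", read here as strictly greater), the URL pattern and the sample message are all assumptions made for this example.

```python
import re
from urllib.parse import quote, urlsplit

# Assumed splash-page endpoint; the real Cisco web security proxy address is not given on this page.
PROXY_SPLASH = "https://proxy.example.invalid/splash?url="

# Absolute http(s) URLs and bare "www." hosts in a plain-text body (constructed, deliberately simple).
URL_RE = re.compile(r'\b(?:https?://|www\.)[^\s<>"\')]+', re.IGNORECASE)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL without the port; a bare www. URL is given an http scheme first."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_bypassed(host: str, bypass_domains) -> bool:
    """True if the host is a bypass domain or a subdomain of one (comparison is case-insensitive)."""
    return any(host == d or host.endswith("." + d)
               for d in (b.lower().strip() for b in bypass_domains))


def rewrite_urls(body: str, threat_level: int, threshold: int, bypass_domains=()) -> str:
    """Return the body with every non-bypassed URL redirected through the proxy splash page
    when threat_level exceeds threshold ("exceeds" read as strictly greater); otherwise unchanged."""
    if threat_level <= threshold:
        return body

    def redirect(match: re.Match) -> str:
        url = match.group(0)
        if is_bypassed(host_of(url), bypass_domains):
            return url
        # Percent-encode the whole original URL so it survives as a single query value.
        return PROXY_SPLASH + quote(url, safe="")

    return URL_RE.sub(redirect, body)


# Constructed sample message body and bypass list.
SAMPLE_BODY = (
    "Your invoice is ready: http://invoice-update.example.net/login\n"
    "Policy reference: https://intranet.corp.example/policies\n"
    "Also see www.Corp.Example/faq"
)
BYPASS = ("corp.example",)

if __name__ == "__main__":
    print(rewrite_urls(SAMPLE_BODY, threat_level=4, threshold=3, bypass_domains=BYPASS))
```

The bypass check matches subdomains as well as the listed domain itself, so a single entry such as corp.example keeps intranet links intact; a message whose threat level does not exceed the threshold is returned byte-for-byte unchanged.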
The Outbreak Filters Feature and the Outbreak Quarantine

Messages quarantined by the Outbreak Filters feature are sent to the Outbreak quarantine.

Note You can use the Outbreak Filters feature without having enabled anti-virus scanning on the appliance. However, Outbreak Filters cannot scan for non-viral threats if anti-spam scanning is not enabled on the appliance.

Outbreak Quarantine and the Manage by Rule Summary View

You can view the contents of the Outbreak quarantine by clicking on the name of the quarantine in the listing on the Monitor menu in the GUI.

Monitoring Outbreak Filters

The appliance includes several tools to monitor the performance and activity of the Outbreak Filters feature.

AsyncOS also generates alerts when rules are published, the threshold changes, or when a problem occurs while updating rules or the CASE engine.

Troubleshooting The Outbreak Filters Feature

This section provides some basic troubleshooting tips for the Outbreak Filters feature.
CHAPTER 15 URL Filtering

• Overview of URL Filtering, page 15-1
• Setting Up URL Filtering, page 15-2
• Taking Action Based on the Reputation or Category of URLs in Messages, page 15-7
• Monitoring URL Filtering Results, page 15-10
• Troubleshooting URL Filtering, page 15-10
• About URL Categories, page 15-13

Overview of URL Filtering

URL filtering uses the reputation and category of URL links in messages to:
• Increase the effectiveness of protection from malicious URLs in messages URL

Setting Up URL Filtering

• http, https, or www
• domain or IP address
• port number preceded by a colon (:)
• uppercase or lowercase letters

When evaluating URLs to determine whether a message is spam, if necessary for load management, the system prioritizes screening of incoming messages over outgoing messages.

Step 2 Click Enable.
Step 3 Select the Enable URL Category and Reputation Filters check box.
Step 4 (Optional) If you have created a list of URLs to exempt from URL filtering when evaluating messages for spam and malware, and from all content and message filtering, select that list. This setting does not cause the message to bypass anti-spam or Outbreak Filters processing generally.
Step 5 Submit and commit your changes.

• Alert: SDS: Error Fetching Enrollment Certificate, page 15-11
• Alert: SDS: Certificate Is Invalid, page 15-11

Certificates for URL Filtering Features

AsyncOS is designed to automatically deploy and update the certificates needed for communications with cloud services used for URL filtering features. However, if for any reason the system is unable to update these certificates, you will receive an alert that requires action from you.

Step 2 Select Add URL List or click a list to edit. Be sure all URLs that you want to globally whitelist are in a single list. You can select only one global whitelist for URL filtering.
Step 3 Create and submit the URL list. To view a list of supported URL formats, enter a semicolon (;) into the URLs box and click Submit. Then click the more... link that appears. Each URL, domain, or IP address can be on a separate line, or separate each with a comma.

Related Topics
• Redirecting URLs, page 14-5
• Taking Action Based on the Reputation or Category of URLs in Messages, page 15-7

Customizing the Appearance of End User Notification Page

Based on the evaluation by the Cisco Cloud Web Security proxy service, if the site is malicious, the end user sees a notice that the site is malicious and access to it has been blocked.

Taking Action Based on the Reputation or Category of URLs in Messages

You can take action based on the reputation or category of URL links in messages using message filters and content filters in incoming and outgoing mail policies.

Filtering by URL Reputation or URL Category: Conditions and Rules

You can perform actions on messages based on the reputation or category of URLs in the message. If you want to perform any action other than modifying URLs or their behavior, add a URL Reputation or URL Category condition and select the reputation scores or URL categories for which you want to apply the action.

URL reputation score ranges for clean, suspect, and malicious URLs are predefined and not editable. However, you can specify a custom range instead. The specified endpoints are included in the range you specify. For example, if you create a custom range from -8 to -10, then -8 and -10 are included in the range. Use "No Score" for URLs for which a reputation score cannot be determined.
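Two of the checks described in this section, combined in one added example that is not AsyncOS code: a global whitelist comparison in which the scheme, a leading www., the port and letter case do not distinguish URLs (assumed equivalence rules drawn from the list of URL forms above), and a URL Reputation condition with a custom range whose endpoints are inclusive, plus the separate "No Score" case. The function names, the URLs and the scores below are constructed for this example; the predefined clean/suspect/malicious ranges are not on this page and are not reproduced.

```python
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit


def normalize(entry: str) -> str:
    """Canonical 'host/path' form used for whitelist comparison: scheme, a leading 'www.',
    the port and letter case are ignored (assumed equivalence rules for this example)."""
    e = entry.strip()
    if "://" not in e:
        e = "http://" + e
    parts = urlsplit(e.lower())
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")


def is_whitelisted(url: str, whitelist: Iterable[str]) -> bool:
    """A URL is whitelisted when it equals an entry or sits below an entry's host/path."""
    n = normalize(url)
    return any(n == w or n.startswith(w + "/") for w in map(normalize, whitelist))


def reputation_condition(scores: Dict[str, Optional[int]], low: int, high: int,
                         include_no_score: bool = False) -> List[str]:
    """URLs whose score lies in the custom range, endpoints included (the guide's -8 to -10 example
    covers -8, -9 and -10, whichever order the endpoints are given); a None score is 'No Score'."""
    lo, hi = sorted((low, high))
    hits = []
    for url, score in scores.items():
        if score is None:
            if include_no_score:
                hits.append(url)
        elif lo <= score <= hi:
            hits.append(url)
    return hits


def evaluate_message(scores, whitelist, low, high, include_no_score=False):
    """Whitelisted URLs are exempt from the condition; the rest are tested against the range."""
    candidates = {u: s for u, s in scores.items() if not is_whitelisted(u, whitelist)}
    return reputation_condition(candidates, low, high, include_no_score)


# Constructed sample: URL -> reputation score (None means no score could be determined).
SAMPLE_SCORES = {
    "https://WWW.Trusted.Example:443/": -9,
    "http://bad.example.net/x": -8,
    "http://new.example.org/": None,
    "http://ok.example.com/": 4,
}
SAMPLE_WHITELIST = ["trusted.example"]

if __name__ == "__main__":
    print(evaluate_message(SAMPLE_SCORES, SAMPLE_WHITELIST, -8, -10, include_no_score=True))
```

The whitelisted URL scores -9, inside the range, yet is not reported because the exemption is applied before the condition; the unscored URL is reported only when "No Score" is selected alongside the range.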
Monitoring URL Filtering Results

Related Topics
• Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example, page 13-11
• Chapter 11, “Content Filters”
• URL Reputation Actions, page 9-75
• URL Category Actions, page 9-74
• Creating Whitelists for URL Filtering, page 15-4

Redirected URLs: What Does the End User Experience?

Based on the evaluation by the Cisco Cloud Web Security proxy service:
• If the site is benign,

Troubleshooting URL Filtering

• Manually Configuring a Certificate for Communication with Cisco Web Security Services, page 15-13

Viewing Logs

URL filtering information is posted to the following logs:
• Mail Logs (mail_logs). Information related to the result of scanning a URL (the action taken on a message depending on the URL) is posted to this log.
• URL Filtering Logs (web_client).

• If you are connecting via a proxy specified in Security Services > Service Updates, verify that this is configured and working properly.
• Check for other network issues that might prevent connection.

URLs in a Filtered Category Are Not Handled Correctly

Problem The defined action in a content or message filter based on URL category is not applied.

Solution
• Use the Trace feature (described in the Troubleshooting chapter) to follow the message processing path.
• This can occur if the Email Security appliance is unable to connect to the Cisco Web Security Services. See Unable to Connect to Cisco Web Security Services, page 15-11.

About URL Categories

• Determining the Category of a URL, page 15-21
• Reporting Uncategorized and Misclassified URLs, page 15-21
• Future URL Category Set Changes, page 15-22

URL Category Descriptions

These URL categories are the same categories that are used on recent releases of AsyncOS for Web Security appliances.

Table 15-1 URL Category (Abbreviation, Code): Description. Example URLs

Adult (adlt, 1006): Directed at adults, but not necessarily pornographic. Example URLs: www.
Business and Industry (busi, 1019): Marketing, commerce, corporations, business practices, workforce, human resources, Example URLs: www.freightcenter.com, www.staples.
Education (edu, 1001): Education-related, such as schools, colleges, universities, teaching materials, and teachers’ resources; technical and vocational training; online training; education issues and policies; financial aid; school funding; standards and testing. Example URLs: www.education.com, www.greatschools.org
Entertainment (ent, 1093): Details or discussion of films; music and bands; Example URLs: www.eonline.
(category name, abbreviation and code not in this fragment): Government websites; foreign relations; news and information relating to government and elections; information relating to the field of law, such as attorneys, law firms, law publications, legal reference material, courts, dockets, and legal associations; legislation and court decisions; civil rights issues; immigration; patents and copyrights; information relating to law enforcement and correctional s
Illegal Drugs (drug, 1047): Information about recreational drugs, drug paraphernalia, drug purchase and manufacture. Example URLs: www.cocaine.org, www.hightimes.com
Infrastructure and Content Delivery Networks (infr, 1018): Content delivery infrastructure and dynamically generated content; websites that cannot be classified Example URLs: www.akamai.net, www.webstat.
Internet Telephony (voip, code not in this fragment)
Online Communities (comm, 1024): Affinity groups; special interest groups; web newsgroups; message boards. Excludes websites classified as “Professional Networking” or “Social Networking.” Example URLs: www.igda.org, www.ieee.org
Online Storage and Backup (osb, 1066): Offsite and peer-to-peer storage for backup, sharing, and hosting. Example URLs: www.adrive.com, www.dropbox.
Reference (ref, 1017): City and state guides; maps, time; reference sources; dictionaries; libraries. Example URLs: www.wikipedia.org, www.yellowpages.com
Religion (rel, 1086): Religious content, information about religions; religious communities. Example URLs: www.religionfacts.com
(category name, abbreviation and code not in this fragment): Web portals for online business services; online meetings. Example URLs: www.netsuite.com
(category name, abbreviation and code not in this fragment): Directed at, and specifically approved for, young children. Example URLs: kids.discovery.
Tobacco (tob, 1078): Pro-tobacco websites; tobacco manufacturers; pipes and smoking products (not marketed for illegal drug use). Tobacco addiction is classified as “Health and Nutrition.” Example URLs: www.bat.com, www.tobacco.org
Transportation (trns, 1044): Personal transportation; information about cars and motorcycles; shopping for new and used cars and Example URLs: www.cars.com, www.motorcycles.

https://securityhub.cisco.com/web/submit_urls

To check the status of submitted URLs, click the Status on Submitted URLs tab on this page.

Future URL Category Set Changes

Rarely, the set of URL categories may change as a result of emerging trends and technologies. For example, a category may be added or removed, renamed, merged with another category, or split into two categories.
CHAPTER 16 File Reputation Filtering and File Analysis

• Overview of File Reputation Filtering and File Analysis, page 16-1
• Configuring File Reputation and Analysis Features, page 16-4
• File Reputation and File Analysis Reporting and Tracking, page 16-11
• Taking Action When File Threat Verdicts Change, page 16-13
• Troubleshooting File Reputation and Analysis, page 16-13

Overview of File Reputation Filtering and File Analysis

Advanced Malware Protection protects against zero-day and tar

File Processing Overview

Evaluation of file reputation and sending of files for analysis occur immediately after anti-virus scanning, regardless of verdicts from previous scanning engines, unless a final action has been taken on the message. Communications between the appliance and the file reputation service are encrypted and protected from tampering.

If the file is sent for analysis:
• Files are sent over HTTPS.
• Analysis normally takes minutes, but may take longer.
• Information about every file that is sent for analysis is added to the reputation database.

For information about verdict updates, see File Threat Verdict Updates, page 16-1.

Which Files Are Evaluated and Analyzed?

The reputation service evaluates most file types.

Configuring File Reputation and Analysis Features

• Archive or Compressed File Processing, page 16-4

Archive or Compressed File Processing

If the file is compressed or archived,
• Reputation of the compressed or archive file is evaluated.
• The compressed or archive file is decompressed and reputations of all the extracted files are evaluated.
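The archive handling just described, as an added example that is not AsyncOS code: the reputation lookup key (a SHA-256, the value the reports later list in abbreviated form) is computed for the archive itself and then for every member after extraction, descending into nested archives. The zip sample is constructed in memory; the nesting depth limit, the member size limit (an oversized member is recorded without a hash rather than inflated) and the 8-digit abbreviation are assumptions for this example, not appliance settings.

```python
import hashlib
import io
import zipfile
from typing import List, Optional, Tuple

MAX_DEPTH = 3                        # assumed: do not descend into archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed: members that would inflate beyond this are not extracted


def sha256_hex(data: bytes) -> str:
    """Full SHA-256 hex digest, the key under which the file reputation service is queried."""
    return hashlib.sha256(data).hexdigest()


def abbreviated(digest: str) -> str:
    """Reports list files by an abbreviated SHA-256; truncating to 8 hex digits is an assumption here."""
    return digest[:8]


def reputation_keys(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, Optional[str]]]:
    """(path, sha256) for the file itself and, when it is a zip archive, for every extracted member.
    Nested archives are expanded recursively up to MAX_DEPTH; an oversized member gets None instead of a hash."""
    keys = [(name, sha256_hex(data))]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return keys
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                keys.append((path, None))   # declared size too large: not extracted, no hash to look up
                continue
            keys.extend(reputation_keys(path, zf.read(info), depth + 1))
    return keys


def build_sample_archive() -> bytes:
    """Constructed sample: an outer zip holding a (fake) document and an inner zip with a (fake) executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", b"MZ-not-a-real-binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docx", b"not-a-real-docx")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, digest in reputation_keys("attachment.zip", build_sample_archive()):
        print(f"{abbreviated(digest) if digest else 'skipped':>8}  {path}")
```

The outer archive, both of its members and the file inside the nested archive each get their own key, so a known-bad file is found whether it arrives bare or wrapped; the declared-size check before extraction is what keeps a small but highly compressed member from consuming the scanner's memory.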
• Advanced Malware Protection and Clusters, page 16-10
• Ensuring That You Receive Alerts About Advanced Malware Protection Issues, page 16-11
• Configuring Centralized Reporting for Advanced Malware Protection Features, page 16-11

Requirements for Communication with File Reputation and Analysis Services

• All Email Security appliances that use these services must be able to connect to them dire

Step 8 Adjust the following Advanced Settings as needed:

Option: SSL Communication for File Reputation
Description: Check Use SSL (Port 443) to communicate on port 443 instead of the default port, 32137. This option also allows you to configure an upstream proxy for communication with the file reputation service.

– Whether to deliver or drop the message.
– Whether to archive the original message. Archived messages are stored as an mbox-format log file in the amparchive directory on the appliance. The preconfigured AMP Archive (amparchive) log subscription is required.
– Whether to deliver the message after removing the malware attachments.

• Whether to archive the original message. Archived messages are stored as an mbox-format log file in the amparchive directory on the appliance. The preconfigured AMP Archive (amparchive) log subscription is required.
• Whether to warn the end user by modifying the message subject, for example, “[WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]”.

Option: Modify Subject
Information: Type the text to add and specify whether to add it to the beginning or the end of the original message subject. For example, you might want to warn the recipient that the message may contain malware attachments.
Note In order for a subject with non-ASCII characters to display correctly, it must be represented according to RFC 2047.
Option: Add X-Header
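The Modify Subject option and its RFC 2047 note, as an added example that is not AsyncOS code: the warning text is added at the beginning or end of the subject, and the result is serialised with Python's email package, which emits RFC 2047 encoded words for the non-ASCII parts so that the modified subject still displays correctly. The function names and the sample subject are constructed for this example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

WARNING = "[WARNING: ATTACHMENT(S) MAY CONTAIN MALWARE]"


def modify_subject(original: str, text: str = WARNING, position: str = "beginning") -> str:
    """Add the configured text to the beginning or the end of the original subject."""
    if position == "beginning":
        return f"{text} {original}".strip()
    if position == "end":
        return f"{original} {text}".strip()
    raise ValueError("position must be 'beginning' or 'end'")


def encode_subject_header(subject: str) -> str:
    """Serialise the Subject header as it goes on the wire. The email package emits RFC 2047
    encoded words (=?utf-8?...?=) for the non-ASCII parts and leaves pure-ASCII subjects untouched."""
    msg = EmailMessage(policy=default)
    msg["Subject"] = subject
    return msg.as_string().split("\n\n", 1)[0]


def decode_subject_header(raw_header: str) -> str:
    """Parse the serialised header back; this is the text a standards-compliant client displays."""
    return str(message_from_string(raw_header + "\n\n", policy=default)["Subject"])


# Constructed sample: a subject with a non-ASCII character, as a German-language mail might carry.
SAMPLE_SUBJECT = "Rechnung März"

if __name__ == "__main__":
    print(encode_subject_header(modify_subject(SAMPLE_SUBJECT)))
```

Writing the raw UTF-8 bytes into the header instead would reach the recipient as mojibake or be rejected by a strict MTA; the round trip through decode_subject_header is the check that the encoded form still carries the full warning.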
Step 3 Depending on your requirements, perform the following actions on messages:
• Delete
• Release
• Delay Scheduled Exit from quarantine
• Send a copy of messages to email addresses that you specify

Centralized File Analysis Quarantine

For information about the centralized File Analysis quarantine, see About Centralized Policy, Virus, and Outbreak Quarantines, page 8-19.

File Reputation and File Analysis Reporting and Tracking

Ensuring That You Receive Alerts About Advanced Malware Protection Issues

Ensure that the appliance is configured to send you alerts related to Advanced Malware Protection. You will receive alerts when (the Type and Severity columns of this table are not in this fragment):
• Feature keys expire (As is standard for all features)
• The file reputation or file analysis service is unreachable.

In most reports, files are listed by their SHA-256 value (in an abbreviated format).

File Reputation and File Analysis Report Pages

Report: Advanced Malware Protection
Description: Shows file-based threats that were identified by the file reputation service. For files with changed verdicts, see the AMP Verdict updates report.

Taking Action When File Threat Verdicts Change

• To search for malicious files found by the file reputation service, select Advanced Malware Protection Positive for the Message Event option in the Advanced section in Message Tracking.
• Message Tracking includes only information about file reputation processing and the original file reputation verdicts returned at the time a message was processed.

Troubleshooting File Reputation and Analysis

• Using Trace, page 16-14
• Several Alerts About Failure to Connect to File Reputation or File Analysis Servers, page 16-14
• Many Files Have Verdict "Unscannable", page 16-15

Log Files

In logs:
• AMP and amp refer to the file reputation service or engine.
• Retrospective refers to verdict updates.
• VRT and sandboxing refer to the file analysis service.

Many Files Have Verdict "Unscannable"

Problem Many files have an "Unscannable" verdict.

Solution This can happen if there are connection issues between the appliance and the file reputation services in the cloud. Try the following:
• Check for issues on your network.
• Increase the timeout value on the Security Services > File Reputation and Analysis page.
CHAPTER 17 Data Loss Prevention

• Overview of Data Loss Prevention, page 17-1
• DLP Deployment Options, page 17-3
• System Requirements for Data Loss Prevention, page 17-4
• RSA Email DLP, page 17-4
• DLP Policies for RSA Email DLP, page 17-6
• RSA Enterprise Manager, page 17-23
• Message Actions, page 17-34
• Showing or Hiding Sensitive DLP Data in Message Tracking, page 17-38
• About Updating the DLP Engine and Content Matching Classifiers, page 17-39
• Working with DLP Incident

Overview of Data Loss Prevention

Overview of the DLP Scanning Process

1. Action: A user in your organization sends an email message to a recipient outside of your organization.
More Information: The Email Security appliance is a “gateway” appliance that processes messages that are entering or leaving your network. Messages sent to other users within your network are not scanned.
2.

The appliance then assigns the severity level (such as Critical or Low) that you have defined for that risk factor score, and performs the message action that you have specified for that severity level in the applicable DLP Policy.

DLP Deployment Options

RSA Email DLP: All DLP activities are handled by the Email Security appliance.
RSA Enterprise Manager: (description not in this fragment)

Note The following actions occur only on the Email Security appliance:
• Outgoing mail policy definition
• Message action definition
• DLP scanning

System Requirements for Data Loss Prevention

Data Loss Prevention is supported on all supported C-Series and X-Series appliances except appliances using D-Mode licenses. The RSA Enterprise Manager feature requires Enterprise Manager 9.0.

RSA Email DLP

Step 5 Do This: Ensure that you have created Outgoing Mail Policies for each group of senders and recipients whose messages will be scanned for DLP violations.
More Information: See Chapter 10, “Mail Policies.” To further refine permitted and restricted message senders and recipients in individual DLP policies, see Filtering Messages for DLP Policies, page 17-20.

DLP Policies for RSA Email DLP

Related Topics
• DLP Policy Description, page 17-6
• Predefined DLP Policy Templates, page 17-6
• Setting Up RSA Email DLP Using a Wizard, page 17-7
• Creating a DLP Policy Using a Predefined Template, page 17-8
• Creating a Custom DLP Policy (Advanced), page 17-9
• About Defining Disallowed Content Using Content Matching Classifiers, page 17-10
• Filtering Messages for DLP Policies, page 17-20

• Regulatory Compliance. These templates identify messages and attachments that contain personally identifiable information, credit information, or other protected or non-public information.
• Acceptable Use. These templates identify messages sent to competitors or restricted recipients that contain sensitive information about an organization.
• Privacy Protection.

Step 6
• Any business that operates in California and owns or licenses computerized personally identifying information (PII) data for California residents, regardless of their physical location, is required to comply with California SB-1386. This law is one of the policy choices in the wizard.
• If you do not enter an email address to receive the automatically-generated scheduled DLP Incident Summary report, the report will not be generated.

– Regular Expressions for Identifying Identification Numbers, page 17-15.

Note You cannot add or remove content matching classifiers for policies based on a predefined template.

Step 7 (Optional) Apply the DLP policy only to messages with specific recipients, senders, attachment types, or previously-added message tags. For more information, see Filtering Messages for DLP Policies, page 17-20.

Step 5 Enter a name and description for the policy.
Step 6 Identify the content and context that constitute a DLP violation:
a. Select a content matching classifier.
b. Click Add.
• If you selected Create a Classifier, see Creating a Content Matching Classifier for Custom DLP Policies, page 17-14.
• Otherwise, the selected classifier is added to the table.
c. (Optional) Add additional classifiers to the policy.

For this example, you might create a DLP policy that uses the HIPAA and HITECH template. This template includes the Patient Identification Numbers content matching classifier, which you can customize to detect a patient’s identification number. To detect numbers in the pattern of 123-CL456789, you would enter the regular expression [0-9]{3}\-[A-Z]{2}[0-9]{6} for the classifier. Enter “Patient ID” for a related phrase.

Content Matching Classifier Examples

The following examples show how classifiers match message content:
• Credit Card Number, page 17-12
• US Social Security Number, page 17-12
• ABA Routing Number, page 17-12
• US Drivers License, page 17-13
• US National Provider Identifier, page 17-13
• Student Records, page 17-13
• Corporate Financials, page 17-13

Credit Card Number

Several DLP policy templates include the Credit Card Number

• routing 119999992 account 1234567 (Match)

US Drivers License

Many policies use a US Drivers License classifier. By default, this classifier searches for drivers licenses for all 50 US states and the District of Columbia. Even US state-specific policies such as California AB-1298 and Montana HB-732 search for all 51 types of US drivers licenses.

Examples:
2009 Cisco net sales, net income, depreciation (Match)
FORM 10-Q 2009 I.R.S. Employer Identification No. (Match)

Creating a Content Matching Classifier for Custom DLP Policies

Custom classifiers that you create are added to the list of classifiers that you can use when creating custom DLP policies.

Step 1 Understand how content matching classifiers are used to identify potential DLP violations.

Related Topics
• Viewing the Policies in Which Custom Content Classifiers are Used, page 17-20

Classifier Detection Rules for Identifying Sensitive Content (Custom DLP Policies Only)

Content matching classifiers require rules for detecting DLP violations in a message or document. Classifiers can use one or more of the following detection rules:
• Words or Phrases. A list of words and phrases for which the classifier should look.

Element: Regular expression (abc)
Description: Regular expressions for classifiers match a string if the sequence of directives in the regular expression match any part of the string. For example, the regular expression ACC matches the string ACCOUNT as well as ACCT.
Element: []
Description: Use brackets to indicate a set of characters. Characters can be defined individually or within a range.

• An 8-digit number: \d{8}
• Identification code with hyphens between sets of numbers: \d{3}-\d{4}-\d
• Identification code that begins with a single letter that can be upper or lower case: [a-zA-Z]\d{7}
• Identification code that begins with three digits and is followed by nine uppercase letters: \d{3}[A-Z]{9}
• Using | to define two different number patterns to search for: \d{3}[A-Z]{9}|\d{2}[A-Z]{9}-\d

Using Custom Dictionaries of

Procedure
Step 1 Select Mail Policies > DLP Policy Manager.
Step 2 Click the link for the Custom DLP Dictionaries section under Advanced Settings.
Step 3 Click Export Dictionary.
Step 4 Select a dictionary to export.
Step 5 Enter a file name for the dictionary.
Step 6 Choose where to save the exported dictionary, either on your local computer or in the configuration directory on the appliance.
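The classifier regular expressions given earlier in this chapter (the Patient Identification Numbers pattern with its "Patient ID" related phrase, and the patterns listed under Classifier Detection Rules), applied to sample text, as an added example that is not AsyncOS or RSA code. It shows the behaviour the element table states, that a pattern matches when it occurs anywhere in the string, and carries the result through a risk factor score to a severity level as the chapter describes. The proximity window for related phrases, the scoring weights, the severity thresholds and the sample messages are all constructed assumptions, not the engine's values.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Patterns quoted in this chapter.
PATIENT_ID = r"[0-9]{3}\-[A-Z]{2}[0-9]{6}"            # e.g. 123-CL456789
EIGHT_DIGITS = r"\d{8}"
HYPHENATED_CODE = r"\d{3}-\d{4}-\d"
LETTER_THEN_SEVEN = r"[a-zA-Z]\d{7}"
THREE_DIGITS_NINE_UPPER = r"\d{3}[A-Z]{9}"
TWO_PATTERNS = r"\d{3}[A-Z]{9}|\d{2}[A-Z]{9}-\d"


@dataclass
class Classifier:
    name: str
    patterns: List[str]
    related_phrases: List[str] = field(default_factory=list)
    window: int = 80   # assumed: characters on either side of a match searched for a related phrase


@dataclass
class Hit:
    pattern: str
    value: str
    near_related_phrase: bool


def scan(text: str, clf: Classifier) -> List[Hit]:
    """Apply every pattern with search semantics (any part of the string matches) and flag hits
    that have a related phrase within the window. Case is ignored only for the phrase check."""
    hits = []
    for pat in clf.patterns:
        for m in re.finditer(pat, text):
            lo, hi = max(0, m.start() - clf.window), m.end() + clf.window
            context = text[lo:hi].lower()
            near = any(p.lower() in context for p in clf.related_phrases)
            hits.append(Hit(pat, m.group(0), near))
    return hits


def risk_factor(hits: List[Hit]) -> int:
    """Assumed scoring: 20 points per hit, 30 more when a related phrase is nearby, capped at 100."""
    return min(100, sum(20 + (30 if h.near_related_phrase else 0) for h in hits))


def severity(score: int, scale=((90, "Critical"), (60, "High"), (30, "Medium"), (1, "Low"))) -> str:
    """Map a risk factor score to a severity level via an assumed Severity Scale; 0 means no violation."""
    for threshold, label in scale:
        if score >= threshold:
            return label
    return "Ignore"


PATIENT_CLASSIFIER = Classifier("Patient Identification Numbers", [PATIENT_ID], ["Patient ID"])

# Constructed sample messages.
SAMPLE_VIOLATION = "Please update the chart for Patient ID 123-CL456789 before discharge."
SAMPLE_UNRELATED = "Order ref 987-XY112233 shipped; tracking 12345678."

if __name__ == "__main__":
    for text in (SAMPLE_VIOLATION, SAMPLE_UNRELATED):
        hits = scan(text, PATIENT_CLASSIFIER)
        print(severity(risk_factor(hits)), [(h.value, h.near_related_phrase) for h in hits])
```

The second sample shows why the related phrase matters: an order reference has the same shape as a patient identifier and fires the pattern, but without "Patient ID" nearby it scores lower. The same unanchored search semantics mean that \d{8} fires twice inside a 16-digit card number, so patterns meant for whole identifiers need surrounding context or boundaries in the rule.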
Chapter 17 Data Loss Prevention DLP Policies for RSA Email DLP For DLP Policies Based On Predefined Templates You cannot view or modify risk factor scoring parameters for DLP policies created from predefined templates. However, if there are too many false positive matches for a particular DLP policy, you can adjust the severity scale for that policy. See About Assessing Violation Severity, page 17-21.
Chapter 17 Data Loss Prevention DLP Policies for RSA Email DLP Viewing the Policies in Which Custom Content Classifiers are Used Procedure Step 1 Select Mail Policies > DLP Policy Customizations. Step 2 In the Custom Classifiers section, click the Policies link in the heading of the Custom Classifiers table.
Chapter 17 Data Loss Prevention DLP Policies for RSA Email DLP About Assessing Violation Severity When the DLP scanning engine detects a potential DLP violation, it calculates a risk factor score that represents the likelihood that the instance actually is a DLP violation. The policy compares the risk factor score to the Severity Scale defined in that policy in order to determine the severity level (for example, Low or Critical.
Chapter 17 Data Loss Prevention DLP Policies for RSA Email DLP Step 3 Once you have finished reordering the policies, submit and commit your changes.
Chapter 17 Data Loss Prevention RSA Enterprise Manager Using Outgoing Mail Policies to Assign DLP Policies to Senders and Recipients Specify which DLP policies apply to which senders and recipients by enabling them in outgoing mail policies. You can use DLP policies only in outgoing mail policies. Before You Begin Configure the DLP policy settings for the default Outgoing Mail policy. See Associating DLP Policies with the Default Outgoing Mail Policy, page 17-22.
Chapter 17 Data Loss Prevention RSA Enterprise Manager • About Deleting and Disabling Policies in Enterprise Manager Deployments, page 17-33 • Lost Connectivity Between the Email Security Appliance and Enterprise Manager, page 17-33 • Switching from Enterprise Manager to RSA Email DLP, page 17-33 How Enterprise Manager and the Email Security Appliance Work Together When you enable RSA Enterprise Manager DLP on the Email Security appliance, the appliance sends the configuration to Enterprise Manager
Chapter 17 Data Loss Prevention RSA Enterprise Manager Do This More Information Step 1 Set up Enterprise Manager on your network and prepare for partnering with the Email Security appliance. See RSA’s documentation for DLP Datacenter, including the online help and the technical note Managing Partner Device DLP with Enterprise Manager. Step 2 On the Email Security appliance, create Outgoing Mail See Chapter 10, “Mail Policies.
Chapter 17 Data Loss Prevention RSA Enterprise Manager Step 10 Do This More Information On Enterprise Manager, specify the order of the DLP policies. Order the DLP policies in Enterprise Manager. See the RSA Enterprise Manager documentation. When the appliance evaluates messages for DLP violations, it applies only the first matching policy in the list. Step 11 On the Email Security appliance, configure settings for storage of and access to sensitive DLP information in Message Tracking.
When configuring the SSL connection, the Enterprise Manager server is the server and the Email Security appliance is the client.
You can also use the following additional command-line switches:
-org
-orgunit
-title
-validity
This procedure outputs the .p12 file to the same folder. This .p12 file is the certificate that you will upload to the Email Security appliance. You will also need:
• The .
Procedure
Step 1 Select Network > Certificates.
Step 2 In the Certificate Authorities section, click Edit Settings.
Step 3 Click Enable for the Custom List.
Step 4 Enter the full path to the custom list (the .pem file) on a local or network machine.
Step 5 Submit and commit your changes.
c. Select the Client Certificate. The client is the Email Security appliance. You can use the same certificate for client and server.
Step 8 (Optional) If your deployment includes RSA’s DLP Datacenter, choose whether to enable fingerprinting to improve detection of source code, databases, and other documents.
Step 9 (Optional) If message tracking is already enabled on your appliance, choose whether or not to enable matched content logging.
Step 7 Submit and commit your changes.
About Associating Outgoing Mail Policies with DLP Policies in Enterprise Manager Deployments
You will use Enterprise Manager to associate Outgoing Mail Policies with DLP policies, in order to specify which DLP policies apply to which senders and recipients. For information, see the RSA Enterprise Manager documentation.
Note If the Email Security appliance is part of a cluster, the appliance only exports the policies from the lowest level of the cluster. For example, if there are DLP policies at both the cluster and machine level, the appliance only exports the DLP policies from the machine level.
About Deleting and Disabling Policies in Enterprise Manager Deployments
Deleting and Disabling DLP Policies
• To delete DLP policies, use Enterprise Manager.
• To disable or enable DLP policies, use the Email Security appliance. Go to Mail Policies > DLP Policy Manager. Any outgoing mail policies associated with the disabled DLP policy will skip the policy when evaluating messages for DLP violations.
Chapter 17 Data Loss Prevention Message Actions
Message Actions
You specify primary and secondary actions that the Email Security appliance will take when it detects a possible DLP violation in an outgoing message. Different actions can be assigned for different violation types and severities.
Primary actions include:
• Deliver
• Drop
• Quarantine
Secondary actions include:
• Sending a copy to a policy quarantine if you choose to deliver the message.
For deployments with Enterprise Manager:
– Set a timeout large enough for Enterprise Manager to complete its tasks.
– Consider automatic actions carefully; although quarantined messages must be managed in Enterprise Manager, the Email Security appliance still releases or deletes quarantined messages when the quarantine exceeds the allotted space. For information, see Chapter 30, “Policy, Virus, and Outbreak Quarantines.
Step 9 Submit and commit your changes.
Viewing and Editing Message Actions
Procedure
Step 1 Select Mail Policies > DLP Policy Customizations.
Step 2 In the Message Actions section, choose an action:
To / Do This
View the mail policies to which each action is assigned / Click the Policies link in the heading of the Message Actions table.
Procedure
Step 1 Select Mail Policies > Text Resources.
Step 2 Click Add Text Resource.
Step 3 For Type, select DLP Notification Template. DLP variables are not available for the plain Notification template.
Step 4 Enter notification text and variables. The notification should inform its recipients that an outgoing message may contain sensitive data that violates your organization’s data loss prevention policies.
Chapter 17 Data Loss Prevention Showing or Hiding Sensitive DLP Data in Message Tracking
Variable / Substituted With
$filenames Replaced with a comma-separated list of the message’s attachments’ filenames.
$filetypes Replaced with a comma-separated list of the message’s attachments’ file types.
$filesizes Replaced with a comma-separated list of the message’s attachments’ file sizes.
$remotehost Replaced by the hostname of the system that sent the message to the Cisco appliance.
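The following is an added example, not code from the guide or from AsyncOS, showing how the four notification variables above can be derived from a real MIME structure and expanded into a DLP notification template. The message, the attachments and the template text are constructed for the example; the remote host name is passed in as a parameter because the sample runs offline.

```python
from email import policy
from email.message import EmailMessage
from string import Template

# Constructed sample outgoing message (not from the guide): one text body
# and two attachments, so the attachment-list variables have something to list.
def build_sample_message():
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Attached are the figures we discussed.")
    msg.add_attachment(b"id,ssn\n1,000-00-0000\n", maintype="text",
                       subtype="csv", filename="customers.csv")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg

def dlp_variables(msg, remotehost):
    """Build the substitution values for the DLP notification variables.

    $filenames, $filetypes and $filesizes are comma-separated lists taken from
    the message's attachment parts (Content-Disposition: attachment).
    $remotehost is the hostname of the system that handed the message to the
    appliance; it is passed in here because this sample runs offline.
    """
    names, types, sizes = [], [], []
    for part in msg.iter_attachments():
        names.append(part.get_filename() or "")
        types.append(part.get_content_type())
        # decode=True undoes the transfer encoding so the size is the real byte count
        sizes.append(str(len(part.get_payload(decode=True))))
    return {
        "filenames": ",".join(names),
        "filetypes": ",".join(types),
        "filesizes": ",".join(sizes),
        "remotehost": remotehost,
    }

# Constructed template text using the variables listed above.
NOTIFICATION_TEMPLATE = (
    "An outgoing message from $remotehost may contain sensitive data that "
    "violates the organization's DLP policy.\n"
    "Attachments: $filenames\nTypes: $filetypes\nSizes (bytes): $filesizes\n"
)

def render_notification(template_text, msg, remotehost):
    """Expand the $variables; an unknown variable raises KeyError instead of
    leaking a literal '$name' into the notification."""
    return Template(template_text).substitute(dlp_variables(msg, remotehost))

if __name__ == "__main__":
    print(render_notification(NOTIFICATION_TEMPLATE, build_sample_message(),
                              "mta1.example.com"))
```

Sizes are computed after decoding the transfer encoding, so a base64-encoded attachment reports its real length rather than the encoded length.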
Chapter 17 Data Loss Prevention About Updating the DLP Engine and Content Matching Classifiers
Procedure
Step 1 Select Security Services > RSA Email DLP.
Step 2 Click Edit Settings.
Step 3 Do one of the following:
To include sensitive content in Message Tracking, select the Enable Matched Content Logging check box.
To hide sensitive content from Message Tracking, deselect the Enable Matched Content Logging check box.
Submit and commit your changes.
Caveats for DLP Updates
Deployment Mode / Caveat
All: Cisco does not recommend enabling automatic updates. See Enabling Automatic Updates (Not Recommended), page 17-40.
RSA Email DLP: DLP updates may change the content matching classifiers used by your existing local DLP policies.
Chapter 17 Data Loss Prevention Working with DLP Incident Messages and Data
Procedure
Step 1 Select Security Services > RSA Email DLP.
Step 2 Click Edit Settings.
Step 3 Select the Enable automatic updates check box.
Step 4 Submit and commit your changes.
DLP Updates on Centralized (Clustered) Appliances
Note the following:
• You cannot enable automatic DLP updates for appliances in clustered deployments.
• DLP updates are performed at the level that DLP was configured.
Chapter 17 Data Loss Prevention Troubleshooting Data Loss Prevention
To / Do This
Search for messages containing DLP violations using criteria such as DLP policy name, violation severity, and action taken, and view details of the messages found / See Chapter 29, “Tracking Messages.” For Enterprise Manager deployments, you can also view messages in Enterprise Manager. See the Enterprise Manager documentation.
RSA Email DLP Fails to Detect Violations in Email Attachments
Problem When using predefined DLP policies, RSA Email DLP fails to detect violations in email attachments. This can be caused by the small value of the proximity parameter in the predefined DLP policies.
Note You cannot change the proximity of a predefined DLP policy.
Solution Do one of the following:
• Create a custom policy and adjust the proximity as required.
Chapter 18 Cisco Email Encryption
• Overview of Cisco Email Encryption, page 18-1
• How to Encrypt Messages with a Local Key Server, page 18-2
• Encrypting Messages using the Email Security Appliance, page 18-4
• Determining Which Messages to Encrypt, page 18-8
• Inserting Encryption Headers into Messages, page 18-11
Overview of Cisco Email Encryption
AsyncOS supports using encryption to secure inbound and outbound email.
Chapter 18 Cisco Email Encryption How to Encrypt Messages with a Local Key Server
Table 18-1 How to Encrypt Messages with a Local Key Server
Steps / Do This
Step 1 Set up the Cisco IronPort Encryption appliance on the network. See Chapter 3, “Setup and Installation.”
Step 2 Enable message encryption.
Figure 18-1 Encryption Workflow
1) Email Security appliance encrypts and stores message key in key server
2) User opens secure envelope in browser
3) User authenticates and gets message key.
4) Decrypted message is displayed.
(Key Server or Hosted Key Service)
The basic workflow for opening encrypted messages is:
1.
Chapter 18 Cisco Email Encryption Encrypting Messages using the Email Security Appliance
To use encryption with the Email Security appliance, you must configure an encryption profile. You can enable and configure an encryption profile using the encryptionconfig CLI command, or via Security Services > Cisco IronPort Email Encryption in the GUI.
You can assign an encryption profile to a custom user role to allow delegated administrators assigned to that role to use the encryption profile with their DLP policies and content filters. Only administrators, operators, and delegated users can use encryption profiles when configuring DLP policies and content filters.
Step 7 Click Advanced under Key Server Settings to specify whether to use HTTP or HTTPS for transferring the envelope’s encrypted payload when the recipient opens the envelope. Choose from one of the following:
• Use the Key Service with HTTP. Transfers the encrypted payload from the key service using HTTP when the recipient opens the envelope.
Step 13 To enable the secure message forwarding feature, check the Enable Secure Message Forwarding check box.
(Optional) If you have selected Cisco Registered Envelope Service and this service supports localization of envelopes, enable localization of envelopes. In the Notification Settings section, check the Use Localized Envelope check box.
Chapter 18 Cisco Email Encryption Determining Which Messages to Encrypt
• Japanese
• Portuguese
• Spanish
Before You Begin
• Create an encryption profile with Cisco Registered Envelope Service as Key Service Type and envelope localization enabled. See Configuring How a Key Service Handles Encrypted Messages, page 18-4.
• Make sure that Cisco Registered Envelope Service supports localization of envelopes.
Procedure
Step 1 Click Security Services > Cisco IronPort Email Encryption.
• Encrypting a Message upon Delivery using a Content Filter, page 18-10
Using a TLS Connection as an Alternative to Encryption
Based on the destination controls specified for a domain, your Email Security appliance can securely relay a message over a TLS connection instead of encrypting it, if a TLS connection is available.
Step 8 Select Encrypt and Deliver Now (Final Action) from the Add Action list.
Step 9 Select whether to always encrypt messages that meet the condition or to encrypt them only if the attempt to send them over a TLS connection fails.
Step 10 Select the encryption profile to associate with the content filter.
Chapter 18 Cisco Email Encryption Inserting Encryption Headers into Messages
Procedure
Step 1 Go to Mail Policies > Outgoing Content Filters.
Step 2 In the Filters section, click Add Filter.
Step 3 In the Conditions section, click Add Condition.
Step 4 Add a condition to filter the messages that you want to encrypt. For example, to encrypt sensitive material, you might add a condition that identifies messages containing particular words or phrases, such as “Confidential,” in the subject or body.
Procedure
Step 1 Go to Mail Policies > Outgoing Content Filters or Incoming Content Filters.
Step 2 In the Filters section, click Add Filter.
Step 3 In the Actions section, click Add Action and select Add/Edit Header to insert an encryption header into the messages to specify an additional encryption setting.
Table 18-3 Email Encryption Headers
MIME Header / Description / Value
X-PostX-ExpirationDate Defines a Registered Envelope’s expiration date before sending it. The key server restricts access to the Registered Envelope after the expiration date. The Registered Envelope displays a message indicating that the message has expired. This header adds an encryption setting to the message.
X-PostX-Use-Script Indicates whether to send JavaScript-free envelopes. A JavaScript-free envelope is a Registered Envelope that does not include the JavaScript that is used to open envelopes locally on the recipient's computer. The recipient must use either the Open Online method or the Open by Forwarding method to view the message.
Enabling JavaScript-Free Envelopes
To send a Registered Envelope that is JavaScript-free, insert the following header into the message:
X-PostX-Use-Script: false
When the recipient opens the securedoc.html attachment, the Registered Envelope is displayed with an Open Online link, and the Open button is disabled.
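The following is an added example, not the appliance's own filter engine, that models the content-filter logic described in the preceding procedures: a keyword condition on the subject or body (“Confidential”), the Encrypt and Deliver Now action with its “always encrypt” versus “encrypt only if TLS fails” choice, and insertion of the X-PostX-Use-Script: false header. The messages are constructed; the function names, the decision strings and the TLS-availability flag are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage


@dataclass
class FilterDecision:
    matched: bool
    action: str            # "deliver", "encrypt", or "tls-or-encrypt" (names chosen for this example)
    headers: dict = field(default_factory=dict)


def message_text(msg):
    """Subject plus the plain-text body, the fields a keyword condition inspects."""
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    return msg.get("Subject", "") + "\n" + body_text


def evaluate_outgoing_filter(msg, keyword=r"\bconfidential\b",
                             encrypt_only_if_tls_fails=True, javascript_free=False):
    """Condition: the keyword appears in the subject or body (case-insensitive).

    Actions: Encrypt and Deliver Now, either unconditionally or only as the
    fallback when TLS delivery fails, plus an optional X-PostX-Use-Script header
    that asks the key service for a JavaScript-free Registered Envelope.
    """
    if not re.search(keyword, message_text(msg), re.IGNORECASE):
        return FilterDecision(False, "deliver")
    headers = {"X-PostX-Use-Script": "false"} if javascript_free else {}
    action = "tls-or-encrypt" if encrypt_only_if_tls_fails else "encrypt"
    return FilterDecision(True, action, headers)


def apply_decision(msg, decision, tls_available):
    """Add the headers to the message and return the disposition for delivery."""
    for name, value in decision.headers.items():
        del msg[name]            # drop any existing copy so the header is not duplicated
        msg[name] = value
    if decision.action == "encrypt":
        return "encrypt"
    if decision.action == "tls-or-encrypt":
        return "deliver-over-tls" if tls_available else "encrypt"
    return "deliver"


def sample_message(subject, body):
    """Constructed outgoing message for the example."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.net"
    m["Subject"] = subject
    m.set_content(body)
    return m


if __name__ == "__main__":
    m = sample_message("Confidential: board minutes", "Please do not forward.")
    d = evaluate_outgoing_filter(m, javascript_free=True)
    print(apply_decision(m, d, tls_available=False), m["X-PostX-Use-Script"])
```

The header is set on the message before the delivery decision is made, which mirrors the order in the procedure: the Add/Edit Header action runs as part of the filter, and the encryption or TLS choice is made when the message leaves the appliance.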
Chapter 19 S/MIME Security Services
• Overview of S/MIME Security Services, page 19-1
• Signing, Encrypting, or Signing and Encrypting Outgoing Messages using S/MIME, page 19-4
• Verifying, Decrypting, or Decrypting and Verifying Incoming Messages using S/MIME, page 19-14
• S/MIME Certificate Requirements, page 19-20
Overview of S/MIME Security Services
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standards-based method for sending and receiving secure, verified email messages.
Chapter 19 S/MIME Security Services S/MIME Security Services in Email Security Appliance
• Verify, decrypt, or decrypt and verify messages using S/MIME. See Verifying, Decrypting, or Decrypting and Verifying Incoming Messages using S/MIME, page 19-14.
Organization A sending a message to Organization B:
1. Bob (Organization A) uses an email client to send an unsigned and unencrypted message to Dave (Organization B).
2. The Email Security appliance in Organization A signs and encrypts the message and sends it to Organization B.
3. The third-party application at the gateway of Organization B decrypts and verifies the message.
4.
Chapter 19 S/MIME Security Services Signing, Encrypting, or Signing and Encrypting Outgoing Messages using S/MIME
Organization A sending a message to Organization B:
1. Alice (Organization A) uses an email client to send an unsigned and unencrypted message to Erin (Organization B).
2. The Email Security appliance in Organization A signs and encrypts the message and sends it to Organization B.
3. The email client in Organization B decrypts and verifies the message and displays it to Erin.
3. Create a PKCS7 signature with the encrypted message digest and public key of the appliance’s S/MIME certificate.
4. Sign the message by attaching the PKCS7 signature to the message.
5. Send the signed message to the recipient.
S/MIME Encryption Workflow
The following process describes how the Email Security appliance performs S/MIME encryption.
1.
How to Sign, Encrypt, or Sign and Encrypt Outgoing Messages using S/MIME
Steps / Do This / More Info
Step 1 Understand the S/MIME certificate requirements. See S/MIME Certificate Requirements, page 19-20.
Step 2 Depending on your requirements, do one of the following:
• For S/MIME signing, set up an S/MIME signing certificate. See Setting Up Certificates for S/MIME Signing, page 19-6.
• Import an existing S/MIME certificate to the appliance. See Importing an S/MIME Signing Certificate, page 19-8.
Note Cisco recommends that you use self-signed S/MIME certificates for sending signed messages to the users within your organization or in a testing environment.
Note An S/MIME signing certificate can contain both Subject Alternative Name (Domains) and Subject Alternative Name (Email).
Step 5 Click Next to view the certificate and signature information.
Step 6 Depending on your requirements, do the following: Step 7 Note • Enter a name for the certificate.
Setting Up Public Keys for S/MIME Encryption
You must add the public key of the recipient's S/MIME certificate to the appliance for encrypting messages. Depending on your organizational policies and processes, you can use one of the following methods to add the public key to the appliance:
• Request the recipient to send the public key using an electronic channel, for example, email.
Procedure
Step 1 Click Mail Policies > Mail Flow Policies.
Step 2 Create a new Mail Flow Policy or modify an existing one. See Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT), page 7-1.
Step 3 Scroll down to the Security Features section.
Step 4 Under S/MIME Public Key Harvesting, do the following:
• Enable S/MIME public key harvesting.
You can create, edit, delete, import, export, and search S/MIME sending profiles using the web interface or CLI.
Create an S/MIME Sending Profile for Signing, Encrypting, or Signing and Encrypting Messages
Procedure
Step 1 Click Mail Policies > Sending Profiles.
Step 2 Click Add Profile.
Step 3 Configure the following fields:
S/MIME Profile Name Enter the name of the sending profile.
S/MIME Sign Mode Choose the mode of S/MIME signing. Possible values are:
• Opaque. An opaque-signed message contains the message and signature combined in a single part and can be read only by verifying the signature.
• Detached. The signature information is separate from the text being signed.
Determining Which Messages to Sign, Encrypt, or Sign and Encrypt
After you create a sending profile, you need to create an outgoing content filter that determines which email messages should be signed, encrypted, or signed and encrypted. The content filter scans outgoing email and determines if the message matches the conditions specified.
Chapter 19 S/MIME Security Services Verifying, Decrypting, or Decrypting and Verifying Incoming Messages using S/MIME
Signing, Encrypting, or Signing and Encrypting a Message upon Delivery using a Content Filter
Create a content filter to sign, encrypt, or sign and encrypt a message on delivery, which means that the message continues to the next stage of processing, and when all processing is complete, the message is signed, encrypted, or signed and encrypted, and delivered.
Note You can use Email Security appliance S/MIME security services to verify, decrypt, or decrypt and verify outgoing and incoming messages.
How to Verify, Decrypt, or Decrypt and Verify Incoming Messages Using S/MIME
Steps / Do This / More Info
Step 1 Understand the S/MIME certificate requirements. See S/MIME Certificate Requirements, page 19-20.
Before You Begin
• Share the public key of the appliance's S/MIME certificate with the sender (business or consumer) in one of the following ways:
– Send the public key using an electronic channel, for example, email.
– Request the sender to retrieve the public key using key harvesting.
The sender can use this public key to send encrypted messages to your appliance.
Adding a Public Key for S/MIME Verification
Before You Begin
• Make sure that the public key meets the requirements described in S/MIME Certificate Requirements, page 19-20.
• Make sure that the public key is in PEM format.
Procedure
Step 1 Click Mail Policies > Public Keys.
Step 2 Click Add Public Key.
Step 3 Enter the name of the public key.
Step 4 Enter the public key.
Step 2 Create a new Mail Flow Policy or modify an existing one. See Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT), page 7-1.
Step 3 Scroll down to the Security Features section.
Step 4 Under S/MIME Public Key Harvesting, do the following:
• Enable S/MIME public key harvesting.
Chapter 19 S/MIME Security Services S/MIME Certificate Requirements
Step 4 Under S/MIME Decryption/Verification, do the following:
• Enable S/MIME decryption and verification.
• Choose whether to retain or remove the digital signature from the messages after S/MIME verification. If you do not want your end users to know about S/MIME gateway verification, select Remove. For triple wrapped messages, only the inner signature is retained or removed.
Step 5 Submit and commit your changes.
Certificate Requirements for Signing
The S/MIME certificate for signing must contain the following information:
Common Name The fully qualified domain name.
Organization The exact legal name of the organization.
Organizational Unit Section of the organization.
City (Locality) The city where the organization is legally located.
State (Province) The state, county, or region where the organization is legally located.
Subject Alternative Name (Domains) Name of the domain to which you plan to send encrypted messages. Examples include domain.com and *.domain.net. For multiple entries, use a comma-separated list. If you plan to send encrypted messages to all the users in a domain, the public key should include a SAN Domain.
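The following is an added example, not the appliance's own key-selection code, that applies the certificate requirements above: it checks that the required subject fields are present and chooses the recipient public key whose SAN (Email) or SAN (Domains) covers a recipient address, including the comma-separated list and the *.domain.net wildcard form shown in the requirements. The certificates are constructed; how a wildcard SAN matches (any host under the domain, not the bare domain itself) is an assumption of this example, not a statement from the guide.

```python
from dataclasses import dataclass, field


@dataclass
class SmimeCertificate:
    """Subject fields and SANs of an S/MIME certificate, as the requirements list them."""
    common_name: str
    organization: str
    organizational_unit: str
    locality: str
    state: str
    san_domains: list = field(default_factory=list)   # e.g. ["domain.com", "*.domain.net"]
    san_emails: list = field(default_factory=list)


REQUIRED_SUBJECT_FIELDS = ("common_name", "organization", "organizational_unit",
                           "locality", "state")


def missing_signing_fields(cert):
    """Names of required subject fields that are empty in a signing certificate."""
    return [f for f in REQUIRED_SUBJECT_FIELDS if not getattr(cert, f).strip()]


def parse_san_list(text):
    """Split the comma-separated SAN entry list as typed into the certificate form."""
    return [e.strip().lower() for e in text.split(",") if e.strip()]


def domain_matches(pattern, domain):
    """Assumption for this example: '*.domain.net' covers any host under domain.net
    but not domain.net itself; a plain entry must match exactly."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".domain.net"
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return pattern == domain


def select_recipient_certificate(recipient, certs):
    """Pick the certificate whose SAN covers the recipient address.

    A SAN (Email) match wins over a SAN (Domains) match because it is the more
    specific binding; None means no key on file can encrypt to this recipient.
    """
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    for cert in certs:
        if recipient in cert.san_emails:
            return cert
    for cert in certs:
        if any(domain_matches(p, domain) for p in cert.san_domains):
            return cert
    return None


if __name__ == "__main__":
    # Constructed certificates for the example.
    domain_cert = SmimeCertificate("gw.domain.com", "Domain Inc", "Security", "Austin", "Texas",
                                   san_domains=parse_san_list("domain.com, *.domain.net"))
    user_cert = SmimeCertificate("mail.example.net", "Example Net Ltd", "IT", "Dublin", "Leinster",
                                 san_emails=["erin@example.net"])
    chosen = select_recipient_certificate("bob@mail.domain.net", [domain_cert, user_cert])
    print(chosen.common_name if chosen else "no key on file")
```

Because the appliance encrypts to the recipient's public key, a lookup that returns None is the case to alert on: the message cannot be encrypted with S/MIME and the content filter's fallback (deliver, quarantine, or TLS) decides what happens to it.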
Note The import process may take longer if you are importing a file with a large number of public keys. Make sure that you adjust the web interface or CLI inactivity timeout accordingly.
Step 4 Commit your changes.
Exporting Public Keys
All public keys on the appliance are exported together in a single text file and stored in the /configuration directory.
Procedure
Step 1 Choose Mail Policies > Public Keys.
Chapter 20 Email Authentication
• Email Authentication Overview, page 20-1
• DomainKeys and DKIM Authentication, page 20-1
• Configuring DomainKeys and DKIM Signing, page 20-3
• How to Verify Incoming Messages Using DKIM, page 20-16
• Overview of SPF and SIDF Verification, page 20-22
• How to Verify Incoming Messages Using SPF/SIDF, page 20-23
• Enabling SPF and SIDF, page 20-24
• Determining the Action to Take for SPF/SIDF Verified Mail, page 20-31
• Testing the SPF/SIDF Results, pa
Chapter 20 Email Authentication DomainKeys and DKIM Authentication
Related Topics
• DomainKeys and DKIM Authentication Workflow, page 20-2
• DomainKeys and DKIM Signing in AsyncOS, page 20-2
DomainKeys and DKIM Authentication Workflow
Figure 20-1 Authentication Work Flow
1. Administrator (domain owner) publishes a public key into the DNS name space.
2. Administrator loads a private key in the outbound Mail Transfer Agent (MTA).
3.
Chapter 20 Email Authentication Configuring DomainKeys and DKIM Signing
As messages are received on a listener used to send messages (outbound), the appliance checks to see if any domain profiles exist. If there are domain profiles created on the appliance (and implemented for the mail flow policy), the message is scanned for a valid Sender: or From: address. If both are present, the Sender: is used for DomainKeys. The From: address is always used for DKIM signing.
If you are entering an existing key, simply paste it into the form. Another way to use existing signing keys is to import the key as a text file. For more information about adding existing signing keys, see Importing or Entering Existing Signing Keys, page 20-11. Once a key is entered, it is available for use in domain profiles, and will appear in the Signing Key drop-down list in the domain profile.
Figure 20-3 View Public Key Link on Signing Keys Page
Domain Profiles
A domain profile associates a sender domain with a signing key, along with some other information needed for signing.
• A name for the domain profile.
• A domain name (the domain to be included in the “d=” header).
• A selector (a selector is used to form the query for the public key. In the DNS query type, this value is prepended to the “_domainkey.
Exporting and Importing Domain Profiles
You can export your existing domain profiles to a text file on the appliance. When you export the domain profiles, all of the profiles existing on the appliance are put into a single text file. See Exporting Domain Profiles, page 20-14. You can import domain profiles that you have previously exported.
profile. For example, you would configure a return address of MAILER-DAEMON@example.com for the bounce return address, and add MAILER-DAEMON@example.com as a profile user in the domain profile.
Configuring DomainKeys/DKIM Signing (GUI)
Procedure
Step 1 Create a new or import an existing private key. For information on creating or importing signing keys, see Signing Keys, page 20-3.
• Searching Domain Profiles, page 20-15
• Signing System-Generated Messages, page 20-15
Creating Domain Profiles for DomainKeys Signing
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 In the Domain Signing Profiles section, click Add Profile.
Step 3 Enter a name for the profile.
Step 4 For the Domain Key Type, choose Domain Keys. Additional options appear on the page.
Step 5 Enter the domain name.
Step 6 Enter a selector. Selectors are arbitrary names prepended to the "_domainkey." namespace, used to help support multiple concurrent public keys per sending domain. A selector value and length must be legal in the DNS namespace and in email headers, with the additional provision that they cannot contain a semicolon.
Step 7 Select the canonicalization for the header. Choose from the following options:
• Relaxed.
Step 8
• Sign first _ bytes. Sign the message body up to the specified number of bytes.
Step 12 Select the tags you want to include in the message signature’s header field. The information stored in these tags is used for message signature verification. Select one or more of the following options:
• “i” Tag. The identity of the user or agent (e.g., a mailing list manager) on behalf of which this message is signed.
Step 4 Click Generate and select a key size.
Step 5 Submit and commit your changes.
Note If you have not done so already, you may need to edit your domain profile to assign the key.
Edit an Existing Signing Key
Procedure
Step 1 Choose Mail Policies > Signing Keys.
Step 2 Click the intended signing key.
Step 3 Edit the intended fields as described in .
Pasting a Key
Procedure
Step 1 Choose Mail Policies > Signing Keys.
Step 2 Click Add Key.
Step 3 Paste the key into the Paste Key field (the key must be PEM-formatted and must be an RSA key).
Step 4 Submit and commit your changes.
Importing Keys from an Existing Export File
Note To obtain a key file, see Exporting Signing Keys, page 20-11.
Procedure
Step 1 Choose Mail Policies > Signing Keys.
Step 2 Click Import Keys.
Removing All Signing Keys
Procedure
Step 1 Choose Mail Policies > Signing Keys.
Step 2 Click Clear All Keys on the Signing Keys page.
Step 3 Confirm the deletion.
Generating a DNS Text Record
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 In the Domain Signing Profiles section, in the DNS Text Record column, click the Generate link for the corresponding domain profile.
Testing Domain Profiles
Once you have created a signing key, associated it with a domain profile, and generated and inserted the DNS text into your authorized DNS, you can test your domain profile.
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 In the Domain Signing Profiles section, in the Test Profile column, click the Test link for the domain profile.
Removing Selected Domain Profiles
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 Mark the checkbox to the right of each domain profile to remove.
Step 3 Click Delete.
Step 4 Confirm the deletion.
Removing All Domain Profiles
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 Click Clear All Profiles.
Step 3 Confirm the deletion.
Chapter 20 Email Authentication How to Verify Incoming Messages Using DKIM
Procedure
Step 1 Choose Mail Policies > Signing Profiles.
Step 2 In the DKIM Signing of System Generated Messages section, click Edit Settings.
Step 3 Select On.
Step 4 Submit and commit your changes.
Domain Keys and Logging
Lines such as the following are added to the mail logs upon DomainKeys signing:
Tue Aug 28 15:29:30 2007 Info: MID 371 DomainKeys: signing with dk-profile - matches user123@example.
• Configuring DKIM Verification on the Mail Flow Policy, page 20-20
• Configuring an Action for DKIM Verified Mail, page 20-21
DKIM Verification Checks Performed by AsyncOS
When you configure an AsyncOS appliance for DKIM verification, the following checks are performed:
Procedure
Step 1 AsyncOS checks for the DKIM-Signature field in incoming mail, the syntax of the signature header, valid tag values, and required tags.
• A name for the verification profile.
• The smallest and largest acceptable public key size. The default key sizes are 512 and 2048, respectively.
• The maximum number of signatures in the message to verify. If a message has more signatures than the maximum amount you defined, the appliance skips verification of the remaining signatures and continues to process the message. The default is 5 signatures.
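The following is an added example, not AsyncOS code, covering the DKIM pieces discussed in this chapter: how the selector and domain from a domain profile form the DNS name that is queried for the public key, the shape of the TXT record published there, and the syntax checks a verifier performs on a DKIM-Signature header (required tags, version, base64 payloads, the From field in h=), together with the verification-profile limits on public key size and number of signatures. The DKIM-Signature header and the public-key string are constructed for the example and do not verify against any real key; the list of required tags is the one from RFC 6376.

```python
import base64
import binascii

# Tags that RFC 6376 requires in every DKIM-Signature header; the appliance's
# "required tags" check is the presence of these.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_dkim_signature(value):
    """Parse 'tag=value; tag=value' into a dict, tolerating folded whitespace in values."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(val.split())
    return tags


def signature_problems(tags):
    """Syntax checks a verifier makes before any cryptography: required tags,
    version, base64 payloads in b= and bh=, and From listed in h=."""
    problems = ["missing required tag " + t for t in REQUIRED_TAGS if t not in tags]
    if "v" in tags and tags["v"] != "1":
        problems.append("unsupported version " + tags["v"])
    for t in ("b", "bh"):
        if t in tags:
            try:
                base64.b64decode(tags[t], validate=True)
            except (binascii.Error, ValueError):
                problems.append(t + " tag is not valid base64")
    if "h" in tags and "from" not in [h.strip().lower() for h in tags["h"].split(":")]:
        problems.append("h tag must include From")
    return problems


def dns_query_name(selector, domain):
    """The selector is prepended to the _domainkey namespace of the signing domain."""
    return "%s._domainkey.%s" % (selector, domain)


def dns_txt_record(public_key_b64, key_type="rsa"):
    """Text of the TXT record a domain owner publishes at the selector name."""
    return "v=DKIM1; k=%s; p=%s" % (key_type, public_key_b64)


def key_size_acceptable(bits, smallest=512, largest=2048):
    """Verification-profile limits; the defaults here are the guide's defaults."""
    return smallest <= bits <= largest


def signatures_to_verify(dkim_headers, maximum=5):
    """Only the first `maximum` signatures are verified; the rest are skipped."""
    return [parse_dkim_signature(h) for h in dkim_headers[:maximum]]


if __name__ == "__main__":
    # Constructed header: the bh= and b= values are base64 of "123" and "abc", not real digests.
    sample = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
              "  h=From:To:Subject; bh=MTIz; b=YWJj")
    tags = parse_dkim_signature(sample)
    print(dns_query_name(tags["s"], tags["d"]), signature_problems(tags))
```

A message whose signature fails these syntax checks is treated as unsigned (or as a permanent failure) before any key lookup happens, which is why the log line "DKIM: no signature" is worth distinguishing from a cryptographic failure when reviewing mail logs.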
Step 10 Select whether the Email Security appliance accepts or rejects the message if there is a temporary failure when verifying its signature. If you want the appliance to reject the message, you can choose to have it send the default 451 SMTP response code or another SMTP response code and text.
Removing Selected DKIM Verification Profiles
Procedure
Step 1 Choose Mail Policies > Verification Profiles.
Step 2 Mark the checkbox to the right of each DKIM verification profile you want to delete.
Step 3 Click Delete.
Step 4 Confirm the deletion.
Removing All DKIM Verification Profiles
Procedure
Step 1 Choose Mail Policies > Verification Profiles.
Step 2 Click Clear All Profiles.
Step 3 Confirm the deletion.
Step 5 Commit your changes.
Related Topics
• DKIM Verification and Logging, page 20-21
DKIM Verification and Logging
Lines such as the following are added to the mail logs upon DKIM verification:
mail.current:Mon Aug 6 13:35:38 2007 Info: MID 17 DKIM: no signature
mail.
Step 9 Commit your changes.

Overview of SPF and SIDF Verification

AsyncOS supports Sender Policy Framework (SPF) and Sender ID Framework (SIDF) verification. SPF and SIDF are methods for verifying the authenticity of email based on DNS records. SPF and SIDF allow the owner of an Internet domain to use a special format of DNS TXT records to specify which machines are authorized to transmit email for that domain.

Valid SIDF Records

To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” records. For example, your DNS record may look like the following example:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.

Caution Although Cisco strongly endorses email authentication globally, at this point in the industry's adoption, Cisco suggests a cautious disposition for SPF/SIDF authentication failures. Until more organizations gain greater control of their authorized mail sending infrastructure, Cisco urges customers to avoid bouncing emails and instead quarantine emails that fail SPF/SIDF verification.

Table 20-3 SPF/SIDF Conformance Levels
Conformance Level: SIDF
Description: The SPF/SIDF verification behaves according to RFC 4406.
- The PRA Identity is determined with full conformance to the standard.
- SPF v1.0 records are treated as spf2.0/mfrom,pra.
- For a nonexistent domain or a malformed identity, a verdict of Fail is returned.

• Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail. The domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail. The client is not authorized to send mail with the given identity.
• TempError. A transient error occurred during verification.
• PermError. A permanent error occurred during verification.
The following SPF control settings are available for the Host Access Table:

Table 20-4 SPF Control Settings via the CLI
Conformance Level: SPF Only
Available SPF Control Settings:
• whether to perform HELO identity check
• SMTP actions taken based on the results of the following identity checks:
  – HELO identity (if enabled)
  – MAIL FROM Identity
• SMTP response code and text returned for the REJECT action
• verification time out
Conformance Level: SIDF Compatible

What Conformance Level would you like to use?
1. SPF only
2. SIDF compatible
3. SIDF strict
[2]> 1
Would you like to have the HELO check performed? [Y]> y
Would you like to change SMTP actions taken as result of the SPF verification? [N]> y
Would you like to change SMTP actions taken for the HELO identity? [N]> y
What SMTP action should be taken if HELO check returns None?
1. Accept
2.

1. Accept
2. Reject
[1]> 2
What SMTP action should be taken if HELO check returns TempError?
1. Accept
2. Reject
[1]> 2
What SMTP action should be taken if HELO check returns PermError?
1. Accept
2.

SoftFail, Fail, TempError, PermError: Reject
For MAIL FROM Identity: Accept
SMTP Response Settings:
Reject code: 550
Reject text: #5.7.1 SPF unauthorized mail is prohibited.
Get reject response text from publisher: Yes
Defer code: 451
Defer text: #4.4.3 Temporary error occurred during SPF verification.
Verification timeout: 40

See the Cisco AsyncOS CLI Reference Guide for more information on the listenerconfig command.
Determining the Action to Take for SPF/SIDF Verified Mail

When you receive SPF/SIDF verified mail, you may want to take different actions depending on the results of the SPF/SIDF verification. You can use the following message and content filter rules to determine the status of SPF/SIDF verified mail and perform actions on the messages based on the verification results:
• spf-status.
• spf-passed.

• Pass - the client is authorized to send mail with the given identity.
• Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail - the client is not authorized to send mail with the given identity.

            quarantine("Policy");
        }
    }
}

stamp-mail-with-spf-verification-error:
if (spf-status("pra") == "PermError, TempError" or
    spf-status("mailfrom") == "PermError, TempError" or
    spf-status("helo") == "PermError, TempError"){
    # permanent or temporary verification error - stamp the message subject
    strip-header("Subject");
    insert-header("Subject", "[POTENTIAL PHISHING] $Subject");
}
.

Note Unlike the spf-status rule, the spf-passed rule reduces the SPF/SIDF verification values to a simple Boolean. The following verification results are treated as not passed in the spf-passed rule: None, Neutral, SoftFail, TempError, PermError, and Fail. To perform actions on messages based on more granular results, use the spf-status rule.
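The difference between the spf-passed Boolean and the granular spf-status results, plus the subject-stamping logic of the filter above, as an added example in Python that is not the appliance's filter engine. The verification results are a constructed dictionary keyed by identity; the `disposition` policy (quarantine on Fail, stamp on errors, otherwise deliver) is an assumption in the spirit of the chapter's Caution, not a setting the appliance defines.

```python
"""Added example (not the appliance's filter engine): how an spf-passed style
Boolean differs from a granular spf-status check, and the subject-stamping logic
of the chapter's filter, applied to constructed verification results."""
from typing import Dict

SPF_RESULTS = ("None", "Neutral", "Pass", "SoftFail", "Fail", "TempError", "PermError")
IDENTITIES = ("helo", "mailfrom", "pra")
ERRORS = ("PermError", "TempError")


def spf_status(results: Dict[str, str], identity: str) -> str:
    """Granular result for one identity; an unverified identity reports None."""
    status = results.get(identity, "None")
    if status not in SPF_RESULTS:
        raise ValueError(f"unknown SPF result {status!r}")
    return status


def spf_passed(results: Dict[str, str], identity: str = "mailfrom") -> bool:
    """The Boolean reduction the Note describes: only Pass counts as passed."""
    return spf_status(results, identity) == "Pass"


def stamp_on_verification_error(results: Dict[str, str],
                                headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror of stamp-mail-with-spf-verification-error: if any identity check ended
    in PermError or TempError, replace Subject with a tagged copy of the original."""
    new_headers = dict(headers)
    if any(spf_status(results, ident) in ERRORS for ident in IDENTITIES):
        new_headers["Subject"] = "[POTENTIAL PHISHING] " + headers.get("Subject", "")
    return new_headers


def disposition(results: Dict[str, str]) -> str:
    """Assumed policy: quarantine rather than bounce on Fail (per the chapter's
    Caution), stamp on verification errors, otherwise deliver."""
    if any(spf_status(results, ident) == "Fail" for ident in ("mailfrom", "pra")):
        return "quarantine"
    if any(spf_status(results, ident) in ERRORS for ident in IDENTITIES):
        return "stamp"
    return "deliver"


# Constructed result set: HELO and MAIL FROM passed, PRA hit a transient DNS error.
SAMPLE_RESULTS = {"helo": "Pass", "mailfrom": "Pass", "pra": "TempError"}

if __name__ == "__main__":
    print(spf_passed(SAMPLE_RESULTS), spf_passed(SAMPLE_RESULTS, "pra"))
    print(stamp_on_verification_error(SAMPLE_RESULTS, {"Subject": "Invoice"}))
```

The sample shows why the granular rule matters: spf-passed on the MAIL FROM identity is true, yet the PRA identity's TempError would go unnoticed unless a filter looks at each identity separately.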
content filters and review the Content Filters report as explained in Basic Granularity Test of SPF/SIDF Results, page 20-34. If you find that the verification is effective, then you can use SPF/SIDF verification as a basis for deciding whether to drop or bounce emails for this specified group of senders.

Procedure
Step 1 Create a mail flow policy for SPF/SIDF verification. Enable SPF/SIDF verification for the mail flow policy on an incoming listener.

DMARC Verification Workflow in AsyncOS for Email

The following describes how AsyncOS for Email performs DMARC verification.
1. A listener configured on AsyncOS receives an SMTP connection.
2. AsyncOS performs SPF and DKIM verification on the message.
3. AsyncOS fetches the DMARC record for the sender’s domain from the DNS.
4. • If no record is found, AsyncOS skips the DMARC verification and continues processing.
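The decision that follows steps 2 to 4 of the workflow, as an added example that is not AsyncOS code: given the SPF and DKIM results already computed for a message and the DMARC record fetched for the sender's domain, it applies identifier alignment, the published policy (p= or sp= for a subdomain), and the pct= sampling rule. The record and results are passed in rather than looked up, the organizational domain is approximated as the last two labels (a real evaluator uses the Public Suffix List), and `sample` is a constructed 0-99 value standing in for the random draw.

```python
"""Added example (not AsyncOS code): the DMARC decision the workflow describes,
given the SPF and DKIM results already computed for a message. The organizational
domain is approximated as the last two labels (assumption; a real evaluator uses
the Public Suffix List) and no DNS lookup is performed: the record is passed in."""
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into tags; reject anything that is not DMARC."""
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        if "=" in field:
            key, val = field.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Last two labels (assumption standing in for a Public Suffix List lookup)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   record: Optional[str], record_domain: Optional[str],
                   sample: int = 0) -> Dict[str, str]:
    """Return {'result': ..., 'action': ...}. `sample` is a constructed 0-99 value
    standing in for the random draw used to honour pct=."""
    if record is None:
        return {"result": "none", "action": "skip"}   # step 4: no record, skip DMARC
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "action": "deliver"}
    policy = tags["p"]
    # Record found at the organizational domain for a subdomain From: -> sp= applies
    if record_domain and record_domain.lower() != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    pct = int(tags.get("pct", "100"))
    if policy != "none" and sample >= pct:
        # Message falls outside the sampled percentage: step down one policy level
        policy = "quarantine" if policy == "reject" else "none"
    return {"result": "fail", "action": policy}


# Constructed record for example.com: strict SPF alignment, relaxed DKIM alignment.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; pct=100"

if __name__ == "__main__":
    print(evaluate_dmarc("example.com", "pass", "mail.example.com",
                         "fail", "", SAMPLE_RECORD, "example.com"))
```

The first constructed case is the one that surprises people: SPF passed, but because aspf=s requires an exact match, mail.example.com does not align with example.com and the message fails DMARC.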
Table 20-5 How to Verify Incoming Messages Using DMARC
Do This / More Information
Step 4 (Optional) Configure a return address for DMARC feedback reports.

Note By default, AsyncOS provides a default DMARC verification profile. If you do not want to create a new DMARC verification profile, you can use the default DMARC verification profile. The default DMARC verification profile is available on the Mail Policies > DMARC page. For instructions to edit the default DMARC verification profile, see Edit a DMARC Verification Profile, page 20-39.

Procedure
Step 1 Choose Mail Policies > DMARC.

Edit a DMARC Verification Profile

Procedure
Step 1 Choose Mail Policies > DMARC.
Step 2 Click the intended verification profile name.
Step 3 Edit the intended fields as described in Create a DMARC Verification Profile, page 20-37.
Step 4 Submit and commit your changes.

Exporting DMARC Verification Profiles

You can export all DMARC verification profiles on your appliance to a single text file in the configuration directory.

Step 4 Confirm the deletion.

Configure Global DMARC Settings

Procedure
Step 1 Choose Mail Policies > DMARC.
Step 2 Click Edit Global Settings.
Step 3 Make changes to the settings defined in the following table.

Table 20-6 DMARC Global Settings
Global Setting: Specific senders bypass address list
Description: Skip DMARC verification of messages from specific senders. Choose an address list from the drop-down list.

Table 20-6 DMARC Global Settings (continued)
Global Setting: Send copy of all aggregate reports to
Description: Send a copy of all DMARC aggregate reports to specific users, for example, internal users who perform analysis on the aggregate reports. Enter an email address or multiple addresses separated by commas.

• Error report delivery for a domain succeeded
• Error report delivery for a domain failed

Configure a Return Address for DMARC Feedback Reports

Procedure
Step 1 Choose System Administration > Return Addresses.
Step 2 Click Edit Settings.
Step 3 Provide a return address for DMARC aggregate feedback reports.
Step 4 Submit and commit your changes.
Chapter 20 Email Authentication DMARC Verification example.com r r none
none 100 1.1.1.1 2 none fail pass
example.com example.
Chapter 20 DMARC Verification AsyncOS 9.1.
Chapter 21 Text Resources

• Overview of Text Resources, page 21-1
• Content Dictionaries, page 21-2
• Using and Testing the Content Dictionaries Filter Rules, page 21-6
• Understanding Text Resources, page 21-8
• Overview of Text Resource Management, page 21-9
• Using Text Resources, page 21-12

Overview of Text Resources

This chapter discusses creating and managing various text resources, such as content dictionaries, disclaimers, and templates.

Text Resources

Text resources are text objects, such as disclaimers, notification templates, and anti-virus templates. You can create new objects for use in various components of AsyncOS. You can import and export text resources.

Message Disclaimer Stamping

Message disclaimer stamping allows you to add a disclaimer text resource to messages.

For each term, you specify a “weight,” so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it “scores” the message by multiplying the number of term instances by the weight of the term. Two instances of a term with a weight of three would result in a score of six.

You can also create your own dictionary files and import them onto the appliance. The best way to add non-ASCII characters to dictionaries is to add the terms into the dictionary in a text file off the appliance, move that file onto the appliance, and then import that file as a new dictionary. For more information about importing dictionaries, see Importing Dictionaries, page 21-5.

Deleting Dictionaries

Before You Begin
Be aware that AsyncOS marks any message filter that references the deleted dictionary as invalid. AsyncOS leaves any content filter that references the deleted dictionary enabled, but will evaluate it to false.

Procedure
Step 1 Navigate to the Mail Policies > Dictionaries page.
Step 2 Click the trash can icon next to the dictionary to delete in the dictionary listing.

Step 2 Click Export Dictionary.
Step 3 Select the dictionary to export.
Step 4 Enter a file name for the exported dictionary. This is the name of the file that will be created in the configuration directory on the appliance.
Step 5 Select the location to export to.
Step 6 Select an encoding for the text file.
Step 7 Submit and commit your changes.

In the following example, a new message filter using the dictionary-match() rule is created to blind carbon copy the administrator when the appliance scans a message that contains any words within the dictionary named “secret_words” (created in the previous example). Note that because of the settings, only messages that contain the whole word “codename” matching the case exactly will evaluate to true for this filter.
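The scoring rule described earlier in this chapter (instances multiplied by weight) and the whole-word, exact-case matching the “secret_words” example depends on, as an added example that is not AsyncOS code. The dictionary, its terms and the administrator address are constructed; the `threshold` argument and the "bcc:" action string are assumptions for illustration, not the appliance's rule signature.

```python
"""Added example (not AsyncOS code): content dictionary scoring as the chapter
describes it (instances x weight), with the whole-word and case-match settings
the dictionary-match() example relies on. The threshold argument and the bcc
action string are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ContentDictionary:
    name: str
    terms: Dict[str, int] = field(default_factory=dict)   # term -> weight
    whole_words: bool = True
    case_sensitive: bool = True


def score_message(d: ContentDictionary, text: str) -> int:
    """Score = sum over terms of (number of instances * weight)."""
    flags = 0 if d.case_sensitive else re.IGNORECASE
    total = 0
    for term, weight in d.terms.items():
        pattern = re.escape(term)
        if d.whole_words:
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"   # no partial matches like 'codenames'
        total += len(re.findall(pattern, text, flags)) * weight
    return total


def dictionary_match(d: ContentDictionary, text: str, threshold: int = 1) -> bool:
    """True when the message score reaches the threshold (threshold is an assumption)."""
    return score_message(d, text) >= threshold


def dictionary_filter_actions(d: ContentDictionary, text: str) -> List[str]:
    """Actions a filter like the chapter's bcc example would take
    (the administrator address is constructed)."""
    if dictionary_match(d, text):
        return ["bcc:admin@example.com"]
    return []


# Constructed dictionary matching the chapter's settings: whole word, exact case.
secret_words = ContentDictionary("secret_words", {"codename": 3})

if __name__ == "__main__":
    # Only the two exact, whole-word instances count: 2 x 3 = 6
    print(score_message(secret_words, "codename Codename codenames codename"))
```

The same text scored with whole-word and case matching switched off counts all four variants, which is why the chapter stresses that the dictionary's settings decide what "contains the term" means.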
Testing Content Dictionaries

The trace function can provide quick feedback on message filters that use the dictionary-match() rule. See Debugging Mail Flow Using Test Messages: Trace, page 40-1 for more information. You can also use the quarantine() action to test filters, as in the quarantine_codenames filter example above.

Understanding Text Resources

Text resources are text templates that can be attached to messages or sent as messages.

To add non-ASCII characters to text resources, add the terms into the text resource in a text file off the appliance, move that file onto the appliance, and then import that file as a new text resource. For more information about importing text resources, see Importing Text Resources, page 21-10. For information about exporting text resources, see Exporting Text Resources, page 21-10.

Deleting Text Resources

Before you begin
Note the impact of deleting text resources:
• Any message filters that reference the deleted text resource are marked as invalid.
• Any content filters that reference the deleted text resource are left enabled, but will evaluate to false.

Procedure
Step 1 On the Mail Policies > Text Resources page, click the trash can icon under the Delete column for the text resource you want to delete.

Step 4 Select an encoding for the text file.
Step 5 Click Submit to create the text file containing the text resource in the configuration directory.

Overview of HTML-Based Text Resources

You can create some text resources with both HTML-based and plain text messages, such as Disclaimers.

• When you import from a file that contains an empty or nonexistent [html_version] section to create an HTML-based text resource, the appliance creates both an HTML and plain text message using the text in the [text_version] section.

Using Text Resources

All types of text resources are created in the same way, using the Text Resources page or the textconfig CLI command. Once created, each type is used in a different way.

Adding Disclaimer Text via a Listener

Once you have disclaimer text resources created, select which text strings will be appended to messages received by the listener. You can add disclaimer text above or below a message. This feature is available on both public (inbound) and private (outbound) listeners.

The following variables are available for the Disclaimer Template:

Table 21-3 Anti-Virus Notification Variables
Variable / Substituted With
$To Replaced by the message To: header (not the Envelope Recipient).
$From Replaced by the message From: header (not the Envelope Sender).
$Subject Replaced by the subject of the original message.
$Date Replaced by the current date, using the format MM/DD/YYYY.

Table 21-3 Anti-Virus Notification Variables (continued)
Variable / Substituted With
$MatchedContent Returns the content that triggered a scanning filter rule (including filter rules such as body-contains and content dictionaries).
$DLPPolicy Replaced by the name of the email DLP policy violated.
$DLPSeverity Replaced by the severity of the violation. Can be “Low,” “Medium,” “High,” or “Critical.
- NEW - Create a new text resource.
- IMPORT - Import a text resource from a file.
- EXPORT - Export text resource to a file.
- PRINT - Display the content of a resource.
- EDIT - Modify a resource.
- DELETE - Remove a resource from the system.
[]>
mail3.example.com> commit

Now, use the new disclaimer in a filter:
Add-Timestamp: if (mail-from-group == 'Legal') { add-footer('legal.

Example.zip (second attachment part)

The message body after the first blank line may contain many MIME parts. The second and following parts are often called “attachments,” while the first is often called the “body” or “text.” A disclaimer can be included in an email as either an attachment (above) or as part of the body:

To: joe@example.com            (headers)
From: mary@example.com
Subject: Hi!

Hello!                         (body part)
This message has been scanned...

If a header is modified, encode the new header in the same encoding as the message body? (Some MUAs incorrectly handle headers encoded in a different encoding than the body. However, encoding a modified header in the same encoding as the message body may cause certain characters in the modified header to be lost.

body and footer or heading encodings
Choose the operation you want to perform:
- SETUP - Configure multi-lingual settings.

For more information about the localeconfig command, see the “Configuring the Appliance to Receive Mail” chapter.

Notification Templates

Notification templates are used with the notify() and notify-copy() filter actions.

Figure 21-2 Notify Example in a Content Filter

Anti-Virus Notification Templates

There are two types of anti-virus notification templates:
• anti-virus notification template. The anti-virus notification template is used when the original message is not attached to the virus notification.
• anti-virus container template. The container template is used when the original message is sent as an attachment.

Figure 21-3 Anti-Virus Container Template Notification Example in a Mail Policy

Related Topics
• Anti-Virus Notification Variables, page 21-22

Anti-Virus Notification Variables

When creating an anti-virus notification, you can use any of the notification variables listed in Table 21-4:

Table 21-4 Anti-Virus Notification Variables
Variable / Substituted With
$To Replaced by the message To: header (not the Envelope Recipient).

Table 21-4 Anti-Virus Notification Variables (continued)
Variable / Substituted With
$AV_ENCRYPTED_PARTS Replaced by the list of filenames or parts that were encrypted.
$AV_INFECTED_PARTS Replaced by a comma-separated list of filenames for the files that contained a virus.
$AV_UNSCANNABLE_PARTS Replaced by the list of filenames or parts that were unscannable.
$Date Replaced by the current date, using the format MM/DD/YYYY.

Bounce and Encryption Failure Notification Templates

Bounce and encryption failure notification templates are used in basically the same way as notification templates except that they are used with bounce notifications and message encryption failure notifications. You can specify a custom bounce notification to send while editing a bounce profile and a custom message encryption failure notification while editing an encryption profile.

Table 21-5 Bounce Notification Variables (continued)
Variable / Substituted With
$MID Replaced by the Message ID, or “MID” used internally to identify the message. Not to be confused with the RFC822 “Message-Id” value (use $Header to retrieve that).
$BouncedRecipient Bounced recipient address
$BounceReason Reason for this notification
$remotehost Replaced by the hostname of the system that sent the message to the Email Security appliance.
Chapter 22 Validating Recipients Using an SMTP Server

• Overview of SMTP Call-Ahead Recipient Validation, page 22-1
• SMTP Call-Ahead Recipient Validation Workflow, page 22-1
• How to Validate Recipients Using an External SMTP Server, page 22-3
• Enabling a Listener to Validate Incoming Mail Via the SMTP Server, page 22-6
• Configuring LDAP Routing Query Settings, page 22-6
• SMTP Call-Ahead Query Routing, page 22-7
• Bypassing SMTP Call-Ahead Validation for Certain Users or Groups, page

SMTP Call-Ahead Recipient Validation Workflow

Figure 22-1 SMTP Call Ahead Server Conversation Workflow
[Figure: the sending MTA's conversation with the Email Security appliance (MAIL FROM: user@sender.com, RCPT TO: validuser@recipient.com) and the appliance's conversation with the call-ahead SMTP server, numbered steps 1 to 4]

1. The sending MTA initiates an SMTP conversation.
2.

How to Validate Recipients Using an External SMTP Server

Table 22-1 How to Validate Recipients Using an External SMTP Server
Do This / More Info
Step 1 Determine how the appliance connects to the SMTP server and interprets the server’s responses.

Table 22-2 SMTP Call-Ahead Server Profile Settings
Setting / Description
Profile Name: Name of the call-ahead server profile.
Call-Ahead Server Type: Choose from one of the following methods for connecting to the call-ahead server:
• Use Delivery Host. Select this option to specify that the host for the delivery email address is used for the SMTP call-ahead query.

Table 22-3 describes the SMTP Call-Ahead Server Profile advanced settings:

Table 22-3 SMTP Call-Ahead Server Profile Advanced Settings
Setting / Description
Interface: The interface used to initiate the SMTP conversation with the SMTP server. Choose to use the Management interface or Auto. When you select Auto, the Email Security appliance attempts to automatically detect an interface to use.

• 4xx: An SMTP code starting with a 4 means that a temporary failure has occurred in processing the SMTP request. A retry may later be processed successfully. For example, a response of 451 means the requested action was aborted or there was a local error in processing.
• 5xx: An SMTP code starting with 5 means a permanent failure in processing the SMTP request occurred.
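The call-ahead probe from the workflow figure (MAIL FROM, then RCPT TO against the call-ahead server) and the mapping of the 2xx/4xx/5xx reply classes above to a recipient verdict, as an added example that is not AsyncOS code. The call-ahead server is a constructed in-memory function with a fixed user list, so nothing is sent over the network; the reply texts are constructed too.

```python
"""Added example (not AsyncOS code): the call-ahead probe and how the SMTP reply
classes in the chapter map to a recipient verdict. The server is a constructed
in-memory stand-in, so nothing is sent over the network."""
from typing import Callable, Set, Tuple

Server = Callable[[str], str]   # command line in -> reply line out


def classify_reply(reply: str) -> str:
    """2xx -> valid, 4xx -> temporary failure, 5xx -> permanent failure."""
    code = reply[:3]
    if not code.isdigit() or reply[3:4] not in ("", " ", "-"):
        return "invalid"
    return {"2": "valid", "4": "temporary-failure",
            "5": "permanent-failure"}.get(code[0], "invalid")


def call_ahead(server: Server, mail_from: str, rcpt: str) -> Tuple[str, str]:
    """Issue MAIL FROM and RCPT TO to the call-ahead server; the RCPT TO reply decides.
    RSET afterwards so the probe never turns into a delivery."""
    reply = server(f"MAIL FROM:<{mail_from}>")
    verdict = classify_reply(reply)
    if verdict != "valid":
        return verdict, reply          # could not even reach the RCPT stage
    reply = server(f"RCPT TO:<{rcpt}>")
    server("RSET")
    return classify_reply(reply), reply


def fake_call_ahead_server(valid_users: Set[str]) -> Server:
    """Constructed server: knows a fixed user list and one domain whose lookups
    fail temporarily, to exercise the 4xx path."""
    def send(cmd: str) -> str:
        if cmd.startswith("MAIL FROM:"):
            return "250 2.1.0 Sender OK"
        if cmd.startswith("RCPT TO:"):
            addr = cmd[len("RCPT TO:<"):-1]
            if addr in valid_users:
                return "250 2.1.5 Recipient OK"
            if addr.endswith("@busy.example"):
                return "451 4.3.0 Temporary lookup failure"
            return "550 5.1.1 User unknown"
        return "250 2.0.0 OK"
    return send


if __name__ == "__main__":
    srv = fake_call_ahead_server({"validuser@recipient.com"})
    for rcpt in ("validuser@recipient.com", "nobody@recipient.com", "x@busy.example"):
        print(rcpt, call_ahead(srv, "user@sender.com", rcpt))
```

The temporary-failure verdict is the one the listener's configured action for call-ahead temporary failures applies to; the permanent-failure verdict is what lets the appliance refuse the recipient during its own conversation with the sending MTA.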
Figure 22-2 LDAP Routing Query Configured for SMTP Call-Ahead

In this query, the {d} represents the domain part of the recipient address, and the SMTP Call-Ahead Server Attribute returns the values for the call-ahead servers and the port that should be used for the query: smtp2.mydomain.com, smtp3.mydomain.com on port 9025.

• If the LDAP routing query returns a single hostname with a port, the SMTP route is used, but the port returned by the LDAP query is used over any ports specified in SMTP routes. If the SMTP route only lists the destination host as the hostname, a DNS lookup is performed to obtain the IP address of the SMTP server.

Chapter 23 Encrypting Communication with Other MTAs

• Overview of Encrypting Communication with Other MTAs, page 23-1
• Obtaining Certificates, page 23-2
• Enabling TLS on a Listener’s HAT, page 23-6
• Enabling TLS and Certificate Verification on Delivery, page 23-10
• Managing Lists of Certificate Authorities, page 23-16
• Enabling a Certificate for HTTPS, page 23-18

Overview of Encrypting Communication with Other MTAs

Enterprise Gateways (or Message Transfer Agents, i.e.

How to Encrypt SMTP Conversations using TLS

Table 23-1 How to Encrypt SMTP Conversations using TLS
Do This / More Info
Step 1 Obtain an X.509 certificate and private key from a recognized certificate authority.

Caution Your appliance ships with a demonstration certificate to test the TLS and HTTPS functionality, but enabling either service with the demonstration certificate is not secure and is not recommended for general use. When you enable either service with the default demonstration certificate, a warning message is printed in the CLI.

Step 2 Click Add Certificate.
Step 3 Select Create Self-Signed Certificate.
Figure 23-1 shows the Add Certificate page with the Create Self-Signed Certificate option selected.

Figure 23-1 Add Certificate Page

Step 4 Enter the following information for the self-signed certificate:
Common Name: The fully qualified domain name.
Organization: The exact legal name of the organization.
Step 5

Figure 23-2 View Certificate Page

Step 6 Enter a name for the certificate. AsyncOS assigns the common name previously entered by default.
Step 7 If you want to submit a CSR for the self-signed certificate to a certificate authority, click Download Certificate Signing Request to save the CSR in PEM format to a local or network machine.
Step 8 Submit and commit your changes.

Step 8 Submit and commit your changes.

Creating a Self-Signed Certificate or Importing a Certificate using the CLI

To create a self-signed certificate or import a certificate using the CLI, use the certconfig command.

Exporting a Certificate Using the GUI

AsyncOS also allows you to export certificates and save them in the PKCS #12 format.

Procedure
Step 1 Navigate to the Network > Certificates page.

Table 23-2 TLS Settings for a Listener
TLS Setting / Meaning
2. Preferred: TLS is allowed for incoming connections to the listener from MTAs.
3. Required: TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, the appliance responds with an error message to every command other than NOOP, EHLO, or QUIT.
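The listener behaviour described in Table 23-2, as an added example that is not AsyncOS code: a small model of the Off, Preferred and Required settings in which Required refuses every command except NOOP, EHLO and QUIT until STARTTLS has been accepted. The reply codes and texts are constructed for the model (they are common SMTP conventions, not the appliance's actual strings), and the TLS handshake itself is assumed to succeed.

```python
"""Added example (not AsyncOS code): a model of the listener TLS settings in
Table 23-2. In Required mode every command except NOOP, EHLO and QUIT is refused
until STARTTLS succeeds; the reply strings are constructed, not the appliance's."""
from typing import List, Tuple

PRE_TLS_ALLOWED = ("NOOP", "EHLO", "QUIT")


class ListenerTlsGate:
    def __init__(self, mode: str):
        if mode not in ("off", "preferred", "required"):
            raise ValueError(f"unknown TLS setting {mode!r}")
        self.mode = mode
        self.encrypted = False

    def handle(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if self.mode == "off":
                return "502 5.5.1 Command not implemented"   # STARTTLS is not offered
            if self.encrypted:
                return "503 5.5.1 TLS already active"
            self.encrypted = True      # handshake assumed to succeed in this model
            return "220 2.0.0 Ready to start TLS"
        if self.mode == "required" and not self.encrypted and verb not in PRE_TLS_ALLOWED:
            return "530 5.7.0 Must issue a STARTTLS command first"
        return "250 2.0.0 OK"          # the real listener would now run the command


def run_session(mode: str, commands: List[str]) -> List[Tuple[str, str]]:
    """Feed a command sequence through one gate and return (command, reply) pairs."""
    gate = ListenerTlsGate(mode)
    return [(cmd, gate.handle(cmd)) for cmd in commands]


# Constructed client sequence: the first MAIL FROM arrives before STARTTLS.
SESSION = ["EHLO client.example", "MAIL FROM:<a@example.com>",
           "STARTTLS", "MAIL FROM:<a@example.com>"]

if __name__ == "__main__":
    for cmd, reply in run_session("required", SESSION):
        print(f"C: {cmd}\nS: {reply}")
```

Running the same sequence with "preferred" shows the operational difference: the plaintext MAIL FROM is accepted, so a peer that never upgrades still delivers, which is why Required is the setting that actually enforces encryption for a listener.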
Assigning a Certificate to a Public or Private Listener for TLS Connections Using the CLI

Procedure
Step 1 Use the listenerconfig -> edit command to choose a listener you want to configure.
Step 2 Use the certificate command to see the available certificates.
Step 3 Choose the certificate you want to assign to the listener when prompted.

CLI Example: Changing the TLS Setting for a Listener’s HAT

Procedure
Step 1 Use the listenerconfig -> edit command to choose a listener you want to configure.
Step 2 Use the hostaccess -> default command to edit the listener’s default HAT settings.
Step 3 Change the TLS setting by entering one of the following choices when you are prompted with the following questions:
Do you want to allow encrypted TLS connections?
1.

Enabling TLS and Certificate Verification on Delivery

You can require that TLS is enabled for email delivery to specific domains using the Destination Controls page or the destconfig command. In addition to TLS, you can require that the domain’s server certificate is verified. This domain verification is based on a digital certificate used to establish the domain’s credentials.

Table 23-3 TLS Settings for Delivery
TLS Setting / Meaning
3. Required: TLS is negotiated from the Email Security appliance interface to the MTA(s) for the domain. No attempt is made to verify the domain’s certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session.
4.

Related Topics
• Enabling TLS Connection Alerts Using the GUI, page 23-12
• Enabling TLS Connection Alerts Using the CLI, page 23-12

Enabling TLS Connection Alerts Using the GUI

Procedure
Step 1 Navigate to the Mail Policies > Destination Controls page.
Step 2 Click Edit Global Settings.
Step 3 Click Enable for “Send an alert when a required TLS connection fails.

There is currently 1 entry configured.
Choose the operation you want to perform:
- SETUP - Change global settings.
- NEW - Create a new entry.
- DELETE - Remove an entry.
- DEFAULT - Change the default.
- LIST - Display a summary list of all entries.
- DETAIL - Display details for one destination or all entries.
- IMPORT - Import tables from a file.
- EXPORT - Export tables to a file.

- DEFAULT - Change the default.
- LIST - Display a summary list of all entries.
- DETAIL - Display details for one destination or all entries.
- IMPORT - Import tables from a file.
- EXPORT - Export tables to a file.
[]> new
Enter the domain you wish to limit.
[]> partner.com
Do you wish to configure a concurrency limit for partner.

You have chosen to enable TLS. Please use the 'certconfig' command to ensure that there is a valid certificate configured.
Do you wish to apply a specific bounce verification address tagging setting for this domain? [N]> n
Do you wish to apply a specific bounce profile to this domain? [N]> n
There are currently 2 entries configured.

Choose the operation you want to perform:
- SETUP - Change global settings.
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- DEFAULT - Change the default.
- LIST - Display a summary list of all entries.
- DETAIL - Display details for one destination or all entries.
- CLEAR - Remove all entries.
- IMPORT - Import tables from a file.
- EXPORT - Export tables to a file.
Chapter 23 Encrypting Communication with Other MTAs Managing Lists of Certificate Authorities Related Topics • Viewing the Pre-Installed list of Certificate Authorities, page 23-17 • Disabling the System Certificate Authority List, page 23-17 • Importing a Custom Certificate Authority List, page 23-17 • Exporting a Certificate Authorities List, page 23-18 Viewing the Pre-Installed list of Certificate Authorities Procedure Step 1 Navigate to the Network > Certificates page.
Chapter 23 Encrypting Communication with Other MTAs Enabling a Certificate for HTTPS Step 5 Submit and commit your changes. Exporting a Certificate Authorities List If you want to use only a subset of the trusted certificate authorities in the system or edit an existing custom list, you can export the list to a .txt file and edit it to add or remove certificate authorities. After you have finished editing the list, import the file back onto the appliance as a custom list.
After the changes from this command are committed, users can access the Graphical User Interface (GUI) using the URL for secure HTTPS: https://192.168.2.1

mail3.example.com> interfaceconfig

Currently configured interfaces:
1. Management (192.168.42.42/24: mail3.example.com)
2. PrivateNet (192.168.1.1/24: mail3.example.com)
3. PublicNet (192.168.2.1/24: mail3.example.
Would you like to configure an IPv6 address for this interface (y/n)? [N]>

Ethernet interface:
1. Data 1
2. Data 2
3. Management
[2]>

Hostname:
[mail3.example.
The "Demo" certificate is currently configured. You may use "Demo", but this will not be secure. To assure privacy, run "certconfig" first.

Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]>

Currently configured interfaces:
1. Management (192.168.42.42/24: mail3.example.com)
2. PrivateNet (192.168.1.1/24: mail3.example.com)
3. PublicNet (192.168.2.1/24: mail3.
CHAPTER 24

Configuring Routing and Delivery Features

• Routing Email for Local Domains, page 24-1
• Rewriting Addresses, page 24-6
• Creating Alias Tables, page 24-7
• Configuring Masquerading, page 24-16
• The Domain Map Feature, page 24-28
• Directing Bounced Email, page 24-35
• Controlling Email Delivery Using Destination Controls, page 24-42
• Bounce Verification, page 24-51
• Set Email Delivery Parameters, page 24-56
• Configuring Mail Gateways for all Hosted Domains Using Vir
• SMTP Routes Limits, page 24-3
• SMTP Routes and DNS, page 24-3
• SMTP Routes and Alerts, page 24-4
• SMTP Routes, Mail Delivery, and Message Splintering, page 24-4
• SMTP Routes and Outbound SMTP Authentication, page 24-4
• Managing SMTP Routes to Send Outbound Email Using the GUI, page 24-4

SMTP Routes Overview

SMTP Routes allow you to redirect all email for a particular domain to a different mail exchange
Defining an SMTP Route

Use the Network > SMTP Routes page (or the smtproutes command) to construct routes. When you create a new route, you first specify the domain or partial domain for which you want to create a permanent route. You then specify destination hosts. Destination hosts can be entered as fully-qualified hostnames or as IP addresses.
SMTP Routes and Alerts

Alerts sent from the appliance to addresses specified in the System Administration > Alerts page (or the alertconfig command) follow SMTP Routes defined for those destinations.
Step 4 If you add multiple destination hosts, enter an integer between 0 and 65535 to assign priority to the hosts. 0 is the highest priority. See Defining an SMTP Route, page 24-3 for more information.
Step 5 Submit and commit your changes.

Exporting SMTP Routes

Similar to the Host Access Table (HAT) and the Recipient Access Table (RAT), you can also modify SMTP routes mappings by exporting and importing a file.
Figure 24-1 SMTP Routes Defined for a Public Listener
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST ($TRUSTED), BLACKLIST ($BLOCKED), SUSPECTLIST ($THROTTLED), UNKNOWNLIST ($ACCEPTED) and ALL]

The smtproutes command was used to route mail accepted on the public listener InboundMail for example.
Table 24-1 provides an overview of the various features used for rewriting sender and recipient email addresses.
A domain context is a list of one or more domains or partial domains, separated by commas and enclosed in square brackets ('[' and ']'). A domain is a string containing letters, digits, hyphens, and periods as defined in RFC 1035, section 2.3.1, “Preferred name syntax.” A partial domain, such as .example.com, is a domain that begins with a period.
Remember to issue the commit command after you import an alias table file so that the configuration changes take effect.

Deleting Entries from the Alias Table

If you delete entries from the alias table from the command line interface (CLI), you are prompted to choose a domain group first. Choose the “ALL (any domain)” entry to see a numbered list of aliases that apply to all domains.
# The following aliases apply to recipients @ironport.com and
# any subdomain within .example.com because the domain context
# is specified.
#
# Email to joe@ironport.com or joe@foo.example.com will
# be delivered to joseph@example.com.
#
# Similarly, email to fred@mx.example.com will be
# delivered to joseph@example.com
#
# [ironport.com, .example.com]
#
# joe, fred: joseph@example.
# In this example, mail to nobody@example.com is dropped.
#
# nobody@example.com: /dev/null
#
# "Chains" may be created, but they must end in an email address.
# For example, email to "all" will be sent to 9 addresses:
#
# [example.com]
#
# all: sales, marketing, engineering
# sales: joe@example.com, fred@example.com, mary@example.com
# marketing:bob@example.com, advertising
# engineering:betty@example.
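To show how the alias table format above behaves end to end (domain contexts, chained aliases that must end in an email address, and /dev/null drops), here is an added example that is not Cisco's code or anything from the guide. The sample table is constructed for the example; it assumes that a partial-domain context such as .example.com matches subdomains only and that, when several contexts match, the first in file order wins.

```python
"""Expand recipients through an AsyncOS-style alias table.

Added example, not Cisco's code. It implements the alias table format the
text describes: '#' comments, a [domain, .partialdomain] line that opens a
domain context, 'alias, alias: target, target' mappings, chained aliases
that must end in an email address, and /dev/null to drop mail.
Assumptions of this example: a partial-domain context (.example.com) matches
subdomains only, and when several contexts match a recipient the first one
in file order wins.
"""

DROP = "/dev/null"

# Constructed sample table, modelled on the commented examples in the text.
SAMPLE_TABLE = """
# global aliases: only full addresses are allowed here
admin@example.com: administrator@example.com
nobody@example.com: /dev/null

[ironport.com, .example.com]
joe, fred: joseph@example.com

[example.com]
all: sales, marketing, engineering
sales: joe@example.com, fred@example.com, mary@example.com
marketing: bob@example.com, advertising
engineering: betty@example.com, carl@example.com
advertising: ann@example.com, dan@example.com, eve@example.com
"""


def parse_alias_table(text):
    """Return [(context, {alias: [targets]})]; context None means global."""
    blocks, context, mapping = [], None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if mapping:
                blocks.append((context, mapping))
            context = tuple(d.strip().lower() for d in line[1:-1].split(",") if d.strip())
            mapping = {}
            continue
        if ":" not in line:
            raise ValueError(f"malformed alias line: {raw!r}")
        lhs, rhs = line.split(":", 1)
        targets = [t.strip().lower() for t in rhs.split(",") if t.strip()]
        if not targets:
            raise ValueError(f"alias without targets: {raw!r}")
        for alias in (a.strip().lower() for a in lhs.split(",")):
            if context is None and "@" not in alias:
                raise ValueError(f"global alias {alias!r} must be a full address")
            mapping[alias] = targets
    if mapping:
        blocks.append((context, mapping))
    return blocks


def context_matches(context, domain):
    """A context matches an exact domain, or subdomains of a .partial domain."""
    if context is None:
        return True
    return any(domain.endswith(d) if d.startswith(".") else domain == d for d in context)


def find_targets(blocks, address):
    """Return (targets, mapping) of the first matching alias entry, or (None, None)."""
    local, _, domain = address.partition("@")
    for context, mapping in blocks:
        if not context_matches(context, domain):
            continue
        if address in mapping:                          # "user@domain" alias
            return mapping[address], mapping
        if context is not None and local in mapping:    # "user" alias in a domain context
            return mapping[local], mapping
    return None, None


def expand(blocks, address):
    """Return the sorted final delivery addresses for a recipient.

    An unaliased recipient is returned unchanged; an empty list means the
    mail is dropped (/dev/null). Loops and chains that do not end in an
    email address raise ValueError.
    """
    address = address.lower()
    targets, mapping = find_targets(blocks, address)
    if targets is None:
        return [address]
    domain = address.partition("@")[2]
    return sorted(set(_expand_targets(mapping, domain, targets, {address})))


def _expand_targets(mapping, domain, targets, seen):
    out = []
    for t in targets:
        if t == DROP:
            continue                                    # dropped, never delivered
        if "@" in t:
            out.append(t)                               # chain ends in a real address
        elif t in mapping:
            name = f"{t}@{domain}"
            if name in seen:
                raise ValueError(f"alias loop involving {name}")
            out.extend(_expand_targets(mapping, domain, mapping[t], seen | {name}))
        else:
            raise ValueError(f"chain does not end in an email address: {t!r}")
    return out


BLOCKS = parse_alias_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for rcpt in ("joe@ironport.com", "fred@mx.example.com", "nobody@example.com", "all@example.com"):
        print(f"{rcpt} -> {expand(BLOCKS, rcpt)}")
```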
How do you want your aliases to apply?
1. Globally
2. Add a new domain context
[1]> 2

Enter new domain context.
Separate multiple domains with commas.
Partial domains such as .example.com are allowed.
[]> example.com

Enter the alias(es) to match on.
Separate multiple aliases with commas.
Allowed aliases:
- "user" - This user in this domain context.
- "user@domain" - This email address.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> new

How do you want your aliases to apply?
1. Globally
2. Add a new domain context
3. example.com
[1]> 1

Enter the alias(es) to match on.
Separate multiple aliases with commas.
Allowed aliases:
- "user@domain" - This email address.
Do you want to add another alias? [N]> n

There are currently 2 mappings defined.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display the table.
- IMPORT - Import aliases from a file.
- EXPORT - Export table to a file.
- CLEAR - Clear the table.
[]> print

admin: administrator@example.com

[ example.com ]

customercare: bob@example.
- CLEAR - Clear the table.
[]>

At this point, our Email Gateway configuration looks like this:
Figure 24-2 Alias Tables Defined for the Appliance
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST and ALL, and its Recipient Access Table (RAT); IP interface: PublicNet (e.g. 192.168.2.
Note The Masquerading feature is configured on a per-listener basis, as opposed to the Alias Tables functionality, which is configured for the entire system.

Note A listener checks the masquerading table for matches and modifies the recipients while the message is in the work queue, immediately after LDAP recipient acceptance queries and before LDAP routing queries. See the “Understanding the Email Pipeline” chapter.
A domain masquerading table is constructed as follows:

Table 24-3 Masquerading Table Syntax
Left-hand Side (LHS): a list of one or more usernames and/or domains to match
Separator: whitespace (space or tab character)
Right-hand Side (RHS): the rewritten username and/or domain

The following table lists valid entries in the masquerading table:

Left-hand Side (LHS)    Right-hand Side (RHS)
username                username@domain          This entry s
Sample Masquerading Table for a Private Listener

# sample Masquerading file
@.example.com @example.com            # Hides local subdomains in the header
sales sales_team@success.com
@techsupport tech_support@biggie.com
user@localdomain user@company.com
ALL @bigsender.com

Importing a Masquerading Table

A traditional sendmail /etc/mail/genericstable file can be imported.
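To make the sample table above concrete, here is an added example (not Cisco's code or anything from the guide) that parses it and rewrites the To, From and Cc headers the way the table describes. It assumes that when several entries match an address the most specific one wins (full address, then user@.domain, username, @domain, @.domain, ALL); the guide does not state the precedence, so that ordering is this example's assumption.

```python
"""Apply an AsyncOS-style domain masquerading table to message headers.

Added example, not Cisco's code. It implements the table format and the
left-hand-side forms the text lists: a bare username, a full address, a
full address with subdomain wildcard (user@.domain), @domain, @.domain
(subdomains), @host and ALL. A right-hand side that is only @domain keeps
the username and rewrites the domain; any other right-hand side replaces
the whole address. The headers rewritten are To, From and Cc, as shown in
the text. Assumption of this example: when several entries match, the most
specific one wins (full address > user@.domain > username > @domain >
@.domain > ALL).
"""
from email.utils import formataddr, getaddresses

MASQUERADED_HEADERS = ("To", "From", "Cc")

# Constructed copy of the sample table from the text.
SAMPLE_TABLE = """
# sample Masquerading file
@.example.com @example.com        # Hides local subdomains in the header
sales sales_team@success.com
@techsupport tech_support@biggie.com
user@localdomain user@company.com
ALL @bigsender.com
"""


def parse_masquerade_table(text):
    """Return [(lhs, rhs)] from whitespace-separated columns, comments removed."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"expected 'LHS RHS', got {raw!r}")
        lhs, rhs = parts
        lhs = "ALL" if lhs.upper() == "ALL" else lhs.lower()
        if lhs != "ALL" and "@" not in lhs and "@" not in rhs[1:]:
            # the CLI only accepts a full address as RHS for a bare username
            raise ValueError(f"username entry {lhs!r} needs a full address, got {rhs!r}")
        rules.append((lhs, rhs.lower()))
    return rules


def _specificity(lhs):
    """Rank used to pick the winning entry (assumption, see module docstring)."""
    if lhs == "ALL":
        return 0
    if lhs.startswith("@."):
        return 1
    if lhs.startswith("@"):
        return 2
    _, _, dom = lhs.partition("@")
    if not dom:
        return 3
    return 4 if dom.startswith(".") else 5


def _matches(lhs, local, domain):
    if lhs == "ALL":
        return True
    if lhs.startswith("@."):
        return domain.endswith(lhs[1:])           # subdomains of the partial domain
    if lhs.startswith("@"):
        return domain == lhs[1:]                  # exact domain or host
    user, _, dom = lhs.partition("@")
    if local != user:
        return False
    if not dom:
        return True                               # bare username, any domain
    return domain.endswith(dom) if dom.startswith(".") else domain == dom


def masquerade(rules, address):
    """Rewrite one address through the table; unmatched addresses pass through."""
    local, _, domain = address.lower().partition("@")
    winner = max((r for r in rules if _matches(r[0], local, domain)),
                 key=lambda r: _specificity(r[0]), default=None)
    if winner is None:
        return address.lower()
    rhs = winner[1]
    return f"{local}{rhs}" if rhs.startswith("@") else rhs


def masquerade_headers(rules, headers):
    """Return a copy of the header dict with To, From and Cc rewritten."""
    out = dict(headers)
    for name in MASQUERADED_HEADERS:
        if name in out:
            pairs = getaddresses([out[name]])     # handles "Display Name <addr>" lists
            out[name] = ", ".join(formataddr((disp, masquerade(rules, addr)))
                                  for disp, addr in pairs)
    return out


RULES = parse_masquerade_table(SAMPLE_TABLE)

if __name__ == "__main__":
    sample = {"From": "Bob <bob@hr.example.com>",
              "To": "pat@example.com, help@techsupport", "Subject": "status"}
    for k, v in masquerade_headers(RULES, sample).items():
        print(f"{k}: {v}")
```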
1. InboundMail (on PublicNet, 192.168.2.1) SMTP TCP Port 25 Public
2. OutboundMail (on PrivateNet, 192.168.1.1) SMTP TCP Port 25 Private

Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address should be accepted or bounced/dropped.
[]> new

Enter the source address or domain to masquerade.
Usernames like "joe" are allowed.
Full addresses like "user@example.com" are allowed.
Full addresses with subdomain wildcards such as "username@.company.com" are allowed.
Domains like @example.com and @.example.com are allowed.
Hosts like @training and @.sales are allowed.
[]> @.example.com

Enter the masqueraded address or domain.
Domains like @example.com are allowed.
[]> new

Enter the source address or domain to masquerade.
Usernames like "joe" are allowed.
Full addresses like "user@example.com" are allowed.
Full addresses with subdomain wildcards such as "username@.company.com" are allowed.
Domains like @example.com and @.example.com are allowed.
Hosts like @training and @.sales are allowed.
[]> joe

Enter the masqueraded address.
Only full addresses such as user@example.com are allowed.
@.example.com    @example.com
joe              joe@example.com

Domain Masquerading Table
There are currently 2 entries.
Masqueraded headers: To, From, Cc
Choose the operation you want to perform:
- NEW - Create a new entry.
- DELETE - Remove an entry.
- PRINT - Display all entries.
- IMPORT - Import all entries from a file.
- EXPORT - Export all entries to a file.
- CONFIG - Configure masqueraded headers.
- CLEAR - Remove all entries.
- NEW - Create a new entry.
- DELETE - Remove an entry.
- PRINT - Display all entries.
- IMPORT - Import all entries from a file.
- EXPORT - Export all entries to a file.
- CONFIG - Configure masqueraded headers.
- CLEAR - Remove all entries.
- DELETE - Remove an entry.
- PRINT - Display all entries.
- IMPORT - Import all entries from a file.
- EXPORT - Export all entries to a file.
- CONFIG - Configure masqueraded headers.
- CLEAR - Remove all entries.
[]>

Name: OutboundMail
Type: Private
Interface: PrivateNet (192.168.1.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure an LDAP query to reroute messages.
- LDAPGROUP - Configure an LDAP query to determine whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure an SMTP authentication.
Figure 24-3 Masquerading Defined for a Private Listener
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST and ALL, and its Recipient Access Table (RAT); IP interface: PublicNet (e.g. 192.168.2.
Note The processing of the domain map feature happens immediately before the RAT and right after Default Domain is evaluated. See the “Understanding the Email Pipeline” chapter.

A common implementation of the domain map feature is to accept incoming mail for more than one legacy domain.
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
[]> 1

Name: InboundMail
Type: Public
Interface: PublicNet (192.168.2.
- RCPTACCESS - Modify the Recipient Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
[]> domainmap

Domain Map Table
There are currently 0 Domain Mappings.
Domain Mapping is: disabled
Choose the operation you want to perform:
- NEW - Create a new entry.
Domain Map Table
There are currently 1 Domain Mappings.
Domain Mapping is: enabled
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- PRINT - Display all domain mappings.
- IMPORT - Import domain mappings from a file.
- EXPORT - Export domain mappings to a file.
- CLEAR - Clear all domain mappings.
[]> print

@.oldcompanyname.com --> @example.
- EXPORT - Export domain mappings to a file.
- CLEAR - Clear all domain mappings.
[]>

Name: InboundMail
Type: Public
Interface: PublicNet (192.168.2.
- DOMAINMAP - Configure domain mappings.
[]>

Related Topics
• Importing and Exporting a Domain Map Table, page 24-34

Importing and Exporting a Domain Map Table

To import or export a domain map table, first see Appendix A, “FTP, SSH, and SCP Access” to ensure that you can access the appliance. Create a text file of entries of domains to map. Separate the entries with white space (either a tab character or spaces).
Figure 24-4 Domain Map Defined for a Public Listener
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST and ALL, and a Recipient Access Table (RAT) listing example.com and newcompanyname.
Related Topics
• Handling Undeliverable Email, page 24-36
• Creating a New Bounce Profile, page 24-40
• Applying Bounce Profiles to Listeners, page 24-41

Handling Undeliverable Email

The AsyncOS operating system classifies undeliverable email, or “bounced messages,” into the following categories:

“Conversational” bounces: The remote domain bounces the message during the initial SMTP conversation.
• By default, the system generates a bounce message and sends it to the original sender for each hard bounced recipient. (The message is sent to the address defined in the Envelope Sender address of the message envelope. Envelope From is also commonly referred to as the Envelope Sender.) You can disable this feature and instead rely on log files for information about hard bounces. (See the “Logging” chapter.
Table 24-5 Bounce Profile Parameters (continued)
Use DomainKeys signing for bounce and delay messages: You can select a DomainKeys profile to use for signing bounce and delay messages. For information on DomainKeys, see DomainKeys and DKIM Authentication, page 20-1.
Example Bounce Profiles

Consider these two examples using different bounce profile parameters:

Table 24-6 Example 1: Bounce Profile Parameters
Parameter                                        Value
Max number of retries                            2
Max number of seconds in queue                   259,200 seconds (72 hours)
Initial number of seconds before retrying        60 seconds
Max number of seconds to wait before retrying    60 seconds

In Example 1, the first recipient delivery attempt is made at t=0, imm
Delay Warning Messages

Time in Queue Messages (delay notification messages) generated by the system also use the DSN format. Change the default parameters by using the Bounce Profiles page on the Network menu (or the bounceconfig command) to edit existing or create new bounce profiles and change the default values for:
• The minimum interval between sending delay warning messages.
Applying Bounce Profiles to Listeners

Once you have created a bounce profile, you can apply that profile to a listener using the Network > Listeners page or the listenerconfig command. In the following example, the bouncepr1 profile is applied to the OutgoingMail listener.

At this point, our Email Gateway configuration looks like this:
Figure 24-5 Applying a Bounce Profile to a Private Listener
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST and ALL, and its Recipient Access Table (RAT). Note: This public listener remains unchanged.]
• TLS, page 24-43
• Bounce Verification, page 24-43
• Bounce Profile, page 24-43

• Concurrent Connections: number of simultaneous connections to remote hosts the appliance will attempt to open.
• Maximum Messages Per Connection: number of messages your appliance will send to a destination domain before the appliance initiates a new connection.
In greater detail: local addresses are identified by applying the interface netmask to the interface IP address. Both of these are set via the Network > Interfaces page or by the interfaceconfig command (or during system setup). If the address space overlaps, the most specific netmask is used. If a destination is local, packets are sent via the appropriate local interface.
Controlling the Number of Connections, Messages, and Recipients to a Domain

You may want to limit how your appliance will deliver email to avoid overwhelming remote hosts or your own internal groupware servers with email from your appliance.
Table 24-8 Values in the Destination Controls Table (continued)
Field: Apply Limits
Description: Specifies whether the limit is applied (enforced) to the entire domain or to each mail exchange IP address specified for that domain. (Many domains have multiple MX records.) This setting applies to connection, message, and recipient limits.
Controlling Bounce Verification Tagging

You can specify whether or not mail sent is tagged for bounce verification. You can specify this for the default, as well as specific destinations. Cisco suggests enabling bounce verification for the default, and then creating new destinations for specific exclusions. See Bounce Verification, page 24-51 for more information.
You can define any of the following parameters for a domain in the configuration file. All parameters are required for the [DEFAULT] section except for the bounce_profile parameter:

Table 24-9 Destination Control Configuration File Parameters
Parameter Name: ip_sort_pref
Description: Specifies the Internet Protocol version for the domain.
Table 24-9 Destination Control Configuration File Parameters
Parameter Name: table_tls
Description: Specifies the TLS setting for the domain. See Enabling TLS and Certificate Verification on Delivery, page 23-10 for more information.
limit_apply = VG
table_tls = off
bounce_validation = 0
send_tls_req_alert = 0
certificate = example.com

[example1.com]
ip_sort_pref = PREFER_V6
recipient_minutes = 60
recipient_limit = 100
table_tls = require_verify
limit_apply = VG
bounce_profile = tls_failed
limit_type = host

[example2.
TLS: Required (Verify)
Bounce Profile: tls_failed

example2.com
IP Address Preference: IPv6 Preferred
Maximum messages per connection: Default
Rate Limiting: Default
TLS: Preferred
Bounce Profile: tls_failed

Use the Import Table button on the Destination Controls page or the destconfig -> import command to import a configuration file.
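Before importing a destination controls file it is worth checking what each domain will actually get once [DEFAULT] fills in the parameters it leaves unset, and where that leaves TLS or bounce verification weaker than intended. The following added example (not Cisco's code or anything from the guide) parses the file format shown above and audits the effective per-domain settings; the sample file is constructed, and the table_tls values beyond off and require_verify, their GUI labels, and bounce_validation = 1 meaning "tagging enabled" are assumptions of the example.

```python
"""Parse and audit an AsyncOS destination controls configuration file.

Added example, not Cisco's code. It reads the destconfig import/export
format shown in the text ([DEFAULT] plus one section per domain, key =
value lines) and reports where the effective per-domain settings are weaker
than a TLS-verifying, bounce-tagging baseline. A domain section falls back
to [DEFAULT] for every parameter it does not set, which is exactly what
configparser's DEFAULT section does. Assumptions of this example: the
table_tls values other than 'off' and 'require_verify' (the two on the
page) and their GUI labels, and that bounce_validation = 1 means tagging
is enabled.
"""
import configparser

# Parameters the text says [DEFAULT] must carry (bounce_profile is optional).
REQUIRED_DEFAULTS = (
    "ip_sort_pref", "recipient_minutes", "recipient_limit", "limit_type",
    "limit_apply", "table_tls", "bounce_validation", "send_tls_req_alert",
    "certificate",
)

# GUI label for each table_tls value (assumed for all but off/require_verify).
TLS_LABELS = {
    "off": "No",
    "on": "Preferred",
    "require": "Required",
    "on_verify": "Preferred (Verify)",
    "require_verify": "Required (Verify)",
}

# Constructed sample file modelled on the excerpt in the text.
SAMPLE_CONFIG = """\
[DEFAULT]
ip_sort_pref = PREFER_V6
recipient_minutes = 60
recipient_limit = 300
limit_type = host
limit_apply = VG
table_tls = off
bounce_validation = 0
send_tls_req_alert = 0
certificate = example.com

[example1.com]
recipient_limit = 100
table_tls = require_verify
bounce_profile = tls_failed

[example2.com]
table_tls = on
bounce_profile = tls_failed

[partner.example]
bounce_validation = 1
"""


def parse_destconfig(text):
    """Parse the file, checking [DEFAULT] completeness and table_tls values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    missing = [k for k in REQUIRED_DEFAULTS if k not in cp.defaults()]
    if missing:
        raise ValueError(f"[DEFAULT] is missing required parameters: {missing}")
    for section in ["DEFAULT", *cp.sections()]:
        tls = cp[section]["table_tls"]
        if tls not in TLS_LABELS:
            raise ValueError(f"[{section}]: unknown table_tls value {tls!r}")
    return cp


def effective(cp, domain):
    """Effective settings for a domain (or 'DEFAULT'), [DEFAULT] filling gaps."""
    if domain not in cp:
        domain = "DEFAULT"        # destinations without an entry get the default
    return dict(cp[domain])


def audit(cp):
    """Return {domain: [finding codes]} for settings a reviewer would question."""
    findings = {}
    for domain in ["DEFAULT", *cp.sections()]:
        s = cp[domain]
        codes = []
        if s["table_tls"] in ("off", "on", "on_verify"):
            codes.append("tls_optional")        # may fall back to cleartext delivery
        if s["table_tls"] in ("on", "require"):
            codes.append("tls_unverified")      # remote certificate is not verified
        if s["bounce_validation"] != "1":
            codes.append("bounce_tagging_off")  # Cisco suggests tagging on by default
        findings[domain] = codes
    return findings


CP = parse_destconfig(SAMPLE_CONFIG)

if __name__ == "__main__":
    for domain, codes in audit(CP).items():
        tls = TLS_LABELS[CP[domain]["table_tls"]]
        print(f"{domain:16} TLS: {tls:20} {', '.join(codes) or 'ok'}")
```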
Note that you can use Bounce Verification to manage incoming bounce messages based on your outgoing mail. To control how your appliance generates outgoing bounces (based on incoming mail), see Directing Bounced Email, page 24-35.
Fri Jul 21 16:03:51 2006 Info: Message aborted MID 26603 Receiving aborted by sender
Fri Jul 21 16:03:51 2006 Info: Message finished MID 26603 aborted

Note When delivering non-bounce mail to your own internal mail server (Exchange, etc.), you should disable Bounce Verification tagging for that internal domain. AsyncOS considers bounces as mail with a null Mail From address (<>).
Figure 24-6 The Consider Untagged Bounces to be Valid HAT Parameter

Preventing a Bounced Message Storm Using Bounce Verification

Procedure
Step 1 Enter a tagging key. For more information, see Configuring Bounce Verification Address Tagging Keys, page 24-55.
Step 2 Edit the bounce verification settings. For more information, see Configuring Bounce Verification Settings, page 24-55.
Configuring Bounce Verification Address Tagging Keys

The Bounce Verification Address Tagging Keys listing shows your current key and any unpurged keys you have used in the past. To add a new key:

Procedure
Step 1 On the Mail Policies > Bounce Verification page, click New Key.
Step 2 Enter a text string and click Submit.
Step 3 Commit your changes.
Set Email Delivery Parameters

The deliveryconfig command sets parameters to be used when delivering email from the appliance. The appliance accepts email using multiple mail protocols: SMTP and QMQP. However, all outgoing email is delivered using SMTP, which is why the deliveryconfig command does not require that the protocol be specified.
Default Maximum Concurrency

You also specify the default maximum number of concurrent connections the appliance makes for outbound message delivery. (The system-wide default is 10,000 connections to separate domains.
mail3.example.com>

Our Email Gateway configuration now looks like this:
Figure 24-8 Setting Destination and Delivery Parameters
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST and ALL, and a Recipient Access Table (RAT) listing example.com and newcompanyname.
The Cisco Virtual Gateway technology allows you to configure enterprise mail gateways for all domains you host — with distinct IP addresses, hostname and domains — and create separate corporate email policy enforcement and anti-spam strategies for those domains, while hosted within the same physical appliance.
• altsrchost Limits, page 24-64
• Example Text File with Valid Mappings for the altsrchost Command, page 24-64
• Adding an altsrchost Mapping through the CLI, page 24-64

Creating New IP Interfaces for Use with Virtual Gateways

After the IP addresses and hostnames have been established, the first step in configuring the Virtual Gateway addresses is to create new IP i
Figure 24-10 Adding Another Public Interface
[Figure: IronPort Email Security appliance with IP interfaces PublicNet2 (192.168.2.2), PublicNet (192.168.2.1) and PrivateNet (e.g. 192.168.1.1) on Ethernet interfaces Data 1 and Data 2]

Using Virtual Gateway addresses, a configuration like the one shown in Figure 24-11 is also possible.
To specify which IP interface or interface group the system will deliver email from, you create mapping keys that pair either the sender’s IP address or the Envelope Sender address to an IP interface or interface group (specified by interface name or group name). AsyncOS will compare both the IP address and Envelope Sender address to the mapping keys.
Step 5 Use the import subcommand of altsrchost to import the edited file.

altsrchost Limits

You can define up to 1,000 altsrchost entries.

Example Text File with Valid Mappings for the altsrchost Command

# Comments to describe the file
@example.com DemoInterface
paul@ PublicInterface
joe@ PublicInterface
192.168.1.5, DemoInterface
steve@example.
[]> new

Enter the Envelope From address or client IP address for which you want to set up a Virtual Gateway mapping. Partial addresses such as "@example.com" or "user@" are allowed.
[]> @exchange.example.com

Which interface do you want to send messages for @exchange.example.com from?
1. PublicNet2 (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.
Which interface do you want to send messages for 192.168.35.35 from?
1. PublicNet2 (192.168.2.2/24: mail4.example.com)
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail4.example.com)
[1]> 1

Mapping for 192.168.35.35 on interface PublicNet2 created.
- CLEAR - Remove all mappings.
[]>

mail3.example.
The statistics returned are grouped into two categories: counters and gauges. In addition, other data returned include: last activity, MX records, and last 5XX error.

Managing Delivery Connections per Virtual Gateway Address

Certain system parameters require settings at the system and Virtual Gateway address levels. For example, some recipient ISPs limit the number of connections they allow for each client host.
Table 24-10 Global Unsubscribe Syntax (continued)
@example.com   Domain: The domain syntax is used to block all recipients destined for a particular domain. The syntax is the specific domain, preceded by an at sign (@).
@.example.com  Partial Domain: The partial domain syntax is used to block all recipients destined for a particular domain and all its subdomains.
10.1.28.
[]> user@example.net

Email Address 'user@example.net' added.
Global Unsubscribe is enabled.
Choose the operation you want to perform:
- NEW - Create a new entry.
- DELETE - Remove an entry.
- PRINT - Display all entries.
- IMPORT - Import entries from a file.
- EXPORT - Export all entries to a file.
- SETUP - Configure general settings.
- CLEAR - Remove all entries.
- EXPORT - Export all entries to a file.
- SETUP - Configure general settings.
- CLEAR - Remove all entries.
[]>

mail3.example.com> commit

Please enter some comments describing your changes:
[]> Added username “user@example.
Step 4 Save the file and place it in the configuration directory for the interface so that it can be imported. (See Appendix A, “FTP, SSH, and SCP Access” for more information.)
Step 5 Use the import subcommand of unsubscribe to import the edited file.

Our Email Gateway configuration now looks like this:
Figure 24-13 Global Unsubscribe Example
[Figure: public listener InboundMail with its Host Access Table (HAT) entries WHITELIST ($TRUSTED), BLACKLIST ($BLOCKED), SUSPECTLIST ($THROTTLED), UNKNOWNLIST ($ACCEPTED) and ALL]

A global unsubscribe entry for the address user@example.net was created.
Chapter 24 Configuring Routing and Delivery Features Review: Email Pipeline Note Table 24-11 For outgoing mail, RSA Email Data Loss Prevention scanning takes place after the Outbreak Filters stage.
Chapter 24 Configuring Routing and Delivery Features Review: Email Pipeline Table 24-12 Email Pipeline for the Email Security Appliance: Routing and Delivery Features LDAP Recipient Acceptance LDAP validation for recipient acceptance occurs within the work queue. If the recipient is not found in the LDAP directory, the message is dropped or bounced. LDAP validation can be configured to occur within the SMTP conversation instead.
CHAPTER 25 LDAP Queries

• Overview of LDAP Queries, page 25-1
• Working with LDAP Queries, page 25-12
• Using Acceptance Queries For Recipient Validation, page 25-19
• Using Routing Queries to Send Mail to Multiple Target Addresses, page 25-20
• Using Masquerading Queries to Rewrite the Envelope Sender, page 25-21
• Using Group LDAP Queries to Determine if a Recipient is a Group Member, page 25-23
• Using Domain-based Queries to Route to a Particular Domain, page 25-26
• Using Chain Qu

Overview of LDAP Queries

• Creating LDAP Server Profiles to Store Information About the LDAP Server, page 25-5
• Testing LDAP Servers, page 25-6
• Enabling LDAP Queries to Run on a Particular Listener, page 25-7
• Enhanced Support for Microsoft Exchange 5.

• External Authentication. You can configure your appliance to use your LDAP directory to authenticate users logging in to the appliance. For more information, see Configuring External LDAP Authentication for Users, page 25-40.
• Spam Quarantine End-User Authentication. You can configure your appliance to validate users when they log in to the end-user quarantine. For more information, see Authenticating End-Users of the Spam Quarantine, page 25-43.
Note: When you configure a group query, you need to take additional steps to configure AsyncOS to work with the LDAP server. For information on configuring a group query, see Using Group LDAP Queries to Determine if a Recipient is a Group Member, page 25-23. When you configure an end-user authentication or spam notification consolidation query, you must enable LDAP end-user access to the Spam Quarantine.

If you configure the LDAP server profile for load balancing, these connections are distributed among the listed LDAP servers. For example, if you configure 10 simultaneous connections and load balance the connections over three servers, AsyncOS creates 10 connections to each server, for a total of 30 connections.

Note: The maximum number of simultaneous connections includes LDAP connections used for LDAP queries.

Enabling LDAP Queries to Run on a Particular Listener

To allow the appliance to run LDAP queries when you receive or send messages, you must enable the LDAP query on the appropriate listener.

Figure 25-2 Configuring an LDAP Server Profile (1 of 2)

First, the nickname of “PublicLDAP” is given for the myldapserver.example.com LDAP server. The number of connections is set to 10 (the default), and the multiple LDAP server (hosts) load balance option is left as the default. You can specify multiple hosts here by providing a comma-separated list of names. Queries are directed to port 3268 (the default).

Figure 25-4 Enabling Acceptance and Routing Queries on a Listener

Enabling LDAP Queries on a Private Listener

In this example, the private listener “OutboundMail” is updated to use LDAP queries for masquerading. The masqueraded fields include: From, To, CC, and Reply-To.

Figure 25-5 Enabling a Masquerading Query on a Listener

Enhanced Support for Microsoft Exchange 5.5

AsyncOS includes a configuration option to provide support for Microsoft Exchange 5.

1. PublicLDAP: (ldapexample.com:389)
Choose the operation you want to perform:
- NEW - Create a new server configuration.
- EDIT - Modify a server configuration.
- DELETE - Remove a server configuration.
[]> edit
Enter the name or number of the server configuration you wish to edit.
[]> 1
Name: PublicLDAP
Hostname: ldapexample.
Base: dc=ldapexample,dc=com
Microsoft Exchange 5.5 Compatibility Mode: Disabled
Choose the operation you want to perform:
- NAME - Change the name of this configuration.
- HOSTNAME - Change the hostname used for this query.
- PORT - Configure the port.
- AUTHTYPE - Choose the authentication type.
- BASE - Configure the query base.
- COMPATIBILITY - Set LDAP protocol compatibility options.
[]> compatibility
Would you like to enable Microsoft Exchange 5.
- BASE - Configure the query base.
- COMPATIBILITY - Set LDAP protocol compatibility options.
[]>

Working with LDAP Queries

You create an entry in the LDAP server profile for each type of LDAP query you want to perform. When you create LDAP queries, you must enter the query syntax for your LDAP server.

• SMTP authentication. For more information, see Configuring AsyncOS for SMTP Authentication, page 25-32.
• External authentication. For more information, see Configuring External LDAP Authentication for Users, page 25-40.
• Spam quarantine end-user authentication query. For more information, see Authenticating End-Users of the Spam Quarantine, page 25-43.
• Spam quarantine alias consolidation query.

Note: The {f} token is valid in acceptance queries only.

For example, you might use the following query to accept mail for an Active Directory LDAP server:

(|(mail={a})(proxyAddresses=smtp:{a}))

Note: Cisco Systems strongly recommends using the Test feature of the LDAP page (or the test subcommand of the ldapconfig command) to test all queries you construct and ensure that expected results are returned before you enable LDAP functionality on a listener.

Specific permissions must be granted on a Microsoft Exchange 2000 server in order to allow “anonymous” or “anonymous bind” authentication for the purpose of querying user email addresses. This can be very useful when an LDAP query is used to determine the validity of an incoming email message to the SMTP gateway.

– Click to select the Allow check box for the Permission permission.

Step 3 Configure the Cisco Messaging Gateway. Use ldapconfig on the Command Line Interface (CLI) to create an LDAP server entry with the following information.

– Click the User Object ANONYMOUS LOGON, and then click OK.
– Click the Permission Type tab.
– Click Inheritance from the Apply onto box.
– Click to select the Allow check box for the Permission permission.

Step 3 Configure the Cisco Messaging Gateway. Use the System Administration > LDAP page (or ldapconfig in the CLI) to create an LDAP server entry with the following information.

If you entered multiple hosts in the Host Name field of the LDAP server attributes, the appliance tests the query on each LDAP server.

Table 25-1 Testing LDAP Queries

Query type: Recipient Acceptance (Accept, ldapaccept)
If a recipient matches (PASS): Accept the message.
If a recipient does not match (FAIL): Invalid Recipient: conversation or delayed bounce, or drop the message, per listener settings. DHAP: Drop.

Note that a server may be unreachable because the wrong port was entered in the server configuration, or the port is not opened in the firewall. LDAP servers typically communicate over port 3268 or 389. Active Directory uses port 3268 to access the global catalog used in multi-server environments. (See the “Firewall Information” appendix for more information.) In AsyncOS 4.

Using Acceptance Queries For Recipient Validation

Table 25-2 Example LDAP Query Strings for Common LDAP Implementations: Acceptance (continued)

Query for: Recipient validation
SunONE Directory Server: (mail={a}) (mailAlternateAddress={a}) (mailEquivalentAddress={a}) (mailForwardingAddress={a}) (mailRoutingAddress={a})
Lotus Notes, Lotus Domino: (|(|(mail={a})(uid={u}))(cn={u})) and (|(ShortName={u})(InternetAddress={a})(FullName={u}))

You can also validate on the u
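The token substitution and the acceptance query strings above, worked through as an added example that is not the appliance's code: it fills the {a} and {u} tokens of the Active Directory acceptance query and the Lotus query from Table 25-2, then evaluates the resulting filter against a constructed in-memory directory to show the PASS/FAIL outcome of Table 25-1. Assumptions of this example: the recipient is RFC 4515-escaped before substitution, the directory entries are constructed, and the evaluator supports only equality items, the '*' wildcard and '&'/'|' nesting.

```python
"""Added example (not the appliance's code): fill the {a}/{u} tokens of an
AsyncOS-style acceptance query and evaluate it against a constructed directory."""
import re
from typing import Dict, List

# Query strings from the guide: the Active Directory acceptance example and
# the Lotus entry of Table 25-2.
AD_ACCEPT = "(|(mail={a})(proxyAddresses=smtp:{a}))"
LOTUS_ACCEPT = "(|(|(mail={a})(uid={u}))(cn={u}))"

# Constructed directory entries (assumption): attribute -> list of values.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"mail": ["alice@example.net"],
     "proxyAddresses": ["SMTP:alice@example.net", "smtp:ali@example.net"],
     "uid": ["alice"], "cn": ["Alice Example"]},
    {"mail": ["bob@example.net"], "proxyAddresses": ["SMTP:bob@example.net"],
     "uid": ["bob"], "cn": ["Bob Example"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (assumed here): filter metacharacters inside the
    substituted recipient are matched literally, not parsed as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_query(template: str, address: str) -> str:
    """Substitute {a} (full address) and {u} (the local part, used as the
    user name); any other token, e.g. {f}, is rejected by this example."""
    unsupported = set(re.findall(r"\{[a-z]+\}", template)) - {"{a}", "{u}"}
    if unsupported:
        raise ValueError("unsupported token(s): %s" % sorted(unsupported))
    user = address.partition("@")[0]
    return (template.replace("{a}", escape_filter_value(address))
                    .replace("{u}", escape_filter_value(user)))


def parse_filter(text: str):
    """Parse the filter subset used on this page: (attr=value), (|...), (&...)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' filter" % op)
        return (op, children), i + 1
    close = s.find(")", i)  # escaped values never contain a raw ')'
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:close].partition("=")
    if not attr or not sep:
        raise ValueError("malformed item %r" % s[i:close])
    return ("=", attr, value), close + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _item_matches(attr: str, value: str, entry: Dict[str, List[str]]) -> bool:
    # A raw '*' in the filter is a wildcard; an escaped one (\2a) is literal.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    rx = re.compile("^%s$" % pattern, re.IGNORECASE)  # mail attributes are case-insensitive
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return any(rx.match(v) for v in values)
    return False


def matches(node, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    return _item_matches(node[1], node[2], entry)


def recipient_accepted(template: str, address: str,
                       directory: List[Dict[str, List[str]]] = DIRECTORY) -> bool:
    """Table 25-1: a recipient that matches the acceptance query passes (accept);
    one that does not match fails (bounced or dropped per listener settings)."""
    node = parse_filter(render_query(template, address))
    return any(matches(node, entry) for entry in directory)
```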
Using Routing Queries to Send Mail to Multiple Target Addresses

Related Topics
• Sample Routing Queries, page 25-21

Sample Routing Queries

Table 25-3 Example LDAP Query Strings for Common LDAP Implementations: Routing

Query for: Route to another mailhost
OpenLDAP: (mailLocalAddress={a})
Microsoft Active Directory Address Book, Microsoft Exchange: May not be applicable (footnote a)
SunONE Directory Server: (mail={a}) (mailForwardingAddress={a}) (mailEquivalentAddress={a}) (mailRoutingAddress={

Using Masquerading Queries to Rewrite the Envelope Sender

Sample Masquerading Queries

Table 25-4 Example LDAP Query Strings for Common LDAP Implementations: Masquerading

Query for: Masquerade
OpenLDAP: (mailRoutingAddress={a})
Microsoft Active Directory Address Book: (proxyaddresses=smtp:{a})
SunONE Directory Server: (mail={a}) (mailAlternateAddress={a}) (mailEquivalentAddress={a}) (mailForwardingAddress={a}) (mailRoutingAddress={a})

Masquerading “Friendly Names”

In some use

Using Group LDAP Queries to Determine if a Recipient is a Group Member

You can define a query to your LDAP servers to determine if a recipient is a member of a group as defined by your LDAP directory.

Procedure

Step 1 Create a message filter that uses a rcpt-to-group or mail-from-group rule to act upon the message.

Procedure

Step 1 First, a message filter is created to act upon messages that match positively for group membership. In this example, a filter is created that uses the mail-from-group rule. All messages whose Envelope Sender is found to be in the LDAP group “marketing-group1” will be delivered with an alternate delivery host (the filter's alt-mailhost action).

- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]>

For more information on the mail-from-group and rcpt-to-group message filter rules, see Message Filter Rules, page 9-2.

Step 2 Next, the Add LDAP Server Profile page is used to define an LDAP server for the appliance to bind to, and an initial query for a group membership is configured.

You then enable this query on a listener so that when a message is received by the listener, the group query is triggered. To skip virus and spam filtering for members of the IT group, you create the following message filter to check incoming messages against LDAP groups.

[]>
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
[]> new
Enter filter script. Enter '.' on its own line to end.

Using Domain-based Queries to Route to a Particular Domain

creates domain-based queries. This allows MyCompany.example.com to accept emails for Mycompany.example.com, HisCompany.example.com, and HerCompany.example.com on the same listener.

Procedure

Step 1 Create a server profile for each of the domains you want to use in the domain-based queries. For each of the server profiles, configure the queries you want to use for a domain-based query (acceptance, routing, etc.).

Step 8 You can enter a default query to run if all other queries fail. If you do not want to enter a default query, select None.

Step 9 Test the query by clicking the Test Query button and entering a user login and password or an email address to test in the Test Parameters fields. The results appear in the Connection Status field.

Using Chain Queries to Perform a Series of LDAP Queries

Procedure

Step 1 From the LDAP Server Profiles page, click Advanced.
Step 2 Click Add Chain Query.
Step 3 Add a name for the chain query.
Step 4 Select the query type. When you create chain queries, you cannot select different types of queries. Once you select a query type, the appliance populates the query field with queries of that type from available server profiles.
Step 5 Select a query to add to the chain query.

Using LDAP For Directory Harvest Attack Prevention

Figure 25-7 Configuring the Acceptance Query in the SMTP Conversation

Once you configure LDAP acceptance queries for the listener, you must configure DHAP settings in the mail flow policy associated with the listener.

Directory Harvest Attack Prevention within the Work Queue

You can prevent most DHAs by entering only domains in the Recipient Access Table (RAT), and performing the LDAP acceptance validation within the work queue. This technique prevents the malicious senders from knowing if the recipient is valid during the SMTP conversation.

Enter the maximum number of invalid recipients per hour from a remote host.
[25]>

This feature is also displayed when editing any mail flow policy in the GUI, provided that LDAP queries have been configured on the corresponding listener:

Figure 25-10 DHAP Prevention Feature in GUI

Entering a number of invalid recipients per hour enables DHAP for that mail flow policy.
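The invalid-recipients-per-hour threshold above, worked through as an added example that is not the appliance's code: a per-remote-host sliding one-hour counter that returns the DHAP outcome (drop) of Table 25-1 once the configured maximum is reached, run over constructed recipient-validation events. The event format, the outcome names and the handling of the window edge are assumptions of this example; the default of 25 is the value shown in the prompt.

```python
"""Added example (not the appliance's code): a simplified model of Directory
Harvest Attack Prevention. Invalid recipients are counted per remote host over a
sliding one-hour window; once the configured maximum is reached, further
recipients from that host are dropped (the DHAP outcome of Table 25-1)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(hours=1)
BASE = datetime(2016, 3, 14, 9, 0, 0)  # constructed start time
HARVESTER = "203.0.113.7"              # constructed remote hosts (RFC 5737 ranges)
LEGIT = "198.51.100.20"


class DhapTracker:
    def __init__(self, max_invalid_per_hour: int = 25) -> None:
        # 25 is the default offered by the mail flow policy prompt above.
        self.max_invalid = max_invalid_per_hour
        self._invalid: Dict[str, Deque[datetime]] = defaultdict(deque)

    def _expire(self, host: str, now: datetime) -> None:
        queue = self._invalid[host]
        while queue and now - queue[0] >= WINDOW:
            queue.popleft()

    def invalid_count(self, host: str, now: datetime) -> int:
        self._expire(host, now)
        return len(self._invalid[host])

    def decide(self, host: str, now: datetime, recipient_valid: bool) -> str:
        """Return 'accept', 'invalid' (recipient not in the directory; bounced or
        dropped per listener settings) or 'drop' (host is at the DHAP limit)."""
        if self.invalid_count(host, now) >= self.max_invalid:
            return "drop"
        if recipient_valid:
            return "accept"
        self._invalid[host].append(now)
        return "invalid"


def build_events() -> List[Tuple[datetime, str, str, bool]]:
    """Constructed recipient-validation events: (time, host, recipient, valid)."""
    events = []
    # A harvester guesses 30 addresses in about ten minutes; one guess is real.
    for n in range(30):
        events.append((BASE + timedelta(seconds=20 * n), HARVESTER,
                       "user%d@example.com" % n, n == 12))
    # A legitimate relay with one mistyped recipient in the same period.
    events.append((BASE + timedelta(minutes=5), LEGIT, "alice@example.com", True))
    events.append((BASE + timedelta(minutes=6), LEGIT, "typo@example.com", False))
    # The harvester returns after its invalid recipients have aged out of the window.
    events.append((BASE + timedelta(hours=1, minutes=11), HARVESTER,
                   "user99@example.com", False))
    return events


def run(events, max_invalid_per_hour: int = 25) -> Dict[str, Dict[str, int]]:
    """Apply the tracker to events in time order; return per-host outcome counts."""
    tracker = DhapTracker(max_invalid_per_hour)
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for when, host, _recipient, valid in sorted(events):
        summary[host][tracker.decide(host, when, valid)] += 1
    return {host: dict(counts) for host, counts in summary.items()}


if __name__ == "__main__":
    for host, counts in run(build_events()).items():
        print(host, counts)
```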
Configuring AsyncOS for SMTP Authentication

Related Topics
• Configuring SMTP Authentication, page 25-33
• Configuring an SMTP Authentication Query, page 25-34
• SMTP Authentication via Second SMTP Server (SMTP Auth with Forwarding), page 25-35
• SMTP Authentication with LDAP, page 25-36
• Authenticating SMTP Sessions Using Client Certificates, page 25-39
• Outgoing SMTP Authentication, page 25-39
• Logging and SMTP Authentication, page 25-40

Configuring SMTP Authenti

Configuring an SMTP Authentication Query

Table 25-6 SMTP Auth LDAP Query Fields

Name: A name for the query.
Query String: You can select whether to authenticate via LDAP bind or by fetching the password as an attribute. Bind: Attempt to log into the LDAP server using the credentials supplied by the client (this is called an LDAP bind). Specify the maximum number of concurrent connections to be used by the SMTP Auth query.

Figure 25-12 SMTP Authentication Query

When an SMTPAUTH profile has been configured, you can specify that the listener uses that query for SMTP authentication.

SMTP Authentication via Second SMTP Server (SMTP Auth with Forwarding)

You can configure the appliance to verify the username and password that a client provides by forwarding them, in a separate SMTP-authenticated conversation, to a different SMTP server.

SMTP Authentication with LDAP

To create an LDAP-based SMTP Authentication profile, you must have previously created an SMTP Authentication query in conjunction with an LDAP server profile using the System Administration > LDAP page. You can then use this profile to create an SMTP Authentication profile. For more information about creating an LDAP profile, see Understanding LDAP Queries, page 25-2.

Figure 25-13 Selecting an SMTP Authentication Profile via the Edit Listener page

Once a listener is configured to use the profile, the Host Access Table default settings can be changed so that the listener allows, disallows, or requires SMTP Authentication:

Figure 25-14 Enabling SMTP Authentication on a Mail Flow Policy

1. The SMTP Authentication field provides listener-level control for SMTP authentication.

HAT Delayed Rejection

When HAT Delayed Rejection is configured, connections that would get dropped based on the HAT Sender Group and Mail Flow Policy configuration can still authenticate successfully and get the RELAY mail flow policy granted. You can configure delayed rejection using the listenerconfig --> setup CLI command. This behavior is disabled by default. The following table shows how to configure delayed rejection for HAT.

Do you want to modify the SMTP RCPT TO reject response in this case? [N]> y
Enter the SMTP code to use in the response. 550 is the standard code.
[550]> 551
Enter your custom SMTP response. Press Enter on a blank line to finish.
Sender rejected due to local mail policy. Contact your mail admin for assistance.

Step 6 Enter an authentication username and password for the authentication profile.
Step 7 Click Finish.
Step 8 Choose Network > SMTP Routes.
Step 9 Click the All Other Domains link in the Receiving Domain column of the table.
Step 10 Enter the name of the Destination Host for the SMTP route. This is the hostname of your external mail relay used to deliver outgoing mail.

Configuring External LDAP Authentication for Users

Note: Use the Test Query button on the LDAP page (or the ldaptest command) to verify that your queries return the expected results. For more information, see Testing LDAP Queries, page 25-17.

CLI), you assign user roles to the groups in your LDAP directory. User roles determine the permissions that users have in the system, and for externally authenticated users, the roles are assigned to directory groups instead of individual users. For example, you can assign users in the IT directory group the Administrator role and users in the Support directory group the Help Desk User role.

Authenticating End-Users of the Spam Quarantine

Spam quarantine end-user authentication queries validate users when they log in to the Spam Quarantine. The token {u} specifies the user (it represents the user’s login name). The token {a} specifies the user’s email address. The LDAP query does not strip "SMTP:" from the email address; AsyncOS strips that portion of the address.

Sample OpenLDAP End-User Authentication Settings

This section shows sample settings for an OpenLDAP server and the end-user authentication query. This example uses anonymous authentication for the OpenLDAP server, the mail and mailLocalAddress email attributes, and the default query string for end-user authentication for OpenLDAP servers.

Spam Quarantine Alias Consolidation Queries

Sample Active Directory Alias Consolidation Settings

This section shows sample settings for an Active Directory server and the alias consolidation query. This example uses anonymous authentication for the Active Directory server, a query string for alias consolidation for Active Directory servers, and the mail email attribute.

Identifying a Sender’s User Distinguished Name for RSA Enterprise Manager

Related Topics
• Sample User Distinguished Name Settings, page 25-46
• Configuring AsyncOS To Work With Multiple LDAP Servers, page 25-46
• Testing Servers and Queries, page 25-47
• Failover, page 25-47
• Load Balancing, page 25-48

Sample User Distinguished Name Settings

This section shows sample settings for an Active Directory server and the user distinguished name query.

Testing Servers and Queries

Use the Test Server(s) button on the Add (or Edit) LDAP Server Profile page (or the test subcommand in the CLI) to test the connection to an LDAP server. If you use multiple LDAP servers, AsyncOS tests each server and displays individual results for each server. AsyncOS will also test the query on each LDAP server and display the individual results.

Load Balancing

To distribute LDAP connections among a group of LDAP servers, you can configure your LDAP profile for load balancing. When you configure your LDAP profile for load balancing, the appliance distributes connections among the LDAP servers listed. If a connection fails or times out, the appliance determines which LDAP servers are available and reconnects to available servers.
CHAPTER 26 Authenticating SMTP Sessions Using Client Certificates

• Overview of Certificates and SMTP Authentication, page 26-49
• Checking the Validity of a Client Certificate, page 26-51
• Authenticating a User Using an LDAP Directory, page 26-52
• Authenticating an SMTP Connection Over TLS Using a Client Certificate, page 26-52
• Establishing a TLS Connection from the Appliance, page 26-53
• Updating a List of Revoked Certificates, page 26-54

Overview of Certificates and SMTP Authentic

How to Authenticate a User with a Client Certificate

Table 26-1 How to Authenticate a User with a Client Certificate

Step 1 Do This: Define a certificate query for your LDAP server. More Info: Checking the Validity of a Client Certificate, page 26-51
Step 2 Do This: Create a certificate-based SMTP authentication profile. More Info: Authenticating an SMTP Connection Over TLS Using a

Table 26-3 How to Authenticate a User with a Client Certificate or an LDAP SMTP Authentication Query

Step 3 Do This: Create a certificate-based SMTP authentication profile. More Info: Authenticating an SMTP Connection Over TLS Using a Client Certificate, page 26-52
Step 4 Do This: Create an LDAP SMTP authentication profile.

Checking the Validity of a Client Certificate

Authenticating a User Using an LDAP Directory

The SMTP Authentication LDAP query has an Allowance Query String that allows the Email Security appliance to check whether the user’s mail client is allowed to send mail through the appliance based on the user’s record in the LDAP directory.

Procedure

Step 1 Select Network > SMTP Authentication.
Step 2 Click Add Profile.
Step 3 Enter the name for the SMTP authentication profile.
Step 4 Select Certificate for the Profile Type.
Step 5 Click Next.
Step 6 Enter the profile name.
Step 7 Select the certificate LDAP query you want to use with this SMTP authentication profile.

Establishing a TLS Connection from the Appliance

• Require SMTP Authentication
• Require TLS to Offer SMTP Authentication

Updating a List of Revoked Certificates

The Email Security appliance checks a list of revoked certificates (called a Certificate Revocation List) as part of its certificate verification to make sure that the user’s certificate hasn’t been revoked.
CHAPTER 27 FIPS Management

• FIPS Management Overview, page 27-1
• Configuration Changes in FIPS Mode, page 27-1
• Switching the Appliance to FIPS Mode, page 27-2
• Encrypting Sensitive Data in FIPS Mode, page 27-3
• Checking FIPS Mode Compliance, page 27-4
• Managing Certificates and Keys, page 27-4
• Managing Keys for DKIM Signing and Verification, page 27-5

FIPS Management Overview

The Federal Information Processing Standard (FIPS) 140 is a publicly announced standard developed joint

To be FIPS Level 1 compliant, the Email Security appliance makes the following changes to your configuration:

• SMTP receiving and delivery. Incoming and outgoing SMTP conversations over TLS between a public listener on the Email Security appliance and a remote host use TLS version 1 and FIPS cipher suites. You can modify the cipher suites using sslconfig when in FIPS mode. TLS v1 is the only version of TLS supported in FIPS mode.

Switching the Appliance to FIPS Mode

Procedure

mail.example.com> fipsconfig
FIPS mode is currently disabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> setup
To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.

Encrypting Sensitive Data in FIPS Mode

Procedure

mail.example.com> fipsconfig
FIPS mode is currently enabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> setup
To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.

The appliance will not import certificates that do not use one of these algorithms. It also cannot be switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will display an error message instead. A Non-FIPS status for a certificate will be displayed in both the CLI and the GUI when the appliance is in FIPS mode.

Managing Keys for DKIM Signing and Verification

DKIM Verification

The appliance requires a message to use a FIPS-compliant key in order to verify a DKIM signature. If the signature does not use a FIPS-compliant key, the appliance returns a permanent failure.
CH A P T E R 28 Using Email Security Monitor • Email Security Monitor Overview, page 28-1 • Email Security Monitor Pages, page 28-2 • Reporting Overview, page 28-35 • Managing Reports, page 28-36 • Troubleshooting Email Reports, page 28-39 Email Security Monitor Overview The Email Security Monitor feature collects data from every step in the email delivery process.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages See Chapter 13, “Anti-Spam” for more information on Anti-Spam scanning and Chapter 12, “Anti-Virus” for more information on anti-virus scanning. The Email Security Monitor feature also captures information on which content filter a particular message triggers, including the internal user (email recipient) to or from which the message was sent.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages These pages help you classify mail relative to the appliance, and also relative to the services that exist beyond the scope of the gateway, such as the SenderBase Reputation Service, the Anti-Spam scanning service, the Anti-Virus scanning security services, content filters, and Outbreak Filters. You can generate a printer-friendly formatted .
Chapter 28 Using Email Security Monitor Email Security Monitor Pages • Message Filters Page, page 28-32 • Retrieving CSV Data, page 28-33 Searching and Email Security Monitor Many of the Email Security Monitor pages include a search form.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages My Reports Page You can create a custom report page by assembling charts (graphs) and tables from existing report pages. To Add modules to your custom report page Do This 1. Go to Monitor > My Reports and delete any sample modules that you do not need by clicking the [X] in the top right corner of the module. 2.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages Overview Page The Overview page provides a synopsis of the message activity of your appliance, including an overview of your quarantines and Outbreak Filters status (in the System Overview section of the page). The Overview page also includes graphs and detailed message counts for incoming and outgoing messages. You can use this page to monitor the flow of all mail into and out of your gateway.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages • Offline See the Chapter 34, “Managing and Monitoring Using the CLI” for more information. Incoming Messages: The average rate of incoming mail per hour. Work Queue: The number of messages awaiting processing in the work queue. Click the System Status Details link to navigate to the System Status page.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages Notes on Counting Messages in Email Security Monitor The method Email Security Monitor uses to count incoming mail depends on the number of recipients per message. For example, an incoming message from example.com sent to three recipients would count as three messages coming from that sender.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages Note Messages that match a message filter and are not dropped or bounced by the filter are treated as clean. Messages dropped or bounced by a message filter are not counted in the totals. How Messages are Categorized As messages proceed through the email pipeline, they can apply to multiple categories. For example, a message can be marked as spam or virus positive, it can also match a content filter.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages • Drill down on specific senders to obtain more information about a sender from the SenderBase Reputation Service, including a sender’s SenderBase Reputation Score and which sender group the domain matched most recently. Add senders to sender groups. • Drill down on a specific sender who sent a high volume of spam or virus email, as determined by the anti-spam or anti-virus security services.
Chapter 28 Using Email Security Monitor Email Security Monitor Pages Table 28-1 Time Ranges Available in the Email Security Monitor Feature (continued) This time range selected in the GUI ...is defined as: Previous Calendar Month 00:00 of the first day of the month to 23:59 of the last day of the month Custom Range the range enclosed by the start date and hour and the end date and hour that you specify The time range options that you see will differ if you have enabled Centralized Reporting.
Stopped by Recipient Throttling: This is a component of Stopped by Reputation Filtering. It represents the number of recipient messages stopped because any of the following HAT limits have been exceeded: maximum recipients per hour, maximum recipients per message, or maximum messages per connection.
The Sender Profile pages displayed for IP addresses, network owners, and domains vary slightly. For each, the page contains a graph and summary table for incoming mail from this sender.
From a domain profile page, you can drill down to a specific IP address, or drill up to view an organization profile page. You can also display the DNS Verified status, SBRS (SenderBase Reputation Score), and Last Sender Group for each sender address in the IP Addresses table by clicking the Columns link at the bottom of that table. You can also hide any columns in that table.
• How much of that mail is clean, spam-positive, virus-positive, or stopped by a content filter? • How many messages are delivered and how many messages are hard-bounced by the destination server? Outgoing Senders The Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network. You can view the results by domain or IP address when you view this page.
Note Any activity for a recipient domain results in that domain being “active” and thus present in the overview page. For example, if mail remains in the outbound queue due to delivery problems, that recipient domain continues to be listed in the outgoing mail overview.
• Who is triggering which content filters? • Whose email is getting caught by content filters? Inbound Internal Users are the users for which you received email, based on the Rcpt To: address. Outbound Internal Users are based on the Mail From: address and are useful when tracking the types of email that senders on your internal network are sending. Note that some outbound mail (such as bounces) has a null sender.
• Who is sending these messages? The DLP Incidents page consists of two main sections: • the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches, and • the DLP Incidents Details listing. You can select a time range on which to report, such as an hour, a week, or a custom range.
• Which content filter is being triggered the most by incoming or outgoing mail? • Who are the top users sending or receiving mail that is triggering a particular content filter? You can click the name of the content filter in the listing to view more information about that filter on the Content Filter detail page.
The Past Year Outbreak Summary lists global as well as local outbreaks over the past year, allowing you to compare local network trends to global trends. The listing of global outbreaks is a superset of all outbreaks, both viral and non-viral, whereas local outbreaks are limited to virus outbreaks that have affected your appliance. Local outbreak data does not include non-viral threats.
• How many messages are being quarantined and what type of threats were they? • How much lead time has the Outbreak Filter feature been providing for virus outbreaks? • How do my local virus outbreaks compare to the global outbreaks? Virus Types Page The Virus Types page provides an overview of the viruses entering and being sent from your network.
URLs in whitelists used in individual filters are included in reports. • Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Suspicious URLs are those that Outbreak Filters have determined to require click-time protection. Suspicious URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.
Inbound SMTP Authentication Page The Inbound SMTP Authentication page shows the use of client certificates and the SMTP AUTH command to authenticate SMTP sessions between the Email Security appliance and users’ mail clients. If the appliance accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which the client will use to send a message.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam. Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders) measure only the number of messages sent; they do not identify senders of a few messages to a large number of recipients.
Related Topics • System Capacity - Workqueue, page 28-25 • System Capacity - Incoming Mail, page 28-26 • System Capacity - Outgoing Mail, page 28-27 • System Capacity - System Load, page 28-28 • Note about Memory Page Swapping, page 28-29 • System Capacity - All, page 28-30 System Capacity - Workqueue The Workqueue page shows the average time a message spends in the work queue, excluding any time spent in the Spam quarantine or in a
Figure 28-1 System Capacity - Workqueue System Capacity - Incoming Mail The incoming mail page shows incoming connections, the total number of incoming messages, the average message size, and the total incoming message size. You can limit the results to the time range that you specify. It is important to have an understanding of the trends of normal message volume and spikes in your environment.
Figure 28-2 System Capacity - Incoming Mail (Page 1 of 2) Figure 28-3 System Capacity - Incoming Mail (Page 2 of 2) System Capacity - Outgoing Mail The outgoing mail page shows outgoing connections, the total number of outgoing messages, the average message size, and the total outgoing message size. You can limit the results to the time range that you specify.
Figure 28-4 System Capacity - Outgoing Mail (page 1 of 2) Figure 28-5 System Capacity - Outgoing Mail (page 2 of 2) System Capacity - System Load The system load report shows the overall CPU usage on your appliance. AsyncOS is optimized to use idle CPU resources to improve message throughput. High CPU usage may not indicate a system capacity problem.
Figure 28-6 System Capacity - System Load Note about Memory Page Swapping The system is designed to swap memory regularly, so some memory swapping is expected and is not an indication of problems with your appliance. Unless the system consistently swaps memory in high volumes, memory swapping is normal and expected behavior (especially on C170 and C190 appliances).
Figure 28-7 System Capacity - System Load (System Under Heavy Load) System Capacity - All The All page consolidates all the previous system capacity reports onto a single page so you can view the relationship between the different reports. For example, you might see that the message queue is high at the same time that excessive memory swapping takes place. This might be an indication that you have a capacity problem.
Related Topics • Mail System Status, page 28-31 • Version Information, page 28-31 Mail System Status The Mail System Status section includes: • System Status (for more information about system status, see Status, page 28-6) • The last time the status was reported. • The uptime for the appliance. • The oldest message in the system, including messages that have not yet been queued for delivery.
Counters You can reset the cumulative email monitoring counters for system statistics and view the last time the counters were reset. The reset affects system counters as well as per-domain counters. The reset does not affect the counters on messages in the delivery queue related to retry schedules. Note Only user accounts that are in the administrator or operator group have access to reset the counters.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format by clicking the Printable (PDF) link. Retrieving CSV Data You can retrieve the data used to build the charts and graphs in the Email Security Monitor in CSV format.
• The CSV download returns the rows of data in the table ordered by timestamp and key. You can perform further sorting in a separate step such as via a spreadsheet application. • The first row contains column headers that match the display names shown in the report. Note that timestamps (see Timestamps, page 28-34) and keys (see Keys, page 28-34) also appear.
Streaming Most exports stream their data back to the client because the amount of data is potentially very large. However, some exports return the entire result set rather than streaming data. This is typically the case when report data is aggregated with non-report data (e.g. Outbreaks Detail.) Reporting Overview Reporting in AsyncOS involves three basic actions: • You can create Scheduled Reports to be run on a daily, weekly, or monthly basis.
• Outbreak Filters • Virus Types Each of the reports consists of a summary of the corresponding Email Security Monitor page. So, for example, the Content Filters report provides a summary of the information displayed on the Monitor > Content Filters page. The Executive Summary report is based on the Monitor > Overview page.
Your appliance ships with a default set of scheduled reports —you can use, modify, or delete any of them. Related Topics • Scheduling a Report to be Generated Automatically, page 28-37 • Editing Scheduled Reports, page 28-37 • Deleting Scheduled Reports, page 28-38 Scheduling a Report to be Generated Automatically Procedure Step 1 On the Monitor > Scheduled Reports page, click Add Scheduled Report. Step 2 Select a report type.
Step 3 Submit and commit your changes. Deleting Scheduled Reports Procedure Step 1 On the Services > Centralized Reporting page, select the check boxes corresponding to the reports that you want to delete. Select the All check box to remove all scheduled reports. Note Any archived versions of deleted reports are not automatically deleted. Step 2 Click Delete. Step 3 Confirm the deletion and then commit your changes.
If you create a custom range, the range will appear as a link. To modify the range, click the link. Step 4 Select a format for the report. • PDF. Create a formatted PDF document for delivery, archival, or both. You can view the report as a PDF file immediately by clicking Preview PDF Report. For information about generating PDFs in languages other than English, see the “Notes on Reports” section on page 28-36. • CSV.
Chapter 28 Troubleshooting Email Reports AsyncOS 9.1.
CHAPTER 29 Tracking Messages • Message Tracking Overview, page 29-1 • Enabling Message Tracking, page 29-1 • Searching for Messages, page 29-2 • Working with Message Tracking Search Results, page 29-4 • Checking Message Tracking Data Availability, page 29-6 • Troubleshooting Message Tracking, page 29-7 Message Tracking Overview Message tracking helps resolve help desk calls by giving a detailed view of message flow.
Procedure Step 1 Click Services > Centralized Services > Message Tracking. Use this path even if you do not plan to centralize this service. Step 2 Select Enable Message Tracking Service. Step 3 If you are enabling message tracking for the first time after running the System Setup Wizard, review the end-user license agreement, and click Accept.
Option | Description
Envelope Sender | Select Begins With, Is, or Contains, then enter an email address, username, or domain of a message sender to find. You can enter any character(s). No validation of your entry is performed.
Envelope Recipient | Select Begins With, Is, or Contains, and enter an email address, username, or domain of a message recipient to find. You can enter any character(s). No validation of your entry is performed.
Step 3 Click Search to submit the query. The query results are displayed at the bottom of the page. Related Topics • Working with Message Tracking Search Results, page 29-4 Working with Message Tracking Search Results Keep the following points in mind: • Search results depend on your configuration. For example, if you search for messages in a URL Category for which you have not filtered, you will find no results.
Message Details
Item | Description
Envelope and Header Summary section:
Received Time | Time that the Email Security appliance received the message. Dates and times are displayed using the local time configured on the Email Security appliance.
MID | Unique IronPort message ID.
Message Size | Message size.
Subject | Subject line of the message.
Item | Description
SBRS Score | SenderBase reputation score. The range is from 10 (likely a trustworthy sender) to -10 (apparent spammer). A score of “None” indicates that there was no information about this host at the time the message was processed. For more information about SBRS, see Chapter 6, “Sender Reputation Filtering.”
Troubleshooting Message Tracking Related Topics • Attachments Do Not Appear in Search Results, page 29-7 • Expected Messages Are Missing from Search Results, page 29-7 Attachments Do Not Appear in Search Results Problem Attachment names are not found and displayed in search results. Solution See configuration requirements at Enabling Message Tracking, page 29-1.
CHAPTER 30 Policy, Virus, and Outbreak Quarantines • Overview of Policy, Virus, and Outbreak Quarantines, page 30-1 • Managing Policy, Virus, and Outbreak Quarantines, page 30-3 • Working with Messages in Policy, Virus, or Outbreak Quarantines, page 30-10 Overview of Policy, Virus, and Outbreak Quarantines “Policy, virus and outbreak quarantines” includes all non-spam quarantines, including the File Analysis quarantine.
Quarantine Types
Quarantine Type | Quarantine Name | Created by the System by Default? | Description
Advanced Malware Protection | File Analysis | Yes | Holds messages that are sent for file analysis, until a verdict is returned.
Managing Policy, Virus, and Outbreak Quarantines • Disk Space Allocation for Policy, Virus, and Outbreak Quarantines, page 30-3 • Retention Time for Messages in Quarantines, page 30-3 • Default Actions for Automatically Processed Quarantined Messages, page 30-4 • Checking the Settings of System-Created Quarantines, page 30-5 • Configuring Policy, Virus, and Outbreak Quarantines, page 30-5 • About
Note • The normal retention time for messages in the Outbreak Filters quarantine is configured in the Outbreak Filters section of each mail policy, not in the outbreak quarantine. For information, see Chapter 14, “Outbreak Filters.” Early Expiration—messages are forced from quarantines before the configured retention time is reached.
In addition, messages released before their expected retention time has passed can have additional operations performed on them, such as adding an X-Header. For more information, see Configuring Policy, Virus, and Outbreak Quarantines, page 30-5.
Option | Information
Modify Subject | Type the text to add and specify whether to add it to the beginning or the end of the original message subject. For example, you might want to warn the recipient that the message may contain inappropriate content. Note In order for a subject with non-ASCII characters to display correctly, it must be represented according to RFC 2047.
Add X-Header |
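As an added example that is not AsyncOS code, the following Python shows what the RFC 2047 requirement above means in practice: a subject tag containing non-ASCII characters is emitted as an ASCII-only encoded-word, and a receiver decodes it back to readable text. The tag and subject values are constructed samples, and the single space placed between tag and subject is this example's own choice.

```python
# Added example (not AsyncOS code): representing a modified Subject that
# contains non-ASCII characters as RFC 2047 encoded-words, and decoding it.
# The tag and subject values below are constructed samples; the single
# space inserted between tag and subject is this example's own choice.
from email.header import Header, decode_header, make_header


def tag_subject(original_subject: str, tag: str, position: str = "beginning") -> str:
    """Return the Subject value as it must appear on the wire.

    Pure-ASCII text is returned unchanged. Text with non-ASCII characters is
    emitted as UTF-8 encoded-words (=?utf-8?...?=) so that a receiving client
    can display it, instead of raw 8-bit bytes that it may misinterpret.
    """
    if position == "beginning":
        new_subject = f"{tag} {original_subject}"
    elif position == "end":
        new_subject = f"{original_subject} {tag}"
    else:
        raise ValueError("position must be 'beginning' or 'end'")
    # Header() starts with us-ascii and switches to UTF-8 encoded-words only
    # when the text cannot be represented in 7-bit ASCII.
    return Header(new_subject).encode()


def decode_subject(wire_value: str) -> str:
    """Decode a Subject value (encoded-words or plain ASCII) back to text."""
    return str(make_header(decode_header(wire_value)))


def is_wire_safe(wire_value: str) -> bool:
    """True when the value is 7-bit ASCII only, as RFC 2047 requires of headers."""
    return wire_value.isascii()


if __name__ == "__main__":
    subject = "Quarterly results"      # constructed sample
    tag = "[Prüfung nötig]"            # constructed sample containing umlauts
    wire = tag_subject(subject, tag)
    print(wire)                         # an ASCII-only =?utf-8?...?= encoded-word
    print(decode_subject(wire))         # the readable tagged subject
```

A mail client that receives the encoded-word form shows the umlauts correctly; one that receives the raw UTF-8 bytes in the header has to guess, which is the display problem the note describes.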
• See also Effects of Time Adjustments on Retention Time, page 30-4. To change quarantine settings, choose Monitor > Policy, Virus, and Outbreak Quarantines, and then click the name of a quarantine.
Monitoring Quarantine Status, Capacity, and Activity
To View | Do This
Currently available space for all non-spam quarantines | Choose Monitor > Policy, Virus, and Outbreak Quarantines and look just below the table.
Total amount of space currently used by all quarantines | Choose Monitor > System Status and look for Queue Space Used by Quarantine.
Alerts About Quarantine Disk-Space Usage An alert is sent whenever the total size of the policy, virus, and outbreak quarantine reaches or passes 75 percent, 85 percent, and 95 percent of its capacity. The check is performed when a message is placed in the quarantine. For example, if adding a message to a quarantine increases the size to or past 75 percent of the total capacity, an alert is sent.
Which User Groups Can Access Policy, Virus, and Outbreak Quarantines When you allow administrative users to access a quarantine, the actions that they can perform depend on their user group: • Users in the Administrators group can create, configure, delete, and centralize quarantines and can manage quarantined messages.
Viewing Messages in Quarantines
To | Do This
View all messages in a quarantine | Choose Monitor > Policy, Virus, and Outbreak Quarantines. In the row for the relevant quarantine, click the blue number in the Messages column of the table.
View messages in the Outbreak quarantine | • Choose Monitor > Policy, Virus, and Outbreak Quarantines.
Tip For the Outbreak Quarantine, you can also find all messages quarantined by each outbreak rule: Click the Manage by Rule Summary link in the Outbreak table row, and then click the relevant rule. Step 3 Select the quarantines in which to search. Step 4 (Optional) Enter other search criteria. • For Envelope Sender and Envelope Recipient: You can enter any character(s).
• Choosing an option from the pick list at the top of the list of messages. • Selecting the check box beside each message listed on a page. • Selecting the check box in the table heading at the top of a list of messages. This applies the action to all messages visible on the screen. Messages on other pages are not affected.
• A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)
Viewing Matched Content When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message.
Figure 30-1 Matched Content Viewed in the Policy Quarantine Downloading Attachments You can download a message attachment by clicking the attachment’s file name in the Message Parts or Matched Content section. AsyncOS displays a warning that attachments from unknown sources may contain viruses and asks you if you want to continue.
About Rescanning of Quarantined Messages When a message is released from all queues in which it has been quarantined, the following rescanning occurs, depending on the features enabled for the appliance and for the mail policy that originally quarantined the message: • Messages released from Policy and Virus quarantines are rescanned by the anti-virus engine.
If anti-spam and anti-virus are enabled on the appliance, the scanning engines scan every message released from the Outbreak quarantine based on the mail flow policy that applies to the message. Manage by Rule Summary Link Click the Manage by Rule Summary link next to the Outbreak quarantine in the quarantine listing to view the Manage by Rule Summary page.
CHAPTER 31 Spam Quarantine • Overview of the Spam Quarantine, page 31-1 • Local Versus External Spam Quarantine, page 31-1 • Setting Up the Local Spam Quarantine, page 31-2 • Using Safelists and Blocklists to Control Email Delivery Based on Sender, page 31-7 • Configuring Spam Management Features for End Users, page 31-14 • Managing Messages in the Spam Quarantine, page 31-22 • Disk Space for the Spam Quarantine, page 31-24 • About Disabling the Spam Quarantine, page 31-24 • Troubles
• You want a centralized location to store and manage spam from multiple Email Security appliances. • You want to store more spam than the Email Security appliance can hold. • You want to regularly back up the spam quarantine and its messages.
Enabling and Configuring the Spam Quarantine Note If you use an external spam quarantine, you will configure the settings described in this section on the Security Management appliance. Procedure Step 1 Select Monitor > Spam Quarantine. Step 2 If you have not previously enabled the spam quarantine, select Enable Spam Quarantine.
What To Do Next • Return to Setting Up the Local Spam Quarantine, page 31-2. Configuring the IP Interface for Browser Access to the Spam Quarantine When administrators and end users access the spam quarantine, a separate browser window opens. Procedure Step 1 Choose Network > IP Interfaces. Step 2 Click the interface name (for this example, we will use the Management interface).
Procedure Step 1 If you are not already editing the spam quarantine settings page: a. Select Monitor > Spam Quarantine. b. Click the Spam Quarantine link in the Quarantine Name column of the Spam Quarantine section. Step 2 Click the link for the type of user to add: local, externally authenticated, or custom role. If you have already added users or roles, click a username or role to view all eligible users or roles.
Ensuring That Message Text Displays Correctly AsyncOS attempts to determine the character set of a message based on the encoding that is specified in the message headers. However, if the encoding specified in the headers does not match that of the actual text, the message will not be displayed properly when viewed in the spam quarantine. This situation is more likely to occur with spam messages.
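The mismatch described above, shown as an added Python example that is not AsyncOS code: a constructed message whose Content-Type header declares iso-8859-1 while the body bytes are actually UTF-8. Decoding with the declared charset produces the garbled text a viewer would display; a simple consistency check flags the mislabel and recovers the text. The sample addresses, the build_message helper and the heuristic are this example's own.

```python
# Added example (not AsyncOS code): detecting a body whose declared charset
# does not match its actual bytes. Sample addresses and bodies are constructed.
import email
from email import policy


def build_message(charset_label: str, body: bytes) -> bytes:
    """Construct a raw 8-bit message that labels `body` with `charset_label`."""
    headers = b"\r\n".join([
        b"From: sender@example.invalid",
        b"To: recipient@example.invalid",
        b"Subject: charset sample",
        b"MIME-Version: 1.0",
        b'Content-Type: text/plain; charset="' + charset_label.encode("ascii") + b'"',
        b"Content-Transfer-Encoding: 8bit",
    ])
    return headers + b"\r\n\r\n" + body + b"\r\n"


# Constructed sample: the header says iso-8859-1, but the bytes are UTF-8 for "Grüße".
MISLABELLED = build_message("iso-8859-1", "Grüße".encode("utf-8"))
# Constructed sample: header and bytes agree (iso-8859-1 bytes for "Grüße").
CONSISTENT = build_message("iso-8859-1", "Grüße".encode("iso-8859-1"))


def analyse_body_charset(raw: bytes) -> dict:
    """Decode the body with its declared charset and flag a likely UTF-8 mislabel."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    declared = (msg.get_content_charset() or "us-ascii").lower()
    body = msg.get_payload(decode=True) or b""
    # What a viewer that trusts the header would show.
    as_declared = body.decode(declared, errors="replace")
    # Heuristic: 8-bit bytes that form valid UTF-8 multibyte sequences while
    # labelled with a different charset are almost certainly UTF-8. Genuine
    # single-byte text (for example 0xFC 0xDF for "üß" in iso-8859-1) fails
    # the strict UTF-8 decode, so it is not flagged.
    has_8bit = any(b >= 0x80 for b in body)
    looks_utf8 = False
    if has_8bit:
        try:
            body.decode("utf-8")
            looks_utf8 = True
        except UnicodeDecodeError:
            pass
    mismatch = has_8bit and looks_utf8 and declared not in ("utf-8", "utf8")
    best_effort = body.decode("utf-8") if mismatch else as_declared
    return {
        "declared": declared,
        "as_declared": as_declared.strip(),
        "mismatch_suspected": mismatch,
        "best_effort": best_effort.strip(),
    }


if __name__ == "__main__":
    for label, raw in (("mislabelled", MISLABELLED), ("consistent", CONSISTENT)):
        print(label, analyse_body_charset(raw))
```

The mislabelled sample decodes to mojibake under the declared charset, which is exactly what the quarantine viewer would show; the check recovers "Grüße" because the bytes are valid UTF-8, while the consistent sample is left alone.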
Using Safelists and Blocklists to Control Email Delivery Based on Sender Administrators and end users can use safelists and blocklists to help determine which messages are spam. Safelists specify senders and domains that are never treated as spam. Blocklists specify senders and domains that are always treated as spam.
blocklist action is configured to quarantine, the message is scanned and eventually quarantined. If the blocklist action is configured to delete, the message is dropped immediately after safelist/blocklist scanning. Because safelists and blocklists are maintained in the spam quarantine, delivery behavior is also contingent on other anti-spam settings.
Adding Senders and Domains to Safelists and Blocklists (Administrators) Manage safelists and blocklists via the spam quarantine interface. You can also see whether many recipients (end users in your organization) have whitelisted or blacklisted a particular sender or domain. Administrators see and work with the superset of the same entries that each end user sees and works with.
To | Do This
Add multiple senders for a recipient | 1. Select View by: Recipient 2. Click Add, or click Edit for a recipient. 3. Enter or edit the recipient email address. 4. Enter sender email addresses and domains. Put each entry on a separate line, or separate each entry with a comma. 5. Click Submit.
Add multiple recipients for a sender | 1. Select View by: Sender 2.
• user@[ipv6:2001:db8::1] An identical entry, such as a sender address or a domain, cannot be included on both the safelist and the blocklist at the same time. However, a domain can be on a safelist while an email address for a sender belonging to that domain is on the blocklist (or vice versa), and both rules apply. For example, if example.com is on the safelist, george@example.
The envelope sender and the from header for the specified mail are both added to the safelist, and the released messages proceed directly to the destination queue, skipping any further work queue processing in the email pipeline. Adding Senders to the Safelist Without a Quarantined Message Procedure Step 1 Access the spam quarantine via browser.
Backing Up and Restoring the Safelist/Blocklist Before you upgrade your appliance or run the installation wizard, you should back up the safelist/blocklist database. Safelist/blocklist information is not included in the main XML configuration file that contains your appliance configuration settings.
Related Topics • Message from Safelisted Sender Was Not Delivered, page 31-14 Message from Safelisted Sender Was Not Delivered Problem Message from a safelisted sender was not delivered. Solution Possible causes: • The message was dropped for malware or content violations. See Message Processing of Safelists and Blocklists, page 31-7.
Authentication Options for End Users Accessing Spam Management Features Note Mailbox authentication does not allow users to view messages addressed to an email alias.
For End-User Spam Quarantine Access | Do This
Directly via web browser, authentication required | 1. In the End User Quarantine Access settings, choose LDAP or Mailbox (IMAP/POP), and 2.
4. Messages are stored in the spam quarantine using the recipient's envelope address. After a user's password is validated against LDAP, the spam quarantine then retrieves the “Primary Email Attribute” from the LDAP record to determine which envelope address they should show quarantined messages for.
Do This | More Information
Step 3 Configure end-user access to the spam quarantine. | Configuring End-User Access to the Spam Quarantine, page 31-17
Step 4 Determine the URL for end-user access to the spam quarantine. |
Select This Option | More Information
Mailbox (IMAP/POP) | For sites without an LDAP directory to use for authentication, the quarantine can validate user email addresses and passwords against a standards-based IMAP or POP server that holds their mailbox. When logging in to the spam quarantine, end users enter their full email address and mailbox password.
If the authentication method is IMAP/POP, or the user accesses the quarantine directly via a notification, then the quarantine will display only messages for that user’s email address (or the address to which the notification was sent). For information about messages that are sent to aliases of which the user is a member, see Recipient Email Mailing List Aliases and Spam Notifications, page 31-20.
• Days Until Message Expires (%days_until_expire%) • Quarantine URL (%quarantine_url%) — URL to log in to the quarantine and view messages. • Username (%username%) • New Message Table (%new_quarantine_messages%) — A list of the user’s new messages in the quarantine.
Table 31-2 Notifications per Address/Alias
User | Email Addresses | Aliases | Notifications
Mary | mary@example.com | dev@example.com, qa@example.com, pm@example.com | 4
Joe | joe@example.com, admin@example.com | hr@example.com | 3
If you use LDAP authentication, you can choose not to send notifications to mailing list aliases.
• The user is a member of one or more email aliases that received the spam message. To minimize duplications, and for more information, see Recipient Email Mailing List Aliases and Spam Notifications, page 31-20. Recipient Does Not Receive Notifications Problem Recipient is not receiving spam notifications.
Step 3 Enter a date range to search through. Click the calendar icons to select a date. Step 4 Specify a From: address, and select whether the search results should contain, match exactly, start with, or end with the value you entered. Step 5 Click Search. Messages matching your search criteria are displayed below the Search section of the page.
Click the checkbox in the heading row to automatically select all messages currently displayed on the page. Released messages proceed directly to the destination queue, skipping any further work queue processing in the email pipeline. Deleting Messages from the Spam Quarantine The spam quarantine can be configured to automatically delete messages after a certain amount of time.
Chapter 31 Spam Quarantine Troubleshooting Spam Quarantine Features • Ensuring That Message Text Displays Correctly, page 31-6 AsyncOS 9.1.
CHAPTER 32 Distributing Administrative Tasks

• Working with User Accounts, page 32-1
• Managing Custom User Roles for Delegated Administration, page 32-7
• Passwords, page 32-16
• Configuring Access to the Email Security Appliance, page 32-24
• Managing Secure Shell (SSH) Keys, page 32-28
• Viewing Active Administrator Sessions, page 32-30

Working with User Accounts

The Cisco appliance provides two methods for adding user accounts: creating user accounts on the Cisco appliances itself, an

User Roles

Table 32-1 User Roles Listing

User Role: admin
Description: The admin user is the default user account for the system and has all administrative privileges. The admin user account is listed here for convenience, but it cannot be assigned via a user role, and it cannot be edited or deleted, aside from changing the password. Only the admin user can issue the resetconfig and revert commands.

Table 32-1 User Roles Listing (continued)

User Role: Read-Only Operator
Description: User accounts with the Read-Only Operator role have access to view configuration information. Users with the Read-Only Operator role can make and submit changes to see how to configure a feature, but they cannot commit them. Users with this role can manage messages in quarantines, if access is enabled in a quarantine.
• Force users to change their passwords. See Force Users To Change Their Passwords, page 32-5.
• Configure user account and password settings for local accounts. For more information, see Configuring Restrictive User Account and Password Settings, page 32-17.
• Enable the appliance to use an LDAP or RADIUS directory to authenticate users. For more information, see External Authentication, page 32-20.
Step 4 Submit and commit your changes.

Force Users To Change Their Passwords

Procedure
Step 1 Choose System Administration > Users.
Step 2 Select the users from the Users listing.
Step 3 Click Enforce Password Change.
Step 4 Choose whether the users must change the password during the next login or after a specified duration (in days).

Procedure
Step 1 Go to the System Administration > Users page.
Step 2 Under DLP Tracking Privileges, click Edit Settings.
Step 3 Select the roles for which you want to grant access to DLP data in Message Tracking. Custom roles without access to Message Tracking can never view this information and thus are not listed.
Step 4 Submit and commit your changes.

• The last command displays which users have recently logged into the appliance. The IP address of the remote host, and the login, logout, and total time are also displayed.

mail3.example.com> last
Username Remote Host Login Time       Logout Time      Total Time
======== =========== ================ ================ ==========
admin    10.1.3.67   Sat May 15 23:42 still logged in  15m
admin    10.1.3.
When creating a custom user role, make sure that its responsibilities do not overlap too much with the responsibilities of other delegated administrators.
Figure 32-2 shows an Account Privileges page for a delegated administrator with access to mail policies, email reporting, message tracking, and quarantines.

Figure 32-2 Account Privileges Page for a Delegated Administrator

Assigning Access Privileges

When creating a custom user role, you define the levels of access to the security features for which delegated administrators are responsible.

Related Topics
• Mail Policies and Content Filters, page 32-10
• DLP Policies, page 32-11
• Email Reporting, page 32-12
• Message Tracking, page 32-12
• Trace, page 32-13
• Quarantines, page 32-13
• Encryption Profiles, page 32-13

Mail Policies and Content Filters

The Mail Policies and Content Filters access privileges define a delegated administrator’s level of access to the incoming and ou

• View all, edit assigned: Delegated administrators can view all mail policies and content filters on the appliance, but they can only edit the ones assigned to the custom user role.

Email Reporting

The Email Reporting access privileges define which reports and Email Security Monitor pages a delegated administrator can view, depending on the custom user role’s access to mail policies, content filters, and RSA Email DLP policies.

Trace

The Trace access privileges define whether delegated administrators assigned to the custom user role can use Trace to debug the flow of messages through the system. Delegated administrators with access can run Trace and view all of the generated output. Trace results are not filtered based on the delegated administrator’s mail or DLP policy privileges.

Step 6 Submit and commit your changes.

Defining a Custom User Role When Adding a User Account

You can create a new custom user role when adding or editing a local user account on the Email Security appliance. See Managing Users, page 32-3 for more information on adding a user account.

Procedure
Step 1 Go to the System Administration > Users page.
Step 2 Click Add User.

Figure 32-3 DLP Policies Available for Delegated Administrators

Procedure
Step 1 Go to the System Administration > User Roles page.
Step 2 Click the name of the access privilege for the custom user role you want to update.
Step 3 Change the name of the custom user role.
Step 4 Make any access privilege changes required for the new custom user role.
Step 5 Submit and commit your changes.

Deleting a Custom User Role

When a custom role is deleted, users become unassigned and do not have access to the appliance. If you delete a custom user role that is assigned to one or more users, you do not receive a warning message.

Locking and Unlocking a User Account

Locking a user account prevents a local user from logging into the appliance. A user account can be locked in one of the following ways:
• AsyncOS locks a user account if the user exceeded the maximum number of failed login attempts defined in the Local User Account & Password Settings section.
• Administrators can manually lock user accounts for security purposes using the System Administration > Users page.
Step 4 Configure the settings as described below.

Setting: User Account Lock
Description: Choose whether or not to lock the user account after the user fails to log in successfully. Specify the number of failed login attempts that cause the account locking. You can enter any number from one (1) to 60. Default is five (5). When you configure account locking, enter the message to be displayed to the user attempting to log in.

Setting: Password Rules: Require at least ____ characters.
Description: Enter the minimum number of characters that a password may contain. Enter any number between 0 and 128. Default is 8 characters. Passwords can have more characters than the number you specify here.

Setting: Password Rules: Require at least one number (0-9).
Description: Choose whether or not the passwords must contain at least one number.

Setting: Password Rules: Require at least one special character.

Setting: Password Rules: List of words to disallow in passwords
Description: You can create a list of words to disallow in passwords. Make this file a text file with each forbidden word on a separate line. Save the file with the name forbidden_password_words.txt and use SCP or FTP to upload the file to the appliance. If this restriction is selected but no word list is uploaded, this restriction is ignored.
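The rules in the settings table above (minimum length, required number and special character, forbidden-word list, and lockout after a number of failed logins) expressed as a small checker. This is an added example, not AsyncOS code or Cisco's implementation; the PasswordPolicy and LoginGuard names and the constructed stand-in for forbidden_password_words.txt are assumptions made for illustration.

```python
# Added example: local-account password rules and failed-login lockout as
# described in the settings above. Not AsyncOS code; PasswordPolicy,
# LoginGuard and the constructed word list are assumptions for illustration.
import re
from dataclasses import dataclass, field

# Constructed stand-in for the uploaded forbidden_password_words.txt
# (one forbidden word per line).
FORBIDDEN_WORDS_FILE = "example\nironport\npassword\n"


def load_forbidden_words(text):
    """One word per line, blank lines ignored, matched case-insensitively."""
    return frozenset(w.strip().lower() for w in text.splitlines() if w.strip())


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # 0-128, default 8
    require_number: bool = True         # at least one 0-9
    require_special: bool = True        # at least one non-alphanumeric
    forbidden_words: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if not 0 <= self.min_length <= 128:
            raise ValueError("minimum length must be between 0 and 128")

    def violations(self, password):
        """Return the list of rules the password breaks (empty means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_number and not re.search(r"[0-9]", password):
            problems.append("no number (0-9)")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
        lowered = password.lower()
        # An empty word list means the restriction is ignored, as the guide states.
        for word in sorted(self.forbidden_words):
            if word in lowered:
                problems.append(f"contains forbidden word {word!r}")
        return problems


class LoginGuard:
    """Counts consecutive failed logins per user and locks at the threshold."""

    def __init__(self, max_failures=5,
                 lock_message="Account locked; contact your administrator."):
        if not 1 <= max_failures <= 60:          # the guide's allowed range
            raise ValueError("failed-attempt threshold must be between 1 and 60")
        self.max_failures = max_failures
        self.lock_message = lock_message
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_ok):
        """Return 'ok', 'failed', or the lock message shown to a locked user."""
        if user in self.locked:
            return self.lock_message      # a locked user is refused even with the right password
        if password_ok:
            self.failures.pop(user, None)  # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return self.lock_message
        return "failed"

    def unlock(self, user):
        """Manual unlock by an administrator (System Administration > Users)."""
        self.locked.discard(user)
        self.failures.pop(user, None)
```

The forbidden-word match is a substring test on the lowercased password, so "IronPort#2016" is rejected by a list containing "ironport"; a locked account stays locked until an administrator unlocks it, which also clears the failure count.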
When external authentication is enabled and a user logs into the Email Security appliance, the appliance first determines if the user is the system defined “admin” account. If not, then the appliance checks the first configured external server to determine if the user is defined there. If the appliance cannot connect to the first external server, the appliance checks the next external server in the list.
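The login order described above, as an added example that is not AsyncOS code: the local "admin" account is checked first, then each external server in list order, and the appliance moves to the next server only when it cannot connect to the current one. The simulated servers, the ServerUnreachable exception and the authenticate() function are assumptions made for illustration.

```python
# Added example: the login-source order described above (local "admin"
# first, then each external server in list order, moving on only when a
# server cannot be reached). Not AsyncOS code; the simulated servers,
# ServerUnreachable and authenticate() are assumptions for illustration.

class ServerUnreachable(Exception):
    """The appliance could not connect to an external server."""


class ExternalServer:
    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users            # constructed {username: password}
        self.reachable = reachable    # False simulates a connection failure

    def check(self, user, password):
        if not self.reachable:
            raise ServerUnreachable(self.name)
        return self.users.get(user) == password


def authenticate(user, password, local_admin_password, servers):
    """Return (accepted, source).

    A server that answers, whether it accepts or rejects, is authoritative;
    a rejection by a reachable server does not fall through to the next one.
    """
    if user == "admin":
        return password == local_admin_password, "local"
    for server in servers:
        try:
            return server.check(user, password), server.name
        except ServerUnreachable:
            continue                  # cannot connect: try the next configured server
    return False, "no-server-reachable"
```

The distinction matters operationally: an outage of the first server is covered by the second, but a wrong password rejected by the first server is final, so a second server cannot be used to bypass a rejection by the first.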
Step 10 Optionally, click Add Row to add another directory group. Repeat steps 9 and 10 for each directory group that the appliance authenticates.
Step 11 Submit and commit your changes.

Enabling RADIUS Authentication

You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco roles.

Step 9 Configure Group Mapping:

Setting: Map externally authenticated users to multiple local roles.
Description: AsyncOS assigns RADIUS users to appliance roles based on the RADIUS CLASS attribute.
Configuring Access to the Email Security Appliance

AsyncOS provides administrators controls to manage users’ access to the Email Security appliance, including a timeout for Web UI sessions and an access list that specifies the IP addresses from which users and your organization’s proxy servers can access the appliance.
Note AsyncOS supports only IPv4 addresses in the x-forwarded-for header.

Creating the Access List

You can create the network access list either via the Network Access page in the GUI or the adminaccessconfig > ipaccess CLI command. AsyncOS offers four different modes of control for the access list:
• Allow All. This mode allows all connections to the appliance. This is the default mode of operation.

Step 5
Step 6 If connecting through a proxy is allowed, enter the following information:
• The IP addresses of the proxies allowed to connect to the appliance. Use commas to separate multiple entries.
• The name of the origin IP header that the proxy sends to the appliance, which contains the IP addresses of the remote user’s machine and the proxy servers that forwarded the request.
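An added example (not AsyncOS code) of how the proxy-related settings above fit together when a connection is evaluated: the connecting host must be one of the listed proxies, the origin IP header must contain only IPv4 addresses (per the Note above), and the remote user's address taken from that header must itself be allowed. The function names, the header-name default and the check that every forwarding hop listed in the header is also a listed proxy are assumptions made for illustration.

```python
# Added example: evaluating the network access list for a connection that
# may arrive through one of the listed proxies, following the rules above
# (only IPv4 in the origin header; the header carries the remote user's
# address and the forwarding proxies). Not AsyncOS code; the function
# names and the "every forwarding hop must be an allowed proxy" check are
# assumptions for illustration.
import ipaddress


def _ipv4(text):
    """IPv4Address for the text, or None for IPv6 or junk (per the Note above)."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return addr if addr.version == 4 else None


def parse_origin_header(value):
    """'client, proxy1, proxy2' -> [client, proxy1, proxy2]; None if any hop is not IPv4."""
    hops = [_ipv4(h) for h in value.split(",") if h.strip()]
    if not hops or any(h is None for h in hops):
        return None
    return hops


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def direct_allowed(peer_ip, allowed_users):
    """Direct connection: the peer itself must be in the allowed user ranges."""
    peer = _ipv4(peer_ip)
    nets = [ipaddress.ip_network(n) for n in allowed_users]
    return peer is not None and _in_any(peer, nets)


def proxied_allowed(peer_ip, headers, allowed_users, allowed_proxies,
                    header_name="X-Forwarded-For"):
    """Connection via proxy: the peer must be a listed proxy, the origin header
    must parse, every forwarding hop must be a listed proxy, and the remote
    user's address must be in the allowed user ranges."""
    peer = _ipv4(peer_ip)
    proxies = [ipaddress.ip_network(n) for n in allowed_proxies]
    if peer is None or not _in_any(peer, proxies):
        return False                          # connecting host is not a listed proxy
    # Header names are case-insensitive; a missing header leaves the user unknown.
    raw = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if raw is None:
        return False
    hops = parse_origin_header(raw)
    if hops is None:
        return False                          # malformed or non-IPv4 hop
    client, forwarders = hops[0], hops[1:]
    if any(not _in_any(f, proxies) for f in forwarders):
        return False                          # an unlisted hop could have written the client value
    return direct_allowed(str(client), allowed_users)
```

The reason to check every hop is that the origin header is written by whichever proxies handled the request; only when the whole chain consists of proxies you listed can the first address in it be relied on as the remote user's machine.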
Note Any uncommitted configuration changes at the time of CLI session timeout will be lost. Make sure that you commit the configuration changes as soon as they are made.

Procedure
Step 1 Select System Administration > Network Access.
Step 2 Click Edit Settings.
Step 3 In the CLI Inactivity Timeout field, enter the number of minutes users can be inactive before being logged out.

Managing Secure Shell (SSH) Keys

Use the sshconfig command to:
• Add or delete secure shell (SSH) public User keys to the authorized_keys file of user accounts that have been configured on the system, including the admin account. This allows authentication to user accounts using SSH keys rather than password challenge.

- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]>

Example: Edit SSH Server Configuration

The following example shows how to edit the SSH server configuration.

mail.example.com> sshconfig
Choose the operation you want to perform:
- SSHD - Edit SSH server settings.

Enter the MAC Methods do you want to use [hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.
CHAPTER 33 System Administration

Note Several of the features or commands described in this section will affect, or be affected by, routing precedence. Please see IP Addresses, Interfaces, and Routing, page B-2 for more information.
• resume
• resetconfig
• version
• updateconfig
• upgrade

Shutting Down or Rebooting the Appliance

After you shut down or reboot, you may restart the appliance later without losing any messages in the delivery queue. You can use the shutdown or reboot command in the CLI, or use the GUI:

Procedure
Step 1 Select System Administration > Shutdown/Suspend.
Step 4 Enter the number of seconds to wait to allow open connections to complete before forcing them to close. If there are no open connections, the system goes offline immediately. The default delay is 30 seconds.
Step 5 Click Commit.

What To Do Next
When you are ready to resume suspended services, see Resuming Suspended Email Receiving and Delivery, page 33-3.
Resetting to Factory Defaults

When physically transferring the appliance, you may want to start with factory defaults. The Reset Configuration section of the System Administration > Configuration File page, or the resetconfig command, resets all AsyncOS configuration values to factory defaults.

The resetconfig Command

mail3.example.com> offline
Delay (seconds, minimum 30): [30]> 45
Waiting for listeners to exit...
Receiving suspended.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
mail3.example.com> resetconfig
Are you sure you want to reset all configuration values? [N]> Y
All settings have been restored to the factory default.

Step 2 Perform actions:

To: View the status of active feature keys
Do This: Look at the Feature Keys for section.

To: View feature keys that have been issued for your appliance but are not yet activated
Do This: Look at the Pending Activation section. If you have enabled automatic download and activation, feature keys will never appear in this list.

Expired Feature Keys

If the feature key for the feature you are trying to access (via the GUI) has expired, please contact your Cisco representative or support organization.

Cisco Email Security Virtual Appliance License

To set up and license an Email Security Virtual appliance, see the Cisco Content Security Virtual Appliance Installation Guide.
• You can upload an entire configuration file via FTP access, or you can paste portions of or an entire configuration file directly into the CLI.
• Because the file is in XML format, an associated DTD (document type definition) that describes all of the XML entities in the configuration file is also provided. You can download the DTD to validate an XML configuration file before uploading it.
You can encrypt the user’s passwords by clicking the Encrypt passwords in the Configuration Files checkbox. The following are the critical security parameters in the configuration file that will be encrypted.

The closing tag should follow your configuration information. The values in XML syntax are parsed and validated against the DTD (document type definition) located in the configuration directory on your appliance. The DTD file is named config.dtd. If validation errors are reported at the command line when you use the loadconfig command, the changes are not loaded.

is considered ambiguous and is not allowed, even though it is “complete” syntax.

Caution When uploading or pasting a configuration file or subsections of a configuration file, you have the potential to erase uncommitted changes that may be pending.

Resetting the Current Configuration

Resetting the current configuration causes your appliance to revert back to the original factory defaults. You should save your configuration prior to resetting it. Resetting the configuration via this button in the GUI is not supported in a clustering environment. See Resetting to Factory Defaults, page 33-4.

Model Number: model number
Version: version of AsyncOS installed
Serial Number: serial number
Current Time: current time and date

[The remainder of the configuration file is printed to the screen.]

Use the mailconfig command to email the current configuration to a user. A configuration file in XML format named config.xml will be attached to the message.

mail3.example.
The loadconfig Command

Use the loadconfig command to load new configuration information into the appliance. You can load information in one of two methods:
• Placing information in the configuration directory and uploading it.
• Pasting configuration information directly into the CLI.
See Loading a Configuration File, page 33-9 for more information.
In this example, a new configuration file is pasted directly at the command line. (Remember to type Control-D on a blank line to end the paste command.) Then, the system setup wizard is used to change the default hostname, IP address, and default gateway information. (For more information, see Using the System Setup Wizard, page 3-14.) Finally, the changes are committed.

mail3.example.com> loadconfig
1. Paste via CLI
2.

Managing Disk Space (Virtual Appliances Only)

Increasing Available Disk Space

For virtual appliances running ESXi 5.5 and VMFS 5, you can allocate more than 2TB of disk space. For appliances running ESXi 5.1, the limit is 2 TB. To add disk space to the virtual appliance instance:

Note ESX does not support disk space reduction. See the VMWare documentation for information.

Before You Begin
Carefully determine the disk space increase needed.

Managing Disk Space for the Miscellaneous Quota

The Miscellaneous quota includes System data and User data. You cannot delete System data. User data that you can manage includes the following types of files:

To Manage: Log files
Do this: Go to System Administration > Log Subscriptions and:
• Look to see which log directories consume the most disk space.
• Verify that you need all of the log subscriptions that are being generated.

Note
• URL categories (Used for URL filtering features. For details, see Future URL Category Set Changes, page 15-22)
• Enrollment client (Used for updating certificates needed for communication with cloud-based services used for URL filtering features. For information, see About the Connection to Cisco Web Security Services, page 15-3.
Configuring Your Network to Download Upgrades and Updates from the Cisco Servers

The appliance connects directly to the Cisco update servers to find and download upgrades and updates:

Figure 33-1 Streaming Update Method
[Figure: Your IronPort Appliance, HTTP connection through firewall, IronPort Systems Update Servers]

Cisco update servers use dynamic IP addresses.
Use a local server if your appliance does not have access to the internet, or if your organization restricts access to mirror sites used for downloads. Downloading AsyncOS upgrades to each appliance from a local server is generally faster than downloading from the Cisco IronPort servers.

Note Cisco recommends using a local server only for AsyncOS upgrades.

Note For this release, if you need to configure a firewall setting to allow HTTP access to this address, you must configure it using the DNS name and not a specific IP address.

You can use the same or different settings for AsyncOS upgrades and for service updates.

Before You Begin
Determine whether the appliance will download upgrades and updates directly from Cisco, or whether you will host these images from a local server on your network instead. Then set up your network to support the method you choose. See all topics under Setting Up to Obtain Upgrades and Updates, page 33-18.

Setting: Automatic Updates
Description: Enable automatic updates and the update interval (how often the appliance checks for updates) for Sophos and McAfee Anti-Virus definitions, Cisco Anti-Spam rules, Cisco Intelligent Multi-Scan rules, PXE Engine updates, Outbreak Filter rules, and time zone rules. Include a trailing s, m, or h to indicate seconds, minutes, or hours. Enter 0 (zero) to disable automatic updates.

-----------------------------------------------------------------------------------------
Feature Key updates http://downloads.ironport.

[]>

Configuring the Appliance to Trust Proxy Server Communication

If you are using a non-transparent proxy server, you can add the CA certificate used to sign the proxy certificate to the appliance. By doing so, the appliance trusts the proxy server communication. Use the updateconfig command to configure this option. The following example shows how to configure this option.

mail.example.com> updateconfig
...
...
...

About Upgrading Clustered Systems

If you are upgrading clustered machines, please see Upgrading Machines in a Cluster, page 39-12.

About Batch Commands for Upgrade Procedures

Batch commands for upgrade procedures are documented in the Cisco AsyncOS CLI Reference Guide at http://www.cisco.com/en/US/products/ps10154/prod_command_reference_list.html.

Procedure
Step 1 Save the XML configuration file off-box. If you need to revert to the pre-upgrade release for any reason, you will need this file.
Step 2 If you are using the Safelist/Blocklist feature, export the list off-box.
Step 3 Suspend all listeners. If you perform the upgrade from the CLI, use the suspendlistener command. If you perform the upgrade from the GUI, listener suspension occurs automatically.
Step 4 Wait for the queue to empty.

To: Download and install the upgrade in a single operation
Do This: Click Download and Install. If you have already downloaded an installer, you will be prompted to overwrite the existing download.

To: Download an upgrade installer
Do This: Click Download only. If you have already downloaded an installer, you will be prompted to overwrite the existing download. The installer downloads in the background without interrupting service.

When you are ready to install the upgrade, follow these instructions from the beginning, including the prerequisites in the Before You Begin section, but choose the Install option.
• If you installed the upgrade:
  – Re-enable (resume) the listeners.
  – Save a configuration file for the new system. For information, see Managing the Configuration File, page 33-7.
• After upgrade is complete, re-enable listeners.

• This feature requires a unique IPv4 address for the dedicated Remote Power Control interface. This interface is configurable only via the procedure described in this section; it cannot be configured using the ipconfig command.
• In order to cycle appliance power, you will need a third-party tool that can manage devices that support the Intelligent Platform Management Interface (IPMI) version 2.0.

Caution You must have a configuration file for the version you wish to revert to. Configuration files are not backwards-compatible.

Reverting AsyncOS on Virtual Appliances May Impact the License

If you revert from AsyncOS 9.0 for Email to AsyncOS 8.5 for Email, the license does not change. If you revert from AsyncOS 9.0 for Email to AsyncOS 8.

WARNING: Reverting the appliance is extremely destructive.

Available version Install date
1. 5.5.0-236 Tue Aug 28 11:03:44 PDT 2007
2. 5.5.0-330 Tue Aug 28 13:06:05 PDT 2007
3. 5.5.0-418 Wed Sep 5 11:17:08 PDT 2007
Please select an AsyncOS version: 2
You have selected "5.5.0-330".
The system will now reboot to perform the revert operation.

Step 7 Wait for the appliance to reboot twice.
You can modify the return address for system-generated email messages in the GUI or in the CLI using the addressconfig command.

Procedure
Step 1 Navigate to the System Administration > Return Addresses page.
Step 2 Click Edit Settings.
Step 3 Make changes to the address or addresses you want to modify.
Step 4 Submit and commit your changes.
Because alert messages can be used to inform you of problems within your appliance, they are not sent using AsyncOS’s normal mail delivery system. Instead, alert messages pass through a separate and parallel email system designed to operate even in the face of significant system failure in AsyncOS.

Example Alert Message

Date: 23 Mar 2005 21:10:19 +0000
To: joe@example.com
From: IronPort C60 Alert [alert@example.com]
Subject: Critical-example.com: (Anti-Virus) update via http://newproxy.example.com failed

The Critical message is:
update via http://newproxy.example.com failed

Version: 4.5.0-419
Serial Number: XXXXXXXXXXXX-XXXXXXX
Timestamp: Tue May 10 09:39:24 2005

For more information about this error, please see
http://support.ironport.
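An added example, not AsyncOS code, of parsing an alert message with the layout shown above into fields that a ticketing or SIEM pipeline can route on (severity and hostname from the subject, the component in parentheses, and the Version, Serial Number and Timestamp lines from the body). The sample text is constructed from the example message; the returned field names are assumptions.

```python
# Added example: parse an AsyncOS alert message like the one above into
# fields a ticketing or SIEM pipeline can route on. Not AsyncOS code; the
# sample text is constructed from the example message, and the returned
# field names are assumptions.
import re
from email import message_from_string

SAMPLE_ALERT = """\
Date: 23 Mar 2005 21:10:19 +0000
To: joe@example.com
From: IronPort C60 Alert [alert@example.com]
Subject: Critical-example.com: (Anti-Virus) update via http://newproxy.example.com failed

The Critical message is:
update via http://newproxy.example.com failed

Version: 4.5.0-419
Serial Number: XXXXXXXXXXXX-XXXXXXX
Timestamp: Tue May 10 09:39:24 2005
"""

# Subject layout observed above: <severity>-<hostname>: (<component>) <text>
SUBJECT_RE = re.compile(
    r"^(?P<severity>Critical|Warning|Information)-(?P<host>\S+): "
    r"\((?P<component>[^)]+)\) (?P<text>.*)$"
)


def parse_alert(raw):
    """Return a dict of alert fields, or None if the subject is not an alert."""
    msg = message_from_string(raw)
    match = SUBJECT_RE.match(msg["Subject"] or "")
    if match is None:
        return None
    body = msg.get_payload()
    fields = {}
    for key in ("Version", "Serial Number", "Timestamp"):
        # Body fields are "Key: value" lines; an absent key yields None.
        found = re.search(rf"^{re.escape(key)}: (.+)$", body, re.MULTILINE)
        fields[key.lower().replace(" ", "_")] = found.group(1).strip() if found else None
    return {
        "severity": match["severity"],
        "host": match["host"],
        "component": match["component"],
        "text": match["text"],
        "from": msg["From"],
        "to": msg["To"],
        **fields,
    }
```

Because alerts travel outside the normal delivery pipeline, a parser like this is usually the first place to notice that a Critical alert arrived; keying on the parsed severity and component rather than on free text keeps the routing stable when the message text changes.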
Step 4 (Optional) If you want to receive software release and critical support notification alerts from Cisco Support, check the Release and Support Notifications checkbox.
Step 5 Select the alert types and severities that this recipient will receive.
Step 6 Submit and commit your changes.

Configuring Alert Settings

The following settings apply to all alerts.

Sending Duplicate Alerts

You can specify the initial number of seconds to wait before AsyncOS will send a duplicate alert. If you set this value to 0, duplicate alert summaries are not sent and instead, all duplicate alerts are sent without any delay (this can lead to a large amount of email over a short amount of time). The number of seconds to wait between sending duplicate alerts (alert interval) is increased after each alert is sent.
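An added example, not AsyncOS code, of the duplicate-alert behaviour described above: duplicates inside the current window are held back and counted for a summary, the window grows after each alert that is sent, and a value of 0 sends every duplicate immediately. The guide does not say by how much the interval grows, so doubling it and capping it at max_interval are assumptions, as are the class and function names.

```python
# Added example: duplicate-alert throttling with an interval that grows after
# each sent alert, as described above. Not AsyncOS code: the guide does not
# state how much the interval grows, so doubling and the cap are assumptions,
# and the class and function names are hypothetical.

class DuplicateAlertThrottle:
    def __init__(self, initial_interval, max_interval=3600):
        self.initial = initial_interval      # seconds; 0 disables summarising
        self.max_interval = max_interval     # assumed upper bound on the interval
        self._state = {}                     # key -> (next_allowed_at, next_interval)
        self._held = {}                      # key -> duplicates held back so far

    def decide(self, key, now):
        """Return (send, held): whether to send now and how many duplicates
        were held back since the last sent alert for this key."""
        if self.initial == 0:
            return True, 0                   # every duplicate goes out immediately
        next_allowed, interval = self._state.get(key, (0, self.initial))
        if now < next_allowed:
            self._held[key] = self._held.get(key, 0) + 1
            return False, 0                  # suppressed until the window expires
        # Send, then lengthen the wait before the next duplicate may be sent.
        self._state[key] = (now + interval, min(interval * 2, self.max_interval))
        return True, self._held.pop(key, 0)


def simulate(throttle, events):
    """events: (time_seconds, alert_key) pairs in time order.
    Returns the list of (time, held_duplicates) for alerts actually sent."""
    out = []
    for t, key in events:
        send, held = throttle.decide(key, t)
        if send:
            out.append((t, held))
    return out


# Constructed event stream: a repeating RAID alert plus one unrelated alert.
EVENTS = [(0, "raid"), (100, "raid"), (300, "raid"), (600, "raid"),
          (900, "raid"), (1900, "raid"), (1900, "disk")]
```

With an initial interval of 300 seconds the RAID alert goes out at 0, 300 and 900 seconds and the held duplicates are reported with each send; with the interval set to 0 all seven events are sent, which is the flood the guide warns about.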
Chapter 33 System Administration Alerts Table 33-1 Listing of Possible Anti-Spam Alerts (continued) Alert Name Message and Description AS.TOOL.INFO_ALERT Update - $engine - $message AS.TOOL.ALERT Update - $engine - $message Parameters ‘engine’ - The anti-spam engine name Information. Sent when there is a problem with the anti-spam engine. ’message’ - The message ‘engine’ - The anti-spam engine name Critical.
Chapter 33 System Administration Alerts Table 33-2 Listing of Possible Anti-Virus Alerts (continued) Alert Name Message and Description Parameters MAIL.SCANNER. MID $mid is malformed and cannot be scanned by $engine. ‘mid’ - MID PROTOCOL_MAX_RETRY Critical. The scanning engine attempted to scan the message ’engine’ - The engine being unsuccessfully because the message is malformed.
Chapter 33 System Administration Alerts Table 33-4 Listing of Possible Hardware Alerts (continued) Alert Name Message and Description Parameters SYSTEM.RAID_EVENT_ ALERT A RAID-event has occurred: $error ‘error’ - The text of the RAID error. Warning. Sent when a critical RAID-event occurs. SYSTEM.RAID_EVENT_ ALERT_INFO A RAID-event has occurred: $error Information. Sent when a RAID-event occurs. ‘error’ - The text of the RAID error.
Chapter 33 System Administration Alerts Table 33-5 Listing of Possible Spam Quarantine Alerts (continued) Alert Name Message and Description Parameters ISQ.MSG_RLS_FAILED_ UNK_RCPTS ISQ: Failed to release MID $mid: $reason ‘mid’ - MID ISQ.NO_EU_PROPS ISQ: Could not retrieve $user’s properties. Setting defaults ’user’ - end user name Warning. Sent when a message is not successfully released ’reason’ - Why the message because the recipient is unknown. was not released Information.
Chapter 33 System Administration Alerts Table 33-7 Listing of Possible System Alerts (continued) Component/Alert Name Message and Description Parameters COMMON.KEY_EXPIRED_ALERT Your "$feature" key has expired. Please contact your authorized Cisco sales representative. ’feature’ - The name of the feature that is about to expire. Warning. Sent when a feature key has expired. COMMON.KEY_EXPIRING_ALERT Your "$feature" key will expire in under $days day(s).
Chapter 33 System Administration Alerts Table 33-7 Listing of Possible System Alerts (continued) Component/Alert Name Message and Description Parameters INTERFACE. FAILOVER.FAILURE_ BACKUP_RECOVERED Standby port $port on $pair_name okay ’port’ - Failed port Information. Sent when a NIC pair failover is recovered. ’pair_name’ - Failover pair name. Port $port failure on $pair_name, switching to $port_other ’port’ - Failed port. Critical.
Chapter 33 System Administration Alerts Table 33-7 Listing of Possible System Alerts (continued) Component/Alert Name Message and Description Parameters LDAP.HARD_ERROR LDAP: work queue processing error in $name reason $why ’name’ - The name of the query. Critical. Sent when an LDAP query fails completely (after trying all servers). LOG.ERROR.* Critical. Various logging errors. MAIL.FILTER.RULE_MATCH_ALERT MID $mid matched the $rule_name rule. \n Details: $details Information.
Chapter 33 System Administration Alerts Table 33-7 Listing of Possible System Alerts (continued) Component/Alert Name Message and Description Parameters MAIL.RES_CON_START_ ALERT.QUEUE This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical system resources. Queue utilization for this system has exceeded the resource conservation threshold of $queue_threshold_start%.
Chapter 33 System Administration Alerts Table 33-7 Listing of Possible System Alerts (continued) Component/Alert Name Message and Description Parameters QUARANTINE.ADD_DB_ ERROR Unable to quarantine MID $mid - quarantine system unavailable ’mid’ - MID Critical. Sent when a message cannot be sent to a quarantine. QUARANTINE.DB_ UPDATE_FAILED Unable to update quarantine database (current version: $version; target $target_version) ’version’ - The schema version detected. Critical.
Component/Alert Name: REPORTING.CLIENT.JOURNAL.FULL
Message: Reporting Client: The reporting system is unable to maintain the rate of data being generated. Any new data generated will be lost.
Description: Critical. Sent if the reporting engine is unable to store new data.

Component/Alert Name: REPORTING.CLIENT.JOURNAL.FREE
Message: Reporting Client: The reporting system is now able to handle new data.
Description: Information.
Component/Alert Name: SYSTEM.RCPTVALIDATION.UPDATE_FAILED
Message: Error updating recipient validation data: $why
Description: Critical. Sent when a recipient validation update failed.
Parameters: 'why' - The error message.

Component/Alert Name: SYSTEM.SERVICE_TUNNEL.DISABLED
Message: Tech support: Service tunnel has been disabled

Component/Alert Name: SYSTEM.SERVICE_TUNNEL.
Table 33-8 Listing of Possible Updater Alerts (continued)

Alert Name: UPDATER.UPDATERD.RELEASE_NOTIFICATION
Message: $mail_text
Description: Warning. Release notification.
Parameters: 'mail_text' - The notification text. 'notification_subject' - The notification text.

Alert Name: UPDATER.UPDATERD.UPDATE_FAILED
Message: Unknown error occured: $traceback
Description: Critical. Failed to run an update.
Parameters: 'traceback' - The traceback.
Table 33-10 Listing of Possible Clustering Alerts (continued)

Alert Name: CLUSTER.CC_ERROR.DROPPED
Message: Error connecting to cluster machine $name at IP $ip - $error - $why
  $error:=Existing connection dropped
Description: Warning. Sent when the connection to the cluster was dropped.
Parameters: 'name' - The hostname and/or serial number of the machine. 'ip' - The IP of the remote host. 'why' - Detailed text about the error.

Alert Name: CLUSTER.CC_ERROR.
Alert Name: CLUSTER.CC_ERROR.TIMEOUT
Message: Error connecting to cluster machine $name at IP $ip - $error - $why
  $error:=Operation timed out
Description: Warning. Sent when the specified operation timed out.
Parameters: 'name' - The hostname and/or serial number of the machine. 'ip' - The IP of the remote host. 'why' - Detailed text about the error.

Alert Name: CLUSTER.
Alert Name: CLUSTER.CC_ERROR_NOIP.SSH_KEY
Message: Error connecting to cluster machine $name - $error - $why
  $error:=Invalid host key
Description: Critical. Sent when the machine was unable to obtain
Parameters: 'name' - The hostname and/or serial number of the machine.
Changing Network Settings

The sethostname Command

oldname.example.com> sethostname
[oldname.example.com]> mail3.example.com
oldname.example.com>

For the hostname change to take effect, you must enter the commit command. After you have successfully committed the hostname change, the new name appears in the CLI prompt:

oldname.example.
AsyncOS supports "splitting" DNS servers when not using the Internet's DNS servers. If you are using your own internal server, you can also specify exception domains and associated DNS servers. When setting up "split DNS," you should set up the in-addr.arpa (PTR) entries as well. So, for example, if you want to redirect ".eng" queries to the nameserver 1.2.3.4 and all the .eng entries are in the 172.16 network, then you should specify "eng,16.172.
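Working out which reverse zones belong with a split-DNS exception is easy to get wrong for networks that are not octet-aligned. The following is an added example (not code from the guide or from AsyncOS) that derives the in-addr.arpa zone names for an IPv4 network and builds the list of domains, forward plus reverse, that should be routed to the internal server. It generalizes the "172.16 network" case in the text to any prefix length; the function names and the `split_dns_domains` helper are this example's own.

```python
import ipaddress


def reverse_zones(network):
    """Return the in-addr.arpa zone name(s) that cover an IPv4 network.

    A prefix on an octet boundary (/8, /16, /24) maps to exactly one zone,
    e.g. 172.16.0.0/16 -> "16.172.in-addr.arpa".  Any other prefix is expanded
    to the zones at the next octet boundary (a /20 becomes sixteen /24 zones),
    because in-addr.arpa delegation only happens on octet boundaries.
    """
    net = ipaddress.ip_network(network, strict=True)  # reject host bits set
    if net.version != 4:
        raise ValueError("only IPv4 in-addr.arpa zones are handled here")
    # Round the prefix length up to the next multiple of 8 (at least 8).
    zone_prefix = max(8, ((net.prefixlen + 7) // 8) * 8)
    zones = []
    for sub in net.subnets(new_prefix=zone_prefix):
        octets = str(sub.network_address).split(".")[: zone_prefix // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def split_dns_domains(forward_domain, networks):
    """Domains to send to the internal server: the forward domain plus the
    reverse zones of every network whose PTR records that server holds."""
    domains = [forward_domain.strip(".")]
    for network in networks:
        for zone in reverse_zones(network):
            if zone not in domains:
                domains.append(zone)
    return domains


if __name__ == "__main__":
    # Constructed input matching the text: ".eng" hosts live in 172.16.0.0/16.
    print(split_dns_domains("eng", ["172.16.0.0/16"]))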
Reverse DNS Lookup Timeout

The appliance attempts to perform a "double DNS lookup" on all remote hosts connecting to a listener for the purposes of sending or receiving email. [That is: the system acquires and verifies the validity of the remote host's IP address by performing a double DNS lookup.
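The double lookup described above is a PTR query on the connecting IP followed by an A query on the name it returns, accepted only when the A answer contains the original IP. The code below is an added illustration of that check, not the appliance's implementation; it takes the two resolver functions as parameters so it can run offline against constructed PTR/A tables, and `system_reverse`/`system_forward` (this example's own names) show the same check wired to the standard library resolver with the socket default timeout standing in for the reverse-lookup timeout setting.

```python
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class DoubleLookupResult:
    ip: str
    ptr_name: Optional[str]
    verified: bool
    reason: str


def double_dns_lookup(ip, reverse, forward):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, then A(name) must contain ip.

    `reverse(ip)` returns a hostname (or "" when no PTR exists) and `forward(name)`
    returns a set of IPv4 strings; both raise LookupError on resolver failure.
    """
    try:
        ptr = reverse(ip)
    except LookupError as exc:
        return DoubleLookupResult(ip, None, False, f"PTR lookup failed: {exc}")
    if not ptr:
        return DoubleLookupResult(ip, None, False, "no PTR record")
    try:
        addrs = forward(ptr)
    except LookupError as exc:
        return DoubleLookupResult(ip, ptr, False, f"A lookup for {ptr} failed: {exc}")
    if ip in addrs:
        return DoubleLookupResult(ip, ptr, True, "PTR and A records agree")
    return DoubleLookupResult(ip, ptr, False,
                              f"{ptr} resolves to {sorted(addrs)}, not {ip}")


# --- constructed resolver tables (documentation addresses, not real hosts) ---
CONSTRUCTED_PTR = {
    "192.0.2.10": "mx1.example.com",   # PTR and A agree
    "192.0.2.20": "mx2.example.com",   # PTR exists but A points elsewhere
    "192.0.2.30": "",                  # no PTR record
}
CONSTRUCTED_A = {
    "mx1.example.com": {"192.0.2.10"},
    "mx2.example.com": {"192.0.2.21"},
}


def constructed_reverse(ip):
    if ip not in CONSTRUCTED_PTR:
        raise LookupError("NXDOMAIN")
    return CONSTRUCTED_PTR[ip]


def constructed_forward(name):
    if name not in CONSTRUCTED_A:
        raise LookupError("NXDOMAIN")
    return CONSTRUCTED_A[name]


# --- the same check against the system resolver (not used by the offline demo) ---
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:           # socket.herror / timeout are OSError subclasses
        raise LookupError(str(exc)) from exc


def system_forward(name):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError as exc:
        raise LookupError(str(exc)) from exc


if __name__ == "__main__":
    socket.setdefaulttimeout(5.0)  # bound each live lookup, like the reverse DNS timeout
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"]:
        print(double_dns_lookup(ip, constructed_reverse, constructed_forward))
```

A host that fails the check is not necessarily malicious (many legitimate senders have no PTR at all), which is why the result carries a reason rather than a verdict: it is an input to a connection or reputation policy, not the policy itself.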
Note You can enter multiple domains for a single DNS server by using commas to separate domain names. You can also enter multiple DNS servers by using commas to separate IP addresses.

Step 6  Choose an interface for DNS traffic.
Step 7  Enter the number of seconds to wait before cancelling a reverse DNS lookup.
Step 8  You can also clear the DNS cache by clicking Clear Cache.
Step 9  Submit and commit your changes.
Configuring SSL Settings

You can configure the SSL settings for the appliance using the SSL Configuration Settings page or the sslconfig command.

Procedure
Step 1  Click System Administration > SSL Configuration Settings.
Step 2  Click Edit Settings.
Step 3  Depending on your requirements, do the following:
  • Set GUI HTTPS SSL settings. Under GUI HTTPS, specify the SSL methods and ciphers that you want to use.
  • Set Inbound SMTP SSL settings.
Choose the service to toggle SSLv3 settings:
1. EUQ Service
2. LDAP Service
3. Updater Service
4. Web Security Service
[1]>
Do you want to enable SSLv3 for EUQ Service ? [Y]>n

Choose the operation you want to perform:
- SETUP - Toggle SSLv3 settings.
System Time

Editing Time Settings

You can edit the time settings for the appliance using one of the following methods:
• Using the Network Time Protocol (NTP)
• Manually Setting Appliance System Time

Using the Network Time Protocol (NTP)

Procedure
Step 1  Navigate to the System Administration > Time Settings page.
Step 2  Click Edit Settings.
Step 3  In the Time Keeping Method section, select Use Network Time Protocol.
Customizing Your View

To: Add pages to your favorites list
Do this: Navigate to the page to add, then choose Add This Page To My Favorites from the My Favorites menu near the top right corner of the window. No commit is necessary for changes to My Favorites.

To: Reorder favorites
Do this: Choose My Favorites > View All My Favorites and drag favorites into the desired order.

To: Delete favorites
Do this: Choose My Favorites > View All My Favorites and delete favorites.
Step 6  Click the Return to previous page link at the bottom of the page.

Overriding Internet Explorer Compatibility Mode

For better web interface rendering, Cisco recommends that you enable Internet Explorer Compatibility Mode Override.

Note If enabling this feature is against your organizational policy, you may disable this feature.

Procedure
Step 1  Click System Administration > General Settings.
CHAPTER 34 Managing and Monitoring Using the CLI

• Overview of Managing and Monitoring Using the CLI, page 34-1
• Monitoring Using the CLI, page 34-6
• Managing the Email Queue, page 34-22
• Monitoring System Health and Status with SNMP, page 34-36

Overview of Managing and Monitoring Using the CLI

Managing and monitoring the Email Security appliance using the CLI includes these types of tasks:
• Monitoring message activity.
Reading the Available Components of Monitoring

• Reading the Available Components of Monitoring, page 34-2
• Reading the Event Counters, page 34-2
• Reading the System Gauges, page 34-4
• Reading the Rates of Delivered and Bounced Messages, page 34-6

Reading the Event Counters

Counters provide a running total of various events in the system.
Table 34-1 Counters (continued)

Statistic: Rejection - Rejected Recipients
Description: Recipients that have been denied receiving into the delivery queue due to the Recipient Access Table (RAT), or unexpected protocol negotiation including premature connection termination.
Statistic: Injection Connection ID (ICID)
Description: The last Injection Connection ID to have been assigned to a connection to a listener interface. The ICID rolls over (resets to zero) at 2^31.

Statistic: Delivery Connection ID (DCID)
Description: The last Delivery Connection ID to have been assigned to a connection to a destination mail server. The DCID rolls over (resets to zero) at 2^31.
Table 34-2 Gauges (continued)

Connections Gauges
Statistic: Current Inbound Connections
Description: Current inbound connections to the listener interfaces.
Statistic: Current Outbound Connections
Description: Current outbound connections to destination mail servers.

Queue Gauges
Statistic: Active Recipients
Description: Message recipients in the delivery queue. Total of Unattempted Recipients and Attempted Recipients.
Reading the Rates of Delivered and Bounced Messages

All rates are shown as the average rate an event occurs per hour at the specific point in time the query is made. Rates are calculated for three intervals, the average rate per hour over the past one (1) minute, the past five (5) minutes, and the past fifteen (15) minutes.
Monitoring Using the CLI

Monitoring the Email Status

You may want to monitor the status of email operations on the Cisco appliance. The status command returns a subset of the monitored information about email operations. The statistics returned are displayed in one of two fashions: counters and gauges. Counters provide a running total of various events in the system.
    Dropped Messages             11,606,037        219  11,606,037
  Queue
    Soft Bounced Events           2,334,552     13,598   2,334,552
  Completion
    Completed Recipients         50,441,741    332,625  50,441,741
  Current IDs
    Message ID (MID)               99524480
    Injection Conn. ID (ICID)      51180368
    Delivery Conn. ID (DCID)       17550674

Gauges:
  Connections
    Current Inbound Conn.
    Current Outbound Conn.
the query is made. Rates are calculated for three intervals, the average rate per hour over the past one (1) minute, the past five (5) minutes, and the past fifteen (15) minutes. For a description of each item, see Overview of Managing and Monitoring Using the CLI, page 34-1.

Example

mail3.example.
    DNS Hard Bounces                    199          0       3,235
    5XX Hard Bounces                  2,151          0       4,520
    Expired Hard Bounces                119          0         120
    Filter Hard Bounces                   0          0           0
    Other Hard Bounces                    0          0           0
    Delivered Recipients          2,589,270     49,095   3,137,126
    Deleted Recipients                    1          0           1
    Global Unsub. Hits                    0          0           0
    DomainKeys Signed Msgs               10          9          10
  Current IDs
    Message ID (MID)                7615199
    Injection Conn. ID (ICID)       3263654
    Delivery Conn.
  CPU Utilization
    MGA                        0%
    AntiSpam                   0%
    AntiVirus                  0%
  Disk I/O Utilization         0%
  Resource Conservation         0
  Connections
    Current Inbound Conn.       0
    Current Outbound Conn.
Data returned is cumulative since the last resetcounters command. The statistics returned are displayed in two categories: counters and gauges. For a description of each item, see Overview of Managing and Monitoring Using the CLI, page 34-1. In addition, these other data are returned specific to the hoststatus command.
Example

mail3.example.com> hoststatus
Recipient host:
[]> aol.com
Host mail status for: 'aol.
  Connections
    Current Outbound Connections     0
    Pending Outbound Connections     0
  Oldest Message                     No Messages
  Last Activity                      Tue Mar 02 15:17:32 2010
  Ordered IP addresses: (expiring at Tue Mar 02 16:17:32 2010)
    Preference  IPs
    15          64.12.137.121   64.12.138.89    64.12.138.120
    15          64.12.137.89    64.12.138.152   152.163.224.122
    15          64.12.137.184   64.12.137.89    64.12.136.57
    15          64.12.138.57    64.12.136.153   205.188.156.122
    15          64.12.138.
  Last TLS Error: Required - Verify
    TLS required, STARTTLS unavailable (at Tue Mar 02 15:17:32 2010 GMT) IP: 10.10.10.10
  Virtual gateway information:
  ============================================================
  example.com (PublicNet_017):
    Host up/down: up
    Last Activity Wed June 22 13:47:02 2005
    Recipients 0

Note The Virtual Gateway address information only appears if you are using the altsrchost feature.
4. Soft Bounced Events
5. Hard Bounced Recipients
[1]> 1

Status as of: Mon Nov 18 22:22:23 2003

                      Active  Conn.  Deliv.   Soft     Hard
#   Recipient Host    Recip   Out    Recip.   Bounced  Bounced
1   aol.com           365     10     255      21       8
2   hotmail.com       290     7      198      28       13
3   yahoo.com         134     6      123      11       19
4   excite.com        98      3      84       9        4
5   msn.com           84      2      76       33       29

mail3.example.
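The tophosts table above is the kind of output an operator would want to watch over time rather than read once: a destination whose hard bounces are high relative to its deliveries usually means bad recipient data or a blocked sending IP. The following added example (not part of the guide or of AsyncOS) parses a constructed copy of that table, using the same five hosts and numbers, and flags hosts whose hard-bounce share of attempted deliveries exceeds a threshold. The row format, the 10% threshold and the ratio definition (hard bounced divided by delivered plus hard bounced) are this example's own choices.

```python
import re
from collections import namedtuple

HostRow = namedtuple(
    "HostRow",
    "rank host active_recip conn_out delivered soft_bounced hard_bounced",
)

# One data row: rank, host, then the five numeric columns of the table.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

# Constructed transcript mirroring the tophosts output shown in the text.
CONSTRUCTED_TOPHOSTS = """\
Status as of: Mon Nov 18 22:22:23 2003

                      Active  Conn.  Deliv.   Soft     Hard
#   Recipient Host    Recip   Out    Recip.   Bounced  Bounced
1   aol.com           365     10     255      21       8
2   hotmail.com       290     7      198      28       13
3   yahoo.com         134     6      123      11       19
4   excite.com        98      3      84       9        4
5   msn.com           84      2      76       33       29
mail3.example.com>
"""


def parse_tophosts(text):
    """Return a HostRow per data line; header, status and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rank, host, *nums = m.groups()
        rows.append(HostRow(int(rank), host, *map(int, nums)))
    return rows


def hard_bounce_ratio(row):
    """Share of attempted deliveries (delivered + hard bounced) that hard bounced."""
    attempted = row.delivered + row.hard_bounced
    return row.hard_bounced / attempted if attempted else 0.0


def flag_hosts(rows, threshold=0.10):
    """Hosts at or above the threshold, worst first."""
    flagged = [r for r in rows if hard_bounce_ratio(r) >= threshold]
    flagged.sort(key=hard_bounce_ratio, reverse=True)
    return [r.host for r in flagged]


if __name__ == "__main__":
    rows = parse_tophosts(CONSTRUCTED_TOPHOSTS)
    for r in rows:
        print(f"{r.host:<14} hard-bounce ratio {hard_bounce_ratio(r):.3f}")
    print("flagged:", flag_hosts(rows))
```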
Example

mail3.example.com> rate
Enter the number of seconds between displays.
[10]> 1
Hit Ctrl-C to return to the main prompt.
Table 34-8 Data in the hostrate Command

Statistic: Hard Bounced Recipients Delta
Description: Difference in the total number of hard bounced recipients to the specific host in queue since the last known host status.

Statistic: Soft Bounce Events Delta
Description: Difference in the total number of soft bounced recipients to the specific host in queue since the last known host status.

Use Control-C to stop the hostrate command.

Example

mail3.
Monitoring Inbound Email Connections

You may want to monitor hosts that are connecting to the Cisco appliance to identify the large volume senders or to troubleshoot inbound connections to the system. The topin command provides a snapshot of the remote hosts connecting to the system. It displays a table with one row for each remote IP address connecting to a specific listener.
8   mail.remotedomain08.com   172.16.0.9    Incoming01   3
9   mail.remotedomain09.com   172.16.0.10   Incoming01   3
10  mail.remotedomain10.com   172.16.0.11   Incoming01   2
11  mail.remotedomain11.com   172.16.0.12   Incoming01   2
12  mail.remotedomain12.com   172.16.0.13   Incoming02   2
13  mail.remotedomain13.com   172.16.0.14   Incoming01   2
14  mail.remotedomain14.com   172.16.0.15   Incoming01   2
15  mail.remotedomain15.com   172.16.0.
Table 34-10 Data in the dnsstatus Command (continued)

Statistic: Cache Exceptions
Description: A request to the DNS cache where the record was found but the domain was unknown.

Statistic: Cache Expired
Description: A request to the DNS cache where the record was found in the cache, considered for use, and discarded because it was too old. Many entries can exist in the cache even though their time to live (TTL) has been exceeded.
Example

mail3.example.com> resetcounters
Counters reset: Mon Jan 01 12:00:01 2003

Identifying Active TCP/IP Services

To identify active TCP/IP services used by your Email Security appliance, use the tcpservices command in the command line interface.

Managing the Email Queue

Cisco AsyncOS allows you to perform operations on messages in the email queue. You can delete, bounce, suspend, or redirect messages in the email queue.
Example

mail3.example.com> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]>

The Cisco appliance gives you various options to delete recipients depending upon the need. The following example shows deleting recipients by recipient host, deleting by Envelope From Address, and deleting all recipients in the queue.
Delete by Envelope From Address

Please enter the Envelope From address for the messages you wish to delete.
[]> mailadmin@example.com
Are you sure you want to delete all messages with the Envelope From address of "mailadmin@example.com"? [N]> Y
Deleting messages, please wait.
100 messages deleted.
Example

mail3.example.com> bouncerecipients
Please select how you would like to bounce messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]>

Recipients to be bounced are identified by either the destination recipient host or the message sender identified by the specific address given in the Envelope From line of the message envelope. Alternately, all messages in the delivery queue can be bounced at once.
Bounce All

Are you sure you want to bounce all messages in the queue? [N]> Y
Bouncing messages, please wait.
1000 messages bounced.

Redirecting Messages in Queue

The redirectrecipients command allows you to redirect all messages in the email delivery queue to another relay host.
Showing Messages Based on Recipient in Queue

Use the showrecipients command to show messages from the email delivery queue by recipient host or Envelope From address. You can also show all messages in the queue.

Example

The following example shows messages in the queue for all recipient hosts.

mail3.example.com> showrecipients
Please select how you would like to show messages:
1. By recipient host.
2. By Envelope From address.
3.
1532  1230  user123456@ironport.com  Testing  [0]  [0]  1820@example.com
1531  1230  user123456@ironport.com  Testing  [0]  [0]  9595@example.com
1518  1230  user123456@ironport.com  Testing  [0]  [0]  8778@example.com
1535  1230  user123456@ironport.com  Testing  [0]  [0]  1703@example.com
1533  1230  user123456@ironport.com  Testing  [0]  [0]  3052@example.com
1536  1230  user123456@ironport.com  Testing  [0]  [0]  511@example.
Note The "delivery suspend" state is preserved across system reboots. If you use the suspenddel command and then reboot the appliance, you must resume delivery after the reboot using the resumedel command.

Example

mail3.example.com> suspenddel
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
Syntax suspendlistener

mail3.example.com> suspendlistener
Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. InboundMail
3. OutboundMail
[1]> 1
Enter the number of seconds to wait before abruptly closing connections.
[30]>
Waiting for listeners to exit...
Receiving suspended.
mail3.example.
3. OutboundMail
[1]> 1
Receiving resumed.
mail3.example.com>

Resuming Delivery and Receiving of Email

The resume command resumes both delivery and receiving.

Syntax resume

mail3.example.com> resume
Receiving resumed.
Mail delivery resumed.
mail3.example.com>

Scheduling Email for Immediate Delivery

Recipients and hosts that are scheduled for later delivery can be immediately retried by using the delivernow command.
[1]> 1
Please enter the domain to schedule for immediate delivery.
[]> recipient.example.com
Rescheduling all messages to recipient.example.com for immediate delivery.
mail3.example.com>

Pausing the Work Queue

Processing for LDAP recipient access, masquerading, LDAP re-routing, Message Filters, anti-spam, and the anti-virus scanning engine are all performed in the "work queue.
- PAUSE - Pause the work queue
- RATE - Display work queue statistics over time
[]> pause
Manually pause work queue? This will only affect unprocessed messages. [N]> y
Reason for pausing work queue:
[]> checking LDAP server
Status as of:            Sun Aug 17 20:04:21 2003 GMT
Status:                  Paused by admin: checking LDAP server
Messages:                1243

Note Entering a reason is optional.
Status:                  Operational
Messages:                1243

Locating and Archiving Older Messages

Sometimes older messages remain in the queue because they could not be delivered. You may want to remove and archive these messages. To do this, use the showmessage CLI command to display the message for the given message ID. Use the oldmessage CLI command to display the oldest non-quarantine message on the system.
        by example.com with SMTP; 14 Feb 2007 22:11:37 -0800
From: user123@example.com
To: 4031@test.example2.com
Subject: Testing
Message-Id: <20070215061136.68297.16346@example.com>

Tracking Messages Within the System

The findevent CLI command simplifies the process of tracking messages within the system using the onbox mail log files.
Monitoring System Health and Status with SNMP

1. All available log files
2. Select log files by date list
3. Current log file
[3]> 3
The following matching message IDs were found. Please choose one to show additional log information:
1. MID 4 (Tue Jul 31 17:37:35 2007) sales: confidential
[1]> 1
Tue Jul 31 17:37:32 2007 Info: New SMTP ICID 2 interface Data 1 (172.19.1.86) address 10.251.20.
• If you use only SNMPv1 or SNMPv2, you must set a community string. The community string does not default to public.
• For SNMPv1 and SNMPv2, you must specify a network from which SNMP GET requests are accepted.
• To use traps, an SNMP manager (not included in AsyncOS) must be running and its IP address entered as the trap target.
To see the available traps and threshold values on your appliance, run the snmpconfig command from the command-line interface. Note that failure condition alarm traps represent a critical failure of the individual component, but may not cause a total system failure. For example, a single fan or power supply can fail on an appliance with multiple fans or power supplies and the appliance will continue to operate.
Enter the SNMPv3 authentication passphrase.
[]>
Please enter the SNMPv3 authentication passphrase again to confirm.
[]>
Enter the SNMPv3 privacy passphrase.
[]>
Please enter the SNMPv3 privacy passphrase again to confirm.
[]>
Service SNMP V1/V2c requests? [N]> Y
Enter the SNMP V1/V2c community string.
What threshold would you like to set for memory utilization?
[95]>
Enter the System Location string.
[Unknown: Not Yet Configured]> Network Operations Center - west; rack #30, position 3
Enter the System Contact string.
[snmp@localhost]> esa-admin@example.com
Current SNMP settings:
Listening on interface "Management" 198.51.100.1 port 161.
SNMP v3: Enabled.
CHAPTER 35 SenderBase Network Participation

• Overview of SenderBase Network Participation, page 35-1
• Sharing Statistics with SenderBase, page 35-1
• Frequently Asked Questions, page 35-2

Overview of SenderBase Network Participation

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers.
Frequently Asked Questions

Cisco recognizes that privacy is important to you, so we design and operate our services with the protection of your privacy in mind. If you enroll in SenderBase Network Participation, Cisco will collect aggregated statistics about your organization's email traffic; however, we do not collect or use any personally identifiable information.
Table 35-1 Statistics Shared Per Cisco Appliance (continued)

Item: Count of Outbreak quarantine messages broken down by what action was taken upon leaving quarantine
Sample Data: 10 messages had attachments stripped after leaving quarantine

Item: Sum of time messages were held in quarantine
Sample Data: 20 hours

Table 35-2 Statistics Shared Per IP Address

Item: Message count at various stages within the appliance
Sample Data: Seen by Anti-Virus e
Table 35-2 Statistics Shared Per IP Address (continued)

Item: Correlation of extension and true file type with attachment size
Sample Data: 30 attachments were ".
• Data sent from your Cisco appliances will be sent to the Cisco SenderBase Network servers using the secure protocol HTTPS.
• All customer data will be handled with care at Cisco. This data will be stored in a secure location and access to the data will be limited to employees and contractors at Cisco who require access in order to improve the company's email security products and services or provide customer support.
CHAPTER 36 Other Tasks in the GUI

The graphical user interface (GUI) is the web-based alternative to some command line interface (CLI) commands for system monitoring and configuration. The GUI enables you to monitor the system using a simple Web-based interface without having to learn the AsyncOS command syntax.
The Graphical User Interface (GUI)

In addition, all users (see Working with User Accounts, page 32-1) who attempt to access the GUI on this interface (either via HTTP or HTTPS) must authenticate themselves via a standard username and password login page.

Note You must save the changes by using the commit command before you are able to access the GUI.

In the following example, the GUI is enabled for the Data 1 interface.
Would you like to configure an IPv4 address for this interface (y/n)? [Y]>
IPv4 Address (Ex: 192.168.1.2):
[192.168.1.1]>
Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[24]>
Would you like to configure an IPv6 address for this interface (y/n)? [N]>
Ethernet interface:
1. Data 1
2. Data 2
3. Management
[1]>
Hostname:
[mail3.example.
Which port do you want to use for HTTPS?
[443]> 443
You have not entered a certificate. To assure privacy, run 'certconfig' first. You may use the demo certificate to test HTTPS, but this will not be secure.
Do you really wish to use a demo certificate? [N]> y
Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]> y
Currently configured interfaces:
1. Data 1 (192.168.1.1/24 on Data 1: mail3.example.
Do you want to save the current configuration for rollback? [Y]> n
Changes committed: Fri May 23 11:42:12 2014 GMT

System Information in the GUI

• On the System Overview page, you can:
  – View historical graphs and tables showing some of the key system status and performance information.
  – View the version of the AsyncOS operating system installed on the appliance.
  – View a subset of key statistics.
Gathering XML status from the GUI
CHAPTER 37 Advanced Network Configuration

This chapter includes information about advanced network configuration generally available via the etherconfig command, such as NIC pairing, VLANs, Direct Server Return, and more.
Media Settings on Ethernet Interfaces

Example of Editing Media Settings

mail3.example.com> etherconfig
Choose the operation you want to perform:
- MEDIA - View and edit ethernet media settings.
- PAIRING - View and configure NIC Pairing.
- VLAN - View and configure VLANs.
- LOOPBACK - View and configure Loopback.
- MTU - View and configure MTU.
[]> media
Ethernet interfaces:
1. Data 1 (Autoselect: <100baseTX full-duplex>) 00:06:5b:f3:ba:6d
2.
6. 1000baseTX half-duplex
7. 1000baseTX full-duplex
[1]> 5
Ethernet interfaces:
1. Data 1 (Autoselect: <100baseTX full-duplex>) 00:06:5b:f3:ba:6d
2. Data 2 (100baseTX full-duplex: <100baseTX full-duplex>) 00:06:5b:f3:ba:6e
3. Management (Autoselect: <100baseTX full-duplex>) 00:02:b3:c7:a2:da
Choose the operation you want to perform:
- EDIT - Edit an ethernet interface.
Network Interface Card Pairing/Teaming

You can create more than one NIC pair, providing you have enough data ports. When creating pairs, you can combine any two data ports. For example:
• Data 1 and Data 2
• Data 3 and Data 4
• Data 2 and Data 3
• etc.

Some Cisco appliances contain a fiber optic network interface option.
- MTU - View and configure MTU.
[]> pairing
Paired interfaces:
Choose the operation you want to perform:
- NEW - Create a new pairing.
[]> new
Please enter a name for this pair (Ex: "Pair 1"):
[]> Pair 1
Warning: The backup (Data 2) for the NIC Pair is currently configured with one or more IP addresses. If you continue, the Data 2 interface will be deleted.
Choose the operation you want to perform:
- DELETE - Delete a pairing.
- STATUS - Refresh status.
[]>

Virtual Local Area Networks (VLANs)

VLANs are virtual local area networks bound to physical data ports. You can configure VLANs to increase the number of networks the appliance can connect to beyond the number of physical interfaces included.
Figure 37-1 Using VLANs to increase the number of networks available on the appliance
[Figure: IronPort appliance configured for VLAN1, VLAN2, VLAN3; VLAN "Router"; networks DMZ, NOC; VLAN1, VLAN2, VLAN3]

VLANs can be used to segment networks for security purposes, to ease administration, or increase bandwidth.
Figure 37-2 Using VLANs to Facilitate Communication Between Appliances
[Figure: IronPort appliance configured for VLAN1, VLAN2, VLAN3 on its Data 2 interface; VLAN "Switch" or "Router"; VLAN1 Sales server; VLAN2 Internet; VLAN3 Finance server]

Managing VLANs

You can create, edit and delete VLANs via the etherconfig command. Once created, a VLAN can be configured via the Network -> Interfaces page or the interfaceconfig command in the CLI.
Choose the operation you want to perform:
- NEW - Create a new VLAN.
[]> new
VLAN ID for the interface (Ex: "34"):
[]> 34
Enter the name or number of the ethernet interface you wish bind to:
1. Data 1
2. Data 2
3. Management
[1]> 1
VLAN interfaces:
1. VLAN 34 (Data 1)
Choose the operation you want to perform:
- NEW - Create a new VLAN.
- EDIT - Edit a VLAN.
- DELETE - Delete a VLAN.
[1]> 1
VLAN interfaces:
1. VLAN 31 (Data 1)
2. VLAN 34 (Data 1)
Choose the operation you want to perform:
- NEW - Create a new VLAN.
- EDIT - Edit a VLAN.
- DELETE - Delete a VLAN.
[]>
Choose the operation you want to perform:
- MEDIA - View and edit ethernet media settings.
- PAIRING - View and configure NIC Pairing.
- VLAN - View and configure VLANs.
- LOOPBACK - View and configure Loopback.
Chapter 37 Advanced Network Configuration Virtual Local Area Networks (VLANs) Choose the operation you want to perform: - NEW - Create a new interface. - EDIT - Modify an interface. - GROUPS - Define interface groups. - DELETE - Remove an interface. []> new Please enter a name for this IP interface (Ex: "InternalNet"): []> InternalVLAN31 Would you like to configure an IPv4 address for this interface (y/n)? [Y]> IPv4 Address (Ex: 10.10.10.10): []> 10.10.31.10 Netmask (Ex: "255.255.255.
Chapter 37 Virtual Local Area Networks (VLANs) Hostname: []> mail31.example.com Do you want to enable SSH on this interface? [N]> Do you want to enable FTP on this interface? [N]> Do you want to enable HTTP on this interface? [N]> Do you want to enable HTTPS on this interface? [N]> Currently configured interfaces: 1. Data 1 (10.10.1.10/24: example.com) 2. InternalVLAN31 (10.10.31.10/24: mail31.example.com) 3. Management (10.10.0.10/24: example.
Chapter 37 Advanced Network Configuration Direct Server Return Figure 37-3 Using a VLAN when Creating a New IP Interface via the GUI Direct Server Return Direct Server Return (DSR) is a way of providing support for a light-weight load balancing mechanism to load balance between multiple Email Security appliances sharing the same Virtual IP (VIP). DSR is implemented via an IP interface created on the “loopback” ethernet interface on the appliance.
Chapter 37 Advanced Network Configuration Direct Server Return Figure 37-4 Using DSR to Load Balance Between Multiple Email Security Appliances on a Switch Default Gateway Switch Load Balancer VIP 1.1.1.1 IronPort Appliance 1 VIP 1.1.1.1/32 A:B:C:D:E:1 IronPort Appliance 2 VIP 1.1.1.1/32 A:B:C:D:E:2 Enabling the Loopback Interface via the etherconfig Command Once enabled, the loopback interface is treated like any other interface (e.g. Data 1): mail3.example.
Chapter 37 Advanced Network Configuration Direct Server Return Currently configured loopback interface: 1. Loopback Choose the operation you want to perform: - DISABLE - Disable Loopback Interface. []> Choose the operation you want to perform: - MEDIA - View and edit ethernet media settings. - PAIRING - View and configure NIC Pairing. - VLAN - View and configure VLANs. - LOOPBACK - View and configure Loopback. - MTU - View and configure MTU.
Chapter 37 Advanced Network Configuration Direct Server Return []> new Please enter a name for this IP interface (Ex: "InternalNet"): []> LoopVIP Would you like to configure an IPv4 address for this interface (y/n)? [Y]> IPv4 Address (Ex: 10.10.10.10): []> 10.10.1.11 Netmask (Ex: "255.255.255.0" or "0xffffff00"): [255.255.255.0]> 255.255.255.255 Would you like to configure an IPv6 address for this interface (y/n)? [N]> Ethernet interface: 1. Data 1 2. Data 2 3. Loopback 4. Management 5.
Chapter 37 Advanced Network Configuration Direct Server Return Do you want to enable FTP on this interface? [N]> Do you want to enable HTTP on this interface? [N]> Do you want to enable HTTPS on this interface? [N]> Currently configured interfaces: 1. Data 1 (10.10.1.10/24: example.com) 2. InternalV1 (10.10.31.10/24: mail31.example.com) 3. LoopVIP (10.10.1.11/24: example.com) 4. Management (10.10.0.10/24: example.com) Choose the operation you want to perform: - NEW - Create a new interface.
Chapter 37 Advanced Network Configuration Ethernet Interface’s Maximum Transmission Unit Figure 37-5 Creating a Listener on the New Loopback IP Interface Ethernet Interface’s Maximum Transmission Unit The maximum transmission unit (MTU) is the largest unit of data that an ethernet interface will accept. You can decrease the MTU for an ethernet interface using the etherconfig command. The default MTU size is 1500 bytes, which is the largest MTU that the ethernet interface can accept.
Chapter 37 Advanced Network Configuration Ethernet Interface’s Maximum Transmission Unit Choose the operation you want to perform: - EDIT - Edit an ethernet interface. []> edit Enter the name or number of the ethernet interface you wish to edit. []> 2 Please enter a non-default (1500) MTU value for the Data 2 interface. []> 1200 Ethernet interfaces: 1. Data 1 mtu 1400 2. Data 2 mtu 1200 3. Management default mtu 1500 Choose the operation you want to perform: - EDIT - Edit an ethernet interface.
Chapter 37 Ethernet Interface’s Maximum Transmission Unit AsyncOS 9.1.
Chapter 38 Logging

• Overview, page 38-1
• Log Types, page 38-8
• Log Subscriptions, page 38-38

Overview

• Understanding Log Files and Log Subscriptions, page 38-1
• Log Types, page 38-1
• Log Retrieval Methods, page 38-6

Understanding Log Files and Log Subscriptions

Logs are a compact, efficient method of gathering critical information about the email operations of AsyncOS. These logs record information regarding activity on your appliance.

AsyncOS for Email generates the following log types:

Table 38-1 Log Types

Text Mail Logs: Text mail logs record information regarding the operations of the email system, for example message receiving, message delivery attempts, open and closed connections, bounces, TLS connections, and others.

Table 38-1 Log Types (continued)

GUI Logs: See HTTP Logs.
HTTP Logs: HTTP logs record information about the HTTP and/or secure HTTP services enabled on the interface. Because the graphical user interface (GUI) is accessed via HTTP, the HTTP logs are ostensibly the GUI equivalent of the CLI Audit logs. Session data (new session, session expired) and pages accessed in the GUI are recorded.

Table 38-1 Log Types (continued)

SMTP Conversation Logs: The SMTP conversation log records all parts of incoming and outgoing SMTP conversations.
Safe/Block Lists Logs: Safelist/blocklist logs record data about the safelist/blocklist settings and database.
Reporting Logs: Reporting logs record actions associated with the processes of the centralized reporting service.

Log Type Characteristics

Table 38-2 summarizes the different characteristics of each log type.

Table 38-2 Log Type Comparison (continued): the rows Safe/Block Lists Logs, Reporting Logs, Reporting Query Logs, Updater Logs, Tracking Logs, Authentication Logs, Configuration History Logs and API Logs are marked against the columns Configuration Information, Delivery SMTP Conversation, Header Logging, Injection SMTP Conversation, Individual Soft Bounces, Individual Hard Bounces, Delivery Information, Message Receiving Information and Periodic Status Information Recorded (matrix of marks not reproduced).

Table 38-3 Log Transfer Protocols

Manually Download: This method lets you access log files at any time by clicking a link to the log directory on the Log Subscriptions page, then clicking the log file to access. Depending on your browser, you can view the file in a browser window, or open or save it as a text file. This method uses the HTTP(S) protocol and is the default retrieval method.
Logs Enabled by Default

Your Email Security appliance is pre-configured with many log subscriptions enabled by default (other logs may be configured depending on which license keys you have applied). By default, the retrieval method is “Manually Download.” All pre-configured log subscriptions have a Log Level of 3, except for error_logs, which is set at 1 so that it will contain only errors. See Log Levels, page 38-39 for more information.

• Anti-Virus log
• LDAP log
• System log
• Mail log

Using Text Mail Logs

Text mail logs contain details of email receiving, email delivery and bounces. Status information is also written to the mail log every minute. These logs are a useful source of information to understand delivery of specific messages and to analyze system performance. These logs do not require any special configuration.

Table 38-5 Text Mail Log Detail (continued)

5. Mon Apr 17 19:59:52 2003 Info: MID 6 ready 100 bytes from
6. Mon Apr 17 19:59:59 2003 Info: ICID 5 close
7. Mon Mar 31 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.

Wed Jun 16 21:42:36 2004 Info: MID 200257070 ICID 282204970 RID 0 To:
Wed Jun 16 21:42:38 2004 Info: MID 200257070 Message-ID '<37gva9$5uvbhe@mail.example.com>'
Wed Jun 16 21:42:38 2004 Info: MID 200257070 Subject 'Hello'
Wed Jun 16 21:42:38 2004 Info: MID 200257070 ready 24663 bytes from

Mon Mar 31 20:00:27 2003 Info: Bounced: DCID 3 MID 4 to RID 1 - 5.1.0 - Unknown address error ('550', ['... Relaying denied']) []
Mon Mar 31 20:00:32 2003 Info: DCID 3 close

Soft Bounce Followed by Successful Delivery

A message is injected into the Email Security appliance. On the first delivery attempt, the message soft bounces and is queued for future delivery. On the second attempt, the message is successfully delivered.

Tue Aug 3 16:36:29 2004 Info: Message aborted MID 256 Dropped by antivirus
Tue Aug 3 16:36:29 2004 Info: Message finished MID 256 done

The following example shows the Text Mail log with scanconfig set to drop.

Tue Aug 3 16:38:53 2004 Info: Start MID 257 ICID 44785
Tue Aug 3 16:38:53 2004 Info: MID 257 ICID 44785 From: test@virus.org
Tue Aug 3 16:38:53 2004 Info: MID 257 ICID 44785 RID 0 To:
Tue Aug 3 16:38:53 2004 Info: MID 257 Message-ID '<392912.@virus.
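The Text Mail Log entries above are only useful once the MID, ICID, DCID and RID lines are stitched back together per message. The following is an added example, not code from the Cisco guide or from AsyncOS, that correlates such lines by MID and reports each message's disposition (antivirus drop, per-recipient delivery or hard bounce). The sample log is constructed to follow the line formats shown in this chapter; the "Delivered:" line format, the sender and recipient addresses and the antivirus verdict string are assumptions.

```python
import re

# Constructed sample log, modeled on the Text Mail Log lines shown in this
# chapter (Start MID/ICID, From/To with RID, ready, antivirus drop, Bounced:,
# DCID close, Message finished). Addresses, verdict and the "Delivered:" line
# are assumed formats, not copied from the page.
SAMPLE_LOG = """\
Tue Aug 3 16:38:53 2004 Info: Start MID 257 ICID 44785
Tue Aug 3 16:38:53 2004 Info: MID 257 ICID 44785 From: <test@virus.org>
Tue Aug 3 16:38:53 2004 Info: MID 257 ICID 44785 RID 0 To: <joe@example.com>
Tue Aug 3 16:38:53 2004 Info: MID 257 Subject 'Invoice'
Tue Aug 3 16:38:53 2004 Info: MID 257 ready 1225 bytes from <test@virus.org>
Tue Aug 3 16:38:54 2004 Info: MID 257 antivirus positive 'EICAR-AV-Test'
Tue Aug 3 16:38:54 2004 Info: Message aborted MID 257 Dropped by antivirus
Tue Aug 3 16:38:54 2004 Info: Message finished MID 257 done
Mon Mar 31 20:00:21 2003 Info: Start MID 4 ICID 3
Mon Mar 31 20:00:21 2003 Info: MID 4 ICID 3 From: <sender@example.com>
Mon Mar 31 20:00:21 2003 Info: MID 4 ICID 3 RID 0 To: <good@example.net>
Mon Mar 31 20:00:21 2003 Info: MID 4 ICID 3 RID 1 To: <bad@example.net>
Mon Mar 31 20:00:22 2003 Info: MID 4 ready 100 bytes from <sender@example.com>
Mon Mar 31 20:00:27 2003 Info: Delivered: DCID 3 MID 4 to RID 0
Mon Mar 31 20:00:27 2003 Info: Bounced: DCID 3 MID 4 to RID 1 - 5.1.0 - Unknown address error ('550', ['... Relaying denied']) []
Mon Mar 31 20:00:32 2003 Info: DCID 3 close
Mon Mar 31 20:00:32 2003 Info: Message finished MID 4 done
"""

# "Day Mon D HH:MM:SS YYYY Level: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$")

# Message-body patterns; the first that matches wins.
PATTERNS = [
    ("start",     re.compile(r"^Start MID (?P<mid>\d+) ICID (?P<icid>\d+)$")),
    ("from",      re.compile(r"^MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<addr>[^>]*)>$")),
    ("rcpt",      re.compile(r"^MID (?P<mid>\d+) ICID (?P<icid>\d+) RID (?P<rid>\d+) To: <(?P<addr>[^>]*)>$")),
    ("subject",   re.compile(r"^MID (?P<mid>\d+) Subject '(?P<subject>.*)'$")),
    ("ready",     re.compile(r"^MID (?P<mid>\d+) ready (?P<size>\d+) bytes")),
    ("av",        re.compile(r"^MID (?P<mid>\d+) antivirus positive '(?P<verdict>.*)'$")),
    ("aborted",   re.compile(r"^Message aborted MID (?P<mid>\d+) (?P<reason>.*)$")),
    ("delivered", re.compile(r"^Delivered: DCID (?P<dcid>\d+) MID (?P<mid>\d+) to RID (?P<rid>\d+)$")),
    ("bounced",   re.compile(r"^Bounced: DCID (?P<dcid>\d+) MID (?P<mid>\d+) to RID (?P<rid>\d+) - (?P<code>\S+) - (?P<detail>.*)$")),
    ("finished",  re.compile(r"^Message finished MID (?P<mid>\d+) done$")),
]

def new_record(mid):
    return {"mid": mid, "icid": None, "from": None, "subject": None, "size": None,
            "av_verdict": None, "aborted": None, "finished": False, "recipients": {}}

def new_recipient(addr=None):
    return {"to": addr, "status": "pending", "dcid": None, "detail": None}

def summarize(log_text):
    """Correlate Text Mail Log lines by MID; return {mid: record}."""
    records = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a mail-log line (or truncated)
        msg = m.group("msg")
        for kind, pat in PATTERNS:
            f = pat.match(msg)
            if not f:
                continue
            d = f.groupdict()
            rec = records.setdefault(int(d["mid"]), new_record(int(d["mid"])))
            if kind == "start":
                rec["icid"] = int(d["icid"])
            elif kind == "from":
                rec["from"] = d["addr"]
            elif kind == "rcpt":
                rec["recipients"][int(d["rid"])] = new_recipient(d["addr"])
            elif kind == "subject":
                rec["subject"] = d["subject"]
            elif kind == "ready":
                rec["size"] = int(d["size"])
            elif kind == "av":
                rec["av_verdict"] = d["verdict"]
            elif kind == "aborted":
                rec["aborted"] = d["reason"]
            elif kind in ("delivered", "bounced"):
                r = rec["recipients"].setdefault(int(d["rid"]), new_recipient())
                r["status"], r["dcid"] = kind, int(d["dcid"])
                if kind == "bounced":       # keep the RFC 1893 code and SMTP reply
                    r["detail"] = d["code"] + " - " + d["detail"]
            elif kind == "finished":
                rec["finished"] = True
            break
    return records

def disposition(rec):
    """One-line summary of what happened to a message."""
    if rec["aborted"]:
        extra = f" ({rec['av_verdict']})" if rec["av_verdict"] else ""
        return f"MID {rec['mid']}: aborted, {rec['aborted']}{extra}"
    parts = [f"RID {rid} {r['status']}" for rid, r in sorted(rec["recipients"].items())]
    return f"MID {rec['mid']}: " + ", ".join(parts)

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG).values():
        print(disposition(rec))
```

Lines that match no pattern (for example "DCID 3 close") are skipped rather than rejected, so the same summarizer can be run over a full mail log where most lines are connection noise; truncated lines like the ones in the excerpt above are ignored the same way.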
Sat Apr 23 05:05:42 2011 Info: MID 44 interim verdict using engine: CASE spam negative
Sat Apr 23 05:05:42 2011 Info: MID 44 using engine: CASE spam negative
Sat Apr 23 05:05:43 2011 Info: MID 44 attachment 'Banner.gif'
Sat Apr 23 05:05:43 2011 Info: MID 44 attachment '=D1=82=D0=B5=D1=81=D1=82.rst'
Sat Apr 23 05:05:43 2011 Info: MID 44 attachment 'Test=20Attachment.

Wed Feb 14 12:11:40 2007 Info: MID 2317877 Subject 'Envision your dream home - Now make it a reality'
Wed Feb 14 12:11:40 2007 Info: MID 2317877 ready 15731 bytes from

Table 38-7 Delivery Log Statistics (continued)

Code: SMTP response code from recipient host
Reply: SMTP response message from recipient host
Rcpt Rid: Recipient ID

Successful Message Delivery
Delivery Status Bounce

Table 38-10 Bounce Log Statistics (continued)

To: Envelope To
Reason: RFC 1893 Enhanced Mail Status Code interpretation of the SMTP response during the delivery
Response: SMTP response code and message from recipient host

In addition, if you have specified message size to log or setup logheaders (see Logging Message Headers, page 38-42), the message and header information will appear after the bounce information:

Table 38-11 Bounce Log Header Inf

Examples of Bounce Log Entries

Soft-Bounced Recipient (Bounce Type = Delayed)

Thu Dec 26 18:37:00 2003 Info: Delayed: 44451135:0 From: To: Reason: "4.1.0 - Unknown address error" Response: "('451', [' Automated block triggered by suspicious activity from your IP address (10.1.1.1). Have your system administrator send e-mail to postmaster@sampledomain.

Reading Status Logs

Table 38-12 shows the status log labels and the matching system statistics.

Table 38-12 Status Log Statistics (continued)

CchEct: Cache Exceptions
CchExp: Cache Expired
CPUTTm: Total CPU time used by the application
CPUETm: Elapsed time since the application started
MaxIO: Maximum disk I/O operations per second for the mail process
RamUsd: Allocated memory in bytes
SwIn: Memory swapped in
SwOut: Memory swapped out
SwPgIn: Memory paged in
SwPgOut: Memory paged out

Status Log Example

Fri Feb 24 15:14:39 2006 Info: Status: CPULd 0 DskIO 0 RAMUtil 2 QKUsd 0 QKFre 8388608 CrtMID 19036 CrtICID 35284 CrtDCID 4861 InjMsg 13889 InjRcp 14230 GenBncRcp 12 RejRcp 6318 DrpMsg 7437 SftBncEvnt 1816 CmpRcp 6813 HrdBncRcp 18 DnsHrdBnc 2 5XXHrdBnc 15 FltrHrdBnc 0 ExpHrdBnc 1 OtrHrdBnc 0 DlvRcp 6793 DelRcp 2 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 143736 NetReq 224227 CchHit 469058 CchMis 504791 CchEct 15395 CchExp 55
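The status line is written to the mail log every minute, which makes it the natural input for a health check. The following is an added example, not part of the Cisco guide or of AsyncOS, that parses the status line into named counters and applies two sanity checks a practitioner would want: that the hard-bounce breakdown (DnsHrdBnc, 5XXHrdBnc, FltrHrdBnc, ExpHrdBnc, OtrHrdBnc) sums to HrdBncRcp, and a cache hit ratio from CchHit and CchMis. The sample is the status line above, cut off after CchExp 55 as it is on the page; the interpretation of QKUsd and QKFre as queue kilobytes used and free, and the alert thresholds, are assumptions.

```python
# Status line taken from the Status Log Example above (it ends at "CchExp 55"
# on the page, so the sample does too).
SAMPLE_STATUS = (
    "Fri Feb 24 15:14:39 2006 Info: Status: CPULd 0 DskIO 0 RAMUtil 2 QKUsd 0 "
    "QKFre 8388608 CrtMID 19036 CrtICID 35284 CrtDCID 4861 InjMsg 13889 InjRcp 14230 "
    "GenBncRcp 12 RejRcp 6318 DrpMsg 7437 SftBncEvnt 1816 CmpRcp 6813 HrdBncRcp 18 "
    "DnsHrdBnc 2 5XXHrdBnc 15 FltrHrdBnc 0 ExpHrdBnc 1 OtrHrdBnc 0 DlvRcp 6793 DelRcp 2 "
    "GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 143736 "
    "NetReq 224227 CchHit 469058 CchMis 504791 CchEct 15395 CchExp 55"
)

MARKER = " Info: Status: "

# Per-cause hard bounce counters that should add up to HrdBncRcp.
HARD_BOUNCE_PARTS = ("DnsHrdBnc", "5XXHrdBnc", "FltrHrdBnc", "ExpHrdBnc", "OtrHrdBnc")

def parse_status_line(line):
    """Split 'timestamp Info: Status: label value label value ...' into
    (timestamp, {label: int}). Labels may start with a digit (5XXHrdBnc),
    so the body is tokenised pairwise rather than matched with \\w+."""
    if MARKER not in line:
        raise ValueError("not a status line")
    ts, body = line.split(MARKER, 1)
    tokens = body.split()
    if len(tokens) % 2:
        raise ValueError("dangling label without a value: %r" % tokens[-1])
    stats = {tokens[i]: int(tokens[i + 1]) for i in range(0, len(tokens), 2)}
    return ts, stats

def hard_bounce_breakdown_ok(stats):
    """True when the per-cause hard bounce counters sum to HrdBncRcp."""
    return sum(stats.get(k, 0) for k in HARD_BOUNCE_PARTS) == stats.get("HrdBncRcp", 0)

def cache_hit_ratio(stats):
    """DNS cache hits as a fraction of all lookups (0.0 when no lookups yet)."""
    total = stats["CchHit"] + stats["CchMis"]
    return stats["CchHit"] / total if total else 0.0

def queue_utilization(stats):
    """Assumed: QKUsd/QKFre are queue kilobytes used/free (not shown in the excerpt)."""
    total = stats["QKUsd"] + stats["QKFre"]
    return stats["QKUsd"] / total if total else 0.0

def health_flags(stats, ram_limit=90, queue_limit=0.8):
    """Names of the checks that fail; the thresholds are constructed examples."""
    flags = []
    if stats.get("RAMUtil", 0) > ram_limit:
        flags.append("ram")
    if queue_utilization(stats) > queue_limit:
        flags.append("queue")
    if not hard_bounce_breakdown_ok(stats):
        flags.append("bounce-counters")
    return flags

if __name__ == "__main__":
    ts, stats = parse_status_line(SAMPLE_STATUS)
    print(ts, "flags:", health_flags(stats), "cache hit ratio: %.3f" % cache_hit_ratio(stats))
```

A line cut off mid-pair (as the page's example would be if it ended one token later) raises rather than silently producing a wrong counter, which is the right failure mode for monitoring input.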
Domain Debug Log Example

Sat Dec 21 02:37:22 2003 Info: 102503993 Sent: 'MAIL FROM:'
Sat Dec 21 02:37:23 2003 Info: 102503993 Rcvd: '250 OK'
Sat Dec 21 02:37:23 2003 Info: 102503993 Sent: 'RCPT TO:'
Sat Dec 21 02:37:23 2003 Info: 102503993 Rcvd: '250 OK'
Sat Dec 21 02:37:23 2003 Info: 102503993 Sent: 'DATA'
Sat Dec 21 02:37:24 2003 Info: 102503993 Rcvd: '354 START MAIL INPUT, END WITH ".

Injection Debug Log Example

Wed Apr 2 14:30:04 2003 Info: 6216 Sent to '172.16.0.22': '220 postman.example.com ESMTP\015\012'
Wed Apr 2 14:30:04 2003 Info: 6216 Rcvd from '172.16.0.22': 'HELO mail.remotehost.com\015\012'
Wed Apr 2 14:30:04 2003 Info: 6216 Sent to '172.16.0.22': '250 postman.example.com\015\012'
Wed Apr 2 14:30:04 2003 Info: 6216 Rcvd from '172.16.0.22': 'MAIL FROM:\015\012'
Wed Apr 2 14:30:04 2003 Info: 6216 Sent to '172.16.0.

Wed Sep 8 18:02:45 2004 Info: Version: 4.0.

Using FTP Server Logs

Table 38-17 FTP Server Log Statistics

Timestamp: Time that the bytes were transmitted
ID: Connection ID. A separate ID for each FTP connection
Message: The message section of the log entry can be logfile status information, or FTP connection information (login, upload, download, logout, etc.)

FTP Server Log Example

In this example, the FTP Server log records a connection (ID:1).

Using HTTP Logs

Table 38-18 HTTP Log Statistics

Timestamp: Time that the bytes were transmitted
ID: Session ID
req: IP address of machine connecting
user: Username of user connecting
Message: Information regarding the actions performed. May include GET or POST commands or system status, etc.

HTTP Log Example

In this example, the HTTP log shows the admin user’s interaction with the GUI (running the System Setup Wizard, etc.).

Using NTP Logs

Table 38-19 NTP Log Statistics

Timestamp: Time that the bytes were transmitted
Message: The message consists of either a Simple Network Time Protocol (SNTP) query to the server, or an adjust: message

NTP Log Example

In this example, the NTP log shows the appliance polling the NTP host twice.

Thu Sep 9 07:36:39 2004 Info: sntp query host 10.1.1.

Using Anti-Spam Logs

Table 38-21 Anti-Spam Log Statistics

Timestamp: Time that the bytes were transmitted
Message: The message consists of the check for the anti-spam updates, as well as the results (whether an update of the engine or the anti-spam rules was needed, etc.

You can temporarily set this to DEBUG level to help diagnose why the anti-virus engine returns a particular verdict for a given message. The DEBUG logging information is verbose; use with caution.

Using Spam Quarantine Logs

Table 38-23 Spam Log Statistics

Timestamp: Time that the bytes were transmitted
Message: The message consists of actions taken (messages quarantined, released from quarantine, etc.).

Fri Aug 11 22:08:35 2006 Info: login:admin user:pqufOtL6vyI5StCqhCfO session:10.251.23.228
Fri Aug 11 22:08:44 2006 Info: Authentication OK, user admin

Using LDAP Debug Logs

Table 38-25 LDAP Debug Log Statistics

Timestamp: Time that the bytes were transmitted
Message: LDAP Debug message

LDAP Debug Log Example

Note: Individual lines in log files are NOT numbered. Use Table 38-26 as a guide to reading the preceding log file.

Table 38-26 Line Number Detail of LDAP Debug Log Example

1. The log file is initialized.
2. The listener is configured to use LDAP for masquerading, specifically with the LDAP query named “sun.masquerade.”
3.
4. The address employee@routing.qa is looked up in the LDAP server, a match is found, and the resulting masquerade address is employee@mail.

Safelist/Blocklist Log Example

In this example, the safelist/blocklist log shows the appliance creating database snapshots every two hours. It also shows when senders were added to the database.

Fri Sep 28 14:22:33 2007 Info: Begin Logfile
Fri Sep 28 14:22:33 2007 Info: Version: 6.0.0-425 SN: XXXXXXXXXXXX-XXX
Fri Sep 28 14:22:33 2007 Info: Time offset from UTC: 10800 seconds
Fri Sep 28 14:22:33 2007 Info: System is coming up.

Wed Oct 3 13:40:53 2007 Info: Period day using 2768 (KB)
Wed Oct 3 13:40:53 2007 Info: Period minute using 0 (KB)
Wed Oct 3 13:40:53 2007 Info: Period month using 1328 (KB)
Wed Oct 3 13:40:53 2007 Info: HELPER checkpointed in 0.00580507753533 seconds
Wed Oct 3 13:41:02 2007 Info: Update 2 registered appliance at 2007-10-03-13-41
Wed Oct 3 13:41:53 2007 Info: Pages found in cache: 1304704 (99%).

PIENTS_PROCESSED'] for rollup period "day" with interval range 2007-08-29 to 2007-10-01 with key constraints None sorting on ['MAIL_OUTGOING_TRAFFIC_SUMMARY.DETECTED_SPAM'] returning results from 0 to 2 sort_ascending=False.
Tue Oct 2 11:30:02 2007 Info: Query: Closing query handle 302610229.
Tue Oct 2 11:30:02 2007 Info: Query: Merge query with handle 302610230 for ['MAIL_OUTGOING_TRAFFIC_SUMMARY.TOTAL_HARD_BOUNCES', 'MAIL_OUTGOING_TRAFFIC_SUMMARY.

Fri Sep 19 11:07:52 2008 Info: Scheduled next update to occur at Fri Sep 19 11:12:52 2008
Fri Sep 19 11:08:12 2008 Info: mcafee started decrypting files
Fri Sep 19 11:08:12 2008 Info: mcafee decrypting file "mcafee/dat/5388" with method "des3_cbc"
Fri Sep 19 11:08:17 2008 Info: mcafee started decompressing files
Fri Sep 19 11:08:17 2008 Info: mcafee started applying files
Fri Sep 19 11:08:17 2008 Info: mcafee applying file "mcafee/dat/5388"
Fri Sep 19 11:08:18 2008 Info: mcaf

Using Authentication Logs

The authentication log records successful user logins and unsuccessful login attempts.

Table 38-31 Authentication Log Statistics

Timestamp: Time that the bytes were transmitted.
Message: The message consists of the username of a user who attempted to log in to the appliance and whether the user was authenticated successfully.
User: admin
Configuration are described as:
This table defines which local users are allowed to log into the system.
Product: Cisco IronPort M160 Messaging Gateway(tm) Appliance
Model Number: M160
Version: 6.7.

Configuring Log Subscriptions

Use the Log Subscriptions page on the System Administration menu (or the logconfig command in the CLI) to configure a log subscription. Log subscriptions create log files that store information about AsyncOS activity, including errors. A log subscription is either retrieved or delivered (pushed) to another computer.

Table 38-33 Log Levels (continued)

Debug: Use the Debug log level when you are trying to discover the cause of an error. Use this setting temporarily, and then return to the default level. This log level is equivalent to the syslog level “Debug.”
Trace: The Trace log level is recommended only for developers. Using this level causes a serious degradation of system performance and is not recommended.

• Whether to record the remote response status code.
• Whether to record the subject header of the original message.
• A list of headers that should be logged for each message.

All logs optionally include the following three pieces of data:

1. Message-ID: When this option is configured, every message will have its Message ID header logged, if it is available.

Logging Message Headers

In some cases, it is necessary to record the presence and contents of a message’s headers as they pass through the system. You specify the headers to record in the Log Subscriptions Global Settings page (or via the logconfig -> logheaders subcommand in the CLI). The Email Security appliance records the specified message headers in the Text Mail Logs, the Delivery Logs, and the Bounce Logs.

Rolling Over Log Subscriptions

To prevent log files on the appliance from becoming too large, AsyncOS performs a “rollover” and archives a log file when it reaches a user-specified maximum file size or time interval and creates a new file for incoming log data. Based on the retrieval method defined for the log subscription, the older log file is stored on the appliance for retrieval or delivered to an external computer.

• Weekly Rollover. AsyncOS performs a rollover on one or more days of the week at a specified time. For example, you can set up AsyncOS to roll over the log file every Wednesday and Friday at midnight. To configure a weekly rollover, choose the days of the week to perform the rollover and the time of day in the 24-hour format (HH:MM).

Rolling Over Log Subscriptions on Demand

To roll over log subscriptions immediately using the GUI:

Procedure

Step 1 On the System Administration > Log Subscriptions page, mark the checkbox to the right of the logs you wish to roll over.
Step 2 Optionally, you can select all logs for rollover by marking the All checkbox.
Step 3 Once one or more logs have been selected for rollover, the Rollover Now button is enabled.

1. "antispam" Type: "Anti-Spam Logs" Retrieval: Manual Download
2. "antivirus" Type: "Anti-Virus Logs" Retrieval: Manual Download
3. "asarchive" Type: "Anti-Spam Archive" Retrieval: Manual Download
4. "authentication" Type: "Authentication Logs" Retrieval: Manual Download
5. "avarchive" Type: "Anti-Virus Archive" Retrieval: Manual Download
6. "bounces" Type: "Bounce Logs" Retrieval: Manual Download
7. "cli_logs" Type: "CLI Audit Logs" Retrieval: Manual Download
8.

Mon Feb 21 12:25:10 2011 Info: PID 274: User system commit changes: Automated Update for Quarantine Delivery Host
Mon Feb 21 23:18:10 2011 Info: PID 19626: User admin commit changes:
Mon Feb 21 23:18:10 2011 Info: PID 274: User system commit changes: Updated filter logs config
Mon Feb 21 23:46:06 2011 Info: PID 25696: User admin commit changes: Receiving suspended.
^Cmail3.example.

[ list of logs ]
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> hostkeyconfig
Currently installed host keys:
1. mail3.example.com ssh-dss [ key displayed ]
Choose the operation you want to perform:
- NEW - Add a new key.
- EDIT - Modify a key.
- DELETE - Remove a key.

1. SSH1:rsa
2. SSH2:rsa
3. SSH2:dsa
4. All
[4]>
SSH2:dsa
mail3.example.com ssh-dss [ key displayed ]
SSH2:rsa
mail3.example.com ssh-rsa [ key displayed ]
SSH1:rsa
mail3.example.com 1024 35 [ key displayed ]
Add the preceding host key(s) for mail3.example.com? [Y]>
Currently installed host keys:
1. mail3.example.com ssh-dss [ key displayed ]
2. mail3.example.com ssh-rsa [ key displayed ]
3. mail3.example.

- SCAN - Automatically download a host key.
- PRINT - Display a key.
- HOST - Display system host keys.
- FINGERPRINT - Display system host key fingerprints.
- USER - Display system user keys.
[]>
Currently configured logs:
[ list of configured logs ]
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
Chapter 39 Centralized Management Using Clusters

• Overview of Centralized Management Using Clusters, page 39-1
• Cluster Requirements, page 39-2
• Cluster Organization, page 39-2
• Creating and Joining a Cluster, page 39-4
• Managing Clusters, page 39-10
• Administering a Cluster from the GUI, page 39-15
• Cluster Communication, page 39-18
• Loading a Configuration in Clustered Appliances, page 39-22
• Best Practices and Frequently Asked Questions, page 39-24

Overview of Centralize

Cluster Requirements

• Machines in a cluster must have resolvable hostnames in DNS. Alternatively, you can use IP addresses instead, but you may not mix the two. See DNS and Hostname Resolution, page 39-18. Cluster communication is normally initiated using the DNS hostnames of the machines.
• A cluster must consist entirely of machines running the same version of AsyncOS.

Cluster Organization

Figure 39-1 Cluster Level Hierarchy (diagram: Cluster Level “americas”; Group Level “usa” and “canada”; Machine Level newyork.example.com, losangeles.example.com and toronto.example.com)

Within each level there will be one or more specific members for which settings may be configured; these are referred to as modes. A mode refers to a named member at a specified level. For example, the group “usa” represents one of two group modes in the diagram.

Now, imagine that you create new LDAP query settings for the group. The result will be something like this:

Cluster (ldap queries: a, b, c)
Group (ldap queries: None)
Machine

The group-level settings now override the cluster-level setting; however, the new group settings are initially empty. The group mode does not actually have any LDAP queries of its own configured.
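The point of the LDAP example above is easy to get wrong in practice: a setting that is defined at a more specific level wins even when it is empty, so creating group settings silently hides the cluster's queries from every machine in that group. The following is an added model of that resolution order, not Cisco's code and not how AsyncOS stores its configuration internally; it uses the cluster, groups and machines from Figure 39-1 and treats "feature defined at a mode" as a dictionary key being present at that mode. The feature name ldap_queries and the query values are constructed.

```python
# Added example: resolution of a feature setting across cluster, group and
# machine modes. Levels are modelled as dictionaries; a feature is "defined"
# at a mode when its key is present there, whatever its value (an empty list
# still counts, which is exactly the empty group LDAP query case above).

class ClusterSettings:
    def __init__(self, cluster_name):
        self.cluster_name = cluster_name
        self.cluster = {}            # feature -> value defined at cluster level
        self.groups = {}             # group name -> {feature -> value}
        self.machines = {}           # hostname -> (group name, {feature -> value})

    def add_group(self, name):
        self.groups.setdefault(name, {})

    def add_machine(self, hostname, group):
        self.add_group(group)
        self.machines[hostname] = (group, {})

    def define(self, mode, feature, value):
        """mode is 'cluster', ('group', name) or ('machine', hostname)."""
        if mode == "cluster":
            self.cluster[feature] = value
        elif mode[0] == "group":
            self.groups[mode[1]][feature] = value
        elif mode[0] == "machine":
            self.machines[mode[1]][1][feature] = value
        else:
            raise ValueError("unknown mode %r" % (mode,))

    def effective(self, hostname, feature):
        """Most specific definition wins: machine, then its group, then cluster.
        Returns (value, mode it came from) or (None, None) if undefined anywhere."""
        group, machine_cfg = self.machines[hostname]
        if feature in machine_cfg:
            return machine_cfg[feature], ("machine", hostname)
        if feature in self.groups[group]:
            return self.groups[group][feature], ("group", group)
        if feature in self.cluster:
            return self.cluster[feature], "cluster"
        return None, None

    def defined_at(self, feature):
        """Modes where the feature is currently defined, cluster first; this is
        the list the GUI shows as 'Settings for this feature are currently defined at:'."""
        modes = ["cluster"] if feature in self.cluster else []
        modes += [("group", g) for g, cfg in self.groups.items() if feature in cfg]
        modes += [("machine", h) for h, (_, cfg) in self.machines.items() if feature in cfg]
        return modes

def build_example():
    """Cluster 'americas' from Figure 39-1 with LDAP queries a, b, c at cluster level."""
    c = ClusterSettings("americas")
    c.add_machine("newyork.example.com", "usa")
    c.add_machine("losangeles.example.com", "usa")
    c.add_machine("toronto.example.com", "canada")
    c.define("cluster", "ldap_queries", ["a", "b", "c"])
    return c

if __name__ == "__main__":
    c = build_example()
    print(c.effective("newyork.example.com", "ldap_queries"))   # inherited from cluster
    c.define(("group", "usa"), "ldap_queries", [])                # new, empty group settings
    print(c.effective("newyork.example.com", "ldap_queries"))   # now [] from group usa
    print(c.effective("toronto.example.com", "ldap_queries"))   # canada still inherits
```

Checking `defined_at` before and after creating group settings is the quickest way to see why a machine stopped honouring a cluster-wide setting: the override exists even though nothing was configured in it.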
Chapter 39 Centralized Management Using Clusters Creating and Joining a Cluster 2. Create a new cluster. 3. Join an existing cluster over SSH. 4. Join an existing cluster over CCS. [1]> 2 Enter the name of the new cluster. []> americas New cluster committed: Wed Jun 22 10:02:04 2005 PDT Creating a cluster takes effect immediately, there is no need to commit. Cluster americas Choose the operation you want to perform: - ADDGROUP - Add a cluster group.
Chapter 39 Centralized Management Using Clusters Creating and Joining a Cluster Joining an Existing Cluster From the host you want to add to the cluster, issue the clusterconfig command to join the existing cluster. You can choose to join the cluster over SSH or over CCS (cluster communication service).
Chapter 39 Centralized Management Using Clusters Creating and Joining a Cluster []> IP address is entered Enter the remote port to connect to. The must be the normal admin ssh port, not the CCS port. [22]> 22 Enter the admin password for the cluster.
Chapter 39 Centralized Management Using Clusters Creating and Joining a Cluster []> (Cluster americas)> Joining an Existing Cluster over CCS Use CCS instead of SSH if you cannot use SSH. The only advantage of CCS is that only cluster communication happens over that port (no user logins, SCP, etc). To add another machine to an existing cluster via CCS, use the prepjoin subcommand of clusterconfig to prepare the machine to be added to the cluster.
Chapter 39 Centralized Management Using Clusters Creating and Joining a Cluster []> new Enter the hostname of the system you want to add. []> losangeles.example.com Enter the serial number of the host mail3.example.com. []> unique serial number is added Enter the user key of the host losangeles.example.com. This can be obtained by typing "clusterconfig prepjoin print" in the CLI on mail3.example.com. Press enter on a blank line to finish.
Chapter 39 Centralized Management Using Clusters Managing Clusters - SETGROUP - Set the group that machines are a member of. - RENAMEGROUP - Rename a cluster group. - DELETEGROUP - Remove a cluster group. - REMOVEMACHINE - Remove a machine from the cluster. - SETNAME - Set the cluster name. - LIST - List the machines in the cluster. - LISTDETAIL - List the machines in the cluster with detail. - DISCONNECT - Temporarily detach machines from the cluster.
Chapter 39 Centralized Management Using Clusters Managing Clusters Use the clustermode command to switch between different modes. Table 39-1 Administering Clusters Command Example Description clustermode Prompt to switch cluster mode clustermode group northamerica Switch to group mode for the group “northamerica” clustermode machine losangeles.example.com Switch to machine mode for the machine “losangeles” The prompt in the CLI changes to indicate your current mode.
Chapter 39 Centralized Management Using Clusters Managing Clusters The following example shows the steps to change a listener setting on one machine and then publish the setting to the rest of the cluster when ready. Because listeners are normally configured at the cluster level, the example starts by pulling the configuration down to machine mode on one machine before making and testing the changes.
Chapter 39 Centralized Management Using Clusters Managing Clusters Note If you use the upgrade command before disconnecting the individual machine from the cluster, AsyncOS disconnects all the machines in the cluster. Cisco Systems recommends that you disconnect each machine from the cluster before upgrading it. Then, other machines can continue working as a cluster until each is disconnected and upgraded. Procedure Step 1 On a machine in the cluster, use the disconnect operation of clusterconfig.
Chapter 39 Centralized Management Using Clusters Managing Clusters The commit and clearchanges Commands commit The commit command commits all changes for all three levels of the cluster, regardless of which mode you are currently in. commitdetail The commitdetail command provides details about configuration changes as they are propagated to all machines within a cluster.
Chapter 39 Centralized Management Using Clusters Administering a Cluster from the GUI • In the CLI, use the clustermode command to switch modes. Table 39-2 Commands Restricted to Cluster Mode clusterconfig sshconfig clustercheck userconfig passwd If a you try to run one of these commands in group or machine mode, you will be given a warning message and the opportunity to switch to the appropriate mode. Note The passwd command is a special case because it needs to be usable by guest users.
Chapter 39 Centralized Management Using Clusters Administering a Cluster from the GUI The Incoming Mail Overview page is an example of a command that is restricted to the login host, because the Mail Flow Monitoring data you are viewing is stored on the local machine. To view the Incoming Mail Overview reports for another machine, you must log into the GUI for that machine. Note the URL in the browser’s address field when clustering has been enabled on an appliance.
Chapter 39 Centralized Management Using Clusters Administering a Cluster from the GUI Figure 39-3 Centralized Management Feature in the GUI: Create New Settings Alternatively, as shown in Figure 39-2, you can also navigate to modes where this configuration setting is already defined. The modes are listed in the lower half of the centralized management box, under “Settings for this feature are currently defined at:”. Only those modes where the settings are actually defined will be listed here.
Chapter 39 Centralized Management Using Clusters Cluster Communication Some pages within certain tabs are restricted to machine mode. However, unlike the Incoming Mail Overview page (which is restricted to the current login host), these pages can be used for any machine in the cluster. Figure 39-7 Centralized Management Feature: Machine Restricted Choose which machine to administer from the Change Mode menu. You will see a brief flashing of the text to remind you that you have changed modes.
Chapter 39 Centralized Management Using Clusters Cluster Communication Cluster Communication Security Cluster Communication Security (CCS) is a secure shell service similar to a regular SSH service. Cisco implemented CCS in response to concerns regarding using regular SSH for cluster communication. If regular SSH were used between two machines, the same port that carries cluster traffic would also accept regular logins (admin, and so on). Many administrators prefer not to open regular logins on their clustered machines, so CCS keeps cluster communication on its own service.
Chapter 39 Centralized Management Using Clusters Cluster Communication If all attempts to communicate with a particular machine fail, then the machine that has been trying to communicate will log a message saying that the remote host has disconnected. The system will send an alert to the administrator that the remote host went down. Even if a machine is down, the verification pings will continue to be sent.
Chapter 39 Centralized Management Using Clusters Cluster Communication 1. Force entire cluster to use test.example.com version. 2. Force entire cluster to use mail3.example.com version. 3. Ignore. [1]> If you choose not to discard your changes, they are still intact (but uncommitted). You can review your changes against the current settings and decide how to proceed. You can also use the clustercheck command at any time to verify that the cluster is operating correctly.
Chapter 39 Centralized Management Using Clusters Loading a Configuration in Clustered Appliances Restricted commands, on the other hand, are commands that only apply to a specific mode. For example, users cannot be configured for specific machines — there must be only one user set across the whole cluster. (Otherwise, it would be impossible to log in to remote machines with the same login.
Chapter 39 Centralized Management Using Clusters Loading a Configuration in Clustered Appliances • If an appliance in a cluster is down or needs to be retired and you want to load the configuration from this appliance to a new appliance that you plan to add to the cluster. • If you are adding more appliances to your cluster and you want to load the configuration from one of the existing appliances in the cluster to the newly added appliances.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions c. Choose the appliance configuration from the loaded configuration and the intended appliance in the cluster to which you want to load the configuration. Use the drop-down lists. d. Click OK. e. Click Continue. f. To load the appliance configuration to more appliances, repeat Step a through Step e. Step 4 Review the network settings of the clustered appliances, and commit your changes.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions
Good CM Design Practices
When you LIST your CM machines, you want to see something like this:
cluster = CompanyName
Group Main_Group:
Machine lab1.example.com (Serial #: XXXXXXXXXXXX-XXXXXXX)
Machine lab2.example.com (Serial #: XXXXXXXXXXXX-XXXXXXX)
Group Paris:
Machine lab3.example.com (Serial #: XXXXXXXXXXXX-XXXXXXX)
Machine lab4.example.com (Serial #: XXXXXXXXXXXX-XXXXXXX)
Group Rome:
Machine lab5.example.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions machine only-settings like IP address). The clusterconfig command cannot be used to join a remote machine to the cluster — you must use the CLI on the remote machine and run clusterconfig (“join an existing cluster”). In our example above we log in to lab1, run clusterconfig and create a cluster called CompanyName.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions Now you can edit the Paris group-level DNS settings, and other machines in the Paris group will inherit them. Non-Paris machines will inherit the cluster settings, unless they have machine-specific settings. Besides DNS settings, it is common to create group level settings for SMTPROUTES.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions A. When a machine joins a cluster, all of that machine's clusterable settings will be inherited from the cluster level. Upon joining a cluster, all locally configured non-network settings will be lost, overwritten with the settings of the cluster and any associated groups. (This includes the user/password table; passwords and users are shared within a cluster). Q.
Chapter 39 Centralized Management Using Clusters Best Practices and Frequently Asked Questions Q. I would like to reconfigure the IP address and hostname on one of my clustered appliances. If I do this, will I lose my GUI/CLI session before being able to run the reboot command? Follow these steps: a. Add the new IP address b. Move the listener onto the new address c. Leave the cluster d. Change the hostname e.
Chapter 39 Best Practices and Frequently Asked Questions Use the saveconfig command to keep records of settings.
CH A P T E R 40 Testing and Troubleshooting Note • Debugging Mail Flow Using Test Messages: Trace, page 40-1 • Using the Listener to Test the Appliance, page 40-12 • Troubleshooting the Network, page 40-16 • Troubleshooting the Listener, page 40-22 • Troubleshooting Email Delivery From the Appliance, page 40-23 • Troubleshooting Performance, page 40-26 • Responding to Alerts, page 40-27 • Troubleshooting Hardware Issues, page 40-27 • Remotely Resetting Appliance Power, page 40-27 • Wo
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace
The Trace page (and trace CLI command) prompts you for the input parameters listed in Table 40-1.
Table 40-1 Input for the Trace page
Value: Source IP address
Description: Type the IP address of the remote client to mimic the source of the remote domain. This can be an Internet Protocol version 4 (IPv4) or version 6 (IPv6) address.
Example: 203.45.98.109 or 2001:0db8:85a3::8a2e:0
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace After you have entered the values, click Start Trace. A summary of all features configured on the system affecting the message is printed. You can upload message bodies from your local file system. (In the CLI, you can test with message bodies you have uploaded to the /configuration directory. See FTP, SSH, and SCP Access for more information on placing files for import onto the Cisco appliance.)
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Masquerading If you specified that the Envelope Sender of a message should be transformed, the change is noted here. You enable masquerading for the Envelope Sender on private listeners using the listenerconfig -> edit -> masquerade -> config subcommands. For more information, see Configuring Routing and Delivery Features.
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Virtual Gateways The altsrchost command assigns messages to a specific interface, based on a match of the Envelope Sender’s full address, domain, or name, or IP address. If an Envelope Sender matches entries from the altsrchost command, that information is printed in this section.
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Work Queue Operations The following group of functions are performed on messages in the work queue. This occurs after the message has been accepted from the client, but before the message is enqueued for delivery on a destination queue. “Messages in Work Queue” is reported by the status and status detail commands.
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Anti-Spam This section notes messages that are not flagged to be processed by anti-spam scanning. If messages are to be processed by anti-spam scanning for the listener, the message is processed and the verdict returned is printed.
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Footer Stamping This section notes whether a footer text resource was appended to the message. The name of the text resource is displayed. See Message Disclaimer Stamping, page 21-2 in Text Resources.
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace Table 40-2 Viewing Output When Performing a Trace (continued) trace Command Section Output Delivery Operations The following sections note operations that occur when a message is delivered. The trace command prints “Message Enqueued for Delivery” before this section.
Chapter 40 Debugging Mail Flow Using Test Messages: Trace
GUI Example of the Trace Page
Figure 40-1 Input for the Trace Page
Chapter 40 Testing and Troubleshooting Debugging Mail Flow Using Test Messages: Trace
Figure 40-2 Output for the Trace Page (1 of 2)
Chapter 40 Testing and Troubleshooting Using the Listener to Test the Appliance Figure 40-3 Output for the Trace Page (2 of 2) Using the Listener to Test the Appliance “Black hole” listeners allow you to test your message generation systems and to also get a rough measure of receiving performance. Two types of black hole listeners are queueing and non-queueing. • The queueing listener saves the message to the queue, but then immediately deletes it.
Chapter 40 Testing and Troubleshooting Using the Listener to Test the Appliance
Figure 40-4 Black Hole Listener for an Enterprise Gateway (diagram: IronPort Email Security Appliance, Firewall, SMTP, Groupware Server (Exchange™, Domino™, Groupwise™), Groupware Client)
In the following example, the listenerconfig command is used to create a black hole queueing listener named BlackHole_1 on the Management interface.
Chapter 40 Testing and Troubleshooting Using the Listener to Test the Appliance
- SETUP - Change global settings.
[]> new
Please select the type of listener you want to create.
1. Private
2. Public
3. Blackhole
[2]> 3
Do you want messages to be queued onto disk?
[N]> y
Please create a name for this listener (Ex: "OutboundMail"):
[]> BlackHole_1
Please choose an IP interface for this Listener.
1. Management (192.168.42.42/24: mail3.example.com)
2. PrivateNet (192.168.1.1/24: mail3.example.com)
3.
Chapter 40 Testing and Troubleshooting Using the Listener to Test the Appliance
Hostnames such as "example.com" are allowed.
Partial hostnames such as ".example.com" are allowed.
IP addresses, IP address ranges, and partial IP addresses are allowed.
Separate multiple entries with commas.
[]> yoursystem.example.com, 10.1.2.29, badmail.tst, .tst
Do you want to enable rate limiting per host? (Rate limiting defines the maximum number of recipients per hour you are willing to receive from a remote domain.
Chapter 40 Testing and Troubleshooting Troubleshooting the Network
Currently configured listeners:
1. BlackHole_1 (on Management, 192.168.42.42) SMTP Port 25 Black Hole Queuing
2. InboundMail (on PublicNet, 192.168.2.1) SMTP Port 25 Public
3. OutboundMail (on PrivateNet, 192.168.1.1) SMTP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
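The black hole listener above exists so that you can point a message generation system at the appliance and measure how fast the listener accepts mail. The following client is an added example, not code from the AsyncOS guide and not an AsyncOS API: it is a plain standard-library SMTP sender that injects numbered test messages over one session and reports the acceptance rate. The listener address (192.168.42.42:25, the BlackHole_1 listener from the walkthrough), the sender and recipient addresses, and the assumption that the sending host is allowed by the listener's HAT are all this example's own.

```python
"""Rough receiving-throughput test against a black hole listener.

Added example; not from the AsyncOS guide. It assumes a black hole listener
such as BlackHole_1 on 192.168.42.42:25 and that the sending host is permitted
by the listener's HAT. Nothing here is an AsyncOS API; it is a plain SMTP
client built on the Python standard library.
"""
import smtplib
import time
from email.message import EmailMessage

# Constructed sample values (assumptions for this example).
LISTENER_HOST = "192.168.42.42"
LISTENER_PORT = 25
SENDER = "loadtest@example.com"
RECIPIENT = "sink@blackhole.example.com"


def build_test_message(seq, sender=SENDER, recipient=RECIPIENT, body_bytes=4096):
    """Build one test message with a sequence number and a predictable body size.

    The sequence number in the subject lets you correlate what the client sent
    with what `status detail` (or a trace) shows on the appliance.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"blackhole-test {seq:06d}"
    msg["X-Load-Test"] = "true"
    msg.set_content("x" * body_bytes)
    return msg


def measure_throughput(count, host=LISTENER_HOST, port=LISTENER_PORT, timeout=10.0):
    """Send `count` messages over one SMTP session and return a result dict.

    Returns accepted/rejected counts and messages per second. A queueing
    black hole listener writes each message to disk before discarding it, so
    the rate measured here is a rough measure of listener acceptance, not of
    end-to-end delivery.
    """
    accepted = rejected = 0
    start = time.monotonic()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        for seq in range(count):
            msg = build_test_message(seq)
            try:
                smtp.send_message(msg)
                accepted += 1
            except (smtplib.SMTPRecipientsRefused, smtplib.SMTPResponseException):
                # 4xx/5xx on MAIL, RCPT or DATA: count it and keep the session open.
                rejected += 1
    elapsed = time.monotonic() - start
    return {
        "accepted": accepted,
        "rejected": rejected,
        "seconds": round(elapsed, 3),
        "msgs_per_second": round(accepted / elapsed, 1) if elapsed > 0 else 0.0,
    }


if __name__ == "__main__":
    print(measure_throughput(100))
```

Run it from a host the listener's HAT accepts; compare the reported rate with the "Messages in Work Queue" figure from status detail to see whether the listener or the work queue is the bottleneck. Keep the recipient domain something that only the black hole listener will ever accept, so a mistyped listener address cannot turn a load test into real outbound mail.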
Chapter 40 Testing and Troubleshooting Troubleshooting the Network
AsyncOS x.x for Cisco
Welcome to the Cisco Messaging Gateway Appliance(tm)
Step 2 Use the status or status detail commands.
mail3.example.com> status
or
mail3.example.com> status detail
The status command returns a subset of the monitored information about email operations. The statistics returned are grouped into two categories: counters and gauges.
Chapter 40 Testing and Troubleshooting Troubleshooting the Network Troubleshooting After you have confirmed that the appliance is active on the network, use the following commands to pinpoint any network problems.
Chapter 40 Testing and Troubleshooting Troubleshooting the Network
64 bytes from 10.19.0.31: icmp_seq=9 ttl=64 time=0.133 ms
64 bytes from 10.19.0.31: icmp_seq=10 ttl=64 time=0.115 ms
^C
--- anotherhost.example.com ping statistics ---
11 packets transmitted, 11 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.115/0.242/1.421/0.373 ms
Note You must use Control-C to end the ping command.
Chapter 40 Testing and Troubleshooting Troubleshooting the Network
• Use the nslookup command to check the DNS functionality. The nslookup command can confirm that the appliance is able to reach and resolve hostnames and IP addresses from a working DNS (domain name service) server.
mail3.example.com> nslookup
Please enter the host or IP to resolve.
[]> example.com
Choose the query type:
1. A
2. CNAME
3. MX
4. NS
5. PTR
6. SOA
7. TXT
[1]>
A=192.0.34.
Chapter 40 Testing and Troubleshooting Troubleshooting the Network
The tophosts command returns a list of the top 20 recipient hosts in queue. This command can help you determine if network connectivity problems are isolated to a single host or group of hosts to which you are attempting to send email. (For more information, see “Determining the Make-up of the Mail Queue” on page 49.)
mail3.example.com> tophosts
Sort results by:
1. Active Recipients
2. Connections Out
3. Delivered Recipients
4.
Chapter 40 Testing and Troubleshooting Troubleshooting the Listener
• Check firewall permissions. The appliance may need all of the following ports to be opened in order to function properly: ports 20, 21, 22, 23, 25, 53, 80, 123, 443, and 628. (See Firewall Information.) Open only the ports for services you actually use: FTP (20, 21) and telnet (23) carry credentials in cleartext and should stay closed unless that service is enabled on the appliance.
• Send email from the appliance on your network to dnscheck@ironport.com. Send an email from within your network to dnscheck@ironport.com to perform basic DNS checks on your system.
Chapter 40 Testing and Troubleshooting Troubleshooting Email Delivery From the Appliance
2. Management (192.168.42.42/24: mail3.example.com)
3. PrivateNet (192.168.1.1/24: mail3.example.com)
4. PublicNet (192.168.2.1/24: mail3.example.com)
[1]> 3
Enter the remote hostname or IP.
[]> 193.168.1.1
Enter the remote port.
[25]> 25
Trying 193.168.1.1...
Connected to 193.168.1.1.
Escape character is '^]'.
Chapter 40 Testing and Troubleshooting Troubleshooting Email Delivery From the Appliance When you sort by Connections Out, does any one domain reach the maximum connections specified for a listener? The default maximum number of connections for a listener is 600. The default maximum system-wide number of connections is 10,000 (set by the deliveryconfig command).
Chapter 40 Testing and Troubleshooting Troubleshooting Email Delivery From the Appliance
Enter the remote hostname or IP.
[]> problemdomain.net
Enter the remote port.
[25]> 25
• You can use the tlsverify command to establish an outbound TLS connection on demand and debug any TLS connection issues concerning a destination domain. To create the connection, specify the domain to verify against and the destination host. AsyncOS checks the TLS connection based on the Required (Verify) TLS setting.
mail3.
Chapter 40 Testing and Troubleshooting Troubleshooting Performance
TLS successfully connected to mxe.example.com.
TLS verification completed.
Troubleshooting Performance
If you suspect that there are performance problems with the appliance, use the following strategies:
• Use the rate and hostrate commands to check the current system activity. The rate command returns real-time monitoring information about email operations.
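The tlsverify check described above tests the destination against the Required (Verify) setting, which is the one that actually authenticates the remote MX; plain Required only insists that some TLS session is negotiated. The following script is an added example, not part of the guide and not an AsyncOS API: it builds the two policies as Python ssl contexts so the difference is explicit, then performs the same kind of on-demand STARTTLS check against a destination host. The host and domain names are placeholders, and the labels REQUIRED and REQUIRED_VERIFY are the example's own.

```python
"""Outbound TLS check for a destination domain, modelled on tlsverify.

Added example; not part of the AsyncOS guide and not an AsyncOS API. It
assumes the destination host offers STARTTLS on port 25 and that the names
used here (mxe.example.com, example.com) are placeholders.
"""
import smtplib
import ssl

# Labels for the two outbound TLS settings the text distinguishes. They are
# this example's own names, mirroring "Required" and "Required (Verify)".
REQUIRED = "Required"
REQUIRED_VERIFY = "Required (Verify)"


def tls_context(mode, cafile=None):
    """Return an SSLContext matching the delivery TLS mode.

    REQUIRED only insists that TLS is negotiated; it accepts any certificate,
    so it defeats passive eavesdropping but not an attacker who answers for
    the MX with his own certificate. REQUIRED_VERIFY also checks the chain
    and the hostname, which is what tlsverify exercises before you enforce
    it for a partner domain.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if mode == REQUIRED:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE     # weak: any certificate accepted
    elif mode == REQUIRED_VERIFY:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError(f"unknown TLS mode: {mode!r}")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verify_destination(domain, host, mode=REQUIRED_VERIFY, port=25, timeout=15.0):
    """Open an SMTP session to `host`, negotiate STARTTLS and report the result.

    `domain` is the destination domain whose delivery policy is under test;
    `host` is the MX to reach (tlsverify takes both as well). Verification
    failures are returned in the dict rather than raised, so a caller can
    print a verdict the way tlsverify does.
    """
    ctx = tls_context(mode)
    result = {"domain": domain, "host": host, "mode": mode, "tls": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=ctx)   # hostname check uses `host`
            smtp.ehlo()
            sock = smtp.sock
            result["tls"] = True
            result["protocol"] = sock.version()
            result["cipher"] = sock.cipher()[0]
            peer = sock.getpeercert() or {}   # empty when CERT_NONE
            result["peer_subject"] = dict(rdn[0] for rdn in peer.get("subject", ()))
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(verify_destination("example.com", "mxe.example.com"))
```

If the REQUIRED_VERIFY run fails but a REQUIRED run against the same host succeeds, the problem is the certificate (wrong name, expired, untrusted issuer), not the TLS handshake itself; that is the distinction tlsverify's output is telling you about.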
Chapter 40 Testing and Troubleshooting Responding to Alerts
– redirectrecipients
– suspenddel / resumedel
– suspendlistener / resumelistener
Use the tophosts command to check the number of soft and hard bounces. Sort by “Soft Bounced Events” (option 4) or “Hard Bounced Recipients” (option 5). If the performance for a particular domain is problematic, use the commands above to manage the delivery to that domain.
Chapter 40 Testing and Troubleshooting Working with Technical Support Restrictions • Remote power management is available only on certain hardware. For specifics, see Enabling Remote Power Management, page 33-29. • If you want to be able to use this feature, you must enable it in advance, before you need to use it. For details, see Enabling Remote Power Management, page 33-29.
Chapter 40 Testing and Troubleshooting Working with Technical Support Opening or Updating a Support Case From the Appliance Before You Begin • If your issue is urgent, do not use this method. Instead, contact support using one of the other methods listed in Cisco Customer Support, page 1-3. Use the following procedure only for issues such as a request for information or a problem for which you have a workaround, but would like an alternate solution.
Chapter 40 Testing and Troubleshooting Working with Technical Support • Checking the Status of the Support Connection, page 40-31 Enabling Remote Access to Appliances With an Internet Connection Support accesses the appliance through an SSH tunnel that this procedure creates between the appliance and the upgrades.ironport.com server. Treat this tunnel as a remote shell into your mail gateway: open it only for the duration of the case and confirm afterward that it is closed (see Checking the Status of the Support Connection, page 40-31). Before You Begin Identify a port that can be reached from the internet.
Chapter 40 Testing and Troubleshooting Working with Technical Support Procedure Step 1 From the command-line interface of the appliance requiring support, enter the techsupport command. Step 2 Enter sshaccess. Step 3 Follow the prompts.
Chapter 40 Testing and Troubleshooting Working with Technical Support Step 2 Enter status. Running a Packet Capture Packet Capture allows support personnel to see the TCP/IP data and other packets going into and out of the appliance. This allows Support to debug the network setup and to discover what network traffic is reaching the appliance or leaving the appliance. Procedure Step 1 Choose Help and Support > Packet Capture. Step 2 Specify packet capture settings: a.
Chapter 40 Testing and Troubleshooting Working with Technical Support • Use FTP or SCP to access the file in the captures subdirectory on the appliance. What To Do Next Make the file available to Support: • If you allow remote access to your appliance, technicians can access the packet capture files using FTP or SCP. See Enabling Remote Access for Cisco Technical Support Personnel, page 40-29. • Email the file to Support.
CH A P T E R 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode • Feature Summary: D-Mode for Optimized Outbound Delivery, page 41-1 • Setting Up the Appliance for Optimized Outbound Mail Delivery, page 41-3 • Sending Bulk Mail Using IronPort Mail Merge (IPMM), page 41-4 Feature Summary: D-Mode for Optimized Outbound Delivery D-Mode is a feature key-enabled feature that optimizes certain Email Security appliances for outbound email delivery.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Feature Summary: D-Mode for Optimized Outbound Delivery Standard Features Disabled in D-Mode-Enabled Appliances • IronPort anti-spam scanning and on or off box spam quarantining — Because anti-spam scanning pertains mostly to incoming mail, the IronPort Anti-Spam scanning engine is disabled. The Anti-Spam chapter is, therefore, not applicable.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Setting Up the Appliance for Optimized Outbound Mail Delivery Table 41-1 AsyncOS Features Included in D-Mode Enabled Appliances (continued) Feature More Information VLAN, NIC-pairing See Chapter 37, “Advanced Network Configuration.” Optional Anti-virus engine You can add optional anti-virus scanning to ensure the integrity of your outbound messages. See Anti-Virus Scanning Overview, page 12-1.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM)
Example of Enabling Resource-Conserving Bounce Settings
mail3.example.com> bounceconfig
Choose the operation you want to perform:
- NEW - Create a new profile.
- EDIT - Modify a profile.
- DELETE - Remove a profile.
- SETUP - Configure global bounce settings.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM) Benefits of the Mail Merge Function • Ease of use for the mail administrator. The complexities of creating personalized messages for each recipient are removed, as IPMM provides variable substitution and an abstracted interface in many common languages. • Reduced load on message generation systems.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM) Variable Substitution Any part of the message body, including message headers, can contain variables for substitution. Variables can appear in HTML messages, as well. Variables are user-defined and must begin with the ampersand (&) character and end with the semi-colon character (;). Variable names beginning with an asterisk (*) are reserved and cannot be used.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM) • Name-value pairs for the variable substitution Part Assembly Where SMTP uses a single DATA command for each message body, IPMM uses one or many XPRT commands to comprise a message. Parts are assembled based upon the order specified per-recipient. Each recipient can receive any or all of the message parts. Parts can be assembled in any order.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM) Command Descriptions When a client injects IPMM messages to the listener, it uses extended SMTP with the following key commands. XMRG FROM Syntax: XMRG FROM: This command replaces the SMTP MAIL FROM: command and indicates that what follows is an IPMM message. An IPMM job is initiated with the XMRG FROM: command.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM) • You can escape special characters using the forward slash “/” character when defining variable key-value pairs. This is useful if your message body contains HTML character entities that might be mistakenly replaced with variable definitions. (For example, the character entity &trade; defines the HTML character entity for a trademark character.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM)
RCPT TO:
250 recipient ok
Next, part 1 is transmitted:
XPRT 1 [Note: This replaces the DATA SMTP command.]
354 OK, send part
From: Mr. Spacely
To: &first_name; &last_name; &*TO;
Subject: Thanks for Being an Example.Com Customer
&*DATE;

Dear &first_name;,
Thank you for purchasing a &color; sprocket.
.
Chapter 41 Optimizing the Appliance for Outbound Mail Delivery Using D-Mode Sending Bulk Mail Using IronPort Mail Merge (IPMM)
message date

Dear Jane,
Thank you for purchasing a red sprocket.
Please accept our offer for 10% off your next sprocket purchase.
Recipient Joe User will receive this message:
From: Mr. Spacely
To: Joe User
Subject: Thanks for Being an Example.Com Customer
message date

Dear Joe,
Thank you for purchasing a black sprocket.
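Before handing a part and its variable definitions to the listener, it is worth previewing what each recipient will actually receive, because a body that contains HTML entities can collide with variable names. The following renderer is an added example; it is not AsyncOS code, does not speak XMRG or XPRT, and reproduces only the substitution rules the text describes: user variables are written &name; and replaced per recipient, names beginning with * are reserved (only &*TO; and &*DATE; are handled, as in the guide's sample), and a forward slash marks an entity that must pass through untouched. The guide describes the slash escape in the context of defining key-value pairs; applying it inside the message part, as done here, is this example's own convention, as are the sample recipients and values.

```python
"""Client-side preview of IPMM variable substitution.

Added example; not AsyncOS code and not the IPMM wire protocol. It applies
the substitution rules the guide describes to a message part so that the
per-recipient result can be checked before injection. The "/" escape in the
body is this example's reading of the guide's escape rule.
"""
import re
from email.utils import formatdate

# &name; where name is a user variable, or a reserved *name.
_VAR = re.compile(r"&(\*?[A-Za-z_][A-Za-z0-9_]*);")
# A "/" directly before "&" protects the entity that follows (example convention).
_ESCAPED = re.compile(r"/(&[A-Za-z0-9#]+;)")


def render_part(part, recipient, variables, date=None):
    """Return `part` with &var; replaced from `variables` for one recipient.

    `recipient` fills &*TO; and `date` (an RFC 2822 date string) fills &*DATE;.
    Unknown variables are left as written so a mistyped name is visible in
    the preview instead of silently becoming empty text.
    """
    date = date or formatdate(localtime=True)
    reserved = {"*TO": recipient, "*DATE": date}

    # Stash escaped entities so the substitution pass cannot touch them.
    placeholders = {}

    def stash(match):
        key = f"\x00{len(placeholders)}\x00"
        placeholders[key] = match.group(1)
        return key

    text = _ESCAPED.sub(stash, part)

    def substitute(match):
        name = match.group(1)
        if name.startswith("*"):
            return reserved.get(name, match.group(0))
        return variables.get(name, match.group(0))

    text = _VAR.sub(substitute, text)
    for key, entity in placeholders.items():
        text = text.replace(key, entity)
    return text


# Constructed sample part, mirroring the guide's sprocket message. The
# "/&trade;" shows an entity that must survive substitution unchanged.
PART_1 = (
    "From: Mr. Spacely\r\n"
    "To: &first_name; &last_name; &*TO;\r\n"
    "Subject: Thanks for Being an Example.Com Customer\r\n"
    "&*DATE;\r\n"
    "\r\n"
    "Dear &first_name;,\r\n"
    "Thank you for purchasing a &color; sprocket/&trade;.\r\n"
)

# Constructed per-recipient variable definitions.
RECIPIENTS = {
    "jane@company.com": {"first_name": "Jane", "last_name": "User", "color": "red"},
    "joe@company.com": {"first_name": "Joe", "last_name": "User", "color": "black"},
}


def render_all(part=PART_1, recipients=RECIPIENTS, date="message date"):
    """Render `part` once per recipient; returns {address: rendered text}."""
    return {addr: render_part(part, addr, vars_, date) for addr, vars_ in recipients.items()}


if __name__ == "__main__":
    for addr, text in render_all().items():
        print(f"--- {addr} ---\n{text}")
```

Note the difference between an unknown variable (left visible, so you notice the typo) and an escaped entity (restored verbatim even when a variable of the same name is defined); the second case is exactly the collision the guide's escape rule exists for.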
CH A P T E R 42 Centralizing Services on a Cisco Content Security Management Appliance • Overview of Cisco Content Security Management Appliance Services, page 42-1 • Network Planning, page 42-2 • Working with an External Spam Quarantine, page 42-2 • About Centralizing Policy, Virus, and Outbreak Quarantines, page 42-5 • Configuring Centralized Reporting, page 42-10 • Configuring Centralized Message Tracking, page 42-11 • Using Centralized Services, page 42-11 Overview of Cisco Content Secur
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance Network Planning Network Planning The Cisco Content Security Management appliance lets you separate the end-user interfaces (such as mail applications) from the more secure gateway systems residing in your various DMZs. Using a two-layer firewall can provide you with flexibility in network planning so that end users do not connect directly to the outer DMZ.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance Working with an External Spam Quarantine Messages that are released from the external quarantine on the Security Management appliance are returned to the originating Email Security appliance for delivery.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance Working with an External Spam Quarantine Before You Begin • Review the information in Mail Flow and the External Spam Quarantine, page 42-2. • Review and take action on the information in Migrating from a Local Spam Quarantine to an External Quarantine, page 42-3. • Configure the Security Management appliance to support the centralized spam quarantine and safelist/blocklist features.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance About Centralizing Policy, Virus, and Outbreak Quarantines Before You Begin Follow all directions, including information in the Before You Begin section, in Enabling an External Spam Quarantine and External Safelist/Blocklist, page 42-3. Procedure Step 1 Select Monitor > Spam Quarantine. Step 2 In the Spam Quarantine section, click the Spam Quarantine link. Step 3 Deselect Enable Spam Quarantine.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance About Centralizing Policy, Virus, and Outbreak Quarantines • Centralized quarantines can be backed up using the standard backup functionality on the Security Management appliance. For complete information, see the user guide or online help for your Security Management appliance.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance About Centralizing Policy, Virus, and Outbreak Quarantines Note • A message that was in multiple quarantines before migration will be in the corresponding centralized quarantines after migration. • Migration happens in the background. The amount of time it takes depends on the size of your quarantines and on your network.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance About Centralizing Policy, Virus, and Outbreak Quarantines Step 4 To receive notification when migration is complete, enter one or more email addresses. Step 5 Verify the information about quarantines to be migrated to be sure that this is what you want. Step 6 If you are completing a Custom migration, note any quarantines that will be deleted when you commit the changes in this procedure.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance About Centralizing Policy, Virus, and Outbreak Quarantines • System-created quarantines and quarantines that are referenced by message filters, content filters, and DLP message actions are automatically created on the Email Security appliance. The Virus, Outbreak, and Unclassified quarantines are created with the same settings that they had before quarantines were centralized, including assigned user roles.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance Configuring Centralized Reporting Configuring Centralized Reporting Before You Begin • Enable and configure centralized reporting on a Security Management appliance. See prerequisites and instructions in the Cisco Content Security Management Appliance User Guide. • Ensure that sufficient disk space is allocated to the reporting service on the Security Management appliance.
Chapter 42 Centralizing Services on a Cisco Content Security Management Appliance Configuring Centralized Message Tracking Configuring Centralized Message Tracking Note You cannot enable both centralized and local tracking on an Email Security appliance. Procedure Step 1 Click Security Services > Message Tracking. Step 2 In the Message Tracking Service section, click Edit Settings. Step 3 Select the Enable Message Tracking Service check box. Step 4 Select the Centralized Tracking option.
A P P E N D I X A FTP, SSH, and SCP Access You can access any interface you create on the appliance through a variety of services. • IP Interfaces, page A-1 • Configuring FTP Access to the Email Security Appliance, page A-2 • Secure Copy (scp) Access, page A-5 • Accessing the Email Security appliance via a Serial Connection, page A-5 IP Interfaces An IP interface contains the network configuration data needed for an individual connection to the network.
Appendix A FTP, SSH, and SCP Access Configuring FTP Access to the Email Security Appliance Joining or grouping Virtual Gateways is useful for load-balancing large email campaigns across several interfaces. You can also create VLANs, and configure them just as you would any other interface (via the CLI). For more information, see Chapter 37, “Advanced Network Configuration.
Appendix A FTP, SSH, and SCP Access Configuring FTP Access to the Email Security Appliance
Figure A-1 Edit IP Interface Page
Note Remember to commit your changes before moving on to the next step.
Step 2 Access the interface via FTP. Ensure you are using the correct IP address for the interface. For example:
$ ftp 192.168.42.42
Note Many browsers also allow you to access interfaces via FTP. FTP sends the login credentials and the transferred files (including exported configuration) in cleartext, so use it only on a trusted management network and prefer the scp access described later in this appendix where your client supports it.
Step 3 Browse to the directory for the specific task you are trying to accomplish.
Appendix A FTP, SSH, and SCP Access Configuring FTP Access to the Email Security Appliance
Directory Name: /configuration
Description: The directory where data from the following commands is exported to and/or imported (saved) from:
• Virtual Gateway mappings (altsrchost)
• configuration data in XML format (saveconfig, loadconfig)
• Host Access Table (HAT) (hostaccess)
• Recipient Access Table (RAT) (rcptaccess)
• SMTP routes entries (smtproutes)
• alias tables (aliasconfig)
• masquerading tables (masqu
Appendix A FTP, SSH, and SCP Access Secure Copy (scp) Access Step 4 Use your FTP program to upload and download files to and from the appropriate directory. Secure Copy (scp) Access If your client operating system supports a secure copy (scp) command, you can copy files to and from the directories listed in the previous table. For example, in the following example, the file /tmp/test.txt is copied from the client machine to the configuration directory of the appliance with the hostname of mail3.example.
Appendix A FTP, SSH, and SCP Access Accessing the Email Security appliance via a Serial Connection Pinout Details for the Serial Port in 80- and 90- Series Hardware Pinout Details for the Serial Port in 70-Series Hardware Figure A-2 illustrates the pin numbers for the serial port connector, and Table A-2 defines the pin assignments and interface signals for the serial port connector.
Appendix B Assigning Network and IP Addresses

This appendix describes general rules on networks and IP address assignments, and it presents some strategies for connecting the Cisco appliance to your network.
• Ethernet Interfaces, page B-1
• Selecting IP Addresses and Netmasks, page B-1
• Strategies for Connecting Your Cisco Appliance, page B-3

Ethernet Interfaces

For information about management and data ports on your appliance, see Hardware Ports, page 3-4.

Selecting IP Addresses and Netmasks

Sample Interface Configurations

This section shows sample interface configurations based on some typical networks. The example uses two interfaces called Int1 and Int2. In the case of the Cisco appliance, these interface names can represent any two of the three Cisco interfaces (Management, Data1, Data2).

Network 1: Separate interfaces must appear to be on separate networks.

Strategies for Connecting Your Cisco Appliance

Ethernet | IP
data1 | 192.19.1.100
data2 | 192.19.2.100

And your default gateway is 192.19.0.1. Now, if you perform an AsyncOS upgrade (or other command or function that allows you to select an interface) and you select the IP that is on data1 (192.19.1.100), you would expect all the TCP traffic to occur over the data1 Ethernet interface.
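The interface-selection scenario above, worked through as an added example (not Cisco's code or AsyncOS behaviour): a small single-table router model that shows the egress interface is chosen by a longest-prefix routing lookup against the default gateway's network, not by the source IP you pick in the UI. The page does not show the netmasks for data1 and data2, so the /16 netmask on both is an assumption; the second "separate networks" scenario (each interface on its own /24, gateway 192.19.1.1) is constructed to contrast with it.

```python
# Added example (not Cisco's code): a host's routing table, not the source
# address selected in the UI, decides which interface outbound traffic leaves
# on. The /16 netmask on data1/data2 is an assumption (the page omits it).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None means directly connected


def build_routes(interfaces: List[Tuple[str, str]], default_gateway: str) -> List[Route]:
    """Connected routes in the order the interfaces are listed, plus one default route.

    The default route is bound to the first interface whose connected network
    contains the gateway; if no connected network contains it, the gateway is
    unreachable and the configuration is rejected.
    """
    routes = [Route(ipaddress.ip_interface(cidr).network, name) for name, cidr in interfaces]
    gw = ipaddress.ip_address(default_gateway)
    gw_iface = next((r.interface for r in routes if gw in r.prefix), None)
    if gw_iface is None:
        raise ValueError(f"default gateway {gw} is not on any connected network")
    routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), gw_iface, gw))
    return routes


def egress(routes: List[Route], destination: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match; among equal prefix lengths the first route listed wins."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best.interface, (str(best.gateway) if best.gateway else None)


def check_selected_interface(interfaces, default_gateway, selected_ip, destination) -> dict:
    """Compare the interface that owns the selected IP with the interface traffic really uses."""
    owner = next(name for name, cidr in interfaces
                 if str(ipaddress.ip_interface(cidr).ip) == selected_ip)
    via, gw = egress(build_routes(interfaces, default_gateway), destination)
    return {"selected_interface": owner, "egress_interface": via,
            "gateway": gw, "as_expected": owner == via}


# Scenario from the page with the /16 netmask assumed: both data interfaces sit
# on the same 192.19.0.0/16 network, so the default route binds to data1 only.
PAGE_INTERFACES = [("data1", "192.19.1.100/16"), ("data2", "192.19.2.100/16")]
PAGE_GATEWAY = "192.19.0.1"

# Constructed contrast in the "Network 1" style: each interface on its own /24,
# gateway on data1's network.
SEPARATE_INTERFACES = [("data1", "192.19.1.100/24"), ("data2", "192.19.2.100/24")]
SEPARATE_GATEWAY = "192.19.1.1"

if __name__ == "__main__":
    for ip in ("192.19.1.100", "192.19.2.100"):
        print(ip, check_selected_interface(PAGE_INTERFACES, PAGE_GATEWAY, ip, "203.0.113.5"))
    print(check_selected_interface(SEPARATE_INTERFACES, SEPARATE_GATEWAY,
                                   "192.19.2.100", "192.19.2.7"))
```

Selecting data2's address in the /16 scenario yields `as_expected: False`: the upgrade traffic still leaves through data1 because that is where the default route points. Putting the interfaces on separate networks, as Network 1 requires, keeps the selected interface and the routed interface consistent for destinations on that interface's own network.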
Appendix C Example of Mail Policies and Content Filters

Overview of Incoming Mail Policies

The following example demonstrates the features of mail policies by illustrating the following tasks:
1. Editing the anti-spam, anti-virus, Outbreak Filter, and Content Filters for the default Incoming Mail Policy.
2. Adding two new policies for different sets of users — the sales organization and the engineering organization — and then configuring different email security settings for each.
3.

– Positively-identified spam: deliver, prepend the message subject
– Suspected spam: deliver, prepend the message subject
– Marketing email: scanning not enabled
• Anti-Virus: Enabled, Scan and Repair viruses, include an X-header with anti-virus scanning results
– Repaired messages: deliver, prepend the message subject
– Encrypted messages: deliver, prepend the message subject
– Unscannable messages: deliver, prep

Figure C-2 Security Services Not Available

Configuring the Default Anti-Spam Policies for Incoming Messages

Each row in the mail policy table represents a different policy. Each column represents a different security service.
• To edit the default policy, click any of the links for a security service in the bottom row of the incoming or outgoing mail policy table.

Figure C-3 Anti-Spam Settings Page

Creating a Mail Policy for a Group of Senders and Recipients

In this part of the example, you will create two new policies: one for the sales organization (whose members will be defined by an LDAP acceptance query), and another for the engineering organization.

Step 4 Define users for the policy. You define whether the user is a sender or a recipient. (See Examples of Policy Matching, page 10-4 for more detail.) The form shown in Figure C-4 defaults to recipients for incoming mail policies and to senders for outgoing mail policies. Users for a given policy can be defined in the following ways:
– Full email address: user@example.

Use the Remove button to remove a defined user from the list of current users.
Step 6 When you are finished adding users, click Submit. Note that all security services settings are set to use the default values when you first add a policy.

Figure C-5 Newly Added Policy — Sales Group

Step 7 Click the Add Policy button again to add another new policy.

Figure C-7 Newly Added Policy — Engineering Team

Note At this point, both newly created policies have the same settings applied to them as those in the default policy. Messages to users of either policy will match; however, the mail processing settings are not any different from the default policy.

Because the policy was just added, the link is named: (use default).

Figure C-8 Editing the Anti-Spam Settings for the Sales Team Policy

Step 2 On the anti-spam security service page, change the value for “Enable Anti-Spam Scanning for this Policy” from “Use Default Settings” to “Use Anti-Spam service.” Choosing “Use Anti-Spam service” here allows you to override the settings defined in the default policy.

Procedure
Step 1 Click the link for the Outbreak Filters feature security service (the Outbreak Filters column) in the engineering policy row. Because the policy was just added, the link is named: (use default).

Figure C-11 Outbreak Filters Settings

Step 9 Submit and commit your changes. Note that the shading shows that the policy is using different settings than the default policy.

Figure C-13 Finding Users in Policies

Click the name of the policy to jump to the Edit Policy page to edit the users for that policy. Note that the default policy will always be shown when you search for any user, because, by definition, if a sender or recipient does not match any other configured policies, it will always match the default policy.
Filtering Messages Based on Content

In this part of the example, you will create three new content filters to be used in the Incoming Mail Policy table. All of these content filters will be editable by delegated administrators belonging to the Policy Administration custom user role. You will create the following:
1. “scan_for_confidential” This filter will scan messages for the string “confidential.

Step 13 In the Subject field, type [message matched confidential filter].
Step 14 Click OK. The Add Content Filter page shows the action added.
Step 15 Click Add Action.
Step 16 Select Quarantine.
Step 17 In the drop-down menu, select the Policy quarantine area.
Step 18 Click OK. The Add Content Filter page shows the second action added.
Step 19 Submit and commit your changes.

Bouncing Messages Sent to a Former Employee

The third content filter example uses one condition and two actions.

Procedure
Step 1 Click the Add Filter button.
Step 2 In the Name: field, type ex_employee as the name of the new filter.
Step 3 Click the Editable By (Roles) link, select the Policy Administrator and click OK.
Step 4 In the Description: field, type the description.

Applying Individual Content Filters to Different Groups of Recipients

In the examples above, you created three content filters using the Incoming Content Filters pages. The Incoming Content Filters and Outgoing Content Filters pages hold the “master lists” of all possible content filters that can be applied to a policy.

Figure C-16 Enabling Content Filters for the Policy and Selecting Specific Content Filters

The content filters defined in the master list (which were created in Overview of Content Filters, page 11-1 using the Incoming Content Filters pages) are displayed on this page.

The table on the Incoming Mail Policies page shows the names of the filters that have been enabled for the engineering policy.

Figure C-19 Updated Content Filters for Incoming Mail Policies

Step 5 Commit your changes.

At this point, incoming messages that match the user list for the engineering policy will not have MP3 attachments stripped; however, all other incoming messages will have MP3 attachments stripped.

Figure C-20 Choosing Any or All of the Following Conditions

• You can test message splintering and content filters by creating “benign” content filters. For example, it is possible to create a content filter whose only action is “deliver.

– Korean (ISO 2022-KR)
– Korean (KS-C-5601/EUC-KR)
– Japanese (Shift-JIS (X0123))
– Japanese (ISO-2022-JP)
– Japanese (EUC)
You can mix and match multiple character sets within a single content filter. Refer to your web browser’s documentation for help displaying and entering text in multiple character encodings. Most browsers can render multiple character sets simultaneously.
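The policy-matching, message-splintering and per-policy content-filter behaviour described throughout this appendix, as an added example that is not the appliance's code: a constructed model of a three-row incoming mail policy table (sales, engineering, default) in which the first matching row wins, the default row always matches, a multi-recipient message splinters into one copy per matched policy, and each copy is acted on only by the filters enabled in its policy. The filter names follow the page's example; the policy names, user specifications, the LDAP group membership standing in for the LDAP acceptance query, the former employee's address and the action strings are all assumptions.

```python
# Added example (not the appliance's code): a model of mail policy matching,
# message splintering and per-policy content filters. Policy rows, user specs,
# LDAP membership and the former employee's address are constructed.
import dataclasses
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed stand-in for an LDAP acceptance/group query.
LDAP_GROUPS = {"sales": {"bob@example.com", "carol@example.com"}}


@dataclass
class Policy:
    name: str
    users: List[str]              # "user@domain", "@domain" or "ldap:<group>"
    content_filters: List[str]    # enabled filters, in order
    is_default: bool = False


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def user_matches(spec: str, address: str) -> bool:
    address = address.lower()
    if spec.startswith("ldap:"):
        return address in LDAP_GROUPS.get(spec[5:], set())
    if spec.startswith("@"):                      # whole domain
        return address.endswith(spec.lower())
    return address == spec.lower()                # full address


def match_policy(policies: List[Policy], recipient: str) -> Policy:
    """First row whose user list matches wins; the default row (last) always matches."""
    for p in policies:
        if p.is_default or any(user_matches(s, recipient) for s in p.users):
            return p
    raise ValueError("no default policy configured")


def splinter(policies: List[Policy], msg: Message) -> Dict[str, List[str]]:
    """Group recipients by matched policy; each group becomes its own copy of the message."""
    groups: Dict[str, List[str]] = {}
    for rcpt in msg.recipients:
        groups.setdefault(match_policy(policies, rcpt).name, []).append(rcpt)
    return groups


# The page's three content filters, each as condition -> list of actions.
def scan_for_confidential(msg: Message) -> List[str]:
    if "confidential" in (msg.subject + " " + msg.body).lower():
        return ["prepend_subject:[message matched confidential filter]", "quarantine:Policy"]
    return []


def no_mp3s(msg: Message) -> List[str]:
    if any(a.lower().endswith(".mp3") for a in msg.attachments):
        return ["strip_attachment:*.mp3"]
    return []


def ex_employee(msg: Message) -> List[str]:
    # Assumed former employee address; the page does not give one.
    if any(r.lower() == "former.employee@example.com" for r in msg.recipients):
        return ["bounce", "notify:hr@example.com"]
    return []


FILTERS: Dict[str, Callable[[Message], List[str]]] = {
    "scan_for_confidential": scan_for_confidential,
    "no_mp3s": no_mp3s,
    "ex_employee": ex_employee,
}


def apply_content_filters(policy: Policy, msg: Message) -> List[str]:
    actions: List[str] = []
    for name in policy.content_filters:
        actions.extend(FILTERS[name](msg))
    return actions


def process(policies: List[Policy], msg: Message) -> Dict[str, List[str]]:
    """Splinter the message, then run each policy's enabled filters on its own copy."""
    results: Dict[str, List[str]] = {}
    for pname, rcpts in splinter(policies, msg).items():
        policy = next(p for p in policies if p.name == pname)
        results[pname] = apply_content_filters(policy, dataclasses.replace(msg, recipients=rcpts))
    return results


# Constructed policy table: engineering has no_mp3s disabled, the others keep it.
POLICIES = [
    Policy("sales", ["ldap:sales"], ["scan_for_confidential", "no_mp3s", "ex_employee"]),
    Policy("engineering", ["@eng.example.com"], ["scan_for_confidential", "ex_employee"]),
    Policy("default", [], ["scan_for_confidential", "no_mp3s", "ex_employee"], is_default=True),
]

# Constructed sample message addressed to one user of each policy.
SAMPLE = Message("partner@example.net",
                 ["alice@eng.example.com", "bob@example.com", "dave@example.com"],
                 "Q3 roadmap", "Please keep this confidential.", ["notes.pdf", "jingle.mp3"])

if __name__ == "__main__":
    for pname, actions in process(POLICIES, SAMPLE).items():
        print(pname, actions)
```

The engineering copy keeps its MP3 attachment while the sales and default copies have it stripped, which is the state the appendix describes after Step 5; searching any address always lands on at least the default row because `match_policy` falls through to it.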
Appendix D Firewall Information

The following table lists the possible ports that may need to be opened for proper operation of the Cisco appliance (these are the default values).

Table D-1 Firewall Ports

Port | Protocol | In/Out | Hostname | Description
20/21 | TCP | In or Out | AsyncOS IPs, FTP Server | FTP for aggregation of log files. Data ports TCP 1024 and higher must also all be open. For more information, search for FTP port information in the Knowledge Base. See Knowledge Base, page 1-3.
82 | HTTP | In | AsyncOS IPs | Used for viewing the Cisco Anti-Spam quarantine.
83 | HTTPS | In | AsyncOS IPs | Used for viewing the Cisco Anti-Spam quarantine.
110 | TCP | Out | POP Server | POP authentication for end users for Cisco Spam Quarantine.
123 | UDP | In & Out | NTP Server | NTP if time servers are outside firewall.
1024 and higher | — | — | — | See information above for Port 21 (FTP).
2222 | CCS | In & Out | AsyncOS IPs | Cluster Communication Service (for Centralized Management).
6025 | TCP | Out | AsyncOS IPs | Cisco Spam Quarantine.
7025 | TCP | In & Out | AsyncOS IPs | Pass policy, virus, and outbreak quarantine data between Email Security appliances and the Cisco Content Security Management appliance when this feature is centralized.
Appendix E End User License Agreement

Cisco Systems End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT (COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE PURPOSES OF THIS CISCO END USER LICENSE AGREEMENT.

INTEGRATOR IN ACCORDANCE WITH THE TERMS OF THE DISTRIBUTOR'S AGREEMENT WITH CISCO TO DISTRIBUTE / SELL THE CISCO EQUIPMENT, SOFTWARE AND SERVICES WITHIN YOUR TERRITORY TO END USERS.

(i) transfer, assign or sublicense its license rights to any other person or entity (other than in compliance with any Cisco relicensing/transfer policy then in force), or use the Software on Cisco equipment not purchased by the Customer from an Approved Source or on secondhand Cisco equipment, and Customer acknowledges that any attempted transfer, assignment, sublicense or use shall be void; (ii) make error corrections to or o

Customer Records. Customer grants to Cisco and its independent accountants the right to examine Customer's books, records and accounts during Customer's normal business hours to verify compliance with this Agreement. In the event such audit discloses non-compliance with this Agreement, Customer shall promptly pay to Cisco the appropriate license fees, plus the reasonable cost of conducting the audit.

error free or that Customer will be able to operate the Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.

Restrictions.

FOR SUCH OTHER PRODUCT. THIS LIMITATION OF LIABILITY FOR SOFTWARE IS CUMULATIVE AND NOT PER INCIDENT (I.E. THE EXISTENCE OF TWO OR MORE CLAIMS WILL NOT ENLARGE THIS LIMIT).

Customer acknowledges and agrees that Cisco has set its prices and entered into the Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the

Supplemental End User License Agreement for Cisco Systems Content Security Software

IMPORTANT: READ CAREFULLY

This Supplemental End User License Agreement ("SEULA") contains additional terms and conditions for the Software product licensed under the End User License Agreement ("EULA") between You ("You" as used herein means You and the business entity you represent or "Company") and C

McAfee Anti-Malware
Cisco Email Reporting
Cisco Email Message Tracking
Cisco Email Centralized Quarantine
Cisco Web Reporting
Cisco Web Policy and Configuration Management
Cisco Advanced Web Security Management with Splunk
Email Encryption for Encryption Appliances
Email Encryption for System Generated Bulk Email
Email Encryption and Public Key Encryption for Encryption Appliances
Larg

"Virtual Machine" means a software container that can run its own operating system and execute applications like a Server.

Additional License Terms and Conditions

LICENSE GRANTS AND CONSENT TO TERMS OF DATA COLLECTION

License of Software.
GLOSSARY

A

Advanced Malware Protection: File reputation and file analysis services.

Allowed Hosts: Computers that are allowed to relay email through the Cisco appliance via a private listener. Allowed hosts are defined by their hostnames or IP addresses.

Anti-Virus: Sophos and McAfee Anti-Virus scanning engines provide cross-platform anti-virus protection, detection and disinfection through virus detection engines that scan files for viruses, Trojan horses and worms.

Content Matching Classifier: The detection component of the RSA data loss prevention scanning engine. A classifier contains a number of rules for detecting sensitive data, along with context rules that search for supporting data. For example, a credit card classifier not only requires that the message contain a string that matches a credit card number, but that it also contains supporting information such as an expiration date, a credit card company name, or an address.
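The credit card classifier described in the Content Matching Classifier entry, as an added example (not RSA's or Cisco's classifier): a constructed two-stage detector in which a candidate string must both look like a card number and pass the Luhn checksum, and the message must additionally satisfy at least one supporting context rule (an expiration date, a card brand name or a postal address) before the classifier reports a match. The regular expressions, rule names and sample messages are constructed; 4111 1111 1111 1111 is a widely used test card number.

```python
# Added example (not the product's classifier): a content matching classifier
# for credit card numbers that requires both a Luhn-valid number and supporting
# context, so lone digit runs (order or tracking numbers) do not trigger it.
import re
from typing import Dict, List

CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")                     # 13-16 digits, spaces/dashes allowed
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])\s*/\s*(?:\d{2}|\d{4})\b")       # MM/YY or MM/YYYY
ADDRESS = re.compile(r"\b\d{1,5}\s+\w+\s+(?:street|st|avenue|ave|road|rd)\b", re.I)
BRANDS = ("visa", "mastercard", "american express", "discover")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> List[str]:
    """Card-number-shaped strings that also pass the Luhn check, separators removed."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def context_rules(text: str) -> List[str]:
    """Supporting-data rules, in the glossary's sense: which ones fired on this text."""
    hits = []
    if EXPIRY.search(text):
        hits.append("expiration_date")
    if any(brand in text.lower() for brand in BRANDS):
        hits.append("card_brand")
    if ADDRESS.search(text):
        hits.append("postal_address")
    return hits


def classify(text: str) -> Dict[str, object]:
    """A match needs at least one valid card number AND at least one context rule."""
    numbers = card_numbers(text)
    context = context_rules(text)
    return {"card_numbers": numbers, "context": context,
            "match": bool(numbers) and bool(context)}


# Constructed sample messages.
SAMPLES = {
    "card_with_context": "Card: 4111 1111 1111 1111, Visa, exp 12/26. Ship to 12 Elm Street.",
    "card_without_context": "Your confirmation number is 4111 1111 1111 1111.",
    "context_without_card": "Tracking number 1234 5678 1234 5678, delivery by 12/26.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

Only the first sample matches: the second carries a valid number but no supporting data, and the third carries an expiration date but its digit run fails the Luhn check. Tuning the context rules (and how many must fire) is where the false-positive rate of such a classifier is controlled.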
DoS attack: Denial of Service attack; can also be in the form of DDoS (Distributed Denial of Service attack). An attack on a network or computer, the primary aim of which is to disrupt access to a given service.

DSN: Delivery Status Notification, a bounced message.

E

Email Security Manager: A single, comprehensive dashboard to manage all email security services and applications on IronPort appliances.

I

IDE File: Virus Definition File. An IDE file contains signatures or definitions used by anti-virus software to detect viruses.

L

LDAP: Lightweight Directory Access Protocol. A protocol used to access information about people (including email addresses), organizations, and other resources in an Internet directory or intranet directory.

Listener: A listener describes an email processing service that will be configured on a particular IP interface.

MTA: Mail Transfer Agent, or Messaging Transfer Agent. The program responsible for accepting, routing, and delivering email messages. Upon receiving a message from a Mail User Agent or another MTA, the MTA stores the message temporarily locally, analyses the recipients, and routes it to another MTA (routing). It may edit and/or add to the message headers.

Q

Queue: In the Cisco appliance, you can delete, bounce, suspend, or redirect messages in the email queue. This email queue of messages for destination domains is also referred to as the delivery queue. The queue of messages waiting to be processed by IronPort Anti-Spam or message filter actions is referred to as the work queue. You can view the status of both queues using the status detail command.

R

RAT: Recipient Access Table.

Spam: Unwanted, Unsolicited Commercial bulk Email (UCE/UBE). Anti-spam scanning identifies email messages that are suspected to be spam, according to its filtering rules.

STARTTLS: Transport Layer Security (TLS) is an improved version of the Secure Socket Layer (SSL) technology. It is a widely used mechanism for encrypting SMTP conversations over the Internet. The IronPort AsyncOS operating system supports the STARTTLS extension to SMTP (Secure SMTP over TLS), described in RFC 2487.