ESET MAIL SECURITY Installation Manual and User Guide (intended for product version 4.
Contents

1. Introduction
1.1 Main functionality
1.2 Key features of the system
2. Terminology and abbreviations
3. System requirements
1. Introduction

Thank you for using ESET Mail Security - the premier security system for Linux, BSD and Solaris. ESET's state-of-the-art scanning engine has unsurpassed scanning speed and detection rates, combined with a very small footprint, which makes it the ideal choice for any server on Linux, BSD and Solaris.

1.1 Main functionality

Post Office Protocol filter (POP3)
The POP3 filter scans communication between POP3 clients and servers for viruses.
Multiple logging levels
Multiple logging levels can be configured to provide information about system activity and infiltrations.

Web interface
Configuration, administration and license management are offered through an intuitive and user-friendly web interface.

Remote administration
The system supports ESET Remote Administrator for management in large computer networks.

No external libraries
The ESET Mail Security installation does not require external libraries or programs except for LIBC.
2. Terminology and abbreviations

In this section, we review the terms and abbreviations used in this document. Note that boldface is reserved for product component names and for newly defined terms and abbreviations. Terms and abbreviations defined in this chapter are expanded on later in this document.

ESETS
ESET Security is a standard acronym for all security products developed by ESET, spol. s r. o. for the Linux, BSD and Solaris operating systems.
3. System requirements

The following hardware requirements must be met before installation in order to run ESET Mail Security properly:

250MB of hard-disk space
256MB of RAM
glibc 2.3.6 or higher
2.6.x Linux OS kernel versions

ESET Mail Security should work on most recent and frequently used open-source Linux distributions if the above criteria are met.
4. Installation

After purchasing ESET Mail Security, you will receive your authorization data (Username, Password and license key). These credentials identify you as an ESET customer, and are required to download updates for ESET Mail Security. The Username/Password data is also required for downloading the initial installation package from our website. ESET Mail Security is distributed as a binary file: esets.arch.ext.
Enter your Username and Password into the global section of the ESET configuration file using a text editor:

vi @ETCDIR@/esets.cfg

Edit the ESETS Update options section of the ESETS configuration file:

av_update_username = "EAV-12345678"
av_update_password = "yourpassword"

Start the main daemon service:

Linux OS: /etc/init.d/esets start
BSD OS: /usr/local/etc/rc.d/esets.
5. Architecture Overview

Once ESET Mail Security is successfully installed, you should become familiar with its architecture.

Figure 4-1. Structure of ESET Mail Security.

The structure of ESET Mail Security is shown in Figure 4-1. The system is comprised of the following parts:

CORE
The core of ESET Mail Security is the ESETS daemon (esets_daemon). The daemon uses the ESETS API library libesets.so and the ESETS loading modules em00X_xx.
@ETCDIR@/license
This directory is used to store the product license key(s) you have acquired from your vendor. Note that the ESETS daemon checks only this directory for a valid license key.

@ETCDIR@/scripts/license_warning_script
If enabled by the Scheduler task named Threat notification, this script is executed once per day during the 30 days before product license expiration, sending an email notification about the expiration status to the system administrator.
6. Integration with Email Messaging System

This chapter describes the integration of ESET Mail Security with a variety of known email messaging systems. It is extremely important to understand the basic principles of an email messaging system (see Figure 5-1) and how ESET Mail Security integrates with it.

Figure 5-1. Scheme of UNIX OS email messaging system.

MTA - Mail Transport Agent
A program (e.g., sendmail, postfix, qmail, exim, etc.
6.1 Bi-directional email message scanning in MTA

Bi-directional email message scanning mode allows the user to scan inbound and outbound email messages with the same implementation algorithm. The bi-directional content filter method is MTA dependent. ESET Mail Security comes with five content filters that are built for the most common MTA programs, such as Sendmail, Postfix, Exim, QMail, ZMailer and GroupWise Internet Agent (GWIA). Check that your MTA is properly configured and running.
approval. The backup configuration files should be restored after uninstalling. Detailed steps for all possible scenarios are described in Appendix A of this documentation.

6.5 Alternative methods of content filtering

6.5.1 Scanning email messages in CommuniGate Pro

CommuniGate Pro is a powerful and reliable Unified Communications server; esets_cgp is used for content filtering (antivirus and antispam filtering). esets_cgp only allows scanning of incoming email messages.
Figure 5-3. Rule Settings.

6.5.2 Scanning email messages using AMaViS

AMaViS (A Mail Virus Scanner) is a tool that interfaces your MTA with several antivirus scanners. It supports various MTAs and comes in three branches: amavis, amavisd and amavisd-new. Only the amavisd-new branch is supported. AMaViS cooperates with ESET Mail Security through esets_cli. Before the AMaViS configuration is explained, the effect of the ESET Mail Security scanning method on it is described.
6.5.3 Scanning email messages using Novell GroupWise

Novell GroupWise is a messaging and collaboration software platform that also supports email management. The platform consists of client and server software, available for various platforms (e.g., Linux). The module esets_gwia only allows scanning of incoming email messages.
7. Important ESET Mail Security mechanisms

7.1 Handle Object Policy

The Handle Object Policy (see Figure 6-1) mechanism provides filtering for scanned objects based on their status. This functionality is based on the following configuration options:

action_av
action_av_infected
action_av_notscanned
action_av_deleted

For detailed information on these options, please refer to the esets.cfg(5) man page.

Figure 6-1. Scheme of Handle Object Policy mechanism.
[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
action_av = "scan"

To provide individual parameter settings, define a ‘user_config’ parameter with the path to the special configuration file where the individual settings will be stored. In the example below, we create a reference to the special configuration file ‘esets_smtp_spec.cfg’, which is located in the ESETS configuration directory.
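The [global] update credentials and the [smtp] agent settings above share one plain layout: a `[section]` header followed by `key = value` lines, with string values in double quotes and bare tokens such as `yes` or a port number. The following Python is an added example, not ESET's own parser or code: it reads that layout and runs two pre-start checks an administrator would want, namely that the update credentials are present and that an enabled SMTP agent listens only on loopback (the guide's example binds it to localhost, so the scanning proxy port is reachable only by the local MTA). The embedded sample configuration is constructed from the values shown in this guide; treating lines that start with `#` as comments and the loopback check itself are assumptions of this example, not documented product behaviour.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the esets.cfg layout this guide shows. The credential
# values are the guide's own placeholders, not real ones.
SAMPLE_CFG = '''
[global]
av_update_username = "EAV-12345678"
av_update_password = "yourpassword"

[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
action_av = "scan"
'''

SECTION_RE = re.compile(r"^\[(\w+)\]$")
# key = "quoted value"   or   key = bare_token
OPTION_RE = re.compile(r'^(\w+)\s*=\s*(?:"([^"]*)"|(\S+))$')


def parse_esets_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key = value lines into nested dicts.

    Assumption: lines beginning with '#' are comments. Anything else that is
    neither a section header nor an option makes the parser refuse the file,
    so a mistyped setting is reported instead of silently ignored.
    """
    cfg: Dict[str, Dict[str, str]] = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        m = OPTION_RE.match(line)
        if m is None or section is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, quoted, bare = m.groups()
        cfg[section][key] = quoted if quoted is not None else bare
    return cfg


def _is_loopback(addr: str) -> bool:
    """'localhost' or a loopback IP literal counts as loopback."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def check_config(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings worth fixing before the daemon is started."""
    findings: List[str] = []
    g = cfg.get("global", {})
    for key in ("av_update_username", "av_update_password"):
        if not g.get(key):
            findings.append(f"[global] {key} is empty: signature updates will fail")
    smtp = cfg.get("smtp", {})
    if smtp.get("agent_enabled") == "yes":
        addr = smtp.get("listen_addr", "")
        if not _is_loopback(addr):
            findings.append(
                f"[smtp] listen_addr={addr!r} is not loopback: the scanning proxy "
                "port is reachable from other hosts, not only the local MTA")
        for key in ("listen_port", "server_port"):
            if not smtp.get(key, "").isdigit():
                findings.append(f"[smtp] {key} is missing or not numeric")
    return findings


if __name__ == "__main__":
    parsed = parse_esets_cfg(SAMPLE_CFG)
    for finding in check_config(parsed) or ["no findings"]:
        print(finding)
```

Run against the sample it reports no findings; change `listen_addr` to `"0.0.0.0"` or blank the password and the corresponding finding appears. The parser keeps every value as a string on purpose: the guide writes ports unquoted and addresses quoted, and a checker should report on what is literally in the file.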
directory. Regular updates of the anti-spam database can be administered using tasks in Scheduler. Anti-spam functionality can also be configured using the following configuration file:

@ETCDIR@/anti-spam/spamcatcher.conf

Note: SpamCatcher is a tool for spam detection. It tracks all email communication on its own server and monitors messages rejected by users.
ignored_ip_list
List of ignored IP addresses. You can specify IPs that should be ignored during Real-time Blackhole List (RBL) checks. Include all internal IP addresses within the firewall that are not directly accessible from the Internet. Doing so prevents unnecessary checks and helps identify the actual connecting IP addresses. Internal IP addresses are already skipped by the engine (192.168.x.y and 10.x).

rbl_list
List of Realtime Blackhole servers to be used when evaluating messages.
Value from 0 to 100. Influences the overall spam score. The standard value is 100, i.e. in case of a positive check the message is assigned a spam score of 100 and is evaluated as spam. Negative values lower the overall spam score of a message.

DNSBL checks can have a negative impact on server performance, because every domain/IP address found in the message body is checked against all defined DNSBL servers and every single check requires a DNS server request.
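To make the RBL/DNSBL options above concrete, here is an added Python example that is not part of the guide or of SpamCatcher. It extracts IPv4 literals from a constructed message body, skips the ranges the guide says are never checked (192.168.x.y, 10.x and the entries of ignored_ip_list), builds one DNSBL query name per remaining address and per rbl_list server, which also makes the "addresses times servers" DNS cost visible, and combines per-check values into a 0..100 score. The reversed-octet query form is the general DNSBL convention and is assumed here; the scoring is a simplified model of the description above (a positive check adds the configured value, negative values subtract, result clamped); the zone names and addresses are constructed placeholders, not real services or hosts.

```python
import ipaddress
import re
from typing import Iterable, List

# Constructed stand-ins for spamcatcher.conf values (placeholders, not real services).
IGNORED_IP_LIST = ["203.0.113.25"]           # an internal relay listed in ignored_ip_list
RBL_LIST = ["rbl-one.example.invalid", "rbl-two.example.invalid"]
DNSBL_SCORE = 100                            # the guide's standard value

# Private ranges the guide says the engine skips on its own (192.168.x.y and 10.x).
BUILTIN_SKIP = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed message body: two private addresses, one ignored relay, one public
# address and one token that only looks like an address.
SAMPLE_BODY = """Received: from mailhub (10.0.0.5) by relay (192.168.1.20)
Received: from gateway (203.0.113.25)
Click http://198.51.100.7/offer for details, or try 999.1.1.1
"""


def extract_ipv4(text: str) -> List[ipaddress.IPv4Address]:
    """Return syntactically valid IPv4 literals from text, in order, without duplicates."""
    found: List[ipaddress.IPv4Address] = []
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the pattern but is not an address
        if ip not in found:
            found.append(ip)
    return found


def is_skipped(ip: ipaddress.IPv4Address, ignored_ip_list: Iterable[str]) -> bool:
    """True for built-in private ranges and for addresses listed in ignored_ip_list."""
    if any(ip in net for net in BUILTIN_SKIP):
        return True
    return str(ip) in set(ignored_ip_list)


def dnsbl_queries(ips: Iterable[ipaddress.IPv4Address], rbl_list: Iterable[str],
                  ignored_ip_list: Iterable[str]) -> List[str]:
    """Build the DNS names that would be looked up: one per address per server.

    Assumption: the usual DNSBL convention, octets reversed with the zone appended.
    """
    names: List[str] = []
    zones = list(rbl_list)
    for ip in ips:
        if is_skipped(ip, ignored_ip_list):
            continue
        reversed_octets = ".".join(reversed(str(ip).split(".")))
        names.extend(f"{reversed_octets}.{zone}" for zone in zones)
    return names


def spam_score(check_values: Iterable[int]) -> int:
    """Simplified model of the score option: sum the values of positive checks
    (standard 100), let negative values lower the total, clamp to 0..100."""
    return max(0, min(100, sum(check_values)))


if __name__ == "__main__":
    ips = extract_ipv4(SAMPLE_BODY)
    queries = dnsbl_queries(ips, RBL_LIST, IGNORED_IP_LIST)
    print(f"{len(ips)} addresses found, {len(queries)} DNS requests would be issued")
    for name in queries:
        print(" ", name)
    print("score if one server lists the address:", spam_score([DNSBL_SCORE]))
```

With the sample body only 198.51.100.7 survives the skip rules, so two servers cost two DNS requests; every extra public address in a body multiplies that by the length of rbl_list, which is the performance effect the guide warns about, and adding internal relays to ignored_ip_list removes their share of the cost.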
Other settings

enable_spf
This option enables/disables validation by SPF (Sender Policy Framework). This validation method checks the public rules of a domain (its domain policy) to determine whether a sender is authorized to send messages from that domain.

enable_all_spf
This option determines whether domains not on the ‘spf_list’ or in the Mailshell file can bypass SPF validation. For this option to work correctly, the ‘enable_realtime_spf’ parameter must be set to yes.
The following event names can be used in place of the datespec option:

start – Daemon startup.
startonce – Daemon startup, but at most once a day.
engine – Successful engine update.
login – Web interface logon startup.
threat – Threat detected.
notscanned – Not scanned email or file.
licexp – 30 days before license expiration.

To display the current scheduler configuration, use the Web interface or run the following command:

cat @ETCDIR@/esets.
Important: Make sure you click the Save changes button after making any changes in the Configuration section of the web interface to save your new settings. To apply your settings you will need to restart the ESETS daemon by clicking Apply changes on the left pane.

7.7.1 License management

You can upload a new license using the web interface, as shown in Figure 6-2.
Using the web interface:

Figure 6-3. ESETS - Configuration > SMTP Agent.

Always remember to save your new configuration by clicking Save changes. To apply your new changes, click the Apply changes button in the Configuration sections panel. There are various scanner options you can use to customize the scanning environment: actions, limits, modification masks, targets.
7.7.3 Scheduler

You can manage the scheduler tasks either via the ESET configuration file (see chapter Scheduler) or using the web interface.

Figure 6-5. ESETS - Global > Scheduler.

Click the checkbox to enable/disable a scheduled task. By default, the following scheduled tasks are displayed:

Log maintenance – The program automatically deletes older logs in order to save hard disk space. The Scheduler starts defragmenting logs; all empty log entries are removed during this process.
7.7.4 Statistics

You can view statistics for all active ESETS agents here. The Statistics summary refreshes every 10 seconds.

Figure 6-6. ESETS - Control > Statistics.

7.8 Remote Administration

ESETS supports ESET Remote Administration for mail security management in large computer networks.
7.8.1 Remote Administration usage example

Before commencing any remote administration process, ensure your system fulfills the following three prerequisites:

Running ERA Server
Running ERA Console
RA Client enabled in the ESETS daemon

Ensure that firewall settings do not block traffic to the ERA Server or vice versa. To set up the basics, first specify the address of your ERA Server in the ‘racl_server_addr’ parameter.
Figure 6-8. ERA Configuration Editor.

The New Task context menu contains On-demand scanning options (with cleaning enabled or disabled). You can select the product that you wish to set the task for in the On-Demand Scan pop-up window, in the Configuration Section drop-down menu. Make sure that you select the On-demand Scan task for Unix ESET Security Product option (i.e. the product that is installed on your target workstation).

Figure 6-9. ERA On-demand scan.
7.9 Logging

ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events.

Messages refer to a facility:
auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7

Messages are assigned a priority/level by the sender of the message:
Error, Warning, Summall, Summ, Partall, Part, Info, Debug

This section describes how to configure and read the logging output of syslog.
The following commands are available only for ESET Mail Security.

esets_cgp
External filter plug-in for CommuniGate Pro, which reads e-mail filenames from standard input, requests esets_daemon to scan them and responds with a status.
Usage: @BINDIR@/esets_cgp [OPTIONS..]

esets_cli
ESET's Command Line Interface module, whose role is to scan all file system objects that are given as command line argument(s).
Usage: @BINDIR@/esets_cli [OPTIONS..] FILES..
8. ESET Security system update

8.1 ESETS update utility

To maintain the effectiveness of ESET Mail Security, the virus signature database must be kept up to date. The esets_update utility has been developed specifically for this purpose. See the esets_update(8) man page for details. To launch an update, the configuration options ‘av_update_username’ and ‘av_update_password’ must be defined in the [global] section of the ESETS configuration file.
9. Let us know

We hope this guide has provided you with a thorough understanding of the requirements for ESET Mail Security installation, configuration and maintenance. It is our goal to continually improve the quality and effectiveness of our documentation. For additional assistance with your ESET product, please visit our online Knowledgebase at the following URL: http://kb.eset.
10. Appendix A. ESETS setup and configuration

10.1 Setting ESETS for MTA Postfix

Inbound email message scanning

Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.

The objective of this installation is to insert esets_mda before the original Postfix MDA. The MDA to be used (with arguments) is set in the Postfix parameter ‘mailbox_command’. Note: If the ‘mailbox_command’ value is empty, Postfix alone is delivering mail.
10.2 Setting ESETS for MTA Sendmail

Inbound email message scanning

Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.

The objective of this installation is to insert esets_mda before Sendmail's original MDA. Note: On FreeBSD, Sendmail may be communicating with the MDA using LMTP. However, esets_mda does not understand LMTP. If you have FEATURE(local_lmtp) in ‘hostname’.mc, comment it out now and recreate sendmail.cf.
This will start Qmail using esets_mda for local deliveries. However, the original delivery specification is passed to qmail-local through esets_mda. Note that in this configuration esets_mda uses Qmail's recognized exit codes (see the qmail-command(8) man page). Lastly, replace qmail-start using these commands:

mv /var/qmail/bin/qmail-start /var/qmail/bin/qmail-start.orig
ln -s qmail-start.esets /var/qmail/bin/qmail-start

Restart Qmail.
or, if you are using FreeBSD, this parameter:

mda_path = "/usr/local/sbin/exim"

where /usr/sbin/exim (or /usr/local/sbin/exim) is the full path to the Exim binary. Then restart the ESETS daemon.
Note: According to the Handle Object Policy, the configuration options in the [gwia] section such as ‘action_av’, ‘action_av_infected’ and ‘action_as’ with the actions ‘defer’ and ‘reject’ will be changed to ‘discard’. These events are logged to syslog. Ensure that these parameters were set by the esets_setup installer in the gwia.cfg configuration file (located in /opt/novell/groupwise/agents/share/):

--home /opt/novell/groupwise/wpgate/gwia
--dhome /var/spool/gwia/queues
--smtphome /var/spool/gwia/esets

10.
10.10 Setting ESETS for scanning of IMAP communication

IMAP communication scanning is performed by the esets_imap daemon. In the [imap] section of the ESETS configuration file, set these parameters:

agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8143

where ‘listen_addr’ is the address of the local network interface named if0. Then restart the ESETS daemon. The next step is to redirect all IMAP requests to esets_imap.
11. Appendix B. PHP License

The PHP License, version 3.01
Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2.