ePrism User Guide M1000, M2000, M3000

ePrism User Guide - Anti-Phishing | EdgeWave · 2016. 10. 3.


    ePrism User Guide
    M1000, M2000, M3000

    Preface 5

    CHAPTER 1 ePrism Overview 7
        What’s New in ePrism 5.0 8
        ePrism Overview 10
        ePrism Deployment 17
        How Messages are Processed by ePrism 19

    CHAPTER 2 Administering ePrism 23
        Connecting to ePrism 24
        Configuring the Admin User 28
        Web Server Options 31
        Customizing the ePrism Interface 32

    CHAPTER 3 Configuring Mail Delivery Settings 33
        Network Settings 34
        Static Routes 38
        Mail Routing 39
        Mail Delivery Settings 41
        Mail Aliases 46
        Mail Mappings 48
        Virtual Mappings 50

    CHAPTER 4 Directory Services 53
        Directory Service Overview 54
        Directory Servers 56
        Directory Groups 58
        Directory Users 61
        LDAP Aliases 65
        LDAP Mappings 67
        LDAP Recipients 69
        LDAP Relay 71
        LDAP Routing 74

    CHAPTER 5 Configuring Email Security 77
        SMTP Mail Access 78
        Anti-Virus 80
        Malformed Messages 83
        Attachment Control 85
        SPF (Sender Policy Framework) 88
        Encryption and Certificates 90

    CHAPTER 6 Anti-Spam Features 97
        Anti-Spam Feature Overview 98
        Email Spam Processing 99
        ePrism Anti-Spam Controls 102
        Specific Access Patterns 104
        Pattern Based Message Filtering 107
        Objectionable Content Filtering 115
        RBL (Real-time Blackhole List) 117
        DCC (Distributed Checksum Clearinghouse) 119
        STA (Statistical Token Analysis) 123
        Trusted Senders 133
        Spam Quarantine 136
        Spam Options 141

    CHAPTER 7 User Accounts and Remote Authentication 143
        POP3 and IMAP Access 144
        Local User Mailboxes 145
        Mirror Accounts 147
        Strong Authentication 148
        Remote Accounts and Directory Authentication 150
        Relocated Users 153
        Vacation Notification 154
        Tiered Administration 157

    CHAPTER 8 Secure WebMail and ePrism Mail Client 159
        Secure WebMail 160
        ePrism Mail Client 164

    CHAPTER 9 Policy Management 167
        Policy Overview 168
        Creating Policies 171

    CHAPTER 10 System Management 177
        System Status and Utilities 178
        Mail Queue Management 181
        Quarantine Management 182
        License Management 184
        Software Updates 186
        Security Connection 187
        Reboot and Shutdown 188
        Backup and Restore 189
        Centralized Management 197
        Problem Reporting 202

    CHAPTER 11 HALO (High Availability and Load Optimization) 203
        HALO Overview 204
        Configuring Clustering 206
        Cluster Management 212
        Configuring the F5 Load Balancer 216
        Queue Replication 217

    CHAPTER 12 Reporting 221
        Viewing and Generating Reports 222
        Viewing the Mail History Database 231
        Viewing the System History Database 234
        Report Configuration 237

    CHAPTER 13 Monitoring System Activity 239
        Activity Screen 240
        System Log Files 242
        SNMP (Simple Network Management Protocol) 245
        Alarms 248

    CHAPTER 14 Troubleshooting Mail Delivery 251
        Troubleshooting Mail Delivery 252
        Troubleshooting Tools 253
        Examining Log Files 254
        Network and Mail Diagnostics 258
        Troubleshooting Content Issues 263

    APPENDIX A Using the ePrism System Console 265

    APPENDIX B Restoring ePrism to Factory Default Settings 269

    APPENDIX C Message Processing Order 271

    APPENDIX D Customizing Notification and Annotation Messages 273

    APPENDIX E Performance Tuning 275
        Setting Default Performance Settings 276
        Advanced Settings 277

    APPENDIX F SNMP MIBS 283
        MIB Files Summary 283
        MIB OID Values 287

    APPENDIX G Third Party Copyrights and Licenses 291

    Preface

    This ePrism User Guide provides detailed information on how to configure and manage your ePrism Email Security Appliance, and contains the following topics:

    • Chapter 1 — “ePrism Overview” on page 7
    • Chapter 2 — “Administering ePrism” on page 23
    • Chapter 3 — “Configuring Mail Delivery Settings” on page 33
    • Chapter 4 — “Directory Services” on page 53
    • Chapter 5 — “Configuring Email Security” on page 77
    • Chapter 6 — “Anti-Spam Features” on page 97
    • Chapter 7 — “User Accounts and Remote Authentication” on page 143
    • Chapter 8 — “Secure WebMail and ePrism Mail Client” on page 159
    • Chapter 9 — “Policy Management” on page 167
    • Chapter 10 — “System Management” on page 177
    • Chapter 11 — “HALO (High Availability and Load Optimization)” on page 203
    • Chapter 12 — “Reporting” on page 221
    • Chapter 13 — “Monitoring System Activity” on page 239
    • Chapter 14 — “Troubleshooting Mail Delivery” on page 251

    The following Appendices contain supplemental information for ePrism:

    • Appendix A — “Using the ePrism System Console” on page 265
    • Appendix B — “Restoring ePrism to Factory Default Settings” on page 269
    • Appendix C — “Message Processing Order” on page 271
    • Appendix D — “Customizing Notification and Annotation Messages” on page 273
    • Appendix E — “Performance Tuning” on page 275
    • Appendix F — “SNMP MIBS” on page 283
    • Appendix G — “Third Party Copyrights and Licenses” on page 291

    Related Documentation

    If release notes are included with your product package, please read them for the latest information on installing and managing your ePrism.

    The following documents are included as part of the ePrism documentation set:

    • Release Notes — Provides up to date information on the product, including any known issues. If instructions in the release notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.


    • ePrism Installation Guide — Provides instructions on how to install and provide the initial configuration for the ePrism Email Security Appliance.

    • ePrism User Guide — Provides detailed information on how to configure and administer the ePrism Email Security Appliance.

    Contacting Technical Support

    St. Bernard Software telephone support is available Monday to Friday, 07:00 am to 4:00 pm (Pacific Standard Time) and 08:30 to 17:30 (UTC).

    North America, South America, Pacific Rim (PST)
    15015 Avenue of Science, San Diego, CA 92128
    Main: 858.676.2277
    FAX: 858.676.2299
    Technical Support: 858.676.5050
    Technical Support Email: [email protected]

    Europe, Asia, Africa (UTC)
    Unit 4, Riverside Way, Watchmoor Park, Camberley, Surrey, UK GU15 3YQ
    Main: 44.1276.401.640
    FAX: 44.1276.684.479
    Technical Support: 44.1276.401.642
    Technical Support Email: [email protected]

    Copyright Information

    © 2003-2005 St. Bernard Software, Inc. All rights reserved.

    St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged.

    Information in this document is subject to change without notice.

  • CHAPTER 1 ePrism Overview

    This chapter provides an overview of the architecture and features of the ePrism Email Security Appliance, and contains the following topics:

    • “What’s New in ePrism 5.0” on page 8
    • “ePrism Overview” on page 10
    • “ePrism Deployment” on page 17
    • “How Messages are Processed by ePrism” on page 19


    What’s New in ePrism 5.0

    The ePrism Email Security Appliance 5.0 release contains the following new features and improvements:

    New User Interface

    The ePrism user interface has been redesigned for easier navigation and more efficient administration of ePrism’s powerful features.

    Improved Performance

    ePrism 5.0 delivers a 30% or greater improvement in mail processing over the previous release. Its security and spam filtering techniques have been reworked to process mail more efficiently.

    Directory Services Improvements

    ePrism 5.0 adds significant improvements to its Directory Services integration, enhancing support for OpenLDAP, iPlanet, and Active Directory LDAP implementations. The following new features have been added:

    • LDAP Recipients — This feature is used in conjunction with the Reject on Unknown Recipient Anti-Spam feature. LDAP Recipients performs real-time direct LDAP lookups to verify the existence of recipients.

    • LDAP Domain Routing — This feature performs an LDAP search to find the mail route host for a domain. It is the preferred method of mail routing for organizations with a large number of domains.

    • LDAP SMTP Relay Authentication — This feature is used in conjunction with the SMTP Relay Authentication to allow clients to be authenticated via LDAP for SMTP relay purposes.

    Select Basic Config -> Directory Services on the menu to configure all LDAP directory features.

    OCF (Objectionable Content Filter)

    The Objectionable Content Filter defines a list of key words that will cause a message to be blocked if any of those words appear in the message. This feature is useful for organizations that need to manage their email in accordance with regulatory requirements. The Objectionable Content Filter provides enhanced content filtering functionality and flexibility, allowing users to restrict content of any form including objectionable words or phrases, offensive content and/or confidential information.

    The OCF list can be updated and customized to meet the specific needs of any organization. Rules can be applied to both inbound and outbound messages, preventing unwanted content from entering an organization and prohibiting the release of sensitive information. OCF can be configured via Mail Delivery -> Anti-Spam -> OCF.

    Large MTU Support

    In Basic Config -> Network, in the Network Interface section, you can enable the Large MTU (Maximum Transfer Unit) parameter which sets the MTU of the interface to 1500. This may improve performance connecting to servers on a local network. The default MTU is 576.

    Configurable Content Reject Message (SMTP)

    In Mail Delivery -> Delivery Settings -> Advanced, there is a new option to configure the content rejection message that appears in the SMTP 552 error message.


    ePrism Overview

    ePrism is a dedicated Mail Firewall designed for deployment between internal mail servers and the Internet. ePrism supports the standard mail protocols for processing email messages, while offering a secure method for their processing and delivery. ePrism has been designed specifically to resist operating system attacks and protect your mail servers from direct SMTP and HTTP connections.

    Firewall-Level Network and System Security

    ePrism delivers the most complete security available for email systems. ePrism runs on S-Core, St. Bernard’s customized and hardened Unix operating system. S-Core has been field tested for over 10 years as the operating system for the St. Bernard Firewall Server. S-Core does not allow uncontrolled access to the system: there is no command line access, and the system runs as a "closed" system, preventing accidental or deliberate misconfiguration by administrators, which is a common cause of security vulnerabilities.

    ePrism has been awarded Common Criteria EAL 4+ certification. EAL 4+ indicates that ePrism has passed all of the requirements needed to gain Evaluation Assurance Level 4 (EAL 4) and has passed some additional modules that elevate the certification above the standard EAL4 to include EAL5 vulnerability testing.


    ePrism Deployment

    ePrism is generally configured to accept all mail for a domain or sub-domain, store and process mail according to specified policies, and deliver the mail to one or more internal mail servers for collection by users.

    ePrism is ideally suited for deployment in parallel with an existing firewall, on a DMZ, or on an internal network.

    See “ePrism Deployment” on page 17 for more detailed information on deploying ePrism.

    Mail Delivery Security

    ePrism has a sophisticated mail delivery system with several security features and benefits to ensure that the identifying information about your company's email infrastructure remains private.

    • For a company with multiple domain names, ePrism can accept, process and deliver mail to private email servers.

    • For a company with multiple private email servers, ePrism can route mail based on the domain or subdomain to separate groups of email users.

    • Security features such as mail mappings and address masquerading make it possible to hide references to internal host names.

    Content Filtering

    ePrism implements attachment controls and content filtering based on pattern and text matching. These controls prevent the following issues:

    • Breaches of confidentiality
    • Legal liability from offensive content
    • Personal abuse of company resources

    Attachment controls are based on the following characteristics:

    • File Extension Suffix — The suffix of the file is checked to determine the attachment type, such as .exe, or .jpg.

    • MIME Content Type — MIME (Multipurpose Internet Mail Extensions) can be used to identify the content type of the message.

    • Content Analysis — The file is analyzed from the beginning to look for characteristics that can identify the file type. This analysis ensures that the attachment controls are not circumvented by simply renaming a file.
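    The three attachment checks above, worked through as an added Python example (not ePrism’s own code): a constructed signature table stands in for a real file-type database, and the type derived from the file’s leading bytes overrides what the file name and MIME header claim, so a renamed executable is still classified as an executable.

```python
"""Attachment-control checks: extension, MIME type and content analysis.

Added example, not ePrism code. The signature and MIME tables below are a
constructed subset; real products ship far larger file-type databases."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed table of leading-byte signatures ("magic numbers").
MAGIC_SIGNATURES = [
    (b"MZ", "exe"),                    # DOS/Windows executable header
    (b"\xff\xd8\xff", "jpg"),          # JPEG start-of-image marker
    (b"\x89PNG\r\n\x1a\n", "png"),     # PNG signature
    (b"%PDF-", "pdf"),                 # PDF header
    (b"PK\x03\x04", "zip"),            # ZIP local file header (also docx, jar)
]

# Constructed mapping from declared MIME type to the type it normally implies.
MIME_TO_TYPE = {
    "application/x-msdownload": "exe",
    "image/jpeg": "jpg",
    "image/png": "png",
    "application/pdf": "pdf",
    "application/zip": "zip",
    "application/octet-stream": None,  # says nothing about the content
}


@dataclass
class Attachment:
    filename: str
    mime_type: str
    data: bytes


def type_from_extension(filename: str) -> Optional[str]:
    """Check 1 (File Extension Suffix): the type claimed by the file name."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return {"jpeg": "jpg"}.get(ext, ext)


def type_from_mime(mime_type: str) -> Optional[str]:
    """Check 2 (MIME Content Type): the type claimed by the Content-Type header."""
    return MIME_TO_TYPE.get(mime_type.split(";")[0].strip().lower())


def type_from_content(data: bytes) -> Optional[str]:
    """Check 3 (Content Analysis): the type inferred from the leading bytes."""
    for magic, ftype in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return ftype
    return None


def classify(att: Attachment) -> dict:
    """Run all three checks and report the effective type plus any mismatch.

    The content-derived type wins when it is known, because the suffix and the
    MIME type are chosen by the sender, while the leading bytes are what the
    receiving application will actually execute or render."""
    ext_type = type_from_extension(att.filename)
    mime_type = type_from_mime(att.mime_type)
    content_type = type_from_content(att.data)
    effective = content_type or mime_type or ext_type
    claimed = {t for t in (ext_type, mime_type) if t is not None}
    mismatch = content_type is not None and any(t != content_type for t in claimed)
    return {"extension": ext_type, "mime": mime_type, "content": content_type,
            "effective": effective, "mismatch": mismatch}


def blocked(att: Attachment, blocked_types: Set[str]) -> bool:
    """Policy decision: block when the effective type is on the blocked list."""
    return classify(att)["effective"] in blocked_types


if __name__ == "__main__":
    # Constructed samples: an executable renamed to look like a photo, and a
    # genuine JPEG with the same name and MIME type.
    renamed = Attachment("holiday.jpg", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 60)
    photo = Attachment("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    for a in (renamed, photo):
        verdict = "blocked" if blocked(a, {"exe"}) else "allowed"
        print(a.filename, classify(a), verdict)
```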


    Virus Scanning

    The ePrism Email Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and malicious programs. ePrism’s high performance virus scanning provides a vital layer of protection against viruses for your entire organization. Automatic pattern file updates ensure that the latest viruses are detected.

    Malformed Message Protection

    Similar to malformed data packets used to subvert networks, malformed messages allow viruses to avoid detection, crash systems, and lock up mail servers. ePrism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients, and improves the effectiveness of existing virus scanning implementations.

    Anti-Spam Features

    The ePrism Email Security Appliance provides a complete and robust set of anti-spam features specifically designed to protect against the full spectrum of current and evolving spam threats.

    ePrism’s anti-spam processing is based on the following techniques:

    • Realtime Blackhole Lists (RBL) to reject known spam sources
    • Distributed Checksum Clearinghouse (DCC) to control bulk mail
    • Statistical Token Analysis (STA) for advanced statistical analysis

    Trusted Senders List

    This feature, accessed via WebMail/ePrism Mail Client, allows users to create their own personal Trusted Senders List based on a sender’s email address. These email addresses will be exempt from ePrism’s spam controls.

    Spam Quarantine

    The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user. Users will be able to connect to ePrism to view and manage their own quarantined spam. Messages can be deleted, or moved to the user's local mail folders. Automatic notification emails can be sent to end users notifying them of the existence of messages in their personal quarantine area.


    Secure WebMail

    ePrism’s Secure WebMail provides remote access support for internal mail servers. With Secure WebMail, users can access their mailboxes using email web clients such as Outlook® Web Access, Lotus iNotes, or ePrism’s own web mail client, ePrism Mail Client.

    ePrism addresses the security issues currently preventing deployment of web mail services by providing the following protection:

    • Strong authentication (including integration with Active Directory)
    • Encrypted sessions
    • Advanced session control to prevent information leaks on workstations

    Authentication

    ePrism supports the following authentication methods for administrators, WebMail users, Trusted Senders List, and Spam Quarantine purposes:

    • User ID and Password
    • RADIUS and LDAP
    • RSA SecurID® tokens
    • SafeWord tokens
    • CRYPTOCard tokens

    Encryption

    All mail delivered to and from ePrism can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, or internal mail clients. Encrypted messages are delivered with complete confidentiality both locally and remotely.

    Encryption can be used for the following:

    • Secure mail delivery on the Internet to prevent anyone from viewing your email while in transit.
    • Secure mail delivery across your LAN to prevent malicious users from viewing email other than their own.
    • Create policies for secure mail delivery to branch offices, remote users and business partners.

    ePrism supports TLS/SSL encryption for all user and administrative sessions. TLS/SSL may also be used to encrypt SMTP sessions, effectively preventing eavesdropping and interception.


    HALO (High Availability and Load Optimization)

    All systems can be clustered together to add capacity, increase throughput, or provide load balancing and optional high availability.

    ePrism is the first email firewall to provide enterprises with a carrier-grade failsafe clustering architecture for high availability. HALO ensures email is never lost due to individual system failure through its unique security, cluster management, load balancing and optimization, and "stateful failover" queue replication capabilities.

    Cluster Management

    The cluster management feature allows administrators to manage ePrism clusters and to synchronize configuration settings across all systems in the cluster. Combined reports and email database searches may be derived from clustered systems. Specific features include:

    • Configuration Cloning — This function allows systems to be added to clusters and to assume the configuration of a defined "master" Cluster Console system.

    • Cluster Synchronization — Systems within a cluster can be synchronized to the defined "master" system. Any changes to the configuration of the Cluster Console master are reflected in the configuration of all systems in the cluster.

    • Cluster Reporting — ePrism reports can be generated for a single system or for all systems in a cluster. The email database can be searched by system or by cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message.

    Load Balancing and Optimization

    A basic requirement of high availability is to have an automated or semi-automated mechanism for switching the mail stream between available systems in the cluster, depending on their individual availability or health.

    Utilizing DNS round-robin techniques, or dedicated load balancing hardware, email can be directed to ePrism systems in a cluster depending on their availability and current load.

    Queue Replication

    To prevent the loss of email messages during a system failure, ePrism uses "stateful failover" queue replication technology that replicates queues and intelligently synchronizes messages to a defined mirror system within a cluster. If a system in a cluster fails while undelivered mail remains in its queue, a mirror system can take ownership of that queue’s messages and successfully process and deliver them.

    Policy Controls

    Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control to be customized and applied based on the group or domain membership of the recipient. User groups can be imported from an LDAP-based directory, and then policies can be created to apply customized settings to these groups.

    For example, you can set up an Attachment Control Policy to allow your Development group to accept and send executable files (.exe), while configuring your attachment control settings for all your other departments to block this file type to prevent the spread of viruses among the general users.

    LDAP Directory Service Support

    ePrism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:

    • LDAP lookup prior to internal delivery — You can configure ePrism to check for the existence of an internal user via LDAP before delivering a message. This feature allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages for unknown local addresses.

    • Group/User Imports — An LDAP lookup will determine the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on ePrism to be used for services such as the Spam Quarantine.

    • Authentication — LDAP can be used for authenticating IMAP access, user mailbox, and WebMail logins.

    • SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP Relay.

    • Mail Routing — LDAP can be used to look up the Mail Route for a domain in order to deliver mail to its destination server.

    Local User Mailboxes

    ePrism can host user mailboxes and act as a fully functioning mail server for small offices. ePrism fully supports POP3 and IMAP (including their secure versions) and SMTP protocols for retrieving and sending mail.

    Manageability

    ePrism provides a complete range of monitoring and diagnostics tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, and comprehensive logs record all mail activity.

    • Web Browser-based Management — The web browser management interface displays a live view of system activity and traffic flows. The management interface can be configured to display this information for one or many systems, either systems in a local cluster or systems that are being centrally managed.

    • Reporting and Auditing — The reporting and audit features deliver a comprehensive set of statistics that may be generated at any time or scheduled for automatic delivery. ePrism includes a wide range of predefined reports, including information on system health, mail processing, spam, virus filtering statistics, and user mail volumes. Administrators can easily create customized reports.

    • Enterprise integration with SNMP — Using SNMP (Simple Network Management Protocol), ePrism can generate both information and traps to be used by tools like HP OpenView, Tivoli, BMC Patrol and CA Unicenter. This extends the administrator’s view of ePrism and allows an instant view of significant system events, including traffic flows and system failures.

    • Alarms — ePrism can generate system alarms that can automatically notify the administrator via email and console alerts of a system condition that requires attention.

    Security Connection

    Unique to St. Bernard, the Security Connection provides an automated software update service. By enabling the Security Connection, you are automatically notified of any new patches and updates. St. Bernard continuously monitors for new vulnerabilities and issues new updates to defend against them, ensuring that you have them as soon as they are available.

    Internationalization

    ePrism supports internationalization for annotations, notification messages, and mail database views.

    ePrism Deployment

    ePrism is designed to be situated between your mail servers and the Internet so that there are no direct SMTP (Simple Mail Transport Protocol) connections between external and internal servers.

    ePrism is typically installed in one of three locations:

    • In parallel with the firewall
    • On your DMZ (Demilitarized Zone)
    • Behind the existing firewall on the Internal network

    SMTP port 25 traffic is redirected from either the external interface of the firewall, or from the external router to ePrism. When the mail is accepted and processed, ePrism initiates an SMTP connection to the internal mail server to deliver the mail.

    ePrism in Parallel with the Firewall

    The preferred deployment strategy for ePrism is to be situated in parallel with an existing network Firewall. ePrism's inherent firewall security architecture eliminates the risk associated with deploying an appliance on the perimeter of your network. This parallel deployment eliminates any mail traffic on the firewall and decreases its overall load.


    ePrism on the DMZ

    Deploying ePrism on the DMZ is an equally secure method of deployment configuration. This type of deployment prevents any direct connection from the Internet to the internal servers, but does not ease the existing load on the firewall.

    ePrism on the Internal Network

    You can also deploy ePrism on the Internal Network. Although this configuration allows a direct connection from the Internet into the internal network, it is a perfectly legitimate configuration when dictated by existing network resources.

    How Messages are Processed by ePrism

    The following sections describe the sequence in which the various ePrism security features are applied to any inbound mail messages and how these settings affect their delivery.

    SMTP Connection

    An SMTP connection request is made from another system. ePrism accepts the connection request unless one of the following checks (if enabled) is triggered:

    • Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP commands ahead of time without knowing whether the mail server actually supports SMTP command pipelining. This stops messages from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.

    • Reject on unknown sender domain — Rejects mail when the sender mail address has no DNS A or MX record.

    • Reject on missing reverse DNS — Rejects mail from hosts where the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. This setting is rarely used because many servers on the Internet do not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate sources.

    • Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM command is not in fully-qualified domain form (FQDN).

    • Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. The system will perform an LDAP lookup on the recipient's address to ensure they exist before delivering the message.

    • Specific Access Pattern (Reject) — The server address or other envelope field matches a Specific Access Pattern that is set to reject the message.
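    The DNS-based connection checks above (unknown sender domain, missing reverse DNS, non-FQDN sender), modelled as an added Python example rather than ePrism code, over a constructed DNS table so that it runs offline. The pipelining check depends on protocol timing and the unknown-recipient check on an LDAP lookup, so neither is modelled here; the reverse DNS check implements the two conditions the text names: a PTR must exist, and the name it returns must have an A record pointing back at the connecting address.

```python
"""SMTP connection-stage checks over a constructed DNS table (added example)."""
import re
from typing import Dict, List, Optional

# Constructed DNS data: forward records per name, PTR records per address.
# Addresses come from the documentation ranges (RFC 5737), names are invented.
FORWARD: Dict[str, Dict[str, List[str]]] = {
    "mail.example.com": {"A": ["192.0.2.10"], "MX": []},
    "example.com":      {"A": [], "MX": ["mail.example.com"]},
    "mx.partner.test":  {"A": ["198.51.100.5"], "MX": []},
    "partner.test":     {"A": [], "MX": ["mx.partner.test"]},
    "bogus.invalid":    {"A": [], "MX": []},          # domain exists, no A or MX
}
REVERSE: Dict[str, List[str]] = {
    "192.0.2.10":   ["mail.example.com"],
    "198.51.100.5": ["spoofed.example.com"],  # PTR exists but has no A pointing back
    "203.0.113.7":  [],                        # no PTR record at all
}

# A fully-qualified domain: one or more labels followed by an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

ALL_CHECKS = {"unknown_sender_domain": True, "missing_reverse_dns": True,
              "non_fqdn_sender": True}


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain of the MAIL FROM address; None for the null sender (<>) used by bounces.
    Returns "" when there is a local part but no domain at all."""
    addr = mail_from.strip().strip("<>")
    if not addr:
        return None
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_domain_known(mail_from: str) -> bool:
    """'Reject on unknown sender domain': the domain must have an A or MX record."""
    domain = sender_domain(mail_from)
    if domain is None:
        return True  # nothing to look up for the null sender
    rr = FORWARD.get(domain, {})
    return bool(rr.get("A") or rr.get("MX"))


def reverse_dns_ok(client_ip: str) -> bool:
    """'Reject on missing reverse DNS': a PTR record must exist, and the name it
    returns must resolve (A record) back to the connecting address."""
    for name in REVERSE.get(client_ip, []):
        if client_ip in FORWARD.get(name.lower(), {}).get("A", []):
            return True
    return False


def sender_is_fqdn(mail_from: str) -> bool:
    """'Reject on non-FQDN sender': MAIL FROM must carry a fully-qualified domain."""
    domain = sender_domain(mail_from)
    if domain is None:
        return True
    return FQDN_RE.match(domain) is not None


def evaluate_connection(client_ip: str, mail_from: str,
                        enabled: Dict[str, bool]) -> Optional[str]:
    """Return the name of the first enabled check that rejects, or None to accept.
    Checks run in the order the text lists them; disabled checks are skipped."""
    checks = [
        ("unknown_sender_domain", lambda: sender_domain_known(mail_from)),
        ("missing_reverse_dns", lambda: reverse_dns_ok(client_ip)),
        ("non_fqdn_sender", lambda: sender_is_fqdn(mail_from)),
    ]
    for name, passes in checks:
        if enabled.get(name, False) and not passes():
            return name
    return None


if __name__ == "__main__":
    # Constructed sessions: a clean sender, a host with a PTR that does not
    # point back, and a sender domain without A or MX records.
    for ip, mf in [("192.0.2.10", "<alice@example.com>"),
                   ("198.51.100.5", "<bob@partner.test>"),
                   ("192.0.2.10", "<carol@bogus.invalid>")]:
        print(ip, mf, "->", evaluate_connection(ip, mf, ALL_CHECKS) or "accept")
```

    Note that the reverse DNS check rejects the `198.51.100.5` session even though its PTR record exists, which is the "PTR without a matching A record" case the text describes and the reason the check is often left disabled for Internet-facing systems.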

    Mail Header and Message Properties

    The connection is now accepted. The message will be accepted for processing unless one of the following occurs:

    • Reject on missing addresses — Rejects mail when no recipients in the To: field, or no senders in the From: field were specified in the message headers.

    • Maximum number of recipients — Rejects mail if the number of recipients exceeds the specified maximum (default = 1000).

    • Maximum message size — Rejects mail if the message size exceeds the maximum.


    Malformed Content, Virus Checking, and Attachment Control

    Messages are scanned for malformed messages, viruses, and specific attachments. If there is a problem, ePrism can be configured with a variety of actions, such as sending the message to a Quarantine folder.

    OCF (Objectionable Content Filter)

    Messages are scanned for objectionable content and a configurable action is taken.

    Pattern Based Message Filters and Specific Access Patterns

    The messages are scanned to see if they match any existing Pattern Based Message Filters (PBMF), or Specific Access Patterns (SAP) set to Trust or Allow Relaying. Senders in the Trusted Senders list are excluded from this processing (for low-priority PBMFs only).

    SPF (Sender Policy Framework)

    If enabled, the message is checked to see if it passes an SPF DNS lookup.

    Anti-Spam Processing

    If the message arrives from an "untrusted" source, it will be processed for spam as follows:

    • If RBL is enabled, rejects mail if the server address is in an RBL. This can be overridden with a Pattern Based Message Filter.

    • If DCC is enabled, the message will be examined for identification as "bulk" mail.

    • If STA is enabled, the message will be examined for identification as "spam" mail.

    Mail Mappings

    The message is now accepted for processing, and the following occurs:

    • If the recipient address is not for a domain or sub-domain for which ePrism is configured to accept mail (either as an inbound mail route or a virtual domain) then the message is rejected.

    • If the recipient address is mapped in the Mail Mappings table, then the "To" field in the message header will be modified as required.

    Virtual Mappings

    The message is now examined for a match in the Virtual Mapping table. If such a mapping is found, the envelope-header recipient field will be modified as required. LDAP virtual mappings will then be processed.

    Virtual mappings are useful for the following:


    • Acting as a wildcard mail mapping, such as everything for example.com goes to exchange.example.com. You can create exceptions to this rule in the mail mappings for particular users.

    • ISPs who need to accept mail for several domains and the envelope-header recipient field needs to be rewritten for further delivery.

    • To deliver to internal servers, use Mail Delivery -> Mail Routing.

    Note: In all cases, mappings rely on successful DNS lookups for an MX record.

    Relocated Users

    When mail is sent to an address that is listed in the relocated user table, the message is bounced back with a message informing the sender of the relocated user's new contact information.

    Mail Aliases

    When mail needs to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. An alias causes a new mail message to be created for the named address or addresses. This mail message is then entered back into the system to be mapped, routed, and so on. The same process applies to local user accounts for which a "forwarder address" has been configured; such accounts are treated like aliases.

    Local aliases are typically used to implement distribution lists or to direct mail for standard aliases such as mail to the "postmaster" account.

    LDAP aliases are then processed. LDAP functionality can be used to search for mail aliases on directory services such as Active Directory.

    Mail Routing

    During the mail routing process, there is no modification made to the mail header or the envelope.

    A mail route specifies two things:

    • Which domains ePrism will accept mail for (other than itself).
    • Which hosts the mail should be delivered to.

    The message is now delivered to its destination.

    See “Message Processing Order” on page 271 for a summary of the message processing order.


  • CHAPTER 2 Administering ePrism

    This chapter describes how to administer and configure basic settings for the ePrism Email Security Appliance, and contains the following topics:

    • “Connecting to ePrism” on page 24
    • “Configuring the Admin User” on page 28
    • “Web Server Options” on page 31
    • “Customizing the ePrism Interface” on page 32


    Connecting to ePrism

    Web Browser Administrative Interface

    To administer ePrism using the web browser administrative interface, launch a web browser on your computer and enter the IP address or hostname for ePrism as the URL in the location bar. Your system must be listed in your DNS server to be able to connect via the hostname.

    Supported web browsers:

• Microsoft Internet Explorer 6 and greater
• Firefox 1.0 and greater
• Mozilla 1.0 and greater
• Netscape 6.0 and greater
• Safari 1.0 and greater

    The login screen will then appear. Enter your admin ID and password.

    When logged in, the main ePrism Email Security Appliance Activity screen and main menu will appear.


    Navigating the Main Menu

    The main menu consists of the following main categories:

    Activity — The Activity screen provides you with a variety of information on mail processing activity, such as the number of messages in the mail queue, the number of different types of messages received and sent, and current message activity. If you are running a HALO cluster, you will also have a Cluster Activity option that will show you the activity statistics for the entire cluster.

    Basic Config — The Basic Config menu allows you to configure some of the basic settings for ePrism including:

• Admin Account
• Alarms
• Customization
• Directory Services (LDAP)
• Network settings
• Performance settings
• Static Routes
• SNMP Configuration
• Web Server Configuration

    Mail Delivery — The Mail Delivery menu allows you to configure the features that affect mail delivery, including all mail security and anti-spam settings. It includes the following features:

• Anti-Spam
• Anti-Virus
• Attachment Control
• Delivery Settings
• Mail Access Filtering
• Mail Aliases
• Mail Mapping
• Mail Routing
• Malformed Mail
• Policy Settings
• Relocated Users
• SMTP Security
• SPF
• Vacation Notifications
• Virtual Mappings

User Accounts — The User Accounts menu allows you to create local accounts on the ePrism and enable POP and IMAP access. Mirrored user accounts created by LDAP, Remote Authentication, and Secure WebMail/ePrism Mail Client are also managed here. It includes the following features:

• Local Accounts
• Mirrored Accounts (Only displayed if mirrored accounts exist)
• Remote Authentication
• POP3 and IMAP
• Secure WebMail
• SecureID Configuration

    HALO — The HALO (High Availability and Load Optimization) screen is used to configure and manage clustered ePrism systems, and includes the following features:

• Cluster Administration
• Queue Replication
• F5 Integration

    Status/Reporting — The Status/Reporting menu allows you to view the current status of system services, and manage your mail queue and the quarantine area. The Reporting and logging features of ePrism are also configured here. The menu includes the following features:

• Status & Utility
• Mail Queue
• Quarantine
• Reporting
• System Logs

    Management — The Management menu contains options for various ePrism system administration tasks such as backup and restore, license management, and software updates. The menu includes the following features:

• Backup & Restore
• Centralized Management
• Daily Backup
• License Management
• Problem Reporting
• Reboot & Shutdown
• Software Updates
• Security Connection
• SSL Certificates

    ePrism System Console

    You can access the ePrism system console by connecting a monitor and keyboard to ePrism. The system console provides a limited subset of administrative tasks, and is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the web browser administration interface. When accessing the system console, you will be prompted for the UserID and Password for the administrative user.

    See “Using the ePrism System Console” on page 265 for more detailed information on using the system console.


    Configuring the Admin User

    The primary admin account is created during the ePrism installation. Select Basic Config -> Admin Account from the menu to modify the password or strong authentication methods for the admin user.

    Note: It is recommended that you create additional admin users and use those accounts to manage ePrism instead of the primary admin account. The primary admin account password should then be written down and stored in a safe and secure place.

    Strong Authentication

    You can also configure strong authentication for the admin user. These methods of authentication require a hardware token that provides a response to the login challenge.

    You can choose between the following types of secure authentication tokens:

    • CRYPTOCard

    • SafeWord

    • SecurID

    Once selected, a configuration wizard will guide you through the steps to configure the token for the specified authentication method.

    See “Strong Authentication” on page 148 for more information on strong authentication methods.


    Adding Additional Administrative Users

    There is only one primary admin user account, but you can add additional administrative users via Tiered Administration. This allows you to configure another user with Full Admin rights, or with granular permissions that only give admin rights to certain ePrism options. For example, you may want to add a user who can administer reports or vacation notifications, but not have any other admin access.

    Granting full or partial admin access to one or more user accounts allows actions taken by administrators to be logged because they have an identifiable UserID that can be tracked by the system.

Note: A user with Full Admin privileges cannot modify the profile of the Admin user. They can, however, edit other users with Full Admin privileges.

    Add an administrative user as follows:

    1. From the Basic Config -> Admin Account screen, click the Add Admin User button.

    2. Enter a UserID, an optional email address to forward mail to, and a password. You can also set strong authentication methods, if required.

    3. At the bottom of the Add a New User screen is a section for Administrator Privileges.


4. Select the required administrative access for the user:

• Full Admin — The user has administrative privileges equivalent to the admin user.

• Administer Aliases — The user can add, edit, remove, upload and download aliases (not including LDAP aliases).

• Administer Filter Patterns — The user can add, edit, remove, upload and download Pattern Based Message Filters and Specific Access Patterns.

• Administer Mail Queue — The user can administer mail queues.

• Administer Quarantine — The user can view, delete, and send quarantined files.

• Administer Reports — The user can view, configure and generate reports, and view system activity.

• Administer Users — The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.

• Administer Vacations — The user can edit local users’ vacation notification settings and other global vacation parameters.

• View Activity — The user can view the Activity page and start and stop mail services. Individual emails can only be viewed if View Email Database is also enabled.

• View Email Database — The user can view the email database history.

• View System Logs — The user can view all system log files.

    See “Tiered Administration” on page 157 for more information on configuring admin access.

    Note: WebMail access must be enabled on the network interface that will be used by tiered administration users. This is set in the Basic Config -> Network screen.


Web Server Options

The ePrism Web Server Options screen defines the settings used for connecting to ePrism via the web browser administrative interface. By default, ePrism’s web server uses port 80 for HTTP requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it is recommended that you leave the default SSL encryption enabled to force a connecting web browser to use HTTPS.

    Select Basic Config -> Web Server on the menu to configure your web server settings.

    • Admin HTTP Port — The default port for HTTP requests. The default port 80 can be changed via the system console.

    • Admin HTTPS Port — The default port for HTTPS requests. The default port 443 can be changed via the system console.

    • Require SSL encryption — Requires SSL encryption for all user and administrator web sessions.

    • Allow low-grade encryption — Allow the use of low-grade encryption, such as DES ciphers with a key length of 64 bits, for encrypted user and administrator web sessions.

    • Enable SSL version 2 — Enables SSL version 2 protocol. Note that SSL version 2 contains known security issues.

• Enable SSL version 3 — Enable SSL version 3 protocol. This is the default setting.

• Enable TLS version 1 — Enable TLS version 1 protocol. This is the default setting.

• Character set encoding — Select the type of character encoding used for HTML data.


    Customizing the ePrism Interface

    The ePrism interface logos can be easily customized by uploading your own company’s custom logos to replace the ePrism logo on the main login screen, the administration screen logo, and the ePrism Mail Client logo.

    Customize a logo as follows:

1. Select Basic Config -> Customization on the menu to customize the ePrism logos.

2. Click Browse to choose a file, and then click Next to upload the file.

    You can always revert to the ePrism graphic by selecting the Default Logo button.

    Most graphic formats are supported, but it is recommended that you use graphics suitable for web page viewing, such as GIF and JPEG. The maximum file size is 32k.

TABLE 1. Recommended Image Sizes

Logo Type                  Size in Pixels
Main Screen Logo           285 x 85
Admin Screen Small Logo    191 x 57
ePrism Mail Client Logo    94 x 28

CHAPTER 3 Configuring Mail Delivery Settings

    This chapter describes how to configure network and mail delivery settings for the ePrism Email Security Appliance, and contains the following topics:

• “Network Settings” on page 34
• “Static Routes” on page 38
• “Mail Routing” on page 39
• “Mail Delivery Settings” on page 41
• “Mail Aliases” on page 46
• “Mail Mappings” on page 48
• “Virtual Mappings” on page 50


    Network Settings

    The basic networking information to get ePrism up and running on the network is configured during installation time. To perform more advanced network configuration and to configure other network interfaces, you must use the Basic Config -> Network settings screen.

    From the network settings screen you can modify the following items:

• Hostname and Domain information
• Default Gateway
• Syslog Host
• DNS and NTP servers
• Network Interface IP Address and feature access settings
• Clustering and Queue Replication interface configuration
• Support Access settings

    Note: If you make any modifications to your network settings, you must reboot ePrism. The system will prompt you to restart after clicking the Apply button.

    Configuring Network Settings

    Select Basic Config -> Network on the menu to configure ePrism's network settings.

    • Hostname — Enter the hostname (not the full domain name) of the ePrism Email Security Appliance, such as mail in the domain name mail.example.com.

    • Domain — Enter the domain name, such as example.com.


    • Gateway — Enter the IP address of the default route for ePrism. This is typically the external router connected to the Internet.

    • Syslog Host — ePrism can log to a specific syslog host. A syslog host collects and stores log files from many sources. Enter the IP address of the syslog server that will receive all logs from ePrism.

    • Name Server — At least one DNS name server must be configured for hostname resolution, and it is recommended that secondary name servers be specified in the event the primary DNS server is unavailable.

    • NTP Server — NTP is critical for accurate timekeeping for the ePrism Email Security Appliance. Entering a valid NTP server will ensure that the server time is synchronized. It is recommended that secondary NTP servers be specified in the event the primary NTP server is unavailable.

    Network Interfaces

    Enter the required settings for each network interface. You can enter information for up to four interfaces.

• IP Address — Enter an IP address for this interface, such as 192.168.1.104.

• Netmask — Enter the netmask for this interface, such as 255.255.255.0.

• Media — Select the type of network card. Use Auto select for automatic configuration.

• Large MTU — Sets the MTU (Maximum Transfer Unit) to 1500 bytes. This may improve performance connecting to servers on the local network. The default is 576 bytes.

    • Respond to Ping — Allows ICMP ping requests to this interface. This will allow you to perform network connectivity tests to this interface, but will cause this interface to be more susceptible to denial of service ping attacks.

    • Trusted Subnet — If selected, all hosts on this subnet are considered trusted for relaying and anti-spam processing.

• Admin Login — Allows access to this interface for administrative purposes.

• WebMail — Allows access to WebMail via this interface.

• IMAPS Server — Allows secure access to ePrism’s internal IMAP server via this interface.

• IMAP Server — Allows access to ePrism’s internal IMAP server via this interface.

• POP3S Server — Allows secure access to ePrism’s internal POP3 server via this interface.

• POP3 Server — Allows access to ePrism’s internal POP3 server via this interface.

    Note: POP and IMAP settings are only displayed if enabled in User Accounts -> POP3 and IMAP.

    • SNMP Agent — Allows access to the SNMP agent via this interface.

    Advanced Parameters

    The following advanced networking parameters are TCP extensions that improve the performance and reliability of communications.

• Enable RFC 1323 — Enable TCP extensions to improve performance and to provide reliable operation of high-speed paths. This is enabled by default, and should only be disabled if you are experiencing networking problems with certain hosts.

    • Enable RFC 1644 — Enable an experimental TCP extension for efficient transaction oriented (request/response) service.

    Clustering

    The Clustering section is used to enable clustering on a specific network interface. See “HALO (High Availability and Load Optimization)” on page 203 for more information on configuring clustering.

• Enable Clustering — Select the check box to enable clustering on this ePrism system.

• Cluster Interface — Select the interface to enable clustering on.


    Support Access

    Enable Support Access, if required, which allows St. Bernard Technical Support to connect to this system from the specified IP address. This setting does not need to be enabled during normal usage, and should only be enabled if requested by St. Bernard Technical Support.

    Note: This option only appears if you have installed the Support Access patch in Management -> Software Updates.

    For security reasons, Support Access communications use SSH (Secure Shell) to establish a secure connection via PKI (Public Key Infrastructure) encryption on a non-standard network port. Support Access will only allow a connection to be made from the St. Bernard network.


    Static Routes

    Static routes are required if the mail servers to which mail must be relayed are located on another network, such as behind an internal firewall or accessed via a VPN.

    Select Basic Config -> Static Routes to configure your static routes.

    To add a new static route, enter the network address, netmask and gateway for the route, and then click New Route.


Mail Routing

ePrism, by default, accepts mail addressed directly to it and delivers it to local ePrism mailboxes. You can configure additional domains for ePrism to accept and route mail for using the Mail Routing menu.

    Select Mail Delivery -> Mail Routing from the menu to set up mail routes.

• Sub — Select this check box to accept and relay mail for subdomains of the specified domain.

• Domain — Enter the domain for which mail is to be accepted, such as example.com.

• Route-to — Enter the address for the server to which mail will be delivered.

• MX — (Optional) Select the MX check box if you need to look up the mail routes in DNS before delivery. If this is not enabled, MX records will be ignored. Generally, you do not need to select this item unless you are using multiple mail server DNS entries for load balancing/failover purposes. By checking the MX record, DNS will be able to send the request to the next mail server in the list.

    • KeepOpen — (Optional) Select the KeepOpen check box to ensure that each mail message to the domain will not be removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred. This setting ensures that local mail servers receive high priority. Note: The KeepOpen option should only be used for domains that are usually very reliable. If the domain is unavailable, it may cause system performance problems due to excessive error conditions and deferred mail.

    A list of domains can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]

    For example:

    example.com,10.10.1.1,25,on,off,off

    The file (domains.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the domain file first by clicking Download File, editing it as required, and uploading it using the Upload File button.
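A route file in the format above is easy to get subtly wrong (a port out of range, a flag spelled "yes" instead of "on", a missing field), and a bad route silently misdirects or bounces mail for a whole domain. The following added example, which is not part of the ePrism product or this guide, parses a domains.csv in the documented six-field form, rejects malformed lines with the line number, and then resolves a recipient to its route using the Sub semantics described above (an exact domain match wins; otherwise the longest parent domain whose entry has subdomains_too set). The function and field names, the validation rules and the sample entries are constructed for this example.

```python
"""Parse an ePrism-style mail route upload file and resolve routes for recipients.

Added example, not part of the ePrism product or its documentation.  The file
format is the one the guide gives:
    [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]
Field names, validation rules and the lookup precedence (exact domain, then
longest matching parent domain with subdomains_too on) are assumptions made
for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 1035-style labels, at least two labels, alphabetic top-level label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass(frozen=True)
class MailRoute:
    domain: str
    route_to: str
    port: int
    ignore_mx: bool
    subdomains_too: bool
    keep_open: bool


def _flag(value: str, field: str, line_no: int) -> bool:
    """Accept exactly 'on' or 'off' (case-insensitive), as the upload format uses."""
    v = value.strip().lower()
    if v not in ("on", "off"):
        raise ValueError(f"line {line_no}: {field} must be 'on' or 'off', got {value!r}")
    return v == "on"


def _valid_host(value: str) -> bool:
    """Route target may be a dotted-quad IPv4 address or a hostname."""
    m = IPV4_RE.match(value)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    return bool(HOSTNAME_RE.match(value.lower()))


def parse_routes(text: str) -> List[MailRoute]:
    """Parse comma- or tab-separated route entries, rejecting malformed lines."""
    routes: List[MailRoute] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t") if "\t" in line else line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {line_no}: expected 6 fields, got {len(fields)}")
        domain, route_to, port_s, ignore_mx, subs, keep = (f.strip() for f in fields)
        if not HOSTNAME_RE.match(domain.lower()):
            raise ValueError(f"line {line_no}: bad domain {domain!r}")
        if not _valid_host(route_to):
            raise ValueError(f"line {line_no}: bad route host {route_to!r}")
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"line {line_no}: bad port {port_s!r}")
        routes.append(MailRoute(domain.lower(), route_to, int(port_s),
                                _flag(ignore_mx, "ignore_mx", line_no),
                                _flag(subs, "subdomains_too", line_no),
                                _flag(keep, "keep_open", line_no)))
    return routes


def lookup_route(routes: List[MailRoute], recipient: str) -> Optional[MailRoute]:
    """Return the route for a recipient's domain, or None if no route matches."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    best: Optional[MailRoute] = None
    for r in routes:
        if r.domain == domain:
            return r                      # exact match always wins
        if r.subdomains_too and domain.endswith("." + r.domain):
            if best is None or len(r.domain) > len(best.domain):
                best = r                  # most specific parent domain
    return best


# Constructed sample in the upload format the guide gives.
SAMPLE_ROUTE_FILE = """\
example.com,10.10.1.1,25,on,off,off
corp.example.com,mail.corp.example.com,25,off,on,on
"""

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_FILE)
    for rcpt in ("alice@example.com", "bob@dev.corp.example.com", "carol@sub.example.com"):
        print(rcpt, "->", lookup_route(table, rcpt))
```

Run the file before uploading an edited domains.csv; a ValueError names the offending line, and the lookup calls show which server a given recipient domain would actually be routed to.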


    LDAP Routing

    Click the LDAP Routing button to define mail routes using an LDAP directory server. This is the preferred method for mail routing for organizations with a large amount of domains.

    See “LDAP Routing” on page 74 for more detailed information on using LDAP for mail routing.


Mail Delivery Settings

The Mail Delivery settings screen allows you to configure parameters related to accepting, relaying and delivering mail messages.

    Select Mail Delivery -> Delivery Settings on the menu to configure the following parameters.

    Delivery Settings

    • Maximum time in mail queue — Enter the number of days for a message to stay in the queue before being returned to the sender as "undeliverable".

    • Time before delay warning — Number of hours before issuing the sender a notification that mail is delayed.

    • Time to retain undelivered MAILER-DAEMON mail — The number of hours to keep undelivered mail addressed to MAILER-DAEMON.

    Gateway Features

    • Masquerade Addresses — Masquerades internal hostnames by rewriting headers to only include the address of the ePrism.

    • Strip Received Headers — Strip all Received headers from outgoing messages.


    Default Mail Relay

    • Relay To — (Optional) Enter an optional hostname or IP address of a mail server (not this ePrism system) to relay mail to for all email with unspecified destinations. A recipient’s email domain will be checked against the Mail Routing table, and if the destination is not specified the email will be sent to the Default Mail Relay server for delivery. This option is usually used when the ePrism cannot deliver email directly to remote mail servers. If you are setting up this mail server as a dedicated ePrism Mail Client system, and all mail originating from this system should be forwarded to another mail server for delivery, then specify the destination mail server here. Do NOT enter the name of your ePrism system.

    • Ignore MX record — Enable this option to prevent an MX record lookup for this host to force relay settings.

    • Enable Client Authentication — Enable client SMTP authentication for relaying mail to another mail server. This option is only used in conjunction with the default mail relay feature. This allows ePrism to authenticate to a server that it is using to relay mail. With this configuration, connections to the default mail relay are authenticated, while connections to other mail routes are not.

• User ID — Enter a User ID to login to the relay mail server.

• Password — Enter and confirm a password for the specified User ID.

    BCC All Mail

    ePrism offers an archiving feature for organizations that require storage of all email that passes through their corporate mail servers. This option sends a blind carbon copy (BCC) of each message that passes through ePrism to the specified address. This address can be local or on any other system. Once copied, the mail can be effectively managed and archived from this account. You must also specify an address that will receive error messages if there are problems delivering the BCC mail.


    Annotations and Delivery Warnings

    In the Annotations section, you can enable Annotations that are appended to all emails, and customize Delivery Failure and Delivery Delay warning messages.

    Note: Separate annotations can be enabled for different groups and domains of users using LDAP and policies. See “Policy Management” on page 167 for information on creating policies and configuring separate group and domain annotations.

    The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system settings that are automatically substituted at the time the message is sent. See “Customizing Notification and Annotation Messages” on page 273 for a full list of variables that can be included.

    Note: Some mail clients will display notifications and annotations as attachments to a message rather than in the message body.


    Advanced Delivery Options

    Click the Advanced button on the Mail Delivery -> Delivery Settings screen to reveal advanced options for Advanced SMTP Settings, SMTP notifications, and actions for Very Malformed Mail messages.

    Advanced SMTP Settings

    The following settings are used to disable advanced SMTP delivery functions.

    • SMTP Pipelining — Select the check box to disable SMTP Pipelining when delivering mail. Some mail servers may experience problems with SMTP command pipelining, and you may have to disable this feature if required.

• ESMTP — Select the check box to disable ESMTP (Extended SMTP) when delivering mail. Some mail servers may not support ESMTP, and you may have to disable this option if experiencing problems. Disabling ESMTP will disable TLS encryption on outgoing connections.

    • HELO required — Enable this option to require clients to initiate their SMTP session with a standard HELO/EHLO sequence. It is recommended that you leave this feature enabled. It should only be disabled when experiencing problems with sending hosts that do not use a standard HELO message.

    • Content Reject Message — This is the text part of the SMTP 552 error message reported to clients when message content is rejected.


    SMTP Notification

    In this section, you can select the type of notifications that are sent to the postmaster account. Serious problems such as Resource or Software issues are selected by default for notification.

• Resource — Mail not delivered due to resource problems, such as queue file write errors.

• Software — Mail not delivered due to software problems.

• Bounce — Send postmaster copies of undeliverable mail. If mail is undeliverable, a single bounce message is sent to the postmaster with a copy of the message that was not delivered. For privacy reasons, the postmaster copy is truncated after the original message headers. If a single bounce message is undeliverable, the postmaster receives a double bounce message with a copy of the entire single bounce message.

    • Delay — Inform the postmaster of delayed mail. In this case, the postmaster receives message headers only.

    • Policy — Inform the postmaster of client requests that were rejected because of (UCE) policy restrictions. The postmaster will receive a transcript of the entire SMTP session.

    • Protocol — Inform the postmaster of protocol errors (client or server), or attempts by a client to execute unimplemented commands. The postmaster will receive a transcript of the entire SMTP session.

    • Double Bounce — Send double bounces to the postmaster.

    Very Malformed Mail

    Specify the action to be performed when a very malformed message is detected by the system. A very malformed message may cause scanning engine latency.

    Possible actions:

• Just log — Log the event and take no further action.

• Quarantine mail — The message is placed into quarantine.

• Temporarily Reject Mail — Returns an error to the sending server and doesn't accept the mail. The mail delivery can be attempted again after a period of time.

• Reject mail — The message is rejected with notification to the sending system.

• Discard mail — The message is discarded without notification to the sending system.

    Select the Notify check box to allow notifications using the malformed notification settings when the action specified above is triggered (except for Just log.)

    Caution: Mail that is very malformed has not been virus scanned, or filtered for attachments and spam.


    Mail Aliases

    When mail is to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. If an alias exists, a new mail message will be created for the named address or addresses. This mail message will be returned to the delivery process to be mapped, routed, and so on. This process also occurs for local user accounts with a specified "forwarder address". Local user accounts are treated as aliases in this case.

    Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases such as postmaster to real user mailboxes.

    For example, the alias postmaster could resolve to the local mailboxes [email protected], and [email protected]. For distribution lists, an alias called [email protected] can be created that points to all members of the sales organization of a company.

    Configuring Mail Aliases

    Click Mail Delivery -> Mail Aliases on the menu to configure aliases. Click on an entry to edit a current alias.

    Adding a Mail Alias

    Click the Add Alias button to add a new alias.


    The specified alias name must be a valid local mailbox on this ePrism system. Enter the corresponding mail address for the alias. Click the Add More Addresses button to enter multiple addresses for this alias.

    Uploading Alias Lists

    A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [alias],[mail_address]

    For example:

    sales,[email protected]

    info,[email protected]

    The file (alias.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the mail alias file first by clicking Download File, editing it as required, and uploading it using the Upload File button.
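The alias mechanism described at the start of this section (an alias produces new messages that are fed back into delivery, and a local account with a forwarder address behaves the same way) has one classic failure mode: an alias that points, directly or through other aliases, back at itself. The added example below, which is not part of the ePrism product or this guide, parses an alias.csv in the documented [alias],[mail_address] form and expands a recipient to its final delivery addresses, treating local aliases and forwarders recursively while visiting each name once so a cycle terminates instead of looping. The local domain, the function names and all sample addresses are constructed for this example.

```python
"""Expand local mail aliases loaded from an ePrism-style alias upload file.

Added example, not part of the ePrism product or its documentation.  The file
format is the one the guide gives ([alias],[mail_address]); an alias with
several targets appears on several lines.  Treating a local account's
"forwarder address" like an alias follows the guide; the local domain name,
the cycle check and the sample data are assumptions for this example.
"""
from collections import defaultdict
from typing import Dict, List, Set

LOCAL_DOMAIN = "example.com"   # assumed local domain for this example


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse comma- or tab-separated alias entries into alias -> [targets]."""
    table: Dict[str, List[str]] = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\t") if "\t" in line else line.split(",")
        if len(parts) != 2 or not all(p.strip() for p in parts):
            raise ValueError(f"line {line_no}: expected [alias],[mail_address]")
        alias, target = (p.strip().lower() for p in parts)
        if "@" in alias:
            raise ValueError(f"line {line_no}: alias must be a local name, not {alias!r}")
        table[alias].append(target)
    return dict(table)


def expand(recipient: str, aliases: Dict[str, List[str]],
           forwarders: Dict[str, str]) -> List[str]:
    """Resolve one recipient to its final, sorted delivery addresses.

    A target that is itself a local alias, or a local account with a
    forwarder, is fed back through the tables.  Each name is visited once,
    so an alias that points at itself directly or indirectly cannot loop.
    """
    final: List[str] = []
    seen: Set[str] = set()
    pending = [recipient.lower()]
    while pending:
        addr = pending.pop()
        if addr in seen:
            continue                      # already expanded: breaks cycles
        seen.add(addr)
        local, _, domain = addr.partition("@")
        if domain and domain != LOCAL_DOMAIN:
            final.append(addr)            # remote address: deliver as-is
        elif local in aliases:
            pending.extend(aliases[local])
        elif local in forwarders:
            pending.append(forwarders[local])
        else:
            final.append(f"{local}@{LOCAL_DOMAIN}")   # real local mailbox
    return sorted(final)


# Constructed sample alias file in the documented format.
SAMPLE_ALIAS_FILE = """\
postmaster,admin
postmaster,helpdesk@example.com
sales,alice@example.com
sales,bob@example.com
sales,partner@partner.example.net
support,sales
"""
# Constructed local account whose "forwarder address" points off-box.
SAMPLE_FORWARDERS = {"bob": "bob.home@example.net"}

if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIAS_FILE)
    for rcpt in ("postmaster", "support@example.com"):
        print(rcpt, "->", expand(rcpt, table, SAMPLE_FORWARDERS))
```

Resolving "support" walks support -> sales -> bob -> bob's forwarder, which is exactly the re-entry behaviour described above; the same function fed a two-alias cycle returns an empty list rather than hanging, which is the case worth checking before uploading a large alias list.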

    LDAP Aliases

    Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for mail aliases.

See “LDAP Aliases” on page 65 for more information on LDAP Aliases.


    Mail Mappings

    Mail Mappings are used to map an external address to a different internal address and vice versa. This is useful for hiding internal mail server addresses from external users. For mail originating externally, the mail mapping translates the address in the To: and CC: mail header field into a corresponding internal address to be delivered to a specific internal mailbox.

    For example, mail addressed to [email protected] can be redirected to the internal mail address [email protected]. This enables the message to be delivered to the user’s preferred mailbox.

    Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender: header modified by a mail mapping so it appears to have come from the preferred external form of the mail address, [email protected].

    Configuring Mail Mappings

    Click Mail Delivery -> Mail Mapping on the menu to configure mail address mappings. Click on an entry to edit a current mapping.

    Adding a New Mapping

    Click the Add button from the Mail Mappings screen to add a new mapping.


    • External mail address — Enter the external mail address that you want to be converted to the specified internal email address for incoming mail. The specified internal address will be converted to this external address for outgoing mail.

    • Internal mail address — Enter the internal mail address that you want external addresses to be mapped to for incoming mail. The internal address will be converted to the specified external address for outgoing mail.

    • Extra internal addresses — Enter any additional internal mappings which will be included in the outgoing mail conversion. Click the Add button for each entry.

    When you have completed entering your addresses, click Apply to create the mail mapping.

    Uploading Mapping Lists

    A list of mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]

    For example:

    sender,[email protected],[email protected],on

    The file (mailmapping.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the mail mapping file first by clicking Download File, editing it as required, and uploading it using the Upload File button.

    Access Control via Mail Mappings

    You can configure ePrism to block all incoming and outgoing mail messages that do not match a configured mail mapping. Mail Mappings are used to map an external address to an internal address and vice versa.

    Click the Preferences button to enable Mail Mapping Access Control.

    Note: If this feature is enabled, all incoming and outgoing mail will be blocked unless the user has a mapping listed in the mail mappings table.
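The two halves of a mail mapping (To:/CC: rewritten on the way in, From:/Reply-To:/Sender: rewritten on the way out) and the access-control mode described just above are easiest to reason about in code. The added example below is not part of the ePrism product or this guide; it models a mapping as an external address, an internal address and optional extra internal addresses, applies the inbound and outbound header rewrites, and, when access control is on, blocks a message whose addresses in those headers have no mapping, returning the unmapped addresses so the reason can be logged. The class and function names, the case-insensitive address match and the sample addresses are constructed for this example.

```python
"""Apply ePrism-style mail mappings to message headers, with optional access control.

Added example, not part of the ePrism product or its documentation.  Following
the guide's description: incoming mail has To: and Cc: translated from the
external to the internal form; outgoing mail has From:, Reply-To: and Sender:
translated from the internal form (including extra internal addresses) to the
external form.  With access control on, a message whose addresses in those
headers have no mapping is blocked.  Names, the case-insensitive match and
the sample data are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]


@dataclass(frozen=True)
class MailMapping:
    external: str                          # preferred public form of the address
    internal: str                          # mailbox it is actually delivered to
    extra_internal: Tuple[str, ...] = ()   # other internal forms rewritten on the way out


INBOUND_HEADERS = ("To", "Cc")
OUTBOUND_HEADERS = ("From", "Reply-To", "Sender")


def _tables(mappings: List[MailMapping]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the external->internal and internal->external lookup tables."""
    to_internal = {m.external.lower(): m.internal for m in mappings}
    to_external: Dict[str, str] = {}
    for m in mappings:
        to_external[m.internal.lower()] = m.external
        for extra in m.extra_internal:
            to_external[extra.lower()] = m.external
    return to_internal, to_external


def _rewrite(headers: Headers, names: Tuple[str, ...], table: Dict[str, str],
             access_control: bool) -> Tuple[Optional[Headers], List[str]]:
    """Rewrite the named headers through `table`.

    Returns (new_headers, unmapped).  new_headers is None when access control
    is on and at least one address in the named headers had no mapping.
    """
    result: Headers = {h: list(v) for h, v in headers.items()}
    unmapped: List[str] = []
    for name in names:
        for i, addr in enumerate(result.get(name, [])):
            mapped = table.get(addr.lower())
            if mapped is None:
                unmapped.append(addr)
            else:
                result[name][i] = mapped
    if access_control and unmapped:
        return None, unmapped
    return result, unmapped


def map_inbound(headers: Headers, mappings: List[MailMapping],
                access_control: bool = False) -> Tuple[Optional[Headers], List[str]]:
    """Externally originated mail: To:/Cc: become the internal addresses."""
    to_internal, _ = _tables(mappings)
    return _rewrite(headers, INBOUND_HEADERS, to_internal, access_control)


def map_outbound(headers: Headers, mappings: List[MailMapping],
                 access_control: bool = False) -> Tuple[Optional[Headers], List[str]]:
    """Internally originated mail: From:/Reply-To:/Sender: become the external form."""
    _, to_external = _tables(mappings)
    return _rewrite(headers, OUTBOUND_HEADERS, to_external, access_control)


# Constructed sample mappings and messages.
SAMPLE_MAPPINGS = [
    MailMapping("john.smith@example.com", "jsmith@mail1.example.com",
                ("jsmith@mail2.example.com",)),
    MailMapping("sales@example.com", "sales-team@mail1.example.com"),
]
INBOUND_SAMPLE: Headers = {
    "From": ["customer@partner.example.net"],
    "To": ["John.Smith@example.com"],
    "Cc": ["sales@example.com"],
    "Subject": ["Quote request"],
}
OUTBOUND_SAMPLE: Headers = {
    "From": ["jsmith@mail2.example.com"],
    "Reply-To": ["jsmith@mail1.example.com"],
    "To": ["customer@partner.example.net"],
}

if __name__ == "__main__":
    print(map_inbound(INBOUND_SAMPLE, SAMPLE_MAPPINGS))
    print(map_outbound(OUTBOUND_SAMPLE, SAMPLE_MAPPINGS))
    print(map_inbound({"To": ["nobody@example.com"]}, SAMPLE_MAPPINGS, access_control=True))
```

The last call illustrates the note above: with access control enabled, a recipient with no entry in the mapping table is not delivered, so every legitimate user needs a mapping before the Preferences option is switched on.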


    Virtual Mappings

    Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This process is performed without modifying the To: and From: headers in the mail, as virtual mappings modify the envelope-recipient address.

    For example, ePrism can be configured to accept mail for the domain @example.com and deliver it to @sales.example.com. This allows ePrism to distribute mail to multiple internal servers based on the Recipient: address of the incoming mail.

    Virtual Mappings are useful for acting as a wildcard mail mapping, such as mail for example.com is sent to exchange.example.com. You can create exceptions to this rule in the Mail Mappings for particular users. Virtual mappings are also useful for ISPs who need to accept mail for several domains, and situations where the envelope-recipient header needs to be rewritten for further delivery.

    Note: You should review the use of Mail Routes before setting anything in Virtual Mappings, as they may be more appropriate for delivering mail to internal mail servers.

    Configuring Virtual Mappings

    Click on Mail Delivery -> Virtual Mapping on the menu to configure mappings. Click on an entry to edit a current mapping.

    Adding a Virtual Mapping

    Click the Add Virtual Mapping button from the Virtual Mappings screen to add a new mapping.

    First, enter the domain or address to which incoming mail is directed in the Input box, such as @example.com. Then enter the domain or address to which that mail should be redirected, such as @sales.example.com, in the Output box.

    Uploading Virtual Mapping Lists

    A list of virtual mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [map_in],[map_out]

    For example:

    [email protected],[email protected]
    [email protected],[email protected]
    @example.com,@sales.example.com

    The file (virtmap.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the virtual mapping file first by clicking Download File, editing it as required, and uploading it using the Upload File button.

    Note: The domain being virtually mapped or redirected must be defined via an "internal" DNS MX record to connect to this ePrism Email Security Appliance.
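    The following is an added example, not code from the ePrism product or its documentation. It parses both upload formats described above (the four-field mailmapping.csv and the two-field virtmap.csv, comma or tab separated), rejects malformed rows with their line number, and then resolves an incoming envelope recipient the way the text describes: an exact Mail Mapping acts as the per-user exception, and a Virtual Mapping acts as the wildcard, with the Mail Mapping Access Control option blocking any recipient that has no mapping row. The precedence order (exact recipient mail mapping, then exact virtual mapping, then @domain wildcard) and the meaning of "off" as a disabled row are assumptions; the sample CSV content is constructed.

```python
"""Parse ePrism-style mapping uploads and resolve an envelope recipient.

Added example (not ePrism's own code). Assumed, not stated by the guide:
an exact recipient mail mapping wins over a virtual mapping, an exact
virtual mapping wins over an @domain wildcard, and "off" disables a row.
"""
import re

ADDR = re.compile(r"^[^@\s,]+@[^@\s,]+$")   # user@domain
DOMAIN = re.compile(r"^@[^@\s,]+$")         # @domain wildcard


class MappingError(ValueError):
    """Raised for a malformed upload row (message carries the line number)."""


def _rows(text):
    # Each non-blank line is one entry; tab or comma separated, as the guide allows.
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            sep = "\t" if "\t" in line else ","
            yield lineno, [cell.strip() for cell in line.split(sep)]


def parse_mail_mappings(text):
    """mailmapping.csv rows: [type],[map_in],[map_out],[value]."""
    maps = []
    for n, row in _rows(text):
        if len(row) != 4:
            raise MappingError(f"line {n}: expected 4 fields, got {len(row)}")
        kind, map_in, map_out, value = row
        if kind not in ("sender", "recipient"):
            raise MappingError(f"line {n}: type must be sender or recipient")
        if value not in ("on", "off"):
            raise MappingError(f"line {n}: value must be on or off")
        if not (ADDR.match(map_in) and ADDR.match(map_out)):
            raise MappingError(f"line {n}: addresses must be user@domain")
        maps.append({"type": kind, "in": map_in.lower(),
                     "out": map_out.lower(), "on": value == "on"})
    return maps


def parse_virtual_mappings(text):
    """virtmap.csv rows: [map_in],[map_out]; each side is user@domain or @domain."""
    maps = []
    for n, row in _rows(text):
        if len(row) != 2:
            raise MappingError(f"line {n}: expected 2 fields, got {len(row)}")
        for side in row:
            if not (ADDR.match(side) or DOMAIN.match(side)):
                raise MappingError(f"line {n}: bad entry {side!r}")
        maps.append((row[0].lower(), row[1].lower()))
    return maps


def resolve_recipient(rcpt, mail_maps, virt_maps, access_control=False):
    """Rewrite an incoming envelope recipient; None means access control blocks it."""
    rcpt = rcpt.lower()
    # 1. An enabled exact recipient mail mapping: the per-user exception.
    for m in mail_maps:
        if m["type"] == "recipient" and m["on"] and m["in"] == rcpt:
            return m["out"]
    if access_control:
        return None  # Mail Mapping Access Control: no mapping row, no delivery
    # 2. Virtual mappings: exact address first, then the @domain wildcard.
    local, _, domain = rcpt.partition("@")
    targets = dict(virt_maps)
    target = targets.get(rcpt) or targets.get("@" + domain)
    if target is None:
        return rcpt
    # An @domain target keeps the local part; a full address replaces it.
    return local + target if target.startswith("@") else target


# Constructed sample uploads (not taken from the guide).
MAILMAP_CSV = """recipient,ceo@example.com,ceo@exec.example.com,on
sender,ceo@exec.example.com,ceo@example.com,on
recipient,old@example.com,nobody@example.com,off
"""
VIRTMAP_CSV = ("helpdesk@example.com,tickets@support.example.com\n"
               "@example.com\t@sales.example.com\n")

if __name__ == "__main__":
    mm, vm = parse_mail_mappings(MAILMAP_CSV), parse_virtual_mappings(VIRTMAP_CSV)
    for addr in ("CEO@example.com", "helpdesk@example.com", "alice@example.com"):
        print(addr, "->", resolve_recipient(addr, mm, vm))
    print("alice, access control on ->",
          resolve_recipient("alice@example.com", mm, vm, access_control=True))
```

    Running a downloaded mapping file through a validator like this before uploading it catches the row-shape and on/off mistakes that a spreadsheet export tends to introduce, and the access-control branch makes the consequence of enabling that option visible: any recipient without an enabled row, such as alice@example.com above, gets no delivery at all.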

    LDAP Virtual Mappings

    Click the LDAP Virtual Mappings button to configure and search for virtual mappings using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual mappings. See “LDAP Mappings” on page 67 for more information on configuring LDAP virtual mappings.


    CHAPTER 4 Directory Services

    This chapter describes how to integrate your existing directory services such as LDAP with ePrism, and contains the following topics:

    • “Directory Service Overview” on page 54
    • “Directory Servers” on page 56
    • “Directory Groups” on page 58
    • “Directory Users” on page 61
    • “LDAP Aliases” on page 65
    • “LDAP Mappings” on page 67
    • “LDAP Recipients” on page 69
    • “LDAP Relay” on page 71
    • “LDAP Routing” on page 74


    Directory Service Overview

    ePrism can utilize LDAP (Lightweight Directory Access Protocol) services for accessing directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information. LDAP can be used with ePrism for mail routing, group lookups for policies, user lookups for mail delivery, alias and virtual mappings, and the Spam Quarantine.

    LDAP was designed to provide a standard for efficient access to directory services using simple data queries. Most major directory services, such as Active Directory, support LDAP, but each differs in its interpretation of the standard and in its naming-convention syntax. Other supported LDAP services include OpenLDAP and iPlanet.

    Naming Conventions

    Each entry in the directory service hierarchy is identified by a unique Distinguished Name (DN). The following is an example of a Distinguished Name in Active Directory:

    cn=jsmith,cn=users,dc=example,dc=com

    In this example, "cn" represents the Common Name, and "dc" is the Domain Component. The user, jsmith, is in the users container. The domain component is analogous to the FQDN domain name, in this case, example.com.

    Note: For all LDAP Directory features, you must ensure you enter values specific to your LDAP environment and schema.

    Active Directory LDAP Results Limit

    Active Directory has a default limit of 1000 entries that can be returned from an LDAP query. With large queries, the results may be truncated. It is recommended that you modify the default maximum page size to ensure that LDAP Group and User imports will work successfully.

    Use the following procedure to modify the default maximum page size limit in Active Directory:

    1. Log in to the Active Directory system as an administrator.

    2. Open a command prompt and enter the following commands at each prompt (the text after each prompt is what you type; the remaining lines are the tool's output):

    c:\>ntdsutil.exe
    ntdsutil: ldap policies
    ldap policy: connections
    server connections: Connect to server [Servername]
    Binding to [Servername] ...
    Connected to [Servername] using credentials of locally logged on user
    server connections: q
    ldap policy: Show Values

    Policy                    Current(New)
    MaxPoolThreads            8
    MaxDatagramRecv           1024
    MaxReceiveBuffer          10485760
    InitRecvTimeout           120
    MaxConnections            5000
    MaxConnIdleTime           900
    MaxActiveQueries          20
    MaxPageSize               1000
    MaxQueryDuration          120
    MaxTempTableSize          10000
    MaxResultSetSize          262144
    MaxNotificationPerConn    5

    ldap policy: set Maxpagesize to 50000
    ldap policy: commit Changes
    ldap policy: q
    ntdsutil: q
    Disconnecting from [Servername]


    Directory Servers

    The first step in configuring Directory Services on ePrism is to define and configure your Directory Servers.

    Select Basic Config -> Directory Services -> Directory Servers on the menu to configure your LDAP servers that will be used for ePrism’s LDAP functions such as user and group membership lookups, authentication, routing, and so on.

    Click Add to configure a new LDAP server, or click Edit to modify an existing server:

    • Server URI — Enter the server URI (Uniform Resource Identifier) address, such as ldaps://10.10.4.84.

    • Label — An optional label or alias for the LDAP server.

    • Type — Select the type of LDAP server, such as Active Directory, or choose Others for OpenLDAP or iPlanet.

    • Bind — Select this check box to bind to the LDAP server with the Bind DN and password below.

    • Bind DN — Enter the DN (Distinguished Name) for the user to bind to the LDAP server, such as cn=Admin,cn=users,dc=example,dc=com.

    • Bind Password — Enter the bind password for the LDAP server.

    • Search Base — Specify a default starting point for lookups, such as dc=example,dc=com.

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    • Chase Referrals — Specifies how alias dereferencing is performed during a search:

    Never: Aliases are never dereferenced.
    Searching: Aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
    Finding: Aliases are only dereferenced when locating the base object of the search.
    Always: Aliases are dereferenced both when searching and when locating the base object of the search.

    Click the Test button to test your LDAP settings and send a test query to the LDAP server.

    When finished, click the Apply button to add the LDAP server.


    Directory Groups

    When you have a Directory Server configured, you can import group membership information from the server to ePrism. The imported group membership information is used to determine membership for group policies. See “Policy Management” on page 167 for more information on configuring Policies.

    Note: Policies must be enabled before Groups can be imported. LDAP Groups has been tested only with Active Directory. Examples used are for Active Directory implementations.

    Configuring Directory Groups

    Select Basic Config -> Directory Services -> Directory Groups on the menu.

    Directory Group

    • Directory Server — Select a directory server to perform the search.

    • Search Base — Enter the starting base point for the search, such as dc=example,dc=com.

    • Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.

    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

    • Query Filter — Enter the appropriate query filter, such as (objectCategory=group) for Active Directory LDAP implementations.

    To specify one specific group, use (&(objectCategory=group)(name=groupname)), inserting the group you are using for "groupname".

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    Result Attributes

    This section specifies the fields to return during the LDAP query. LDAP queries can return a lot of information that is not required, and the Result Attributes are used to filter only the data needed.

    • Group name attribute — Enter the appropriate group name attribute, such as name for Active Directory LDAP implementations, that identifies the group name.

    • Group display name attribute — Enter the appropriate group display name attribute, such as displayName for Active Directory implementations.

    Click the Test button to test your directory server group settings. Click Apply when finished.

    Import Settings

    You can configure ePrism to automatically import LDAP group data on a scheduled basis. This allows you to stay synchronized with the LDAP directory.

    To import LDAP groups:

    Click the Import Settings button in the Basic Config -> Directory Services -> Directory Groups screen.

    • Import Group Data — Select the check box to enable automatic import of LDAP group data. Enabling automatic import ensures that your imported LDAP data remains current with the information on the LDAP directory server.

    • Frequency — Select the frequency of LDAP imports. You can choose between Hourly, Every 3 Hours, Daily, Weekly, and Monthly.


    • Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to schedule an import at 11pm for the period specified in the Frequency field.

    Click Apply to save the settings. Click Import Now to immediately begin the import of LDAP groups.

    View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.

    Directory Users

    The Directory Users screen is used to import user account data from LDAP-based directory servers. This information is used to provide LDAP lookups for valid email addresses for the Reject on Unknown Recipient anti-spam option.

    Local mirror accounts can also be created to allow directory-based users to log in locally to ePrism to view quarantined mail for the Spam Quarantine feature.

    Select Basic Config -> Directory Services -> Directory Users to import users from a directory.

    Click the Add button to add a new directory user import configuration.

    • Directory Server — Select a directory server to perform the search.

    • Search Base — Enter the starting base point for the search, such as dc=example,dc=com.

    • Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.


    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

    • Query Filter — Enter the appropriate query filter, such as (|(objectCategory=group)(objectCategory=person)) for Active Directory LDAP implementations. If you use Exchange public folders for email, add (objectCategory=publicFolder) to your query filter. For example:

    (|(|(objectCategory=group)(objectCategory=person))(objectCategory=publicFolder))

    For iPlanet and OpenLDAP, use: (objectClass=person).

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    Result Attributes

    This section specifies the fields to return during the LDAP query. LDAP queries can return a lot of information that is not required, and the Result Attributes are used to filter only the data needed.

    • Email attribute — The name of the attribute that identifies the user’s email address. For Active Directory, iPlanet, and OpenLDAP, use mail.

    • Email alias attribute — The name of the attribute that identifies the user’s alternate email addresses. In Active Directory, the default is proxyAddresses. For iPlanet, use Email. For OpenLDAP, leave this attribute blank.

    • Member of attribute — The name of the attribute that identifies the group(s) that the user belongs to. This information is used for Policy controls. In Active Directory, the default is memberOf. For iPlanet, use Member. For OpenLDAP, leave this blank.

    • Account Name attribute — This is the name of the attribute that identifies a user’s account name for login. In Active Directory, the default is sAMAccountName. For iPlanet, use uid. For OpenLDAP, use cn.

    Click the Test button to test your LDAP settings. Click Apply when finished.

    Import Settings

    You can configure ePrism to automatically import LDAP user data on a scheduled basis. This allows you to stay synchronized with the LDAP directory.

    To import LDAP users:

    Click the Import Settings button in the Basic Config -> Directory Services -> Directory Users screen.

    • Import User Data — Select the check box to enable automatic import of LDAP user data. Enabling automatic import ensures that your imported LDAP data remains current with the information on the LDAP directory server.

    • Frequency — Select the frequency of LDAP imports. You can choose between Hourly, Every 3 Hours, Daily, Weekly, and Monthly.

    • Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to schedule an import at 11pm for the period specified in the Frequency field.

    Click Apply to save the settings. Click Import Now to immediately begin the import of users.

    View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.


    Mirror LDAP Accounts as Local Users

    To provide local account access for the Spam Quarantine feature, you can mirror the LDAP accounts which creates a local account on ePrism for each user imported. This provides a simple method for allowing directory-based users to log in to the ePrism to view quarantined messages if you have enabled the Spam Quarantine feature.

    Note: These local mirror accounts cannot be used as local mail accounts. They can only be used for the Spam Quarantine.

    See “Spam Quarantine” on page 136 for more information on configuring the user-based Spam Quarantine.

    To create mirrored LDAP users:

    1. Select the Mirror accounts option.

    2. Choose an Expiry period for the mirrored accounts. If the user no longer exists in the LDAP directory for the specified period of time, the local mirrored account will be deleted. Note that this only applies to a local mirrored account, not to accounts used for the Reject on Unknown Recipients feature.

    Click Apply to save the settings. Click Import Now to immediately begin the import of users and create mirrored accounts.

    View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.

    Mirrored accounts can be viewed via User Accounts -> Mirrored Accounts on the menu.

    LDAP Aliases

    LDAP Aliases are used to search LDAP-enabled directories for mail aliases of a user. If an alias exists, a new mail message will be created for the named address or addresses. This mail message will be returned to the delivery process to be mapped, routed, and so on.

    Note: LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations.

    See “Mail Aliases” on page 46 for more information on Mail Aliases.

    Select Basic Config -> Directory Services -> LDAP Aliases to configure LDAP Aliases.

    Click the Add button to add a new LDAP alias search.

    • Directory Server — Select a directory server to perform the search.

    • Search Base — Enter the starting base point for the search, such as cn=users,dc=example,dc=com.

    • Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.


    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

    • Alias Attribute — Enter the Alias Attribute that defines the alias mail addresses for a user, such as (proxyAddresses=smtp:%s@*) for Active Directory implementations.

    • EMail — Enter the attribute that returns the user’s email address, such as mail for Active Directory implementations.

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    Use the Test button to perform a test of the LDAP alias configuration. Click Apply to save the settings.

    LDAP Mappings

    LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.

    Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This process is performed without modifying the To: and From: headers in the mail, as virtual mappings modify the envelope-recipient address.

    Note: LDAP Virtual Mappings have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations.

    See “Virtual Mappings” on page 50 for more information on Virtual Mappings.

    Select Basic Config -> Directory Services -> LDAP Mappings to configure LDAP Virtual Mappings.

    Click the Add button to add a new LDAP Virtual Mapping search.

    • Directory Server — Select an directory server to perform the search.


    • Search Base — Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com.

    • Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.

    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

    • Alias Attribute — Enter the Incoming Address attribute that defines the virtual mapping for a user, such as (proxyAddresses=smtp:%s) for Active Directory implementations.

    • EMail — Enter the attribute that returns the user’s email address, such as mail for Active Directory implementations.

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    Use the Test button to perform a test of the LDAP virtual mapping configuration. Click Apply to save the settings.

    LDAP Recipients

    The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient feature configured in Mail Delivery -> Anti-Spam. You must have Reject on Unknown Recipient enabled for this feature to work.

    When a mail message is received by ePrism, this feature searches an LDAP directory for the existence of a recipient’s email address. If that user address does not exist in the LDAP directory, the mail is rejected.

    This feature differs from the LDAP Users lookup option which searches for a user using the imported locally-cached LDAP users database. The LDAP recipients feature performs a direct lookup on a configured LDAP directory server for each address.

    If both LDAP Users and LDAP Recipients are enabled with Reject on Unknown Recipient, the system will lookup the local and mirrored LDAP Users first, and then use the direct query to an LDAP server.

    Select Basic Config -> Directory Services -> LDAP Recipients on the menu to configure your LDAP recipient lookups.

    Click Add to add a new LDAP Recipients search.


    • Directory Server — Select a directory server to perform the search.

    • Search Base — Enter the starting base point for the search, such as cn=users,dc=example,dc=com.

    • Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.

    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

    • Query Filter — Enter the Query Filter for the LDAP Recipients lookup, such as (&(objectClass=person)(mail=%s)) for Active Directory implementations. For OpenLDAP and iPlanet, use (&(objectClass=person)(uid=%s)).

    • Result Attribute — Enter the attribute that returns the user’s email address, such as mail for Active Directory implementations. For OpenLDAP, and iPlanet, you can also use mail.

    • Timeout — The maximum interval, in seconds, to wait for the search to complete.

    Use the Test button to perform a test of the LDAP recipients configuration. Click Apply to save the settings.
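    The following is an added example, not code from ePrism or its documentation. It evaluates the search filters quoted in this chapter (the Directory Groups and Directory Users query filters, and the %s templates used by LDAP Aliases, LDAP Mappings and LDAP Recipients) against a small constructed directory, so you can see which entries each filter selects before pointing the appliance at a live server. It also shows the check a practitioner wants around any %s template that is filled from an envelope address: the value is escaped per RFC 4515 before substitution, so an address containing "*", "(" or ")" is matched literally instead of changing the filter. The evaluator covers only the filter subset used on this page (&, |, !, equality and "*" wildcards); storing objectCategory as a short value is a simplification, since real Active Directory stores it as a schema DN and matches on its RDN. The sample entries are constructed.

```python
"""Evaluate this chapter's LDAP filters against a constructed directory and
substitute a caller-supplied value into a %s template with RFC 4515 escaping.

Added example, not ePrism code. Handles only the filter subset the chapter
uses: &, |, !, equality and '*' wildcards. objectCategory is stored in short
form here; real Active Directory stores a schema DN and matches its RDN.
"""
import re

# Constructed directory entries (lowercase attribute names, list values).
JSMITH = "cn=jsmith,cn=users,dc=example,dc=com"
SALES = "cn=sales,cn=users,dc=example,dc=com"
ARCHIVE = "cn=Archive,cn=folders,dc=example,dc=com"
DIRECTORY = [
    (JSMITH, {"objectcategory": ["person"], "objectclass": ["person", "user"],
              "mail": ["jsmith@example.com"],
              "proxyaddresses": ["SMTP:jsmith@example.com",
                                 "smtp:john.smith@example.com"]}),
    (SALES, {"objectcategory": ["group"], "objectclass": ["group"],
             "name": ["sales"]}),
    (ARCHIVE, {"objectcategory": ["publicFolder"],
               "mail": ["archive@example.com"]}),
]


def escape_filter_value(value):
    """RFC 4515 escaping: a substituted address becomes a literal, not a sub-filter."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                    (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value


def parse_filter(text):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, pattern)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, _, pattern = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), pattern)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern, value):
    # Split on unescaped '*' first, then unescape each literal piece.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), value, re.IGNORECASE) is not None


def matches(tree, attrs):
    op = tree[0]
    if op == "&":
        return all(matches(k, attrs) for k in tree[1])
    if op == "|":
        return any(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, pattern = tree
    return any(_value_matches(pattern, v) for v in attrs.get(attr, []))


def search(filter_text, entries=DIRECTORY):
    """Return the DNs of entries matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(tree, attrs)]


def lookup(template, value, entries=DIRECTORY):
    """Fill a %s template (e.g. the LDAP Recipients filter) with an escaped value."""
    return search(template.replace("%s", escape_filter_value(value)), entries)


if __name__ == "__main__":
    print(search("(&(objectCategory=group)(name=sales))"))
    print(lookup("(&(objectClass=person)(mail=%s))", "jsmith@example.com"))
    # Escaped, a "*" recipient matches nothing; unescaped it matches every mail-bearing person.
    print(lookup("(&(objectClass=person)(mail=%s))", "*"), "vs",
          search("(&(objectClass=person)(mail=*))"))
```

    The difference between the last two calls is the point of the escaping: a Reject on Unknown Recipient lookup that splices the raw envelope address into (mail=%s) would accept a wildcard recipient as "known", whereas the escaped form only accepts addresses that exist in the directory.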

    LDAP Relay

    The LDAP SMTP Authenticated relay feature allows authenticated clients to use this ePrism as an external mail relay for sending mail. For example, you may have remote users that need to send mail via this ePrism system.

    These client systems must use a login and password to authenticate to the system before being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP relay authentication to authenticate the user to an LDAP directory server.

    Configuring LDAP Authenticated SMTP Relay

    1. Select Mail Delivery -> Mail Access on the menu.

    2. Enable the Permit SMTP Authenticated Relay check box, and also the LDAP Authenticated Relay check box.


    3. Select Basic Config -> Directory Services -> LDAP Relay on the menu.

    There are two different ways to provide LDAP support for SMTP authentication, using Bind, or querying the LDAP server directly.

    Note: The Bind method will only work with Active Directory and iPlanet implementations. The Query Direct method will only wor