ePrism Email Security Appliance User Guide Software Version: 6.5.2 Last Revision: 5/25/07 Preface 7 CHAPTER 1 ePrism Overview 11 What’s New in ePrism 6.5 12 ePrism Overview 14 ePrism Deployment 20 How Messages are Processed by ePrism 22 CHAPTER 2 Administering ePrism 27 Connecting to ePrism 28 Configuring the Admin User 32 Web Server Options 35 Customizing the ePrism Interface 36 CHAPTER 3 Configuring Mail Delivery Settings 37 Network Settings 38 Virtual Interfaces 42 Static Routes 45 Mail Routing 46 Mail Delivery Settings 48 Mail Aliases 53 Mail Mappings 55 Virtual Mappings 57 CHAPTER 4 Directory Services 59 Directory Service Overview 60 Directory Servers 61 Directory Users and Groups 63 LDAP Aliases 67 LDAP Mappings 69 LDAP Recipients 71 LDAP Relay 73 LDAP Routing 76 CHAPTER 5 Mail Security and Encryption 79 SMTP Mail Access 80 Anti-Virus 82 Threat Outbreak Control 85 External Email Message Encryption 90 Encrypting Mail Delivery Sessions 94 SSL Certificates 97 3 CHAPTER 6 Message Content Scanning 101 Content Scanning Overview 102 Attachment Control 103 Attachment Content Scanning 106 Objectionable Content Filter 110 Pattern Based Message Filtering (PBMF) 112 Malformed Mail 121 Dictionaries 123 Message Archiving 125 CHAPTER 7 Intercept Anti-Spam 131 Intercept Anti-Spam Feature Overview 132 Trusted and Untrusted Mail Sources 134 Configuring Intercept Anti-Spam 136 Intercept Components 139 Intercept Advanced Features 177 Trusted and Blocked Senders 181 Spam Quarantine 187 CHAPTER 8 User Accounts and Remote Authentication 195 POP3 and IMAP Access 196 Local User Mailboxes 197 Mirror Accounts 199 Strong Authentication 200 Remote Accounts and Directory Authentication 202 Relocated Users 205 Vacation Notification 206 Tiered Administration 209 CHAPTER 9 Secure WebMail and ePrism Mail Client 211 Secure WebMail 212 ePrism Mail Client 216 CHAPTER 10 Policy Management 219 Policy Overview 220 Creating Policies 223 Domain Policies 224 Group Policies 226 User Policies 231 Managing Policies 233 Policy Diagnostics 234 4 CHAPTER 11 Threat Prevention 237 Threat Prevention Overview 238 Configuring Threat Prevention 239 Creating Threat Prevention Rules 241 Static Address Lists 251 Dynamic Address Lists 253 F5 Blocking 256 Cisco Blocking 261 Threat Prevention Status 264 CHAPTER 12 HALO (High Availability and Load Optimization) 265 HALO Overview 266 Configuring Clustering 268 Cluster Management 274 Configuring the F5 Load Balancer 278 Queue Replication 279 CHAPTER 13 Reporting 283 Viewing and Generating Reports 284 Viewing the Mail History Database 294 Viewing the System History Database 296 Report Configuration 299 CHAPTER 14 System Management 301 System Status and Utilities 302 Mail Queue Management 305 Quarantine Management 306 License Management 308 Software Updates 311 Security Connection 312 Reboot and Shutdown 313 Backup and Restore 314 Centralized Management 321 Problem Reporting 326 Health Check 327 CHAPTER 15 Monitoring System Activity 329 Activity Screen 330 System Log Files 332 Offloading Log Files 335 SNMP (Simple Network Management Protocol) 337 Alarms 340 5 CHAPTER 16 Troubleshooting Mail Delivery 343 Troubleshooting Mail Delivery 344 Troubleshooting Tools 345 Examining Log Files 346 Network and Mail Diagnostics 355 Troubleshooting Content Issues 360 APPENDIX A Using the ePrism System Console 363 APPENDIX B Restoring ePrism to Factory Default Settings 367 APPENDIX C Message Processing Order 369 APPENDIX D Customizing Notification and Annotation Messages 371 APPENDIX E Performance Tuning 375 Setting Default Performance Settings 376 Advanced Settings 377 APPENDIX F SNMP MIBS 383 MIB Files Summary 383 MIB Files 387 MIB OID Values 411 APPENDIX G Third Party Copyrights and Licenses 417 6 Preface Preface This User Guide provides detailed information on how to configure and manage your ePrism Email Security Appliance, and contains the following topics: • Chapter 1 — “ePrism Overview” on page 11 • Chapter 2 — “Administering ePrism” on page 27 • Chapter 3 — “Configuring Mail Delivery Settings” on page 37 • Chapter 4 — “Directory Services” on page 59 • Chapter 5 — “Mail Security and Encryption” on page 79 • Chapter 6 — “Message Content Scanning” on page 101 • Chapter 7 — “Intercept Anti-Spam” on page 131 • Chapter 8 — “User Accounts and Remote Authentication” on page 195 • Chapter 9 — “Secure WebMail and ePrism Mail Client” on page 211 • Chapter 10 — “Policy Management” on page 219 • Chapter 11 — “Threat Prevention” on page 237 • Chapter 12 — “HALO (High Availability and Load Optimization)” on page 265 • Chapter 13— “Reporting” on page 283 • Chapter 14 — “System Management” on page 301 • Chapter 15 — “Monitoring System Activity” on page 329 • Chapter 16 — “Troubleshooting Mail Delivery” on page 343 The following sections contain supplemental information for the ePrism Email Security Appliance: • Appendix A — “Using the ePrism System Console” on page 363 • Appendix B — “Restoring ePrism to Factory Default Settings” on page 367 • Appendix C — “Message Processing Order” on page 369 • Appendix D — “Customizing Notification and Annotation Messages” on page 371 • Appendix E — “Performance Tuning” on page 375 • Appendix F — “SNMP MIBS” on page 383 • Appendix G — “Third Party Copyrights and Licenses” on page 417 7 Related Documentation If Release Notes are included with your product package, please read them for the latest information on installing and managing ePrism. The following documents are included as part of the ePrism documentation set: TABLE 1. ePrism Documentation Document Description Release Notes Provides up to date information on the product, including new features, improvements, bug fixes, and any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes. Installation Provides detailed information on how to install and provide the initial Guide configuration for the ePrism Email Security Appliance. User Guide Provides detailed information on how to configure, administer, and troubleshoot the ePrism Email Security Appliance. Intercept Anti- Describes the basic configuration details and recommended Spam Quick strategies for ePrism’s Intercept Anti-Spam features. Start Guide Conventions The following typographical conventions are used in this guide: TABLE 2. Typographical Conventions Typeface or Symbol Description Example italic Screen name or data field names Activity Screen, or SMTP Port bold Button names, Menu items, and Select Basic Config ➝ Network Screen names on the menu and click the Apply button courier Text displayed on the screen and File backup/backup.gzip font and Directory Names Bold Text entered by the user Enter: example.com courier Information that describes important Please see the following section features or instructions for more details Information that alerts you to potential Use caution when enabling this problems and issues feature 8 Preface Contacting Technical Support St. Bernard Software telephone support is available Monday-Friday 07:00am to 4:00pm (Pacific Standard Time) 08:30 to 17:30 (UTC) North America, South America, Pacific Rim (PST) 15015 Avenue of Science San Diego, CA 92128 Main: 858.676.2277 FAX: 858.676.2299 Technical Support: 858.676.5050 Technical Support Email: [email protected] Europe, Asia, Africa (UTC) Unit 4, Riverside Way Watchmoor Park, Camberley Surrey, UK GU15 3YQ Main: 44.1276.401.640 FAX: 44.1276.684.479 Technical Support: 44.1276.401.642 Technical Support Email: [email protected] Copyright Information © 2003-2007 St. Bernard Software, Inc. All rights reserved. St. Bernard Software is trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged. Information in this document is subject to change without notice. 9 ePrism Overview CHAPTER 1 This chapter provides an overview of the architecture and features of the ePrism Email Security Appliance, and contains the following topics: • “What’s New in ePrism 6.5” on page 12 • “ePrism Overview” on page 14 • “ePrism Deployment” on page 20 • “How Messages are Processed by ePrism” on page 22 11 ePrism Overview What’s New in ePrism 6.5 The ePrism Email Security Appliance version 6.5 adds several new features while considerably improving the functionality of existing features. Blocked Senders List The Blocked Senders List allows end users to specify a list of addresses from which they do not want to receive mail. These senders will be blocked from sending mail to that specific user via ePrism. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded by ePrism. Blocked Senders are configured via Mail Delivery ➝ Anti-Spam ➝ Trusted/Blocked Senders on the menu. Virtual Interfaces Virtual Interfaces are used by ePrism to define additional interfaces and IP addresses to send and receive mail for specific domains. These Virtual Interfaces are associated with the existing physical network interfaces on ePrism. ePrism will send all outbound email for a specific domain using its specified IP address in the Virtual Interfaces configuration. ePrism selects the Virtual Interface to use for outgoing mail by matching the sender's domain to the domains associated with the configured Virtual Interfaces. Virtual Interfaces are configured via Basic Config ➝ Virtual Interfaces on the menu. Image Spam Analysis An Image Spam email message typically consists of random text or no text body and contains an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature that performs advanced analysis of image attachments to help determine if the message is spam or legitimate mail. Similar to ePrism's other Anti-Spam features that detect spam characteristics in the text of a message, the Image Spam Detection feature extracts certain characteristics of the attached image to determine if these characteristics are similar to those seen in actual spam messages. The Image Spam Detection feature uses the Token Analysis feature to analyze image spam messages. Token Analysis must be enabled for Image Spam detection to work. Enable the Image Analysis option via Mail Delivery ➝ Anti-Spam ➝ Intercept ➝ Token Analysis ➝ Advanced on the menu. 12