User Guide for AsyncOS 10.0.1 for Cisco Email Security Appliances

Published: January 5, 2017
Revised: January 4, 2018

Cisco Systems, Inc.
www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

User Guide for AsyncOS 10.0.1 for Cisco Email Security Appliances
© 2017-2018 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Getting Started with the Cisco Email Security Appliance 1-1
  What’s New in This Release 1-1
  What’s New in AsyncOS 10.0.1 1-2
  What’s New in AsyncOS 10.0 1-3
  Where to Find More Information 1-6
  Documentation 1-6
  Training 1-7
  Cisco Notification Service 1-7
  Knowledge Base 1-7
  Cisco Support Community 1-7
  Cisco Customer Support 1-8
  Third Party Contributors 1-8
  Cisco Welcomes Your Comments 1-8
  Registering for a Cisco Account 1-8
  Cisco Email Security Appliance Overview 1-9
  Supported Languages 1-10

CHAPTER 2 Accessing the Appliance 2-1
  Web-based Graphical User Interface (GUI) 2-1
  Browser Requirements 2-1
  Accessing the GUI 2-1
  Changing Configuration Settings 2-2
  Configuration Changes 2-3
  Commit or Abandoning Changes 2-3
  Command Line Interface (CLI) 2-3

CHAPTER 3 Setup and Installation 3-1
  Installation Planning 3-1
  Review Information That Impacts Planning Decisions 3-1
  Plan to Place the Email Security Appliance at the Perimeter of Your Network 3-1
  Register the Email Security Appliance in DNS 3-2
  Installation Scenarios 3-3
  Physically Connecting the Email Security Appliance to the Network 3-5
  Configuration Scenarios 3-5
  Preparing for System Setup 3-8
  Determine Method for Connecting to the Appliance 3-8
  Determining Network and IP Address Assignments 3-9
  Gathering the Setup Information 3-11
  Using the System Setup Wizard 3-13
  Accessing the Web-Based Graphical User Interface (GUI) 3-14
  Defining Basic Configuration Using the Web-Based System Setup Wizard 3-14
  Setting up the Connection to Active Directory 3-22
  Proceeding to the Next Steps 3-22
  Accessing the Command Line Interface (CLI) 3-22
  Running the Command Line Interface (CLI) System Setup Wizard 3-23
  Configuring your system as an Enterprise Gateway 3-36
  Verifying Your Configuration and Next Steps 3-36

CHAPTER 4 Understanding the Email Pipeline 4-1
  Overview of the Email Pipeline 4-1
  Email Pipeline Flows 4-1
  Incoming / Receiving 4-4
  Host Access Table (HAT), Sender Groups, and Mail Flow Policies 4-5
  Received: Header 4-5
  Default Domain 4-5
  Bounce Verification 4-5
  Domain Map 4-6
  Recipient Access Table (RAT) 4-6
  Alias Tables 4-6
  LDAP Recipient Acceptance 4-6
  SMTP Call-Ahead Recipient Validation 4-6
  Work Queue / Routing 4-7
  Email Pipeline and Security Services 4-7
  LDAP Recipient Acceptance 4-7
  Masquerading or LDAP Masquerading 4-8
  LDAP Routing 4-8
  Message Filters 4-8
  Email Security Manager (Per-Recipient Scanning) 4-8
  Quarantines 4-10
  Delivery 4-10
  Virtual gateways 4-11
  Delivery Limits 4-11
  Domain-Based Limits 4-11
  Domain-Based Routing 4-11
  Global Unsubscribe 4-11
  Bounce Limits 4-12

CHAPTER 5 Configuring the Gateway to Receive Email 5-1
  Overview of Configuring the Gateway to Receive Email 5-1
  Working with Listeners 5-2
  Configuring Global Settings for Listeners 5-5
  Settings for Messages Containing Multiple Encodings 5-6
  Listening for Connection Requests by Creating a Listener Using Web Interface 5-7
  Partial Domains, Default Domains, and Malformed MAIL FROMs 5-11
  Listening for Connection Requests by Creating a Listener Using CLI 5-12
  Advanced HAT Parameters 5-13
  Enterprise Gateway Configuration 5-14

CHAPTER 6 Sender Reputation Filtering 6-1
  Overview of Sender Reputation Filtering 6-1
  SenderBase Reputation Service 6-1
  SenderBase Reputation Score (SBRS) 6-2
  How SenderBase Reputation Filters Work 6-3
  Recommended Settings for Different Sender Reputation Filtering Approaches 6-4
  Editing Sender Reputation Filtering Score Thresholds for a Listener 6-5
  Testing Sender Reputation Filtering Using the SBRS 6-6
  Monitoring the Status of the SenderBase Reputation Services 6-7
  Entering Low SBRS Scores in the Message Subject 6-7

CHAPTER 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table (HAT) 7-1
  Overview of Defining Which Hosts Are Allowed to Connect 7-1
  Default HAT Entries 7-2
  Defining Remote Hosts into Sender Groups 7-3
  Sender Group Syntax 7-4
  Sender Groups Defined by Network Owners, Domains, and IP Addresses 7-4
  Defining Sender Groups by SenderBase Reputation Score 7-6
  Sender Groups Defined by Querying DNS Lists 7-7
  Defining Access Rules for Email Senders Using Mail Flow Policies 7-8
  HAT Variable Syntax 7-9
  Understanding Predefined Sender Groups and Mail Flow Policies 7-10
  Handling Messages from a Group of Senders in the Same Manner 7-12
  Creating a Sender Group for Message Handling 7-13
  Adding a Sender to an Existing Sender Group 7-13
  Rearranging the Order of the Rules to Perform for Incoming Connections 7-14
  Searching for Senders 7-14
  Defining Rules for Incoming Messages Using a Mail Flow Policy 7-15
  Defining Default Values for Mail Flow Policies 7-20
  Working with the Host Access Table Configuration 7-20
  Exporting the Host Access Table Configuration to an External File 7-20
  Importing the Host Access Table Configuration from an External File 7-21
  Using a List of Sender Addresses for Incoming Connection Rules 7-21
  SenderBase Settings and Mail Flow Policies 7-22
  Timeouts for SenderBase Queries 7-23
  HAT Significant Bits Feature 7-23
  Verifying Senders 7-24
  Sender Verification: Host 7-25
  Sender Verification: Envelope Sender 7-26
  Implementing Sender Verification — Example Settings 7-28
  Sender Verification and Logging 7-30
  7-31

CHAPTER 8 Accepting or Rejecting Connections Based on Domain Name or Recipient Address 8-1
  Overview of Accepting or Rejecting Connections Based on the Recipient’s Address 8-1
  Overview of the Recipient Access Table (RAT) 8-2
  Accessing the RAT 8-2
  Editing the Default RAT Entry 8-2
  Domains and Users 8-3
  Adding Domains and Users For Which to Accept Messages 8-3
  Rearranging the Order of Domains and Users in the Recipient Access Table 8-5
  Exporting the Recipient Access Table to an External File 8-5
  Importing the Recipient Access Table from an External File 8-6

CHAPTER 9 Using Message Filters to Enforce Email Policies 9-1
  Overview 9-1
  Components of a Message Filter 9-2
  Message Filter Rules 9-2
  Message Filter Actions 9-2
  Message Filter Example Syntax 9-3
  Message Filter Processing 9-4
  Message Filter Order 9-4
  Message Header Rules and Evaluation 9-5
  Message Bodies vs. Message Attachments 9-5
  Thresholds for Matches in Content Scanning 9-6
  AND Test and OR Tests in Message Filters 9-9
  Message Filter Rules 9-10
  Filter Rules Summary Table 9-10
  Regular Expressions in Rules 9-17
  Smart Identifiers 9-21
  Description and Examples of Message Filter Rules 9-22
  Message Filter Actions 9-52
  Filter Actions Summary Table 9-52
  Action Variables 9-60
  Matched Content Visibility 9-62
  Description and Examples of Message Filter Actions 9-62
  Attachment Scanning 9-82
  Message Filters for Scanning Attachments 9-83
  Image Analysis 9-84
  Configuring the Image Analysis Scanning Engine 9-85
  Configuring the Message Filter to Perform Actions Based on Image Analysis Results 9-86
  Notifications 9-88
  Examples of Attachment Scanning Message Filters 9-89
  Using the CLI to Manage Message Filters 9-92
  Creating a New Message Filter 9-93
  Deleting a Message Filter 9-94
  Moving a Message Filter 9-94
  Activating and Deactivating a Message Filter 9-94
  Importing Message Filters 9-98
  Exporting Message Filters 9-99
  Viewing Non-ASCII Character Sets 9-99
  Displaying a Message Filter List 9-99
  Displaying Message Filter Details 9-99
  Configuring Filter Log Subscriptions 9-99
  Changing Message Encoding 9-101
  Sample Message Filters 9-103
  Message Filter Examples 9-110
  Open-Relay Prevention Filter 9-110
  Policy Enforcement Filters 9-110
  Routing and Domain Spoofing 9-114
  Configuring Scan Behavior 9-118

CHAPTER 10 Mail Policies 10-1
  Overview of Mail Policies 10-1
  How to Enforce Mail Policies on a Per-User Basis 10-2
  Handling Incoming and Outgoing Messages Differently 10-3
  Matching Users to a Mail Policy 10-4
  First Match Wins 10-4
  Examples of Policy Matching 10-4
  Message Splintering 10-6
  Managed Exceptions 10-7
  Configuring Mail Policies 10-8
  Configuring the Default Mail Policy for Incoming or Outgoing Messages 10-8
  Creating a Mail Policy for a Group of Senders and Recipients 10-8
  Finding Which Policies Apply to a Sender or Recipient 10-11

CHAPTER 11 Content Filters 11-1
  Overview of Content Filters 11-1
  How Content Filters Work 11-1
  How to Scan Message Content Using a Content Filter 11-2
  Content Filter Conditions 11-2
  Content Filter Actions 11-10
  Action Variables 11-16
  How to Filter Messages Based on Content 11-17
  Creating a Content Filter 11-18
  Enabling Content Filters for All Recipients by Default 11-19
  Applying the Content Filter to Messages for a Certain User Group 11-19
  Notes on Configuring Content Filters in the GUI 11-20

CHAPTER 12 Anti-Virus 12-1
  Anti-Virus Scanning Overview 12-1
  Evaluation Key 12-2
  Scanning Messages with Multiple Anti-Virus Scanning Engines 12-2
  Sophos Anti-Virus Filtering 12-2
  Virus Detection Engine 12-3
  Virus Scanning 12-3
  Detection Methods 12-3
  Virus Descriptions 12-4
  Sophos Alerts 12-4
  When a Virus is Found 12-4
  McAfee Anti-Virus Filtering 12-5
  Pattern-Matching Virus Signatures 12-5
  Encrypted Polymorphic Virus Detection 12-5
  Heuristics Analysis 12-5
  When a Virus is Found 12-6
  How to Configure the Appliance to Scan for Viruses 12-6
  Enabling Virus Scanning and Configuring Global Settings 12-7
  Configuring Virus Scanning Actions for Users 12-7
  Configuring the Anti-Virus Policies for Different Groups of Senders and Recipients 12-13
  Notes on Anti-Virus Configurations 12-14
  Flow Diagram for Anti-Virus Actions 12-15
  Sending an Email to the Appliance to Test Anti-Virus Scanning 12-16
  Updating Virus Definitions 12-18
  About Retrieving Anti-Virus Updates via HTTP 12-18
  Configuring Update Server Settings 12-18
  Monitoring and Manually Checking for Anti-Virus Updates 12-18
  Verifying Anti-Virus Files Have Updated on the Appliance 12-19

CHAPTER 13 Anti-Spam 13-1
  Overview of Anti-Spam Scanning 13-1
  Anti-Spam Solutions 13-2
  How to Configure the Appliance to Scan Messages for Spam 13-2
  IronPort Anti-Spam Filtering 13-3
  Evaluation Key 13-3
  Cisco Anti-Spam: an Overview 13-4
  Configuring IronPort Anti-Spam Scanning 13-5
  Cisco Intelligent Multi-Scan Filtering 13-6
  Configuring Cisco Intelligent Multi-Scan 13-7
  Defining Anti-Spam Policies 13-7
  Understanding Positive and Suspect Spam Thresholds 13-10
  Configuration Examples: Actions for Positively Identified versus Suspected Spam 13-11
  Unwanted Marketing Messages From Legitimate Sources 13-11
  Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example 13-11
  Enabling Different Anti-Spam Scanning Engines in Different Mail Policies: Configuration Example 13-12
  Protecting Appliance-Generated Messages From the Spam Filter 13-14
  Headers Added During Anti-Spam Scanning 13-14
  Reporting Incorrectly Classified Messages to Cisco 13-15
  How to Report Incorrectly Classified Messages to Cisco 13-15
  How to Track Your Submissions 13-19
  Determining Sender IP Address In Deployments with Incoming Relays 13-19
  Example Environments with Incoming Relays 13-19
  Configuring the Appliance to Work with Incoming Relays 13-21
  How Incoming Relays Affect Functionality 13-25
  Configuring Logs to Specify Which Headers Are Used 13-27
  Monitoring Rules Updates 13-27
  Testing Anti-Spam 13-28
  Sending an Email to the Appliance to Test Cisco Anti-Spam 13-29
  Ways Not to Test Anti-Spam Efficacy 13-29

CHAPTER 14 Managing Graymail 14-1
  Overview of Graymail 14-1
  Graymail Management Solution in Email Security Appliance 14-1
  Graymail Classification 14-2
  How Graymail Management Solution Works 14-3
  How Safe Unsubscribing Works 14-4
  Configuring Graymail Detection and Safe Unsubscribing 14-5
  Requirements for Graymail Detection and Safe Unsubscribing 14-6
  Graymail Detection and Safe Unsubscribing in Cluster Configurations 14-6
  Enable Graymail Detection and Safe Unsubscribing 14-6
  Configuring the Incoming Mail Policy for Graymail Detection and Safe Unsubscribing 14-6
  Bypassing Graymail Actions using Message Filters 14-8
  Monitoring Graymail 14-8
  Updating Graymail Rules 14-9
  Customizing the Appearance of Unsubscribe Page for End Users 14-9
  End-User Safelist 14-10
  Viewing Logs 14-10
  Troubleshooting Graymail Detection and Safe Unsubscribing 14-10
  Unable to Perform Safe Unsubscribing 14-10

CHAPTER 15 Outbreak Filters 15-1
  Overview of Outbreak Filters 15-1
  How Outbreak Filters Work 15-2