Symantec 10490452 - Mail Security 8220, Mail Security Administration Manual

Symantec Mail Security for SMTP
Administration Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Copyright notice
Copyright © 1998-2006 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, Brightmail, LiveUpdate, SESA, and Norton AntiVirus are U.S. registered trademarks or registered trademarks of Symantec Corporation or its affiliates in other countries. Other names may be trademarks of their respective owners. Symantec Mail Security for SMTP 5.0 is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” as defined in FAR Sections 12.212 and DFARS Section 227.7202.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
To receive the latest product information by email, go to:
http://www.symantec.com/techsupp/bulletin/enterprise.html
and join our support bulletin mailing list.
Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at http://www.symantec.com/techsupp/enterprise/.
Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at http://www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:
Product release level
Hardware information
  Available memory, disk space, NIC information
Operating system
  Version and patch level
Network topology
  Router, gateway, and IP address information
Problem description
  Error messages/log files
  Troubleshooting performed prior to contacting Symantec
  Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec's technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 About Symantec Mail Security for SMTP
Key features ..........................................................................................................11
Functional overview ............................................................................................12
Architecture ..........................................................................................................13
Where to get more information .........................................................................14
Chapter 2 Configuring system settings
Configuring certificate settings ........................................................................17
Configuring host (Scanner) settings .................................................................20
Working with the Services page ................................................................20
HTTP proxies ................................................................................................21
SMTP Scanner settings ...............................................................................22
Advanced SMTP settings ............................................................................ 25
Configuring internal mail hosts ................................................................28
Testing Scanners .................................................................................................28
Configuring LDAP settings .................................................................................29
Replicating data to Scanners .............................................................................37
Starting and stopping replication .............................................................38
Replication status information ..................................................................38
Troubleshooting replication ......................................................................39
Configuring Control Center settings ................................................................ 40
Control Center administration .................................................................. 41
Control Center certificate ...........................................................................42
Configuring, enabling and scheduling Scanner replication .................. 42
SMTP host .....................................................................................................44
System locale ................................................................................................44
Chapter 3 Configuring email settings
Configuring address masquerading ..................................................................45
Importing masqueraded entries ................................................................46
Configuring aliases ..............................................................................................47
Importing aliases .........................................................................................49
Configuring local domains .................................................................................50
Importing local domains and email addresses ........................................51
Understanding spam settings ............................................................................ 51
Configuring suspected spam ...................................................................... 52
Choosing language identification type ..................................................... 52
Software acceleration .................................................................................53
Configuring spam settings ......................................................................... 53
Configuring virus settings ..................................................................................54
Configuring LiveUpdate ............................................................................. 54
Excluding files from virus scanning ......................................................... 55
Configuring general settings ..................................................................... 56
Configuring invalid recipient handling ............................................................ 56
Configuring scanning settings ..........................................................................57
Configuring container settings ..................................................................57
Configuring content filtering settings .....................................................58
Chapter 4 Configuring email filtering
About email filtering ...........................................................................................61
Notes on filtering actions ........................................................................... 66
Multiple actions ...........................................................................................67
Multiple policies ...........................................................................................69
Security risks ................................................................................................ 70
About precedence ........................................................................................ 71
Creating groups and adding members .............................................................72
Assigning filter policies to a group ................................................................... 75
Selecting virus policies for a group ...........................................................75
Selecting spam policies for a group .......................................................... 77
Selecting compliance policies for a group ............................................... 78
Enabling and disabling end user settings ................................................ 79
Allowing or blocking email based on language ....................................... 80
Managing Group Policies ....................................................................................81
Creating virus, spam, and compliance filter policies ..................................... 82
Creating virus policies ................................................................................ 83
Creating spam policies ................................................................................85
Creating compliance policies ..................................................................... 86
Managing Email Firewall policies ..................................................................... 93
Configuring attack recognition ................................................................. 94
Configuring sender groups .........................................................................95
Configuring Sender Authentication ...............................................................105
Managing policy resources ..............................................................................106
Annotating messages ................................................................................106
Archiving messages ...................................................................................109
Configuring attachment lists ...................................................................110
Configuring dictionaries ...........................................................................112
Adding and editing notifications .............................................................114
Chapter 5 Working with Spam Quarantine
About Spam Quarantine ...................................................................................117
Delivering messages to Spam Quarantine .....................................................117
Working with messages in Spam Quarantine for administrators .............118
Accessing Spam Quarantine ....................................................................118
Checking for new Spam Quarantine messages .....................................118
Administrator message list page .............................................................118
Administrator message details page .......................................................121
Searching messages ...................................................................................123
Configuring Spam Quarantine .........................................................................126
Delivering messages to Spam Quarantine from the Scanner ............. 126
Configuring Spam Quarantine port for incoming email .....................127
Configuring Spam Quarantine for administrator-only access ...........128
Configuring the Delete Unresolved Email setting ................................128
Configuring the login help .......................................................................128
Configuring recipients for misidentified messages .............................129
Configuring the user and distribution list notification digests ..........130
Configuring the Spam Quarantine Expunger ........................................135
Specifying Spam Quarantine message and size thresholds ................136
Troubleshooting Spam Quarantine ........................................................137
Chapter 6 Working with Suspect Virus Quarantine
About Suspect Virus Quarantine .....................................................................143
Accessing Suspect Virus Quarantine ..............................................................143
Checking for new Suspect Virus Quarantine messages .......................144
Suspect Virus Quarantine messages page .............................................144
Searching messages ...................................................................................146
Configuring Suspect Virus Quarantine ..........................................................148
Configuring Suspect Virus Quarantine port for incoming email .......148
Configuring the size for Suspect Virus Quarantine .............................148
Chapter 7 Testing Symantec Mail Security for SMTP
Verifying normal delivery ................................................................................151
Verifying spam filtering ...................................................................................151
Testing antivirus filtering ................................................................................152
Verifying filtering to the Spam Quarantine ..................................................153
Chapter 8 Configuring alerts and logs
Configuring alerts ..............................................................................................155
Viewing logs ........................................................................................................157
Configuring logs .................................................................................................159
Chapter 9 Working with reports
About reports .....................................................................................................163
Choosing a report ..............................................................................................164
About charts and tables ....................................................................................172
Selecting report data to track ..........................................................................172
Setting the retention period for report data .................................................173
Running reports .................................................................................................173
Saving and editing Favorite Reports ..............................................................174
Running and deleting favorite reports ...........................................................175
Troubleshooting report generation ................................................................175
No data available for the report type specified .....................................175
Sender HELO domain or IP connection shows gateway information .....................176
Reports presented in local time of Control Center ...............................176
By default, data are saved for one week .................................................176
Processed message count recorded per message, not per recipient ..................176
Recipient count equals message count ...................................................177
Deferred or rejected messages are not counted as received ...............177
Reports limited to 1,000 rows ..................................................................177
Printing, saving, and emailing reports ...........................................................177
Scheduling reports to be emailed ....................................................................178
Chapter 10 Administering the system
Getting status information ..............................................................................181
Overview of system information .............................................................182
Message status ...........................................................................................182
Host status ..................................................................................................186
LDAP synchronization ..............................................................................187
Log details ...................................................................................................188
Scanner replication ...................................................................................188
Version Information ..................................................................................188
Managing Scanners ...........................................................................................188
Editing Scanners ........................................................................................189
Enabling and disabling Scanners ............................................................189
Deleting Scanners ......................................................................................190
Administering the system through the Control Center ..............................191
Managing system administrators ...........................................................191
Managing software licenses .....................................................................192
Administering the Control Center ..................................................................193
Starting and stopping the Control Center .............................................193
Checking the Control Center error log ...................................................194
Increasing the amount of information in BrightmailLog.log .............195
Starting and stopping UNIX and Windows services ....................................196
Starting and stopping Windows services ...............................................196
Starting and stopping UNIX services .....................................................198
Periodic system maintenance ..........................................................................198
Backing up logs data ..................................................................................198
Backing up the Spam and Virus Quarantine databases .......................199
Maintaining adequate disk space ............................................................200
Appendix A Feature Cross-Reference
New features for all users .................................................................................202
Changes for Symantec Mail Security for SMTP users .................................203
New feature names ....................................................................................204
Discontinued features ...............................................................................204
Changes for Symantec Brightmail Antispam users .....................................205
About email filtering and message handling options ..................................206
Appendix B Spam foldering and the Symantec Outlook Spam Plug-in
About foldering and the plug-in ......................................................................209
Installing the Symantec Outlook Spam Plug-in ............................................210
Usage scenarios ..........................................................................................210
End user experience ..................................................................................210
Software requirements .............................................................................212
Configuring automatic spam foldering ..........................................................217
Configuring the Symantec Spam Folder Agent for Exchange ............217
Configuring the Symantec Spam Folder Agent for Domino ...............218
Enabling automatic spam foldering ................................................................221
Enabling language identification ....................................................................222
Appendix C Integrating Symantec Mail Security with Symantec Security Information Manager
About Symantec Security Information Manager ..........................................223
Interpreting events in the Information Manager .........................................224
Configuring data sources ..........................................................................225
Firewall events that are sent to the Information Manager .................226
Definition Update events that are sent to the Information Manager ...............226
Message events that are sent to the Information Manager ................227
Administration events that are sent to the Information Manager .... 228
Appendix D Editing antivirus notification messages
Modifying notification files .............................................................................231
Changing the notification file character set ..........................................232
Editing messages in the notification file ................................................232
Notification file contents .................................................................................233
Glossary
Index
Chapter 1
About Symantec Mail Security for SMTP
This chapter includes the following topics:
Key features
Functional overview
Architecture
Where to get more information
Key features
Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following:
Antispam technology – Symantec’s state-of-the-art spam filters assess and classify email as it enters your site.
Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.
Content Compliance – These features help administrators enforce corporate email policies, reduce legal liability, and ensure compliance with regulatory requirements.
Group policies and filter policies – An easy-to-use authoring tool lets administrators create powerful and flexible ad hoc filters for individuals and groups.
Functional overview
You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your email processing needs.
Each Symantec Mail Security for SMTP host can be deployed in the following ways:
Scanner – Deployed as a Scanner, a Symantec Mail Security for SMTP host filters email. Your installation can have one or many Scanners. Symantec Mail Security for SMTP runs alongside your existing email or groupware server(s).
Control Center – Deployed as a Control Center, a Symantec Mail Security for SMTP host is a Web-based configuration and administration center. Use it to configure and manage email filtering, SMTP routing, system settings, and all other functions. Your enterprise-wide deployment of Symantec Mail Security for SMTP can have multiple Scanners but only one Control Center, from which you configure and monitor all the Scanner hosts.
The Control Center provides status for all Symantec Mail Security for SMTP hosts in your system, system logs, and extensive customizable reporting. Use it to configure both system-wide and host-specific details.
The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security for SMTP instances at your site, and also the Add Scanner Wizard, for adding new Scanners.
It also hosts the Spam and Suspect Virus Quarantines, for storage of spam and virus messages respectively. End users can access the Control Center to view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure the Spam Quarantine for administrator-only access.
Scanner and Control Center – A single Symantec Mail Security for SMTP host performs both functions.
Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not intended for use as the only MTA in your email infrastructure.
Note: Symantec Mail Security for SMTP does not filter messages that don’t flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, the messages will not pass through the Symantec Mail Security for SMTP filters.
Architecture
Symantec Mail Security for SMTP processes a mail message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected.
1 The incoming connection arrives at the inbound MTA via TCP/IP.
2 The inbound MTA accepts the connection and moves the message to its inbound queue.
3 The Filtering Hub accepts a copy of the message for filtering.
4 The Filtering Hub consults the LDAP SyncService directory to expand the message’s distribution list.
5 The Filtering Engine determines each recipient’s filtering policies.
6 The message is checked against Blocked/Allowed Senders Lists defined by administrators.
7 Virus and configurable heuristic filters determine whether the message is infected.
8 Content Compliance filters scan the message for restricted attachment types or keywords, as defined in configurable dictionaries.
9 Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.
10 The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.
Where to get more information
In addition to this Administration Guide, your Symantec Mail Security for SMTP product comes with the following documentation:
Symantec Mail Security for SMTP Installation Guide
Symantec Mail Security for SMTP Planning Guide
Symantec Mail Security for SMTP Getting Started
Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.
You can visit the Symantec Web site for more information about your product. The following online resources are available:
Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions: www.symantec.com/techsupp/ent/enterprise.html
Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration: www.symantec.com/licensing/els/help/en/help.html
Provides product news and updates: www.enterprisesecurity.symantec.com
Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats: www.symantec.com/avcenter/global/index.html
Chapter 2
Configuring system settings
System settings apply to the Control Center and to attached and enabled Scanners. This section explains the following:
Configuring certificate settings
Configuring host (Scanner) settings
Testing Scanners
Configuring LDAP settings
Replicating data to Scanners
Configuring Control Center settings
Configuring certificate settings
Manage your certificates using the Certificate Settings page.
The two types of certificates are as follows:
MTA TLS certificate—This is the TLS certificate used by the MTAs in each Scanner. Every Scanner has separate MTAs for inbound messages, outbound messages, and message delivery. Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings > Hosts page.
User interface HTTPS certificate—This is the HTTPS certificate used by the Control Center for secure Web management. Assign this certificate from the Settings > Certificates page.
You can add certificates to the certificate list in the following two ways:
Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.
Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.
Manage certificates
Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.
To add a self-signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Self-Signed Certificate.
4 Complete the information on the Add Certificate page.
5 Click Create.
To add a Certification Authority Signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Certificate Authority Signed.
4 Fill in the information on the Add Certificate page.
5 Click Request.
A new page is displayed, showing the certificate information in a block of text, designed for use by the Certification Authority.
6 Copy the block of text that appears and submit it to the Certification Authority. Each Certification Authority has its own set of procedures for granting certificates. Consult your Certificate Authority for details.
7 When you receive the certificate file from the Certification Authority, place the file in an easily accessed location on the computer from which you are connecting to the Control Center.
8 On the Certificate Settings page, click Import.
9 On the Import Certificate page, type the full path and filename or click Browse and choose the file.
10 Click Import.
To view or delete a certificate
1 In the Control Center, click Settings > Certificates.
2 Check the box next to the certificate to be viewed or deleted.
3 Click View to read the certificate.
4 Click Delete to remove the certificate.
To assign an MTA TLS certificate
1 In the Control Center, click Settings > Hosts.
2 Select a host and click Edit.
3 Click the SMTP tab.
4 Check Accept TLS encryption as appropriate.
5 Choose the TLS certificate from the Certificate drop-down list for the inbound or outbound MTA.
6 Click Save.
To assign a user interface HTTPS certificate
1 In the Control Center, click Settings > Control Center.
2 Select a certificate from the User interface HTTPS certificate drop-down list.
3 Click Save.
Configuring host (Scanner) settings
The following sections describe changes that can be made to individual hosts. Information is available on these topics:
Working with the Services page
HTTP proxies
SMTP Scanner settings
Working with the Services page
You can stop or start the following services on a Scanner.
Conduit
LiveUpdate
Filter Engine
MTA
Note: If you stop the filter-hub or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address in the settings for the Control Center.
On this page you can also configure individual Scanner replication and MTA settings that help you take a Scanner offline.
Work with the services page
Use the following procedures from the Services page to manage individual Scanner services and replication, and to stop the flow of messages through a Scanner.
To start and stop services
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Select the services to be started or stopped.
5 Click Stop to stop a running service or Start to start a stopped service.
To enable or disable Scanner replication for a host
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Using the Scanner Replication portion of the page, check Enable Scanner Replication for this host to enable Scanner replication. (Replication is enabled by default.)
5 Using the Scanner Replication portion of the page, uncheck Enable Scanner Replication for this host to disable Scanner replication. The Control Center will not update the directory for this Scanner when the box is not checked.
6 Click Save to store your changes.
To take a Scanner out of service
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 On the MTA Operation portion of the page, check Do not accept incoming messages. All messages in Scanner queues are processed as needed, but no new messages will be received.
5 Click Save to store your changes.
HTTP proxies
The Conduit and Symantec LiveUpdate run on each Scanner, and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, use the steps below.
To change or add proxy information
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click the Proxy tab.
5 Check Use proxy server.
6 Specify the proxy host name and port on this panel. In addition to this information, you can include a user name and password as needed.
7 Click Save to store your information.
SMTP Scanner settings
A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages. If you set up inbound or outbound SMTP filtering rather than using Content Compliance filters, you can save resources because messages that do not meet the SMTP criteria will be rejected before content filtering begins.
To modify SMTP settings for a Scanner
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click SMTP.
5 As appropriate, complete the SMTP definition for the scanner.
The following parameters are included:
Scanner Role: Determines if the Scanner is used for Inbound mail filtering only, Outbound mail filtering only, or Inbound and outbound mail filtering.
Inbound Mail Settings (*): Provides settings for inbound messages. In this area, you can provide the following information:
Inbound mail IP address—Location at which inbound messages will be received.
Inbound mail SMTP port—Port on which inbound mail is received, typically port 25.
Accept TLS encryption—Indicates if TLS encryption is accepted. Check the box to accept encryption. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
Certificate—Specifies an available certificate for TLS encryption.
Accept inbound mail connections from all IP addresses—Indicates that all connections for inbound messages are accepted when checked. This is the default.
Accept inbound mail connections from only the following IP addresses and domains—Indicates that only the addresses or domain names entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
Warning: If you are deploying this Scanner behind a gateway, and are specifying one or more IP addresses instead of All IP addresses, you must add the IP addresses of ALL upstream mail servers in use by your organization. Upstream mail servers that are not specified here may be classified as spam sources.
Relay local domain mail to: Gives the location where inbound mail is sent after being received on the inbound port.
Outbound Mail Settings (*): Provides settings for outbound mail characteristics. In this area, you can provide the following information:
Outbound mail IP address—Specifies the IP address on which outbound messages are sent.
Outbound mail SMTP port—Specifies the port on which outbound mail is sent, typically port 25.
Accept TLS encryption—Indicates if TLS encryption is accepted. Check the box to accept encrypted information. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
Certificate—Specifies an available certificate for TLS encryption.
Accept outbound mail connections from the following IP addresses and domains—Indicates that only the addresses entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
Relay non-local mail to: Specifies how outbound SMTP message relaying is routed. By default, MX Lookup is used.
Apply above settings to all hosts: Indicates that when saved, all settings on this page are applied immediately to all hosts.
Advanced Settings: Provides for inbound, outbound and delivery advanced settings. See “Advanced SMTP settings” on page 25 for details.
(*) Classless InterDomain Routing (CIDR) is supported for inbound and outbound mail connection IP addresses.
6 Click Save to store your changes.
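The inbound connection allow-list semantics just described, as an added example that is not part of this manual (Python, not Symantec's code): it decides whether a connection is accepted from IP, CIDR or domain entries, and checks that the Control Center and every upstream mail server are listed before the setting is saved. The addresses are constructed, and matching a domain entry against the client's reverse-DNS name is an assumption made for illustration.

```python
"""Added example, not Symantec's code: a model of the inbound-connection
allow-list. The Scanner accepts inbound SMTP connections either from all IP
addresses or only from the listed addresses/domains (CIDR supported); the
Control Center's address must be listed so Spam Quarantine and Suspect Virus
Quarantine can release messages, and upstream gateways must be listed or their
mail may be treated as coming from a spam source."""
import ipaddress

# Constructed allow-list and addresses (hypothetical values).
ALLOW_LIST = ["192.0.2.10", "198.51.100.0/24", "mail.example.com"]
CONTROL_CENTER_IP = "192.0.2.10"
UPSTREAM_MAIL_SERVERS = ["198.51.100.1", "203.0.113.9"]


def parse_entry(entry):
    """Classify an allow-list entry as an IP network ('net') or a domain name."""
    try:
        # A bare address becomes a /32 (or /128) network; strict=False accepts
        # host bits set in a CIDR entry such as 198.51.100.5/24.
        return "net", ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "domain", entry.strip().lower().strip(".")


def is_connection_accepted(client_ip, client_rdns, allow_list, accept_all=False):
    """Decide whether an inbound SMTP connection is accepted.

    accept_all mirrors 'Accept inbound mail connections from all IP addresses'
    (the default). Otherwise the client IP must fall inside a listed address or
    CIDR block, or its reverse-DNS name must equal or sit under a listed domain
    (assumption: the product's exact domain matching is not documented here)."""
    if accept_all:
        return True
    addr = ipaddress.ip_address(client_ip)
    rdns = (client_rdns or "").lower().rstrip(".")
    for entry in allow_list:
        kind, value = parse_entry(entry)
        if kind == "net" and addr in value:
            return True
        if kind == "domain" and rdns and (rdns == value or rdns.endswith("." + value)):
            return True
    return False


def validate_allow_list(allow_list, control_center_ip, upstream_ips):
    """Return configuration problems to fix before saving: a missing Control
    Center address (quarantine release would fail) and any upstream mail
    server that is not listed (its mail may be classified as a spam source)."""
    problems = []
    if not is_connection_accepted(control_center_ip, None, allow_list):
        problems.append("Control Center %s is not in the allow-list" % control_center_ip)
    for ip in upstream_ips:
        if not is_connection_accepted(ip, None, allow_list):
            problems.append("upstream mail server %s is not in the allow-list" % ip)
    return problems


if __name__ == "__main__":
    print(is_connection_accepted("198.51.100.77", None, ALLOW_LIST))                   # True
    print(is_connection_accepted("203.0.113.5", "mx1.mail.example.com.", ALLOW_LIST))  # True
    for problem in validate_allow_list(ALLOW_LIST, CONTROL_CENTER_IP, UPSTREAM_MAIL_SERVERS):
        print("WARNING:", problem)
```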
Advanced SMTP settings
Use the MTA Configuration portion of the page to specify the MTA host name. The MTA Host Name gives you the ability to define the Hello banner during the initial portion of the SMTP conversation.
Use the following advanced inbound SMTP settings to further define your SMTP configuration:
Table 2-1 Inbound SMTP advanced setting descriptions
Maximum number of connections: Sets the maximum number of simultaneous inbound connections allowed. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum number of connections from a single IP address: Sets the maximum number of simultaneous inbound connections allowed from a single IP address. Additional connections for the same IP address will be rejected. The default is 20. You can also limit the number of connections from a single IP address per time period. Click Policies > Attacks in the Control Center.
Maximum message size in bytes: Sets the maximum size of a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message: Sets the maximum number of recipients for a message. The default is 1,024 recipients.
Insert RECEIVED header to inbound messages: Places a RECEIVED header in the message during inbound SMTP processing.
Enable reverse DNS lookup: Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not performed for inbound messages.
Use the following advanced outbound SMTP settings to further define your SMTP configuration:
Table 2-2 Outbound SMTP advanced setting descriptions
Maximum number of connections: Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum message size in bytes: Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message: Indicates the maximum number of recipients permitted to receive this message. The default is 1,024 recipients.
Default domain for sender addresses with no domain: Sets a default domain when none can be found in the message.
Insert RECEIVED header: Places a RECEIVED header in the message during outbound SMTP processing when checked. When unchecked, no RECEIVED header is inserted during outbound SMTP processing. If Insert RECEIVED header and Strip RECEIVED headers are both checked, the outbound SMTP RECEIVED header remains when the message goes to the delivery queue.
Strip pre-existing RECEIVED headers from outbound messages: Removes all RECEIVED headers for the message when checked. When headers are stripped, message looping can occur depending on the settings of other MTAs. When unchecked, RECEIVED headers remain in the message during outbound processing. The RECEIVED header for outbound SMTP processing remains in the message when Insert a RECEIVED header and Strip pre-existing RECEIVED headers from outbound messages are checked.
Enable reverse DNS lookup: Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not allowed for outbound messages.
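An added example (Python, not Symantec's code) of how the Insert RECEIVED header and Strip pre-existing RECEIVED headers options interact on the way to the delivery queue, together with a hop-count check that shows why stripping the trace headers can let a looping message go unnoticed by downstream MTAs. The sample message, the Scanner host name and the hop limit are constructed for illustration.

```python
"""Added example, not Symantec's code: apply the outbound RECEIVED header
options to a message and count the trace headers that remain. With both
options checked only the Scanner's own RECEIVED header reaches the delivery
queue, as the table above states. The hop-limit guard is a generic MTA loop
check (hypothetical limit), included to show what stripping takes away."""

# Constructed sample message (hypothetical hosts) that already carries two hops.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\r\n"
    "\tby relay.example.com with ESMTP; Mon, 10 Jul 2006 10:00:00 +0000\r\n"
    "Received: from client.example.net ([198.51.100.9])\r\n"
    "\tby mail.example.net with SMTP; Mon, 10 Jul 2006 09:59:00 +0000\r\n"
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)
SCANNER_HOST = "scanner1.example.com"   # hypothetical MTA host name


def split_headers(raw):
    """Split a CRLF message into (header list, body). Folded continuation
    lines (starting with a space or tab) are re-attached to their header."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line
        else:
            headers.append(line)
    return headers, body


def count_received(raw):
    """Number of RECEIVED headers in the message (one per MTA hop)."""
    headers, _ = split_headers(raw)
    return sum(1 for h in headers if h.lower().startswith("received:"))


def apply_outbound_received_policy(raw, insert_received, strip_received,
                                   host=SCANNER_HOST,
                                   timestamp="Mon, 10 Jul 2006 10:01:00 +0000"):
    """Return the message as it enters the delivery queue. Stripping is applied
    before insertion, so the Scanner's own header survives when both are set."""
    headers, body = split_headers(raw)
    if strip_received:
        headers = [h for h in headers if not h.lower().startswith("received:")]
    if insert_received:
        # Trace headers are prepended: the newest hop is always on top.
        headers.insert(0, "Received: by %s (outbound MTA); %s" % (host, timestamp))
    return "\r\n".join(headers) + "\r\n\r\n" + body


def exceeds_hop_limit(raw, max_hops=30):
    """Loop guard: True when the message has passed through more MTAs than
    max_hops. A message whose RECEIVED headers were stripped restarts the
    count, which is why stripping can allow a loop to continue."""
    return count_received(raw) > max_hops


if __name__ == "__main__":
    for insert, strip in ((False, False), (True, False), (False, True), (True, True)):
        queued = apply_outbound_received_policy(SAMPLE_MESSAGE, insert, strip)
        print("insert=%s strip=%s -> %d RECEIVED header(s)"
              % (insert, strip, count_received(queued)))
```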
Settings also exist governing SMTP delivery configuration for your site. Delivery configuration message settings are as follows:
Table 2-3 SMTP delivery advanced setting descriptions
Maximum number of external connections: Sets the maximum number of simultaneously allowed external connections. Additional attempted connections are rejected. The default is 100 connections.
Maximum number of external connections to a single IP address: Sets the maximum number of simultaneous connections allowed to a single IP address. Additional connections to this IP address are rejected. The default is 50 connections. You can also limit the number of connections to a single IP address per time period.
Maximum number of connections to all internal mail servers: Sets the maximum number of connections allowed to all defined internal mail servers. Any additional connection attempts are rejected. The default is 100 internal mail server connections.
Maximum number of connections per single internal mail server: Sets the maximum number of connections to one internal mail server. Any additional attempt to make a connection is rejected. The default is 50 connections.
Minimum retry interval: Sets the smallest interval the SMTP server waits before trying to deliver a message again. The default is 15 minutes.
Sent message timeout: Sets the time after which an undelivered message times out and is rejected from the queue. The default is 5 days.
Message delay time in queue before notification: Sets the time a message waits in the mail queue before notification of nondelivery is sent. The default is 4 hours.
Enable TLS encryption: Allows TLS encryption when checked. If unchecked, TLS encryption is not performed. By default, TLS encryption is not enabled.
To set up the SMTP Advanced Configuration
1 From the Control Center, click Settings > Hosts.
2 Select a Scanner from the displayed list.
3 Click Edit.
4 Click the SMTP tab.
On this page, you will see some general-purpose settings described in “SMTP Scanner settings” on page 22.
5 Click Advanced Settings.
On this page you will see some advanced Scanner configuration SMTP settings. These settings are fully described in “Advanced SMTP settings” on page 25.
6 As appropriate, modify the settings explained above.
7 Click Save to store your information.
You are returned to the main SMTP configuration page.
8 Click Save.
Configuring internal mail hosts
You can add or delete internal mail hosts at your site.
Configure internal mail hosts
Follow these procedures to add or delete internal mail hosts.
To add an internal mail host
1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Specify the IP address for an internal mail host.
6 Click Add.
7 Click Save to store the information.
To delete an internal mail host
1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Select an internal mail host.
6 Click Delete.
7 Click Save to store the information.
Testing Scanners
After adding or editing a Scanner, you can quickly test that the Scanner is operating and that the Agent is able to make a connection. The Agent is a component that facilitates communicating configuration information between the Control Center and each Scanner.
To test a Scanner
1 In the Control Center, click Status > Host Details.
2 If only one Scanner is attached to your system, you can see a snapshot of how it is currently functioning.
3 If more than one Scanner is attached, select the Scanner you want to test from the drop-down list. You will see a snapshot of its current status.
Configuring LDAP settings
The Control Center can optionally use directory information from LDAP servers at your site for one or both of the following purposes:
Authentication—LDAP user and password data is used for Quarantine access authentication and resolving email aliases for quarantined messages. The Control Center reads user and password data directly from the LDAP server.
Synchronization—LDAP user and group data is used for group policies, directory harvest attack recognition, distribution list expansion and dropping messages for invalid recipients. User and group data is read from the LDAP server and cached in the Control Center and Scanners, but not written back to the LDAP server.
Symantec Mail Security for SMTP supports the following LDAP directory types:
Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Exchange 5.5
Lotus Domino LDAP Server 6.5
Note: If you are using version 5.2 of the SunOne LDAP server, you must update to patch 4 to address some changelog issues that arose in patch 3.
Configure LDAP settings
Follow these procedures to configure LDAP settings.
To add an LDAP server
1 In the Control Center, click Settings > LDAP.
2 Click Add.
3 Complete the necessary fields presented for defining a new LDAP Server.
The values you complete will depend on your choice in the Usage drop-down list.
4 Click Save.
Note: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners with the Replicate now button. Begin this replication only after initial synchronization has completed successfully as shown on the Status > LDAP Synchronization page, and the number of rejected entries is 0 or stays constant after successive synchronization changes. If synchronization has not completed successfully, error messages will be shown on the Status > LDAP Synchronization page. Alternatively, you can wait until the next scheduled replication occurs at which time all Scanners will be fully updated by the LDAP synchronization server.
Note: If you see the error during server creation, Failed to create user mappings for source, and you have recently changed DNS servers, restart your LDAP synchronization components. Windows users use the Services control panel to first stop SMS Virtual Directory, then start SMS Sync Server. Dependencies are automatically restarted. Alternatively, the host can be rebooted. Linux/Solaris users issue the following command:
/etc/init.d/sms_ldapsync restart
Then, follow the above steps again.
The following table describes the available settings for LDAP authentication and synchronization services when an LDAP server is being added to the Control Center.
Table 2-4 LDAP Server Parameters when adding a server
Description: Text describing the LDAP server being defined. Permissible characters are any alphanumeric character (0-9, a-z, and A-Z), a space ( ), hyphen (-), or underline (_) character. Any other symbol will cause the definition to fail.
Host: Host name or IP address.
Port: TCP/IP port for the server. The default port is 389.
Directory Type: Specifies the type of directory used by the LDAP server. Available choices are:
Active Directory
iPlanet/Sun ONE/Java Directory Server
Exchange 5.5
Domino
Usage: Describes how this LDAP server will be used. Available usage modes are:
Authentication
Synchronization
Authentication and Synchronization
You can have only one authentication server defined in the Control Center.
Administrator Credentials: Specifies login and usage information for the LDAP server as follows:
Anonymous bind—Allows you to login to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
Name (bind DN)—Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or logon name with User Principal Name suffix can be required.
Password—Password information that allows you to access the LDAP server.
Test Login—Verifies the anonymous bind connection or the user id and password given for accessing the LDAP server.
Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to dropdown list when logging onto a Windows host. Use commas or semicolons to separate multiple domain names.
Primary domain (Domino only): Internet domain to which mail is delivered.
Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Authentication Query Details: Contains the following options:
Autofill—Places default values in the field for you to modify as needed.
Query start (Auth base DN)—Designates the point in the directory from which to start searching for entries to authenticate. If an entry contains an ampersand, delimit the ampersand as follows:
OU=Sales \& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com
Login attribute—Specifies the attribute that identifies a directory entry representing a person.
Primary email attribute—Finds users based on the attribute which represents a mailbox.
Email alias attribute—Finds users based on the attribute representing an alternative address for entities’ mailbox.
Login query—Finds users based on their Login attributes.
Test—Attempts to execute the query as defined.
Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.
Synchronization Configuration: Allows for the following definitions governing synchronization behavior:
Synchronize every—Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
Audit level—Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
Page size—Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.
This section is grayed out if Usage type is Authentication.
Synchronization Query Details: Specifies queries to use for synchronization. Available choices are:
Autofill—Places default values in the field for you to modify as needed.
Query start (Sync base DN)—Designates the point in the directory from which to start searching for entries with email addresses/aliases or groups. To use this field, begin by clicking Auto Fill for the naming contexts of the directory. Reduce the received list of DN’s brought into the field by Auto Fill to a single DN, or write your own DN based on the provided list.
Custom query start—Allows for the addition of a customized query.
User query—Finds users in the LDAP server.
Group query—Finds LDAP groups in the LDAP server.
Distribution list query—Finds Distribution Lists in the LDAP Server.
Buttons labelled Test allow you to test each synchronization query type.
Note: If you need to change Host, Port, base DN, ldap Group filter, User filter, or Distribution List filter after saving an LDAP synchronization source, you must delete the source, add the source including all attributes to be filtered, and perform a full synchronization.
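An added example (Python, not the product's code) that parses and produces the Query start (base DN) format shown in Table 2-4, where several DNs are separated by an ampersand and a literal ampersand inside a DN is written as \&, and that flags a shortened bind DN of the kind the Exchange 5.5 note under Administrator Credentials warns against. The sample DNs are constructed; treating the field exactly this way is an assumption drawn from the table's one example.

```python
"""Added example, not Symantec's code: helpers for the Query start (base DN)
field and for checking that a bind DN is a full DN. The '\\&' escaping rule is
taken from the single example in the table; other details are assumptions."""


def parse_base_dn_list(field):
    """Split a Query start value into individual DNs.

    An unescaped '&' separates DNs (surrounding whitespace is dropped);
    the two-character sequence '\\&' yields a literal '&' inside a DN."""
    dns, current, i = [], [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] == "&":
            current.append("&")      # escaped ampersand: part of the DN
            i += 2
            continue
        if ch == "&":                # unescaped ampersand: DN separator
            dns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    dns.append("".join(current).strip())
    return [dn for dn in dns if dn]


def format_base_dn_list(dns):
    """Inverse of parse_base_dn_list: escape literal ampersands and join the
    DNs with ' & ' so the value can be pasted into the Query start field."""
    return " & ".join(dn.replace("&", "\\&") for dn in dns)


def split_rdns(dn):
    """Split a DN into its RDN strings, keeping backslash-escaped characters
    (for example an escaped comma) inside the RDN they belong to."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def is_full_dn(dn):
    """True when the DN has more than one RDN, i.e. a full DN such as
    cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than the
    shortened cn=Administrator that the Exchange 5.5 note warns against."""
    return len(split_rdns(dn)) > 1


if __name__ == "__main__":
    # Constructed value in the format the table shows.
    field = "OU=Sales \\& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com"
    for dn in parse_base_dn_list(field):
        print(dn, "->", split_rdns(dn))
    print(is_full_dn("cn=Administrator"))   # False: shortened form
```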
To edit an LDAP server
1 In the Control Center, click Settings > LDAP.
2 Choose an LDAP server definition by checking the box next to it.
3 Click Edit.
4 Make changes as appropriate.
5 Click Save.
Not all parameters are available for editing in an LDAP definition. Only the following can be changed after an LDAP server has been defined:
Table 2-5 LDAP Server Parameters when editing a server
Administrator Credentials: Specifies login and usage information for the LDAP server as follows:
Anonymous bind—Allows you to login to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
Name (bind DN)—Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or logon name with User Principal Name suffix can be required.
Password—Password information that allows you to access the LDAP server.
Test Login—Verifies the anonymous bind connection or the user id and password given for accessing the LDAP server.
Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to dropdown list when logging onto a Windows host. Use commas or semicolons to separate multiple domain names.
Primary domain (Domino only): Internet domain to which mail is delivered.
Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Authentication Query Details: Contains the following options:
Autofill—Places default values in the field for you to modify as needed.
Query start (Auth base DN)—Designates the point in the directory from which to start searching for entries to authenticate.
Login attribute—Specifies the attribute that identifies a directory entry representing a person.
Primary email attribute—Finds users based on the attribute which represents a mailbox.
Email alias attribute—Finds users based on the attribute representing an alternative address for entities’ mailbox.
Login query—Finds users based on their Login attributes.
Test—Attempts to execute the query as defined.
Synchronization Configuration: Allows for the following definitions governing synchronization behavior:
Synchronize every—Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
Audit level—Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
Page size—Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.
This section is grayed out if Usage type is Authentication.
Editing an LDAP server definition can cause a full synchronization to be initiated. This can have serious performance impact on your system until the synchronization completes.
To initiate an LDAP synchronization
1 Click Status > LDAP Synchronization.
2 If you wish to synchronize fewer than 1,000 changes of LDAP data, click Synchronize Changes.
3 If you wish to synchronize 1,000 changes of LDAP data or more, click Full Synchronization.
To cancel an LDAP synchronization in progress
1 Click Status > LDAP Synchronization.
2 Click Cancel Synchronization.
To delete an LDAP server
1 In the Control Center, click Status > LDAP Synchronization. Check to be sure that no synchronization is processing. You cannot delete a synchronization server while synchronization is running.
2 Click Settings > LDAP.
3 Choose an LDAP server definition by checking the box next to it.
4 Click Delete.
Synchronization status information
When LDAP data is synchronized between an LDAP server and the Control Center, status information is generated and displayed via the Status tab.
To view LDAP Synchronization status information
In the Control Center, click Status > LDAP Synchronization.
The following information is displayed:
Status: Information about synchronization activity. Status can be any of the following:
Idle—Nothing is happening.
Starting—A synchronization request was issued either by the Control Center or through a replication request from a Scanner.
Cancelled—Either the LDAP synchronization was cancelled manually via clicking Status > LDAP Synchronization > Cancel, or a replication was in progress when a scheduled or manual LDAP synchronization was initiated.
In Progress—A synchronization request has been acknowledged by the synchronization server and the process is under way.
Success—The synchronization has completed successfully.
Failed—The synchronization has failed. Consult your logs to identify possible causes.
Started: The time at which the most recent synchronization began.
Ended: The time at which the most recent synchronization finished.
Read: The number of directory entries read from the synchronization server. For a full synchronization, this number is equal to the total number of records from the LDAP source.
Added: The number of directory entries added from the synchronization server to the Control Center.
Modified: The number of records modified in the Control Center based on synchronization server information.
Deleted: The number of entries deleted from the Control Center based on synchronization server information.
Rejected: The number of directory entries from the LDAP server rejected by the synchronization server.
A number of LDAP transactions can be rejected when an attempt to add a group entry fails because one or more of the group members is not yet known to the LDAP synchronization service. Generally, this can be resolved by issuing a Synchronize Changes request from the Control Center. Each time this is done, the number of rejected entries should decrease. Once all group members are propagated, the group entries are added successfully. If, after a number of LDAP synchronization attempts, you continue to see the same number of rejected entries for an LDAP Source, examine the logs at Status > Logs with Control Center: LDAP selected in the Log Type: drop-down list. Use the information on this page to determine why the entries are repeatedly rejected. Pay particular attention to the file error.log.X, where X is a number.
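An added example (Python, not the product's code) modelling the rejection behaviour described above: a group entry is rejected while any of its members is still unknown, each Synchronize Changes pass retries the rejected entries so the count falls, and a count that stops falling identifies the entry and the missing member to look for in the Control Center LDAP logs. The changelog entries and DNs are constructed; the acceptance rule is a simplification of what the text describes, not the product's algorithm.

```python
"""Added example, not Symantec's code: a model of LDAP group entries being
rejected until their members are known, and of repeated Synchronize Changes
passes converging. Entries and DNs are constructed (hypothetical)."""

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed changelog: groups can arrive before the users they reference.
CHANGELOG = [
    {"dn": "cn=staff," + GROUPS, "type": "group",
     "members": ["uid=alice," + PEOPLE, "uid=bob," + PEOPLE]},
    {"dn": "uid=alice," + PEOPLE, "type": "user"},
    {"dn": "cn=everyone," + GROUPS, "type": "group",
     "members": ["cn=staff," + GROUPS, "uid=carol," + PEOPLE]},
    {"dn": "uid=bob," + PEOPLE, "type": "user"},
]


def missing_members(entry, known):
    """Members of a group entry that the synchronization service does not know yet."""
    return [m for m in entry.get("members", []) if m not in known]


def synchronize_pass(known, entries):
    """One Synchronize Changes pass over the given entries.

    Users are always added; a group is added only when all of its members are
    already known (assumption modelling the rejection described above).
    Updates 'known' in place and returns (added DNs, rejected entries)."""
    added, rejected = [], []
    for entry in entries:
        if entry["type"] == "user" or not missing_members(entry, known):
            known.add(entry["dn"])
            added.append(entry["dn"])
        else:
            rejected.append(entry)
    return added, rejected


def synchronize_until_stable(changelog, max_passes=10):
    """Repeat passes while the rejected count keeps falling.

    Returns (known DNs, rejected count after each pass, entries still
    rejected). A non-empty final list with a constant count is the situation
    in which the text says to examine the Control Center LDAP logs."""
    known, pending, counts = set(), list(changelog), []
    for _ in range(max_passes):
        _, pending = synchronize_pass(known, pending)
        counts.append(len(pending))
        if not pending or (len(counts) > 1 and counts[-1] >= counts[-2]):
            break
    return known, counts, pending


if __name__ == "__main__":
    known, counts, stuck = synchronize_until_stable(CHANGELOG)
    print("rejected entries per pass:", counts)          # [2, 1, 1]
    for entry in stuck:
        print("still rejected:", entry["dn"], "missing", missing_members(entry, known))
```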
Replicating data to Scanners
After an LDAP server has been defined to the Control Center, and after the synchronization of LDAP data between the LDAP server and the Control Center has successfully completed one full cycle, LDAP data can be synchronized to all attached and enabled Scanners.
LDAP data includes:
Directory information
User settings
Allowed/Blocked Sender settings
Language settings
For replication to work properly, you must have completed the procedures in “Configuring, enabling and scheduling Scanner replication” on page 42 and made certain that Scanner replication is enabled for each Scanner as described in “Working with the Services page” on page 20.
In this section, information is available on the following:
Starting and stopping replication
Replication status information
Troubleshooting replication
Starting and stopping replication
You may occasionally need to start or stop replication manually.
Start or stop replication
Start and stop replication using the following procedures.
To start a manual replication cycle
1 In the Control Center, click Status > Scanner Replication.
2 Click Replicate Now.
To stop a replication in progress
1 In the Control Center, click Status > Scanner Replication.
2 Click Cancel Replication.
Replication status information
When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security for SMTP.
To view replication status information
In the Control Center, click Status > Scanner Replication.
The following information is displayed:
Item Description
Status Status can be any of the following:
Idle—Nothing is happening.
Started—A replication request has been issued.
Cancelled—Either the LDAP synchronization was cancelled manually via clicking Status > LDAP Synchronization > Cancel, or a replication was in progress when a scheduled or manual LDAP synchronization was initiated.
In Progress—A replication request has been acknowledged by the Control Center and the process is under way.
Success—The replication has completed successfully.
Failed—The replication has failed. Consult your logs to identify possible causes.
Started The time at which the most recent replication began.
Ended The time at which the most recent replication finished.
Size The number of bytes of replicated data.
Troubleshooting replication
Replication will not complete until at least one LDAP synchronization source is available, and synchronization has completed successfully. Until this happens, there is no data that replication can use to update Scanners.
Troubleshoot replication
The following techniques can help you troubleshoot replication problems.
Basic troubleshooting procedure
1 Verify that synchronization has occurred.
2 If a successful synchronization has occurred, check your replication status and take one or more of the actions described below.
To verify that synchronization has completed successfully
1 In the Control Center, click Status > LDAP Synchronization.
2 Check the Status column for a Success message.
For additional information about synchronization status, see “Synchronization status information” on page 36.
To check replication status
1 In the Control Center, click Status > Scanner Replication.
2 Check the Status column for each attached and enabled Scanner on the list.
For additional information about replication status, see “Replication status information” on page 38.
To troubleshoot a status message
1 If the Scanner has a Status of Success, all attached and enabled Scanners are fully updated with LDAP information and no action is required.
2 If a message is displayed indicating that replication has been cancelled and was not cancelled via Status > Replication and clicking Cancel, an LDAP synchronization source was found, but either synchronization has not yet completed, or synchronization has failed.
Check your synchronization status. (See “To check replication status” on page 39.) Check the Control Center log for errors about creating or moving synchronization data within the Control Center, or errors regarding communication between the Control Center and a Scanner. Check LDAP synchronization logs for any errors that occur in transforming data from the Control Center database to a Scanner database.
3 If you see the message No scanners configured for replication, make sure you have successfully added an LDAP synchronization server, that the initial synchronization service has completed successfully, that you have enabled global replication via Settings > Replication Settings, and that replication is enabled on at least one attached and enabled Scanner via the Replication tab at Settings > Hosts > Edit.
4 If the replication process shows the message IN-PROGRESS for an unusually long period of time, the replication process has stalled. It is difficult to predict the length of time a replication can take. As a benchmark, a user population of 25k users and 5k distribution lists (with nesting levels ranging from 1-10), can take as much as 7.5 hours on a Dell 1850 running Linux.
To resolve a replication process with a message of In-Progress
Perform a manual replication from the Control Center.
If replication still stalls, restart the Control Center software and begin the entire cycle again with a full synchronization.
Configuring Control Center settings
The Symantec Mail Security for SMTP Control Center allows you to configure the following:
Control Center administration
Control Center certificate
Configuring, enabling and scheduling Scanner replication
SMTP host
System locale
Control Center administration
You access the Control Center via a Web browser. By default anyone with the correct address and logon information has access from any host. You can choose to limit host access to the Control Center if you wish. Users attempting to log into the Control Center from unauthorized computers will see a 403 Forbidden page in their Web browser. Reverse Domain Name Server (DNS) lookup must be enabled in your DNS software for this feature to work with host names.
When entering host names, there is a possibility that a name can be entered incorrectly. If it is the only name on the list, you have effectively blocked yourself from all access to the Control Center. See the procedure below for help resolving this situation.
Specify Control Center access or reset Control Center access
Follow these instructions to specify Control Center access or to regain access to the Control Center.
To specify Control Center access
1 In the Control Center, click Settings > Control Center.
2 Check All hosts to allow any host access to the Control Center.
3 Check Only the following hosts to assign specific hosts to access the Control Center. All other hosts are rejected after you add one or more hosts to the list. Add and Delete buttons are available to help you manage the list of allowed hosts.
4 To add a host, type host name, IP address, IP address with subnet mask, or Classless Inter-Domain Routing (CIDR) netblock and click Add. Specify additional computers or networks as needed.
5 Click Save to store the current settings.
To regain access to the Control Center when no host name matches the list
1 Log in to the MySQL Control Center.
2 Select the Brightmail database.
use brightmail;
3 Delete the host control access items from the database.
truncate settings_host_access_control;
About specifying host names for Control Center access
When specifying host names for Control Center access, the Control Center allows clients to connect based on the Control Center’s own DNS perspective. If the client’s IP address resolves into a name that is allowed (a “reverse lookup”), then it’s a match and the client is allowed to access the Control Center. The reverse lookup of an IP address is controlled by the owner of a netblock, not necessarily a user of that netblock, so users often have no control over what name their IP addresses resolve to. Also, two different DNS servers may each have mappings for the same netblock that are not the same. For example, the client’s authoritative DNS server has a reverse lookup record of m1.example.com for the client’s IP address, while the DNS that is configured to be the Control Center’s primary DNS server has a reverse mapping of dhcp23.example.com for the same IP address. In this case, the Control Center will see the dhcp23.example.com name whenever the client connects, so that is the name that should be entered into the host access control list in the Control Center. This situation happens more frequently on private networks than on the public Internet.
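The following Python models the host access check described above, as an added example that is not code from the manual or the product. The PTR table, addresses and allow-list entries are constructed for the example; the allowed-host forms (host name, IP address, IP with subnet mask, CIDR netblock) are the ones the procedure names.

```python
import ipaddress

# Constructed reverse-DNS (PTR) table standing in for the DNS server the
# Control Center queries. Note 192.0.2.10: the client's own DNS may call it
# m1.example.com, but the Control Center's DNS says dhcp23.example.com, which
# is the scenario the text describes.
PTR_TABLE = {
    "192.0.2.10": "dhcp23.example.com",
    "192.0.2.11": "admin.example.com",
    "198.51.100.7": "m1.example.com",
}


def reverse_lookup(ip, ptr_table=PTR_TABLE):
    """Return the PTR name the Control Center's DNS sees for ip, or None."""
    return ptr_table.get(ip)


def parse_allowed_hosts(entries):
    """Split the 'Only the following hosts' list into networks and host names.

    Anything ipaddress can parse (a single address, address/netmask, or CIDR)
    becomes a network; everything else is treated as a host name.
    """
    networks, names = [], set()
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False lets '192.0.2.5/24' style entries with host bits through
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower().rstrip("."))
    return networks, names


def is_host_allowed(client_ip, allowed_entries, ptr_table=PTR_TABLE):
    """Decide whether a client reaches the login page or gets 403 Forbidden.

    Address-based entries are matched against the client IP directly. Name-based
    entries are matched against the reverse lookup of the client IP as seen from
    the Control Center's DNS, so a name that only the client's own DNS knows does
    not match, and a mistyped name matches nothing at all.
    """
    networks, names = parse_allowed_hosts(allowed_entries)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in networks):
        return True
    ptr = reverse_lookup(client_ip, ptr_table)
    if ptr is None:
        return False  # no reverse record: a name entry cannot match
    return ptr.lower().rstrip(".") in names
```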
Control Center certificate
Through the Control Center, you can designate a user interface HTTPS certificate. This enhances the security for the Control Center and those logging into it.
To designate a Control Center certificate
1 In the Control Center, click Settings > Control Center.
2 Through the User interface HTTPS certificate dropdown list, select the desired choice.
3 Click Save to store the current settings.
Configuring, enabling and scheduling Scanner replication
In the Control Center, replication refers to the process by which LDAP data are propagated from the Control Center to attached and enabled Scanners. Replication is controlled by global settings in the Control Center and by locally configurable settings on each Scanner. The following information will assist you in configuring and scheduling replication. However, no replication can occur until you have defined one or more LDAP servers to the Control Center and one full synchronization cycle has completed. For information on setting up LDAP services, see “Configuring LDAP settings” on page 29.
The replication attributes on the Control Center > Replication Settings page determine how replication operates in your installation. You can determine if replication is to take place, and how often it occurs. These are in addition to settings available on local Scanners attached and enabled through the Control Center.
To configure Control Center replication settings
1 In the Control Center, click Settings > Control Center.
2 To activate Scanner replication, check Enable Scanner Replication.
3 If Scanner replication is enabled, set the frequency and interval of replication for Replicate every as follows:
Frequency—Use this edit box to enter a digit indicating the number of intervals at which replication occurs.
Interval—Use the combo box to select the interval of time between replications. Available choices are hours and days.
The replication schedule should begin at a different time than the synchronization schedule to avoid schedule conflicts. For instance, if you have replication set to every 12 hours, setting the LDAP synchronization schedule to 53 minutes will help prevent one from starting while the other is in progress.
4 Click Replicate Now to have LDAP data replicated to all attached and enabled Scanners immediately.
5 Click Save to store the current settings.
6 To verify the most recent replication, click Status > Scanner Replication in the Control Center.
Note: The replication process will not complete until an LDAP synchronization source is available.
Local replication settings
Local replication settings for each Scanner are configured by editing the Scanner configuration. For more information, see “Starting and stopping replication” on page 38. Additional information is available for checking the status of Scanner replication and for troubleshooting possible problems with Scanner replication in “Replicating data to Scanners” on page 37 and “Troubleshooting replication” on page 39.
SMTP host
The Control Center manages the sending of the following information to designated email addresses and repositories at your site:
Alert notifications
Reports
Spam Quarantined messages
When the MTA for Symantec Mail Security for SMTP is used, messages that pass through it will be tracked by the message tracking log facilities in the product.
In order for the Control Center to know where to send information, you must supply the SMTP host IP address and port.
To specify where the Control Center should send alerts, reports, and quarantined messages
1 In the Control Center, click Settings > Control Center.
2 In the Control Center Settings section of the page, fill in the Host and Port values for the MTA.
3 Click Save to store the current settings.
System locale
The Control Center can be configured for single and double-byte character sets and for related language settings. This is done through the Locale setting.
To configure the Control Center to handle single and double-byte character sets and related foreign languages
1 In the Control Center, click Settings > Control Center.
2 Using the dropdown list in the System Locale section of the page, select a language from the list.
Chapter 3
Configuring email settings
Configuring address masquerading
Configuring aliases
Configuring local domains
Understanding spam settings
Configuring virus settings
Configuring invalid recipient handling
Configuring scanning settings
Configuring address masquerading
Address masquerading is a method of concealing email addresses or domain names behind the mail gateway by assigning replacement values to them. Symantec Mail Security for SMTP lets you implement address masquerading on inbound mail, outbound mail, or both.
Manage masqueraded entries
Follow these steps to add or edit masqueraded entries.
To add a masqueraded entry
1 In the Control Center, click Settings > Address Masquerading.
2 Click Add.
3 Specify an address or domain to masquerade.
4 Specify a new name for the address or domain name.
5 Specify a mail flow direction to which this masqueraded name will apply: inbound, outbound, or both.
6 Click Save.
To edit a masqueraded entry
1 In the Control Center, click Settings > Address Masquerading.
2 Click the masqueraded address or domain or check a box, and then click Edit.
3 In the Edit Masqueraded Entry page, modify the masqueraded entry as desired.
4 Click Save.
Importing masqueraded entries
In addition to creating new masqueraded entries, you can import them from a text file similar to the Sendmail virtusertable. In the import file, place each masquerade address definition on a line by itself. Each address in the file must be separated with one or more spaces or tabs, or a combination of spaces and tabs. Commas or semi-colons are not valid delimiters.
The masquerade address definition consists of the following:
Original entry—Specifies the original email address or domain name to be masqueraded.
Replacement entry—Specifies the replacement email address or domain name.
Apply to—Indicates the direction to which masquerading is applied.
Available choices are:
Inbound messages
Outbound messages
Inbound and outbound messages
Following is a sample import file:
orig1@domain.com new1@domain.com inbound
orig2@domain.com new2@domain.com outbound
orig3@domain.com new3@domain.com inbound/outbound
orig4@domain.com new4.com inbound
orig5@domain.com new5.com outbound
orig6@domain.com new6.com inbound/outbound
orig7.com new7@domain.com inbound
orig8.com new8@domain.com outbound
orig9.com new9@domain.com inbound/outbound
To import a list of masqueraded entries
1 In the Control Center, click Settings > Address Masquerading.
2 Click Import.
3 On the Import Masqueraded Entry page, enter or browse to the filename containing the list of masqueraded entries.
4 Click Import.
Note: If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Address Masquerading page to review the valid imported entries.
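As an added example, not code from the manual or the product, this Python validator reads a masquerade import file in the layout described above and separates the entries that would load from those the Note says are returned as unprocessed. The sample file is constructed, with bad lines added on purpose; treating a repeated original entry as the duplicate case is this example's interpretation of the Note.

```python
import re

# Constructed import file. Lines 1-4 are well formed; lines 5-8 exercise the
# rejection paths: duplicate original, comma delimiters, unknown direction,
# missing fields.
SAMPLE_IMPORT = """\
orig1@domain.com new1@domain.com inbound
orig2@domain.com\tnew2@domain.com  outbound
orig3@domain.com new3@domain.com inbound/outbound
orig7.com new7@domain.com inbound
orig1@domain.com new9@domain.com outbound
orig8.com, new8@domain.com, outbound
orig5@domain.com new5.com sideways
orig6@domain.com
"""

DIRECTIONS = {"inbound", "outbound", "inbound/outbound"}
# Shape checks for an address or a bare domain; deliberately not a full RFC 5321 parser.
ADDRESS_RE = re.compile(r"^[^@\s,;]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_address_or_domain(token):
    """True if token looks like user@domain.tld or domain.tld."""
    return bool(ADDRESS_RE.match(token) or DOMAIN_RE.match(token))


def parse_masquerade_import(text):
    """Return (accepted, rejected) for an import file.

    accepted: (original, replacement, direction) tuples in file order, lowercased.
    rejected: (line_number, line, reason) for lines that would end up in the
              unprocessed-entries download: comma/semicolon delimiters, wrong
              field count, malformed original or replacement, unknown direction,
              or a duplicate original entry.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "," in line or ";" in line:
            rejected.append((lineno, raw, "commas and semicolons are not valid delimiters"))
            continue
        fields = line.split()  # one or more spaces/tabs, in any combination
        if len(fields) != 3:
            rejected.append((lineno, raw, f"expected 3 fields, found {len(fields)}"))
            continue
        original, replacement, direction = fields
        direction = direction.lower()
        if not (is_address_or_domain(original) and is_address_or_domain(replacement)):
            rejected.append((lineno, raw, "original or replacement is not an address or domain"))
            continue
        if direction not in DIRECTIONS:
            rejected.append((lineno, raw, f"unknown direction {direction!r}"))
            continue
        key = original.lower()
        if key in seen:
            rejected.append((lineno, raw, "duplicate original entry"))
            continue
        seen.add(key)
        accepted.append((key, replacement.lower(), direction))
    return accepted, rejected


def unprocessed_entries(text):
    """Rebuild the file an administrator would download: the rejected lines only."""
    _, rejected = parse_masquerade_import(text)
    return "\n".join(line for _, line, _ in rejected)
```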
Configuring aliases
An alias is an email address that translates to one or more other email addresses. Windows users may understand this concept as a “distribution list.” You can add an alias as a convenient shortcut for typing a long list of recipients. An alias can also translate addresses from one top-level domain to another, such as from example.com to example-internetsecurity.com. Email addressed to kyi@example.com, for example, would be delivered to kyi@example-internetsecurity.com.
Note: The alias functionality available on the Settings > Aliases page is separate from LDAP aliases.
Note the following additional information about aliases:
Aliases are recursive. This means that an alias specified in the destination email address list is expanded as defined in the list of aliases. For example, with the aliases specified in Table 3-1, a message addressed to it@example.com would be delivered to the destination addresses for both it@example.com and ops@example.com, because it@example.com includes ops@example.com.
Table 3-1 Example of recursive aliases
Alias Destination addresses
it@example.com alro@example.com, oak@example.com, ops@example.com
ops@example.com tla@example.com, bmi@example.com, map@example.com
Alias transformation does not occur for messages passing through Symantec Mail Security for SMTP’s MTA to the Internet. Alias transformation only applies to inbound or internal messages that pass through Symantec Mail Security for SMTP’s MTA.
The system’s inbound MTA checks email addresses in the SMTP envelope To: to determine whether any need to be transformed. Transformed addresses are written back to the SMTP envelope message To:. The contents of the To: and Cc: headers are ignored and not changed.
Inbound address masquerading has precedence over aliases. If the same original email address or domain exists in both the address masquerading list and the aliases list, but the new address or domain is different, the message is routed to the new address or domain in the address masquerade list, not the aliases list.
Manage aliases
Follow these steps to add or edit aliases.
To add an alias
1 In the Control Center, click Settings > Aliases.
2 Click Add.
3 In the Add Aliases page, type the alias in the Alias domain or email address box.
Alias form Examples
Email address—specify one user name and domain kyi@example.com
Domain—specify one domain from which email addresses should be translated example.com
4 Type a domain or one or more destination email addresses in the Domain or email addresses for this alias box.
Alias form Examples
Email address—specify user name and domain for each email address. Separate multiple email addresses with a comma, semicolon, or space. oak@example.com, ops@example.com
Domain—specify one domain to which email addresses should be translated symantec-internetsecurity.com
5 Click Save.
To edit an alias
1 In the Control Center, click Settings > Aliases.
2 Click the alias or check the box next to an alias, and then click Edit.
3 In the Edit aliases page, modify the text in the Alias domain or email address box as desired.
4 Modify the text in the Domain or email addresses for this alias box as desired.
5 Click Save.
Importing aliases
Aliases can be imported from a text file. Each address in the text file must be separated with one or more spaces or tabs, or a combination of spaces and tabs. Commas or semi-colons are not valid delimiters. In the import file, each line must contain an alias address followed by one or more destination addresses. Following is a sample import file:
oak@example.com quercus@symantec-internetsecurity.com
ops@example.com tla@example.com bmi@example.com
noadsorspam.com blocksads.com
To import aliases
1 In the Control Center, click Settings > Aliases.
2 Click Import.
3 On the Import Aliases page, enter or browse to the filename containing the list of aliases.
4 Click Import.
Note: If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Aliases page to review the valid imported entries.
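The following Python is an added example, not code from the manual or the product: it parses an alias import file in the layout described above and then expands one envelope recipient recursively, the way Table 3-1 describes, including a domain alias such as the noadsorspam.com line. The sample file is constructed; the visited-set guard against a self-referencing alias cycle and the rejection of a twice-defined alias are this example's own choices, since the manual does not say how the product handles either case.

```python
# Constructed import file: the recursive aliases of Table 3-1, the sample import
# lines from the section above, a deliberate alias cycle, and a bad line.
SAMPLE_ALIASES = """\
it@example.com  alro@example.com oak@example.com ops@example.com
ops@example.com tla@example.com\tbmi@example.com map@example.com
oak@example.com quercus@symantec-internetsecurity.com
noadsorspam.com blocksads.com
loop-a@example.com loop-b@example.com
loop-b@example.com loop-a@example.com
bad@example.com one@example.com, two@example.com
"""


def parse_alias_import(text):
    """Return ({alias: [destinations]}, rejected).

    rejected holds (line_number, line) for lines the import would leave
    unprocessed: comma or semicolon delimiters, fewer than two fields, or an
    alias that the file already defined.
    """
    aliases, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.lower().split()  # any mix of spaces and tabs
        if "," in line or ";" in line or len(fields) < 2 or fields[0] in aliases:
            rejected.append((lineno, raw))
            continue
        aliases[fields[0]] = fields[1:]
    return aliases, rejected


def expand_recipient(address, aliases):
    """Expand one SMTP envelope recipient through the alias table, recursively.

    An address alias is replaced by its destination list, and each destination
    is looked up again (aliases are recursive). An address with no alias of its
    own is rewritten by a domain alias for its domain, keeping the local part
    (kyi@noadsorspam.com -> kyi@blocksads.com). The visited set is this
    example's guard against a cycle; it yields no destinations for one.
    Returns the final destination addresses, sorted.
    """
    final, visited, pending = set(), set(), [address.lower()]
    while pending:
        addr = pending.pop()
        if addr in visited:
            continue
        visited.add(addr)
        if addr in aliases:
            pending.extend(aliases[addr])
            continue
        local, _, domain = addr.partition("@")
        if domain in aliases:
            # domain alias: the single destination is the replacement domain
            pending.append(f"{local}@{aliases[domain][0]}")
            continue
        final.add(addr)
    return sorted(final)
```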
Configuring local domains
On the Local Domains page, you can view, add, edit, and delete local domain names and email addresses for which inbound messages are accepted. You can also import lists of local domains formatted as described in this section.
Work with local domains
Use these procedures to manage local domains.
To add local domains or email addresses
1 In the Control Center, click Settings > Local Domains.
2 On the Local Domains page, click Add.
3 In Domain or email address from which to accept inbound mail, enter a local domain, subdomain, or email address. The resulting behavior for each setting is as follows:
Setting Syntax Behavior
Domain name company.com The system accepts email for all recipients in the specified domain.
Subdomain .company.com The system accepts email for all recipients in all subdomains of the parent domain, but not in the parent domain.
Email address user@company.com The system accepts email only for the specified recipient.
You can also specify a destination host to which the domain or email address is routed via the Optional Destination Host field. You can specify both host name and port for the destination host as well as enable MX lookup.
Note: If you do not specify a destination host here, the domain or email address is routed to the Inbound Relay you configure on the SMTP Settings page. See “SMTP Scanner settings” on page 22.
4 Click Save to add the domain, subdomain, or email address.
To delete a local domain
1 In the Control Center, click Settings > Local Domains.
2 Select a local domain from the list of domains.
3 Click Delete.
Importing local domains and email addresses
Lists of local domain definitions and email addresses can be imported from a US-ASCII file, similar to the Sendmail mailertable. In the import file, place each domain definition on a line by itself. The domain definition consists of the following:
Domain Name—Can be either a complete domain name, a subdomain name, or an email address.
Destination—Consists of destination type and destination host name. Only definitions with a destination type (Mailer) of SMTP or ESMTP are supported, and %backreferences are not supported. After import, ESMTP destination types convert to SMTP. When the host name is enclosed in brackets—smtp:[destination.domain.com]—MX lookup is not performed for the destination host.
Here is a sample import file:
local1@domain.com smtp:local1.com
local2@domain.com smtp:local2.com:20
local3@domain.com smtp:[local3.com]:30
local4@domain.com smtp:[local4.com]
.local5.com smtp:[192.168.248.105]
local6.com smtp:[192.168.248.106]:60
To import a list of local domains
1 In the Control Center, click Settings > Local Domains.
2 Click Import.
3 On the Import Local Domains page, enter or browse to the file containing the list of domain definitions.
4 Click Import.
Note: If entries in the import file do not match the required file format, you can download a file containing the unprocessed entries.
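This added Python example, which is not code from the manual or the product, parses a local-domains import file in the mailertable-like layout above (SMTP/ESMTP only, bracketed host disables MX lookup, %backreferences refused) and then applies the domain, subdomain and email-address matching rules from the table earlier in this section to an inbound recipient. The sample file is constructed; defaulting to port 25 when none is given and checking an exact address before its domain are this example's assumptions.

```python
import re

# Constructed import file. The last two lines are deliberately unsupported
# (non-SMTP mailer, %backreference) to exercise the unprocessed-entries path.
SAMPLE_LOCAL_DOMAINS = """\
local1@domain.com smtp:local1.com
local2@domain.com smtp:local2.com:20
local3@domain.com smtp:[local3.com]:30
.local5.com smtp:[192.168.248.105]
local6.com esmtp:[192.168.248.106]:60
company.com smtp:mx.company.com
bad.example procmail:/var/spool
bad2.example smtp:%1.backend.example
"""

# mailer:host or mailer:[host], each optionally followed by :port
DEST_RE = re.compile(
    r"^(?P<mailer>[A-Za-z]+):(?P<host>\[[^\]]+\]|[^\[\]:\s]+)(?::(?P<port>\d{1,5}))?$"
)


def parse_destination(token):
    """Parse one destination field, or return None if it is not supported.

    Only SMTP and ESMTP mailers are accepted and ESMTP is recorded as SMTP;
    %backreferences are refused; a bracketed host disables MX lookup.
    Port 25 when no port is given is this example's assumption.
    """
    m = DEST_RE.match(token)
    if not m or m.group("mailer") not in ("smtp", "esmtp"):
        return None
    host = m.group("host")
    if "%" in host:
        return None
    port = int(m.group("port")) if m.group("port") else 25
    if not 1 <= port <= 65535:
        return None
    return {"mailer": "smtp", "host": host.strip("[]"), "port": port,
            "mx_lookup": not host.startswith("[")}


def parse_local_domains(text):
    """Return ({domain_or_address: destination}, rejected).

    rejected holds (line_number, line) for lines without exactly two
    whitespace-separated fields, with an unsupported destination, or that
    repeat a name defined earlier in the file.
    """
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.lower().split()
        if not fields:
            continue
        dest = parse_destination(fields[1]) if len(fields) == 2 else None
        if dest is None or fields[0] in entries:
            rejected.append((lineno, raw))
            continue
        entries[fields[0]] = dest
    return entries, rejected


def route_inbound_recipient(address, entries):
    """Apply the Local Domains matching rules to one inbound recipient.

    'company.com' accepts recipients in that domain only; '.company.com'
    accepts recipients in any subdomain but not the parent domain; an email
    address accepts only that recipient. Returns the destination dict, or
    None when the recipient is not in a local domain.
    """
    addr = address.lower()
    _, _, domain = addr.partition("@")
    if addr in entries:
        return entries[addr]
    if domain in entries:
        return entries[domain]
    labels = domain.split(".")
    # a.b.company.com is checked against .b.company.com, then .company.com
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in entries:
            return entries[key]
    return None
```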
Understanding spam settings
The following types of spam settings are available in Symantec Mail Security for SMTP:
Configuring suspected spam
Choosing language identification type
Software acceleration
Configuring suspected spam
Note: This feature is only available if you are running Symantec Premium AntiSpam (SPA). If you would like to know more about this feature, contact your Symantec representative.
When evaluating whether messages are spam, Symantec Mail Security for SMTP calculates a spam score from 1 to 100 for each message, based on techniques such as pattern matching and heuristic analysis. If an email scores in the range of 90 to 100 after being filtered by Symantec Mail Security for SMTP, it is defined as spam.
For more aggressive filtering, you can optionally define a discrete range of scores from 25 to 89. The messages that score within this range will be considered “suspected spam.” Unlike spam, which is determined by Symantec and not subject to adjustment by administrators, you can adjust the trigger for suspected spam. Using policies, you can specify different actions for messages identified as suspected spam and messages identified as spam by Symantec.
For example, assume that you have configured your suspected spam scoring range to encompass scores from 80 through 89. If an incoming message receives a spam score of 83, Symantec Mail Security for SMTP will consider this message to be suspected spam, and will apply the action you have in place for suspected spam messages, such as Modify the Message (tagging the subject line). Messages that score 90 or above will not be affected by the suspected spam scoring setting, and will be subject to the action you have in place for spam messages, such as Quarantine the Message.
Note: Symantec recommends that you not adjust the spam threshold until you have some exposure into the filtering patterns at your site. Then, gradually move the threshold setting down 1 to 5 points per week until the number of false positives is at the highest level acceptable to you. A great way to test the effects of spam scoring is to set up a designated mailbox or user to receive false positive notifications to monitor the effects of changing the spam score threshold.
Choosing language identification type
Language identification is the ability to block or allow messages written in a specified language. For example, you can choose to only allow English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages.
You can use one of two types of language identification:
Language identification offered by Symantec Mail Security for SMTP
Processing takes place within the software, and no further software needs to be installed. Using the Policies > Group Policies > Edit > Language tab, administrators can set language preferences or allow users to set language preferences.
Language identification offered by the Symantec Outlook Spam Plug-in
Processing takes place on each user’s computer, and each user must install the Symantec Outlook Spam Plug-in. Users set their own language preferences.
Software acceleration
It is possible to increase the speed at which your software can operate. Doing so will increase your need for system memory. Software acceleration is turned on by default.
Configuring spam settings
You can use the Spam Settings page to configure settings for suspected spam, language identification, and software acceleration.
To configure spam settings:
1 In the Control Center, click Settings > Spam.
2 Under Do you want messages to be flagged as suspected spam?, click Yes.
3 Click and drag the slider to increase or decrease the lower limit of the range for suspected spam. You can also type a value in the box.
4 Under Do you want to enable Language Identification, click Yes or No.
Yes Click Yes if users will use the Symantec Outlook Spam Plug-in for language identification. Built-in language identification is disabled, and can’t be accessed in the Edit Group page.
No Click No to use the built-in language identification. Symantec Outlook Spam Plug-in language identification won’t work if you click No.
5 Under Software acceleration, check Enable antispam software acceleration.
6 Click Save.
Configuring virus settings
The following types of virus settings are available in Symantec Mail Security for SMTP:
Configuring LiveUpdate
Excluding files from virus scanning
Configuring general settings
Configuring LiveUpdate
LiveUpdate is the process by which your system receives current virus definitions from Symantec Security Response.
Work with LiveUpdate
Follow these procedures to view LiveUpdate status, start LiveUpdate, and schedule LiveUpdate to run automatically.
To view LiveUpdate status
1 Click Settings > Virus.
The top portion of the LiveUpdate tab shows the time of the last update attempt, its status, and the update version number.
2 Click View Manifest to view a complete list of virus definitions contained in this update.
To initiate a LiveUpdate
1 Click Settings > Virus.
2 Click LiveUpdate.
3 Click the LiveUpdate Now button.
To set the LiveUpdate schedule
1 Click Settings > Virus.
2 Click LiveUpdate.
3 To discontinue using an automatic update schedule, click the Disable automatic updates button.
4 To implement scheduled automatic updates, click the Enable scheduled updates button.
5 Specify a day or days of the week and time at which to begin LiveUpdates.
6 Specify an interval of time after which LiveUpdate runs again.
Configuring Rapid Response updates
Rapid Response updates retrieve the very latest virus definitions from Symantec Security Response. While Rapid Response definitions are published more frequently (every 10 minutes) than automatic update definitions, they are not as thoroughly tested.
To receive Rapid Response updates
1 Click Settings > Virus.
2 Click LiveUpdate.
3 Click Enable Rapid Response updates.
Symantec Mail Security for SMTP checks every 10 minutes after this setting is saved.
4 Click Save.
Installing non-default definitions
Symantec Mail Security for SMTP employs the Intelligent Updater in order to update virus definitions. You can also update antivirus files with any other Symantec definitions downloaded to the computer running Symantec Mail Security for SMTP.
To enable installation of non-default definitions:
Click the box, Check for and install non-default definitions.
Excluding files from virus scanning
You can exclude specific classes and formats of files (such as .wav or MIDI) from being scanned by Symantec Mail Security for SMTP.
To exclude a class and format of file from virus scanning
1 Click Settings > Virus.
2 Click Exclude Scanning.
3 Click Add to create a definition of files for exclusion from virus scanning.
4 Name the definition by placing a value in Exclude scanning list name.
5 In the File Classes list, choose All File Classes or a specific class such as Sound.
6 If you choose to exclude specific file classes, you can also select the types of files in that class to be excluded in the File Type list.
7 Click the Add File Classes or Add File Types button.
8 Click Save to store a list.
Configuring general settings
The Bloodhound level determines the way in which the system uses heuristics to flag viruses. Symantec Mail Security uses Symantec Bloodhound™ heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses.
Bloodhound requires minimal overhead because it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.
Lower heuristic levels may miss viruses, but consume less processing power, potentially speeding incoming mail processing. Higher heuristic levels may catch more viruses, but consume more processing power, potentially slowing incoming mail processing.
To set the Bloodhound Level
1 Click Settings > Virus .
2 Under Bloodhound Level, click the High, Medium, Low, or Off button.
3 Click Save.
Configuring invalid recipient handling
By default, when an email message arrives addressed to your domain, but is not addressed to a valid user, Symantec Mail Security for SMTP passes the message to the internal mail server. The internal mail server may either accept the message and generate a bounce message for that recipient, or the internal mail server may reject the recipient, in which case Symantec Mail Security for SMTP generates a bounce message for the recipient. Upon receiving the bounce message, the sender can resend the original message with the correct address.
However, messages with invalid recipients can also result from a spammer’s directory harvest attack.
You can drop all messages for invalid recipients using the Drop messages for invalid recipients action described below. There is a Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attack page that only removes invalid recipients if a directory harvest attack is occurring. These two settings can be combined or enabled individually.
Note: Dropping messages for invalid recipients is an extreme measure. Enabling it may prevent diagnosis of serious problems with your email configuration, so only enable it after you’re sure your email system is stable. Also, if enabled, even accidentally mis-addressed messages will be dropped, and no bounce message sent. The Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attack page is a less extreme measure.
To configure invalid recipient handling
1 In the Control Center, click Settings > Invalid Recipients.
2 Do one of the following:
Uncheck Drop messages for invalid recipients to return bounce messages to the sender for invalid addresses.
Check Drop messages for invalid recipients to drop invalid messages from the mail stream and return no bounce messages to the sender. For this setting to take effect, a full synchronization and replication cycle must be completed.
This setting is independent of the Directory Harvest Attack Email Firewall policy, and can be used in conjunction with it.
3 Click Save.
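The distinction the page draws (bounce every invalid recipient, drop every invalid recipient, or drop them only while a directory harvest attack is under way) is easiest to see on a recipient log. The following is an added example, not code from Symantec Mail Security for SMTP: the log format, the threshold of five invalid recipients, the five-minute window and the sample log lines are all constructed for this example and are not taken from the product.

```python
"""Directory harvest attack (DHA) detection over SMTP recipient logs.

Added example, not code from Symantec Mail Security for SMTP. The manual
describes a DHA as a burst of non-existent recipient addresses from one IP
address; the log format, the threshold and the time window below are this
example's own assumptions, and the sample log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one RCPT TO attempt per line:
#   <ISO timestamp> <client IP> RCPT <recipient> <valid|invalid>
SAMPLE_LOG = """\
2006-03-01T10:00:01 203.0.113.5 RCPT alice@example.com valid
2006-03-01T10:00:02 203.0.113.5 RCPT bob@example.com valid
2006-03-01T10:00:02 198.51.100.9 RCPT aaron@example.com invalid
2006-03-01T10:00:03 198.51.100.9 RCPT abby@example.com invalid
2006-03-01T10:00:03 198.51.100.9 RCPT abe@example.com invalid
2006-03-01T10:00:04 198.51.100.9 RCPT adam@example.com invalid
2006-03-01T10:00:04 198.51.100.9 RCPT alan@example.com invalid
2006-03-01T10:00:05 198.51.100.9 RCPT alice@example.com valid
2006-03-01T10:00:05 198.51.100.9 RCPT alex@example.com invalid
2006-03-01T10:00:06 203.0.113.5 RCPT carol@example.com invalid
2006-03-01T10:30:00 198.51.100.9 RCPT ruth@example.com invalid
"""


def parse_log(text):
    """Return (timestamp, client_ip, recipient, is_valid) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "RCPT":
            continue  # a line in another format is skipped, not guessed at
        events.append((datetime.fromisoformat(parts[0]), parts[1],
                       parts[3], parts[4] == "valid"))
    events.sort(key=lambda e: e[0])
    return events


def find_harvesters(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: time first flagged} for IPs that sent at least
    `threshold` invalid recipients within any span of length `window`."""
    recent = defaultdict(deque)  # per IP: timestamps of recent invalid RCPTs
    flagged = {}
    for ts, ip, _recipient, is_valid in events:
        if is_valid:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def invalid_recipient_response(ip, harvesters, drop_all_invalid=False):
    """Response to an invalid recipient from `ip`, mirroring the two settings
    on the page: 'drop' removes the recipient with no bounce, 'bounce' returns
    one. drop_all_invalid stands for Drop messages for invalid recipients;
    membership in `harvesters` stands for Remove invalid recipients, which
    only applies while a directory harvest attack is occurring."""
    if drop_all_invalid or ip in harvesters:
        return "drop"
    return "bounce"


if __name__ == "__main__":
    hits = find_harvesters(parse_log(SAMPLE_LOG))
    for ip, when in hits.items():
        print("%s flagged at %s" % (ip, when.isoformat()))
    print("203.0.113.5 ->", invalid_recipient_response("203.0.113.5", hits))
```

In the sample, 198.51.100.9 reaches five invalid recipients at 10:00:04 and is flagged; its single invalid recipient half an hour later falls outside the window and starts a fresh count. 203.0.113.5 mis-addresses one message and still receives a bounce, which is the behaviour the Note above argues for: the global drop setting would silence that bounce too.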
Configuring scanning settings
Use the Scanning Settings page to configure container settings and content filtering settings.
Configuring container settings
When Symantec Mail Security for SMTP processes certain zip files and other types of compressed files, these files can expand to the point where they deplete system memory. Such container files are often referred to as “zip bombs.” Symantec Mail Security for SMTP can handle such situations by automatically sidelining large attachments and cleaning them. There is a presumption that such a file can be a zip bomb and should not be allowed to deplete system resources. The file is sidelined for cleaning only because of its size, not because of any indication that it contains a virus.
You can specify this size threshold and the maximum extraction level that Symantec Mail Security for SMTP will process in memory, as well as a time limit for scanning containers. If any configured limit is reached, Symantec Mail Security for SMTP treats the message as unscannable and performs the action designated for the “unscannable” category in the Group Policies settings (by default, Delete the message; see Table 4-5).
To configure container settings
1 In the Control Center, click Settings > Scanning.
2 Under Container Settings, specify a number in the Maximum container scan depth box.
A container is unscannable for viruses if the nested depth in a container file (such as a .zip file or email message) exceeds the number specified. Do not set this value too high or you could be vulnerable to denial of service attacks or zip bombs, in which huge amounts of data are zipped into very small files.
3 Specify a number in the Maximum time to open container box and click Seconds, Minutes, or Hours.
A container is unscannable for viruses if the specified time elapses when scanning containers (such as .zip files). Use this setting to detect containers that don’t exceed the other container settings, but yet include container nesting, many files, large files, or a combination of these.
4 Specify a number in the Maximum individual file size when opened box and click KB, MB, or GB.
A container is unscannable for viruses if any individual component of the container when unpacked exceeds the size specified.
5 Specify a number in the Maximum accumulated file size when opened box and click KB, MB, or GB.
A container is unscannable for viruses if the total size of all the files in a container when unpacked exceeds the size specified.
6 Click Save.
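The four limits above are the standard defences against decompression bombs, and the order in which they trip is easiest to see by running them against real archives. The following is an added example, not product code from Symantec Mail Security for SMTP: it implements the same four checks (depth, time, individual size, accumulated size) as an offline checker over zip data. The limit names and default values are this example's own assumptions chosen to mirror the Container Settings page, and the archives it builds are constructed inputs.

```python
"""Offline checker for the container limits described above (nesting depth,
time to open, individual file size, accumulated file size).

Added example, not product code from Symantec Mail Security for SMTP. The
limit names and defaults are this example's own assumptions, chosen to mirror
the four Container Settings; the sample archives are constructed.
"""
import io
import time
import zipfile

DEFAULT_LIMITS = {
    "max_depth": 3,                      # Maximum container scan depth
    "max_seconds": 5.0,                  # Maximum time to open container
    "max_file_bytes": 1024 * 1024,       # Maximum individual file size when opened
    "max_total_bytes": 4 * 1024 * 1024,  # Maximum accumulated file size when opened
}
CHUNK = 64 * 1024
ZIP_MAGIC = b"PK\x03\x04"


class Unscannable(Exception):
    """Raised the moment a limit is exceeded, so unpacking stops there."""


def _walk(data, limits, depth, state):
    if depth > limits["max_depth"]:
        raise Unscannable("nesting depth %d exceeds %d" % (depth, limits["max_depth"]))
    state["depth"] = max(state["depth"], depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cheap rejection on the declared size; the loop below enforces the
            # same limits on bytes actually produced, because headers can lie.
            if info.file_size > limits["max_file_bytes"]:
                raise Unscannable("%s declares %d bytes" % (info.filename, info.file_size))
            produced, nested = 0, None
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    if produced == 0 and chunk.startswith(ZIP_MAGIC):
                        nested = bytearray()  # member is itself an archive: keep it for recursion
                    produced += len(chunk)
                    state["total"] += len(chunk)
                    if produced > limits["max_file_bytes"]:
                        raise Unscannable("%s expands past %d bytes" % (info.filename, limits["max_file_bytes"]))
                    if state["total"] > limits["max_total_bytes"]:
                        raise Unscannable("accumulated size passes %d bytes" % limits["max_total_bytes"])
                    if time.monotonic() - state["start"] > limits["max_seconds"]:
                        raise Unscannable("time limit of %.1f s reached" % limits["max_seconds"])
                    if nested is not None:
                        nested += chunk
            state["files"] += 1
            if nested is not None and zipfile.is_zipfile(io.BytesIO(bytes(nested))):
                _walk(bytes(nested), limits, depth + 1, state)


def inspect_container(data, limits=DEFAULT_LIMITS):
    """Verdict for one attachment: whether it is scannable, the reason if not,
    the deepest nesting level reached and the bytes produced before stopping."""
    state = {"depth": 0, "total": 0, "files": 0, "start": time.monotonic()}
    scannable, reason = True, ""
    try:
        _walk(data, limits, 1, state)
    except Unscannable as exc:
        scannable, reason = False, str(exc)
    except zipfile.BadZipFile as exc:  # malformed container: also unscannable
        scannable, reason = False, "malformed container: %s" % exc
    return {"scannable": scannable, "reason": reason, "depth": state["depth"],
            "total_bytes": state["total"], "files": state["files"]}


# Constructed inputs for exercising the checker.
def build_nested_zip(levels, payload=b"hello"):
    """`payload` wrapped in `levels` zip archives, one inside the next."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.txt" if i == 0 else "level%d.zip" % i, data)
        data = buf.getvalue()
    return data


def build_members_zip(count, uncompressed_size):
    """`count` members of zeros, each expanding to `uncompressed_size` bytes:
    small on the wire, large when opened."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(count):
            zf.writestr("zeros%d.bin" % i, b"\0" * uncompressed_size)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("3 levels", build_nested_zip(3)),
                        ("4 levels", build_nested_zip(4)),
                        ("2 MB member", build_members_zip(1, 2 * 1024 * 1024)),
                        ("5 x 900 KB", build_members_zip(5, 900 * 1024))]:
        print(label, inspect_container(blob))
```

Two design points carry over to any scanner configuration. The declared size in a member's header is only a fast path; the limit is enforced again on the bytes actually decompressed, because a crafted header can understate the size. And the accumulated limit is what catches the archive whose members each stay under the individual limit: five members of 900 KB pass the per-file check and fail the 4 MB total, which is exactly the case step 5 above exists for.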
Configuring content filtering settings
In addition to checking plain text files against the words defined in content-related policies, Symantec Mail Security for SMTP can check attachments that are not plain-text files against these dictionaries. While such checking maximizes the effect of content filtering, it can also increase the system load and slow down email filtering.
To check attachments that are not plain text against your dictionaries
1 Click Settings > Scanning.
2 In Content Filtering Settings, check Enable searching of non-plain text attachments for words in dictionaries. This can decrease system efficiency.
3 Click Save.
Chapter 4
Configuring email filtering
This chapter includes the following topics:
About email filtering
Creating groups and adding members
Assigning filter policies to a group
Managing Group Policies
Creating virus, spam, and compliance filter policies
Managing Email Firewall policies
Configuring Sender Authentication
Managing policy resources
About email filtering
Although Symantec Mail Security for SMTP provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content filtering and Email Firewall policies offer further methods of managing mail flow into and out of your organization.
Symantec Mail Security for SMTP provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.
You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict.
Each category of email includes one or more verdicts. Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security for SMTP performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member.
The following table lists filtering verdicts by filtering category:
Table 4-1 Filtering verdicts by category
Email Firewall
Directory harvest attack: Connection is blocked because an attempt is underway (via emailing to your domain with a specified number of non-existent recipient addresses, sent from the same IP address) to capture valid email addresses.
Spam attack: Connection is blocked because a specified quantity of spam messages has been received from a particular IP address.
Virus attack: Connection is blocked because a specified quantity of infected messages has been received from a particular IP address.
Virus
Virus: Email is flagged because it contains a virus, based on current Symantec virus filters.
Mass-mailing worm: Email is flagged because it contains a mass-mailing worm, based on current virus filters from Symantec.
Unscannable for viruses: Email is flagged because it exceeds the container limits configured on the Scanning Settings page, or because it is unscannable for other reasons, such as malformed MIME attachments.
Encrypted attachment: Email is flagged because it contains an attachment that is encrypted or password-protected and therefore cannot be scanned.
Spyware or adware: Email is flagged because it contains any of the following types of security risks: spyware, adware, hack tools, dialers, joke programs, or remote access programs. See “Security risks” on page 70 for descriptions of these risks.
Suspicious attachment: Email is flagged because it contains an attachment that may contain a virus or other threat.
Spam
Spam: Email is flagged as spam, based on current spam filters from Symantec.
Suspected spam: Email is flagged as suspected spam based on administrator-configurable Spam Scoring.
Content Compliance
Any part of a message: Email is flagged because it contains keywords in your configurable dictionary.
Attachment type: Email is flagged because it contains a specific attachment type.
Attachment content: Email is flagged because specific text appears in a specific frequency in its attachments.
Subject: Email is flagged based on the text in the Subject: line.
From: Address: Email is flagged based on the text in the From: address.
To: Address: Email is flagged based on the text in the To: address.
Cc: Address: Email is flagged based on the text in the Cc: address.
Bcc: Address: Email is flagged based on the text in the Bcc: address.
To:/Cc:/Bcc: Address: Email is flagged based on the text in the To:, Cc:, or Bcc: address.
From:/To:/Cc:/Bcc: Address: Email is flagged based on the text in the From:, To:, Cc:, or Bcc: address.
Envelope Sender: Email is flagged because its envelope contains a particular sender address.
Envelope Recipient: Email is flagged because its envelope contains a particular recipient address.
Envelope HELO: Email is flagged because its envelope contains a particular SMTP HELO domain.
Message Header: Email is flagged because it contains a particular header.
Message Size: Email is flagged because it is a particular size.
Body: Email is flagged based on the text in the body.
For all messages: All email not filtered by a higher precedence policy is flagged.
The following table shows the filtering actions available for each verdict.
Note: See “Notes on filtering actions” on page 66 for additional limitations, including which actions are available for which verdicts.
Table 4-2 Filtering actions by verdict
Add a header: Add an X-header to the message.
Add annotation: Insert predefined text into the message (a disclaimer, for example).
Add BCC recipients: Blind carbon copy the message to the designated SMTP address(es).
Archive the message: Deliver the original message and forward a copy to the designated SMTP address, and, optionally, host.
Bounce the message: Return the message to its From: address with a custom response, and deliver it to the recipient. Optionally, the original message can be included.
Clean the message: Delete unrepairable virus infections and repair repairable virus infections.
Defer SMTP connection: Using a 4xx SMTP response code, tell the sending MTA to try again later.
Delay message delivery: Hold the message in the Suspect Virus Quarantine for a configured number of hours (default is six hours), then refilter, using new virus definitions, if available. Only available for the suspicious attachment verdict.
Delete the message: Delete the message.
Deliver the message normally: Deliver the message. Viruses and mass-mailing worms are neither cleaned nor deleted.
Deliver message to the recipient’s Spam folder: Deliver the message to end-user Spam folder(s). Requires use of the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino.
Forward the message: Forward the message to designated SMTP address(es).
Hold message in Spam Quarantine: Send the message to the Spam Quarantine.
Modify the Subject line: Add a tag to the message’s Subject: line.
Reject SMTP connection: Using a 5xx SMTP response code, notify the sending MTA that the message is not accepted.
Remove invalid recipients: If a directory harvest attack is taking place, remove each invalid recipient rather than sending a bounce message to the sender. You must complete LDAP synchronization and Scanner replication before enabling this feature.
Route the message: Route the message using the designated SMTP host.
Save to disk: Save the message to a standard location on the Scanner computer. On Solaris or Linux, you must specify a writable directory.
Send notification: Deliver the original message and send a predefined notification to designated SMTP address(es) with or without attaching the original message.
Strip and hold in Suspect Virus Quarantine: Remove all message attachments and hold the message in the Suspect Virus Quarantine for a configured number of hours (default is six hours). Then refilter, with new virus definitions, if available. Only available for the suspicious attachment verdict.
Strip attachments: Remove all message attachments.
Treat as a blocked sender: Process the message using the action(s) specified in the domain-based Blocked Senders List. Applies even if the domain-based Blocked Senders List is disabled, and applies to inbound messages only.
Treat as a mass-mailing worm: Process the message using the action(s) specified in the associated worm policy. The message is delivered normally if the worm policy is disabled or does not apply because of message direction.
Treat as an allowed sender: Process the message using the action(s) specified in the domain-based Allowed Senders List. Applies even if the domain-based Allowed Senders List is disabled, and applies to inbound messages only.
Treat as a virus: Process the message using the action(s) specified in the associated virus policy. The message is delivered normally if the virus policy is disabled or does not apply because of message direction.
Treat as spam: Process the message using the action(s) specified in the associated spam policy. The message is delivered normally if the spam policy is disabled or does not apply because of message direction.
Treat as suspected spam: Process the message using the action(s) specified in the associated suspected spam policy. The message is delivered normally if the suspected spam policy is disabled or does not apply because of message direction.
Notes on filtering actions
When using Table 4-2 consider the following limitations:
All Virus verdicts except suspicious attachments share the same available actions. Two additional actions, Delay message delivery and Strip and hold in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.
All Spam verdicts share the same available actions.
All Content Compliance verdicts share the same available actions.
Messages from senders in the Allowed Senders Lists are always delivered directly to end-user mailboxes, bypassing spam filtering.
When using the Modify the subject action, you can specify the character set encoding to use. If the encoding you choose is different than the encoding used by the original message, either the message or the modified subject line will not be displayed correctly.
When using the Save to disk action on Solaris or Linux, you must specify a writeable directory.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See Table 4-5, “Virus categories and default actions,” on page 75.
The Bounce the message action sends its response to the message’s From: address. Spam and virus-carrying messages routinely forge that address, so bouncing them for the Spam or Virus verdicts sends the response to an uninvolved third party rather than to the real sender.
Multiple actions
You can create compound actions, performing multiple actions for a particular verdict. An example follows:
1 Defining a virus policy, the administrator selects the Virus verdict and then assigns the actions, Clean, Add annotation, and Send notification to the policy.
2 Defining a Group Policy, the administrator assigns members then selects the new virus policy.
3 An email message is received whose recipients include someone in the new Group Policy.
4 Symantec Mail Security for SMTP cleans the message, annotates it, then sends a notification to its intended recipients.
The following table lists the limitations on combining actions.
Table 4-3 Compatibility of filtering actions by verdict
Add a header: Compatible with any except Delete the message. Can be added multiple times: No.
Add annotation: Compatible with any except Delete the message. Can be added multiple times: One for header or one for footer, but not both.
Add BCC recipients: Compatible with any except Delete the message. Can be added multiple times: Yes.
Archive the message: Compatible with any. Can be added multiple times: No.
Bounce the message: Compatible with any. Can be added multiple times: No.
Clean the message: Compatible with any except Delete the message. Can be added multiple times: No.
Defer SMTP connection: Can’t be used with other actions. Can be added multiple times: No.
Delay message delivery: Compatible with any except Delete the message, Deliver message normally, Hold the message in Spam Quarantine, Strip and delay. Can be added multiple times: No.
Delete the message: Compatible only with Bounce the message, Send notification, Archive the message. Can be added multiple times: No.
Deliver message normally: Compatible with any except Delay message delivery, Delete the message, Quarantine the message, and Strip and delay. Can be added multiple times: No.
Deliver the message to the recipient’s Spam folder: Compatible with any except Delete the message. Can be added multiple times: No.
Forward the message: Compatible with any except Delete the message. Can be added multiple times: Yes.
Hold message in Spam Quarantine: Compatible with any except Delay message delivery, Deliver the message normally, Delete the message, Strip and delay. Can be added multiple times: No. If used with Deliver the message to the recipient’s Spam folder, affected messages are quarantined, but if released from Spam Quarantine, messages are delivered to the recipient’s Spam folder.
Modify the Subject line: Compatible with any except Delete the message. Can be added multiple times: One for prepend and one for append.
Reject SMTP connection: Can’t be used with other actions. Can be added multiple times: No.
Remove invalid recipients: Compatible with any except Delete the message. Can be added multiple times: No.
Route the message: Compatible with any except Delete the message. Can be added multiple times: No.
Save to disk: Compatible with any. Can be added multiple times: No.
Send notification: Compatible with any except Delete the message. Can be added multiple times: No.
Strip and hold message in Suspect Virus Quarantine: Compatible with any except Delete the message, Deliver message normally, Hold the message in Spam Quarantine, Delay message delivery. Can be added multiple times: No.
Strip attachments: Compatible with any except Delete the message. Can be added multiple times: Yes.
Treat as a blocked sender: Can’t be used with other actions. Can be added multiple times: No.
Treat as a mass-mailing worm: Can’t be used with other actions. Can be added multiple times: No.
Treat as an allowed sender: Can’t be used with other actions. Can be added multiple times: No.
Treat as a virus: Can’t be used with other actions. Can be added multiple times: No.
Treat as spam: Can’t be used with other actions. Can be added multiple times: No.
Treat as suspected spam: Can’t be used with other actions. Can be added multiple times: No.
Multiple policies
If there are multiple policies that may apply to a message, the policy that is applied depends on the direction the message is traveling. If the message is outbound, the policy applied is based on the sender. If the message is inbound, the policy applied is based on the recipient.
Security risks
Symantec Mail Security for SMTP can detect security risks. Security risks are programs that do any of the following:
Provide unauthorized access to computer systems
Compromise data integrity, privacy, confidentiality, or security
Present some type of disruption or nuisance
These programs can put your employees and your organization at risk for identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications.
Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware software programs, click links or attachments in email messages, or through instant messaging clients. They can also be installed after or as a by-product of accepting an end user license agreement from another software program related to or linked in some way to the security risk.
Table 4-4 lists the categories of security risks that Symantec Mail Security for SMTP detects. Each of these risks can cause a verdict of spyware or adware.
Table 4-4 Security risk categories included in spyware or adware verdict
Adware: Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user’s knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.
Hack tools: Programs used to gain unauthorized access to a user’s computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.
Dialers: Programs that use a computer, without the user’s permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.
Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.
Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.
About precedence
Determining the precedence of different types of filtering for a particular message rests on many factors. For more information on the various lists discussed below, see “Configuring sender groups” on page 95.
If more than one verdict matches a message, the following applies:
Any matching verdict that calls for an action of defer or reject takes precedence over verdicts that call for other actions.
If multiple matching verdicts call for defer or reject, the one of those verdicts that appears first in the precedence list (see below) takes precedence.
If no matching verdict calls for an action of defer or reject, then the matching verdict that appears first in the precedence list takes precedence.
Although a verdict can call for multiple actions, only one verdict determines the actions that are taken on a message. Actions called for by lower precedence verdicts are not applied.
Order of precedence:
Virus attack
Worm
Virus
Spyware or adware
Suspicious attachment (suspected virus)
Unscannable
Encrypted attachment
End user-defined Allowed Senders List
End user-defined Blocked Senders List
Administrator-defined, IP-based Allowed Senders List
Administrator-defined, IP-based Blocked Senders List
Administrator-defined, domain-based Allowed Senders List
Administrator-defined, domain-based Blocked Senders List
Spam attack
Directory harvest attack
Safe Senders List (part of the Sender Reputation Service)
Open Proxy Senders (part of the Sender Reputation Service)
Third Party Services Allowed Senders List
Third Party Services Blocked Senders List
Content Compliance policies
Dropped invalid recipient
Spam
Blocked language
Suspected spam
Suspected Spammers (part of the Sender Reputation Service)
Sender authentication failure
Note that end user-defined lists have precedence over all other lists. This may affect your decision regarding whether to enable end user preferences.
Also, lists that you create have precedence over lists created by Symantec. However, third party DNS blacklists do not have priority over all Symantec lists. In the event of a conflict between Open Proxy Senders and an entry from a DNS blacklist, Open Proxy Senders will “win.”
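The three precedence rules and the ordered list above can be checked against concrete combinations of verdicts, which is useful before enabling end-user lists or a reject action. The following is an added example, not product code from Symantec Mail Security for SMTP: the precedence list is copied from this section, while the representation of a match as a (verdict, actions) pair and the treatment of Defer SMTP connection and Reject SMTP connection as the “defer or reject” actions of Table 4-2 are this example's own assumptions.

```python
"""Verdict precedence as described in "About precedence".

Added example, not product code. PRECEDENCE is the manual's list, first
entry highest; a match is modelled as (verdict name, configured actions),
and CONNECTION_ACTIONS are the two actions this example treats as "defer or
reject". Both of those modelling choices are assumptions.
"""

PRECEDENCE = [
    "Virus attack",
    "Worm",
    "Virus",
    "Spyware or adware",
    "Suspicious attachment (suspected virus)",
    "Unscannable",
    "Encrypted attachment",
    "End user-defined Allowed Senders List",
    "End user-defined Blocked Senders List",
    "Administrator-defined, IP-based Allowed Senders List",
    "Administrator-defined, IP-based Blocked Senders List",
    "Administrator-defined, domain-based Allowed Senders List",
    "Administrator-defined, domain-based Blocked Senders List",
    "Spam attack",
    "Directory harvest attack",
    "Safe Senders List (part of the Sender Reputation Service)",
    "Open Proxy Senders (part of the Sender Reputation Service)",
    "Third Party Services Allowed Senders List",
    "Third Party Services Blocked Senders List",
    "Content Compliance policies",
    "Dropped invalid recipient",
    "Spam",
    "Blocked language",
    "Suspected spam",
    "Suspected Spammers (part of the Sender Reputation Service)",
    "Sender authentication failure",
]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}  # lower index wins
CONNECTION_ACTIONS = {"Defer SMTP connection", "Reject SMTP connection"}


def select_verdict(matches):
    """`matches` is a list of (verdict, actions) pairs for one message.
    Returns the single pair whose actions are applied, or None if nothing
    matched. Raises ValueError for a verdict not in the precedence list."""
    unknown = [v for v, _ in matches if v not in RANK]
    if unknown:
        raise ValueError("not in the precedence list: %s" % ", ".join(unknown))
    if not matches:
        return None
    # Rule 1: a verdict that defers or rejects the connection beats any other.
    deciding = [m for m in matches if CONNECTION_ACTIONS.intersection(m[1])]
    # Rules 2 and 3: among those (or, failing any, among all matches), the
    # verdict that appears first in the precedence list decides.
    return min(deciding or matches, key=lambda m: RANK[m[0]])


def actions_for(matches):
    """Actions actually taken: the winning verdict's list, never a merge of
    several verdicts' actions."""
    chosen = select_verdict(matches)
    return list(chosen[1]) if chosen else []


if __name__ == "__main__":
    message = [("Spam", ["Modify the Subject line"]),
               ("Content Compliance policies", ["Reject SMTP connection"]),
               ("Virus", ["Clean the message", "Add annotation"])]
    print(select_verdict(message)[0], "->", actions_for(message))
```

Two consequences of the rules show up immediately when running this: a Content Compliance policy that rejects the connection outranks a Virus verdict that only cleans, even though Virus sits far higher in the list; and an end user's Allowed Senders entry outranks a Spam verdict, which is the effect the note above warns about before enabling end-user preferences.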
Creating groups and adding members
Group policies are configurable message management options for an unlimited number of user groups which you define. Policies collect the spam, virus, and content filtering verdicts and actions for a group.
Add or remove members from a group
You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify email filtering actions for different categories of email.
Note: To edit a group member, such as to correct a typo, delete the member and add the member again. There is no edit button for group members.
To create a new Group Policy
1 In the Control Center, click Policies > Group Policies.
This page lists each Group Policy. The Default Group Policy, which contains all users and all domains, appears last. Although you can add or modify actions for the Default Group Policy, you cannot add members to the Default Group Policy. You cannot delete or disable the Default Group Policy.
2 On the Group Policies page, click Add.
3 Enter a name in the Group Name box.
4 Click Save.
To add a new member to a Group Policy
1 In the Control Center, click Policies > Group Policies.
2 Click the underlined name of the Group Policy you want to edit.
3 Ensure that the Members tab is displayed, and click Add.
4 Specify members using one or both of the following methods:
Type email addresses, domain names, or both in the box. To specify multiple entries, separate each with a comma, semicolon, or space. However, do not use a comma and a space, or a semicolon and a space. Use * to match zero or more characters and ? to match a single character. To add all recipients of a particular domain as members, type any of the following:
domain.com
@domain.com
*@domain.com
If you use a wildcard in the domain when specifying a member, be sure to precede the domain with the @ symbol and precede the @ symbol with a wildcard, a specific user, or a combination of those. The following examples show valid uses of wildcards:
user@domain.*
user*@dom*.com
ali*@sub*.domain.com
These examples are not valid, and won’t match any users:
domain.*
@domain.*
dom*.com
sub*.domain.com
Check the box next to one or more LDAP groups. The LDAP groups listed on this page are loaded from your LDAP server. See “Configuring LDAP settings” on page 29 for information about configuring LDAP.
5 Click Add members to add the new member(s).
6 Click Save on the Edit Group page.
To delete a Group Policy member
1 On the Members tab of the Add Group page, check the box next to one or more email addresses, domains, or LDAP groups, and then click Delete.
2 Click Save on the Edit Group page.
To import Group Policy members from a file
1 On the Members tab of the Add Group page, click Import.
2 Enter the appropriate path and filename (or click Browse to locate the file on your hard disk), and then click Import. Separate each domain or email address in the plain text file with a newline.
Below is a sample file:
ruth@example.com
rosa@example.com
ben*@example.com
example.net
*.org
The email addresses in the samples behave as follows:
ruth@example.com and rosa@example.com match those exact email
addresses.
ben*@example.com matches ben@example.com and
benjamin@example.com, etc.
example.net matches all email addresses in example.net.
*.org matches all email addresses in any domain ending with .org.
3 Click Save.
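Because a member entry that looks plausible can silently match nobody, it pays to validate an import file before loading it. The following matcher is an added example, not the product's own member-matching code: it is built to agree with every valid and invalid example given above and with the sample import file, but how Symantec Mail Security for SMTP actually compiles member entries is not documented here. In particular, treating a bare domain with a wildcard as invalid unless it takes the leading “*.” form of the sample file, and matching addresses case-insensitively, are this example's assumptions.

```python
"""Group Policy member matching with the wildcard rules described above.

Added example, not product code from Symantec Mail Security for SMTP. The
rules are taken from the manual's valid and invalid examples; the handling
of "*.org" as a leading-wildcard domain and case-insensitive comparison are
this example's assumptions.
"""
import re

WILDCARDS = "*?"


class InvalidMember(ValueError):
    """Entry forms the manual lists as matching no users."""


def _glob_to_regex(fragment):
    """'*' matches zero or more characters and '?' exactly one; neither
    crosses the '@' between local part and domain."""
    out = ""
    for ch in fragment:
        if ch == "*":
            out += "[^@]*"
        elif ch == "?":
            out += "[^@]"
        else:
            out += re.escape(ch)
    return out


def compile_member(entry):
    """Translate one member entry into a compiled regular expression over a
    lower-cased address, or raise InvalidMember for forms that match nothing."""
    entry = entry.strip().lower()
    if not entry:
        raise InvalidMember("empty entry")
    if "@" in entry:
        local, domain = entry.split("@", 1)
        if not domain or "@" in domain:
            raise InvalidMember(entry)
        if any(c in domain for c in WILDCARDS) and not local:
            # '@domain.*': a wildcard in the domain needs a user or a
            # wildcard in front of the '@'
            raise InvalidMember(entry)
        local_re = _glob_to_regex(local) if local else "[^@]*"
        return re.compile(local_re + "@" + _glob_to_regex(domain))
    # No '@': a domain entry, matching every address in that domain.
    if not any(c in entry for c in WILDCARDS):
        return re.compile("[^@]*@" + re.escape(entry))
    if entry.startswith("*.") and not any(c in entry[2:] for c in WILDCARDS):
        # '*.org': the import sample says this matches any domain ending in .org
        return re.compile("[^@]*@[^@]*" + re.escape(entry[1:]))
    raise InvalidMember(entry)  # 'domain.*', 'dom*.com', 'sub*.domain.com'


def load_members(text):
    """Parse the newline-separated import file format.
    Returns (compiled patterns, entries rejected as invalid)."""
    patterns, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            patterns.append(compile_member(line))
        except InvalidMember:
            rejected.append(line)
    return patterns, rejected


def is_member(address, patterns):
    """True if the recipient address belongs to a group with these members."""
    address = address.strip().lower()
    return any(p.fullmatch(address) for p in patterns)


# The manual's sample import file, reproduced as constructed input.
SAMPLE_IMPORT = """\
ruth@example.com
rosa@example.com
ben*@example.com
example.net
*.org
"""

if __name__ == "__main__":
    pats, rejected = load_members(SAMPLE_IMPORT)
    for addr in ["ruth@example.com", "benjamin@example.com",
                 "anyone@example.net", "someone@nonprofit.org", "bob@example.com"]:
        print(addr, is_member(addr, pats))
    print("rejected:", load_members("domain.*\n@domain.*\ndom*.com\n")[1])
```

Running load_members over a file before importing it turns the manual's “won't match any users” into a visible list of rejected lines instead of a group that quietly omits people; that matters most for the 10,000-entry limit noted below, where domains and wildcards replace long lists of individual addresses.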
Note: The maximum number of entries in the Members list for a Group Policy is 10,000. If you require more than 10,000 entries, contact your Symantec representative for instructions on how to configure MySQL and Tomcat to support more entries. This limitation refers to the number of entries in the Members list, not the number of users at your company. Due to this limit on importing large lists of users, when possible use domain names, subdomain names or wildcards in email addresses to add users to groups.
To export Group Policy members to a file
1 In the Members tab of the Add Group page, click Export.
2 Complete your operating system’s save file dialog box as appropriate.
Note: LDAP groups cannot be imported or exported. If you export from a group that includes LDAP groups, the LDAP groups will be omitted from the export.
Assigning filter policies to a group
By default, groups you create are assigned the default filter policies for spam and viruses (there is no default for compliance policies). Follow the steps in the sections below to assign different filter policies to groups. You may first want to create your own filter policies. See “Creating virus, spam, and compliance filter policies” on page 82.
Selecting virus policies for a group
Virus policies determine what to do with inbound and outbound messages that contain any of six categories of threats. Table 4-5 lists the categories and the default action for each category.
Table 4-5 Virus categories and default actions
Viruses: Clean the message
Mass-mailing worms: Delete the message
Unscannable messages: Delete the message
Encrypted attachments: Prepend [WARNING ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] to Subject: header.
Spyware or adware: Prepend [SPYWARE OR ADWARE INFECTED] to Subject: header.
Suspicious attachments: Inbound message: Strip and hold message in Suspect Virus Quarantine. Outbound message: Delay message delivery.
For a description of each of these categories, see Table 4-1. See “Creating virus policies” on page 83 for information about creating virus policies.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.
To select virus policies for a group
1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select virus policies.
3 Click the Virus tab.
4 If desired, check Enable inbound virus scanning for this group to enable the following six virus policies for incoming email.
5 Select the desired policy from each of the following drop-down lists:
Inbound virus policy
Inbound mass-mailing worm policy
Inbound unscannable message policy
Inbound encrypted message policy
Inbound suspicious attachment message policy
Inbound spyware/adware message policy
6 If desired, check Enable outbound virus scanning for this group to enable the following six virus policies for outgoing email.
7 Select the desired policy from each of the following drop-down lists:
Outbound virus policy
Outbound mass-mailing worm policy
Outbound unscannable message policy
Outbound encrypted message policy
Outbound suspicious attachment message policy
Outbound spyware/adware message policy
8 Optionally, click View next to any policy to view details of that policy.
9 Click Save.
Note: You cannot change virus policy details from the Edit Group page. See
“Creating virus policies” on page 83 for information about creating or editing
virus policies.
Selecting spam policies for a group
Spam policies determine what to do with inbound and outbound messages that contain spam or suspected spam. See “Creating spam policies” on page 85 for information about creating spam policies.
By default, inbound and outbound spam will be marked up with [Spam] at the beginning of subject lines, and inbound and outbound suspected spam will be marked with [Suspected Spam]. Neither type of spam is deleted by default.
To select spam policies for a group
1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select spam policies.
3 Click the Spam tab.
4 If desired, check Enable inbound spam scanning for this group to enable the following two spam policies for incoming email.
5 Select the desired policy from each of the following drop-down lists:
Inbound spam policy
Inbound suspected spam policy
6 If desired, check Enable outbound spam scanning for this group to enable the following two spam policies for outgoing email.
7 Select the desired policy from each of the following drop-down lists:
Outbound spam policy
Outbound suspected spam policy
8 Click Save.
Note: You cannot change spam policy details from the Edit Group page. See “Creating spam policies” on page 85 for information about creating or editing spam policies.
Selecting compliance policies for a group
By associating an appropriate compliance policy with a group, you can check messages for attachment types, keywords, or regular expressions. Depending on the message content, you can add annotations, send notifications, or copy messages to an email address. See “Creating compliance policies” on page 86 for information about creating compliance policies.
To select compliance policies for a group
1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select compliance policies.
3 Click the Compliance tab.
4 Check Enable Inbound Content Compliance for this group.
5 Select the desired policy from the Content Compliance Policies drop-down list. If desired, click View to see a summary of the compliance policy, and then click OK to return. As you add compliance policies from the drop-down list, they are displayed in the bottom list and become unavailable in the drop-down list.
6 Click Add.
7 If desired, add additional policies from the Content Compliance Policies drop-down list.
8 Configure the outbound compliance policies similarly.
9 Click Save.
Note: You cannot change compliance policy details from the Edit Group page. Although you can add existing policies to the lists on this page, you cannot add new compliance policies from this page. See “Creating compliance policies” on page 86 for information about creating compliance policies.
Enabling and disabling end user settings
The end user settings determine whether end users in a group can log in to the Control Center to configure personal Allowed and Blocked Senders Lists and block or allow email in specified languages.
Note: Depending on your system and the group you are editing, you may not be able to view the End Users tab on the Edit Group page. See “Requirements for enabling end user settings” on page 79 for details.
To log in, users access the same URL in their browser as Control Center administrators: https://<hostname>:41443/brightmail. The login and password for end users is the same as their LDAP login and password. For information about supported browsers, see the Symantec Mail Security for SMTP Installation Guide.
Note: End users are limited to a total of 200 entries in their combined Allowed Senders and Blocked Senders Lists.
The Specify language settings check box enables or disables user access to the language identification offered by Symantec Mail Security for SMTP, not the Symantec Outlook Spam Plug-in. If the Symantec Outlook Spam Plug-in is installed and enabled, end users can set their language preferences using the Options dialog box accessible from the Symantec Outlook Spam Plug-in toolbar.
Note: The language identification technology employed by Symantec Mail Security for SMTP to identify the language of a message is not foolproof. Note that messages identified to be in a disallowed language are deleted.
Requirements for enabling end user settings
The following requirements must be satisfied before end users can configure their own personal Allowed and Blocked Senders Lists and block or allow email in specified languages:
At least one LDAP SyncService server must be configured and enabled.
In Settings > LDAP settings, an LDAP source configured for Authentication or Authentication and Synchronization must be defined and saved.
In Settings > Replication settings, a replication schedule must be defined and enabled.
In Policies > Group Policies > Edit Group, the End user preferences must be enabled for the given group on the End Users tab.
The members of the group in question can only be LDAP users, not a locally defined user (that is, an email address you typed manually).
Note: End user Allowed and Blocked Senders Lists take precedence over most other filters. See “About precedence” on page 71 for the precedence list. This could impact your decision on whether to enable end user settings.
To select end user policies for a group
1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select compliance policies.
3 Click the End Users tab.
4 Check Enable end user settings for this group.
5 If desired, check Create Personal Allowed and Blocked Senders Lists.
6 If desired, check Specify language settings.
7 Click Save.
Allowing or blocking email based on language
Using the language identification offered by Symantec Mail Security for SMTP, you can block or allow messages written in specified languages for a group. For example, you can choose to only allow English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages.
Note: If the Language tab in the Edit Group page is inaccessible, the Symantec Outlook Spam Plug-in has been enabled. To disable support for the Outlook Plug-in and enable support for built-in language identification, set Language Identification to No on the Spam Settings page. That will make the Language tab accessible. See “Choosing language identification type” on page 52.
To allow or block email based on language for a group
1 In the Control Center, click Policies > Group Policies.
2 On the Group Policies page, click the group for which you want to select compliance policies.
3 Click the Language tab.
4 Click the desired setting.
5 If you chose the second or third option, check the box for each desired language.
6 Click Save.
Note: The language identification technology employed by Symantec Mail Security for SMTP to identify the language of a message is not foolproof. Note that messages identified to be in a disallowed language are deleted.
Managing Group Policies
The Group Policy management options let you do the following:
Set Group Policy precedence, the order in which Group Policy membership is determined when policies are applied.
Edit Group Policy membership and actions.
Enable and disable Group Policies.
Delete Group Policies.
View Group Policy information for particular users.
For information on adding members to groups and importing or exporting lists of group members, see “Creating groups and adding members” on page 72.
Manage Group Policies
The following sections describe common administrative tasks for Group Policies.
To set Group Policy precedence
Check the box next to a Group Policy, and then click Move Up or Move Down to change the order in which it is applied.
Note: The Default Group Policy is always the last Group Policy in the list. You cannot change the precedence of the Default Group Policy.
To edit an existing Group Policy
On the Group Policy page, click the policy name or check the box next to a Group Policy, and then click Edit.
Add or delete members or change filtering actions for this Group Policy as you did when you created it. See “Add or remove members from a group” on page 72 for more information.
To enable a Group Policy
Check the box next to a Group Policy, and then click Enable.
To disable a Group Policy
Check the box next to a Group Policy, and then click Disable.
Note: You cannot disable the Default Group Policy.
To delete a Group Policy
On the Group Policies page, check the box next to a Group Policy, and then click Delete.
To view Group Policy information for a particular user or domain
1 On the Members tab of the Edit Group page, click Find User.
2 Type an email address or domain name in the Email address box.
3 Click Find User.
The Control Center lists the first enabled group in which the specified user exists, searching in the order that groups are listed on the Group Policies page.
Creating virus, spam, and compliance filter policies
Use filter policy pages to combine a message characteristic, such as virus, with an action, such as delete. The initial page you see when you click on Spam, Virus, or Compliance under Policies > Filter Policies contains a table that indicates the status of defined virus, spam, or compliance policies.
Table 4-6 Policy status page
Column | Description
Virus/Spam/Content Compliance Policies | Name of the policy
Enabled | Indicates if the policy is enabled for one or more groups
Applied to | Indicates the directions the policy is applied to: Inbound, Outbound, or both
Number of Groups | Number of groups that this policy has been used in
Creating virus policies
Using the Virus Policies page, you can add, edit, copy, delete, and enable or disable virus policies.
To add a virus policy
1 In the Control Center, click Policies > Virus.
2 Click Add.
3 In the Policy name box, type a name for the virus policy.
This name appears on the Virus Policies page, and on the Virus tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can’t have a spam or virus policy called XYZ.
4 Under Apply to, choose where this virus policy should be available:
Inbound messages
Outbound messages
Inbound and Outbound messages
This determines where this virus policy is available on the Virus tab when configuring a Group Policy. For example, if you choose Inbound messages and the mass-mailing worm condition on this page, this virus policy is only available in the Inbound mass-mailing worm policy drop-down list when configuring a Group Policy.
5 Under Groups, check one or more groups to which this policy should apply.
You can also add a virus policy to a group on the Virus tab of the Edit Group page.
6 Under Conditions, select one of the following six conditions:
If a message contains a virus: The message contains a virus.
If a message contains a mass-mailing worm: The message contains a mass-mailing worm, a worm that propagates itself to other systems via email, often by using the address book of an email client program.
If a message is unscannable for viruses: A message can be unscannable for viruses for a variety of reasons. For example, if it exceeds the maximum file size or maximum scan depth configured on the Scanning Settings page, or if it contains malformed MIME attachments, it may be unscannable. Compound messages such as zip files that contain many levels may exceed the maximum scan depth.
If a message contains an encrypted attachment: The message contains an attachment that cannot be scanned because it is encrypted.
If a message contains a suspicious attachment: The message contains an attachment that, according to Symantec filters, may contain a virus or other threat.
If a message contains spyware or adware: The message contains spyware or adware.
7 Select the desired action.
See Table 4-2, “Filtering actions by verdict,” on page 64. For some actions you need to specify additional information in fields that appear below the action.
8 Click Add Action.
9 If desired, add more actions.
See Table 4-3, “Compatibility of filtering actions by verdict,” on page 68.
10 Click Save.
Determining your suspicious attachment policy
When you choose the condition, “If a message contains a suspicious attachment,” two additional actions become available:
Delay message delivery
Strip and hold in Suspect Virus Quarantine
Both of these actions enable you to make use of the Suspect Virus Quarantine to delay filtering these messages until a later time, when updated virus definitions may be available. This provides enhanced protection against new and emerging virus threats.
By default, these messages are held in the Suspect Virus Quarantine for 6 hours. You can vary the number of hours on the Settings > Quarantine page, Virus tab.
Changing default virus actions
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See Table 4-5, “Virus categories and default actions,” on page 75.
Creating spam policies
Using the Spam Policies page, you can add, edit, copy, delete, and enable or disable spam policies.
To add a spam policy
1 In the Control Center, click Policies > Spam.
2 Click Add.
3 In the Policy name box, type a name for the spam policy.
This name appears on the Spam Policies page, and on the Spam tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can’t have a spam or virus policy called XYZ.
4 Under Apply to, choose where this spam policy should be available:
Inbound messages
Outbound messages
Inbound and Outbound messages
This determines where this spam policy is available on the Spam tab when configuring a Group Policy. For example, if you choose Inbound messages and the spam condition, this spam policy is only available in the Inbound spam policy drop-down list when configuring a Group Policy.
5 Under Groups, check one or more groups to which this policy should apply.
You can also add a spam policy to a group on the Spam tab of the Edit Group page.
6 Under Conditions, select one of the following three conditions:
If the message is Spam: Perform the specified action if a message is determined to be spam.
If the message is Suspected Spam: Perform the specified action if a message might be spam. The suspected spam level is adjustable on the Spam Settings page.
If the message is Spam or Suspected Spam: Perform the specified action if a message contains either spam or suspected spam.
7 Select the desired action.
See Table 4-2, “Filtering actions by verdict,” on page 64. For some actions you need to specify additional information in fields that appear below the action.
8 Click Add Action.
9 If desired, add more actions.
See Table 4-3, “Compatibility of filtering actions by verdict,” on page 68.
10 Click Save.
Creating compliance policies
Using the Content Compliance Policies page, you can add, edit, copy, delete, and enable or disable compliance policies. You can also change the precedence of compliance policies by changing their location in the list on this page.
You can create compliance policies based on key words and regular expressions found in specific areas of a message. Based on policies you set up, you can perform a wide variety of actions on messages that match against your compliance policies. Compliance policies can be used to:
Eliminate messages with specific content, or specific file attachment types or filenames.
Control message volume and preserve disk space by filtering out oversized messages.
Block email from marketing lists that generate user complaints or use up excessive bandwidth.
Block messages containing certain keywords or regular expressions in their headers, bodies, or attachments.
Actions specified for custom filter matches will not override actions resulting from matches in your Blocked Senders Lists or Allowed Senders Lists. In other words, if a message’s sender matches an entry in your Blocked Senders Lists or Allowed Senders Lists, compliance policies will have no effect on the message. See “About precedence” on page 71 for more information.
Guidelines for creating compliance policy conditions
Keep these suggestions and requirements in mind as you create the conditions that make up a filter.
To start out, you may want to set your policies so that messages that are matched by compliance policies are quarantined, forwarded, or modified instead of deleted. When you are sure the compliance policies are working correctly, you can adjust the action.
Sieve scripts cannot be imported, including those created in previous versions of Symantec or Brightmail software.
There is no limit to the number of conditions per compliance policy.
Conditions can’t be nested.
You can create compliance policies that block or allow email based upon the sender information, but usually it is best to use the Allowed Senders Lists and Blocked Senders Lists. However, it is appropriate to create compliance policies if you need to block or keep email based on a combination of the sender and other criteria, such as the subject or recipient.
The order of conditions in a filter does not matter as far as whether a filter matches a message. However, if a filter has Body tests, you can optimize the filter by positioning them as the final conditions in a filter.
Spammers usually “spoof” or forge some of the visible headers and the usually invisible envelope information. Sometimes they forge header information using actual email addresses or domains of innocent people or companies. Use care when creating filters against spam you’ve received.
The following considerations apply to keyword text string searches. For details on regular expression searches, see “Using Perl-compatible regular expressions in conditions” on page 91.
All tests for words and phrases are case-insensitive, meaning that lowercase letters in your conditions match lower- and uppercase letters in messages, and uppercase letters in your conditions match lower- and uppercase letters in messages. For example, if you tested that the subject contains “inkjet”, then “inkjet”, “Inkjet”, and “INKJET” in a message subject would match. If you instead tested for “INKJET” in the subject, then “inkjet”, “Inkjet”, and “INKJET” would still match. This applies to all test types and all filter components.
Multiple white spaces in an email header or body are treated as a single space character. For example, if you tested that the subject contains “inkjet cartridge” (one space), then “inkjet cartridge” and “inkjet  cartridge” (two spaces) in a message subject would match. If you instead tested for “inkjet  cartridge” (two spaces) in the subject, then “inkjet cartridge” and “inkjet  cartridge” would still match. This applies to all test types and all filter components. A message subject containing “i n k j e t c a r t r i d g e” would not match a test for “inkjet cartridge” or “inkjet  cartridge”.
Adding conditions to compliance policies
Refer to the following tables when creating your compliance policy.
Table 4-7 describes the conditions available when creating a compliance policy.
Table 4-7 Compliance conditions
Condition | Test against | Examples
Any part of the message | Dictionary. See “Configuring dictionaries” on page 112. | Profanity
Attachment content | Text within an attachment file. | Find all attachments that contain the word “discount” more than three times.
Attachment type | An attachment list, file name, or MIME type. See “Configuring attachment lists” on page 110. | script.vbs; application/octet-stream
Bcc: address | Bcc: (blind carbon copy) message header. | jane; example.com; jane@example.com
Body | Contents of the message body. This component test is the most processing intensive, so you may want to add it as the last condition in a filter to optimize the filter. | You a lre a dy ma y hav e won
Cc: address | Cc: (carbon copy) message header. | jane; example.com; jane@example.com
Envelope HELO | SMTP HELO domain in message envelope. | example.com
Envelope recipient | Recipient in message envelope. | jane; example.com; jane@example.com
Envelope sender | Sender in message envelope. | jane; example.com; jane@example.com
For all messages | All email not filtered by a higher precedence policy is flagged. For example, if a message matches a spam, virus, sender group, or higher precedence compliance policy, it won’t match the “For all messages” condition. | (Not applicable)
From: address | From: message header. | jane; example.com; jane@example.com
From:/To:/Cc:/Bcc: address | From:, To:, Cc:, and Bcc: message headers. | jane; example.com; jane@example.com
Message header | Message header specified in the accompanying text field. A header is case-insensitive. Don’t type the trailing colon in a header. | Reply-To; reply-to; Message-ID
Message size | Size of the message in bytes, kilobytes, or megabytes, including the header and body, is less than or greater than the specified value. | 2; 200; 2000
Subject | Subject: message header. | $100 F R E E, Please Play Now!
To: address | To: message header. | jane; example.com; jane@example.com
To:/Cc:/Bcc: address | To:, Cc:, and Bcc: message headers. | jane; example.com; jane@example.com
Table 4-8 shows the additional fields available when you add a condition.
Table 4-8 Additional fields for adding conditions
Condition | Information required
Attachment content, Bcc: address, Body, Cc: address, Envelope HELO, Envelope recipient, Envelope sender, From: address, From/To/Cc/Bcc: address, Subject, To: address, To/Cc/Bcc: address | Choose one of three options: Click the first radio button, choose contains or does not contain, type a frequency and a keyword. Click the second radio button, choose a test type, and type a keyword. Click the third radio button, choose matches or does not match, and type a regular expression.
Any part of the message | Choose a dictionary from the drop-down list, and type a word frequency in the box.
Attachment type | Choose one of three options: Click the first radio button and choose an attachment list. Click the second radio button and type a filename. Click the third radio button and type a MIME type. This condition will also flag attachments that are within container files.
For all messages | No additional information is needed. This condition flags all messages not filtered by a higher precedence policy.
Message header | Type the header category (From, To, etc), then follow the instructions in the first row above.
Message size | Choose a comparison from the first drop-down list, type a number, and choose units from the second drop-down list.
Table 4-9 describes the filter tests available for certain conditions when creating a compliance policy.
Table 4-9 Filter tests
Test type | Description
Contains/does not contain | Tests for the supplied text within the component specified. Sometimes called a substring test. You can also test for frequency, the number of instances of the supplied text that appear.
Starts with/does not start with | Equivalent to ^text.* wildcard test using matches exactly.
Ends with/does not end with | Equivalent to .*text$ wildcard test using matches exactly.
Matches exactly/does not match exactly | Exact match for the supplied text (not available for the message body).
Notes: All text tests are case-insensitive. Some tests are not available for some components.
Using Perl-compatible regular expressions in conditions
To use Perl-compatible regular expressions, click “matches regular expression” or “does not match regular expression” for any of the conditions that offer you that choice (the conditions in the first row of Table 4-8, plus the Message header condition).
You can refine your search as described in Table 4-10. To match certain special characters, you must escape each with \ as shown in the table. For more information about Perl-compatible regular expressions, see:
http://www.perl.com/doc/manual/html/pod/perlre.html
Table 4-10 Sample Perl-compatible regular expressions
Character | Description | Example | Sample matches
. | Match any one character | j.n; jo.. | jen, jon, j2n, j$n; john, josh, jo4#
.* | Match zero or more characters | sara.*; s.*m.* | sara, sarah, sarahjane, saraabc%123; sm, sam, simone, s321m$xyz
.+ | Match one or more characters | sara.+; s.+m.+ | sarah, sarahjane, saraabc%123; simone, s321m$xyz
\. | Match a period | stop\. | stop.
\* | Match an asterisk | b\*\* | b**
\+ | Match a plus character | 18\+ | 18+
[0-9]{n} | Match any numeral n times, for example, match a social security number | [0-9]{3}-[0-9]{2}-[0-9]{4} | 123-45-6789
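The keyword tests of Table 4-9, the regular-expression tests of Table 4-10 and the matching rules from the guidelines above (case folding, collapsed white space, frequency) modelled in Python as an added example; this is not Symantec Mail Security code, and the function names, the reading of frequency as "at least N occurrences", and the case handling of regex tests are assumptions.

```python
import re

# Added example (not Symantec Mail Security code): models the keyword tests of
# Table 4-9 and the regular-expression tests of Table 4-10 with the matching
# rules the compliance guidelines describe.  Function names and the reading of
# "frequency" as "at least N occurrences" are assumptions.

# Map the test names shown in the Control Center to (base test, negated).
TEST_TYPES = {
    "contains": ("contains", False),
    "does not contain": ("contains", True),
    "starts with": ("starts with", False),
    "does not start with": ("starts with", True),
    "ends with": ("ends with", False),
    "does not end with": ("ends with", True),
    "matches exactly": ("matches exactly", False),
    "does not match exactly": ("matches exactly", True),
}


def normalize(text: str) -> str:
    """Apply the guideline rules: tests are case-insensitive and runs of white
    space in a header or body are treated as a single space character."""
    return " ".join(text.split()).lower()


def keyword_test(component: str, test_type: str, keyword: str,
                 frequency: int = 1) -> bool:
    """Evaluate one Table 4-9 text test against a message component (Subject,
    Body, an address header, ...).  frequency applies to the contains tests
    only and is assumed to mean "at least this many occurrences"."""
    base, negate = TEST_TYPES[test_type]
    hay, needle = normalize(component), normalize(keyword)
    if base == "contains":
        # Substring test; str.count gives non-overlapping occurrences.
        hit = needle != "" and hay.count(needle) >= frequency
    elif base == "starts with":          # the guide: equivalent to ^text.*
        hit = hay.startswith(needle)
    elif base == "ends with":            # the guide: equivalent to .*text$
        hit = hay.endswith(needle)
    else:                                # matches exactly
        hit = hay == needle
    return hit != negate


def regex_test(component: str, pattern: str, negate: bool = False) -> bool:
    """'matches regular expression' / 'does not match regular expression'.
    The guide does not say whether regex tests fold case, so the pattern is
    applied to the raw component exactly as written (assumption)."""
    hit = re.search(pattern, component) is not None
    return hit != negate


def header_component(headers: dict, name: str) -> str:
    """Message header condition (Table 4-7): the header name is
    case-insensitive and is entered without the trailing colon.  Repeated
    headers are joined so a single test sees all of them."""
    wanted = name.rstrip(":").lower()
    return " ".join(v for k, v in headers.items() if k.lower() == wanted)
```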
Note: Symantec Mail Security for SMTP uses two different types of analysis in scanning for messages that match your criteria. If you specify a condition using a regular expression, a regular expression analysis is performed. If you specify a condition using a keyword or dictionary, a text search is performed.
To add a compliance policy
1 In the Control Center, click Policies > Compliance.
2 Click Add.
3 In the Policy name box, type a name for the compliance policy.
This name appears on the Content Compliance Policies page, and in the Compliance tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can’t have a spam or virus policy called XYZ.
4 Under Apply to, choose where this compliance policy should be available:
Inbound messages
Outbound messages
Inbound and Outbound messages
5 Under Groups, check one or more groups to which this policy should apply.
You can also add a compliance policy to a group on the Compliance tab of the Edit Group page.
6 Under Conditions, click a condition. See Table 4-7, “Compliance conditions,” on page 88. For some conditions you need to specify additional information in fields that appear below the condition.
7 Click Add Condition.
See Table 4-8, “Additional fields for adding conditions,” on page 90. Add additional conditions if desired.
8 Under Perform the following action, click an action.
See Table 4-2, “Filtering actions by verdict,” on page 64. For some actions you need to specify additional information in fields that appear below the action.
9 Click Add Action.
Add additional actions if desired. See Table 4-3, “Compatibility of filtering actions by verdict,” on page 68.
10 Click Save.
Note: You can use keywords or a regular expression in a compliance policy to strip attachments. However, you cannot specify that only attachments containing the keyword or regular expression are stripped. All attachments to the message will be stripped if any of the attachments contain the keyword or regular expression.
Determining compliance policy order
You can change the order in which compliance policies are checked against messages.
To set compliance policy order
1 In the Control Center, click Policies > Compliance.
2 Check the box next to a compliance policy.
3 Click Move Up or Move Down.
Enabling and disabling compliance policies
After you create compliance policies, they are automatically enabled and put to use. For testing or other administrative purposes, you may need to enable or disable one or more filters without having to delete them. By disabling filters, filters become inactive but are displayed in the Content Compliance Policies list.
To enable or disable a compliance policy
1 In the Control Center, click Policies > Compliance.
2 Check the box next to a compliance policy.
3 Click Enable or Disable.
Managing Email Firewall policies
Symantec Mail Security for SMTP can detect patterns in incoming messages to thwart certain types of spam and virus attacks. You can block and allow messages based on email addresses, domains, or IP address. Messages can be checked against Open Proxy Senders, Suspected Spammers, and Safe Senders lists maintained by Symantec. Sender authentication provides a way to block forged email.
Configuring attack recognition
Symantec Mail Security for SMTP can detect the following types of attacks originating from a single SMTP server (IP address).
Directory harvest attacks: Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large quantity of possible email addresses to a site. An unprotected mail server will simply reject messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list. By default, connections received from violating senders are deferred.
Spam attack: A specified quantity of spam messages has been received from a particular IP address. By default, connections received from violating senders are deferred.
Virus attack: A specified quantity of infected messages has been received from a particular IP address. By default, connections received from violating senders are deferred.
Enable, disable, and configure attack recognition
Set up attack recognition as described in the following sections. All attack recognition types are disabled by default, and must be enabled to be activated.
To enable or disable attack recognition
1 In the Control Center, click Policies > Attacks.
2 Check the box next to each attack type that you want to enable or disable, or check the box next to Attacks to select all attack types.
3 Click Enable to enable the checked attack types, or click Disable to disable the checked attack types.
To configure directory harvest, spam, and virus attack recognition
1 In the Control Center, click Policies > Attacks.
2 Click Directory Harvest Attack, Spam Attack, or Virus Attack.
3 Accept the defaults or modify the values under Attack Configuration:
Minimum percentage of ...: Percentage of bad recipient, spam, or virus messages from a single server that must be exceeded to trigger the specified action. The minimum number must also be exceeded.
Minimum number of ...: Number of bad recipient, spam, or virus messages from a single server that must be exceeded to trigger the specified action. The minimum percentage must also be exceeded.
Qualification time window: Time period in which the specified percentage and number of bad recipient, spam, or virus message violations must be exceeded to trigger the specified action.
Penalty box time: Period of time to perform the specified action against all messages from the sending SMTP connection.
95Configuring email filtering
4 Under Actions, accept the default, recommended action of Defer SMTP Connection, or change and/or add more actions.
5 Click Save.
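As an added illustration that is not part of this guide or of the product's code, the following Python model shows how the four Attack Configuration values interact: a sender is penalised only when both the minimum number and the minimum percentage are exceeded inside the qualification time window, and the configured action then persists for the penalty box time. The threshold values, IP addresses and timestamps it uses are constructed.

```python
# Added example (not Symantec's code): a minimal model of the attack
# recognition thresholds described above, run over constructed sample events.
from collections import deque


class AttackRecognizer:
    """Tracks one attack type (bad recipient, spam or virus) per sending IP.

    A sender is penalised only when BOTH the minimum number AND the minimum
    percentage of violating messages are exceeded (strictly) inside the
    qualification time window; the configured action then applies to every
    message from that IP for penalty_box_time seconds.
    """

    def __init__(self, min_percent, min_number, window, penalty_box_time):
        self.min_percent = min_percent            # e.g. 50 means more than 50 %
        self.min_number = min_number
        self.window = window                      # qualification time window (s)
        self.penalty_box_time = penalty_box_time  # penalty box time (s)
        self.events = {}         # ip -> deque of (timestamp, violated)
        self.penalty_until = {}  # ip -> time at which the penalty expires

    def in_penalty_box(self, ip, now):
        return self.penalty_until.get(ip, 0) > now

    def record(self, ip, now, violated):
        """Record one message; return True when the configured action applies."""
        if self.in_penalty_box(ip, now):
            return True
        q = self.events.setdefault(ip, deque())
        q.append((now, violated))
        while q and now - q[0][0] > self.window:  # forget events outside the window
            q.popleft()
        bad = sum(1 for _, v in q if v)
        percent = 100.0 * bad / len(q)
        if bad > self.min_number and percent > self.min_percent:
            self.penalty_until[ip] = now + self.penalty_box_time
            q.clear()                             # start a fresh window afterwards
            return True
        return False


if __name__ == "__main__":
    # Constructed sample: five invalid-recipient probes from one IP, 10 s apart.
    rec = AttackRecognizer(min_percent=50, min_number=3, window=60, penalty_box_time=600)
    for t in range(0, 50, 10):
        print(t, rec.record("203.0.113.7", t, violated=True))
```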
Configuring sender groups
Filtering based on the source of the message, whether it’s the sender’s domain, email address or mail server IP connection, can be a powerful way to fine-tune filtering at your site.
Note: This section describes global Blocked and Allowed Senders Lists, which are applied at the server level for your organization. Two other options are available to give users the ability to maintain individual Blocked and Allowed Senders Lists. You can enable personal Allowed and Blocked Senders Lists on the End Users tab of the Edit Group page. See “Enabling and disabling end user settings” on page 79. Alternatively, you can deploy the Symantec Outlook Spam Plug-in. With the Symantec Outlook Spam Plug-in, users can easily create personal lists of blocked and allowed senders from within their Outlook mail client. The Plug-in imports information from the Outlook address book to populate the personal Allowed Senders List. See “Installing the Symantec Outlook Spam Plug-in” on page 210.
Symantec Mail Security for SMTP lets you customize spam detection in the following ways:
Define Allowed Senders
Symantec Mail Security for SMTP treats mail coming from an address or connection in an Allowed Senders List as legitimate mail. As a result, you ensure that such mail is delivered immediately to the inbox, bypassing any other filtering. The Allowed Senders Lists reduce the small risk that messages sent from trusted senders will be treated as spam or filtered in any way.
Define Blocked Senders
Symantec Mail Security for SMTP supports a number of actions for mail from a sender or connection in a Blocked Senders List. As with spam verdicts, you can use policies to configure a variety of actions to perform on such mail, including deletion, forwarding, and subject line modification.
Use the Sender Reputation Service
By default, Symantec Mail Security for SMTP is configured to use the Sender Reputation Service. Symantec monitors hundreds of thousands of email sources to determine how much email sent from these IP addresses is legitimate and how much is spam. The service currently includes the following lists of IP addresses, which are continuously compiled, updated, and incorporated into Symantec Mail Security for SMTP filtering processes at your site:
Open Proxy Senders
IP addresses that are either open proxies used by spammers or “zombie” computers that have been co-opted by spammers.
Safe Senders
IP addresses from which virtually no outgoing email is spam.
Suspected Spammers
IP addresses from which virtually all of the outgoing email is spam.
No configuration is required for these lists. You can choose to disable any of these lists.
Incorporate lists managed by other parties
Third parties compile and manage lists of desirable or undesirable IP addresses. These lists are queried using DNS lookups. When you configure Symantec Mail Security for SMTP to use a third-party sender list, Symantec Mail Security for SMTP checks whether the sending mail server is on the list. If so, Symantec Mail Security for SMTP performs a configured action, based on the policies in place.
About Allowed and Blocked Senders Lists
Note the following about the Allowed Senders Lists and Blocked Senders Lists:
Duplicate entries:
You cannot have the exact same entry in both a Blocked Senders List and an Allowed Senders List of the same type. If an entry already exists in one list, you will receive the message “Duplicate sender - not added” when you try to add the same entry to the other list. If you’d prefer to have this entry in the other list, first delete the entry from the list that now contains it, then add it to the other list.
Similar entries:
If you have two entries such as a@b.com and *@b.com in the two different lists, the list with higher precedence “wins.” See “About precedence” on page 71 for the precedence of each list.
Performance impact of third party DNS lists:
Incorporating third-party lists adds additional steps to the filtering process. For example, in a DNS list scenario, for each incoming message the IP address of the sending mail server is looked up in the list by means of a DNS query. If the sending mail server is on the list, the mail is flagged as spam. If your mail volume is sufficiently high, running incoming mail through a third-party database could hamper performance because of the requisite DNS lookups. Symantec recommends that you use the Sender Reputation Service lists instead of enabling third-party lists.
To understand which list or other verdict has priority in message filtering when more than one applies, see “About precedence” on page 71.
Reasons to use Allowed and Blocked Senders
Table 4-11 provides some examples of why you would employ lists of allowed or blocked senders. The table also lists an example of a pattern that you as the system administrator might use to match the sender:
Table 4-11 Use cases for lists of allowed and blocked senders
Problem: Mail from an end-user’s colleague is occasionally flagged as spam.
Solution: Add a colleague’s email address to the end user’s Allowed Senders List.
Pattern example: colleague@trustedco.com
Problem: Desired newsletter from a mailing list is occasionally flagged as spam.
Solution: Add the domain name used by the newsletter to the domain-based Allowed Senders List.
Pattern example: newsletter.com
Problem: An individual is sending unwanted mail to people in your organization.
Solution: Add the specific email address to the domain-based Blocked Senders List.
Pattern example: Joe.unwanted*@getmail.com
Problem: Numerous people from a specific range of IP addresses are sending unsolicited mail to people in your organization.
Solution: After analyzing the received headers to determine the sender’s network and IP address, add the IP address and net mask to the IP-based Blocked Senders List.
Pattern example: 218.187.0.0/255.255.0.0
How Symantec Mail Security for SMTP identifies senders and connections
The following sections provide details about the Allowed Senders Lists and Blocked Senders Lists.
Supported Methods for Identifying Senders
You can use the following methods to identify senders for your Allowed Senders Lists and Blocked Senders Lists.
Domain-based: specify sender addresses or domain names
Symantec Mail Security for SMTP checks the following characteristics of incoming mail against those in your lists:
MAIL FROM: address in the SMTP envelope. Specify a pattern that matches the value for localpart@domain in the address. You can use the * or ? wildcards in the pattern to match any portion of the address.
From: address in the message headers. Specify a pattern that matches the value for localpart@domain in the From: header. You can use wildcards in the pattern to match any portion of this value.
If you choose to identify messages by address or domain name, see Table 4-12 for examples.
Table 4-12 Matches for email addresses or domain names
Example    Sample matches
example.com    chang@example.com, marta@example.com, foo@bar.example.com
malcolm@example.net    malcolm@example.net
sara*@example.org    sara@example.org, sarahjane@example.org
jo??@example.org    john@example.org, josh@example.org
IP-based: specify IP connections
Symantec Mail Security for SMTP checks the IP address of the mail server initiating the connection to verify if it is on your Allowed Senders Lists or Blocked Senders Lists. Wildcards are not supported. Although you can use network masks to indicate a range of addresses, you cannot use subnet masks that define non-contiguous sets of IP addresses (e.g. 69.84.35.0/255.0.255.0). Supported notations are:
Single host: 128.113.213.4
IP address with subnet mask: 128.113.1.0/255.255.255.0
Classless Inter-Domain Routing (CIDR) IP address: 192.30.250.00/18
Third party services: supply the lookup domain of a third party sender service
Symantec Mail Security for SMTP can check message sources against third-party DNS-based lists to which you subscribe, for example, list.example.org.
Automatic expansion of subdomains
When evaluating domain name matches, Symantec Mail Security for SMTP automatically expands the specified domain to include subdomains. For example, Symantec Mail Security for SMTP expands example.com to include biz.example.com and, more generally, *@*.example.com, to ensure that any possible subdomains are allowed or blocked as appropriate.
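The following matcher, an added example that is not code from this guide or from the product, implements the entry forms just described: domain-based patterns with the * and ? wildcards, automatic subdomain expansion of a bare domain, and IP-based entries in single-host, netmask and CIDR notation with the non-contiguous-mask restriction enforced. The function names are my own; the patterns it is exercised with come from the guide's own tables.

```python
# Added example (not Symantec's code): a matcher for the domain-based and
# IP-based entry forms described above, including automatic subdomain
# expansion and rejection of non-contiguous netmasks.
import fnmatch
import ipaddress


def address_matches(pattern, address):
    """Domain-based entry. A bare domain (example.com) expands to the domain
    and every subdomain; a localpart@domain pattern may use * and ? wildcards,
    each of which can match any portion of the address."""
    pattern, address = pattern.lower(), address.lower()
    if "@" not in pattern:
        domain = address.rsplit("@", 1)[-1]
        return domain == pattern or domain.endswith("." + pattern)
    return fnmatch.fnmatchcase(address, pattern)


def parse_ip_entry(entry):
    """IP-based entry: single host, address/netmask or CIDR. Raises ValueError
    for a netmask that would describe a non-contiguous set of addresses."""
    if "/" not in entry:
        return ipaddress.ip_network(entry)          # single host, i.e. /32
    addr, mask = entry.split("/", 1)
    if "." in mask:                                 # dotted netmask form
        inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
        if inverted & (inverted + 1):               # host bits are not one trailing run
            raise ValueError(f"non-contiguous netmask not supported: {entry}")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ip_matches(entry, connecting_ip):
    """True when the connecting mail server's IP falls inside the entry."""
    return ipaddress.ip_address(connecting_ip) in parse_ip_entry(entry)


if __name__ == "__main__":
    # Constructed checks using the guide's own example patterns.
    print(address_matches("example.com", "foo@bar.example.com"))    # True
    print(address_matches("jo??@example.org", "john@example.org"))  # True
    print(ip_matches("128.113.1.0/255.255.255.0", "128.113.1.77"))  # True
    try:
        parse_ip_entry("69.84.35.0/255.0.255.0")
    except ValueError as err:
        print(err)
```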
Logical connections and internal mail servers: non-gateway deployments
When deployed at the gateway, Symantec Mail Security for SMTP can reliably obtain the physical or peer IP connection for an incoming message and compare it to connections specified in the Allowed Senders Lists and Blocked Senders Lists. If deployed elsewhere in your network, for example, downstream from the gateway MTA, Symantec Mail Security for SMTP works with the logical IP connection. Symantec Mail Security for SMTP determines the logical connection by obtaining the address that was provided as an IP connection address when the message entered your network. Your network is based on the internal address ranges that you supply to Symantec Mail Security for SMTP when setting up your Scanners. This is why it is important that you accurately identify all the internal mail hosts in your network. For more information, see “Advanced SMTP settings” on page 25.
Adding senders to Blocked Senders Lists
To prevent undesired messages from being delivered to inboxes, you can add specific email addresses, domains, and connections to your Blocked Senders Lists.
To add domain-based, IP-based, and Third Party Services entries to your Blocked Senders Lists
1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Blocked Sender groups.
3 Click Add.
4 On the Add Sender Group Members page, supply the information appropriate for the current Blocked Sender group. See “How Symantec Mail Security for SMTP identifies senders and connections” on page 98.
5 Click Save.
6 Modify the default action for messages originating from blocked senders (Delete the message) if desired.
7 Click Save on the Edit Sender Group page.
Adding senders to Allowed Senders Lists
To ensure that messages from specific email addresses, domains, and connections are not treated as spam, you can add them to your Allowed Senders Lists.
To add domain-based, IP-based, and Third Party Services entries to your Allowed Senders Lists
1 In the Control Center, click Policies > Sender Groups.
2 Click one of the Allowed Sender groups.
3 Click Add.
4 In the Add Sender Group Members page, supply the information appropriate for the current Allowed Sender group. See “How Symantec Mail Security for SMTP identifies senders and connections” on page 98.
5 Click Save.
6 Modify the default action for messages originating from allowed senders (Deliver message normally) if desired.
7 Click Save on the Edit Sender Group page.