Symantec 10744983 - Mail Security 8320, Mail Security Administration Manual

Symantec Mail Security Administration Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
All rights reserved.
Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.
Symantec, theSymantec Logo, Brightmail, LiveUpdate, and Norton AntiVirus are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Symantec Mail Security is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web-based support that provides rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support.
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about the Symantec Value License Program
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
Asia-Pacific and Japan: contractsadmin@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Select your country or language from the site index.
Symantec Software License Agreement
Symantec Mail Security for SMTP
1. License:
You may:
You may not:
2. Limited Warranty:
3. Disclaimer of Damages:
4. U.S. Government Restricted Rights:
5. Export Regulation:
6. General:
7. Additional Uses and Restrictions:
Contents
Technical Support
Chapter 1 About Symantec Mail Security
Key features ... 15
New features ... 16
Functional overview ... 18
Architecture ... 19
Where to get more information ... 20
Chapter 2 Configuring system settings
Configuring certificate settings ... 23
Manage certificates ... 24
Configuring host (Scanner) settings ... 25
Working with Services ... 26
HTTP proxies ... 27
SMTP Scanner settings ... 27
Configuring Default SMTP Settings ... 31
Configuring internal mail hosts ... 35
Testing Scanners ... 35
Configuring LDAP settings ... 36
Configure LDAP settings ... 37
Synchronization status information ... 43
Replicating data to Scanners ... 45
Starting and stopping replication ... 46
Replication status information ... 46
Troubleshooting replication ... 47
Configuring Control Center settings ... 48
Control Center administration ... 49
Control Center certificate ... 50
Configuring, enabling and scheduling Scanner replication ... 50
Control Center Settings ... 51
System locale ... 52
Chapter 3 Configuring email settings
Configuring address masquerading ... 53
Importing masqueraded entries ... 54
Configuring aliases ... 55
Managing aliases ... 56
Importing aliases ... 57
Configuring local domains ... 58
Importing local domains and email addresses ... 59
Understanding spam settings ... 60
Configuring suspected spam ... 61
Choosing language identification type ... 61
Software acceleration ... 62
Configuring spam settings ... 62
Configuring virus settings ... 62
Configuring LiveUpdate ... 63
Excluding files from virus scanning ... 64
Configuring Bloodhound settings ... 64
Configuring invalid recipient handling ... 65
Configuring scanning settings ... 66
Configuring container settings ... 66
Configuring content filtering settings ... 67
Chapter 4 Configuring email filtering
About email filtering ... 69
Notes on filtering actions ... 78
Multiple actions per verdict ... 79
Multiple group policies ... 81
Security risks ... 81
About precedence ... 83
Creating groups and adding members ... 84
Add or remove members from a group ... 84
Assigning filter policies to a group ... 87
Selecting virus policies for a group ... 87
Selecting spam policies for a group ... 89
Selecting compliance policies for a group ... 89
Enabling and disabling end user settings ... 90
Allowing or blocking email based on language ... 92
Managing Group Policies ... 92
Manage Group Policies ... 93
Creating virus, spam, and compliance filter policies ... 94
Creating virus policies ... 94
Creating spam policies ... 96
Creating compliance policies ... 98
Managing Email Firewall policies ... 107
Configuring attack recognition ... 107
Configuring sender groups ... 108
Configuring Sender Authentication ... 119
Managing policy resources ... 120
Annotating messages ... 120
Archiving messages ... 122
Configuring attachment lists ... 124
Configuring dictionaries ... 126
Adding and editing notifications ... 128
Chapter 5 Working with Spam Quarantine
About Spam Quarantine ... 131
Delivering messages to Spam Quarantine ... 132
Working with messages in Spam Quarantine for administrators ... 132
Accessing Spam Quarantine ... 132
Checking for new Spam Quarantine messages ... 133
Administrator message list page ... 133
Administrator message details page ... 135
Searching messages ... 137
Configuring Spam Quarantine ... 140
Delivering messages to Spam Quarantine from the Scanner ... 140
Configuring Spam Quarantine port for incoming email ... 141
Configuring Spam Quarantine for administrator-only access ... 141
Configuring the Delete Unresolved Email setting ... 142
Configuring the login help ... 142
Configuring recipients for misidentified messages ... 142
Configuring the user and distribution list notification digests ... 143
Configuring the Spam Quarantine Expunger ... 149
Specifying Spam Quarantine message and size thresholds ... 150
Troubleshooting Spam Quarantine ... 150
Chapter 6 Working with Suspect Virus Quarantine
About Suspect Virus Quarantine ... 157
Routing messages to Suspect Virus Quarantine ... 157
Accessing Suspect Virus Quarantine ... 158
Checking for new Suspect Virus Quarantine messages ... 158
Suspect Virus Quarantine messages page ... 158
Searching messages ... 160
Configuring Suspect Virus Quarantine ... 162
Configuring Suspect Virus Quarantine port for incoming email ... 162
Configuring the size for Suspect Virus Quarantine ... 163
Chapter 7 Testing Symantec Mail Security
Verifying normal delivery ... 165
Verifying spam filtering ... 165
Testing antivirus filtering ... 166
Verifying filtering to Spam Quarantine ... 167
Chapter 8 Configuring alerts and logs
About alerts ... 169
Configuring alerts ... 171
Viewing logs ... 171
Working with logs ... 172
About logs ... 173
Configuring logs ... 173
Chapter 9 Working with Reports
About reports ... 177
Selecting report data to track ... 178
Choosing a report ... 178
About charts and tables ... 188
Setting the retention period for report data ... 188
Running reports ... 189
Saving and editing Favorite Reports ... 190
Running and deleting favorite reports ... 190
Troubleshooting report generation ... 191
No data available for the report type specified ... 191
Sender HELO domain or IP connection shows gateway information ... 191
Reports presented in local time of Control Center ... 191
By default, data are saved for one week ... 192
Processed message count recorded per message, not per recipient ... 192
Recipient count equals message count ... 193
Deferred or rejected messages are not counted as received ... 193
Reports limited to 1,000 rows ... 193
Printing, saving, and emailing reports ... 193
Print, save, or email reports ... 194
Scheduling reports to be emailed ... 194
Schedule, Edit, or Delete Reports ... 194
Chapter 10 Administering the system
Getting status information ... 197
Overview of system information ... 198
Message status ... 198
Host details ... 203
LDAP Synchronization ... 204
Log details ... 204
Version Information ... 204
Scanner replication ... 205
Managing Scanners ... 205
Editing Scanners ... 205
Enabling and disabling Scanners ... 206
Deleting Scanners ... 207
Administering the system through the Control Center ... 208
Managing system administrators ... 208
Managing software licenses ... 209
Administering the Control Center ... 209
Starting and stopping the Control Center ... 209
Checking the Control Center error log ... 210
Increasing the amount of information in BrightmailLog.log ... 211
Starting and stopping UNIX and Windows services ... 213
Starting and stopping Windows services ... 213
Starting and stopping UNIX services ... 215
Periodic system maintenance ... 215
Backing up logs data ... 216
Backing up the Spam and Virus Quarantine databases ... 216
Maintaining adequate disk space ... 219
Appendix A Integrating Symantec Mail Security with Symantec Security Information Manager
About Symantec Security Information Manager ... 221
Interpreting events in the Information Manager ... 222
Configuring data sources ... 223
Firewall events that are sent to the Information Manager ... 224
Definition Update events that are sent to the Information Manager ... 224
Message events that are sent to the Information Manager ... 225
Administration events that are sent to the Information Manager ... 226
Glossary
Index
Chapter 1 About Symantec Mail Security
This chapter includes the following topics:
Key features
New features
Functional overview
Architecture
Where to get more information
Key features
Symantec Mail Security offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following features:
Antispam technology – Symantec's state-of-the-art spam filters assess and classify email as it enters your site.
Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.
Content Compliance – These features help administrators enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements.
Group policies and filter policies – An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups.
New features
The following table lists the features that have been added to this version of Symantec Mail Security, grouped by category:
Table 1-1 New features for Symantec Mail Security (all users)
Threat protection features
Improved email firewall: Protects against directory-harvest attacks, denial-of-service attacks, spam attacks, and virus attacks.
Sender Authentication: Protects against phishing attacks, using the Sender Policy Framework (SPF), Sender ID, or both.
Improved virus protection: Additional virus verdicts protect against suspected viruses, spyware, and adware, and quarantine messages with suspicious encrypted attachments. Email messages that may contain viruses can be delayed in the Suspect Virus Quarantine, then refiltered with updated virus definitions, if available. This feature can be effective in defeating virus attacks before conventional signatures are available. You can also view a list of available virus-definition updates.
Inbound and outbound content controls
True file type recognition for content compliance filtering: Automatically detects file types without relying on file name extensions or MIME types.
Keyword filtering within attachments, keyword frequency filtering: Scans within attachments to find keywords from dictionaries you create or edit. You can specify the number of occurrences to look for.
Regular expression filtering: Use regular expressions to further customize filter conditions by searching within messages and attachments.
Support for Enterprise Vault and third-party archival tools: Specify conditions that result in email being sent to an archival email address or disk location.
Flexible mail management
LDAP integration: Dynamic group population via any of several supported LDAP servers.
Expanded variety of actions and combinations: More than two dozen actions that can be taken, individually or in combination, on messages.
Expanded mail controls: SMTP connection management, including support for secure email (TLS encryption, with security level depending on platform); for user-based routing and static routes; and for address masquerading, invalid recipient handling, and control over delivery-queue processing.
Aliasing: Distribution lists are automatically expanded, and mail is filtered and delivered correctly for each user.
Improved reporting and monitoring
Extensive set of pre-built reports, scheduled reporting, and additional alert conditions: More than 50 graphical reports that you can generate ad hoc or on a scheduled basis. Reports can be exported for offline analysis and emailed.
Message tracking: View a trail of detailed information about a message, including the filtering processing applied to it.
Expanded administration capabilities
IP-based access control: Control which hosts and networks can access your Control Center.
Control over Quarantine size limits: Specify user-based and total limits, and configure automatic message deletions.
Enhanced localization capabilities
Support for non-ASCII character sets: Support for double-byte character sets. Language autodetection of messages for Quarantine and of subject encodings for message handling. Support for non-ASCII LDAP source descriptions.
Functional overview
You can deploy Symantec Mail Security in different configurations to best suit the size of your network and your email processing needs.
Each Symantec Mail Security host can be deployed in the following ways:
Scanner: Deployed as a Scanner, a Symantec Mail Security host filters email for viruses, spam, and noncompliant messages. You can deploy Scanners on existing email or groupware server(s).
Control Center: Deployed as a Control Center, a Symantec Mail Security host allows you to configure and manage email filtering, SMTP routing, system settings, and all other functions from a Web-based interface. Multiple Scanners can be configured and monitored from your enterprise-wide deployment of Symantec Mail Security, but only one Control Center can be deployed to administer all the Scanner hosts.
The Control Center provides information on the status of all Symantec Mail Security hosts in your system, including system logs and extensive customizable reports. Use the Control Center to configure both system-wide and host-specific details.
The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security instances at your site, and also the Add Scanner Wizard, for adding new Scanners.
The Control Center also hosts the Spam and Suspect Virus Quarantines to isolate and store spam and virus messages, respectively. End users can view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure Spam Quarantine for administrator-only access.
Scanner and Control Center: A single Symantec Mail Security host performs both functions.
Note: Symantec Mail Security provides neither mailbox access for end users nor message storage. It is not intended for use as the only MTA in your email infrastructure.
Note: Symantec Mail Security does not filter messages that don't flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, their messages will not pass through the Symantec Mail Security filters.
Architecture
Figure 1-1 shows how a Symantec Mail Security installation processes an email message, assuming the sample message passes through the Filtering Engine to the Transformation Engine without being rejected.
Figure 1-1 Symantec Mail Security architecture
Messages proceed through the installation in the following way:
1. The incoming connection arrives at the inbound MTA via TCP/IP.
2. The inbound MTA accepts the connection and moves the message to its inbound queue.
3. The Filtering Hub accepts a copy of the message for filtering.
4. The Filtering Hub consults the LDAP SyncService directory to expand the message's distribution list.
5. The Filtering Engine determines each recipient's filtering policies.
6. The message is checked against the Blocked/Allowed Senders Lists defined by administrators.
7. Virus and configurable heuristic filters determine whether the message is infected.
8. Content Compliance filters scan the message for restricted attachment types, regular expressions, or keywords as defined in configurable dictionaries.
9. Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.
10. The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.
Where to get more information
The Symantec Mail Security documentation set consists of the following manuals:
Symantec Mail Security Administration Guide
Symantec Mail Security Planning Guide
Symantec Mail Security Installation Guide
Symantec Mail Security Getting Started
Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.
You can visit the Symantec Web site for more information about your product. The following online resources are available:
www.symantec.com/enterprise/support – Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
www.symantec.com/licensing/els/help/en/help.html – Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
www.enterprisesecurity.symantec.com – Provides product news and updates
www.symantec.com/security_response – Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats
Chapter 2: Configuring system settings
This chapter includes the following topics:
Configuring certificate settings
Configuring host (Scanner) settings
Testing Scanners
Configuring LDAP settings
Replicating data to Scanners
Configuring Control Center settings
Configuring certificate settings
Manage your certificates using the Certificate Settings page.
The two types of certificates are as follows:
MTA TLS certificate – This is the TLS certificate used by the MTAs in each Scanner. Every Scanner has separate MTAs for inbound messages, outbound messages, and message delivery. Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings > Hosts > Edit Host Configuration page.
User interface HTTPS certificate – This is the HTTPS certificate used by the Control Center for secure Web management. Assign this certificate from the Settings > Control Center > Control Center Settings page using the Control Center Certificate drop-down menu.
You can add certificates to the certificate list in the following two ways:
Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.
Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.
Manage certificates
Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.
To add a self-signed certificate to the list
1. In the Control Center, click Settings > Certificates.
2. Click Add.
3. In the Certificate type drop-down list, choose Self-Signed Certificate.
4. Complete the information on the Add Certificate page.
Some Certificate Authorities may not support certificates created using an IP address instead of a domain name. Check with your Certificate Authority, or use a domain name to be sure.
5. Click Create.
To add a Certification Authority Signed certificate to the list
1. In the Control Center, click Settings > Certificates.
2. Click Add.
3. In the Certificate type drop-down list, choose Certificate Authority Signed.
4. Fill in the information on the Add Certificate page.
5. Click Request.
A new page is displayed, showing the certificate information in a block of text, designed for use by the Certification Authority.
6. Copy the block of text that appears and submit it to the Certification Authority.
Each Certification Authority has its own set of procedures for granting certificates. Consult your Certificate Authority for details.
7. When you receive the certificate file from the Certification Authority, place the file in an easily accessed location on the computer from which you are connecting to the Control Center.
8. On the Certificate Settings page, click Import.
9. On the Import Certificate page, type the full path and filename or click Browse and choose the file.
10. Click Import.
To view or delete a certificate
1. In the Control Center, click Settings > Certificates.
2. Check the box next to the certificate to be viewed or deleted.
3. Click View to read the certificate.
4. Click Delete to remove the certificate.
To assign an MTA TLS certificate
1. In the Control Center, click Settings > Hosts.
2. Select a host and click Edit.
3. Click the SMTP tab.
4. Check Accept TLS encryption as appropriate.
5. Choose the TLS certificate from the Certificate drop-down list for the inbound or outbound MTA.
6. Click Save.
To assign a user interface HTTPS certificate
1. In the Control Center, click Settings > Control Center.
2. Select a certificate from the User interface HTTPS certificate drop-down list.
3. Click Save.
Configuring host (Scanner) settings
The following sections describe changes that can be made to individual hosts using the tabs on the Edit Host Configuration page, under Settings > Hosts:
Working with Services
HTTP proxies
SMTP Scanner settings
Configuring Default SMTP Settings
Configuring internal mail hosts
Working with Services
You can stop or start the following services on a Scanner using the Services tab on the Edit Host Configuration page, under Settings > Hosts.
Conduit
LiveUpdate
Filter Engine
MTA
Note: If you stop the filter engine or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address under Control Center Settings on the Settings > Control Center > Control Center Settings page.
In addition, you can enable or disable individual Scanner replication and configure MTA settings that can help you take a Scanner offline from the Services tab at Settings > Hosts > Edit Host Configuration.
Work with the Services tab
Use the following procedures from the Services tab to manage individual Scanner services, replication, and stop the flow of messages through a Scanner. Replication synchronizes Scanner directory data with LDAP directory data stored on the Control Center.
To start and stop services
1. In the Control Center, click Settings > Hosts.
2. Check the Scanner to edit.
3. Click Edit.
4. Select the services to be started or stopped.
5. Click Stop to stop a running service or Start to start a stopped service.
To enable or disable Scanner replication for a host
1. In the Control Center, click Settings > Hosts.
2. Check the Scanner to edit.
3. Click Edit.
4. Using the Scanner Replication portion of the page, check Enable Scanner Replication for this host to enable Scanner replication. (Replication is enabled by default.)
5. Using the Scanner Replication portion of the page, uncheck Enable Scanner Replication for this host to disable Scanner replication. The Control Center will not update the directory for this Scanner when the box is not checked.
6. Click Save to store your changes.
To take a Scanner out of service
1. In the Control Center, click Settings > Hosts.
2. Check the Scanner to edit.
3. Click Edit.
4. On the MTA Operation portion of the page, check Do not accept incoming messages.
All messages in Scanner queues are processed as needed, but no new messages will be received.
5. Click Save to store your changes.
HTTP proxies
The Conduit and Symantec LiveUpdate services run on each Scanner and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, follow the steps below.
To change or add proxy information
1. In the Control Center, click Settings > Hosts.
2. Check the Scanner to edit.
3. Click Edit.
4. Click the Proxy tab.
5. Check Use proxy server.
6. Specify the proxy host name and port on this panel. In addition to this information, you can include a user name and password as needed.
7. Click Save to store your information.
SMTP Scanner settings
A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages.
Note: For incoming messages, you can conserve computing resources by blocking messages from undesirable domains and IP addresses using SMTP Scanner settings rather than by configuring content filtering policies from the Policies > Sender Groups page. SMTP Scanner settings effectively block unwanted messages before they are filtered by Content Compliance policies, resulting in fewer messages filtered through Content Compliance policies.
To modify SMTP settings for a Scanner
1. In the Control Center, click Settings > Hosts.
2. Check the Scanner to edit.
3. Click Edit.
4. Click SMTP.
5. As appropriate, complete the SMTP definition for the Scanner. The following parameters are included:
Scanner Role – Determines if the Scanner is used for Inbound mail filtering only, Outbound mail filtering only, or Inbound and outbound mail filtering.
Inbound Mail Settings* – Provides settings for inbound messages. In this area, you can provide the following information:
Inbound mail IP address – Location at which inbound messages will be received. You can ping this address by pressing Test.
Inbound mail SMTP port – Port on which inbound mail is received, typically port 25.
Accept TLS encryption – Indicates if TLS encryption is accepted. Check the box to accept encryption. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
Certificate – Specifies an available certificate for TLS encryption.
Accept inbound mail connections from all IP addresses – Indicates that all connections for inbound messages are accepted. This is the default.
Accept inbound mail connections from only the following IP addresses and domains – Indicates that only the addresses or domain names entered in the checked IP Address/Domains box are accepted. Click Add to add an entry or Remove to delete one.
If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
Warning: If you deploy this Scanner behind a gateway and specify one or more IP addresses instead of All IP addresses, you must add the IP addresses of ALL upstream mail servers in use by your organization. Upstream mail servers that are not specified here may be classified as spam sources.
Relay local domain mail to – Gives the location where inbound mail is sent after being received on the inbound port. Click Add to add an entry.
Outbound Mail Settings* – Provides settings for outbound mail characteristics. In this area, you can provide the following information:
Outbound mail IP address – Specifies the IP address on which outbound messages are sent. You can ping this address by pressing Test.
Outbound mail SMTP port – Specifies the port on which outbound mail is sent, typically port 25.
Accept TLS encryption – Indicates if TLS encryption is accepted. Check the box to accept encrypted information. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
Certificate – Specifies an available certificate for TLS encryption.
Accept outbound mail connections from the following IP addresses and domains – Only the addresses entered in the checked IP Address/Domains box are accepted. Click Add to add an entry or Remove to delete one. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.
Relay non-local domain mail to – Specifies how outbound SMTP message relaying is routed. By default, MX Lookup is used. Click Add to add an entry.
Apply above settings to all hosts – Indicates that, when saved, all settings on this page are applied immediately to all hosts.
Advanced Settings – Provides for inbound, outbound and delivery advanced settings. See “Configuring Default SMTP Settings” on page 31.
(*) Classless InterDomain Routing (CIDR) is supported for inbound and outbound mail connection IP addresses.
6. Click Save to store your changes.
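The inbound connection list above has three behaviours worth seeing together: entries may be CIDR blocks, the Control Center address is added and selected automatically with the first entry (and must be disabled and replaced if the Control Center lives elsewhere), and any upstream mail server left off the list is turned away. The following Python models that list. It is an added example, not code from Symantec Mail Security or this guide; the class, its method names and every address in it are constructed for illustration, and the product's own storage format is not assumed.

```python
"""
Added example (not product code): a model of the Scanner's "Accept inbound mail
connections from only the following IP addresses and domains" list as the guide
describes it. Names and addresses are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional


class InboundAllowList:
    def __init__(self, control_center_ip: str) -> None:
        self.control_center_ip = control_center_ip
        # entry (single IP, CIDR block or domain) -> enabled (the checkbox in the UI)
        self.entries: Dict[str, bool] = {}

    def add(self, entry: str, enabled: bool = True) -> None:
        """Add an entry; the first add also enables the Control Center address."""
        if not self.entries:
            self.entries[self.control_center_ip] = True
        self.entries[entry] = enabled

    def set_enabled(self, entry: str, enabled: bool) -> None:
        """Check or uncheck an existing entry."""
        if entry not in self.entries:
            raise KeyError(entry)
        self.entries[entry] = enabled

    def move_control_center(self, new_ip: str) -> None:
        """Control Center on a different address: add it and disable the auto-added one."""
        old = self.control_center_ip
        self.entries[new_ip] = True
        if old in self.entries:
            self.entries[old] = False
        self.control_center_ip = new_ip

    def accepts(self, client_ip: str, client_host: Optional[str] = None) -> bool:
        """Decide whether an inbound SMTP connection would be accepted."""
        if not self.entries:
            # No entries means the default "Accept inbound mail connections from all IP addresses".
            return True
        ip = ipaddress.ip_address(client_ip)
        for entry, enabled in self.entries.items():
            if not enabled:
                continue
            try:
                network = ipaddress.ip_network(entry, strict=False)  # single IP or CIDR block
            except ValueError:
                # Not an address: treat it as a domain entry and match the client's
                # resolved host name or a subdomain of it.
                if client_host is not None and (
                    client_host == entry or client_host.endswith("." + entry)
                ):
                    return True
                continue
            if ip in network:
                return True
        return False

    def rejected_upstream(self, upstream_ips: List[str]) -> List[str]:
        """Upstream mail servers this list would turn away (the guide's warning case)."""
        return [ip for ip in upstream_ips if not self.accepts(ip)]


def quarantine_release_ok(allow_list: InboundAllowList) -> bool:
    """Quarantine release needs the Control Center's address to be accepted by the Scanner."""
    return allow_list.accepts(allow_list.control_center_ip)


if __name__ == "__main__":
    acl = InboundAllowList("10.0.0.5")   # constructed Control Center address
    acl.add("192.0.2.0/24")              # constructed upstream gateway block
    print(acl.entries, acl.accepts("192.0.2.7"), acl.rejected_upstream(["203.0.113.4"]))
```

The rejected_upstream check is the one to run before saving such a list on a Scanner that sits behind a gateway: every upstream relay's address must come back empty from it, or its mail will be treated as coming from an unknown source.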
Configuring Default SMTP Settings
Additional SMTP settings are available from the SMTP Defaults page of the SMTP tab when you click the Advanced Settings button at the bottom of the Edit Host Configuration page. There are advanced SMTP settings for:
Inbound messages
Outbound messages
Delivering messages
Specify the MTA host name in the MTA Configuration portion of the SMTP Defaults page. The MTA Host Name gives you the ability to define the HELO banner during the initial portion of the SMTP conversation.
Table 2-1, SMTP Defaults page – inbound settings, describes inbound SMTP settings you can use to further define your SMTP configuration.
Table 2-1 SMTP Defaults page – inbound settings
Maximum number of connections – Sets the maximum number of simultaneous inbound connections allowed. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum number of connections from a single IP address – (Not available on Windows systems.) Sets the maximum number of simultaneous inbound connections allowed from a single IP address. Additional connections for the same IP address will be rejected. The default is 20.
Maximum message size in bytes – Sets the maximum size of a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message – Sets the maximum number of recipients for a message. The default is 1,024 recipients.
Insert RECEIVED header to inbound messages – Places a RECEIVED header in the message during inbound SMTP processing.
Enable reverse DNS lookup – Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not performed for inbound messages.
Table 2-2, SMTP Defaults page – outbound settings, describes the advanced outbound SMTP settings that you can use to further define your SMTP configuration.
Table 2-2 SMTP Defaults page – outbound settings
Maximum number of connections – Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum number of connections from a single IP address – (Not available on Windows systems.) Sets the maximum number of permissible simultaneous outbound connections from a single IP address. Additional attempted connections are rejected. The default is 20 connections.
Maximum message size in bytes – Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message – Indicates the maximum number of recipients permitted for a message. The default is 1,024 recipients.
Default domain for sender addresses with no domain – Sets a default domain when none can be found in the message.
Insert RECEIVED header to outbound messages – Places a RECEIVED header in the message during outbound SMTP processing when checked. When unchecked, no RECEIVED header is inserted during outbound SMTP processing. If Insert RECEIVED header to outbound messages and Strip pre-existing RECEIVED headers from outbound messages are both checked, the outbound SMTP RECEIVED header remains when the message goes to the delivery queue.
Strip pre-existing RECEIVED headers from outbound messages – Removes all RECEIVED headers for the message when checked. When headers are stripped, message looping can occur depending on the settings of other MTAs. When unchecked, RECEIVED headers remain in the message during outbound processing. The RECEIVED header for outbound SMTP processing remains in the message when Insert RECEIVED header to outbound messages and Strip pre-existing RECEIVED headers from outbound messages are checked.
Enable reverse DNS lookup – Causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name when checked. This is the default condition. When unchecked, reverse DNS lookup is not performed for outbound messages.
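The two RECEIVED header settings in Table 2-2 interact, and the table's caveat that stripping "can cause message looping" is easiest to see on a message. The Python below applies both settings to a constructed sample message and shows why stripping removes the evidence a loop check relies on: MTAs commonly break mail loops by counting RECEIVED headers, and once they are gone neither this MTA nor the next one can count hops. This is an added example, not code from Symantec Mail Security or this guide; the sample message, host names, timestamp and the hop limit are constructed here, and the loop check is a generic MTA safeguard rather than a documented product setting.

```python
"""
Added example (not product code): what "Insert RECEIVED header to outbound
messages" and "Strip pre-existing RECEIVED headers" do to a message, with a
generic hop-count loop check. Sample data and host names are constructed.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample: a message that already carries two RECEIVED headers.
SAMPLE_MESSAGE = (
    "Received: from mail.partner.example by relay.corp.example; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from client.corp.example by mail.partner.example; Mon, 1 Jan 2007 09:59:00 +0000\n"
    "From: alice@corp.example\n"
    "To: bob@partner.example\n"
    "Subject: Quarterly figures\n"
    "\n"
    "Body text.\n"
)


class MailLoopSuspected(Exception):
    """Raised when the hop count says the message is circulating between MTAs."""


def split_message(raw: str) -> Tuple[List[Header], str]:
    """Split a message into a (name, value) header list and the body, unfolding continuation lines."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: List[Header] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def join_message(headers: List[Header], body: str) -> str:
    return "".join(f"{name}: {value}\n" for name, value in headers) + "\n" + body


def hop_count(headers: List[Header]) -> int:
    """Number of RECEIVED headers, i.e. hops the message has taken so far."""
    return sum(1 for name, _ in headers if name.lower() == "received")


def process_outbound(
    raw: str,
    *,
    insert_received: bool = True,
    strip_preexisting: bool = False,
    mta_host: str = "outbound.corp.example",          # constructed MTA Host Name
    client_ip: str = "192.0.2.10",                    # constructed submitting client
    timestamp: str = "Mon, 1 Jan 2007 10:01:00 +0000",
    max_hops: int = 30,                               # constructed loop limit
) -> str:
    """Apply the two outbound RECEIVED settings to a message."""
    headers, body = split_message(raw)
    # The loop check runs before any stripping: once the headers are gone,
    # the hop count is lost for this MTA and for every MTA downstream.
    hops = hop_count(headers)
    if hops >= max_hops:
        raise MailLoopSuspected(f"{hops} RECEIVED headers, limit {max_hops}")
    if strip_preexisting:
        headers = [h for h in headers if h[0].lower() != "received"]
    if insert_received:
        # RECEIVED headers are prepended, so the newest hop is read first.
        headers.insert(0, ("Received", f"from [{client_ip}] by {mta_host} with SMTP; {timestamp}"))
    return join_message(headers, body)


if __name__ == "__main__":
    print(process_outbound(SAMPLE_MESSAGE, insert_received=True, strip_preexisting=True))
```

With both boxes checked the message leaves with exactly one RECEIVED header, the outbound MTA's own, which matches the table's description; with only Strip checked it leaves with none, and a downstream MTA that loops it back will see a fresh-looking message every time.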
Table 2-3, SMTP Defaults page – delivery settings, describes SMTP delivery configuration message settings for your site.
Table 2-3 SMTP Defaults page – delivery settings
Maximum number of external connections – Sets the maximum number of simultaneously allowed external connections. Additional attempted connections are rejected. The default is 100 connections.
Maximum number of connections to all internal mail servers – Sets the maximum number of connections allowed to all defined internal mail servers. Additional connection attempts are rejected. The default is 100 internal mail server connections.
Maximum number of connections per single internal mail server – Sets the maximum number of connections to one internal mail server. Additional connection attempts are rejected. The default is 50 connections.
Minimum retry interval – Sets the smallest interval the SMTP server waits before trying to deliver a message again. The default is 15 minutes.
Sent message time-out – Sets the time after which an undelivered message times out and is rejected from the queue. The default is 5 days.
Bounce message time-out – (Unix/Linux only) Sets a time-out period for deletion of messages in your bounce queue. This can be particularly useful in environments where you cannot configure LDAP settings. The default is 1 day.
Message delay time in queue before notification – Sets the time a message waits in the mail queue before notification of nondelivery is sent. The default is 4 hours.
Reverse Address Binding Strategy – (Unix/Linux only) Reverses the default delivery MTA interface bindings. Check this box if messages back up in the delivery queue due to routing issues.
Enable TLS encryption (Unix/Linux) / Require TLS encryption for the following hosts (Windows) – For Unix/Linux installations, indicates if TLS encrypted information can be accepted. Check the box to accept encrypted information. When left unchecked, TLS encryption is not performed. On Windows installations, indicates which domains require information to be encrypted. Add or delete domains from which you require encryption.
Note: You must have created an MTA TLS certificate from the Certificate Settings page in Settings > Certificates before you can enable TLS encryption. See “Configuring certificate settings” on page 23.
Domains – (Windows only) Adds the names of domains from which you may require encryption. Check the names of those domains from which information must currently be encrypted. Leave unchecked to currently exempt listed domains from this requirement. Press Delete to remove selected domains from the list.
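Three of the delivery timers in Table 2-3 act on the same queued message: Minimum retry interval, Message delay time in queue before notification, and Sent message time-out. The Python below plays them out for a message whose every delivery attempt fails, so the order of retries, the single delay notification and the final removal from the queue can be seen together. It is an added example, not code from Symantec Mail Security or this guide, and it assumes the MTA retries at exactly the minimum interval; the guide only states the minimum, so a real queue may wait longer between attempts. The start time is an arbitrary constructed value.

```python
"""
Added example (not product code): the three delivery timers from Table 2-3
applied to a message that never delivers. Retrying at exactly the minimum
interval is an assumption made for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str]


def delivery_timeline(
    first_attempt: datetime,
    *,
    min_retry: timedelta = timedelta(minutes=15),   # Minimum retry interval (default 15 minutes)
    notify_after: timedelta = timedelta(hours=4),   # Message delay time before notification (default 4 hours)
    timeout: timedelta = timedelta(days=5),         # Sent message time-out (default 5 days)
) -> List[Event]:
    """Events for a message whose every delivery attempt fails."""
    if min_retry <= timedelta(0):
        raise ValueError("retry interval must be positive")
    events: List[Event] = [(first_attempt, "attempt-failed")]
    notified = False
    now = first_attempt
    while True:
        now += min_retry
        elapsed = now - first_attempt
        if elapsed >= timeout:
            # Time-out reached: the message is rejected from the queue.
            events.append((now, "bounced"))
            return events
        events.append((now, "retry-failed"))
        if not notified and elapsed >= notify_after:
            # First retry at or past the delay threshold sends the non-delivery notice once.
            events.append((now, "delay-notification-sent"))
            notified = True


def summary_for(retry_minutes: int = 15, notify_minutes: int = 240,
                timeout_minutes: int = 7200) -> Dict[str, int]:
    """Run the timeline with timers given in minutes; report counts and offsets in minutes."""
    start = datetime(2007, 1, 1, 0, 0)  # constructed start; only the offsets matter
    events = delivery_timeline(
        start,
        min_retry=timedelta(minutes=retry_minutes),
        notify_after=timedelta(minutes=notify_minutes),
        timeout=timedelta(minutes=timeout_minutes),
    )

    def offset(kind: str) -> int:
        # -1 means the event never happened (e.g. time-out before notification).
        return next((int((t - start).total_seconds() // 60) for t, k in events if k == kind), -1)

    return {
        "retries": sum(1 for _, k in events if k == "retry-failed"),
        "notified_after_minutes": offset("delay-notification-sent"),
        "bounced_after_minutes": offset("bounced"),
    }


if __name__ == "__main__":
    print(summary_for())                 # the table's defaults
    print(summary_for(60, 240, 1440))    # hourly retries, one-day time-out
```

With the defaults a message that never delivers is retried 479 times, the sender hears about the delay after 4 hours, and the message is dropped from the queue after 5 days; set the notification delay longer than the time-out and the sender gets only the bounce.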
To configure SMTP Default settings
1. From the Control Center, click Settings > Hosts.
2. Select a Scanner from the displayed list.
3. Click Edit.
4. Click the SMTP tab.
On this tab, you will see some general-purpose settings. See “SMTP Scanner settings” on page 27 for details on these settings.
5. Click Advanced Settings.
On this page you will see the advanced settings for SMTP configuration detailed in the above tables.
6. As appropriate, modify the settings explained above.
7. Click Continue to store your information.
You are returned to the SMTP tab of the Edit Host Configuration page.
8. Click Save.
Configuring internal mail hosts
You can add or delete internal mail hosts at your site.
Configure internal mail hosts
Follow these procedures to add or delete internal mail hosts.
To add an internal mail host
1. From the Control Center, click Settings > Hosts.
2. Check the Scanner you want to configure.
3. Click Edit.
4. Click the Internal Mail Hosts tab.
5. Specify the IP address for an internal mail host.
6. Click Add.
7. Click Save to store the information.
To delete an internal mail host
1. From the Control Center, click Settings > Hosts.
2. Check the Scanner you want to configure.
3. Click Edit.
4. Click the Internal Mail Hosts tab.
5. Select an internal mail host.
6. Click Delete.
7. Click Save to store the information.
Testing Scanners
After adding or editing a Scanner, you can quickly test that the Scanner is operating and that the Agent is able to make a connection. The Agent facilitates the transfer of configuration information between the Control Center and attached and enabled Scanners.
To test a Scanner
1. In the Control Center, click Status > Host Details.
2. If only one Scanner is attached to your system, you can see a snapshot of how it is currently functioning.
3. If more than one Scanner is attached, select the Scanner you want to test from the drop-down list.
You will see a snapshot of its current status. You can click on the plus sign to expand a section.
Configuring LDAP settings
The Control Center can optionally use directory information from LDAP servers at your site for any of the following purposes:
Authentication – LDAP user data is used by the Control Center to authenticate Quarantine access and resolve email aliases for quarantined messages. The Control Center authenticates users by checking their user-name and password data directly against the LDAP source.
Synchronization – LDAP user and group data is used to apply group policies, recognize directory harvest attacks, expand distribution lists, and validate message recipients. LDAP-authenticated user and group email address data are cached in the Control Center for replication to Scanners but are not written back to the LDAP source.
Symantec Mail Security supports the following LDAP directory types:
Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
Note: If you are using Sun Directory Server 5.2, you must update to patch 4 to address some changelog issues that arose in patch 3.
Exchange 5.5
Lotus Domino LDAP Server 6.5
Configure LDAP settings
Follow these procedures to configure LDAP settings.
To add an LDAP server definition to the Control Center
1. In the Control Center, click Settings > LDAP.
2. Click Add.
3. Complete the necessary fields presented for defining a new LDAP Server.
The values you complete will depend on your choices for LDAP Server Usage. See Table 2-4 on page 38 for a description of the available settings when adding an LDAP server to the Control Center.
4. Click Save.
Warning: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners using the Replicate now button on the Control Center Settings page. Begin this replication only after initial synchronization has completed successfully as shown on the LDAP Synchronization page, and the number of rejected entries is 0 or stays constant after successive synchronization changes. If synchronization has not completed successfully, a status of Failed appears on the LDAP Synchronization page. Error messages recorded in the logs detail the cause of the failure. Alternatively, you can wait until the next scheduled replication occurs, at which time the LDAP synchronization service updates all Scanners.
Warning: If you see the Failed to create user mappings for source error during source creation and you have recently changed DNS servers, restart your LDAP synchronization service.
See “Starting and stopping UNIX and Windows services” on page 213.
Then, follow the above steps again.
Note: If your LDAP service runs on the Linux operating system, restart LDAP synchronization by logging in and issuing the following command:
service ldapsync restart
Table 2-4 Add LDAP Server page
LDAP Server – Consists of the following fields:
Description – Text describing the LDAP server being defined. Permissible characters are any alphanumeric character (1-9, a-z, and A-Z), a space ( ), hyphen (-), underline (_), and double-byte characters. The Description entry will fail if any of the following characters are used: reverse apostrophe (`), tilde (~), exclamation point (!), at-sign (@), number symbol (#), dollar sign ($), percent sign (%), circumflex (^), ampersand (&), asterisk (*), left and right parentheses, plus (+), equal (=), left and right braces ({}), left and right bracket ([]), vertical bar (|), colon (:), semicolon (;), quote ("), apostrophe ('), less than and greater than (<>), comma (,), question mark (?), slash (/), backslash (\).
Host – Host name or IP address of the LDAP server.
Port – TCP/IP port for the server. The default port is 389.
Directory Type – Specifies the type of directory used by the LDAP server. Available choices are:
Active Directory
iPlanet/Sun ONE/Java Directory Server
Exchange 5.5
Domino
Other (for authentication only)
Usage (Required) – Describes how this LDAP server is used. Select any of the following items that apply to this server definition:
Authentication
Synchronization
Authentication and Synchronization
Administrator Credentials – Consists of the following fields:
Anonymous bind – Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
Use the following – Specifies login and usage information to the LDAP server as follows:
Name (bind DN) – Login name allowing you to access the LDAP server.
When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server.
For an Active Directory server, the full DN or logon name with User Principal Name suffix may be required.
Password – Password information that allows you to access the LDAP server.
Test Login – Verifies the anonymous bind connection or the user ID and password given for accessing the LDAP server.
Windows Domain Names – If you are using Active Directory, specify the Windows Domain names. When logging onto a Windows host, you see Windows domain names in the Log on to drop-down list. Use commas or semicolons to separate multiple domain names. You will not see this option unless you have chosen Active Directory as your Directory type.
Internet Domain Names – Domain entries are required for Domino server definitions. You will not see this option unless you have chosen Domino as your Directory type. Select any of the following items that apply to this server definition:
Primary domain – Internet domain to which mail is delivered.
Domain aliases – Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Authentication Query Details – Consists of the following:
Auto Fill – Places default values in the fields for you to modify as needed. You can have only one authentication server defined in the Control Center.
Specify the queries to use – You have the following options when selecting what authentication queries to use:
Query start (Auth base DN) – Designates the point in the directory from which to start searching for entries to authenticate. If an entry contains an ampersand, delimit the ampersand as follows:
OU=Sales \& Marketing,OU=test,DC=domain,DC=com &
OU=test1,DC=domain,DC=com
Login attribute – The attribute on a person entry that defines a user name.
Primary email attribute – The attribute on a person or distribution-group entry that represents a mailbox.
Email alias attribute – The attribute on a person or distribution-group entry that contains one or more alternative email addresses for that entity's mailbox.
Login query – Finds users based on their Login attributes.
Test – Attempts to execute the query as defined.
Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.
Synchronization Configuration – Specify default synchronization options. This section only appears if Synchronization is checked for Usage. It allows for the following definitions governing synchronization behavior:
Synchronize every – Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
Audit level – Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
Page size – Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.
Synchronization Query Details – This section only appears if Synchronization is checked for Usage.
Auto Fill – Places default values in the field for you to modify as needed.
Specify the queries to use – Specifies queries to use for synchronization. Available choices are:
Query start (Sync base DN) – Designates the point in the directory from which to start searching for entries with email addresses/aliases or groups. To use this field, begin by clicking Auto Fill for the naming contexts of the directory. Reduce the received list of DN's brought into the field by Auto Fill to a single DN, or write your own DN based on the provided list.
Custom query start – Allows for the addition of a customized query.
User Query – Finds users in the LDAP server. Test checks to see that your Custom/User query works.
Group Query – Finds LDAP groups in the LDAP server. Test checks your Group query to see that it works.
Distribution List Query – Finds Distribution Lists in the LDAP Server. Test checks to see that your Distribution query works.
Note: If you need to change Host, Port, base DN, LDAP Group filter, User filter, or Distribution List filter after saving an LDAP synchronization source, you must delete the source, add the source including all attributes to be filtered, and perform a full synchronization.
To edit an LDAP server definition to the Control Center
1
In the Control Center, click Settings > LDAP.
2
Select an LDAP server definition from the list to edit.
3
Click Edit.
4
Make changes to the definition as appropriate.
Not all of the original portions of this definition visible during the add process are available for editing.
5
Click Save.
See Table 2-5 on page 41 for a description of settings that can be changed after an LDAP server has been defined.
Table 2-5 Edit LDAP Server page

Administrator Credentials
Anonymous bind – Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
Use the following – Specifies login and usage information to the LDAP server as follows:
Name (bind DN) – Login name allowing you to access the LDAP server.
When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=Administrator,cn=Recipients,ou=mysite,o=myorg rather than a shortened form such as cn=Administrator to ensure detection of all change events and guarantee full authentication by the LDAP server.
For an Active Directory server, the full DN or logon name with User Principal Name suffix may be required.
Password – Password information that allows you to access the LDAP server.
Test Login – Verifies the anonymous bind connection or the user id and password given for accessing the LDAP server.

Windows Domain Names
If you are using Active Directory, specify the Windows Domain names – When logging onto a Windows host, you see Windows domain names in the Log on to dropdown list. Use commas or semicolons to separate multiple domain names. You will not see this option unless you have chosen Active Directory as your Directory type.

Internet Domain Names
Domain entries are required for Domino server definitions. You will not see this option unless you have chosen Domino as your Directory type. Select any of the following items that apply to this server definition:
Primary Domain: Internet domain to which mail is delivered.
Domain Aliases: Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Table 2-5 Edit LDAP Server page (continued)

Authentication Query Details
Autofill – Places default values in the fields for you to modify as needed.
Specify the queries to use – You have the following options when selecting what authentication queries to use:
Query start (Auth base DN) – Designates the point in the directory from which to start searching for entries to authenticate.
Login attribute – The attribute on a person entry that defines a user name.
Primary email attribute – The attribute on a person or distribution-group entry that represents a mailbox.
Email alias attribute – The attribute on a person or distribution-group entry that contains one or more alternative email addresses for that entity's mailbox.
Login query – Finds users based on their Login attributes.
Test – Attempts to execute the query as defined.
Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.

Synchronization Configuration
Specify default synchronization options – This section only appears if Synchronization is checked for Usage. It allows for the following definitions governing synchronization behavior:
Synchronize every – Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
Audit level – Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
Page size – Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunOne directory server, change Page size to 0 for optimal performance.
Caution: Editing an LDAP server definition can cause a full synchronization to be initiated. This can have serious performance impact on your system until the synchronization completes.
Note: If you must disable an LDAP server while synchronization is in progress, you must first cancel the synchronization and then disable the LDAP server.
To initiate an LDAP synchronization from an LDAP server to the Control Center
1
Click Status > LDAP Synchronization.
2
Check the LDAP server you wish to synchronize to the Control Center.
3
If you wish to synchronize only the LDAP data that has changed since the last synchronization, click Synchronize Changes.
In most cases synchronizing only updated data is much faster than performing a full synchronization.
4
If you have made substantial changes to your directory data or structure or you have recently restored your directory from a backup, click Full Synchronization.
Full synchronization removes all previously synchronized directory data from the Control Center and initiates a full scan of the directory. Full synchronization can significantly impact the performance of your system until synchronization completes.
To cancel a synchronization in progress
1
Click Status > Synchronization.
2
Check the LDAP server whose synchronization to the Control Center you wish to cancel.
To delete an LDAP server
1
In the Control Center, click Status > Synchronization.
Check to be sure that no synchronization is processing. You cannot delete a synchronization server while synchronization is running.
2
Click Settings > LDAP.
3
Choose one or more LDAP server definitions from the list.
4
Click Delete.
Note: If you need to change the IP address of your LDAP server, you must delete the LDAP source using the Control Center before changing the IP address of the LDAP server machine, and then re-add the LDAP source using the Control Center.
Synchronization status information
When LDAP data is synchronized between an LDAP server and the Control Center, status information is generated and displayed via the Status tab.
To view LDAP Synchronization status information
In the Control Center, click Status > Synchronization.
The following information is displayed:
Status
Information about synchronization activity. Status can indicate any of the following states:
Idle – Nothing is happening.
Starting – The status during a one-minute delay between saving an LDAP synchronization source and initiation of synchronization.
Cancelled – The status after synchronization or replication is manually cancelled by clicking Status > LDAP Synchronization > Cancel or Status > Replication > Cancel. This status is also indicated if a scheduled LDAP synchronization interrupts a replication in progress or a scheduled replication interrupts an LDAP synchronization in progress.
In Progress – A synchronization request has been acknowledged by the synchronization server and the process is under way.
Success – The synchronization has completed successfully.
Failed – The synchronization has failed. Consult your logs to identify possible causes.

Started
The time at which the most recent synchronization began.

Ended
The time at which the most recent synchronization finished.

Read
The number of directory entries read from the synchronization server. For a full synchronization, this number is equal to the total number of records from the LDAP source.

Added
The number of directory entries added from the synchronization server to the Control Center.

Modified
The number of records modified in the Control Center based on synchronization server information.

Deleted
The number of entries deleted from the Control Center based on synchronization server information.

Rejected
The number of directory entries from the LDAP server rejected by the synchronization server.
A number of LDAP transactions can be rejected when an attempt to add a group entry fails because one or more of the group members is not yet known to the LDAP synchronization service. Generally, this can be resolved by issuing a Synchronize Changes request from the Control Center. Each time this is done, the number of rejected entries should decrease. Once all group members are propagated, the group entries are added successfully. If, after a number of LDAP synchronization attempts, you continue to see the same number of rejected entries for an LDAP Source, examine the logs at Status > Logs with Control Center: LDAP selected in the Log Type: drop-down list. Use the information on this page to determine why the entries are repeatedly rejected. Pay particular attention to the file error.log.X, where X is a number.
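To make the Rejected counter's behaviour concrete, here is an added Python model (not Symantec's code) of how repeated Synchronize Changes runs absorb group entries whose members were not yet known; it assumes, as a simplification, that each run checks membership against what earlier runs committed, and it flags a source whose rejected count stops decreasing, which is the page's cue to go to the logs.

```python
# Constructed directory snapshot: groups are returned before the users they
# reference, which is exactly the "member not yet known" situation described.
DIRECTORY = [
    {"dn": "cn=all-staff,ou=groups,o=example", "type": "group",
     "members": ["cn=eng,ou=groups,o=example", "cn=carol,ou=people,o=example"]},
    {"dn": "cn=eng,ou=groups,o=example", "type": "group",
     "members": ["cn=alice,ou=people,o=example", "cn=bob,ou=people,o=example"]},
    {"dn": "cn=alice,ou=people,o=example", "type": "user", "mail": "alice@example.com"},
    {"dn": "cn=bob,ou=people,o=example", "type": "user", "mail": "bob@example.com"},
    {"dn": "cn=carol,ou=people,o=example", "type": "user", "mail": "carol@example.com"},
]


class SyncStore:
    """Model of the Control Center's synchronized copy of one LDAP source."""

    def __init__(self):
        self.known = set()      # DNs already accepted into the Control Center
        self.rejected = []      # entries rejected last run, retried on the next run

    def synchronize_changes(self, changed_entries=()):
        """One Synchronize Changes run. Returns the counters shown on
        Status > LDAP Synchronization (Read, Added, Rejected)."""
        # Assumption (simplification): membership is checked against what was
        # known when the run started, so a group whose member is added in the
        # same run is still rejected until the following run.
        known_at_start = set(self.known)
        pending = self.rejected + list(changed_entries)
        self.rejected = []
        counters = {"read": 0, "added": 0, "rejected": 0}
        for entry in pending:
            counters["read"] += 1
            if entry["type"] == "group":
                missing = [m for m in entry["members"] if m not in known_at_start]
                if missing:
                    self.rejected.append(entry)
                    counters["rejected"] += 1
                    continue
            self.known.add(entry["dn"])
            counters["added"] += 1
        return counters


def sync_until_stable(directory, max_runs=10):
    """Do a first pass over the directory, then repeat Synchronize Changes until
    nothing is rejected or the rejected count stops decreasing.
    Returns (rejected_count_per_run, stalled)."""
    store = SyncStore()
    history = [store.synchronize_changes(directory)["rejected"]]
    stalled = False
    while history[-1] > 0 and len(history) < max_runs:
        history.append(store.synchronize_changes()["rejected"])
        if history[-1] >= history[-2]:
            # Same number of rejected entries again: time to examine
            # Status > Logs (Control Center: LDAP) and error.log.X.
            stalled = True
            break
    return history, stalled
```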
Replicating data to Scanners
After an LDAP server has been defined to the Control Center, and after the synchronization of LDAP data between the LDAP server and the Control Center has successfully completed one full cycle, LDAP data can be synchronized to all attached and enabled Scanners.
LDAP data includes the following:
Email addresses of users and distribution lists
Membership information for groups and distribution lists
If any policies have end user settings enabled, the following data is replicated along with the above LDAP data:
Allowed/Blocked Sender settings
Language settings
For replication to work properly, you must have configured, enabled, and scheduled Scanner replication and made certain that Scanner replication is enabled for each Scanner.
See “Work with the Services tab” on page 26.
In this section, information is available on the following topics:
Starting and stopping replication
Replication status information
Troubleshooting replication
Starting and stopping replication
You may occasionally need to start or stop replication manually.
Start or stop replication
Start and stop replication using the following procedures.
To start a manual replication cycle
1
In the Control Center, click Status > Scanner Replication.
2
Click Replicate Now.
To stop a replication in progress
1
In the Control Center, click Status > Scanner Replication.
2
Click Cancel Replication.
Replication status information
When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security.
To view replication status information
In the Control Center, click Status > Scanner Replication.
The following information is displayed:
Status
Status can indicate any of the following states:
Idle – Nothing is happening.
Started – A replication request has been issued.
Cancelled – Either the replication was cancelled manually by clicking Status > LDAP Synchronization > Cancel Synchronization, or an LDAP synchronization was in progress when a scheduled or manual replication was initiated.
In Progress – A replication request has been acknowledged by the Control Center and the process is under way.
Success – The replication has completed successfully.
Failed – The replication has failed. Consult your logs to identify possible causes.

Started
The time at which the most recent replication began.

Ended
The time at which the most recent replication finished.

Size
The number of bytes of replicated data.
Troubleshooting replication
Replication will not complete until at least one LDAP synchronization source is available and synchronization has completed successfully. Until this happens, there is no data that replication can use to update Scanners.
Troubleshoot replication
The following techniques can help you troubleshoot replication problems.
Basic troubleshooting procedure
1
Verify that synchronization has occurred.
2
If a successful synchronization has occurred, check your replication status and take one or more of the actions described below.
To verify that synchronization has completed successfully
1
In the Control Center, click Status > LDAP Synchronization.
2
Check the Status column for a Success message.
See “Synchronization status information” on page 43 for additional information about synchronization status.
To check replication status
1
In the Control Center, click Status > Scanner Replication.
2
Check the Status column for each attached and enabled Scanner on the list. See “Replication status information” on page 46 for additional information about replication status.
To troubleshoot a status message
1
If the Scanner has a Status of Success, all attached and enabled Scanners are fully updated with LDAP information and no action is required.
2
If a message is displayed indicating that replication has been cancelled and was not cancelled via Status > Scanner Replication and clicking Cancel Synchronization, an LDAP synchronization source was found, but either synchronization has not yet completed, or synchronization has failed.
Check your synchronization status.
See “To check replication status” on page 47 for information on checking your synchronization status.
Check the Control Center log for errors about creating or moving synchronization data within the Control Center, or errors regarding communication between the Control Center and a Scanner. Check LDAP synchronization logs for any errors that occur in transforming data from the Control Center database to a Scanner database.
3
If you see the message No scanners configured for replication, make sure you have successfully added an LDAP synchronization server, that the initial synchronization service has completed successfully, that you have enabled global replication via the Settings > Control Center > Scanner Replication section, and that replication is enabled on at least one attached and enabled Scanner via the Services tab at Settings > Hosts > Edit Host Configuration.
To resolve a replication process with a message of In-Progress
Perform a manual replication from the Control Center.
If replication still stalls, restart the Control Center software and begin the entire cycle again with a full synchronization.
Configuring Control Center settings
Symantec Mail Security Control Center allows you to configure the following:
Control Center administration
Control Center certificate
Configuring, enabling and scheduling Scanner replication
Control Center Settings
System locale
Control Center administration
You access the Control Center via a Web browser. By default anyone with the correct address and logon information has access from any host. You can choose to limit host access to the Control Center. Users attempting to log into the Control Center from unauthorized computers will see a 403 Forbidden page in their Web browser. Reverse Domain Name Server (DNS) lookup must be enabled in your DNS software for this feature to work with host names.
When entering host names, there is a possibility that a name can be entered incorrectly. If it is the only name on the list, you have effectively blocked all access to the Control Center. See the procedure below for help in resolving this situation.
Specify Control Center access or reset Control Center access
Follow these instructions to specify Control Center access or to regain access to the Control Center.
To specify Control Center access
1
In the Control Center, click Settings > Control Center.
2
Check All hosts to allow any host access to the Control Center.
3
Check Only the following hosts to assign specific hosts to access the Control Center.
All other hosts are rejected after you add one or more hosts to the list. Add and Delete buttons are available to help you manage the list of allowed hosts.
4
To add a host, type host name, IP address, IP address with subnet mask, or Classless Inter-Domain Routing (CIDR) netblock and click Add.
Specify additional computers or networks as needed.
5
Click Save to store the current settings.
To regain access to the Control Center when no host name matches the list
1
Log in to the MySQL Control Center.
2
Select the Brightmail database.
use brightmail;
3
Delete the host control access items from the database.
truncate settings_host_access_control;
About specifying host names for Control Center access
When specifying host names for Control Center access, the Control Center allows clients to connect based on the Control Center's own DNS perspective. If the client's IP address resolves into a name that matches an allowed host name (a “reverse lookup”), then the Control Center permits access to the client.
The owner of a netblock controls the reverse lookup of an IP address, so users often have no control over what name their IP addresses resolve to. Also, two different DNS servers may each have mappings for the same netblock that are not the same. For example, the client's authoritative DNS server has a reverse lookup record of m1.example.com for the client's IP address. The DNS that is configured to be the Control Center's primary DNS server has a reverse mapping of dhcp23.example.com for the same IP address. In this case, the Control Center will see the dhcp23.example.com name whenever the client connects, so that is the name that should be entered into the host access control list in the Control Center. This situation happens more frequently on private networks than on the public Internet.
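An added Python example (not part of the product) that evaluates a client against an allowed-hosts list the way the two paragraphs above describe, using a constructed PTR table to stand in for the Control Center's own DNS; it assumes netblock entries are written in slash notation (CIDR or address/netmask) and adds a pre-save lockout check for the mistyped-name case.

```python
import ipaddress

# Constructed reverse-DNS answers as the Control Center's primary DNS gives them.
# 192.0.2.23 resolves to dhcp23.example.com here even though the client's own
# authoritative DNS may call the same address m1.example.com.
CONTROL_CENTER_PTR = {
    "192.0.2.23": "dhcp23.example.com",
    "192.0.2.7": "admin7.example.com",
}


def parse_entry(entry):
    """Classify one allowed-host entry as ("net", network), ("ip", address) or
    ("host", name). Assumption: netblocks use CIDR (192.0.2.0/24) or
    address/netmask (192.0.2.0/255.255.255.0) notation."""
    entry = entry.strip()
    if "/" in entry:
        return "net", ipaddress.ip_network(entry, strict=False)
    try:
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        return "host", entry.rstrip(".").lower()


def host_allowed(client_ip, allowed_entries, ptr_table=CONTROL_CENTER_PTR):
    """True if the client may reach the Control Center login page, False if it
    gets 403 Forbidden. Host-name entries are compared with the reverse lookup
    of the client's address as seen from the Control Center, not the client."""
    ip = ipaddress.ip_address(client_ip)
    reverse_name = None   # looked up lazily, only when a host-name entry exists
    for entry in allowed_entries:
        kind, value = parse_entry(entry)
        if kind == "ip" and ip == value:
            return True
        if kind == "net" and ip in value:
            return True
        if kind == "host":
            if reverse_name is None:
                reverse_name = ptr_table.get(str(ip), "").rstrip(".").lower()
            if reverse_name and reverse_name == value:
                return True
    return False


def lockout_risk(admin_ip, allowed_entries, ptr_table=CONTROL_CENTER_PTR):
    """Pre-save check for the situation the text warns about: a list that would
    not admit the administrator's own workstation. Returns [] if the list already
    admits admin_ip, otherwise the entries that would (the address itself and,
    when one exists, the name the Control Center actually sees for it)."""
    if host_allowed(admin_ip, allowed_entries, ptr_table):
        return []
    address = str(ipaddress.ip_address(admin_ip))
    suggestions = [address]
    name = ptr_table.get(address)
    if name:
        suggestions.append(name)
    return suggestions
```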
Control Center certificate
Through the Control Center, you can designate a user interface HTTPS certificate. This enhances the security for the Control Center and those logging into it.
To designate a Control Center certificate
1
In the Control Center, click Settings > Control Center.
2
Under Control Center Certificate, select the desired certificate in the User interface HTTPS certificate dropdown list.
You add certificates to this list using the Settings > Certificates page.
See “Configuring certificate settings” on page 23.
3
Click Save to store the current settings.
Configuring, enabling and scheduling Scanner replication
In the Control Center, replication refers to the process by which LDAP data stores are propagated from the Control Center to attached and enabled Scanners. Replication is controlled by global settings in the Control Center and by locally configurable settings on each Scanner. The following information will assist you in configuring and scheduling replication. However, no replication can occur until you have defined one or more LDAP servers to the Control Center and one full synchronization cycle has completed.
See “Configuring LDAP settings” on page 36 for information on setting up LDAP services.
The replication attributes on the Settings > Control Center page determine how replication operates in your installation. You can determine if replication is to take place and how often it occurs. These settings are in addition to those available on local Scanners that are attached and enabled through the Control Center.
To configure Control Center replication settings
1
In the Control Center, click Settings > Control Center.
2
To activate Scanner replication, under Scanner Replication, check Enable Scanner Replication.
3
If Scanner replication is enabled, set the frequency of replication in the Replication frequency field.
The replication schedule should begin at a different time than the synchronization schedule to avoid schedule conflicts. For instance, if you have replication set to every 12 hours, setting the LDAP synchronization schedule to 53 minutes will help prevent one from starting while the other is in progress.
4
Click Replicate Now to have LDAP data replicated to all attached and enabled Scanners immediately.
5
Click Save to store the current settings.
6
To verify the most recent replication, click Status > Scanner Replication.
The replication process will not complete until an LDAP synchronization source is available.
Local replication settings
Local replication settings for each Scanner are configured by editing the Scanner configuration.
See “Starting and stopping replication” on page 46 for more information.
Additional information is available for checking the status of Scanner replication and for troubleshooting possible problems with Scanner replication in “Replicating data to Scanners” and “Troubleshooting replication”.
Control Center Settings
The Control Center sends the following information to designated email addresses and repositories at your site:
Alert notifications
Reports
Spam Quarantined messages
You must supply the SMTP host IP address and port number where you want the Control Center to send information.
To specify where the Control Center should send alerts, reports, and quarantined messages
1
In the Control Center, click Settings > Control Center.
2
Do one of the following:
Under Control Center Settings, click Use existing non-local relay settings to specify that email generated by the Control Center use the non-local relay for sending email.
Under Control Center Settings, click Define new host to specify the IP address or fully qualified domain name of a computer that has a working MTA on it.
Change this information from the default if the Control Center doesn't have a working Scanner. Specify the port to use for SMTP. The default is 25.
3
Click Save to store the current settings.
System locale
You can configure the Control Center for single- and double-byte character sets and for related language settings using the Locale setting.
To configure the Control Center to handle single and double-byte character sets and related foreign languages
1
In the Control Center, click Settings > Control Center.
2
Under System Locale, select a language from the Locale list.
3
Click Save to store the current settings.
Chapter 3: Configuring email settings
This chapter includes the following topics:
Configuring address masquerading
Configuring aliases
Configuring local domains
Understanding spam settings
Configuring virus settings
Configuring invalid recipient handling
Configuring scanning settings
Configuring address masquerading
Address masquerading is a method of concealing email addresses or domain names behind the mail gateway by assigning replacement values to them. Symantec Mail Security lets you implement address masquerading on inbound mail, outbound mail, or both. A typical use of address masquerading is to hide the names of internal mail hosts, so that outgoing mail appears to be coming from a different domain than that of the actual host.
Follow these steps to add or edit masqueraded entries.
To add a masqueraded entry
1
In the Control Center, click Settings > Address Masquerading.
2
Click Add.
3
Specify an address or domain to masquerade.
4
Specify a new name for the address or domain name.
5
Specify a mail flow direction to which this masqueraded name will apply: Inbound, Outbound, or Inbound and Outbound.
6
Click Save.
To edit a masqueraded entry
1
In the Control Center, click Settings > Address Masquerading.
2
Click the masqueraded address or domain or check a box, and then click Edit.
3
In the Edit Masqueraded Entry page, modify the masqueraded entry as desired.
4
Click Save.
Importing masqueraded entries
In addition to creating new masqueraded entries, you can import them from a text file similar to the Sendmail virtusertable. In the import file, place each masqueraded address definition on a line by itself. Each address in the file must be separated with one or more spaces or tabs, or a combination of spaces and tabs. Commas or semicolons are not valid delimiters.
Note: You cannot import a file with extended ASCII or non-ASCII characters; you can only import files encoded in US-ASCII format.
The masquerade address definition consists of the following elements:
Original entry – Specifies the original email address or domain name to be masqueraded.
Replacement entry – Specifies the replacement email address or domain name.
Apply to – Indicates the direction to which masquerading is applied. Available choices are:
Inbound messages
Outbound messages
Inbound and outbound messages
Following is a sample import file:
orig1@domain.com new1@domain.com inbound
orig2@domain.com new2@domain.com outbound
orig3@domain.com new3@domain.com inbound/outbound
orig4@domain.com new4.com inbound
orig5@domain.com new5.com outbound
orig6@domain.com new6.com inbound/outbound
orig7.com new7@domain.com inbound
orig8.com new8@domain.com outbound
orig9.com new9@domain.com inbound/outbound
To import a list of masqueraded entries
1
In the Control Center, click Settings > Address Masquerading.
2
Click Import.
3
On the Import Masqueraded Entry page, enter or browse to the filename containing the list of masqueraded entries.
4
Click Import.
If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Address Masquerading page to review the valid imported entries.
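An added Python validator (not Symantec's import code) for the masquerade import format described above: it enforces the US-ASCII, whitespace-delimiter, three-field and direction rules, produces the file of unprocessed entries, and treats an entry as a duplicate when the same original appears twice for the same direction, which is an assumption since the page does not define duplicates.

```python
import re

DIRECTIONS = {"inbound", "outbound", "inbound/outbound"}
# Either side of an entry may be a full address or a bare domain, as in the sample file.
ADDRESS_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_address_or_domain(token):
    return bool(ADDRESS_RE.match(token) or DOMAIN_RE.match(token))


def parse_masquerade_import(data):
    """Validate an import file given as bytes.

    Returns (accepted, rejected): accepted is a list of
    (original, replacement, direction) tuples; rejected is a list of
    (line_number, raw_line, reason) tuples, the unprocessed entries the
    Control Center lets you download. Raises ValueError if the file is not
    US-ASCII, since such a file cannot be imported at all.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("import file must be US-ASCII encoded") from exc

    accepted, rejected, seen = [], [], set()
    for line_number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are simply skipped
        if "," in line or ";" in line:
            rejected.append((line_number, raw, "commas and semicolons are not valid delimiters"))
            continue
        fields = line.split()             # any run of spaces and/or tabs
        if len(fields) != 3:
            rejected.append((line_number, raw, "expected original, replacement and direction"))
            continue
        original, replacement, direction = fields
        direction = direction.lower()
        if direction not in DIRECTIONS:
            rejected.append((line_number, raw, "direction must be inbound, outbound or inbound/outbound"))
            continue
        if not (is_address_or_domain(original) and is_address_or_domain(replacement)):
            rejected.append((line_number, raw, "not an email address or domain name"))
            continue
        # Assumption: a duplicate is the same original (case-insensitive) for the same direction.
        key = (original.lower(), direction)
        if key in seen:
            rejected.append((line_number, raw, "duplicate entry"))
            continue
        seen.add(key)
        accepted.append((original, replacement, direction))
    return accepted, rejected


def unprocessed_entries_file(rejected):
    """Text of the downloadable file of unprocessed entries, one raw line each,
    ready to be corrected and imported again."""
    return "".join(raw + "\n" for _, raw, _ in rejected)


# Constructed sample: valid forms from the document plus four lines that break the rules.
MASQUERADE_SAMPLE = b"""orig1@domain.com new1@domain.com inbound
orig2@domain.com\tnew2@domain.com\toutbound
orig3@domain.com new3@domain.com inbound/outbound
orig4@domain.com new4.com inbound
orig7.com new7@domain.com inbound
orig1@domain.com new9@domain.com inbound
orig5@domain.com, new5.com, outbound
orig6@domain.com new6.com
orig8.com new8@domain.com sideways
"""
```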
Configuring aliases
An alias is an email address that translates to one or more other email addresses. Windows users may understand this concept as a “distribution list.” You can add an alias as a convenient shortcut for typing a long list of recipients. An alias can also translate addresses from one top-level domain to another, such as from example.com to example-internetsecurity.com. Email addressed to kyi@example.com, for example, would be delivered to kyi@example-internetsecurity.com.
Note: The alias functionality available on the Settings > Aliases page is separate from LDAP aliases.
Note the following additional information about aliases:
Aliases are recursive. This means that an alias specified in the destination email address list is expanded as defined in the list of aliases.
Alias – Destination addresses
it@example.com – alro@example.com, oak@example.com, ops@example.com
ops@example.com – tla@example.com, bmi@example.com, map@example.com
In the example shown above, a message addressed to it@example.com would be delivered to the destination addresses for both it@example.com and ops@example.com, because it@example.com includes ops@example.com.
Alias transformation does not occur for messages passing through the Symantec MTA to the Internet. Alias transformation only applies to inbound or internal messages that pass through the Symantec MTA.
The system's inbound MTA checks email addresses in the SMTP envelope To: to determine if any transformations are needed. Transformed addresses are written back to the SMTP envelope To:. The contents of the message To: and Cc: headers are ignored and not changed.
Inbound address masquerading has precedence over aliases. If the same original email address or domain exists in both the address masquerading list and the aliases list, but the new address or domain is different, the message is routed to the new address or domain in the address masquerading list, not the aliases list.
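The recursion and precedence rules above, as an added Python example (not the product's MTA code) that rewrites an envelope To: list from a constructed alias table in the Settings > Aliases import-file format and a constructed inbound masquerade list; it assumes masquerading is checked on the original envelope recipient only, and that an address already visited in one expansion is not expanded again.

```python
# Constructed alias table written in the Settings > Aliases import-file format:
# the alias first, then its destinations, separated by spaces or tabs.
ALIAS_IMPORT = """\
it@example.com   alro@example.com oak@example.com ops@example.com
ops@example.com  tla@example.com bmi@example.com map@example.com
example.net      example-internetsecurity.com
"""

# Constructed inbound address-masquerading list (original -> replacement).
INBOUND_MASQUERADE = {
    "ops@example.com": "helpdesk@example-internetsecurity.com",
}


def load_aliases(text):
    """Parse import-file lines into {alias: [destinations]}; keys are lower-cased
    and are either a full address or a bare domain."""
    aliases = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 2:
            aliases[fields[0].lower()] = [f.lower() for f in fields[1:]]
    return aliases


def expand_alias(address, aliases, _seen=None):
    """Recursively expand one recipient through the alias list.

    An address alias is replaced by its destinations, each expanded in turn;
    a domain alias rewrites only the domain part. Assumption: an address met a
    second time in the same expansion is returned as-is instead of being
    expanded again, so a circular definition terminates.
    """
    address = address.lower()
    seen = set() if _seen is None else _seen
    if address in seen:
        return [address]
    seen.add(address)
    if address in aliases:
        expanded = []
        for dest in aliases[address]:
            expanded.extend(expand_alias(dest, aliases, seen))
        return expanded
    local, _, domain = address.rpartition("@")
    if domain in aliases:
        return [f"{local}@{aliases[domain][0]}"]
    return [address]


def rewrite_envelope_to(recipients, aliases, inbound_masquerade):
    """Apply the inbound MTA's rules to the SMTP envelope To: list and return the
    rewritten list without duplicates. Inbound masquerading wins over an alias
    for the same original address or domain; otherwise the alias is expanded.
    Message header To:/Cc: are never consulted. Assumption: masquerading is
    checked on the original envelope recipient only, not on alias destinations."""
    rewritten = []
    for rcpt in recipients:
        rcpt = rcpt.lower()
        local, _, domain = rcpt.rpartition("@")
        if rcpt in inbound_masquerade:
            targets = [inbound_masquerade[rcpt]]
        elif domain in inbound_masquerade:
            targets = [f"{local}@{inbound_masquerade[domain]}"]
        else:
            targets = expand_alias(rcpt, aliases)
        for target in targets:
            if target not in rewritten:
                rewritten.append(target)
    return rewritten
```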
Managing aliases
Follow these steps to add or edit aliases.
To add an alias
1
In the Control Center, click Settings > Aliases.
2
Click Add.
3
In the Add Aliases page, type the alias in the Alias domain or email address box:
Alias form – Examples
Email address (specify one user name and domain) – kyi@example.com
Domain (specify one domain from which email addresses should be translated) – example.com
4
Type a domain or one or more destination email addresses in the Domain or email addresses for this alias box:
Alias form – Examples
Email address (specify user name and domain for each email address; separate multiple email addresses with a comma, semicolon, or space) – oak@example.com, ops@example.com
Domain (specify one domain to which email addresses should be translated) – symantec-internetsecurity.com
5
Click Save.
To edit an alias
1
In the Control Center, click Settings > Aliases.
2
Click the alias or check the box next to an alias, and then click Edit.
3
In the Edit aliases page, modify the text in the Alias domain or email address box as desired.
4
Modify the text in the Domain or email addresses for this alias box as desired.
5
Click Save.
Importing aliases
Aliases can be imported from a text file. Each address in the text file must be separated with one or more spaces or tabs, or a combination of spaces and tabs. Commas or semicolons are not valid delimiters. In the import file, each line must contain an alias address followed by one or more destination addresses.
Following is a sample import file:
oak@example.com quercus@symantec-internetsecurity.com
ops@example.com tla@example.com bmi@example.com noadsorspam.com
To import aliases
1
In the Control Center, click Settings > Aliases.
2
Click Import.
3
On the Import Aliases page, enter or browse to the filename containing the list of aliases.
4
Click Import.
If entries in the import file are not specified correctly, do not match the required file format, or are duplicates, a message is displayed. You can click a link to download a file containing the unprocessed entries. Click Cancel to return to the main Aliases page to review the valid imported entries.
Configuring local domains
On the Local Domains page, you can view, add, edit, and delete local domains and email addresses for which inbound messages are accepted. When adding or editing a local domain, you can assign routing characteristics for messages accepted from the domain. You can also import lists of local domains, formatted as described in this section.
Use these procedures to manage local domains.
To add or edit a local domain or email address
1
In the Control Center, click Settings > Local Domains.
2
On the Local Domains page, click Add or Edit.
3
In Domain or email address from which to accept inbound mail, enter a local domain, subdomain, or email address.
The resulting behavior for each setting is as follows:
Setting – Syntax – Behavior
Domain name – company.com – The system accepts email for all recipients in the specified domain.
Subdomain – .company.com – The system accepts email for all recipients in all subdomains of the parent domain, but not in the parent domain.
Email address – user@company.com – The system accepts email only for the specified recipient.
You can also specify a destination host to which the domain or email address is routed via the Optional Destination Host field. You can specify both host name and port for the destination host as well as enable MX lookup.
If you do not specify a destination host here, the domain or email address is routed to the Inbound Relay you configure on the SMTP Settings page.
See SMTP Scanner settings.
4
Click Save to add the domain, subdomain, or email address to the list or to confirm your edits.
To delete a local domain or email address
1
In the Control Center, click Settings > Local Domains.
2
Select one or more local domains or email addresses from the list.
3
Click Delete.
Importing local domains and email addresses
Lists of local domain definitions and email addresses can be imported from a US-ASCII file whose format is similar to the sendmail mailertable. In the import file, place each domain definition on a line by itself. A domain definition consists of two whitespace-separated fields:
Domain name: A complete domain name, a subdomain name (with a leading dot), or an email address, with the same meaning as on the Local Domains page.
Destination: The destination type (mailer) and destination host name, written as mailer:host, optionally followed by :port. Only definitions with a destination type of SMTP or ESMTP are supported, and % backreferences are not supported. After import, ESMTP destination types are converted to SMTP. When the host name is enclosed in brackets, as in smtp:[destination.domain.com], MX lookup is not performed for the destination host.
Here is a sample import file:
local1@domain.com smtp:local1.com
local2@domain.com smtp:local2.com:20
local3@domain.com smtp:[local3.com]:30
local4@domain.com smtp:[local4.com]
.local5.com smtp:[192.168.248.105]
local6.com smtp:[192.168.248.106]:60
To import a list of local domains
1
In the Control Center, click Settings > Local Domains.
2
Click Import.
3
On the Import Local Domains page, enter or browse to the file containing the list of domain definitions.
4
Click Import.
If entries in the import file do not match the required file format, an error message with a link appears. Click on the link to download a file containing the unprocessed entries.
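To see what the import step accepts and what ends up in the downloadable file of unprocessed entries, here is an added validator for this format. It was written for this edit and is not Symantec code; it applies the rules stated above (US-ASCII, one definition per line, SMTP or ESMTP mailers only, no % backreferences, bracketed host means no MX lookup, ESMTP becomes SMTP) and additionally rejects duplicate definitions, which the Control Center also reports. The file below is constructed for the example: its first six lines are the manual's sample, the remaining lines are deliberately invalid.

```python
"""Validate a local-domain import file in the mailertable-like format above.

Added example, not Symantec code. Accept/reject rules follow the format
description in the manual; the sample file is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")          # company.com
SUBDOMAIN_RE = re.compile(rf"^\.(?:{LABEL}\.)+{LABEL}$")     # .company.com
EMAIL_RE = re.compile(rf"^[^@\s]+@(?:{LABEL}\.)+{LABEL}$")   # user@company.com
HOST_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")            # host name or IPv4 literal
DEST_RE = re.compile(
    r"^(?P<mailer>[A-Za-z]+):(?P<host>\[[^\]\s]+\]|[^\s:\[\]]+)(?::(?P<port>\d{1,5}))?$"
)

# Constructed sample: lines 1-6 are the manual's sample, 7-11 exercise the rules.
SAMPLE_IMPORT = """\
local1@domain.com smtp:local1.com
local2@domain.com smtp:local2.com:20
local3@domain.com smtp:[local3.com]:30
local4@domain.com smtp:[local4.com]
.local5.com smtp:[192.168.248.105]
local6.com smtp:[192.168.248.106]:60
local7.com esmtp:mail.local7.com
local8.com local:localuser
local9.com smtp:%1.local9.com
local10.com
local1@domain.com smtp:dup.local1.com
"""


@dataclass
class LocalDomain:
    pattern: str          # domain, .subdomain or address accepted for inbound mail
    kind: str             # "domain", "subdomain" or "email"
    host: str             # destination host with brackets removed
    port: Optional[int]   # None = default SMTP port
    mx_lookup: bool       # False when the host was written in brackets


def classify(lhs: str) -> Optional[str]:
    if "@" in lhs:
        return "email" if EMAIL_RE.match(lhs) else None
    if lhs.startswith("."):
        return "subdomain" if SUBDOMAIN_RE.match(lhs) else None
    return "domain" if DOMAIN_RE.match(lhs) else None


def parse_line(line: str) -> LocalDomain:
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected '<domain> <mailer>:<host>[:port]'")
    lhs, dest = parts
    kind = classify(lhs)
    if kind is None:
        raise ValueError(f"invalid domain, subdomain or email address {lhs!r}")
    if "%" in dest:
        raise ValueError("% backreferences are not supported")
    m = DEST_RE.match(dest)
    if not m:
        raise ValueError(f"malformed destination {dest!r}")
    mailer = m.group("mailer").lower()
    if mailer not in ("smtp", "esmtp"):      # esmtp is accepted and becomes smtp
        raise ValueError(f"unsupported mailer {mailer!r}; only smtp or esmtp")
    raw_host = m.group("host")
    host = raw_host.strip("[]")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid destination host {host!r}")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return LocalDomain(lhs.lower(), kind, host, port, mx_lookup=not raw_host.startswith("["))


def parse_import(text: str) -> Tuple[List[LocalDomain], List[Tuple[int, str, str]]]:
    """Return (accepted entries, rejected entries as (line number, line, reason))."""
    accepted: List[LocalDomain] = []
    rejected: List[Tuple[int, str, str]] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            if not raw.isascii():
                raise ValueError("file must be US-ASCII")
            entry = parse_line(line)
            if entry.pattern in seen:
                raise ValueError(f"duplicate definition for {entry.pattern}")
            seen.add(entry.pattern)
            accepted.append(entry)
        except ValueError as err:
            rejected.append((lineno, raw, str(err)))
    return accepted, rejected


def unprocessed_entries(rejected: List[Tuple[int, str, str]]) -> str:
    """Content of the 'unprocessed entries' download, one rejected line per line."""
    return "".join(f"{line}    # line {n}: {why}\n" for n, line, why in rejected)


if __name__ == "__main__":
    ok, bad = parse_import(SAMPLE_IMPORT)
    for e in ok:
        print(f"{e.kind:9} {e.pattern:20} -> {e.host}:{e.port or 25} mx_lookup={e.mx_lookup}")
    print(unprocessed_entries(bad))
```

Run it before uploading a large file: anything listed by unprocessed_entries would be refused by the Control Center as well, and the duplicate check catches the case where the same address is routed to two different hosts, which silently depends on which line is processed first.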
Understanding spam settings
The following types of spam settings are available in Symantec Mail Security:
Configuring suspected spam
Choosing language identification type
Software acceleration
Configuring spam settings
Configuring suspected spam
Note: This feature is only available if you are running Symantec Premium AntiSpam (SPA). If you would like to know more about this feature, contact your Symantec representative.
When evaluating whether messages are spam, Symantec Mail Security calculates a spam score from 1 to 100 for each message, based on techniques such as pattern matching and heuristic analysis. If an email scores in the range of 90 to 100 after being filtered, it is defined as spam.
For more aggressive filtering, you can optionally define a discrete range of scores from 25 to 89. Messages that score within this range are considered "suspected spam." Unlike spam, whose threshold is determined by Symantec and not subject to adjustment by administrators, the trigger for suspected spam is yours to adjust. Using policies, you can specify different actions for messages identified as suspected spam and messages identified as spam by Symantec.
For example, assume that you have configured your suspected spam scoring range to encompass scores from 80 through 89. If an incoming message receives a spam score of 83, Symantec Mail Security considers this message to be suspected spam and applies the action you have in place for suspected spam messages, such as Modify the Subject line (tagging the subject line). Messages that score 90 or above are not affected by the suspected spam scoring setting, and are subject to the action you have in place for spam messages, such as Hold message in Spam Quarantine.
Note: Symantec recommends that you not adjust the suspected spam threshold until you have some visibility into the filtering patterns at your site. Then, gradually move the threshold down 1 to 5 points per week until the number of false positives reaches the highest level acceptable to you. A good way to test the effects of spam scoring is to set up a designated mailbox or user to receive false positive notifications, so that you can monitor the effect of each change to the threshold.
Choosing language identification type
Language identification is the ability to block or allow messages written in a specified language. For example, you can choose to allow only English and Spanish messages, or to block messages in English and Spanish and allow messages in all other languages.
You can use one of the following two types of language identification:
Language identification offered by Symantec Mail Security: Processing takes place within Symantec Mail Security, and no further software needs to be installed. Using the Policies > Group Policies > Edit > Language tab, administrators can set language preferences or allow users to set language preferences.
Language identification offered by the Symantec Outlook Spam Plug-in: Processing takes place on each user's computer, and each user must install the Symantec Outlook Spam Plug-in. Users set their own language preferences.
Software acceleration
It is possible to increase the speed at which your software operates. Doing so will increase your need for system memory. Software acceleration is turned off by default. You can enable software acceleration on the Settings > Spam page.
Configuring spam settings
You can use the Spam Settings page to configure settings for suspected spam, language identification, and software acceleration.
To configure spam settings
1
In the Control Center, click Settings > Spam.
2
Under Do you want messages to be flagged as suspected spam?, click Yes.
3
Click and drag the slider to increase or decrease the lower limit of the range for suspected spam. You can also type a value in the box.
4
Under Do you want to enable Language Identification, click Yes or No:
Yes: Click Yes if users will use the Symantec Outlook Spam Plug-in for language identification. Built-in language identification is disabled, and cannot be accessed on the Edit Group page.
No: Click No to use the built-in language identification. Symantec Outlook Spam Plug-in language identification will not work if you click No.
5
Under Software acceleration, check Enable spam software acceleration.
6
Click Save.
Configuring virus settings
The following types of virus settings are available in Symantec Mail Security:
Configuring LiveUpdate
Excluding files from virus scanning
Configuring Bloodhound settings
Configuring LiveUpdate
LiveUpdate is the process by which your system receives current virus definitions from Symantec Security Response.
Configuring Rapid Response updates
Rapid Response updates retrieve the very latest virus definitions from Symantec Security Response. While Rapid Response definitions are published more frequently (every 10 minutes) than automatic update definitions, they are not as thoroughly tested.
To receive Rapid Response updates
1
Click Settings > Virus.
2
On the LiveUpdate tab click Enable Rapid Response updates.
Symantec Mail Security checks every 10 minutes after this setting is saved.
3
Click Save.
Working with LiveUpdate
Follow these procedures to view LiveUpdate status, start LiveUpdate, schedule LiveUpdate to run automatically, and establish a source for download of LiveUpdate virus definitions.
To view LiveUpdate status
1
Click Settings > Virus.
The top portion of the LiveUpdate tab shows the time of the last update attempt, its status, and the update version number.
2
Click View Manifest to view a complete list of virus definitions contained in this update.
To initiate a LiveUpdate
1
Click Settings > Virus.
2
On the LiveUpdate tab, click the LiveUpdate Now button.
To set the automatic update schedule
1
Click Settings > Virus.
2
To stop automatic updates, on the LiveUpdate tab click Disable automatic updates.
3
To start automatic updates, click Enable automatic updates on the following schedule.
4
Specify a day or days of the week and time at which to begin LiveUpdates.
5
Specify the frequency with which LiveUpdate runs after the first time.
Excluding files from virus scanning
You can exclude specific classes and formats of files (such as .wav or MIDI) from being scanned by Symantec Mail Security.
To exclude a class and format of file from virus scanning
1
Click Settings > Virus.
2
Click the Exclude Scanning tab.
3
Click Add to create a definition of files for exclusion from virus scanning.
4
Name the definition by placing a value in Exclude scanning list name.
5
In the File Classes list, choose All File Classes or a specific class such as Sound File Format.
6
If you choose to exclude specific file classes, you can also select the types of files in that class to be excluded in the File Type list.
7
Click the Add File Classes or Add File Types button.
8
Click Save to store a list.
Configuring Bloodhound settings
The Bloodhound level determines the way in which the system uses heuristics to flag viruses. Symantec Mail Security uses Symantec Bloodhound™ heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses.
Bloodhound requires minimal overhead because it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.
Lower heuristic levels may miss viruses, but consume less processing power, potentially speeding incoming mail processing. Higher heuristic levels may catch more viruses, but consume more processing power, potentially slowing incoming mail processing.
To set the Bloodhound Level
1
Click Settings > Virus.
2
Click the Bloodhound tab.
3
Under Bloodhound Level, click High, Medium, Low, or Off.
4
Click Save.
Configuring invalid recipient handling
By default, when an email message arrives addressed to your domain, but is not addressed to a valid user, Symantec Mail Security passes the message to the internal mail server. The internal mail server may either accept the message and generate a bounce message for that recipient, or the internal mail server may reject the recipient, in which case Symantec Mail Security generates a bounce message for the recipient. Upon receiving the bounce message, the sender can resend the original message with the correct address. However, messages with invalid recipients can also result from a spammer's directory harvest attack.
You can drop all messages for invalid recipients using the Drop messages for invalid recipients action described below. There is a Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attacks page that only removes invalid recipients if a directory harvest attack is occurring. These two settings can be combined or enabled individually.
Note: Dropping messages for invalid recipients is an extreme measure. Enabling it may prevent diagnosis of serious problems with your email configuration, so only enable it after you're sure your email system is stable. Also, if enabled, even accidentally mis-addressed messages will be dropped, and no bounce message sent. The Remove invalid recipients action available on the Policies > Attacks > Directory Harvest Attack page is a less extreme measure.
To configure invalid recipient handling
1
In the Control Center, click Settings > Invalid Recipients.
2
Do one of the following:
Uncheck Drop messages for invalid recipients to return bounce messages to the sender for invalid addresses.
Check Drop messages for invalid recipients to drop messages addressed to invalid recipients from the mail stream and return no bounce messages to the sender. For this setting to take effect, a full synchronization and replication cycle must be completed.
This setting is independent of the Directory Harvest Attack Email Firewall policy, and can be used in conjunction with it.
3
Click Save.
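The two controls above interact: the global Drop messages for invalid recipients setting always suppresses the bounce, while the Remove invalid recipients action does so only while a directory harvest attack (as defined for the Directory harvest attack verdict in Table 4-1: a number of non-existent recipient addresses from the same IP address) is in progress. The following added example, written for this edit and not Symantec code, models that decision per RCPT TO command with a sliding window per source IP. The threshold, window, valid-address list and the SMTP events are constructed for the example; the product's real attack-detection parameters are set on the Policies > Attacks page and are not reproduced here.

```python
"""Invalid-recipient handling and directory harvest attack (DHA) detection.

Added example, not Symantec code. Models the global drop setting and the
DHA-only 'Remove invalid recipients' action. All parameters and events are
constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class InvalidRecipientPolicy:
    dha_threshold: int = 5              # invalid recipients from one IP ... (assumed)
    dha_window_s: int = 60              # ... within this many seconds = attack (assumed)
    drop_invalid_always: bool = False   # Settings > Invalid Recipients checkbox


class RecipientFilter:
    def __init__(self, valid_addresses: Set[str], policy: InvalidRecipientPolicy):
        self.valid = {a.lower() for a in valid_addresses}   # from LDAP synchronization
        self.policy = policy
        self.invalid_hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> None:
        q = self.invalid_hits[ip]
        while q and now - q[0] > self.policy.dha_window_s:
            q.popleft()

    def under_attack(self, ip: str, now: float) -> bool:
        """True while the IP has reached the invalid-recipient threshold in the window."""
        self._prune(ip, now)
        return len(self.invalid_hits[ip]) >= self.policy.dha_threshold

    def rcpt(self, now: float, ip: str, address: str) -> str:
        """Disposition of one RCPT TO command from ip:
        accept - valid recipient, deliver normally
        bounce - invalid recipient, default behaviour: the internal server or
                 Symantec Mail Security returns a bounce to the sender
        drop   - invalid recipient silently dropped by the global setting
        remove - invalid recipient silently removed because a DHA from this IP
                 is in progress (Remove invalid recipients action)
        The global drop setting is checked first; when both are enabled it wins.
        """
        if address.lower() in self.valid:
            return "accept"
        self._prune(ip, now)
        self.invalid_hits[ip].append(now)
        if self.policy.drop_invalid_always:
            return "drop"
        if self.under_attack(ip, now):
            return "remove"
        return "bounce"


def run(events: List[Tuple[float, str, str]], valid: Set[str],
        policy: InvalidRecipientPolicy) -> List[str]:
    f = RecipientFilter(valid, policy)
    return [f.rcpt(t, ip, addr) for t, ip, addr in events]


# Constructed input: (seconds, client IP, RCPT TO address).
VALID_USERS = {"alice@company.com", "bob@company.com"}
EVENTS = [
    (0,   "198.51.100.9", "alice@company.com"),   # legitimate sender
    (1,   "198.51.100.9", "bobb@company.com"),    # a typo: sender should get a bounce
    (10,  "203.0.113.7",  "aaron@company.com"),   # harvester walking a name list
    (11,  "203.0.113.7",  "abby@company.com"),
    (12,  "203.0.113.7",  "adam@company.com"),
    (13,  "203.0.113.7",  "alan@company.com"),
    (14,  "203.0.113.7",  "alice@company.com"),   # a real address in the list
    (15,  "203.0.113.7",  "alex@company.com"),    # fifth invalid: threshold reached
    (16,  "203.0.113.7",  "amy@company.com"),
    (200, "203.0.113.7",  "andy@company.com"),    # window expired: back to bounce
]

if __name__ == "__main__":
    for (t, ip, addr), verdict in zip(EVENTS, run(EVENTS, VALID_USERS, InvalidRecipientPolicy())):
        print(f"t={t:3} {ip:13} {addr:20} {verdict}")
```

Note what the default policy does to the harvester: the first four probes still receive bounces, which is exactly the information a directory harvest is after. That is the trade-off the manual's note describes: the global drop setting closes that gap at the cost of never telling a genuine sender about a typo, whereas the DHA action only removes recipients once the pattern is established and reverts when the window expires.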
Configuring scanning settings
Use the Scanning Settings page to configure container settings and content filtering settings.
Configuring container settings
When Symantec Mail Security processes certain zip files and other types of compressed files, these files can expand to the point where they deplete system memory. Such container files are often referred to as "zip bombs." Symantec Mail Security handles such situations by automatically sidelining large attachments and stripping the attachments. The presumption is that such a file can be a zip bomb and should not be allowed to deplete system resources. The file is sidelined only because of its size, not because of any indication that it contains a virus.
You can specify this size threshold and the maximum extraction level that Symantec Mail Security will process in memory, as well as a time limit forscanning containers. If the configured limits are reached, Symantec Mail Security will automatically perform the action designated for the “unscannable” category in the Group Policies settings.
To configure container settings
1
In the Control Center, click Settings > Scanning.
2
Under Container Settings, specify a number in the Maximum container scan depth box.
A container is unscannable for viruses if the nested depth in a container file (such as a .zip file or email message) exceeds the number specified. Do not set this value too high or you could be vulnerable to denial of service attacks or zip bombs, which contain many levels of nested files.
3
Specify a number in the Maximum time to open container box and click Seconds, Minutes, or Hours.
A container is unscannable for viruses if the specified time elapses during a scan of container attachments (such as .zip files). Use this setting to detect containers that don't exceed the other container settings, but include container nesting, many files, large files, or a combination of these.
4
Specify a number in the Maximum individual file size when opened box and click KB, MB, or GB.
A container is unscannable for viruses if any individual component of the container when unpacked exceeds the size specified.
5
Specify a number in the Maximum accumulated file size when opened box and click KB, MB, or GB.
A container is unscannable for viruses if the total size of all the files in a container when unpacked exceeds the size specified.
6
Click Save.
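The four limits above are the standard defense against decompression bombs, and the order in which they are checked matters. The following added example, written for this edit and not Symantec code, applies them to ZIP attachments in memory and returns the "unscannable" outcome the manual describes when any limit is hit. Declared sizes from the archive's central directory are checked before anything is decompressed, and the read itself is capped as well so a member whose header lies about its size cannot exhaust memory. The limit values and the test archives are constructed for the example.

```python
"""Container limits against zip bombs: depth, time, individual and accumulated size.

Added example, not Symantec code. Applies the four Container Settings limits to
ZIP data and reports 'unscannable' when any limit is reached. Limit values and
the archives built below are constructed for the example.
"""
import io
import time
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ContainerLimits:
    max_depth: int = 10                 # Maximum container scan depth
    max_seconds: float = 5.0            # Maximum time to open container
    max_file_bytes: int = 10 << 20      # Maximum individual file size when opened
    max_total_bytes: int = 100 << 20    # Maximum accumulated file size when opened


class Unscannable(Exception):
    """A limit was reached; the policy's 'unscannable' action applies to the message."""


class ContainerScanner:
    def __init__(self, limits: ContainerLimits):
        self.limits = limits

    def scan(self, data: bytes) -> Tuple[List[Tuple[str, int]], int]:
        """Return ([(member path, unpacked size)], accumulated bytes) or raise Unscannable."""
        self.members: List[Tuple[str, int]] = []
        self.total = 0
        self.deadline = time.monotonic() + self.limits.max_seconds
        self._scan(data, depth=1, prefix="")
        return self.members, self.total

    def _scan(self, data: bytes, depth: int, prefix: str) -> None:
        if depth > self.limits.max_depth:
            raise Unscannable(f"nesting depth {depth} exceeds {self.limits.max_depth}")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if time.monotonic() >= self.deadline:
                    raise Unscannable("time limit reached while opening container")
                # Declared sizes first: an honest bomb announces its unpacked size
                # in the central directory, so reject it before decompressing.
                if info.file_size > self.limits.max_file_bytes:
                    raise Unscannable(f"{prefix}{info.filename}: {info.file_size} bytes exceeds individual limit")
                if self.total + info.file_size > self.limits.max_total_bytes:
                    raise Unscannable(f"{prefix}{info.filename}: accumulated size would exceed total limit")
                payload = self._read_capped(zf, info)
                self.total += len(payload)    # nested archives count towards the total too
                path = prefix + info.filename
                if payload.startswith(b"PK\x03\x04"):     # nested ZIP: one level deeper
                    self._scan(payload, depth + 1, path + "/")
                else:
                    self.members.append((path, len(payload)))

    def _read_capped(self, zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> bytes:
        # Defense in depth: do not trust the header. Read at most one byte past the
        # remaining allowance, so a forged size can never make us buffer more.
        cap = min(self.limits.max_file_bytes, self.limits.max_total_bytes - self.total)
        with zf.open(info) as fh:
            payload = fh.read(cap + 1)
        if len(payload) > cap:
            raise Unscannable(f"{info.filename}: unpacked data exceeds the configured limit")
        return payload


def check_container(data: bytes, limits: ContainerLimits) -> Tuple[str, str]:
    try:
        members, total = ContainerScanner(limits).scan(data)
        return "scanned", f"{len(members)} file(s), {total} bytes unpacked"
    except Unscannable as err:
        return "unscannable", str(err)


# Constructed test archives.
def make_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(levels: int, payload: bytes) -> bytes:
    """ZIP inside ZIP, `levels` deep; the innermost archive holds payload.txt."""
    data = make_zip({"payload.txt": payload})
    for i in range(levels - 1):
        data = make_zip({f"level{i}.zip": data})
    return data


BENIGN = make_zip({"report.txt": b"quarterly numbers\n" * 10})
BIG_MEMBER = make_zip({"zeros.bin": b"\0" * (2 << 20)})                          # 2 MB unpacked, ~2 KB packed
MANY_PARTS = make_zip({f"part{i}.bin": b"\0" * (600 * 1024) for i in range(4)})  # 4 x 600 KB

if __name__ == "__main__":
    for name, data, limits in [
        ("benign", BENIGN, ContainerLimits()),
        ("deep", nested_zip(4, b"x"), ContainerLimits(max_depth=3)),
        ("big member", BIG_MEMBER, ContainerLimits(max_file_bytes=1 << 20)),
        ("accumulated", MANY_PARTS, ContainerLimits(max_file_bytes=1 << 20, max_total_bytes=2 << 20)),
    ]:
        print(name, *check_container(data, limits))
```

Two points carry over to the product settings. The time limit is the catch-all: an archive can stay under every size limit and still be expensive if it holds thousands of small members or many nesting levels, which is why the manual tells you to keep Maximum time to open container set even when the size limits are generous. And the accumulated limit, not the individual one, is what stops the "many medium files" variant of the bomb, as the MANY_PARTS case shows.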
Configuring content filtering settings
In addition to checking plain text files against words as defined in content-related policies, Symantec Mail Security can check attachments that are not plain-text files against dictionaries. While such checking maximizes the effect of content filtering, it can also impact the system load and slow down email filtering.
To check attachments that are not plain text against your dictionaries
1
Click Settings > Scanning.
2
In Content Control Settings, check Enable searching of non-plain text attachments for words in dictionaries.
This can decrease system efficiency.
3
Click Save.
Chapter 4: Configuring email filtering
This chapter includes the following topics:
About email filtering
Creating groups and adding members
Assigning filter policies to a group
Managing Group Policies
Creating virus, spam, and compliance filter policies
Managing Email Firewall policies
Configuring Sender Authentication
Managing policy resources
About email filtering
Although Symantec Mail Security provides default settings for dealing with spam and viruses, you will likely want to tailor the actions taken on spam and viruses to suit your requirements. Content filtering and Email Firewall policies offer further methods of managing mail flow into and out of your organization.
Symantec Mail Security provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.
You can specify groups of users basedon emailaddresses, domain names,or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict.
Each category of email includes one or more verdicts. Verdicts are the conclusions reached on a message by the filtering process. Symantec Mail Security performs actions on a message based on the verdict applied to that message, and the groups that include the message recipient as a member.
Table 4-1 describes filtering verdicts by filtering category.
Table 4-1: Filtering verdicts by category
Email Firewall
  Directory harvest attack: The connection is blocked because an attempt is underway to capture valid email addresses. A directory harvest attack is accomplished by sending email to your domain for a specified number of non-existent recipient addresses from the same IP address.
  Spam attack: The connection is blocked because a specified quantity of spam messages has been received from a particular IP address.
  Virus attack: The connection is blocked because a specified quantity of infected messages has been received from a particular IP address.
Virus
  Virus: The email is flagged because it contains a virus, based on current Symantec virus filters.
  Mass-mailing worm: The email is flagged because it contains a mass-mailing worm, based on current virus filters from Symantec.
  Unscannable for viruses: The email is flagged because it exceeds the container limits configured on the Scanning Settings page, or because it is unscannable for other reasons, such as the email or an attachment containing malformed MIME.
  Encrypted attachment: The email is flagged because it contains an attachment that is encrypted or password-protected and therefore cannot be scanned.
  Spyware or adware: The email is flagged because it contains any of the following types of security risks: spyware, adware, hack tools, dialers, joke programs, or remote access programs. See Security risks for descriptions of these risks.
  Suspicious attachment: The email is flagged because an attachment shows virus-like signs, or because a suspicious new pattern of message flow involving this attachment has been detected.
Spam
  Spam: The email is flagged as spam, based on current spam filters from Symantec.
  Suspected spam: The email is flagged as suspected spam because its spam score falls within the configurable suspected spam range (see Configuring suspected spam).
Content Compliance
  Any part of a message (body, subject, or attachment): The email is flagged because it contains keywords in your configurable dictionary.
  Attachment type: The email is flagged because it contains a specific attachment type, as defined by file extension, MIME type, or true file type.
  Attachment content: The email is flagged because specific text appears with a specific frequency in its attachments.
  Subject: The email is flagged based on the text in the Subject: line.
  From: Address: The email is flagged based on the text in the From: address.
  To: Address: The email is flagged based on the text in the To: address.
  Cc: Address: The email is flagged based on the text in the Cc: address.
  Bcc: Address: The email is flagged based on the text in the Bcc: address.
  To:/Cc:/Bcc: Address: The email is flagged based on the text in the To:, Cc:, or Bcc: address.
  From:/To:/Cc:/Bcc: Address: The email is flagged based on the text in the From:, To:, Cc:, or Bcc: address.
  Envelope Sender: The email is flagged because its envelope contains a particular sender address.
  Envelope Recipient: The email is flagged because its envelope contains a particular recipient address.
  Envelope HELO: The email is flagged because its envelope contains a particular SMTP HELO domain.
  Message Header: The email is flagged because it contains a particular header.
  Message Size: The email is flagged because it is a particular size.
  Body: The email is flagged based on the text in the body.
  For all messages: All email not filtered by a higher precedence policy is flagged.
See Notes on filtering actions for additional limitations.
Table 4-2 describes the filtering actions available for each verdict. In the original table the verdict columns are Content Compliance; Spam and Suspected Spam; Virus; Virus attack; and Directory harvest attack. Each action below names the verdicts for which it is available; where the original marks fewer than all five columns and the column cannot be recovered from the description, this is stated.
Table 4-2: Filtering actions by verdict
Add a header (all verdicts): Add an X-header to the message.
Add annotation (all verdicts): Insert predefined text into the message (a disclaimer, for example).
Add BCC recipients (all verdicts): Blind carbon copy the message to the designated SMTP address(es).
Archive the message (all verdicts): Deliver the original message and forward a copy to the designated SMTP address and, optionally, host.
Clean the message (Virus): Delete unrepairable virus infections and repair repairable virus infections.
Defer SMTP connection (two verdict columns; as a connection-level response this applies to the Email Firewall attack verdicts, Virus attack and Directory harvest attack): Using a 4xx SMTP response code, tell the sending MTA to try again later.
Delete the message (all verdicts): Delete the message.
Deliver the message normally (all verdicts): Deliver the message. Viruses and mass-mailing worms are neither cleaned nor deleted.
Deliver message to the recipient's Spam folder (all verdicts): Deliver the message to end-user Spam folder(s). Requires the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino.
Forward the message (all verdicts): Forward the message to designated SMTP address(es).
Hold message in Spam Quarantine (all verdicts): Send the message to the Spam Quarantine.
Hold message in Suspect Virus Quarantine (Virus; suspicious attachment verdict only): Hold the message in the Suspect Virus Quarantine for a configured number of hours (default is six hours), then refilter it using new virus definitions, if available.
Modify the Subject line (all verdicts): Add a tag to the message's Subject: line.
Reject SMTP connection (two verdict columns; as a connection-level response this applies to the Email Firewall attack verdicts, Virus attack and Directory harvest attack): Using a 5xx SMTP response code, notify the sending MTA that the message is not accepted.
Remove invalid recipients (Directory harvest attack): If a directory harvest attack is taking place, remove each invalid recipient rather than sending a bounce message to the sender. You must complete LDAP synchronization and Scanner replication before enabling this feature.
Route the message (all verdicts): Route the message using the designated SMTP host.
Save to disk (all verdicts): Save the message to a standard location on the Scanner computer. On Solaris or Linux, you must specify a writable directory.
Send a bounce message (all verdicts): Return the message to its From: address with a custom response, and deliver it to the recipient. Optionally, the original message can be included.
Send notification (all verdicts): Deliver the original message and send a predefined notification to designated SMTP address(es), with or without attaching the original message.
Strip and hold in Suspect Virus Quarantine (Virus; suspicious attachment verdict only): Remove all message attachments, hold the message with its attachments in Suspect Virus Quarantine, and deliver the message without attachments after a configured number of hours (default is six hours). The held message is released and rescanned after the configured number of hours.
Strip attachments (three of the five verdict columns are marked in the original; which three does not survive in this copy): Remove all attachments according to a specific attachment list.
Treat as a blocked sender (Content Compliance): Process the message using the action(s) specified in the domain-based Blocked Senders List. Applies even if the domain-based Blocked Senders List is disabled, and applies to inbound messages only.
Treat as a mass-mailing worm (Content Compliance): Process the message using the action(s) specified in the associated worm policy. The message is delivered normally if the worm policy is disabled or does not apply because of message direction.
Treat as an allowed sender (Content Compliance): Process the message using the action(s) specified in the domain-based Allowed Senders List. Applies even if the domain-based Allowed Senders List is disabled, and applies to inbound messages only.
Treat as a virus (Content Compliance): Process the message using the action(s) specified in the associated virus policy. The message is delivered normally if the virus policy is disabled or does not apply because of message direction.
Treat as spam (Content Compliance): Process the message using the action(s) specified in the associated spam policy. The message is delivered normally if the spam policy is disabled or does not apply because of message direction.
Treat as suspected spam (Content Compliance): Process the message using the action(s) specified in the associated suspected spam policy. The message is delivered normally if the suspected spam policy is disabled or does not apply because of message direction.
Notes on filtering actions
When using Table 4-2, consider the following limitations:
All Virus verdicts except suspicious attachment share the same available actions. Two additional actions, Hold message in Suspect Virus Quarantine and Strip and hold in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.
All Spam verdicts share the same available actions.
All Content Compliance verdicts share the same available actions.
Messages from senders in the Allowed Senders Lists bypass spam filtering.
When using the Modify the Subject line action, you can specify the character set encoding to use. If the encoding you choose differs from the encoding used by the original message, either the message or the modified subject line will not be displayed correctly.
When using the Save to disk action on Solaris, Linux, or Windows, you must specify a writable directory.
By default, inbound and outbound messages containing a virus are cleaned of the virus. Inbound and outbound messages containing a mass-mailing worm, and unscannable messages (including malformed MIME messages), are deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.
Multiple actions per verdict
Within a filtering policy, you can create compound actions, performing multiple actions for a particular verdict.
An example follows:
1
Defining a virus policy, the administrator selects the Virus verdict and then assigns the actions Clean the message, Add annotation, and Send notification to the policy.
2
Defining a Group Policy, the administrator assigns members then selects the new virus policy.
3
An email message is received whose recipients include someone in the new Group Policy.
4
Symantec Mail Security cleans the message, annotates it, then sends a notification to its intended recipients.
Table 4-3 lists the limitations on combining actions within a filtering policy. Action names follow Table 4-2: the original table's Quarantine the message, Strip and delay, and Delay message delivery refer to Hold message in Spam Quarantine, Strip and hold in Suspect Virus Quarantine, and Hold message in Suspect Virus Quarantine respectively.
Table 4-3: Compatibility of filtering actions by verdict
For each action: the actions it is compatible with, and whether it can be added to the same policy more than once.
Add a header
  Compatible with: any action except Delete the message
  Multiple times: No
Add annotation
  Compatible with: any action except Delete the message
  Multiple times: One for header or one for footer, but not both
Add BCC recipients
  Compatible with: any action except Delete the message
  Multiple times: Yes
Archive the message
  Compatible with: any action
  Multiple times: No
Clean the message
  Compatible with: any action except Delete the message
  Multiple times: No
Defer SMTP connection
  Compatible with: cannot be used with other actions
  Multiple times: No
Delete the message
  Compatible with: Send a bounce message, Send notification, Archive the message
  Multiple times: No
Deliver the message normally
  Compatible with: any action except Hold message in Suspect Virus Quarantine, Delete the message, Hold message in Spam Quarantine, and Strip and hold in Suspect Virus Quarantine
  Multiple times: No
Deliver the message to the recipient's Spam folder
  Compatible with: any action except Delete the message
  Multiple times: No
Forward the message
  Compatible with: any action except Delete the message
  Multiple times: Yes
Hold message in Spam Quarantine
  Compatible with: any action except Hold message in Suspect Virus Quarantine, Deliver the message normally, Delete the message, and Strip and hold in Suspect Virus Quarantine. If used with Deliver the message to the recipient's Spam folder, affected messages are quarantined, but if released from Spam Quarantine they are delivered to the recipient's Spam folder.
  Multiple times: No
Modify the Subject line
  Compatible with: any action except Delete the message
  Multiple times: One for prepend and one for append
Reject SMTP connection
  Compatible with: cannot be used with other actions
  Multiple times: No
Remove invalid recipients
  Compatible with: any action except Delete the message
  Multiple times: No
Route the message
  Compatible with: any action except Delete the message
  Multiple times: No
Save to disk
  Compatible with: any action
  Multiple times: No
Send notification
  Compatible with: any action except Delete the message
  Multiple times: No
Send a bounce message
  Compatible with: any action
  Multiple times: No
Strip and hold in Suspect Virus Quarantine
  Compatible with: any action except Delete the message, Deliver the message normally, Hold message in Spam Quarantine, and Hold message in Suspect Virus Quarantine
  Multiple times: No
Strip attachments
  Compatible with: any action except Delete the message
  Multiple times: Yes
Treat as a blocked sender
  Compatible with: cannot be used with other actions
  Multiple times: No
Treat as a mass-mailing worm
  Compatible with: cannot be used with other actions
  Multiple times: No
Treat as an allowed sender
  Compatible with: cannot be used with other actions
  Multiple times: No
Treat as a virus
  Compatible with: cannot be used with other actions
  Multiple times: No
Treat as spam
  Compatible with: cannot be used with other actions
  Multiple times: No
Treat as suspected spam
  Compatible with: cannot be used with other actions
  Multiple times: No
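The compatibility rules in Table 4-3 are easier to apply, and to review in a change request, as data than as prose. The following added example, written for this edit and not Symantec code, transcribes the table into rule sets and checks a compound action list for one verdict against them. Two assumptions are marked in the code: Hold message in Suspect Virus Quarantine has no row of its own in Table 4-3, so its incompatibilities are mirrored from the rows that mention it; and the Delete the message row lists Send notification as compatible while the Send notification row excludes Delete the message, so the stricter reading (a conflict) is used. The Add annotation row is read literally (one annotation in total, at header or footer).

```python
"""Check a verdict's action list against the combination rules in Table 4-3.

Added example, not Symantec code. Rule data transcribes Table 4-3 using the
action names from Table 4-2. Marked assumptions: the SVQ row is mirrored from
the rows that mention it; Delete + Send notification is treated as a conflict.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

DELETE = "Delete the message"
DELIVER = "Deliver the message normally"
SPAM_Q = "Hold message in Spam Quarantine"
SVQ = "Hold message in Suspect Virus Quarantine"
STRIP_HOLD = "Strip and hold in Suspect Virus Quarantine"

# "Can't be used with other actions"
EXCLUSIVE: Set[str] = {
    "Defer SMTP connection", "Reject SMTP connection", "Treat as a blocked sender",
    "Treat as a mass-mailing worm", "Treat as an allowed sender", "Treat as a virus",
    "Treat as spam", "Treat as suspected spam",
}
# "Any"
ANY: Set[str] = {"Archive the message", "Save to disk", "Send a bounce message"}
# "Any except ..." (stricter reading kept for Send notification: assumption)
EXCEPT: Dict[str, Set[str]] = {a: {DELETE} for a in (
    "Add a header", "Add annotation", "Add BCC recipients", "Clean the message",
    "Deliver the message to the recipient's Spam folder", "Forward the message",
    "Modify the Subject line", "Remove invalid recipients", "Route the message",
    "Send notification", "Strip attachments",
)}
EXCEPT.update({
    DELIVER: {SVQ, DELETE, SPAM_Q, STRIP_HOLD},
    SPAM_Q: {SVQ, DELIVER, DELETE, STRIP_HOLD},
    STRIP_HOLD: {DELETE, DELIVER, SPAM_Q, SVQ},
    SVQ: {DELETE, DELIVER, SPAM_Q, STRIP_HOLD},   # assumption: mirrored, no row in Table 4-3
})
# Delete the message may only be combined with these three
ONLY_WITH: Dict[str, Set[str]] = {
    DELETE: {"Send a bounce message", "Send notification", "Archive the message"},
}
# "Can be added multiple times?" = Yes
UNLIMITED: Set[str] = {"Add BCC recipients", "Forward the message", "Strip attachments"}
# Positional actions: annotation is header OR footer (one in total);
# subject line allows one prepend AND one append.
POSITIONS: Dict[str, Set[str]] = {"Add annotation": {"header", "footer"},
                                  "Modify the Subject line": {"prepend", "append"}}
ONCE_PER_POSITION: Set[str] = {"Modify the Subject line"}
ALL_ACTIONS: Set[str] = EXCLUSIVE | ANY | set(EXCEPT) | set(ONLY_WITH)

Action = Tuple[str, Optional[str]]   # (action name, position or parameter such as a BCC address)


def compatible(a: str, b: str) -> bool:
    """True if two distinct actions may appear together for one verdict."""
    for x, y in ((a, b), (b, a)):
        if x in EXCLUSIVE:
            return False
        if x in ONLY_WITH and y not in ONLY_WITH[x]:
            return False
        if y in EXCEPT.get(x, set()):
            return False
    return True


def validate(actions: List[Action]) -> List[str]:
    """Return the rule violations for a compound action list (empty list = valid)."""
    errors: List[str] = []
    per_name = Counter(name for name, _ in actions)
    for (name, pos), n in Counter(actions).items():
        if name not in ALL_ACTIONS:
            errors.append(f"unknown action {name!r}")
            continue
        if name in POSITIONS and pos not in POSITIONS[name]:
            errors.append(f"{name}: position must be one of {sorted(POSITIONS[name])}")
        if name in UNLIMITED:
            continue
        if name in ONCE_PER_POSITION:
            if n > 1:
                errors.append(f"{name} ({pos}) can be added only once")
        elif per_name[name] > 1:
            errors.append(f"{name} can be added only once")
    names = list(dict.fromkeys(name for name, _ in actions if name in ALL_ACTIONS))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not compatible(a, b):
                errors.append(f"{a} cannot be combined with {b}")
    return list(dict.fromkeys(errors))


if __name__ == "__main__":
    # The manual's own compound-action example for the Virus verdict.
    print(validate([("Clean the message", None), ("Add annotation", "header"),
                    ("Send notification", None)]) or "valid")
    print(validate([(DELETE, None), ("Add a header", None)]))
```

Keeping the rules as data means a policy export can be checked before it is applied, and the two marked assumptions are the first thing to confirm against the Control Center, which enforces the real rules when a policy is saved.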
Multiple group policies
If there are multiple group policies that may apply to a message, the policy that is applied depends on the direction the message is traveling. If the message is outbound, the group policy applied is based on the sender. If the message is inbound, the group policy applied is based on the recipient.
Security risks
Symantec Mail Security can detect security risks. Security risks are programs that do any of the following:
Provide unauthorized access to computer systems
Compromise data integrity, privacy, confidentiality, or security
Present some type of disruption or nuisance
These programs can put your employees and your organization at risk of identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications.
Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware programs, click links or attachments in email messages, or use instant messaging clients. They can also be installed after, or as a by-product of, accepting an end user license agreement for another software program that is related or linked in some way to the security risk.
Table 4-4 liststhe categories of security risks thatSymantec Mail Security detects.
Each of these risks can cause a verdict of spyware or adware.
Table 4-4
Security risk categories included in spyware or adware verdict
Adware: Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user's knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.
Hack tools: Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.
Dialers: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.
Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.
Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.
About precedence
Determining the precedence of different types of filtering for a particular message rests on many factors.
If more than one verdict matches a message, the following applies:
Any matching verdict that calls for an action of defer or reject takes precedence over verdicts that call for other actions.
If multiple matching verdicts call for defer or reject, the one of those verdicts that appears first in the precedence list (see below) takes precedence.
If no matching verdict calls for an action of defer or reject, then the matching verdict that appears first in the precedence list takes precedence.
Although a verdict can call for multiple actions, only one verdict determines the actions that are taken on a message. Actions called for by lower precedence verdicts are not applied.
Order of precedence:
Virus attack
Worm
Virus
Spyware or adware
Suspicious attachment (suspected virus)
Unscannable
Encrypted attachment
End user-defined Allowed Senders List
End user-defined Blocked Senders List
Administrator-defined, IP-based Allowed Senders List
Administrator-defined, IP-based Blocked Senders List
Administrator-defined, domain-based Allowed Senders List
Administrator-defined, domain-based Blocked Senders List
Spam attack
Directory harvest attack
Safe Senders List (part of the Sender Reputation Service)
Open Proxy Senders (part of the Sender Reputation Service)
Third Party Services Allowed Senders List
Third Party Services Blocked Senders List
Content Compliance policies
Dropped invalid recipient
Spam
Blocked language
Suspected spam
Suspected Spammers (part of the Sender Reputation Service)
Sender authentication failure
Note that end user-defined Allowed and Blocked Senders Lists have precedence over all other lists. This may affect your decision regarding whether to enable end user preferences.
Also, lists that you create have precedence over lists created by Symantec. However, third party DNS blacklists do not have priority over all Symantec lists. In the event of a conflict between Open Proxy Senders and an entry from a DNS blacklist, Open Proxy Senders will “win.”
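The three precedence rules above, worked through as an added example (this is not Symantec's own code). The verdict names are taken from the manual's precedence list; the action names "Defer" and "Reject" are constructed stand-ins for the defer and reject actions the rules refer to.

```python
"""Verdict precedence resolver for the rules in "About precedence".

Added illustration, not Symantec Mail Security's implementation.
Assumptions: verdict names are exactly those in the manual's precedence
list; "Defer" and "Reject" are constructed names for the defer/reject
actions the manual refers to.
"""

# Highest precedence first, copied from the manual's "Order of precedence".
PRECEDENCE = [
    "Virus attack",
    "Worm",
    "Virus",
    "Spyware or adware",
    "Suspicious attachment (suspected virus)",
    "Unscannable",
    "Encrypted attachment",
    "End user-defined Allowed Senders List",
    "End user-defined Blocked Senders List",
    "Administrator-defined, IP-based Allowed Senders List",
    "Administrator-defined, IP-based Blocked Senders List",
    "Administrator-defined, domain-based Allowed Senders List",
    "Administrator-defined, domain-based Blocked Senders List",
    "Spam attack",
    "Directory harvest attack",
    "Safe Senders List (part of the Sender Reputation Service)",
    "Open Proxy Senders (part of the Sender Reputation Service)",
    "Third Party Services Allowed Senders List",
    "Third Party Services Blocked Senders List",
    "Content Compliance policies",
    "Dropped invalid recipient",
    "Spam",
    "Blocked language",
    "Suspected spam",
    "Suspected Spammers (part of the Sender Reputation Service)",
    "Sender authentication failure",
]
RANK = {name: position for position, name in enumerate(PRECEDENCE)}

# Constructed action names standing in for the manual's "defer or reject".
DEFER_OR_REJECT = {"Defer", "Reject"}


def winning_verdict(matches):
    """Pick the one verdict whose actions are applied to a message.

    matches maps each matching verdict name to the list of actions it
    calls for. Returns (verdict, actions), or None when nothing matched.
    Rules, in order:
      1. a verdict calling for defer or reject beats every other verdict;
      2. among several such verdicts, the one earliest in PRECEDENCE wins;
      3. otherwise the matching verdict earliest in PRECEDENCE wins.
    Only the winner's actions are returned; the others are not applied.
    """
    unknown = set(matches) - set(RANK)
    if unknown:
        raise ValueError("verdict not in precedence list: %s" % sorted(unknown))
    if not matches:
        return None
    # Rule 1: restrict to defer/reject verdicts when any exist.
    candidates = [v for v, actions in matches.items()
                  if DEFER_OR_REJECT & set(actions)]
    if not candidates:
        candidates = list(matches)          # rule 3
    winner = min(candidates, key=RANK.__getitem__)   # rules 2 and 3
    return winner, list(matches[winner])


if __name__ == "__main__":
    # Constructed scenario: Virus outranks Spam in the list, but Spam
    # calls for Reject, so Spam's actions are the ones applied.
    print(winning_verdict({
        "Virus": ["Clean the message"],
        "Spam": ["Reject"],
    }))
```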
Creating groups and adding members
Group policies are configurable message management options for an unlimited number of user groups which you define. Policies collect the spam, virus, and content filtering verdicts and actions for a group.
Add or remove members from a group
You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify email filtering actions for different categories of email.
Note: To edit a group member, such as to correct a typo, delete the member and add the member again. There is no edit button for group members.
To create a new Group Policy
1. In the Control Center, click Policies > Group Policies.
This page lists each Group Policy. The Default Group Policy, which contains all users and all domains, appears last. Although you can add or modify actions for the Default Group Policy, you cannot add members to the Default Group Policy. You cannot delete or disable the Default Group Policy.
2. On the Group Policies page, click Add.
3. Enter a name in the Group Name box.
4. Click Save.
To add a new member to a Group Policy
1. In the Control Center, click Policies > Group Policies.
2. Click the underlined name of the Group Policy you want to edit.
3. Ensure that the Members tab is displayed, and click Add.
4. Specify members using one or both of the following methods:
Type email addresses, domain names, or both in the box. To specify multiple entries, separate each with a comma, semicolon, or space. However, do not use a comma and a space, or a semicolon and a space. Use * to match zero or more characters and ? to match a single character. To add all recipients of a particular domain as members, type any of the following:
domain.com
@domain.com
*@domain.com
If you use a wildcard in the domain when specifying a member, be sure to precede the domain with the @ symbol and precede the @ symbol with a wildcard, a specific user, or a combination of those. The following examples show valid uses of wildcards:
user@domain.*
user*@dom*.com
ali*@sub*.domain.com
These examples are not valid, and will not match any users:
domain.*
@domain.*
dom*.com
sub*.domain.com
Check the box next to one or more LDAP groups.
The LDAP groups listed on this page are loaded from your LDAP server. See Configuring LDAP settings for information about configuring LDAP.
5. Click Add members to add the new member(s).
6. Click Save on the Edit Group page.
To delete a Group Policy member
1. On the Members tab of the Add Group page, check the box next to one or more email addresses, domains, or LDAP groups, and then click Delete.
2. Click Save on the Edit Group page.
To import Group Policy members from a file
1. On the Members tab of the Add Group page, click Import.
2. Enter the appropriate path and filename (or click Browse to locate the file on your hard disk), and then click Import.
Separate each domain or email address in the plain text file with a newline. Below is a sample file:
ruth@example.com
rosa@example.com
ben*@example.com
example.net
*.org
The email addresses in the samples behave as follows:
ruth@example.com and rosa@example.com match those exact email addresses.
ben*@example.com matches ben@example.com and benjamin@example.com, etc.
example.net matches all email addresses in example.net.
*.org matches all email addresses in any domain ending with .org.
3. Click Save.
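The member-entry forms from the two passages above (the wildcard rules for the members box and the import-file sample), reproduced in an added matcher; this is example code, not Symantec's own, and it goes one step beyond the text by also applying the sender/recipient rule from "Multiple group policies" and the Find User lookup order. It assumes one consistent reading that reproduces every valid and invalid example on the page: an entry with no wildcard and no local part ("domain.com", "@domain.com") is a whole-domain entry, and any other entry is matched as a pattern against the complete address, which is why a domain-only wildcard such as "domain.*" can never match. Case-insensitive comparison and exact (non-subdomain) domain matching are further assumptions.

```python
"""Group Policy member matching, written as an added illustration of the
wildcard rules and import-file format described in the manual. Not
Symantec's own code; see the assumptions in the lead-in."""
import re


def _pattern_to_regex(entry):
    """Translate the manual's wildcards: * = zero or more chars, ? = one."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def member_matches(entry, address):
    """True if the group member entry covers the given email address."""
    entry = entry.strip()
    if not entry or "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    if not any(ch in entry for ch in "*?"):
        if entry.startswith("@"):                  # "@domain.com"
            return domain == entry[1:].lower()
        if "@" not in entry:                       # "domain.com"
            return domain == entry.lower()
        return address.lower() == entry.lower()    # exact address
    # "*@domain.com", "ben*@example.com", "user@domain.*", "*.org":
    # the whole entry is a pattern over the whole address, so invalid
    # forms like "domain.*" or "dom*.com" never match anything.
    return _pattern_to_regex(entry).match(address) is not None


def parse_import_file(text):
    """One domain or email address per line, as in the manual's sample."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_user(address, groups):
    """Mimic Find User: first enabled group containing the address, in
    the order the groups are listed. groups: list of (name, enabled, entries)."""
    for name, enabled, entries in groups:
        if enabled and any(member_matches(e, address) for e in entries):
            return name
    return None


def select_group_policy(direction, sender, recipient, groups):
    """Outbound mail is grouped by its sender, inbound mail by its recipient."""
    address = sender if direction == "outbound" else recipient
    return find_user(address, groups)


# Constructed import file, identical to the manual's sample.
SAMPLE_IMPORT = """ruth@example.com
rosa@example.com
ben*@example.com
example.net
*.org
"""

# Constructed group list; the Default Group Policy (every address) is last.
GROUPS = [
    ("Finance", True, ["*@finance.example.com"]),
    ("Partners", False, ["*.org"]),                 # disabled, so skipped
    ("Default Group Policy", True, ["*"]),
]

if __name__ == "__main__":
    for entry in parse_import_file(SAMPLE_IMPORT):
        print(entry, "->", member_matches(entry, "benjamin@example.com"))
    print(select_group_policy("outbound", "bob@finance.example.com",
                              "ann@foo.org", GROUPS))
```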
To export Group Policy members to a file
1. In the Members tab of the Add Group page, click Export.
2. Complete your operating system's save file dialog box as appropriate. LDAP groups cannot be imported or exported. If you export from a group that includes LDAP groups, the LDAP groups will be omitted from the export.
Assigning filter policies to a group
By default, groups you create are assigned the default filter policies for spam and viruses (there is no default for compliance policies). Follow the steps in the sections below to assign different filter policies to groups. You may first want to create your own filter policies.
See “Creating virus, spam, and compliance filter policies” on page 94.
Selecting virus policies for a group
Virus policies determine what to do with inbound and outbound messages that contain any of six categories of threats.
Table 4-5
Virus categories and default actions
Viruses: Clean the message
Mass-mailing worms: Delete the message
Unscannable messages: Delete the message
Encrypted attachments: Prepend [WARNING ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] to Subject: header.
Spyware or adware: Prepend [SPYWARE OR ADWARE INFECTED] to Subject: header.
Suspicious attachments: Inbound message: Strip and hold message in Suspect Virus Quarantine. Outbound message: Hold message in Suspect Virus Quarantine.
For a description of each of these categories, see Table 4-1.
See “Creating virus policies” on page 94.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.
To select virus policies for a group
1. In the Control Center, click Policies > Group Policies.
2. On the Group Policies page, click the group for which you want to select virus policies.
3. Click the Virus tab.
4. If desired, check Enable inbound virus scanning for this group to enable the following six virus policies for incoming email.
5. Select the desired policy from each of the following drop-down lists:
Inbound virus policy
Inbound mass-mailing worm policy
Inbound unscannable message policy
Inbound encrypted message policy
Inbound suspicious attachment message policy
Inbound spyware/adware message policy
6. If desired, check Enable outbound virus scanning for this group to enable the following six virus policies for outgoing email.
7. Select the desired policy from each of the following drop-down lists:
Outbound virus policy
Outbound mass-mailing worm policy
Outbound unscannable message policy
Outbound encrypted message policy
Outbound suspicious attachment message policy
Outbound spyware/adware message policy
8. Optionally, click View next to any policy to view details of that policy.
9. Click Save.
You cannot change virus policy details from the Edit Group page.
See “Creating virus policies” on page 94.
Selecting spam policies for a group
Spam policies determine what to do with inbound and outbound messages that contain spam or suspected spam.
See “Creating spam policies” on page 96.
By default, inbound and outbound spam is marked with [Spam] at the beginning of the subject line, and inbound and outbound suspected spam is marked with [Suspected Spam]. Neither type of spam is deleted by default.
To select spam policies for a group
1. In the Control Center, click Policies > Group Policies.
2. On the Group Policies page, click the group for which you want to select spam policies.
3. Click the Spam tab.
4. If desired, check Enable inbound spam scanning for this group to enable the following two spam policies for incoming email.
5. Select the desired policy from each of the following drop-down lists:
Inbound spam policy
Inbound suspected spam policy
6. If desired, check Enable outbound spam scanning for this group to enable the following two spam policies for outgoing email.
7. Select the desired policy from each of the following drop-down lists:
Outbound spam policy
Outbound suspected spam policy
8. Click Save.
You cannot change spam policy details from the Edit Group page.
See “Creating spam policies” on page 96.
Selecting compliance policies for a group
By associating an appropriate compliance policy with a group, you can check messages for attachment types, keywords, or match regular expressions. Depending on the message content, you can add annotations, send notifications, or copy messages to an email address.
See “Creating compliance policies” on page 98.
To select compliance policies for a group
1. In the Control Center, click Policies > Group Policies.
2. On the Group Policies page, click the group for which you want to select compliance policies.
3. Click the Compliance tab.
4. Check Enable Inbound Content Compliance for this group.
5. Select the desired policy from the Content Compliance Policies drop-down list.
If desired, click View to see a summary of the compliance policy, and then click OK to return. As you add compliance policies from the drop-down list, they are displayed in the bottom list and become unavailable in the drop-down list.
6. Click Add.
7. If desired, add additional policies from the Content Compliance Policies drop-down list.
8. Configure the outbound compliance policies similarly.
9. Click Save.
You cannot change compliance policy details from the Edit Group page. Although you can add existing policies to the lists on this page, you cannot add new compliance policies from this page.
See “Creating compliance policies” on page 98.
Enabling and disabling end user settings
The end user settings determine whether end users in a group can log in to the Control Center to configure personal Allowed and Blocked Senders Lists and block or allow email in specified languages. Each end user must have LDAP authorization.
Note: Depending on your system and the group you are editing, you may not be able to view the End Users tab on the Edit Group page.
See “Requirements for enabling end user settings” on page 91.
To log in, users access the same URL in their browser as Control Center administrators: https://<hostname>:41443/brightmail. The login and password for end users is the same as their LDAP login and password. For information about supported browsers, see the Symantec Mail Security Installation Guide.
Note: End users are limited to a total of 200 entries in their combined Allowed Senders and Blocked Senders Lists.
The Specify language settings check box enables or disables user access to the language identification offered by Symantec Mail Security, not the Symantec Outlook Spam Plug-in. If the Symantec Outlook Spam Plug-in is installed and enabled, end users can set their language preferences using the Options dialog box accessible from the Symantec Outlook Spam Plug-in toolbar.
Note: The language identification technology employed by Symantec Mail Security to identify the language of a message is not foolproof. Note that messages identified to be in a disallowed language are deleted.
Requirements for enabling end user settings
The following requirements must be satisfied before end users can configure their own personal Allowed and Blocked Senders Lists and block or allow email in specified languages:
At least one LDAP SyncService server must be configured and enabled.
In Settings > LDAP settings, an LDAP source configured for Authentication or Authentication and Synchronization must be defined and saved.
In Settings > Replication settings, a replication schedule must be defined and enabled.
In Policies > Group Policies > Edit Group, the End user preferences must be enabled for the given group on the End Users tab.
The members of the group in question can only be LDAP users, not a locally defined user (that is, an email address you typed manually).
Note: End user Allowed and Blocked Senders Lists take precedence over most other filters.
See “About precedence” on page 83.
Precedence issues could impact your decision on whether to enable end user settings.
To select end user policies for a group
1. In the Control Center, click Policies > Group Policies.
2. On the Group Policies page, click the group for which you want to select compliance policies.
3. Click the End Users tab.
4. Check Enable end user settings for this group.
5. If desired, check Create Personal Allowed and Blocked Senders Lists.
6. If desired, check Specify language settings.
7. Click Save.
Allowing or blocking email based on language
Using the language identification offered by Symantec Mail Security, you can block or allow messages written in specified languages for a group. For example, you can choose to only allow English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages.
Note: If the Language tab in the Edit Group page is inaccessible, the Symantec Outlook Spam Plug-in has been enabled. To disable support for the Outlook Plug-in and enable support for built-in language identification, set Language Identification to No on the Spam Settings page. That will make the Language tab accessible.
See “Choosing language identification type ” on page 61.
To allow or block email based on language for a group
1. In the Control Center, click Policies > Group Policies.
2. On the Group Policies page, click the group for which you want to select compliance policies.
3. Click the Language tab.
4. Click the desired setting.
5. If you chose Only receive mail in the following languages or Do not receive mail in the following languages, check the box for each desired language.
6. Click Save.
The language identification technology employed by Symantec Mail Security to identify the language of a message is not foolproof. Note that messages identified to be in a disallowed language are deleted.
Managing Group Policies
The Group Policy management options let you do the following:
Set Group Policy precedence, the order in which Group Policy membership is determined when policies are applied.
Edit Group Policy membership and actions.
Enable and disable Group Policies.
Delete Group Policies.
View Group Policy information for particular users.
See “Creating groups and adding members” on page 84.
Manage Group Policies
The following sections describe common administrative tasks for Group Policies.
To set Group Policy precedence
Check the box next to a Group Policy, and then click Move Up or Move Down to change the order in which it is applied.
Note: The Default Group Policy is always the last Group Policy in the list. You cannot change the precedence of the Default Group Policy.
To edit an existing Group Policy
On the Group Policy page, click the policy name or check the box next to a Group Policy, and then click Edit.
Add or delete members or change filtering actions for this Group Policy as you did when you created it.
See “Add or remove members from a group” on page 84.
To enable a Group Policy
Check the box next to a Group Policy, and then click Enable.
To disable a Group Policy
Check the box next to a Group Policy, and then click Disable.
Note: You cannot disable the Default Group Policy.
To delete a Group Policy
On the Group Policies page, check the box next to a Group Policy, and then click Delete.
To view Group Policy information for a particular user or domain
1. On the Members tab of the Edit Group page, click Find User.
2. Type an email address or domain name in the Email address box.
3. Click Find User.
The Control Center lists the first enabled group in which the specified user exists, searching in the order that groups are listed on the Group Policies page.
Creating virus, spam, and compliance filter policies
Use filter policy pages to combine a message characteristic, such as virus, with an action, such as delete. The initial page you see when you click on Spam, Virus, or Compliance under Policies > Filter Policies contains a table that indicates the status of defined virus, spam, or compliance policies.
Table 4-6 describes the options available on the Policy status page.
Table 4-6
Policy status page
Virus/Spam/Content Compliance Policies: Name of the policy
Enabled: Indicates if the policy is enabled for one or more groups
Applied to: Indicates the directions the policy is applied to: Inbound, Outbound, or both
Number of Groups: Number of groups that this policy has been used in
Creating virus policies
Using the Virus Policies page, you can add, edit, copy, delete, and enable or disable virus policies.
To add a virus policy
1. In the Control Center, click Policies > Virus.
2. Click Add.
3. In the Policy name box, type a name for the virus policy.
This name appears on the Virus Policies page, and on the Virus tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can't have a spam or virus policy called XYZ.
4. Under Apply to, choose where this virus policy should be available:
Inbound messages
Outbound messages
Inbound and Outbound messages
This determines where this virus policy is available on the Virus tab when configuring a Group Policy. For example, if you choose Inbound messages and the mass-mailing worm condition on this page, this virus policy is only available in the Inbound mass-mailing worm policy drop-down list when configuring a Group Policy.
5. Under Groups, check one or more groups to which this policy should apply. You can also add a virus policy to a group on the Virus tab of the Edit Group page.
6. Under Conditions, select one of the following six conditions:
If a message contains a virus: The message contains a virus.
If a message contains a mass-mailing worm: The message contains a mass-mailing worm, a worm that propagates itself to other systems via email, often by using the address book of an email client program.
If a message is unscannable for viruses: A message can be unscannable for viruses for a variety of reasons. For example, if it exceeds the maximum file size or maximum scan depth configured on the Scanning Settings page, or if it contains malformed MIME attachments, it may be unscannable. Compound messages such as zip files that contain many levels may exceed the maximum scan depth.
If a message contains an encrypted attachment: The message contains an attachment that cannot be scanned because it is encrypted.
If a message contains a suspicious attachment: The message contains an attachment that, according to Symantec filters, may contain a virus or other threat.
If a message contains spyware or adware: The message contains spyware or adware.
7. Select the desired action.
See Table 4-2 on page 72.
For some actions you need to specify additional information in fields that appear below the action.
When using the Save to disk action on Solaris, Linux, or Windows, you must specify a writeable directory.
8. Click Add Action.
9. If desired, add more actions.
See Table 4-3 on page 79.
10. Click Save.
Determining your suspicious attachment policy
When you choose the condition, “If a message contains a suspicious attachment,” two additional actions become available:
Hold message in Suspect Virus Quarantine
Strip and hold in Suspect Virus Quarantine
Both of these actions enable you to make use of the Suspect Virus Quarantine to delay filtering these messages until a later time, when updated virus definitions may be available. This provides enhanced protection against new and emerging virus threats.
By default, these messages are held in the Suspect Virus Quarantine for 6 hours. You can vary the number of hours on the Settings > Quarantine page, Virus tab.
Changing default virus actions
By default, attachments containing viruses are cleaned. Inbound or outbound messages containing a mass-mailing worm, unscannable messages, or malformed MIME messages are deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages.
Creating spam policies
Using the Spam Policies page, you can add, edit, copy, delete, and enable or disable spam policies.
To add a spam policy
1. In the Control Center, click Policies > Spam.
2. Click Add.
3. In the Policy name box, type a name for the spam policy.
This name appears on the Spam Policies page, and on the Spam tab when configuring a Group Policy. Compliance, spam, and virus policy names must be unique. For example, if you have a compliance policy called XYZ, you can't have a spam or virus policy called XYZ.
4. Under Apply to, choose where this spam policy should be available:
Inbound messages
Outbound messages
Inbound and Outbound messages
This determines where this spam policy is available on the Spam tab when configuring a Group Policy. For example, if you choose Inbound messages and the spam condition, this spam policy is only available in the Inbound spam policy drop-down list when configuring a Group Policy.
5. Under Groups, check one or more groups to which this policy should apply.
You can also add a spam policy to a group on the Spam tab of the Edit Group page.
6. Under Conditions, select one of the following three conditions:
If the message is Spam: Perform the specified action if a message is determined to be spam.
If the message is Suspected Spam: Perform the specified action if a message might be spam. The suspected spam level is adjustable on the Spam Settings page.
If the message is Spam or Suspected Spam: Perform the specified action if a message contains either spam or suspected spam.
7. Select the desired action.
See Table 4-2 on page 72.
For some actions you need to specify additional information in fields that appear below the action.
When using the Save to disk action on Solaris, Linux, or Windows, you must specify a writeable directory.
8. Click Add Action.
9. If desired, add more actions.
See Table 4-3 on page 79.
10. Click Save.
Creating compliance policies
Using the Content Compliance Policies page, you can add, edit, copy, delete, and enable or disable compliance policies. You can also change the precedence of compliance policies by changing their location in the list on this page.
You can create compliance policies based on key words and regular expressions found in specific areas of a message. Based on policies you set up, you can perform a wide variety of actions on messages that match against your compliance policies.
Compliance policies can be used to:
Block email from marketing lists that generate user complaints or use up excessive bandwidth.
Eliminate messages or attachments with specific content, or specific file attachment types or filenames.
Control message volume and preserve disk space by filtering out oversized messages.
Block messages containing certain keywords that match regular expressions in their headers, bodies, or attachments.
Actions specified for custom filter matches will not override actions resulting from matches in your Blocked Senders Lists or Allowed Senders Lists. In other words, if a message's sender matches an entry in your Blocked Senders Lists or Allowed Senders Lists, compliance policies will have no effect on the message.
See “About precedence” on page 83.
Monitor compliance policies
You can use a compliance folder to monitor violations of a policy. Monitoring enables you to understand, prevent, respond to, and audit regulatory compliance and internal governance policy breaches. For example, you can use a compliance folder to monitor the scale of compliance violations at your company before adopting a more permanent compliance policy.
When you use the Create an incident action, you can specify the compliance folder to which violations of the policy should be routed. You can grant or deny administrators and compliance officers access to the compliance folder.
When creating a compliance policy that you want to monitor, in addition to choosing a compliance folder and specifying the action Create an incident, you can also include at least one of the following actions:
Deliver message normally
Deliver message with TLS encryption
Delete the message
Forward the message
Archive the message
You can add other actions to the policy provided they are compatible. If you only specify the Create an incident action, the message will be copied to the compliance folder you chose and also delivered normally.
You should create a specific compliance folder for the type of policy you are creating. If a compliance folder for an incident is deleted or has not been created yet, and the incident occurs, the incident goes to the default folder.
Guidelines for creating compliance policy conditions
Keep the following suggestions and requirements in mind as you create the conditions that make up a filter.
To start out, you may want to set your policies so that messages that are matched by compliance policies are quarantined or modified instead of deleted. When you are sure the compliance policies are working correctly, you can adjust the action.
Sieve scripts cannot be imported, including those created in previous versions of Symantec or Brightmail software.
There is no limit to the number of conditions per compliance policy.
Conditions can't be nested.
You can create compliance policies that block or allow email based upon the sender information, but usually it is best to use the Allowed Senders Lists and Blocked Senders Lists. However, it is appropriate to create compliance policies if you need to quarantine or keep email based on a combination of the sender and other criteria, such as the subject or recipient.
For outbound compliance policies, if you use Allowed Senders Lists or Blocked Senders Lists, you will be exempting your employees from your other outbound compliance policies, because Allowed Senders Lists and Blocked Senders Lists have higher precedence than compliance policies.
Spammers usually "spoof" or forge some of the visible headers and the usually invisible envelope information. Sometimes they forge header information using actual email addresses or domains of innocent people or companies. Use care when creating filters against spam you've received.
The following considerations apply to keyword text string searches.
All tests for words and phrases are case-insensitive, meaning that lowercase letters in your conditions match lower- and uppercase letters in messages, and uppercase letters in your conditions match lower- and uppercase letters in messages.
If you tested that the subject contains this string: inkjet
Then any message subject containing these strings would be matched: inkjet, Inkjet, INKJET
If you tested that a subject contains this string: INKJET
Then any message subject containing these strings would be matched: inkjet, Inkjet, INKJET
Multiple white spaces in an email header or body are treated as a single space character.
If you tested that a subject contains this string: injet cartridge
Then any message subject containing these strings would be matched: inkjet cartridge, inkjet cartridge
If you tested that a subject contains this string: inkjet cartridge
Then any message subject containing these strings would be matched: injet cartridge, inkjet cartridge
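The two keyword-search rules above (case-insensitive comparison and collapsing of repeated white space), applied to constructed message fields as an added example; this is illustration code, not Symantec's own matcher, and the message and conditions are made up for the demonstration.

```python
"""Keyword condition matching under the manual's two text rules:
case-insensitive comparison, and any run of white space treated as a
single space. Added example, not Symantec's own code."""
import re


def normalize(text):
    """Lower-case and collapse runs of white space (spaces, tabs, newlines)."""
    return re.sub(r"\s+", " ", text).lower()


def contains(condition, text):
    """True if the condition string occurs in the text under the rules above."""
    return normalize(condition) in normalize(text)


def matching_conditions(conditions, message):
    """Return [(area, condition), ...] for every condition found in its area.

    conditions: list of (area, string); message: dict area -> text.
    Areas the message does not carry are treated as empty.
    """
    hits = []
    for area, condition in conditions:
        if contains(condition, message.get(area, "")):
            hits.append((area, condition))
    return hits


# Constructed message: the subject carries extra spaces and mixed case,
# and the body splits the phrase across a tab and a newline.
MESSAGE = {
    "subject": "Discount   INKJET  Cartridge refills",
    "body": "Reply to claim your\tinkjet\ncartridge coupon.",
}

CONDITIONS = [
    ("subject", "inkjet cartridge"),   # matches despite case and spacing
    ("body", "inkjet cartridge"),      # tab and newline collapse to a space
    ("subject", "injet cartridge"),    # different letters: no match
]

if __name__ == "__main__":
    print(matching_conditions(CONDITIONS, MESSAGE))
```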