Symantec 10765539 - Mail Security For SMTP, Mail Security for SMTP Planning Manual

Symantec Mail Security for SMTP
Planning Guide
Symantec Mail Security for SMTP Planning Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Copyright notice
Copyright © 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, Symantec TurnTide, and SESA are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” as defined in FAR Sections 12.212 and DFARS Section 227.7202.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for spam and virus definitions, and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at http://www.symantec.com/enterprise/
Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at https://www-secure.symantec.com/platinum/
When contacting the Technical Support group, please have the following:
Product release level
Hardware information
  Available memory, disk space, NIC information
Operating system
  Version and patch level
Network topology
  Router, gateway, and IP address information
Problem description
  Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to http://www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec's technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Introducing Symantec Mail Security for SMTP
  Key features .... 7
  Functional overview .... 8
  Architecture .... 9
  New features for all users .... 10
  Changes for Symantec Mail Security for SMTP users .... 11
    New feature names .... 13
    Discontinued features .... 13
  Changes for Symantec Brightmail Antispam users .... 13
  Where to get more information .... 15
Chapter 2 Planning your deployment
  General deployment considerations .... 17
    MTA usage .... 17
    Configuring Scanners .... 17
    Positioning with other filtering products .... 18
    Filtering internal deliveries .... 18
    LDAP compatibility .... 18
    Load balancing .... 19
    Adjusting MX records .... 19
    Adjusting RAM and MySQL threads .... 19
  Deployment models .... 20
    Basic gateway deployment .... 20
    Multi-tier gateway deployment .... 21
    Post-gateway deployment .... 23
Chapter 3 Configuring message filtering
  Understanding email filtering .... 25
    Notes on filtering actions .... 25
  Deployment considerations .... 26
Chapter 4 Understanding system requirements
  Hardware and software requirements .... 27
    Minimum hardware requirements .... 27
    Minimum software requirements .... 28
    Reserved ports .... 31
  Factors that affect performance .... 32
    Hardware components that affect performance .... 32
    Environmental factors that affect performance .... 33
    Settings that affect performance .... 33
Index
Chapter 1
Introducing Symantec Mail Security for SMTP
This chapter includes the following topics:
Key features
Functional overview
Architecture
New features for all users
Changes for Symantec Mail Security for SMTP users
Changes for Symantec Brightmail Antispam users
Where to get more information
Key features
Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following:
Antispam technology – Symantec’s state-of-the-art spam filters assess and classify email as it enters your site.
Antivirus technology – Virus definitions and engines protect your users from email-borne viruses.
Content Compliance – These features help administrators enforce corporate email policies, reduce legal liability, and ensure compliance with regulatory requirements.
Group policies and filter policies – An easy-to-use authoring tool lets administrators create powerful, flexible ad hoc filters for users and groups.
Functional overview
You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your email processing needs.
A Symantec Mail Security for SMTP host can be deployed in the following ways:
Scanner – Deployed as a Scanner, a Symantec Mail Security for SMTP host filters email. Your installation can have one or many Scanners. Symantec Mail Security for SMTP runs alongside your email or groupware server(s).
Control Center – Deployed as a Control Center, a Symantec Mail Security for SMTP host is a Web-based configuration and administration center. Use it to configure and manage email filtering, SMTP routing, system settings, and all other functions. Your enterprise-wide deployment of Symantec Mail Security for SMTP can have multiple Scanners but only one Control Center, from which you configure and monitor all the Scanner hosts.
The Control Center provides status for all Symantec Mail Security for SMTP hosts in your system, system logs, and extensive customizable reporting. Use it to configure both system-wide and host-specific details.
The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security for SMTP instances at your site, and also the Add Scanner Wizard, for adding new Scanners.
It also hosts the Spam and Suspect Virus Quarantines, for storage of spam and virus messages respectively. End users can access the Control Center to view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure the Spam Quarantine for administrator-only access.
Scanner and Control Center – A single Symantec Mail Security for SMTP host performs both functions.
Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not intended for use as the only MTA in your email infrastructure.
Note: Symantec Mail Security for SMTP does not filter messages that don’t flow through the SMTP gateway. For example, if two mailboxes reside on the same MS Exchange server, or on different Exchange servers within the same organization, messages between them will not pass through Symantec Mail Security for SMTP filters.
Architecture
Your Symantec Mail Security for SMTP installation processes an email message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected.
1. The incoming connection arrives at the inbound MTA via TCP/IP.
2. The inbound MTA accepts the connection and moves the message to its inbound queue.
3. The Filtering Hub accepts a copy of the message for filtering.
4. The Filtering Hub consults the LDAP SyncService directory to expand the message’s distribution list.
5. The Filtering Engine determines each recipient’s filtering policies.
6. The message is checked against Blocked/Allowed Senders Lists defined by administrators.
7. Virus and configurable heuristic filters determine whether the message is infected.
8. Content Compliance filters scan the message for restricted attachment types or keywords, as defined in configurable dictionaries.
9. Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.
10. The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.
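A compact model of the flow just described, added here as an example and not Symantec's code: it expands distribution lists (the SyncService step), applies administrator blocked and allowed sender lists, resolves each recipient's Group Policy, and selects one action per recipient, which is why a single message can be quarantined for one recipient and delivered to another. The directory contents, sender lists, policy layout, matching order (full address, then domain, then a default group) and the virus > compliance > spam precedence are all constructed assumptions for the example.

```python
"""Added illustration of the per-recipient filtering flow described in the
Architecture steps. Not Symantec Mail Security for SMTP code: the directory,
sender lists, Group Policies and verdict precedence are constructed."""

# Constructed stand-in for the LDAP SyncService directory: distribution
# lists mapped to their members (step 4, distribution-list expansion).
DIRECTORY = {
    "sales@example.com": ["ann@example.com", "bob@example.com"],
    "all@example.com": ["sales@example.com", "cat@example.com"],
}

# Constructed administrator-defined sender lists (step 6).
BLOCKED_SENDERS = {"bad@spam.example"}
ALLOWED_SENDERS = {"partner@trusted.example"}

# Constructed Group Policies: (matcher, {verdict category: action}).
# A matcher is a full address, a domain, or "*" for the default group;
# the first matching policy wins (assumed lookup order).
GROUP_POLICIES = [
    ("bob@example.com", {"spam": "delete", "virus": "delete"}),
    ("example.com", {"spam": "quarantine", "virus": "delete", "compliance": "archive"}),
    ("*", {"spam": "deliver", "virus": "delete"}),
]

# Assumed precedence when several filters fire on the same message.
PRECEDENCE = ("virus", "compliance", "spam")


def expand_recipients(recipients, directory=DIRECTORY):
    """Expand distribution lists, including nested lists, to user addresses."""
    resolved, seen, pending = [], set(), [r.lower() for r in recipients]
    while pending:
        rcpt = pending.pop(0)
        if rcpt in seen:          # guards against loops between lists
            continue
        seen.add(rcpt)
        if rcpt in directory:
            pending.extend(m.lower() for m in directory[rcpt])
        else:
            resolved.append(rcpt)
    return resolved


def policy_for(recipient, policies=GROUP_POLICIES):
    """Return the action map of the first Group Policy matching a recipient."""
    domain = recipient.split("@", 1)[-1]
    for matcher, actions in policies:
        if matcher in ("*", recipient, domain):
            return actions
    return {}


def apply_sender_lists(sender, verdicts):
    """Step 6: administrator lists add or remove the spam verdict."""
    verdicts = set(verdicts)
    sender = sender.lower()
    if sender in BLOCKED_SENDERS:
        verdicts.add("spam")
    elif sender in ALLOWED_SENDERS:
        verdicts.discard("spam")   # allowed senders skip spam filtering only
    return verdicts


def filter_message(sender, recipients, verdicts):
    """Steps 5-10 in miniature: one message, one action per final recipient.

    `verdicts` is the set of categories the virus, compliance and spam
    filters raised for the message, e.g. {"spam"}. Returns a dict mapping
    each expanded recipient to the action its group's policy selects.
    """
    verdicts = apply_sender_lists(sender, verdicts)
    actions = {}
    for rcpt in expand_recipients(recipients):
        policy = policy_for(rcpt)
        action = "deliver"
        for category in PRECEDENCE:       # Transformation Engine (step 10)
            if category in verdicts:
                action = policy.get(category, "deliver")
                break
        actions[rcpt] = action
    return actions


if __name__ == "__main__":
    print(filter_message("x@spam.example", ["all@example.com", "zed@other.org"], {"spam"}))
```

Running the module shows the point of step 10: the same spam verdict becomes "quarantine" for the example.com group, "delete" for the user with a more specific policy, and "deliver" for the recipient who falls into the default group.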
New features for all users
Table 1-1 lists features that are new for both Symantec Mail Security for SMTP users and Symantec Brightmail Antispam users.
Table 1-1 New features for Symantec Mail Security for SMTP and Symantec Brightmail Antispam
Category / Feature – Description

Threat protection features
  Improved Email Firewall – Protects against directory harvest attacks, denial of service attacks, spam attacks, and virus attacks.
  Sender Authentication – Protects against phishing attacks, using the Sender Policy Framework (SPF), Sender ID, or both.
  Improved virus protection – Additional virus verdicts protect against suspected viruses, spyware and adware, and encrypted attachments. Email messages that may contain viruses can be delayed in the Suspect Virus Quarantine, then refiltered with updated virus definitions, if available. This feature can be effective in defeating virus attacks before they are widely known. View a continuously updated list of available virus definitions.

Inbound and outbound content controls
  True file type recognition for content compliance filtering – Automatically detects file types without relying on file name extensions or MIME types.
  Keyword filtering within attachments, keyword frequency filtering – Scan within attachments to find keywords from dictionaries you create or edit. Specify a number of occurrences to look for.
  Regular expression filtering – Use regular expressions to further customize filter conditions by searching within messages and attachments.
  Support for third party archival tools – Specify conditions that result in email being sent to an archival email address or disk location.

Flexible mail management
  LDAP integration and synchronization for policies – Dynamic group population via any of several supported LDAP servers.
  Expanded variety of actions and combinations – More than two dozen actions that can be taken on messages, with many combinations of multiple actions available.
  Expanded mail controls – SMTP connection management, support for secure email (TLS encryption), user-based routing, address masquerading, invalid recipient handling, control over delivery queue processing, support for static routes.
  Aliasing – Distribution lists automatically expanded, mail filtered and delivered correctly for each user.

Improved reporting and monitoring
  Extensive set of pre-built reports, scheduled reporting, additional alert conditions, remote syslog support – More than 50 graphical reports that you can generate ad hoc or on a scheduled basis. Reports can be exported for offline analysis and emailed.
  Message tracking – View a trail of detailed information about a message, including the filtering processing applied to a message.

Expanded administration capabilities
  IP-based access control – Control which hosts and networks can access your Control Center.
  Control over Quarantine size limits – Specify user-based and total limits, configure automatic message deletions.
Changes for Symantec Mail Security for SMTP users
For users of Symantec Mail Security for SMTP 4.1, Version 5.0 provides a host of expanded and improved capabilities. In addition to the new features listed in Table 1-1, additional new features for Symantec Mail Security for SMTP users only are listed in Table 1-2.
Table 1-2 New features for Symantec Mail Security for SMTP users
Category / Feature – Description

Flexible mail management
  Centralized, Web-based administration – Use the Control Center to manage all aspects of email management and spam, virus, and content filtering across all servers with one interface.
  Group Policies – Create separate inbound and outbound policies for an unlimited number of groups of users. You can specify groups of users based on email addresses, domains, LDAP groups, or IP addresses. For each category of email, you can specify custom message handling for each group.
  Expanded notification capabilities – Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups.

Inbound and outbound content controls
  Improved attachment blocking – Strip attachments within container files. Search within attachments using regular expressions.

Improved reporting and monitoring
  Aggregated logging and reporting – Access logs for all messages from all servers via the Control Center. Manage reports for all servers via the Control Center. Note that many of the reporting features in SMS for SMTP 4.1 have been replaced in SMS for SMTP 5.0 by the message tracking feature.

Expanded administration capabilities
  Delegated administration – Multiple administrator roles with view only or modify access to different portions of the management interface.
Group Policies introduce expanded flexibility in mail filtering and message handling. Group Policies enable you to specify groups of users, based on email addresses, domains, or IP addresses, and customize mail filtering for each group. See the Symantec Mail Security for SMTP Administration Guide for more information.
In addition, if you were using Version 4.1 without Premium AntiSpam, Version 5.0, with or without Premium AntiSpam, provides much more extensive capabilities for customizing both message filtering and the actions taken on filtered messages.
New feature names
Most features in Version 5.0 have similar names to the corresponding Version 4.1 features. Table 1-3 provides a cross-reference between selected Symantec Mail Security for SMTP 4.1 features and Symantec Mail Security for SMTP 5.0 features that have different names.
Table 1-3 Version 4.1 to Version 5.0
Symantec Mail Security for SMTP 4.1 Feature Name – Symantec Mail Security for SMTP 5.0 Feature Name
  Accounts – Administration
  Custom disclaimer – Annotation
  Scan policy – Settings > Virus > Exclude Scanning tab
  Routing – Settings > Hosts > Edit > SMTP tab
Discontinued features
The following Symantec Mail Security for SMTP 4.1 features are not included in Symantec Mail Security for SMTP 5.0:
Auto-generated whitelist
Logging of SMTP conversations
Hold Queue, automatic reordering of the Slow Queue
Return code support for DNS Blacklists
Configurable administrator timeout for the management interface
Changes for Symantec Brightmail Antispam users
Although the product name has changed, if you were a Symantec Brightmail Antispam user you will find the user interface for Symantec Mail Security for SMTP 5.0 quite familiar. Most features are named similarly, and the organization of the user interface is quite similar. Most of the changes are new features.
For users of Symantec Brightmail Antispam, Symantec Mail Security for SMTP Version 5.0 provides significant new and expanded capabilities. In addition to the new features listed in Table 1-1, additional new features for Symantec Brightmail Antispam users only are listed in Table 1-4.
Table 1-4 New features for Symantec Brightmail Antispam users
Category / Feature – Description

Threat protection features
  Improved virus processing – LiveUpdate support for virus definitions, list of file types to exclude from virus scanning, expanded container limit controls.
  Outbound filtering – Provides spam, virus, and content compliance filtering on outbound email messages. Specify different outbound and inbound policies for each user group.

Flexible mail management
  More flexible Group Policies – Use LDAP groups to populate groups for Group Policies.
  Multiple actions – Specify more than one action to take on specific categories of messages to specific groups of recipients.

Inbound and outbound content controls
  Expanded content compliance filtering capabilities – Expanded set of actions available on filtered messages, support for multiple actions on the same messages.
  Attachment blocking – Create lists of attachment types to remove. Strip attachments within container files.
  Annotations – Automatically append or prepend text, such as legal disclaimers or marketing tag lines, to messages.
  Notifications – Automatically send emails notifying specific persons or groups when certain message conditions are encountered during message filtering. Create different notifications for different conditions or user groups.

Improved reporting and monitoring
  Expanded virus monitoring – Virus outbreak alerts, expanded logging of virus events.
  Expanded logging – Symantec Security Information Manager (SSIM) logging support.

Expanded administration capabilities
  Global reject or pause of message scanning – During a virus outbreak, you can temporarily pause scanning until new virus filters are in place.

While the names of features are largely the same, you will find some changes to the organization of menus. Most importantly, you will now find a Policies menu at the top level, breaking out Group Policies (under the Settings menu in Symantec Brightmail Antispam 6.0.3), and including other items as well. See the Symantec Mail Security for SMTP Administration Guide for an updated explanation of how settings and policies interact.
Where to get more information
In addition to this Planning Guide, your Symantec Mail Security for SMTP product comes with the following documentation:
Symantec Mail Security for SMTP Installation Guide
Symantec Mail Security for SMTP Administration Guide
Symantec Mail Security for SMTP Getting Started
Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.
You can visit the Symantec Web site for more information about your product. The following online resources are available:
www.symantec.com/techsupp/ent/enterprise.html – Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
www.symantec.com/licensing/els/help/en/help.html – Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
www.enterprisesecurity.symantec.com – Provides product news and updates
www.symantec.com/avcenter/global/index.html – Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats
Chapter 2
Planning your deployment
This chapter includes the following topics:
General deployment considerations
Deployment models
General deployment considerations
This section provides information about integrating Symantec Mail Security for SMTP into your network.
MTA usage
Symantec Mail Security for SMTP contains a Message Transfer Agent (MTA), which processes and relays messages to support filtering activities.
Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not suitable for use as the only MTA in your email infrastructure.
Configuring Scanners
During installation, you can use a wizard to add a Scanner. Depending on your filtering requirements and messaging environment, you may want to deploy multiple Scanners and administer them via a single Control Center. In such cases, you can dedicate Scanners to specific functions. For example, you might want one Scanner to filter inbound mail and another to filter outbound mail.
Positioning with other filtering products
In order for Symantec Mail Security for SMTP’s spam and Content Compliance filters to function properly, you should avoid placing the product behind other filtering products (such as content filters) or MTAs that alter or remove pre-existing message headers or modify the message body.
Filtering internal deliveries
You can force internal mail through Symantec Mail Security for SMTP to avoid propagation of viruses and spam generated by email mass-mailing worms that may have been picked up by individuals via Web browsing or downloading.
LDAP compatibility
Symantec Mail Security for SMTP supports LDAP for Spam Quarantine authentication and synchronization.
The system’s LDAP SyncService feature synchronizes user, alias, and group data from your company’s LDAP accessible directories with its own database. SyncService lets Symantec Mail Security for SMTP re-normalize and index the data to fit the needs of Scanner, Control Center, and Spam Quarantine while minimizing impact on your directory infrastructure.
LDAP SyncService supports the following LDAP servers:
Windows 2000 Active Directory
Windows 2003 Active Directory
Sun Directory Server 5.2, Patch 4 (formerly known as the iPlanet Directory Server) on Solaris 8 and 9, and Red Hat Linux
SunOne LDAP Server 5.2, Patch 4
Lotus Domino LDAP Server 6.5
Exchange 5.5
other (used for authentication only)
Note: Only one LDAP source may be used for authentication. While the same source may also be used for synchronization purposes, no other LDAP directories may be used for authentication. This is especially important with regard to Spam Quarantine. If email is being sent to Spam Quarantine where end users will then process their quarantined messages, then all end users must exist in the LDAP source used for authentication.
For information on using LDAP SyncService, see the Symantec Mail Security for SMTP Administration Guide.
Load balancing
Symantec Mail Security for SMTP is not intended to be used for load balancing. Administrators can associate only one host name or IP address as the MTA to which email is relayed. You must implement multiple Scanners to perform load balancing.
Adjusting MX records
When you implement Symantec Mail Security for SMTP in front of a separate MTA that receives inbound messages, you must change the DNS mail exchange (MX) records. The records must point incoming messages to the system. Symantec Mail Security for SMTP should have a higher priority than the existing MTA.
However, if you simply list Symantec Mail Security for SMTP as a higher-weighted MX record in addition to the existing MX record, spammers can look up the previous MTA’s MX record. This allows them to send spam directly to the old server, bypassing your spam filtering. To prevent spammers from circumventing the new spam-filtering servers, you should do one of the following:
Remove the previous MTA’s MX record from DNS.
Block off the MTA from the Internet using a firewall.
Modify the firewall’s network address translation (NAT) tables to route external IP addresses to internal non-routable IP addresses. You can then map from the old server to Symantec Mail Security for SMTP.
When naming Symantec Mail Security for SMTP, ensure that the name you choose does not imply its function. For example, antispam.yourdomain.com, symantec.yourdomain.com, or antivirus.yourdomain.com are not good choices.
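The check below is an added example, not part of this guide or of Symantec Mail Security for SMTP. It parses a dig-style MX answer section (a constructed sample is embedded) and reports the three conditions this section warns about: an exchange that is not a known filtering gateway and can therefore receive mail directly, a filtering gateway whose preference is no better than a non-filtering host, and a host name that reveals its function. The names gw1.example.com, mail.example.com and antispam.example.com, the FILTERING_HOSTS set and the parse_mx_answer and audit_mx functions are assumptions made for the example.

```python
"""Added example for "Adjusting MX records": audit a domain's MX record set
for filter bypass, wrong preference and function-revealing names. Not
Symantec code. The answer lines below are constructed; in practice feed the
parser the output of `dig +noall +answer yourdomain.com MX`."""

# Hostname fragments the guide advises against for the filtering gateway.
REVEALING_TAGS = ("antispam", "antivirus", "symantec")

# Constructed sample answer section: the filtering gateway was added at a
# better (lower) preference, but the legacy MTA's record was left in place.
SAMPLE_ANSWER = """\
example.com.    3600  IN  MX  10 gw1.example.com.
example.com.    3600  IN  MX  20 mail.example.com.
example.com.    3600  IN  MX  30 antispam.example.com.
"""

# Hosts the administrator knows run the filtering gateway (assumed names).
FILTERING_HOSTS = {"gw1.example.com", "antispam.example.com"}


def _norm(host):
    """Lower-case a DNS name and drop the trailing root dot."""
    return host.lower().rstrip(".")


def parse_mx_answer(text):
    """Parse dig-style answer lines into sorted (preference, exchange) tuples.

    Lines that are not MX records (blanks, comments, other types) are skipped.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3].upper() != "MX":
            continue
        try:
            pref = int(fields[4])
        except ValueError:
            continue
        records.append((pref, _norm(fields[5])))
    return sorted(records)


def audit_mx(records, filtering_hosts):
    """Return findings for one domain's MX set.

    bypass_hosts:  exchanges that are not filtering gateways; a sender can
                   connect to them directly and skip filtering entirely
    not_preferred: filtering gateways whose preference is no better than
                   the best non-filtering host (guide: the gateway should
                   have the higher priority, i.e. the lower MX value)
    revealing:     names that advertise the host's function
    """
    filt = {_norm(h) for h in filtering_hosts}
    records = sorted((p, _norm(h)) for p, h in records)
    non_filt_prefs = [p for p, h in records if h not in filt]
    best_non_filt = min(non_filt_prefs) if non_filt_prefs else None
    findings = {
        "bypass_hosts": [h for _, h in records if h not in filt],
        "not_preferred": [h for p, h in records
                          if h in filt and best_non_filt is not None and p >= best_non_filt],
        "revealing": [h for _, h in records if any(t in h for t in REVEALING_TAGS)],
    }
    findings["ok"] = not (findings["bypass_hosts"] or findings["not_preferred"]
                          or findings["revealing"])
    return findings


if __name__ == "__main__":
    for key, value in audit_mx(parse_mx_answer(SAMPLE_ANSWER), FILTERING_HOSTS).items():
        print(f"{key}: {value}")
```

A non-empty bypass_hosts list is the situation the paragraph above describes: the old MTA is still advertised in DNS and must be removed from the zone, firewalled off, or NAT-mapped to the filtering system before the deployment is considered complete. Re-run the audit after the DNS change has propagated, since cached records keep the old exchange reachable until their TTL expires.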
Adjusting RAM and MySQL threads
The Control Center is a combination of Tomcat and MySQL applications. Tomcat provides the Web-based interface, and MySQL is the database storage. Their default configuration performs well in installations with a single Scanner and low volume email traffic. In installations where multiple Scanners or large amounts of spam are processed, increasing the amount of RAM allocated to Tomcat and increasing the number of listener and consumer threads in MySQL improves performance.
Deployment models
You can deploy Symantec Mail Security for SMTP in the following ways:
Basic gateway deployment
Multi-tier gateway deployment
Post-gateway deployment
Basic gateway deployment
This is the simplest deployment model. Symantec Mail Security for SMTP resides at the outermost gateway layer, processing inbound and outbound mail, providing Secure Email Services, and relaying mail to other relay layers or to the user-facing mail server layer.
On all configured server computers, port 443 must be configured to permit outbound connections to Symantec to download content updates.
The following figure shows Symantec Mail Security for SMTP deployed at the gateway, behind a firewall.
Figure 2-1 Basic gateway deployment
Advantages
Because spam emanates from the outside world, the gateway is the logical and effective place to deploy Symantec Mail Security for SMTP.
When you deploy the system closer to the gateway, you can minimize mail processing and storage requirements as well as network bandwidth via Email Firewall filtering.
Considerations
Some organizations prefer to have secure gateways with no other services running. In these environments, all other services run behind the first gateway layer.
Some smaller organizations do not have dedicated gateway servers or a gateway layer. Instead, they deploy gateway servers and internal mail servers on the same computers.
Symantec Mail Security for SMTP cannot be installed on the server running Exchange.
Multi-tier gateway deployment
Note: This model may be implemented with one or more Scanner hosts.
The following figure shows Symantec Mail Security for SMTP in a multi-tier gateway deployment, with multiple Scanners in the DMZ and a Control Center behind a second firewall.
Figure 2-2 Multi-tier gateway deployment
Advantages
This configuration meets a common security audit requirement in that all data stores are in the second tier, including the Control Center and Spam Quarantine databases.
Inbound traffic may be load balanced across multiple Scanners with this model.
Compared with basic gateway deployment, this configuration eliminates a single point of failure for message scanning.
This model allows administrators to take individual Scanners offline for maintenance without incurring downtime.
This scenario enables load balancing of filtered mail across multiple downstream MTAs.
Considerations
This approach requires more administrative overhead and complex networking than a basic gateway deployment.
With increased hardware and maintenance costs, this model could require a higher total cost of operation.
Post-gateway deployment
Note: This model may be implemented with one or more SMTP gateway MTAs and one or more Scanner hosts.
As shown in the following figure, MTAs at the gateway layer accept unfiltered mail from the Internet and then relay it to Symantec Mail Security for SMTP. The system filters the mail it receives from the gateway layer and relays it to other MTAs downstream.
Figure 2-3 Post-Gateway deployment
Advantages
If you have a customized MTA or specific business needs, the benefits of running this configuration may outweigh the extra overhead and loss of functionality.
Considerations
This configuration limits Scanner functionality, because IP-based defenses are nullified: the Scanner sees connections from your own gateway MTAs rather than from the original sending hosts.
Unless the SMTP gateway is performing filtering, all email is processed by the gateway (read, stored, and forwarded) and then sent to the system, which must then read, filter, and take some action based on the verdict. Such redundancy may add overhead, thereby decreasing throughput.
Chapter 3
Configuring message filtering
This chapter includes the following topics:
Understanding email filtering
Deployment considerations
Understanding email filtering
Symantec Mail Security for SMTP provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct users or groups.
You can specify groups of users based on email addresses, domain names, or LDAP groups. For each group, you can specify an action or group of actions to perform, given a particular verdict.
Each category of unwanted email includes one or more verdicts, that is, conclusions reached about a message by the filtering process. Symantec Mail Security for SMTP performs actions on a message based on the verdict applied to that message and on the groups that include the message recipient as a member.
For detailed descriptions of email filtering verdicts, refer to the Symantec Mail Security for SMTP Administration Guide.
Notes on filtering actions
When configuring email filtering, consider the following limitations:
All Virus verdicts except suspicious attachments share the same available actions. Two additional actions, Delay message delivery and Strip and hold in Suspect Virus Quarantine, are available only for the suspicious attachment verdict.
All Spam verdicts share the same available actions.
All Content Compliance verdicts share the same available actions.
Messages from senders in the Allowed Senders Lists are always delivered directly to end-user mailboxes, bypassing spam filtering.
When using the Modify the subject action, you can specify the character set encoding to use. If the encoding you choose is different than the encoding used by the original message, either the message or the modified subject line will not be displayed correctly.
When using the Save to disk action on Solaris or Linux, you must specify a writeable directory.
By default, inbound and outbound messages containing a virus or mass-mailing worm, and unscannable messages, including malformed MIME messages, will be deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See the Symantec Mail Security for SMTP Administration Guide for more information.
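The character-set point for the Modify the subject action, as an added example that is not part of this guide and not Symantec's code: the subject is decoded, tagged, and re-encoded with the charset the original subject already used, and a charset that cannot represent the text is refused rather than producing a garbled header. The sample Japanese subject and the "[Spam]" tag are constructed; Python's standard email.header module does the RFC 2047 work.

```python
"""Added example (not Symantec code): tag a message subject the way a
"Modify the subject" action would, re-encoding it with the charset the
original subject already used so header and body stay in agreement."""
from email.header import Header, decode_header, make_header


def decode_subject(raw_subject):
    """RFC 2047 encoded words -> Unicode text."""
    return str(make_header(decode_header(raw_subject)))


def original_charset(raw_subject):
    """Charset named in the first encoded word, or None for a plain ASCII subject."""
    for _, charset in decode_header(raw_subject):
        if charset:
            return charset
    return None


def tag_subject(raw_subject, tag, charset=None):
    """Prepend tag and re-encode the subject.

    With charset=None the original charset is kept (the safe choice).
    A charset that cannot represent the text, the mismatch the guide
    warns about, makes this return None instead of a garbled header.
    """
    text = f"{tag} {decode_subject(raw_subject)}"
    target = charset or original_charset(raw_subject) or "us-ascii"
    try:
        return Header(text, target).encode()
    except UnicodeEncodeError:
        return None


# Constructed sample: a Japanese subject as a mail client would send it.
SAMPLE_JP = Header("会議の予定", "iso-2022-jp").encode()

if __name__ == "__main__":
    print(tag_subject(SAMPLE_JP, "[Spam]"))                       # keeps iso-2022-jp
    print(tag_subject(SAMPLE_JP, "[Spam]", charset="iso-8859-1"))  # None: cannot represent
    print(tag_subject("Quarterly report", "[Spam]"))              # plain ASCII stays plain
```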
Deployment considerations
The following table lists deployment considerations for select actions.
Table 3-1 Deployment considerations
Action: Consideration
Clean the message: If many messages need to be cleaned, there may be high demand on the system.
Delete the message: This eliminates the need for spam storage, though users cannot check for misidentified messages. When you're comfortable with your system's low false positive rate, you may want to configure spam to be deleted.
Deliver message normally: This setting is useful for testing. Spam and suspected spam are still counted as such in message statistics for reports.
Deliver the message to recipient's Spam folder: Symantec Mail Security for SMTP supports the Symantec Spam Folder Agent for Exchange using X-header markup for Microsoft Exchange 5.5 and Exchange 2000 internal messaging systems. The Symantec Spam Folder Agent for Exchange may also be run on an Exchange 2003 host. Note that Exchange 2000 and Lotus Domino configurations require installation of lightweight agents to folder spam.
Modify the message: A modified message will be delivered to end-user mailboxes, unless it contains a virus or worm.
Chapter 4
Understanding system requirements
This chapter includes the following topics:
Hardware and software requirements
Factors that affect performance
Hardware and software requirements
This section gives detailed requirements for each supported platform.
Minimum hardware requirements
Hardware requirements vary depending on the number of email users and the amount of email traffic. The minimum specifications in “Minimum hardware requirements” on page 28 are suggested guidelines. These apply to computers with the following software installed:
Control Center
Scanner
Control Center and Scanner
Note: The recommended disk space minimums include Spam Quarantine program files, but not quarantined messages.
Table 4-1 Minimum hardware requirements
Platform: Hardware required
Windows: Intel Pentium 4 processor or compatible; 1 GB RAM minimum (2 GB or more recommended); 512 MB disk space minimum (2 GB or more recommended)
Solaris: UltraSPARC processor; 1 GB RAM minimum (2 GB or more recommended); 512 MB disk space minimum (2 GB or more recommended)
Linux: Intel Pentium IV processor or compatible; 1 GB RAM minimum (2 GB or more recommended); 512 MB disk space minimum (2 GB or more recommended)
Minimum software requirements
Following are the minimum software requirements for Symantec Mail Security for SMTP.
Note: Symantec Mail Security for SMTP does not support Scanners running on different platforms within the same email filtering environment; all Scanners must use the same operating system (for example, Linux or Windows).
Table 4-2 Requirements for Windows
Windows Platform: Requirements
Operating System: Windows 2000 Server (SP4); Windows Server 2003 (SP1); Windows Server 2003, Japanese version (SP1)
Mail Server/MTA: Microsoft Internet Information Services (IIS) Windows SMTP service. The MTA included with Symantec Mail Security for SMTP relays mail to existing email servers. It does not provide final mail delivery functions nor client access to mail via POP.
Browser: A secure Web connection using one of the following browsers: Microsoft Internet Explorer 6.0; Firefox 1.5
Foldering Support: Spam Folder Agent: Exchange 5.5, Exchange 2000, or Exchange Server 2003. Symantec Spam Folder Agent for Domino: Lotus Domino 5, 6, or 6.5. Exchange foldering using Spam Confidence Level: Symantec Mail Security for SMTP must be installed on an Exchange Server 2003 server. Exchange Server 2003 must be installed on the back-end message store. Users must enable the Junk Mail Filter in Outlook 2003 or Outlook Web Access 2003.
Note: Foldering agents must reside on machines running their corresponding message server; they cannot run on machines which also run Symantec Mail Security for SMTP.
Privileges and permissions: For installation: You must be an administrator of the local computer to install any Symantec Mail Security for SMTP component on that computer.
After installation: The subfolder where Symantec Mail Security for SMTP is installed and its subdirectories are created with the default permissions relative to their location. If security is a concern, and since the configuration file is accessible via the network, it is recommended that you verify that the permissions are acceptable after installation, and modify them if necessary. Ensure that at least local administrators retain full access to everything, so that the various system components can continue to function properly.
Service Permissions: Except for the Spam Folder Agent, Symantec Mail Security for SMTP Services run as the Local System Account, which gives them full access to system information and resources. Should you wish to change this, it is imperative that the services run with a user belonging to the local administrators group. You choose the account that the Spam Folder Agent runs as.
LDAP: Necessary if you want to have LDAP-based group policies or alias expansion.
Table 4-3 Requirements for Solaris/SPARC or Linux
Solaris/SPARC or Linux Platform: Requirements
Operating System: Sun Solaris 9 or 10; Red Hat Enterprise Linux AS 3.0 (Update 5); Red Hat Enterprise Linux ES 3.0 (Update 5)
Browser: A secure Web connection using one of the following browsers: Microsoft Internet Explorer 6.0; Firefox 1.5
Access privileges: Root access using su or sudo
Accounts and directories: Symantec Mail Security for SMTP software runs as user mailwall in the bmi group. See the Symantec Mail Security for SMTP Installation Guide for more information.
Alias: Create a mail alias for the mailwall account so that all mail sent to mailwall is read by an administrator.
Domain name: A fully qualified domain name is required for each computer running the software.
tar program: Because the tar file names exceed the 40 character file name limit of native Solaris tar, GNU tar is required to install Symantec Mail Security for SMTP on Solaris. GNU tar for Solaris is available from http://www.sunfreeware.com and other Web sites.
LDAP: Necessary if you want to have LDAP-based group policies or alias expansion.
MTA: The MTA included with Symantec Mail Security for SMTP relays mail to existing email servers. It does not provide final mail delivery functions nor client access to mail via POP.
Reserved ports
The following tables list ports reserved for Symantec Mail Security for SMTP components and functions. Reserved ports are classified as either locally bound (Table 4-4) or external listening (Table 4-5).
Table 4-4 Reserved locally-bound ports
Port: Component or function
22: Control Center to internal server connection
3306: MySQL database connection
11000 – 11004: LDAP sync
11011 – 11013: LDAP sync
41025: Spam Quarantine
41000: BMI client
Table 4-5 Reserved external listening ports
Port: Component or function
21: Control Center to FTP server connection
25: Inbound mail SMTP connection
389: LDAP server TCP/IP connection
3268: LDAP Global Catalog connection
5001: Relay Hub
8086: SESA agent
41002: Agent
41080: Tomcat HTTP
41443: Tomcat HTTPS connection
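A pre-installation check for the two port tables, as an added example that is not part of this guide and not Symantec's code: it expands the reserved ranges into individual ports and reports any on which the host already has a TCP listener, so a conflicting service (an existing MySQL or SMTP daemon, for instance) is found before a Scanner or Control Center is installed. The port tables are transcribed from Tables 4-4 and 4-5 above; the probe address 127.0.0.1 is an assumption.

```python
"""Added example (not Symantec code): find reserved ports already in use on
the local host before installing Symantec Mail Security for SMTP."""
import socket

# Transcribed from Table 4-4; inclusive ranges are written with a hyphen.
LOCALLY_BOUND = {
    "22": "Control Center to internal server connection",
    "3306": "MySQL database connection",
    "11000-11004": "LDAP sync",
    "11011-11013": "LDAP sync",
    "41025": "Spam Quarantine",
    "41000": "BMI client",
}

# Transcribed from Table 4-5.
EXTERNAL_LISTENING = {
    "21": "Control Center to FTP server connection",
    "25": "Inbound mail SMTP connection",
    "389": "LDAP server TCP/IP connection",
    "3268": "LDAP Global Catalog connection",
    "5001": "Relay Hub",
    "8086": "SESA agent",
    "41002": "Agent",
    "41080": "Tomcat HTTP",
    "41443": "Tomcat HTTPS connection",
}


def expand_ports(table):
    """Turn '11000-11004' style keys into one (port, description) entry per port."""
    out = {}
    for key, desc in table.items():
        lo, _, hi = key.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            out[port] = desc
    return out


def port_in_use(port, host="127.0.0.1", timeout=0.5):
    """True if a TCP listener accepts connections on host:port.

    Only the given address is probed, so a daemon bound solely to another
    interface is not seen; probe each interface address you care about.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def conflicts(table, in_use=port_in_use):
    """Map each reserved port that is already in use to its reserved function.

    in_use is injectable so the logic can be checked without opening sockets.
    """
    return {p: d for p, d in expand_ports(table).items() if in_use(p)}


if __name__ == "__main__":
    for name, table in (("locally bound", LOCALLY_BOUND),
                        ("external listening", EXTERNAL_LISTENING)):
        found = conflicts(table)
        print(f"{name}: {len(found)} reserved port(s) already in use")
        for port, desc in sorted(found.items()):
            print(f"  {port:>5}  {desc}")
```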
Factors that affect performance
The performance of Symantec Mail Security for SMTP can be affected by many factors. This section provides guidelines regarding those factors, and suggestions that may improve performance.
Overall performance involves several factors, some depending on the configuration and deployment options you choose, and others depending on external factors, such as the percentage of your organization’s email that is spam.
Hardware components that affect performance
The components that make up the system affect its performance; more capable hardware yields higher throughput. If you run the Control Center and Scanner on different computers, consider the following recommendations:
Processing power – Scanners need less disk storage, but powerful CPUs and memory, especially if virus scanning is enabled.
Disk space – The Control Center likely needs much more disk space (depending on the volume of logging, reporting, and quarantined messages retained). It should also have a much higher sustained I/O throughput capacity than what is specified for Scanners.
Consider the following recommendations for computers running Symantec software:
Network – Consider using switched 100 Mb/s fast Ethernet or gigabit network connections between the Control Center and each Scanner.
CPU (speed and type) – Increase the number and speed of CPUs per server. We recommend dual Intel Xeon processors if your email traffic rate warrants it.
RAM (speed and type) – Track memory usage and increase RAM as necessary to minimize or avoid disk swapping. Tomcat can use as much as 600 MB of RAM when completing certain tasks. MySQL can also use a large amount of RAM.
Disk type and I/O speeds – Improve MySQL database performance by using a fast RAID and/or attached disk array. MySQL is used by the Control Center.
Environmental factors that affect performance
Historical usage patterns of your particular deployment will affect system performance. Prior to installation, collect information about your environment to understand typical usage patterns:
Outgoing SMTP connections – These can cause additional overhead by swelling disk queues with email destined for remote email servers which may not be immediately accepting new email. Larger queues on disk result in reduced MTA performance. Ideally, inbound and outbound mail streams should be configured to work on separate machines.
Microsoft Indexing Service – If you are running Windows, stopping or disabling Microsoft Indexing Service can improve disk I/O time and boost performance. See your Microsoft Windows documentation for more information.
External MTA performance – If appropriate, determine the performance of the MTA sending incoming email to your MTA, and the performance of your gateway MTAs and message store.
The characteristics of messages sent and received can impact performance. Key parameters to identify are:
Median message size
Average number of messages per day
Number of messages with attachments
Average attachment size
Types of attachments
Percentage of virus-infected messages in the email traffic
Types of end-users (ISP or enterprise)
Settings that affect performance
The choices you make when configuring Symantec Mail Security for SMTP affect its performance.
Filtering performance considerations
Multiple group policies – If a message has more than one recipient, each with different group policies, then the Scanner may need to bifurcate the message (split it into one or more messages) for modification prior to delivery. Bifurcated messages resulting from many group policies may degrade performance. Use group policies as necessary, but be aware that using a large number of policies may affect performance.
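A small model of the policy resolution described under "Understanding email filtering" and of the bifurcation just described, as an added example that is not part of this guide and not Symantec's code: recipients are matched to a group by email address, LDAP group or domain, each group maps a verdict to an action, and the number of distinct actions among a message's recipients is the number of copies the Scanner would have to produce. The group names, the verdict and action strings, and the LDAP membership table are constructed assumptions.

```python
"""Added example (not Symantec code): resolve per-recipient actions from
group policies and count the message copies (bifurcation) they require."""
from collections import defaultdict

# Constructed policies. Matching order is address, then LDAP group, then
# domain, then the default group; verdict -> action names are assumptions.
POLICIES = {
    "Executives": {
        "addresses": {"ceo@example.com"},
        "actions": {"spam": "modify_subject", "virus": "clean"},
    },
    "Sales": {
        "ldap_groups": {"cn=sales,ou=groups,dc=example,dc=com"},
        "actions": {"spam": "spam_folder", "virus": "clean"},
    },
    "example.com": {
        "domains": {"example.com"},
        "actions": {"spam": "delete", "virus": "delete"},
    },
    "Default": {"actions": {"spam": "quarantine", "virus": "delete"}},
}

# Constructed LDAP membership; in practice this comes from the LDAP sync.
LDAP_MEMBERSHIP = {"rep@example.com": {"cn=sales,ou=groups,dc=example,dc=com"}}


def group_for(recipient):
    """Most specific match wins: explicit address, then LDAP group, then domain."""
    rcpt = recipient.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    for name, pol in POLICIES.items():
        if rcpt in {a.lower() for a in pol.get("addresses", ())}:
            return name
    for name, pol in POLICIES.items():
        if pol.get("ldap_groups", set()) & LDAP_MEMBERSHIP.get(rcpt, set()):
            return name
    for name, pol in POLICIES.items():
        if domain in pol.get("domains", ()):
            return name
    return "Default"


def action_for(recipient, verdict):
    """Action the recipient's group assigns to the verdict, falling back to Default."""
    actions = POLICIES[group_for(recipient)]["actions"]
    return actions.get(verdict, POLICIES["Default"]["actions"][verdict])


def plan_delivery(recipients, verdict):
    """Group recipients by resolved action. Every distinct action needs its own
    copy of the message, so len(result) is the number of bifurcated copies."""
    plan = defaultdict(list)
    for rcpt in recipients:
        plan[action_for(rcpt, verdict)].append(rcpt)
    return dict(plan)


if __name__ == "__main__":
    rcpts = ["ceo@example.com", "rep@example.com", "bob@example.com", "x@other.org"]
    plan = plan_delivery(rcpts, "spam")
    for action, who in plan.items():
        print(f"{action:15} -> {who}")
    print(f"{len(plan)} copies needed for {len(rcpts)} recipients")
```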
Unresolved messages – Deleting quarantined messages with unresolved recipients can improve performance significantly.
Note: This feature is only available if you are using LDAP for authentication. For information on configuring LDAP servers and Spam Quarantine, refer to the Symantec Mail Security for SMTP Administration Guide.
Data pruning – Following are recommendations for improving performance by minimizing data overhead. Note that these numbers are suggestions only. If you are legally bound to retain data longer, you should consider archiving it and storing it offline.
Set log levels to Warning and specify a 7-day retention limit.
Set report retention to 7 days and only store report data that you need.
Set Spam Quarantine message retention to 7 days.
Note: For information on these operations, refer to the Symantec Mail Security for SMTP Administration Guide.
Control Center performance considerations
The Control Center is used to start and stop servers; view logs and reports; set configuration options; backup, restore, and reset system software; and consolidate statistics, report data, and logs. Consider the following regarding its configuration:
Number of Scanners – The number of Scanners a Control Center collects logging and statistics from can impact the Control Center's performance. As you add Scanners to a Control Center, monitor the Control Center's performance to ensure that it does not degrade to unacceptable levels.
Log level – The higher the log levels, the more data the Control Center must consolidate over the network. Consider keeping log levels relatively low unless you are troubleshooting. You can also set logs to be expunged more frequently.
Message Tracking – Through message tracking, Symantec Mail Security for SMTP components create audit events based on the incremental steps an email message takes in its passage through the mail flow. By viewing the Message Tracking Log, administrators can easily determine the fate of a given message.
Warning: A typical entry in the Message Tracking Log occupies 800 bytes of storage space. While occasionally useful, message tracking can degrade system performance, especially when audit events must be logged and stored for high volume email traffic. You should use it judiciously.
Scheduled reports – Schedule reports for times when utilization is low. Also bear in mind that advanced reporting can impair performance.
Role of Control Center host – In cases where the Control Center host is also a busy Scanner host, the Scanner and Control Center must share the resources of a single machine, which may affect performance.
Spam Quarantine and LDAP performance considerations
Consider the following Spam Quarantine and LDAP performance implications.
Number of messages expected per day into Spam Quarantine – The more messages placed in the Spam Quarantine, the larger the database, and the more processing required. Reduce the maximum size of the Spam Quarantine database by deleting spam, or by reducing spam retention time.
Number of end users logging into the Spam Quarantine interface – More connections from end users results in more overhead for the system. Symantec recommends Spam Quarantine for user populations of 30,000 users or less.
LDAP server throughput – LDAP lookups for message recipients against a limited capacity LDAP server will severely impair Spam Quarantine and SyncService performance. Ensure that you have adequate capacity on your LDAP server, and/or consider creating an LDAP server replica.
Message queues – Because the Spam Quarantine database is stored on the Control Center, Spam Quarantine's SMTP server may slow down, causing the Scanner’s delivery MTA to back up when the destination MTA is accepting messages either slowly or not at all. If this occurs, some legitimate mail messages may be delayed.