Page 2
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
...
Page 5
(each a “License Module”) that media containing multiple Symantec products, any accompanies, precedes, or follows this license, and as Symantec software on the media for which You have may be further defined in the user documentation not received permission in a License Module; nor accompanying the Software, Your rights and G.
Software to You. Your sole remedy in the event of a through 227.7202-4, 48 C.F.R. section 52.227-14, and breach of this warranty will be that Symantec will, at other relevant sections of the Code of Federal its option, replace any defective media returned to...
Page 7
IBM License are offered by Symantec alone and not by any other party. 8. Additional Uses and Restrictions: A. If the Software You have licensed is Symantec Mail Security for a corresponding third party product or platform, You may only use that Software for the corresponding product or platform.
What’s new in Symantec Mail Security for SMTP ... 14
Components of Symantec Mail Security for SMTP ... 15
How Symantec Mail Security for SMTP works ... 16
What you can do with Symantec Mail Security for SMTP ... 18
Filter email messages ... 18
Identify spam ... 19
Respond to viruses ...
Page 10
Accessing the administrative interface ... 37
Activating product and content licenses ... 38
Routing scanned messages for delivery ... 40
Stopping and restarting Symantec Mail Security for SMTP ... 41
Uninstalling Symantec Mail Security for SMTP ... 41
Chapter 3 Configuring Symantec Mail Security for SMTP
Configuring administrator settings ...
Page 11
Blocking by real-time antispam blacklists ... 94
Blocking by a custom blacklist ... 96
Identifying spam messages using the heuristic antispam engine ... 97
Identifying spam using Symantec Premium AntiSpam ... 99
Configuring Symantec Premium AntiSpam ... 100
Enabling language identification ... 104
Configuring the spam quarantine ... 104
...
Page 12
About SESA ... 155
Configuring logging to SESA ... 156
Configuring SESA to recognize Symantec Mail Security for SMTP ... 157
Installing the local SESA Agent using the SESA Agent Installer ... 158
Installing the SESA Agent manually by command line ... 162
Configuring Symantec Mail Security for SMTP to log events to SESA ...
About Symantec Mail Security for SMTP
Symantec Mail Security for SMTP is a Simple Mail Transfer Protocol (SMTP) server that processes email before sending it to a local mail server for delivery. It can be configured to protect your network in the following ways:
■ Block unwanted email messages.
Introducing Symantec Mail Security for SMTP
What’s new in Symantec Mail Security for SMTP
Table 1-1 lists the new features in Symantec Mail Security for SMTP.
Table 1-1 New features in Symantec Mail Security for SMTP
Feature...
Components of Symantec Mail Security for SMTP
Symantec Mail Security for SMTP consists of several components that work together to protect your network. Table 1-2 describes each component.
SMTP server for further processing and delivery. It also receives outgoing email from your SMTP server and processes it based on the configuration of Symantec Mail Security for SMTP.
Page 17
“Updating virus and spam definitions files” on page 84. By default, when Symantec Mail Security for SMTP detects a virus in an email attachment (that is not a container file), it attempts to repair the infected attachment. If Symantec Mail Security for SMTP cannot repair the attachment, it deletes the attachment by default.
“Setting your filtering policy” on page 125. You can configure Symantec Mail Security for SMTP so that users on the network become aware of its operation only if a virus or content violation is detected. You can also configure Symantec Mail Security for SMTP to send alerts to administrators in the case of system events, and send notifications to administrators and senders when there is virus activity.
Security for SMTP to identify spam. You can specify which criteria to use to identify spam and how those messages should be handled. “Setting your antispam policy” on page 89.
Symantec Mail Security for SMTP can be configured to identify spam based on the following:
■ Symantec Premium AntiSpam Service
...
Page 20
Table 1-4 lists the options for handling unrepairable infected attachments.
Table 1-4 Options for handling unrepairable infected attachments
Option | Description
Delete | The attachment is deleted from the message.
Symantec Mail Security for SMTP works with other email software products that are running on other local mail servers. After processing messages, Symantec Mail Security for SMTP relays the messages to mail servers according to how you have configured your relay settings.
You must perform the following pre-installation tasks when appropriate:
■ Install and configure the operating system.
“Installing and configuring the operating system” on page 24.
■ Upgrade from earlier versions of Symantec Mail Security for SMTP.
“Upgrading from previous versions” on page 24.
■ Configure DNS.
Symantec Mail Security for SMTP automatically adds the period. For example, if exe was in the Include list of the previous version, Symantec Mail Security for SMTP changes it to .exe to force the configuration into compliance with the...
Version 4.1 does not support high ASCII or DBCS characters in directory names. If you have used high ASCII or DBCS characters for directories in your previous version of Symantec Mail Security for SMTP, you must back up the configuration file for the previous version and copy the file into version 4.1.
MX record.
Preventing conflicts with other SMTP servers
Because Symantec Mail Security for SMTP is an SMTP server, it must have exclusive access to the TCP/IP port that corresponds to that service. No other SMTP servers can be running on the same port on the same server on which Symantec Mail Security for SMTP is installed.
Installing Symantec Mail Security for SMTP
Before you install
Preventing conflicts with other software
You must stop any other antivirus software on the server on which Symantec Mail Security for SMTP will be installed. After installation, reenable the antivirus protection.
System requirements
You must have root or local administrator-level privileges to install Symantec Mail Security for SMTP. You should install Symantec Mail Security for SMTP on its own server. The system requirements for Solaris and Windows 2000/2003 Server are as...
You need root or administrator-level privileges to install Symantec Mail Security for SMTP. A static IP address is required. If you decide to install Symantec Mail Security for SMTP on the same computer as your SMTP server, you must configure Symantec Mail Security for SMTP to listen on the port to which mail clients deliver messages.
Verifying and testing DNS settings
Your server must be configured as a DNS client before installing Symantec Mail Security for SMTP.
Verify and test DNS settings
To verify DNS settings, you must check the TCP/IP properties for your server.
Server) to install Symantec Mail Security for SMTP.
Run the installation script or setup program
The Symantec Mail Security for SMTP files are included on the installation CD. For Solaris, you must be logged on as root. For Windows 2000/2003 Server, you must be logged on with administrator privileges.
To run the Symantec Mail Security for SMTP setup program on Windows 2000/2003 Server
Change (cd) to the location of the installation files.
Run Setup.exe.
Follow the on-screen instructions.
Page 33
Table 2-1 Installation directories for Solaris
Directory | Description | Default location
ScanDir | Contains temporary files that are created during Symantec Mail Security for SMTP scanning. At least 100 MB disk space is recommended. | /tmp/smssmtptemp
HTTP server will listen. The number that you specify becomes the port number in the URLs that you use to access the Symantec Mail Security for SMTP interface. The port number that you specify must be different from the HTTPS and SMTP port numbers, exclusive to Symantec Mail Security for SMTP, and not already in use by any other program or service.
You can install the plug-in from the Symantec Mail Security for SMTP CD. The plug-in adds a toolbar to the Outlook window from which users can access the help system.
You can install the Symantec Spam Folder Agent from the Symantec Mail Security for SMTP CD.
Note: You must install the agent on the server on which Symantec Mail Security is installed.
To install the Symantec Spam Folder Agent
On the product CD, click Install Spam Folder Agent.
Security for SMTP.
Access the Symantec Mail Security for SMTP administrative interface
You can access Symantec Mail Security for SMTP through a browser window, from the Start menu, or by clicking the desktop icon (if it is running in Windows).
SMTP.
Activating product and content licenses
You must install a license file on each server that is running Symantec Mail Security for SMTP in order to activate your product and content licenses. The product license is required to activate Symantec Mail Security for SMTP scanning operations.
Page 39
If you have questions about licensing, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order.
To activate product and content licenses
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Licensing.
You must add a routing list entry for each serviced email domain on your network. If the Symantec Mail Security for SMTP server is not the last hop before the Internet, you might need to use default routing. “Configuring default routing”...
Stopping and restarting Symantec Mail Security for SMTP
You may need to stop and restart Symantec Mail Security for SMTP. Stopping and restarting the service results in a lost connection to client applications that may be submitting a file for scanning or delivery.
Page 42
Uninstall Symantec Mail Security for SMTP from Windows 2000/2003 Server
There may be files and registry entries that are not removed when you uninstall Symantec Mail Security for SMTP. You must manually delete those files and entries.
Warning: If you are running other Symantec products, certain shared files, including registry files, should not be deleted.
Page 43
In the Registry Editor window, under My Computer, double-click HKEY_LOCAL_MACHINE.
Double-click SOFTWARE.
Right-click the Symantec folder, and then click Delete. Do not delete the folder or any shared files from the folder if you are running other Symantec products.
In the Confirm Key Delete window, click Yes.
Chapter 3 Configuring Symantec Mail Security for SMTP
This chapter includes the following topics:
■ Configuring administrator settings
■ Configuring connection and delivery options
■ Processing messages in the hold queue
■ Configuring scan options
■ Configuring routing options
■ Configuring alerts
...
Configuring administrator settings
The following types of administrator accounts can be set in Symantec Mail Security for SMTP:
■ Administrator: Oversees administration of Symantec Mail Security for SMTP
■ Report-only administrator: Has privileges only to run reports on Symantec...
Page 47
To change an administrator password through the administrative interface
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Accounts tab, under Administration Passwords, under Administrator password, in the New password box, type a password for the administrator.
Page 48
In the Confirm box, type the password again.
Click Change Password.
To enable the report-only administrator account
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Accounts tab, under Administration Settings, check Enable Report-only Administrator account.
Symantec Mail Security for SMTP recognizes those port numbers as already being in use. SMTP options apply to the Symantec Mail Security for SMTP server, which receives email messages for scanning and then forwards the messages for delivery.
Page 50
Configuration. On the Setup tab, under SMTP, in the SMTP port number box, type the port number for the port on which Symantec Mail Security for SMTP listens. The default is 25. If the SMTP port is reset to another port, only email messages that arrive at the other port will be processed.
Configuration. On the Setup tab, under Delivery, in the Number of days drop-down list, select the number of days that Symantec Mail Security for SMTP will attempt to deliver a message. If a message cannot be delivered, it is sent to the slow queue where Symantec Mail Security for SMTP continues to attempt delivery.
Configuring HTTP connections
The Symantec Mail Security for SMTP software is managed through a Web-based interface. This interface is provided through a built-in Hypertext Transfer Protocol (HTTP) server that is included with the software. This HTTP server is independent of any existing HTTP server that is already installed on your server and is not a general-purpose Web server.
On the Setup tab, in the HTTPS port number box, type the port number of the HTTPS server. The default port number is 8043. The port number must be exclusive to Symantec Mail Security for SMTP and must not already be in use by any other program or service. Click Certificate Management.
Page 54
The Certificate Authority sends your certificate by email to the address that you typed on the Certificate Request page.
To install the returned certificate on Symantec Mail Security for SMTP
Copy the entire certificate, including the header and footer, that you received from the Certificate Authority.
Acting as your own Certificate Authority
If you are able to act as your own Certificate Authority, you need only install a signed certificate that is created from the request that is generated by Symantec Mail Security for SMTP and enable SSL encryption for logons.
To configure the local time zone
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Setup tab, under Local time zone, in the Region drop-down list, select a region.
Page 57
To change the temporary files directory location
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
■ If a message causes a system crash three times, it is moved to the hold queue.
■ If Symantec Mail Security for SMTP is configured to hold messages that cannot be processed, those messages are sent to the hold queue.
Page 59
To reprocess messages that are in the hold queue
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Hold Queue tab, click Reprocess Messages.
.zip entry. If only .zip is in the Include list and test.zip is sent, no files are scanned because the zip file has been decomposed, and Symantec Mail Security is looking for .zip files.
Page 61
To configure scan options
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Scan Policy tab, select one of the following:
■ All files regardless of extension
...
■ Hold
Click Save Changes.
Configuring routing options
After it scans for viruses, Symantec Mail Security for SMTP routes email messages to your existing hosts for delivery. The routing configurations are as follows:
■ Default routing
...
Page 63
In the Port box, type the port number of your mail server. The default port number is 25. Click Save. Mail that was destined for your SMTP server goes to Symantec Mail Security for SMTP for processing and then is forwarded to the specified SMTP server for delivery.
■ An entry (host name, domain, or IP address) by itself
An entry by itself means that Symantec Mail Security for SMTP treats email messages that are addressed to that host name, domain, or IP address as local. It does a DNS lookup for the address and delivers it to the address that is specified in the MX record.
Page 65
You can create, edit, and delete local routing list entries.
To create local routing entries
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Routing tab, under Local Routing List, click Add.
Page 66
The default port number is 25.
Click Save.
To edit a local routing list entry
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Routing tab, under Local Routing List, select the case that you want to edit.
Configuring alerts
You can configure Symantec Mail Security for SMTP to send alerts for system events to one or more administrators. If you do not provide an administrator email address, Symantec Mail Security for SMTP prompts you to save any changes.
Page 68
Table 3-2 lists the system events that trigger alerts, their descriptions, and examples of alerts.
Table 3-2 Events that trigger alerts
Event | Description | Alert text
ServiceStart | The service has started. | Subject: Service Start Body: The service has been started.
Page 69
Table 3-2 Events that trigger alerts
Event | Description | Alert text
Scan error | The engine that handles decomposition of files has encountered an error during | Subject: Decomposition error Body: An error occurred during message scanning.
If you do not enter an administrator email address, Symantec Mail Security for SMTP prompts you to enter one each time the Notifications screen is saved. Administrator notifications will not be delivered, despite being enabled, until an address is specified.
Understanding notification metatags
Within the default text of notifications, there are metatags, which act as placeholders for information. You can change text in any notification, but do not alter the metatags, or you will not receive information about the event that triggered the notification.
Configuring logging options
Symantec Mail Security for SMTP lets you send logging events to the local computer or to SESA. Local logging (logging of activity to the computer on which Symantec Mail Security for SMTP is running) is enabled by default. For local logging, you can specify how long old logs should be retained, from one week to never delete.
Page 73
Once enabled, Symantec Mail Security for SMTP logs the following local events to SESA:
■ Logon
■ Subjects blocked
■ Logoff
■ Scan error
■ Definitions updated
■ Sender blocked
■ Object modified
■ Attachment deleted
...
Warning: The default for the Queue File Save setting is Disable. Do not change this setting unless you are instructed by Symantec Technical Support to do so. Changing the setting can result in undesirable system behavior.
To configure queue file save
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
Page 75
<InstallDir> is the path of the top-level installation directory, such as var/opt/SMSSMTP or C:\Program Files\Symantec\SMSSMTP. Warning: SMTP Conversation Logging is disabled by default. Do not change this setting unless you are instructed by Symantec Technical Support to do so.
Page 76
To configure conversation logging
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Configuration.
On the Diagnostics tab, under SMTP Conversation Logging, in the logging...
About your antivirus policy
Your antivirus policy is determined by how you configure Symantec Mail Security for SMTP to handle email (which file types to scan, which files to quarantine, and when to notify administrators and senders if viruses are found...
Setting your antivirus policy
Configuring antivirus settings
The antivirus settings in Symantec Mail Security for SMTP let you do the following:
■ Scan for viruses
“Enabling virus scanning” on page 78.
■ Handle infected files
“Handling infected files”...
Page 79
To enable virus scanning
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Antivirus Policy.
In the Antivirus Settings window, under Antivirus scanning, ensure that Enable virus scanning is checked.
Bloodhound changes to take effect.
Handling infected files
Symantec Mail Security for SMTP can handle infected files in a number of ways. Scanning must be enabled and files must be specified for scanning in order for files to be processed.
When the mass mailer cleanup function is enabled in the administrative interface, Symantec Mail Security for SMTP searches for a match between virus name patterns and the signatures that are returned by the antivirus scan. The match is made based on the configuration parameter @m (used by Symantec Security Response to name mass mailer viruses).
“Updating virus and spam definitions files” on page 84. Warning: If you configure Symantec Mail Security for SMTP to forward infected messages to the Central Quarantine, and the Central Quarantine is not running, files accumulate in the quarantine directory and may severely degrade performance.
Configuring outbreak alerts
You can configure Symantec Mail Security for SMTP to send notifications to one or more email addresses in cases of virus outbreaks.
Note: You must enter recipient addresses on the Antivirus Policy > Outbreak Alert tab in order for this function to work.
87.
Update virus and spam definitions files
You can configure Symantec Mail Security for SMTP to run LiveUpdate one or more days per week. You can change the time of day for the first attempt and the frequency of attempts. You can also update virus and spam definitions manually.
Page 85
Click Save Changes.
To update virus definitions manually
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click LiveUpdate.
In the LiveUpdate window, under Initiate, click LiveUpdate now. Do not resubmit a LiveUpdate request. It may take a few minutes to contact...
Enabling virus definitions updates through Intelligent Updater
By default, Symantec Mail Security for SMTP does not support updating virus definitions through Intelligent Updater. To enable updating through Intelligent Updater, you must run a setup script for your platform. This lets multiple Symantec products that run on the same system share virus definitions updates.
Symantec Mail Security for SMTP product CD. If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Symantec Mail Security for SMTP to point to the local LiveUpdate server. For more information, contact Symantec Service and Support.
Terms that, when found in messages, identify whether a message is spam
You can also create custom and auto-generated whitelists to let Symantec Mail Security for SMTP bypass heuristic and blacklist processing for designated domains and email addresses. (Spam rules still apply.)
Page 91
Setting your antispam policy
Creating a custom whitelist
To create a custom whitelist
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Whitelist window, on the Custom tab, under Custom whitelist, check Bypass heuristic and blacklist detection for the following domains or email addresses.
If you activate the auto-generated whitelist feature, the email domains of all outgoing messages that are not in your local routing list are captured in a whitelist. Symantec Mail Security for SMTP stores a maximum of 2000 entries in the auto-generated whitelist. When the maximum number of entries is exceeded, it removes the top 50.
Page 93
Enable whitelist generator.
Click Save Changes.
To manage auto-generated whitelists
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Whitelist window, under List management, select one or more entries, and then select one of the following actions:
■ Add to Custom Whitelist
...
Blocking by real-time antispam blacklists
The most common way of preventing spam is to reject mail that comes from mail servers known or believed to send spam. To limit potential spam, Symantec Mail Security for SMTP can support up to three real-time antispam blacklists.
Page 95
You must check this checkbox to enable this feature. If you do not check this checkbox, Symantec Mail Security for SMTP will not attempt to use this service, even if you type a domain name for the spam service.
Blocking by a custom blacklist
You can configure Symantec Mail Security for SMTP to block email by a custom blacklist (which contains the sender’s address or domain). It searches both the envelope From and message From headers to determine string matches.
You may need to adjust these settings after you analyze your results over a period of time.
To identify suspected spam messages using the heuristic antispam engine
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
Page 98
In the Anti-Spam window, under Activating the heuristic antispam engine, check Enable heuristic anti-spam detection, and then select the engine sensitivity level.
Accept the default or type the text that you want to prepend to the subject line of suspected spam messages.
Identifying spam using Symantec Premium AntiSpam
In addition to providing real-time blacklisting and sender and recipient whitelisting, Symantec Premium AntiSpam uses the following to identify and handle spam:
Reputation service: Symantec monitors email sources to determine how much of the mail that is sent from those sources is legitimate.
“Enabling language identification” on page 104.
Configuring Symantec Premium AntiSpam
After you activate your Symantec Premium AntiSpam license, you must enable and configure the service to identify and handle spam and suspected spam. “Activating product and content licenses” on page 38.
Page 101
To configure Symantec Premium AntiSpam
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Premium AntiSpam window, on the General tab, under Enablement,...
Page 102
To identify suspected spam
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Premium AntiSpam window, on the General tab, under Suspected spam scoring, check Treat messages that have a spam score between [ ] and 89 as suspected spam.
Page 103
Click Save Changes.
To configure suspected spam handling
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Premium AntiSpam window, on the General tab, under “Suspected Spam” disposition, select one of the following:
■ Drop message
...
The plug-in is available on the Symantec Mail Security for SMTP installation CD.
To enable language identification
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Premium AntiSpam window, on the Spam Quarantine tab, check Enable Language Identification.
Page 105
Spam Quarantine settings, in the Quarantine host, type the IP address of the spam quarantine server. The quarantine host should be the server on which Symantec Mail Security for SMTP is installed. In the Port box, type the port number of the spam quarantine server.
■ Go to http://<QuarantineServer>:41080/brightmail/settings/advanced/editAdvancedSettings.do
■ Under Global Attributes, copy the reinsertion key.
Click Save Changes.
Creating administrator information
You can create one or more administrator accounts through the Brightmail spam quarantine user interface.
To access the Brightmail spam quarantine user interface
◆...
Page 107
Click Add.
In the Add Administrator window, in the User name box, type a name for the administrator.
In the Password box, type a password.
In the Confirm password box, type the password again.
In the Email address box, type the email address for the administrator.
Configuring alerts
An alert is sent to administrators when the spam quarantine has low disk space. You can also specify users to receive the alert. This information is configured through the Brightmail spam quarantine user interface.
To access the Brightmail spam quarantine user interface
◆ On the Internet, go to http://<QuarantineServer>:41080/brightmail/...
Page 109
To configure LDAP settings for Active Directory
On the Internet, go to http://<QuarantineServer>:41080/brightmail/viewLogin.do
User name is admin. Password is brightmail.
On the Settings tab, in the left pane, under System Settings, click LDAP.
In the LDAP window, under LDAP Server, in the Server box, type the fully qualified domain name or IP address of an Active Directory domain controller, such as dc.example.com.
Page 110
Under LDAP Server Login, select Anonymous bind or Use the following to specify a user name and password. Unless you have configured Active Directory to allow anonymous access, the Anonymous bind setting does not usually have adequate authentication privileges for the spam quarantine to access the necessary Active Directory information.
Page 111
14 If the test query was unsuccessful, verify the following information:
Query filter | Ensure that the query filter includes the values from User login name attribute, Primary email attribute, and Email alias attribute as wildcard searches.
Page 112
In the Password box, type the password for the account. Logon credentials are required. If you do not want to type a user name and password, you must select Anonymous Bind. Click Test Login to verify that the spam quarantine can authenticate against LDAP using the information that you have supplied.
Page 113
14 Click Save.
15 Attempt to log on to the spam quarantine.
To configure quarantine settings
On the Internet, go to http://<QuarantineServer>:41080/brightmail/viewLogin.do
User name is admin. Password is brightmail.
On the Settings tab, in the left pane, under System Settings, click Quarantine.
In the Quarantine Settings window, under Quarantine System Type, check Administrator-only Quarantine. When administrator-only access is enabled, you can still perform all administrator tasks, which includes redelivering misidentified messages to local users. However, notification of new spam messages is disabled when administrator-only access is enabled.
Page 115
To edit the notification templates
Beside Notification templates, click Edit to edit the template.
■ In the Send from box, type the email address from which the notification digests should appear to be sent. You should type an address to which users can send questions about the notification digests.
Page 116
Edit the user notification template, the distribution lists notification template, or both using the following variables:
%NEW_MESSAGE_COUNT% | Number of new messages in the user’s spam quarantine since the last notification message was sent.
%NEW_QUARANTINE_MESSAGES% | List of messages in the user’s quarantine since the last notification was sent.
Page 117
Release links, will not be available. Under Misidentified Messages, check Brightmail Logistics and Operations Center (BLOC) to report misidentified messages to Symantec. The BLOC analyzes message submissions to determine if the filters need to be changed. The BLOC will not send confirmation of the misidentified message submission to the administrator or the user who submits the message.
Page 118
The Web page should be accessible from any computer where users will log on to the spam quarantine. If you leave this box empty, when a user clicks Need help logging in, online help from Symantec is displayed in a new window.
In the Port box, type the port number of the computer on which Symantec Mail Security for SMTP listens. Click Save.
Page 120
Setting your antispam policy: Accessing the spam quarantine
To sort messages
On the Internet, go to http://<QuarantineServer>:41080/brightmail/quarantine/viewInbox.do
Click the column heading on which you want to sort. A triangle appears in the selected column that indicates ascending or descending sort order.
Page 121
In the To column, check the check box to the left of a misidentified message. Click This is not Spam. If the reinsertion key has been entered in Symantec Mail Security for SMTP, when an administrator clicks This is not Spam, the message is removed from the spam quarantine and delivered to the intended recipient.
(All of these terms=AND. Any of these terms=OR.)
To block by custom spam rules
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Anti-spam Policy.
In the Spam Rules window, on the Status tab, select Enable message body scanning for both Spam and Content Violation Rules.
Page 123
Setting your antispam policy: Blocking by custom spam rules
If desired, in the None of these terms box, type the terms to be used to identify that a message is not spam. If a message contains all of the blocked terms (the AND/OR portion of the rule) but also contains a term from the Not field, the message does not violate the rule.
Page 124
Chapter
Setting your filtering policy
This chapter includes the following topics:
■ About your filtering policy
■ Blocking by content
■ Blocking by container file limits
■ Blocking if an encrypted container is detected
■ Preventing relaying
■ Blocking by custom content rules
...
About your filtering policy
Your filtering policy is determined by how you configure Symantec Mail Security for SMTP to filter messages (which criteria to use to block messages and attachments and how those blocked messages and attachments should be handled).
Blocking by content
Symantec Mail Security for SMTP can be configured to block messages based on the following content:
■ Message size: “Blocking by message size” on page 127.
■ Subject line: “Blocking by subject line”...
In the subject line box, type the subject lines (one per line) that Symantec Mail Security for SMTP should block. You can use the * and ? wildcard characters. The * wildcard character matches 0 or more of any character.
Page 129
Table 6-2 Default extension blocking list
File extension | Description
*.asp | Active Server Pages file
*.bas | Visual Basic® Class module
*.bat | Batch file
*.chm | Compiled HTML Help file
*.cmd | Win32 command script
*.com | MS-DOS® application
*.cpl | Control Panel extension
*.crt...
Page 130
Table 6-2 Default extension blocking list
File extension | Description
*.sct | Windows script component
*.shb | Document shortcut file
*.shs | Shell scrap object
*.url | Internet shortcut (Uniform Resource Locator)
*.vb | VBScript file
*.vbe | VBScript encoded script file
*.vbs | VBScript script file
*.vsd...
Page 131
To block by file name
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Filtering Policy.
Click Save Changes.
Blocking by container file limits
You can configure Symantec Mail Security for SMTP to protect against denial-of-service attacks that are associated with overly large container files that take a long time to decompose, or with files that contain multiple compressed files.
Page 133
To block by container file limits
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Filtering Policy.
In the Container Limits window, select the container limit descriptors that you want to use for determining exceeded container limits.
Blocking if an encrypted container is detected
You can configure Symantec Mail Security for SMTP to handle encrypted container files.
To block if an encrypted container is detected
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Filtering Policy.
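The two checks described above, container limits and encrypted-container detection, can be illustrated with the following added Python example; it is not Symantec's code. The limit names and values, `make_zip` and `inspect_container` are hypothetical, and only zip containers are handled.

```python
import io
import zipfile

# Hypothetical limits for illustration; the product's own limit descriptors
# and defaults are not listed on this page.
LIMITS = {"max_total_bytes": 1_000_000, "max_depth": 2, "max_entries": 100}


def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_container(data, limits=LIMITS):
    """Return a sorted list of the limits a zip held in memory violates.

    Sizes are taken from the archive directory, so an oversized member is
    flagged before any of its content is decompressed.
    """
    violations = set()
    totals = {"bytes": 0, "entries": 0}

    def walk(blob, depth):
        if depth > limits["max_depth"]:
            violations.add("depth")
            return
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                totals["entries"] += 1
                totals["bytes"] += info.file_size
                if totals["entries"] > limits["max_entries"]:
                    violations.add("entries")
                    return
                if totals["bytes"] > limits["max_total_bytes"]:
                    violations.add("size")
                    return
                if info.flag_bits & 0x1:   # general-purpose bit 0: encrypted member
                    violations.add("encrypted")
                    continue               # content cannot be scanned
                if info.is_dir():
                    continue
                member = zf.read(info)     # size already within the budget above
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)

    walk(data, 1)
    return sorted(violations)
```

An empty list means the container stayed within every limit; any other result names the limit a filtering policy would act on.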
“To configure external relay restrictions” on page 136. A source is considered local if Symantec Mail Security for SMTP is running in Allow mode or if the host is listed in the Do not allow list, except for listed hosts list.
Page 136
IP address to specify allowed hosts. For example:
*.someplace.com
1.2.3.*
1.2.*
If Do not allow is selected, and no hosts are listed, Symantec Mail Security for SMTP rejects all email with a non-local destination.
Click Save Changes.
Reject messages with email addresses that contain any of the following characters. In the text box, type one or more characters that Symantec Mail Security for SMTP should search for in email addresses to block. Do not insert spaces or commas between the entries.
Page 138
Setting your filtering policy: Blocking by custom content rules
Click Save Changes.
On the Content tab, under Content filtering rules, click Add.
Under Custom filtering rule definition, check Enable this custom filtering rule.
In the drop-down list, select one of the following:
■ All of these terms
...
Page 139
In the Identify messages that contain box, type one or more terms to be used for filtering. Separate all terms with commas. If you want to add phrases, type all words in the phrase without commas between them.
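The following added Python example, which is not the product's code, models how the rule fields described for custom spam rules and custom content rules combine: comma-separated terms and phrases, All/Any matching, and the None of these terms exemption. `CustomRule` and `parse_terms` are hypothetical names, and case-insensitive substring matching is an assumption because the page does not state how terms are compared.

```python
from dataclasses import dataclass


def parse_terms(field):
    """Split a rule field on commas; the words between two commas form one phrase."""
    return [" ".join(t.lower().split()) for t in field.split(",") if t.strip()]


@dataclass
class CustomRule:
    mode: str           # "all" = All of these terms (AND), "any" = Any of these terms (OR)
    terms: str          # contents of the "Identify messages that contain" box
    none_of: str = ""   # contents of the "None of these terms" box

    def evaluate(self, body):
        """Return (violation, reason) for one message body."""
        # Assumption: case-insensitive substring match on whitespace-normalized text.
        text = " ".join(body.lower().split())
        wanted = parse_terms(self.terms)
        found = [t for t in wanted if t in text]
        if self.mode == "all":
            matched = bool(wanted) and len(found) == len(wanted)
        else:
            matched = bool(found)
        if not matched:
            return False, "terms not matched"
        # A single "None of these terms" hit cancels an otherwise matching rule.
        for t in parse_terms(self.none_of):
            if t in text:
                return False, "exempted by '%s'" % t
        return True, "matched: " + ", ".join(found)


# Constructed sample messages, not taken from the product documentation.
SAMPLES = [
    "URGENT: confirm the wire   transfer today",
    "Urgent wire transfer for purchase order 4411",
    "Urgent: lunch?",
]

if __name__ == "__main__":
    rule = CustomRule("all", "wire transfer, urgent", "purchase order")
    for msg in SAMPLES:
        print(rule.evaluate(msg), "<-", msg)
```

Under the substring assumption a short term such as "urgent" also matches inside a longer word, which is worth checking against sample mail before a rule is enabled.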
Page 140
■ Generating reports
About the Status page
When you log on to Symantec Mail Security for SMTP, the Status page is displayed. This page shows system metrics that were calculated from the time of the most recent startup. At the bottom of the window, you can click Refresh to update the display to reflect current, real-time status.
Page 142
Status page.
Table 7-1 Status page information
Topic | Information
System status | ■ Server and port number for Symantec Mail Security for SMTP. ■ Version number of the product <product license status:Valid or Invalid>.
Page 143
■ Delivered: Number of outgoing messages that have been delivered (including messages spawned internally by Symantec Mail Security for SMTP, such as bounce messages, delivery failure notifications, and configured notifications).
■ Forwarded: Number of messages that have been forwarded...
Spam, Suspected Spam, and Reputation Spam.
Generating reports
Symantec Mail Security for SMTP generates the following types of reports:
■ Summary: Shows totals for message, infection, and virus activity. When viruses are found, it includes links to more information about the viruses. If the Symantec Premium AntiSpam license is valid, the summary report shows totals for spam, suspected spam, and reputation spam.
Shows the virus name, the number of times that the virus was encountered during the designated time period, and the total number of viruses that were encountered. Selecting a virus name takes you to the Symantec Security Response Web site, where you can view specific data about the virus.
Subjects Blocked | Appears only when messages have been rejected due to blocked subject lines.
Page 146
Logging and reporting: Generating reports
To generate summary reports
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Reporting.
On the Summary Report tab, in the From and To drop-down lists, select the date and time range for the report.
Page 147
Message delivery failures | Number of outgoing messages that were returned due to a delivery error
Messages completed | Number of messages that were processed by Symantec Mail Security for SMTP
Encrypted files deleted | Number of encrypted files that were deleted
Messages quarantined...
Number of viruses that were detected, repaired, deleted, and logged only
Generating detail reports
A detail report contains all of the events in the Symantec Mail Security for SMTP log. You can configure Symantec Mail Security for SMTP to log entries for various lengths of time.
Page 149
To generate a detail report
On the Symantec Mail Security for SMTP administrative interface, in the left pane, click Reporting.
On the Detail Report tab, in the From and To drop-down lists, specify the date and time range for the report.
Page 150
Service started | Shows the date and time that the Symantec Mail Security for SMTP service started
Service start failed | Shows the date and time that the Symantec Mail Security for...
Page 151
Connection closed | Shows the date and time that the connection was closed, the IP address of the server that connected to the Symantec Mail Security for SMTP server, the connection ID, the last command sent, and the last response sent by the disconnecting server...
Page 152
About message actions
Table 7-8 lists the message actions.
Table 7-8 Message actions
Action | Description
Accepted | Shows the date and time that a message was accepted, the From/To information, the subject, the client IP address, the connection ID, and the SMTP ID
Dropped | Shows the date and time that a message was dropped, From/To...
Page 153
If a spam message is also malformed, the event will be reported only as malformed. (The report will not show a heuristic spam event for the message.) Note: This setting will not display if the Symantec Premium AntiSpam license is valid.
Mass Mailer cleanup...
Page 154
Table 7-9 Blocking actions
Action | Description
Content rule violation | Shows the date and time that the violation occurred, the sending client, From/To information, subject, size, SMTP ID, and information for which the rule was triggered.
Spam rule violation | Shows the date and time that the violation occurred, the sending client, From/To information, subject, size, SMTP ID,...
About SESA
In addition to using standard local logging for Symantec Mail Security for SMTP, you can also choose to log events to the Symantec Enterprise Security Architecture (SESA). SESA is an underlying software infrastructure and a common user interface framework. It integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization.
Symantec Mail Security for SMTP. Logging to SESA is activated independently of standard local logging. If you have purchased SESA, you can send a subset of the events that are logged by Symantec Mail Security for SMTP to SESA.
Integrating Symantec Mail Security for SMTP with SESA: Configuring logging to SESA
■ Install a local SESA Agent on the computer that is running Symantec Mail Security for SMTP. The local SESA Agent handles the communications between Symantec Mail Security for SMTP and SESA.
The local SESA Agent handles the communications between Symantec Mail Security for SMTP and SESA and is installed on the same computer that is running Symantec Mail Security for SMTP. The local SESA Agent is provided as part of the software distribution package for Symantec Mail Security for SMTP.
Page 159
164.
Install the local SESA Agent using the SESA Agent Installer
To install the SESA Agent using the SESA Agent installer that Symantec Mail Security for SMTP provides, run the Installer on all computers on which Symantec Mail Security for SMTP 4.1 is installed.
Page 160
In the Primary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the primary SESA Manager is running.
Page 161
To install the SESA Agent on Solaris
Copy the bin (.bin) file to install the Agent from the Symantec Mail Security for SMTP distribution CD onto the computer, and change directories to the location where you copied the file.
10 If you are running a Secondary SESA Manager that is to receive events from Symantec Mail Security for SMTP, do the following:
■ Type the IP address or host name of the computer on which the...
Page 163
At the command prompt, type the following:
java -jar agentinst.jar -a3067
3067 is a unique product ID to install the Agent for Symantec Mail Security for SMTP. To remove the SESA Agent, you must use the same product ID parameter (for Symantec Mail Security for SMTP, 3067).
SESA also provides centralized reporting capabilities, including graphical reports. The events that are forwarded to SESA by Symantec Mail Security for SMTP take advantage of the existing SESA infrastructure for events. You can create alert notifications for certain events. Notifications include pagers, SNMP traps, email, and operating system event logs.
Uninstalling the SESA Integration Package
To uninstall the SESA Integration Package, you must run the SESA Integration Wizard on each SESA Manager computer that is receiving events from Symantec Mail Security for SMTP 4.1.
Symantec Mail Security for SMTP events.
Uninstalling the local SESA Agent
The local SESA Agent is automatically uninstalled when you uninstall Symantec Mail Security for SMTP. If more than one product is using the Agent, the uninstall script removes only the Symantec Mail Security for SMTP registration and leaves the Agent in place.