Summary of Contents for Symantec 10490452 - Mail Security 8220
Page 1
Symantec Mail Security for SMTP Administration Guide...
Page 2
Symantec Corporation or its affiliates in other countries. Other names may be trademarks of their respective owners. Symantec Mail Security for SMTP 5.0 is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
Page 3
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
Page 4
■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization...
Contents
Chapter 1 About Symantec Mail Security for SMTP
Key features 11
Functional overview 12
Architecture 13
Where to get more information 14
Chapter 2 Configuring system settings
Configuring certificate settings 17
Configuring host (Scanner) settings 20
Working with the Services page ...
Page 7
Configuring Suspect Virus Quarantine 148
Configuring Suspect Virus Quarantine port for incoming email 148
Configuring the size for Suspect Virus Quarantine 148
Chapter 7 Testing Symantec Mail Security for SMTP
Verifying normal delivery 151
Verifying spam filtering 151
Testing antivirus filtering 152
Verifying filtering to the Spam Quarantine 153...
Page 8
Chapter 9 Working with reports
About reports 163
Choosing a report 164
About charts and tables 172
Selecting report data to track 172
Setting the retention period for report data 173
Running reports 173
Saving and editing Favorite Reports ...
Page 9
Maintaining adequate disk space 200
Appendix A Feature Cross-Reference
New features for all users 202
Changes for Symantec Mail Security for SMTP users 203
New feature names 204
Discontinued features 204
Changes for Symantec Brightmail Antispam users 205
About email filtering and message handling options 206...
Page 10
Appendix D Editing antivirus notification messages
Modifying notification files 231
Changing the notification file character set 232
Editing messages in the notification file 232
Notification file contents 233
Glossary
Index...
■ Where to get more information
Key features
Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based email security solution through the following:
■ Antispam technology – Symantec’s state-of-the-art spam filters assess and classify email as it enters your site.
You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your email processing needs. Each Symantec Mail Security for SMTP host can be deployed in the following ways:
■ Scanner – Deployed as a Scanner, a Symantec Mail Security for SMTP host...
Architecture
Symantec Mail Security for SMTP processes a mail message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected. The incoming connection arrives at the inbound MTA via TCP/IP.
Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information. You can visit the Symantec Web site for more information about your product. The following online resources are available: Provides access to the technical support Knowledge www.symantec.com/...
Page 15
www.symantec.com/avcenter/global/index.html: Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats...
Chapter Configuring system settings
System settings apply to the Control Center and to attached and enabled Scanners. This section explains the following:
■ Configuring certificate settings
■ Configuring host (Scanner) settings
■ Testing Scanners
■ Configuring LDAP settings
■ Replicating data to Scanners...
Page 18
Configuring certificate settings
You can add certificates to the certificate list in the following two ways:
■ Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.
■ Add a Certification Authority Signed certificate by submitting a certificate...
Page 19
On the Import Certificate page, type the full path and filename or click Browse and choose the file.
10 Click Import.
To view or delete a certificate
In the Control Center, click Settings > Certificates.
Check the box next to the certificate to be viewed or deleted.
Configuring host (Scanner) settings
The following sections describe changes that can be made to individual hosts. Information is available on these topics:
■ Working with the Services page
■ HTTP proxies
■ SMTP Scanner settings...
HTTP proxies
The Conduit and Symantec LiveUpdate run on each Scanner, and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, use the steps below.
To change or add proxy information
In the Control Center, click Settings >...
SMTP Scanner settings
A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages.
Page 23
Setting: Inbound Mail Settings
Description: Provides settings for inbound messages. In this area, you can provide the following information:
■ Inbound mail IP address—Location at which inbound messages will be received.
■ Inbound mail SMTP port—Port on which inbound mail is...
Page 24
Setting: Outbound Mail settings
Description: Provides settings for outbound mail characteristics. In this area, you can provide the following information:
■ Outbound mail IP address—Specifies the IP address on which outbound messages are sent.
■ Outbound mail SMTP port—Specifies the port on which...
Advanced SMTP settings
Use the MTA Configuration portion of the page to specify the MTA host name. The MTA Host Name gives you the ability to define the Hello banner during the initial portion of the SMTP conversation. Use the following advanced inbound SMTP settings to further define your SMTP configuration:
Table 2-1...
Page 26
Table 2-2 Outbound SMTP advanced setting descriptions
Maximum message size in bytes: Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per ...: Indicates the maximum number of recipients permitted to receive this message....
Page 27
Table 2-3 SMTP delivery advanced setting descriptions
Maximum number of connections to all internal mail servers: Sets the maximum number of connections allowed to all defined internal mail servers. Any additional connection attempts are rejected....
Configuring internal mail hosts
You can add or delete internal mail hosts at your site.
Configure internal mail hosts
Follow these procedures to add or delete internal mail hosts.
To add an internal mail host
From the Control Center, click Settings >...
User and group data is read from the LDAP server and cached in the Control Center and Scanners, but not written back to the LDAP server. Symantec Mail Security for SMTP supports the following LDAP directory types:
■ Windows 2000 Active Directory...
Page 30
Note: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners with the Replicate now button. Begin this replication only after initial synchronization has completed successfully as shown on the Status >...
Page 31
Table 2-4 LDAP Server Parameters when adding a server
Usage: Describes how this LDAP server will be used. Available usage modes are:
■ Authentication
■ Synchronization
■ Authentication and Synchronization
You can have only one authentication server defined in the Control Center....
Page 32
Table 2-4 LDAP Server Parameters when adding a server
Authentication Query Details: Contains the following options:
■ Autofill—Places default values in the field for you to modify as needed.
■ Query start (Auth base DN)—Designates the point in the...
Page 33
Table 2-4 LDAP Server Parameters when adding a server
Synchronization Query Details: Specifies queries to use for synchronization. Available choices are:
■ Autofill—Places default values in the field for you to modify as...
Page 34
Not all parameters are available for editing in an LDAP definition. Only the following can be changed after an LDAP server has been defined:
Table 2-5 LDAP Server Parameters when editing a server
Item, Description: Administrator...
Page 35
Table 2-5 LDAP Server Parameters when editing a server
Authentication Query Details: Contains the following options:
■ Autofill—Places default values in the field for you to modify as needed.
■ Query start (Auth base DN)—Designates the point in the...
Page 36
To cancel an LDAP synchronization in progress
Click Status > LDAP Synchronization.
Click Cancel Synchronization.
To delete an LDAP server
In the Control Center, click Status > LDAP Synchronization.
Check to be sure that no synchronization is processing. You cannot delete a synchronization server while synchronization is running.
Read: The number of directory entries read from the synchronization server. For a full synchronization, this number is equal to the total number of records from the LDAP source.
Added: The number of directory entries added from the synchronization server to the Control Center.
Replication status information
When LDAP data is replicated from the Control Center to one or more Scanners, status information is generated and displayed via the Status interface in Symantec Mail Security for SMTP.
To view replication status information
◆ In the Control Center, click Status > Scanner Replication.
The following information is displayed:
Status: Status can be any of the following:
■ Idle—Nothing is happening.
■ Started—A replication request has been issued.
■ Cancelled—Either the LDAP synchronization was cancelled manually via clicking Status...
If replication still stalls, restart the Control Center software and begin the entire cycle again with a full synchronization.
Configuring Control Center settings
The Symantec Mail Security for SMTP Control Center allows you to configure the following:
■ Control Center administration...
■ Configuring, enabling and scheduling Scanner replication
■ SMTP host
■ System locale
Control Center administration
You access the Control Center via a Web browser. By default anyone with the correct address and logon information has access from any host. You can choose to limit host access to the Control Center if you wish.
Delete the host control access items from the database.
    truncate settings_host_access_control
About specifying host names for Control Center access
When specifying host names for Control Center access, the Control Center allows clients to connect based on the Control Center’s own DNS perspective. If the client’s IP address resolves into a name that is allowed (a “reverse lookup”), then it’s a match and the client is allowed to access the Control Center.
Page 43
full synchronization cycle has completed. For information on setting up LDAP services, see “Configuring LDAP settings” on page 29. The replication attributes on the Control Center > Replication Settings page determine how replication operates in your installation. You can determine if replication is to take place, and how often it occurs.
■ Spam Quarantined messages
When the MTA for Symantec Mail Security for SMTP is used, messages that pass through it will be tracked by the message tracking log facilities in the product. In order for the Control Center to know where to send information, you must supply the SMTP host IP address and port.
Address masquerading is a method of concealing email addresses or domain names behind the mail gateway by assigning replacement values to them. Symantec Mail Security for SMTP lets you implement address masquerading on inbound mail, outbound mail, or both.
Manage masqueraded entries
Follow these steps to add or edit masqueraded entries.
Click Save.
To edit a masqueraded entry
In the Control Center, click Settings > Address Masquerading.
Click the masqueraded address or domain or check a box, and then click Edit.
In the Edit Masqueraded Entry page, modify the masqueraded entry as desired.
To import a list of masqueraded entries
In the Control Center, click Settings > Address Masquerading.
Click Import.
On the Import Masqueraded Entry page, enter or browse to the filename containing the list of masqueraded entries.
Click Import.
Page 48
■ Alias transformation does not occur for messages passing through Symantec Mail Security for SMTP’s MTA to the Internet. Alias transformation only applies to inbound or internal messages that pass through Symantec Mail Security for SMTP’s MTA.
■ The system’s inbound MTA checks email addresses in the SMTP envelope...
Commas or semi-colons are not valid delimiters. In the import file, each line must contain an alias address followed by one or more destination addresses. Following is a sample import file:
    oak@example.com quercus@symantec-internetsecurity.com
    ops@example.com tla@example.com bmi@example.com
    noadsorspam.com blocksads.com
To import aliases
In the Control Center, click Settings >...
Configuring local domains
On the Local Domains page, you can view, add, edit, and delete local domain names and email addresses for which inbound messages are accepted. You can also import lists of local domains formatted as described in this section.
Work with local domains
Use these procedures to manage local domains.
Note: If entries in the import file do not match the required file format, you can download a file containing the unprocessed entries.
Understanding spam settings
The following types of spam settings are available in Symantec Mail Security for SMTP:
■ Configuring suspected spam...
1 to 100 for each message, based on techniques such as pattern matching and heuristic analysis. If an email scores in the range of 90 to 100 after being filtered by Symantec Mail Security for SMTP, it is defined as spam.
You can also type a value in the box. Under Do you want to enable Language Identification, click Yes or No. Click Yes if users will use the Symantec Outlook Spam Plug-in for language identification. Built-in language identification is disabled, and can’t be accessed in the Edit Group page.
Click Save.
Configuring virus settings
The following types of virus settings are available in Symantec Mail Security for SMTP:
■ Configuring LiveUpdate
■ Excluding files from virus scanning
■ Configuring general settings
Configuring LiveUpdate
LiveUpdate is the process by which your system receives current virus definitions from Symantec Security Response.
To receive Rapid Response updates
Click Settings > Virus.
Click LiveUpdate.
Click Enable Rapid Response updates. Symantec Mail Security for SMTP checks every 10 minutes after this setting is saved.
Click Save.
Installing non-default definitions
Symantec Mail Security for SMTP employs the Intelligent Updater in order to update virus definitions.
By default, when an email message arrives addressed to your domain, but is not addressed to a valid user, Symantec Mail Security for SMTP passes the message to the internal mail server. The internal mail server may either accept the...
Configuring container settings
When Symantec Mail Security for SMTP processes certain zip files and other types of compressed files, these files can expand to the point where they deplete system memory. Such container files are often referred to as “zip bombs.”...
You can specify this size threshold and the maximum extraction level that Symantec Mail Security for SMTP will process in memory, as well as a time limit for scanning containers. If the configured limits are reached, Symantec Mail Security for SMTP will automatically perform the action designated for the “unscannable”...
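The three container limits described above (expanded size, extraction level, scan time), enforced on a zip attachment and mapped to an "unscannable" verdict. This is an added example, not the product's code; the limit values, function names and sample archives are constructed for illustration.

```python
import io
import time
import zipfile
import zlib

# Hypothetical limits for illustration; the product's defaults are not on this page.
MAX_DEPTH = 3                   # maximum container nesting (extraction) level
MAX_EXPANDED_BYTES = 1 << 20    # size threshold for any one expanded file (1 MiB)
MAX_SECONDS = 5.0               # time limit for scanning one container


class Unscannable(Exception):
    """A configured container limit was reached, or the container is malformed."""


def read_capped(zf, info, cap):
    """Expand one member, never producing more than `cap` bytes in memory."""
    # The declared size comes from the archive itself, so it is only a first
    # check; the read below is capped as well.
    if info.file_size > cap:
        raise Unscannable(f"{info.filename}: declared size {info.file_size} exceeds {cap}")
    with zf.open(info) as member:
        data = member.read(cap + 1)
    if len(data) > cap:
        raise Unscannable(f"{info.filename}: expanded past {cap} bytes")
    return data


def walk_container(data, depth=1, deadline=None):
    """Return the number of leaf files, or raise Unscannable when a limit is hit."""
    if deadline is None:
        deadline = time.monotonic() + MAX_SECONDS
    if depth > MAX_DEPTH:
        raise Unscannable(f"nesting depth {depth} exceeds limit {MAX_DEPTH}")
    leaves = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if time.monotonic() > deadline:
                    raise Unscannable("time limit reached")
                if info.is_dir():
                    continue
                payload = read_capped(zf, info, MAX_EXPANDED_BYTES)
                if zipfile.is_zipfile(io.BytesIO(payload)):
                    leaves += walk_container(payload, depth + 1, deadline)
                else:
                    leaves += 1  # a real scanner would pass payload to the AV engine
    except (zipfile.BadZipFile, zlib.error, RuntimeError) as exc:
        # Corrupt, encrypted or unsupported members cannot be inspected either.
        raise Unscannable(f"malformed container: {exc}") from exc
    return leaves


def verdict(data):
    """Map the walk result to the verdict the gateway would act on."""
    try:
        return ("scannable", f"{walk_container(data)} file(s) within limits")
    except Unscannable as reason:
        return ("unscannable", str(reason))


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels):
    """Constructed sample: one text file wrapped in `levels` zip layers."""
    data = make_zip({"note.txt": b"hello"})
    for i in range(levels - 1):
        data = make_zip({f"layer{i}.zip": data})
    return data


if __name__ == "__main__":
    print(verdict(make_zip({"a.txt": b"hi", "b.txt": b"there"})))
    print(verdict(nested_zip(MAX_DEPTH + 1)))
    print(verdict(make_zip({"zeros.bin": bytes(MAX_EXPANDED_BYTES + 1)})))
```

Checking the declared size before expanding, and capping the read as well, keeps memory use bounded even when the archive header understates a member's size.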
Page 59
maximizes the effect of content filtering, it can also impact the system load and slow down email filtering.
To check attachments that are not plain text against your dictionaries
Click Settings > Scanning.
In Content Filtering Settings, check Enable searching of non-plain text attachments for words in dictionaries.
Symantec Mail Security for SMTP provides a wide variety of actions for filtering email, and allows you to either set identical options for all users, or specify different actions for distinct user groups.
Page 62
Mass-mailing worm: Email is flagged because it contains a mass-mailing worm, based on current virus filters from Symantec.
Unscannable for viruses: Email is flagged because it exceeds the container limits configured on the Scanning Settings page, or because it is unscannable for other reasons, such as malformed MIME attachments.
Page 63
Table 4-1 Filtering verdicts by category (Continued)
Attachment type: Email is flagged because it contains a specific attachment type.
Attachment content: Email is flagged because specific text appears in a specific frequency in its attachments....
Page 64
The following table shows the filtering actions available for each verdict.
Note: See “Notes on filtering actions” on page 66 for additional limitations.
Table 4-2 Filtering actions by verdict
Columns: Action, Description, Verdict...
Page 65
Deliver message to the recipient’s Spam folder: Deliver the message to end-user Spam folder(s). Requires use of the Symantec Spam Folder Agent for Exchange or the Symantec Spam Folder Agent for Domino....
Table 4-2 Filtering actions by verdict (Continued)
Treat as a blocked sender: Process the message using the action(s) specified in the domain-based Blocked Senders List. Applies even if the domain-based Blocked Senders List is disabled, and applies to inbound messages only....
Defining a Group Policy, the administrator assigns members then selects the new virus policy. An email message is received whose recipients include someone in the new Group Policy. Symantec Mail Security for SMTP cleans the message, annotates it, then sends a notification to its intended recipients.
Page 68
The following table lists the limitations on combining actions.
Table 4-3 Compatibility of filtering actions by verdict
Columns: Action, Compatibility with other actions, Can be added multiple times?
Add a header: Any except Delete the message
Add annotation: Any except Delete the message. Can be added multiple times? One for header or one for...
Table 4-3 Compatibility of filtering actions by verdict (Continued)
Reject SMTP connection: Can’t be used with other actions
Remove invalid recipients: Any except Delete the message
Route the message: Any except Delete the message...
Security risks
Symantec Mail Security for SMTP can detect security risks. Security risks are programs that do any of the following:
■ Provide unauthorized access to computer systems
■ Compromise data integrity, privacy, confidentiality, or security...
Table 4-4 Security risk categories included in spyware or adware verdict
Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.
Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the...
Also, lists that you create have precedence over lists created by Symantec. However, third party DNS blacklists do not have priority over all Symantec lists. In the event of a conflict between Open Proxy Senders and an entry from a DNS blacklist, Open Proxy Senders will “win.”...
Page 73
Note: To edit a group member, such as to correct a typo, delete the member and add the member again. There is no edit button for group members.
To create a new Group Policy
In the Control Center, click Policies >...
Page 74
These examples are not valid, and won’t match any users:
    domain.*
    @domain.*
    dom*.com
    sub*.domain.com
■ Check the box next to one or more LDAP groups.
The LDAP groups listed on this page are loaded from your LDAP server. “Configuring LDAP settings”...
Assigning filter policies to a group
Note: The maximum number of entries in the Members list for a Group Policy is 10,000. If you require more than 10,000 entries, contact your Symantec representative for instructions on how to configure MySQL and Tomcat to support more entries.
Page 76
Table 4-5 Virus categories and default actions (Continued)
Spyware or adware: Prepend [SPYWARE OR ADWARE INFECTED] to Subject: header.
Suspicious attachments: Inbound message: Strip and hold message in Suspect Virus Quarantine....
■ Outbound suspicious attachment message policy
■ Outbound spyware/adware message policy
Optionally, click View next to any policy to view details of that policy.
Click Save.
Note: You cannot change virus policy details from the Edit Group page. See “Creating virus policies”...
Note: You cannot change spam policy details from the Edit Group page. See “Creating spam policies” on page 85 for information about creating or editing spam policies.
Selecting compliance policies for a group
By associating an appropriate compliance policy with a group, you can check messages for attachment types, keywords, or regular expressions.
The login and password for end users is the same as their LDAP login and password. For information about supported browsers, see the Symantec Mail Security for SMTP Installation Guide. Note: End users are limited to a total of 200 entries in their combined Allowed Senders and Blocked Senders Lists.
English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages. Note: If the Language tab in the Edit Group page is inaccessible, the Symantec Outlook Spam Plug-in has been enabled. To disable support for the Outlook Plug-in and enable support for built-in language identification, set Language Identification to No on the Spam Settings page.
If you chose the second or third option, check the box for each desired language. Click Save. Note: The language identification technology employed by Symantec Mail Security for SMTP to identify the language of a message is not foolproof. Note that messages identified to be in a disallowed language are deleted.
Add or delete members or change filtering actions for this Group Policy as you did when you created it. See “Add or remove members from a group” on page 72 for more information.
To enable a Group Policy
◆...
Table 4-6 Policy status page (Continued)
Number of Groups: Number of groups that this policy has been used in
Creating virus policies
Using the Virus Policies page, you can add, edit, copy, delete, and enable or disable virus policies.
Page 84
If a message contains a suspicious attachment: The message contains an attachment that, according to Symantec filters, may contain a virus or other threat.
If a message contains spyware or adware: The message contains spyware or adware.
Select the desired action....
deleted. You may want to change the default setting for unscannable messages if you are concerned about losing important messages. See Table 4-5, “Virus categories and default actions,” on page 75.
Creating spam policies
Using the Spam Policies page, you can add, edit, copy, delete, and enable or disable spam policies.
Select the desired action. Table 4-2, “Filtering actions by verdict,” on page 64. For some actions you need to specify additional information in fields that appear below the action.
Click Add Action.
Page 87
■ Sieve scripts cannot be imported, including those created in previous versions of Symantec or Brightmail software.
■ There is no limit to the number of conditions per compliance policy.
■ Conditions can’t be nested.
Page 88
Adding conditions to compliance policies
Refer to the following tables when creating your compliance policy. Table 4-7 describes the conditions available when creating a compliance policy.
Table 4-7 Compliance conditions
Columns: Condition, Test against, Examples...
Page 89
Table 4-7 Compliance conditions (Continued)
Condition: For all messages
Examples: (Not applicable)
Test against: All email not filtered by a higher precedence policy is flagged. For example, if a message matches a spam, virus, sender group, or higher precedence compliance policy, it won’t match the “For all messages”...
Page 90
Table 4-8 shows the additional fields available when you add a condition.
Table 4-8 Additional fields for adding conditions
Condition: Attachment content, Bcc: address, Body, Cc: address, ...
Information required: Choose one of three options:
■ Click the first radio button, choose contains or does...
Page 91
Table 4-9 Filter tests (Continued)
Ends with/does not end with: Equivalent to .*text$ wildcard test using matches exactly.
Matches exactly/does not match: Exact match for the supplied text (not available for the message body)....
Page 92
Note: Symantec Mail Security for SMTP uses two different types of analysis in scanning for messages that match your criteria. If you specify a condition using a regular expression, a regular expression analysis is performed. If you specify a condition using a keyword or dictionary, a text search is performed.
Click Enable or Disable.
Managing Email Firewall policies
Symantec Mail Security for SMTP can detect patterns in incoming messages to thwart certain types of spam and virus attacks. You can block and allow messages based on email addresses, domains, or IP address. Messages can be...
Symantec. Sender authentication provides a way to block forged email.
Configuring attack recognition
Symantec Mail Security for SMTP can detect the following types of attacks originating from a single SMTP server (IP address).
Directory harvest attacks: Spammers employ directory harvest attacks to find valid email addresses at the target site.
“Enabling and disabling end user settings” on page 79. Alternatively, you can deploy the Symantec Outlook Spam Plug-in. With the Symantec Outlook Spam Plug-in, users can easily create personal lists of blocked and allowed senders from within their Outlook mail client. The Plug-in imports information from the Outlook address book to populate the personal Allowed Senders List.
Page 96
Symantec Mail Security for SMTP lets you customize spam detection in the following ways:
■ Define Allowed Senders
Symantec Mail Security for SMTP treats mail coming from an address or connection in an Allowed Senders List as legitimate mail. As a result, you ensure that such mail is delivered immediately to the inbox, bypassing any other filtering.
Page 97
If your mail volume is sufficiently high, running incoming mail through a third party database could hamper performance because of the requisite DNS lookups. Symantec recommends that you use the Sender Reputation Service lists instead of enabling third party lists.
Page 98
Lists and Blocked Senders Lists.
■ Domain-based: specify sender addresses or domain names
Symantec Mail Security for SMTP checks the following characteristics of incoming mail against those in your lists:
■ MAIL FROM: address in the SMTP envelope. Specify a pattern that...
Page 99
■ IP-based: specify IP connections
Symantec Mail Security for SMTP checks the IP address of the mail server initiating the connection to verify if it is on your Allowed Senders Lists or Blocked Senders Lists. Wildcards are not supported. Although you can use network masks to indicate a range of addresses, you cannot use subnet masks that define non-contiguous sets of IP addresses (e.g.
Page 100
Click one of the Blocked Sender groups. Click Add. On the Add Sender Group Members page, supply the information appropriate for the current Blocked Sender group. “How Symantec Mail Security for SMTP identifies senders and connections” on page 98. Click Save.
Page 101
You may need to periodically disable and then re-enable senders from your list for troubleshooting or testing purposes or if your list is not up to date. Symantec Mail Security for SMTP will treat mail from a sender that you’ve disabled just as it would any other message.
Page 102
102 Configuring email filtering Managing Email Firewall policies Click one of the Blocked or Allowed Sender groups, depending on the list that you want to work with. A red x in the Enabled column indicates that the entry is currently disabled. A green check mark in the Enabled column indicates that the entry is currently enabled.
Page 103
■ After the header, each line contains exactly one attribute, along with a corresponding pattern.
■ Empty lines or white spaces are not allowed.
■ Lines beginning with # are ignored.
■ Entries terminating with the colon-dash pattern (:-) are disabled;...
Page 104
“Format of allowed and blocked sender file” on page 102. Symantec Mail Security for SMTP merges data from the imported list with the existing sender information. Click Save. Exporting sender information You can export to a single file all the information in your Allowed Senders Lists and Blocked Senders Lists.
Symantec Mail Security for SMTP checks the sending IP address against the published DNS record for the named mail server. If the DNS record includes a hard outbound email policy (one that requires compliance), and it does not match the sending IP address, the specified action is taken on the message.
106 Configuring email filtering Managing policy resources If you add Sender Authentication domains, it’s best to specify the highest level domain possible, such as example.com, because subdomains of the specified domain will also be tested for compliance. Warning: Authenticating all domains can lead to significant unnecessary processing load.
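An added example (not Symantec's implementation) of the decision described above, assuming the published DNS record is an SPF TXT record, which the excerpt does not name: only a hard policy (-all) that the sending IP fails triggers the configured action, and a configured domain also covers its subdomains. The record strings, the in-memory PUBLISHED table standing in for DNS, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (assumption: SPF syntax).
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",        # hard policy
    "news.example.com": "v=spf1 ip4:198.51.100.0/24 ~all",  # soft policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_record(record, sending_ip):
    """Evaluate the ip4/ip6 and all mechanisms of one record, left to right.

    Returns 'pass', 'fail' (hard), 'softfail', 'neutral' or 'none'.
    Mechanisms that need further DNS lookups are outside this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("mechanism not handled in this example: %r" % term)
    return "neutral"  # nothing matched and the record has no 'all'


def domain_in_scope(sender_domain, configured_domains):
    """A configured domain covers itself and every subdomain beneath it."""
    sender_domain = sender_domain.lower().rstrip(".")
    for configured in configured_domains:
        configured = configured.lower().rstrip(".")
        if sender_domain == configured or sender_domain.endswith("." + configured):
            return True
    return False


def sender_auth_action(mail_from, sending_ip, configured_domains, action,
                       published=PUBLISHED):
    """Return the configured action only for a hard-policy mismatch."""
    domain = mail_from.rpartition("@")[2].lower().rstrip(".")
    if not domain_in_scope(domain, configured_domains):
        return "deliver"  # domain is not being authenticated at all
    record = published.get(domain)
    if record is None:
        return "deliver"  # nothing published, nothing to enforce
    result = evaluate_record(record, sending_ip)
    return action if result == "fail" else "deliver"


if __name__ == "__main__":
    for sender, ip in [("a@example.com", "192.0.2.25"),
                       ("a@example.com", "203.0.113.9"),
                       ("a@news.example.com", "203.0.113.9")]:
        print(sender, ip, sender_auth_action(sender, ip, ["example.com"], "reject"))
```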
Page 107
Configuring email filtering Managing policy resources annotation may be a legal disclaimer or text necessary to comply with government or corporate policy, such as “All email sent to or from this email system may be retained and/or monitored.” How plain text and HTML text is added to messages When specifying an annotation, a plain text version is required, and an HTML version is optional.
Page 108
108 Configuring email filtering Managing policy resources notification. See “Adding and editing notifications” on page 114 for instructions. When you specify the action to add an annotation in a policy, you can choose ■ to prepend the annotation to the beginning of the message body, or append the annotation to the end of the message body.
X-archive: messages followed by your text. The X-archive: header may be useful to sort archived messages when viewing them with an email client. However, Symantec Mail Security for SMTP itself does not use the header. If multiple X-archive:...
policies result in archiving the same message, each unique X-archive: header is added to the message. For example, the following archive tag:
Docket 53745
adds the following header to the message when it is archived:
X-archive: Docket 53745
To specify an archive tag When configuring a virus, spam, or compliance policy, click the Archive the...
Page 111
Configuring email filtering Managing policy resources Add Attachment List page. For the last three choices, all characters are interpreted literally; wildcards are not allowed. Table 4-15 Attachment characteristics for attachment lists Characteristic Description Examples True file type Specifies an attachment type based on direct Microsoft Word for Windows inspection of the type of file.
A dictionary is a list of words, phrases, or both that messages are checked against when you choose the Any part of the message condition in a compliance policy. Symantec Mail Security for SMTP evaluates matches to a dictionary using substring text analysis, not regular expression analysis.
Page 113
When adding words to a dictionary, keep in mind that some words can be ■ considered both profane and legitimate, depending on the context. Symantec Mail Security does not search for dictionary matches in the HTML ■ headers or tags of HTML messages or HTML attachments.
114 Configuring email filtering Managing policy resources Click Save. Editing a dictionary Edit an existing dictionary to add or delete keywords. To edit a dictionary In the Control Center, click Policies > Dictionaries. Click the dictionary that you want to edit. Add or delete keywords as desired.
Page 115
Under Send to, check one or more of the following:
Sender: Check this box to send the notification to the sender listed in the message envelope (not the sender listed in the From: header).
Recipients: Check this box to send the notification to the recipients listed in the message envelope (not the recipients listed in the To: header).
Spam Quarantine provides storage of spam messages and Web-based end-user access to spam. Use of Spam Quarantine is optional. Quarantined messages and associated databases are stored on the Control Center. Symantec recommends Spam Quarantine for user populations of 30,000 users or less.
118 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators Note: To understand how Spam Quarantine handles messages sent to distribution lists or aliases, see “Notification for distribution lists/aliases” on page 130. Working with messages in Spam Quarantine for administrators This section describes how Spam Quarantine works for administrators.
Page 119
This also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator email address (such as yourself), Symantec, or both. This allows the email administrator or Symantec to monitor the effectiveness of Symantec Mail Security for SMTP.
Page 120
120 Working with Spam Quarantine Working with messages in Spam Quarantine for administrators To search messages Click Show Filters to search messages for a specific recipient, sender, ◆ subject, message ID, or date range. “Searching messages” on page 123. To navigate through messages Click one of the following buttons to navigate through message list pages: ◆...
Working with Spam Quarantine Working with messages in Spam Quarantine for administrators Differences between the administrator and user message list pages The pages displayed for administrators and other users on your network have the following differences. Users can only view and delete their own quarantined messages. Quarantine ■...
Page 122
This also removes the message from Spam Quarantine. Depending on how you configured Spam Quarantine, a copy of the message may also be sent to an administrator email address (such as yourself), Symantec, or both. This allows the email administrator or Symantec to monitor the effectiveness of Symantec Mail Security for SMTP.
Working with Spam Quarantine Working with messages in Spam Quarantine for administrators To display full headers To display all headers available to Spam Quarantine, click Display Full ◆ Headers. The full headers may provide clues about the origin of a message, but keep in mind that spammers usually forge some of the message headers.
Page 124
To search message envelope “To” recipient
◆ Type in the To box to search the message envelope RCPT TO: recipient in all messages for the text you typed. You can search for a display name, the user name portion of an email address, or any part of a display name or email user name.
Page 125
Working with Spam Quarantine Working with messages in Spam Quarantine for administrators To search using time range Choose a time range from the Time Range list to show all messages from ◆ that time range. Search details The search function is optimized for searching a large number of messages. However, this can lead to unexpected search results.
126 Working with Spam Quarantine Configuring Spam Quarantine The amount of time required for the search is dependent on how many ■ search boxes you filled in and the number of messages in the current mailbox. Searching in the administrator mailbox will take longer than searching in a user’s mailbox.
Working with Spam Quarantine Configuring Spam Quarantine Under Policy name, type Spam Quarantine or a descriptive name of your choice. Under Apply to, click Inbound messages. Under Groups, check the box next to the groups that should have their email quarantined.
By default, when users click on the Need help logging in? link on the Control Center login page, online help from Symantec is displayed in a new window. You can customize the login help by specifying a custom login help page. This change only affects the login help page, not the rest of the online help.
If users or administrators find false positive messages in Spam Quarantine, they can click Release. Clicking Release redelivers the selected messages to the user’s normal inbox. You can also send a copy to a local administrator, Symantec, or both. Note: If you are quarantining messages flagged by content compliance filters, you should copy a local administrator who can review the misidentified messages and make appropriate changes to the content compliance filters.
When Symantec Mail Security for SMTP forwards a spam message sent to a distribution list to Spam Quarantine, the message is not delivered in the intended recipients’...
Page 131
Working with Spam Quarantine Configuring Spam Quarantine If the Include View link box is selected, recipients of the notification digest can view all the quarantined distribution list messages. If the Include Release link box is selected, recipients of the notification digest can release quarantined distribution list messages.
Page 132
132 Working with Spam Quarantine Configuring Spam Quarantine Changing the notification digest templates The notification digest templates determine the appearance of notification messages sent to users as well as the message subject and send from address. The default notification templates are similar to the text listed below. The distribution list notification template lacks the information about logging in.
Page 133
Working with Spam Quarantine Configuring Spam Quarantine Table 5-1 Notification Message Variables Variable Description %USER_NAME% User name of user receiving the notification message. To edit the notification templates, digest subject, and send from address In the Control Center, click Settings > Quarantine. If needed, click on the Spam tab.
Page 134
134 Working with Spam Quarantine Configuring Spam Quarantine To enable notification for distribution lists In the Control Center, click Settings > Quarantine. If needed, click on the Spam tab. Under Notification Settings, click Notify distribution lists. Click Save on the Quarantine Settings page. Selecting the notification digest format The notification digest template determines the MIME encoding of the notification message sent to users as well as whether View and Release links...
released from Spam Quarantine and sent to the user’s normal inbox. This check box is only available if you choose Multipart (HTML and text) or HTML only notification format. If you remove the %NEW_QUARANTINE_MESSAGES% variable from the notification digest template, the new message summary, including the Release links, won’t be...
136 Working with Spam Quarantine Configuring Spam Quarantine Choose the desired setting from the Quarantine Expunger frequency drop- down list. Choose the desired setting from the Quarantine Expunger start time drop- down lists. Click Save. Specifying Spam Quarantine message and size thresholds To limit the number of messages in Spam Quarantine or size of Spam Quarantine, configure Spam Quarantine threshold settings.
Working with Spam Quarantine Configuring Spam Quarantine Click Save. Note: No alert or notification occurs if Spam Quarantine thresholds are exceeded. However, you can be alerted when disk space is low, which may be caused by a large number of messages in the Spam Quarantine database. For more information about alerts, see “Configuring alerts and logs”...
Page 138
from the Scanner to Spam Quarantine are larger than the standard packet size used by MySQL (1 MB).
com.mysql.jdbc.PacketTooBigException: Packet for query is too large (3595207 > 1048576)
    at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1554)
    at com.mysql.jdbc.MysqlIO.send(MysqlIO.java:1540)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1005)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1109)
    at com.mysql.jdbc.Connection.execSQL(Connection.java:2030)
Page 139
Undeliverable quarantined messages go to Spam Quarantine postmaster If Spam Quarantine can’t determine the proper recipient for a message received by Symantec Mail Security for SMTP, it delivers the message to a postmaster mailbox accessible from Spam Quarantine unless you have specified Delete message sent to unresolved email addresses in Settings >...
Page 140
In the left pane, click Active Directory Schema to select it. Click Action > Operations Master. Check the check box for The Schema may be modified on this Domain Controller. If replication to the Global Catalog cannot be modified as described above, contact your Symantec representative for a work-around.
Page 141
Working with Spam Quarantine Configuring Spam Quarantine Duplicate messages appear in Spam Quarantine You may notice multiple copies of the same message when logged into Spam Quarantine as an administrator. When you read one of the messages, all of them are marked as read.
Chapter Working with Suspect Virus Quarantine This chapter includes the following topics: About Suspect Virus Quarantine ■ Accessing Suspect Virus Quarantine ■ Configuring Suspect Virus Quarantine ■ About Suspect Virus Quarantine The Suspect Virus Quarantine provides short-term storage of messages that are suspected to contain viruses.
144 Working with Suspect Virus Quarantine Accessing Suspect Virus Quarantine administrators with full privileges or Manage Quarantine rights (View or Modify) can make all Quarantine setting changes. Users with only 'view' rights for manage quarantine will see the 'Settings' tab, but cannot make changes to those settings, and they cannot release or delete messages.
Page 145
Working with Suspect Virus Quarantine Accessing Suspect Virus Quarantine To redeliver misidentified messages Click on the check box to the left of a misidentified message and then click ◆ Release to redeliver the message to the intended recipient. This also removes the message from Suspect Virus Quarantine. Note: Releasing messages requires access to the IP address of the Control Center.
146 Working with Suspect Virus Quarantine Accessing Suspect Virus Quarantine Go to next page of messages Choose up to 500 pages before or after the current page of messages To set the entries per page On the Entries per page drop-down list, click a number. ◆...
Page 147
To search message envelope “To” recipient
◆ Type in the To box to search the message envelope RCPT TO: recipient in all messages for the text you typed. You can search for a display name, the user name portion of an email address, or any part of a display name or email user name.
148 Working with Suspect Virus Quarantine Configuring Suspect Virus Quarantine containing emerson, Emerson, and eMERSOn would all be displayed in the search results. The amount of time required for the search is dependent on how many ■ search boxes you filled in and the number of messages in the current mailbox.
Page 149
Working with Suspect Virus Quarantine Configuring Suspect Virus Quarantine To configure the size for your Suspect Virus Quarantine Click Settings > Quarantine. Specify your desired values for the options provided in Maximum size of suspect virus quarantine. The default is 10 GB.
Verifying filtering to the Spam Quarantine ■ The following are sample tests by which you can verify that Symantec Mail Security for SMTP is filtering your email as intended. Use these tests as models for additional tests that you can perform periodically.
152 Testing Symantec Mail Security for SMTP Testing antivirus filtering To test spam filtering with subject line modification Create a POP3 account on your MDA. For the SMTP Server setting on this account, specify the IP address of an enabled Scanner.
Verifying filtering to the Spam Quarantine If you configure Symantec Mail Security for SMTP to forward spam messages to Spam Quarantine as described below, you should see spam messages when you enter the Spam Quarantine. There can be a slight delay until the first spam message arrives, depending on the amount of spam received at your organization.
Page 154
154 Testing Symantec Mail Security for SMTP Verifying filtering to the Spam Quarantine http://www.example.com/url-1.blocked/ Send the message. Send a message to the same account that is not spam and that does not contain any viruses. In the Control Center, click the Spam Quarantine tab and click Search.
■ Configuring logs ■ Configuring alerts Alerts are email notifications sent automatically by Symantec Mail Security for SMTP to inform system administrators of conditions potentially requiring attention. You can choose the types of alerts sent, the From: header shown in alerts, and which administrators receive them.
Page 156
Alert settings (Continued) Alert setting Explanation New virus rules are An alert is sent because new virus rules are available for download from Symantec available Security Response. New virus rules are updated daily, Rapid Response rules are updated hourly. A message queue is larger...
Configuring alerts and logs Viewing logs Configure alerts Follow these procedures to configure alerts. To specify which administrators receive alerts In the Control Center, click Administration. In the Administrators list, click the name of an administrator. Under Administrator, check or uncheck Receive alert notifications. Click Save.
Page 158
158 Configuring alerts and logs Viewing logs Table 8-2 View Logs page (Continued) Item Description Time range (drop-down) Select a time range from the list or create a custom time range. If you have recently changed time zones on the Control Center, this change is not reflected immediately, but requires you to stop and restart Tomcat or to reboot the system.
Display, wait a few minutes then click Display again. Configuring logs You can configure log settings for Symantec Mail Security for SMTP components on each Scanner in your system. The severity of errors you want written to the log files can be chosen for the following components: Conduit ■...
Page 160
160 Configuring alerts and logs Configuring logs Table 8-3 Log Settings page – Local Log Type (Continued) Item Description Mail Transfer Agent Set the logging level for the Mail Transfer Agent. Apply to All Hosts Apply these log settings to all hosts in your system. Maximum log size If desired, set the maximum size for logs.
Page 161
Configuring alerts and logs Configuring logs For more information, see “Message tracking” on page 184. Warning: Because logging data for each message can impair system performance, you should use this feature judiciously. To configure log settings for remote hosts In the Control Center, click Settings > Logs. Click the Remote tab.
■ Scheduling reports to be emailed ■ About reports Symantec Mail Security for SMTP reporting capabilities provide you with information about filtering activity at your site, including the following features: Analyze consolidated filtering performance for all Scanners and investigate ■...
The third column lists the reporting data that you must instruct Symantec Mail Security for SMTP to track before you can generate the specified report. You can choose from a selection of reports, all of which can be customized to include specific date ranges, time period grouping per row, and email delivery.
Page 165
Working with reports Choosing a report Table 9-1 Available Message reports (Continued) Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Top Sender Domains from which the most messages have been processed. For each Sender domains Domains domain, the total processed and number of virus and spam messages are listed.
Page 166
166 Working with reports Choosing a report Table 9-2 Available Virus reports Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Overview A summary of total messages that matched for each virus type. For each None grouping, the virus to total processed percentage, total processed, and number of virus, suspected virus, worm, unscannable, scan error, malware (spyware/adware), encrypted attachment, and malformed MIME messages are listed.
Page 167
Working with reports Choosing a report Table 9-2 Available Virus reports (Continued) Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Top Recipients Email addresses for which the most virus messages have been detected. For Recipients, each email address, the virus to total processed percentage, total Recipient domains processed, and number of virus, worm, and unscannable messages are listed.
Page 168
168 Working with reports Choosing a report Table 9-3 Available Spam reports (Continued) Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Top Sender SMTP HELO domain names from which the most spam messages have Sender HELO HELO Domains been detected.
Page 169
Working with reports Choosing a report Table 9-4 Available Content Compliance reports (Continued) Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Top Sender Domains from which the most compliance matches have been detected. For Sender domains Domains each domain, the total messages processed and number and percentage of content compliance policies triggered are listed.
Page 170
170 Working with reports Choosing a report Table 9-5 Available Attack reports Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Overview Total messages processed and number and percentage of directory harvest, None spam, and virus attacks versus messages processed. Top Directory IP addresses from which the most directory harvest attacks have been Sender IP...
Page 171
Working with reports Choosing a report Table 9-6 Available Sender Authentication reports (Continued) Report Type: Displays... Required Report Data Storage Options (Reports Settings Page) Top Succeeded Email addresses from which the most successful sender authentication Senders Senders attempts have been detected. For each email address, the total messages processed and number and percentage of successful sender authentication attempts versus authentication attempts are listed.
20 items. Selecting report data to track By default, Symantec Mail Security for SMTP tracks data for several basic reports. Before you can generate other reports, you must configure Symantec Mail Security for SMTP to track and store data appropriate for the report. For...
Setting the retention period for report data Setting the retention period for report data You can specify the number of days or weeks that Symantec Mail Security for SMTP should keep track of report data. Depending on your organization’s size and message volume, the disk storage requirements for reports data could be quite large.
174 Working with reports Saving and editing Favorite Reports To specify a different time period, click Customize, and then click in ■ the Start Date and End Date fields and use the popup calendar to graphically select a time range. You must have JavaScript enabled in your browser to use the calendar.
■ For example, perhaps you specified a recipient address that received no mail during the specified period, for a Specific Recipients report. Symantec Mail Security for SMTP is configured to keep data for that report ■ type. “Selecting report data to track”...
Internet address. Reports presented in local time of Control Center Symantec Mail Security for SMTP stores statistics in the stats directory on the individual hosts that run Scanners. The date and hour for each set of these statistics are recorded in Greenwich Mean Time (GMT).
Working with reports Printing, saving, and emailing reports processed count increases by 1, not 12. If a policy for any of the recipients determines that this message is spam, it will also increase the spam count by 1 for that day. The spam count will be 1 no matter how many of the recipients have policies that determine the message is spam.
Schedule, Edit, or Delete Reports Follow these steps to schedule, edit, or delete reports. To schedule a report Ensure that you have configured Symantec Mail Security for SMTP to track the appropriate data for the report. See “Selecting report data to track”...
Page 179
Working with reports Scheduling reports to be emailed In the Control Center, click Reports > Scheduled Reports. Click Add. In the Report Name box, type a name for the report. Using the procedure under “Running reports” on page 173 as a guide, select the desired report and report settings.
Page 180
180 Working with reports Scheduling reports to be emailed Click Save. To delete a scheduled report In the Control Center, click Reports > Scheduled Reports. Check the box next to the scheduled report that you want to delete, and then click Delete.
■ Getting status information Symantec Mail Security for SMTP provides a comprehensive means of checking and displaying system, host and message status. Status information is combined with options for changing what is displayed as well as with actions you can take based on the information shown.
Last 30 Days graph. Message status The following sections provide information about messages that have been processed and assigned a verdict by Symantec Mail Security for SMTP: Message details ■...
Page 183
Administering the system Getting status information Suspected Spam ■ Content Compliance ■ Columns list the numbers of messages for each of the following time periods: Past Hour ■ Past Day ■ Past Week ■ Past Month ■ Uptime: the period since the software was last started ■...
Page 184
Message Tracking logs page enables you to specify either one or two criteria and related supplementary information as follows: Host—One or more Scanners running Symantec Mail Security for SMTP. In ■ order to find all details about a message, search on all attached Scanners.
Page 185
■ software initiating the sending of the message and included as a message header. Because the Message ID is not generated by Symantec Mail Security for SMTP the uniqueness of the ID cannot be guaranteed. At times, distributors of spam have used this header to mask the identity of a message originator.
186 Administering the system Getting status information View or search the message audit log Follow these procedures to view or search the message audit log. To view message tracking information In the Control Center, click Status > Message Tracking. ◆ To search information in the message audit log In the Control Center, click Status >...
Administering the system Getting status information To enable or disable the Conduit, Live Update, Filter Engine or MTA Select a host and click the Status link which reports either Running or ◆ Stopped depending on the status of the service being selected. This will take you to the Services page in Editing Scanners.
188 Administering the system Managing Scanners Log details You can examine performance logs for Scanners and the Control Center. Log data is based on time range, log type, and error severity. See “Viewing logs” on page 157. Scanner replication Status information is available to show you your most recent replication activity.
Administering the system Managing Scanners Editing Scanners Once you set up a Scanner, you can go back and edit the configuration. For example, you can suspend the flow of mail or enable different components and services. Edit a scanner Follow either of these procedures to edit a scanner. To edit a Scanner In the Control Center, click Settings >...
Disable or enable a Scanner Follow these procedures to disable or enable a Scanner. To disable a Scanner In the Control Center, click Settings > Hosts. A red x in the Enabled column indicates that the Scanner is disabled. A green check mark in the Enabled column indicates that the Scanner is enabled.
Administering the system Administering the system through the Control Center To delete a Scanner In the Control Center, click Settings > Hosts. Check the box next to the scanner you want to delete. Click Delete. Administering the system through the Control Center The following administrative tasks can be performed through the Control Center:...
The following sections describe common Control Center administrative tasks. Starting and stopping the Control Center The Control Center is configured to start when Symantec Mail Security for SMTP is turned on and to stop when it is shut down. However, there may be times when you need to manually stop and later start the Control Center, such as to investigate a problem.
194 Administering the system Administering the Control Center Checking the Control Center error log Periodically, you should check the Control Center error log. All errors related to the Control Center are written to the BrightmailLog.log file. Follow the procedure at the end of this section to view it. Each problem results in a number of lines in the error log.
BrightmailLog.log described below. To increase the detail of logging messages saved into BrightmailLog.log Open the following file in a text editor such as WordPad or vi: On Solaris or Linux: /opt/Symantec/SMSSMTP/tomcat/webapps/brightmail/WEB-INF/ classes/log4j.properties On Windows: C:\Program \ WEB-INF\classes\log4j.properties Find the following line: #log4j.rootLogger=WARN, file...
Starting and stopping UNIX and Windows services Although you should perform routine administration using the Control Center, you may occasionally need to start and stop Symantec Mail Security for SMTP services outside of the Control Center. For example, the Control Center itself can’t be stopped using the Control Center.
Page 197
Administering the system Starting and stopping UNIX and Windows services Table 10-1 Windows services Service display Service short name Process in Task Description name Manager SMS IPlanet SMSIPLANETCNASVC iPlanet_CNA.exe Tracks changes in Notification iPlanet/Sun ONE for Agent SyncService SMS Live BMIJLUSVC jlu-controller.exe Downloads updated virus...
For example: /etc/init.d/bcc stop Periodic system maintenance System maintenance of the Symantec software should be done as part of your regular server maintenance schedule, including the tasks below. Backing up logs data In general, there is no reason to store stale logs. For troubleshooting purposes,...
MySQL. Or you can backup each database separately. If you have a large number of messages in Spam Quarantine, backing up may take some time. Backups can be done while the Symantec software is running. MySQL must be running when you perform backups. For complete instructions on performing backups of MySQL data, see MySQL documentation.
Maintaining adequate disk space
Use standard file system monitoring tools to verify that you have adequate disk space. Remember that the storage required by certain Symantec Mail Security for SMTP features, such as extended reporting data and Spam Quarantine, can...
About email filtering and message handling options ■ All users will find significant new features in this release of Symantec Mail Security for SMTP. You will also find familiar features, in many cases improved and expanded. In some cases the names of features are the same; in some cases the names have changed, and the changes are noted in this appendix.
New features for all users
Table A-1 lists features that are new for both Symantec Mail Security for SMTP users and Symantec Brightmail Antispam users.
Table A-1 New features for Symantec Mail Security for SMTP and Symantec Brightmail Antispam...
Changes for Symantec Mail Security for SMTP users
For users of Symantec Mail Security for SMTP 4.1, Version 5.0 provides a host of expanded and improved capabilities. In addition to the new features listed in Table A-1, additional new features for Symantec Mail Security for SMTP users...
Settings > Virus > Exclude Scanning tab Routing Settings > Hosts > Edit > SMTP tab Discontinued features The following Symantec Mail Security for SMTP 4.1 features are not included in Symantec Mail Security for SMTP 5.0: Auto-generated whitelist ■...
Changes for Symantec Brightmail Antispam users
Although the product name has changed, if you were a Symantec Brightmail Antispam user you will find the user interface for Symantec Mail Security for SMTP 5.0 quite familiar. Most features are named similarly, and the organization of the user interface is quite similar.
About email filtering and message handling options
In Symantec Mail Security for SMTP 5.0, there are five types of choices you can make about filtering options. These choices provide much greater flexibility,...
Page 207
Sender Groups: Manage three types of Allowed Sender Lists, specify ■ actions for three types of Blocked Senders Lists, and enable or disable three Symantec-managed Reputation Service lists. Policy Resources: Create sets of data that enable further customization of ■...
Page 208
208 Feature Cross-Reference About email filtering and message handling options...
■ About foldering and the plug-in This chapter tells you how to install and configure the Symantec Outlook Spam Plug-in and spam foldering agents for Microsoft Exchange and Lotus Domino users. The Symantec Outlook Spam Plug-in is an alternative to the personal Allowed Senders and Blocked Senders Lists and language preferences offered by the Control Center.
Installing the Symantec Outlook Spam Plug-in
The Symantec Outlook Spam Plug-in makes it easy for Outlook users to submit missed spam and false positives to Symantec. Depending on how you configure the plug-in, user submissions can also be automatically sent to a local system administrator.
Page 211
After performing a simple installation process, users will have a new toolbar in their Outlook window:
This is Spam
Users click this button to submit the message to Symantec Security Response and move it from their Inbox to their Spam folder...
NT, Windows 2000, Windows XP, and Windows 2003. Note: If you are using Symantec Spam Folder Agent for Exchange, the plug-in retrieves the name of the spam folder from the Symantec Spam Folder Agent for Exchange Inbox Rule. Absent the Symantec Spam Folder Agent for Exchange, the plug-in retrieves the value from the Windows registry.
Page 213
(optional) Open the setup.ini file for editing. This file contains the initial settings for launching the Symantec Outlook Spam Plug-in installation package. All the settings you need to use can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file.
Page 214
214 Spam foldering and the Symantec Outlook Spam Plug-in Installing the Symantec Outlook Spam Plug-in
Table B-1 Symantec Outlook Spam Plug-in setup variables (Continued)
Variable Name | Description
ALLOWED_CONTACTS | If set to 1 (the default) or any non-zero value, treat all entries of the Outlook Contacts folder as members of the Allowed Senders List.
Page 215
Table B-1 Symantec Outlook Spam Plug-in setup variables (Continued)
Variable Name | Description
DISPLAY_ARE_YOU_SURE_MSGS | Specifies whether the confirmation dialog is displayed after a message is submitted. If this variable is set to 1 (the default value) the confirmation message will be displayed.
Page 216
Table B-1 Symantec Outlook Spam Plug-in setup variables (Continued)
Variable Name | Description
MODIFY_OPTIONS | If set to 1 (the default) or any non-zero value, allow users to view/edit the Submissions and Preferences tabs.
Follow these steps to configure the Symantec Spam Folder Agent for Exchange. Note: Symantec Mail Security for SMTP does not support native spam foldering for Exchange 2003. As an alternative, you can deploy the Symantec Spam Folder Agent for Exchange on Exchange 2003 systems.
When all worker threads have completed, the maintenance flag will be marked as completed. When the time has passed the maintenance end hour, the maintenance flag is reset. If the Symantec Spam Folder Agent for Exchange is restarted during the maintenance window, it will rerun maintenance immediately.
Page 219
Configuring automatic spam foldering
After reading the license agreement, click I accept the terms of the license agreement, and then click Next. The Preparing to Install panel is displayed. Complete all prerequisite steps if you haven’t already done so.
Page 220
Domino distributes changes to all other mail servers in your environment as part of the Design task, which runs overnight. The Symantec Spam Folder Agent for Domino will not be visible on each user’s mail file until the following conditions occur: Replication distributes the change to the template on the user’s home mail...
Enabling automatic spam foldering
Uninstalling the Symantec Spam Folder Agent for Domino
Use the following procedure to uninstall the Symantec Spam Folder Agent for Domino.
To uninstall the Symantec Spam Folder Agent for Domino
Click Domino Agent in the Installer screen.
Enabling language identification
Symantec Mail Security for SMTP must be configured to work with the client-side language processing offered by the Symantec Outlook Spam Plug-in. “Enabling and disabling end user settings”...
Interpreting events in the Information Manager ■ About Symantec Security Information Manager In addition to using the Symantec Mail Security for SMTP logging features, you can also log events to the Symantec Security Information Manager appliance for event management and correlation. Symantec Security Information Manager...
For more information about interpreting events in the Information Manager and on the event management capabilities of the Information Manager, see the Symantec Security Information Manager documentation. Symantec Mail Security for SMTP can send the following types of events to the Information Manager: Firewall events ■...
Configuring data sources
You must configure the following data sources on the Information Manager to receive events from Symantec Mail Security for SMTP. You can add a new sensor for each data source. Once you have configured these sources, you must distribute the configuration to the Collector for it to take effect.
Dynamic Filename & Monitor in Real Time
Firewall events that are sent to the Information Manager
Table C-4 lists the firewall events that Symantec Mail Security for SMTP can send to the Information Manager.
Table C-4 Firewall events that are sent to the Information Manager...
Permit definition update
Message events that are sent to the Information Manager
Table C-6 lists the message events that Symantec Mail Security for SMTP can send to the Information Manager.
Table C-6 Message events that are sent to the Information Manager...
228 Integrating Symantec Mail Security with Symantec Security Information Manager Interpreting events in the Information Manager
Administration events that are sent to the Information Manager
Table C-7 lists the administration events that Symantec Mail Security for SMTP can send to the Information Manager.
Page 229
Table C-7 Administration events that are sent to the Information Manager
Event ID Severity Rule Description Event class (SES_EVENT_<Unique ID>) (Reason sent) SES_EVENT_CONFIGURATION_CHANGE Informational symc_config_update...
Modifying notification files
The notification files are located at:
Windows: C:\Program Files\Symantec\SMSSMTP\scanner\etc\
UNIX: /opt/Symantec/SMSSMTP/scanner/etc/
The notification file used by Symantec Mail Security for SMTP depends on your locale:
Notification.en_US.UTF-8.xml: US English
Notification.ja_JP.UTF-8.xml: Japanese
Notification.xml: Default for locales that aren’t US English or Japanese...
ISO 8859 http://www.czyborra.com/charsets/iso8859.html.
Note: The Notification.xml file also contains a content-transfer-encoding element. However, it is not used. Symantec Mail Security for SMTP chooses the encoding method (quoted-printable or base64) that results in the shortest message.
Editing messages in the notification file
The notification messages can be edited.
Notification file contents
This section shows the full contents of the Notification.en_US.UTF-8.xml file, which contains text for notifications issued by Symantec Mail Security for SMTP as it sidelines and processes messages. The other notification files are similar. You can modify certain text in <advisory> elements as described in the...
Page 234
<advisory name="cant_scan_oless_corrupted_sentence"> The Microsoft document <t name="file_name"/> was not scanned because it is corrupted (Symantec decomposer reports <t name="error"/>). If you are able to open it, use caution when doing so as it may contain embedded files with viruses.</advisory>...
Page 235
</BODY>
</HTML>
]]>
</advisory>
<advisory name="sender_text">
The message you sent has been processed by Symantec AntiVirus.
<t name="file_actions"/>
You may want to install or update antivirus software on your computer.
For more information on antivirus tips and technology, visit
http://www.symantec.com
Headers of infected message:
<t name="message_headers"/>...
Page 236
236 Editing antivirus notification messages Notification file contents
</advisory>
<advisory name="sender_html">
<![CDATA[
<HTML>
<BODY>
<P>
The message you sent has been processed by Symantec AntiVirus.<BR>
<BR>
<PRE>
]]>
<t name="file_actions"/>
<![CDATA[
</PRE>
<BR>You may want to install or update antivirus software on your computer.<br>...
A component of Symantec Mail Security for SMTP that facilitates communicating configuration information between the Control Center and each Scanner.
Allowed Senders List
In Symantec Mail Security for SMTP, a list of senders whose messages are omitted from most types of filtering (but not from virus filtering).
annotation
A phrase or paragraph placed at the beginning or end of the body of an email message.
Page 238
Blocked Senders List. You can configure how messages from blocked senders are handled.
Blocked Senders List
A list used by Symantec Mail Security for SMTP in filtering email. Email from senders on a Blocked Senders List is processed according to your configuration choices.
Page 239
A list of words and phrases against which email messages can be checked for non-compliant content. Symantec Mail Security for SMTP allows you to create Content Compliance filters that screen email against a specific dictionary. You can use the provided dictionaries, add terms to the provided dictionaries, or add additional dictionaries.
Page 240
In Symantec Mail Security for SMTP, a set of actions that apply to a category of messages. The actions specified in a filter policy are only applied to users who are members of a Group Policy that includes the filter policy. There are three types of filter policies: spam, virus, and content compliance policies.
Page 241
(for example, 123.45.6.24).
language identification
In Symantec Mail Security for SMTP, a feature that allows you to block or allow messages written in a specified language. For example, you can choose to only allow English and Spanish messages, or block messages in English and Spanish and allow messages in all other languages.
Page 242
See also LAN (local area network).
notification
1. In Symantec Mail Security for SMTP, a separate email that can be automatically sent to the sender, recipients, or other email addresses when a specified condition is met. For example, if you have a policy that strips .exe attachments from incoming messages, you...
Page 243
Part of the Sender Reputation Service, Open Proxy Senders is a sender group in Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.
Page 244
SMTP response code to tell the sending MTA that the message is not accepted.
release
In Symantec Mail Security for SMTP, an action that end users or administrators can take on messages in the Spam Quarantine database. Releasing removes the message from the Spam Quarantine database and returns the message to the end user’s inbox.
Page 245
Safe Senders
A list of IP addresses from which no outgoing email is spam, provided by Symantec based on data from the Probe Network. Part of the Sender Reputation Service, Safe Senders is a sender group in Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.
Page 246
A collection of one or more computers hosting Symantec Mail Security for SMTP, in which exactly one computer hosts a Control Center, and one or more computers host Scanners. If the site consists of one computer, that computer will include the Control Center and a Scanner.
Page 247
A list of IP addresses from which virtually all of the outgoing email is spam, identified by Symantec based on data from the Probe Network. Part of the Sender Reputation Service, Suspected Spammers is a sender group within Symantec Mail Security for SMTP. You can specify actions to take on messages from each sender group.
Page 248
The Symantec Spam Folder Agent for Domino also allows users to submit missed spam and false positives to Symantec.
Page 249
In Symantec Mail Security for SMTP, a message can be unscannable for viruses for a variety of reasons. For example, if it exceeds the maximum file size or maximum scan depth configured on the Scanning Settings page, or if it contains malformed MIME attachments, it may be unscannable.
Page 250
A series of virus-infected emails from a specific domain. Symantec Mail Security for SMTP allows you to choose an action to perform on these messages; by default messages received from violating senders are deferred.