ESET MAIL SECURITY
Linux, BSD and Solaris
(intended for product version 4.0 and higher)

Copyright 2013 by ESET, spol. s r. o. ESET Mail Security was developed by ESET, spol. s r. o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author. ESET, spol. s r. o. reserves the right to change any of the described application software without prior notice.
Worldwide Customer Support: www.eset.com/support
REV. 7/2/2013

Contents
1. Introduction
1.1 Main functionality
1.2 Key features of the system
2. Terminology and abbreviations
3. System requirements
4. Installation
5. Architecture Overview
6. Integration with Email Messaging System
6.1 Bi-directional email message scanning in MTA
6.2 Scanning of inbound email messages
6.3 Scanning of outbound email messages
6.4 Scanning of email messages downloaded from POP3/IMAP server
6.5 Alternative methods of content filtering
6.5.1 Scanning email messages in CommuniGate Pro
6.5.2 Scanning email messages using AMaViS
6.5.3 Scanning email messages using Novell GroupWise
7. Important ESET Mail Security mechanisms
7.1 Handle Object Policy
7.2 User Specific Configuration
7.3 Blacklist and Whitelist
7.4 Anti-Spam control
7.4.1 SpamCatcher settings
7.5 Samples Submission System
7.6 Scheduler
7.7 Web Interface
7.7.1 License management
7.7.2 SMTP+Postfix configuration example
7.7.3 Scheduler
7.7.4 Statistics
7.8 Remote Administration
7.8.1 Remote Administration usage example
7.9 Logging
7.10 Command-line scripts
8. ESET Security system update
8.1 ESETS update utility
8.2 ESETS update process description
8.3 ESETS mirror http daemon
9. Let us know
10. Appendix A. ESETS setup and configuration
10.1 Setting ESETS for MTA Postfix
10.2 Setting ESETS for MTA Sendmail
10.3 Setting ESETS for MTA Qmail
10.4 Setting ESETS for MTA Exim version 3
10.5 Setting ESETS for MTA Exim version 4
10.6 Setting ESETS for MTA ZMailer
10.7 Setting ESETS for MTA Novell GroupWise
10.8 Setting ESETS for outbound email message scanning
10.9 Setting ESETS for scanning of POP3 communication
10.10 Setting ESETS for scanning of IMAP communication
11. Appendix B. PHP License

1. Introduction
Thank you for using ESET Mail Security - the premier security system for Linux, BSD and Solaris. ESET's state-of-the-art scanning engine has unsurpassed scanning speed and detection rates combined with a very small footprint that makes it the ideal choice for any server on Linux, BSD and Solaris.

1.1 Main functionality

Post Office Protocol filter (POP3)
The POP3 filter scans communication between POP3 clients and servers for viruses.

Simple Mail Transfer Protocol filter (SMTP)
The SMTP filter scans communication between SMTP clients and servers for viruses. Additionally, it can also serve as a content filter for the Postfix MTA.

Internet Message Access Protocol filter (IMAP)
The IMAP filter scans communication between IMAP clients and servers for viruses.

Sendmail content filter
The Sendmail content filter accesses mail messages processed by MTA Sendmail and scans them for viruses. It examines and modifies content and meta-information of messages. If an infection cannot be removed from an email message, the message will be rejected.

External filter plugin for CommuniGate Pro
The CGP module is an external filter plugin for CommuniGate Pro. It reads email filenames from stdin, then requests a scan by the ESETS daemon and finally returns a status. It examines (but does not modify) email content and blocks messages with infiltrations in the email body.

PIPE module
The PIPE module is a simple email scanner that reads email from standard input (stdin), then requests an ESETS daemon scan. If the content is accepted, it is submitted to standard output (stdout).

1.2 Key features of the system

Advanced engine algorithms
The ESET antivirus scanning engine algorithms provide the highest detection rate and the fastest scanning times.
Multi-processing
ESET Mail Security is developed to run on single- as well as multi-processor units.

Advanced Heuristics
ESET Mail Security includes unique advanced heuristics for Win32 worms, backdoor infections and other forms of malware.

Built-In features
Built-in archivers unpack archived objects without requiring any external programs.

Speed and efficiency
To increase the speed and efficiency of the system, ESET Mail Security's architecture is based on a running daemon (resident program) to which all scanning requests are sent.

Enhanced security
All executive daemons (except esets_dac) run under a non-privileged user account to enhance security.

Selective configuration
The system supports selective configuration based on the user or client/server.

Multiple logging levels
Multiple logging levels can be configured to get information about system activity and infiltrations.

Web interface
Configuration, administration and license management are offered through an intuitive and user-friendly web interface.

Remote administration
The system supports ESET Remote Administrator for management in large computer networks.

No external libraries
The ESET Mail Security installation does not require external libraries or programs except for LIBC.

User-specified notification
The system can be configured to notify specific users in the event of a detected infiltration or other important events.

Low system requirements
To run efficiently, ESET Mail Security requires just 250MB of hard-disk space and 256MB of RAM. It runs smoothly under the 2.6.x Linux OS kernel versions as well as under the 5.x and 6.x FreeBSD OS kernel versions.
Performance and scalability
From lower-powered, small office servers to enterprise-class ISP servers with thousands of users, ESET Mail Security delivers the performance and scalability you expect from a UNIX-based solution, in addition to the unequaled security of ESET security products.

2. Terminology and abbreviations
In this section, we will review the terms and abbreviations used in this document. Note that boldface font is reserved for product component names and also for newly defined terms and abbreviations. Terms and abbreviations defined in this chapter are expanded on later in this document.

ESETS
ESET Security is a standard acronym for all security products developed by ESET, spol. s r. o. for Linux, BSD and Solaris operating systems. It is also the name of the software package containing the products.

ESETS daemon
The main ESETS system control and scanning daemon: esets_daemon.

ESETS base directory
The directory where ESETS loadable modules containing the virus signature database are stored. The abbreviation @BASEDIR@ will be used for future references to this directory. The @BASEDIR@ value (depending on the operating system) is listed below:
  Linux:   /var/opt/eset/esets/lib
  FreeBSD: /var/lib/esets
  NetBSD:  /var/lib/esets
  Solaris: /var/opt/esets/lib

ESETS configuration directory
The directory where all files related to the ESET Mail Security configuration are stored. The abbreviation @ETCDIR@ will be used for future references to this directory. The @ETCDIR@ value (depending on the operating system) is listed below:
  Linux:   /etc/opt/eset/esets
  FreeBSD: /usr/local/etc/esets
  NetBSD:  /usr/pkg/etc/esets
  Solaris: /etc/opt/esets

ESETS configuration file
Main ESET Mail Security configuration file.
The absolute path of the file is as follows:
  @ETCDIR@/esets.cfg

ESETS binary files directory
The directory where the relevant ESET Mail Security binary files are stored. The abbreviation @BINDIR@ will be used for future references to this directory. The @BINDIR@ value (depending on the operating system) is listed below:
  Linux:   /opt/eset/esets/bin
  FreeBSD: /usr/local/bin
  NetBSD:  /usr/pkg/bin
  Solaris: /opt/esets/bin

ESETS system binary files directory
The directory where the relevant ESET Mail Security system binary files are stored. The abbreviation @SBINDIR@ will be used for future references to this directory. The @SBINDIR@ value (depending on the operating system) is listed below:
  Linux:   /opt/eset/esets/sbin
  FreeBSD: /usr/local/sbin
  NetBSD:  /usr/pkg/sbin
  Solaris: /opt/esets/sbin

ESETS object files directory
The directory where the relevant ESET Mail Security object files and libraries are stored. The abbreviation @LIBDIR@ will be used for future references to this directory. The @LIBDIR@ value (depending on the operating system) is listed below:
  Linux:   /opt/eset/esets/lib
  FreeBSD: /usr/local/lib/esets
  NetBSD:  /usr/pkg/lib/esets
  Solaris: /opt/esets/lib

Note: In a 64-bit Linux operating system environment, some 32-bit libraries are available in the following directory (for example, the libesets_pac.so preload library used to scan 32-bit binary files):
  Linux: /opt/eset/esets/lib32

3. System requirements
The following hardware requirements must be met before the installation process in order to run ESET Mail Security properly:
  250MB of hard-disk space
  256MB of RAM
  glibc 2.3.6 or higher
  2.6.x Linux OS kernel versions
ESET Mail Security should work on most recent and frequently used open-source Linux distributions if the above criteria are met.
The following Linux distributions (x86/x64) are officially supported:
  Red Hat Enterprise Linux
  SUSE Linux Enterprise
ESET Mail Security will also run on the following operating systems (but only x86, 32-bit):
  NetBSD 4
  FreeBSD 6, 7, 8 and 9
  SUN Solaris 10

4. Installation
After purchasing ESET Mail Security, you will receive your authorization data (Username, Password and license key). These credentials identify you as an ESET customer and are required to download updates for ESET Mail Security. The Username/Password data is also required for downloading the initial installation package from our web site. ESET Mail Security is distributed as a binary file:
  esets.arch.ext.bin
In the binary file shown above, ext is a Linux, BSD and Solaris OS distribution dependent suffix, i.e., deb for Debian, rpm for RedHat and SuSE, tgz for other Linux OS distributions, fbs7.tgz for FreeBSD 7.x, fbs8.tgz for FreeBSD 8.x, nbs4.tgz for NetBSD 4.xx and sol10.pkg.gz for Solaris 10. The arch value represents a computer architecture, either i386 for 32-bit OS distributions or amd64, x86_64 for 64-bit. To install or upgrade your product, run the ESET distribution script appropriate for the OS distribution and architecture that you have:
  sh ./esets.i386.deb.bin
  sh ./esets.i386.fbs8.tgz.bin
  sh ./esets.amd64.deb.bin
  sh ./esets.x86_64.rpm.bin
Once you accept the product License Agreement, you will be prompted to enable or disable the Samples submission system during the installation.

Figure 4-1. Installation of ESET Mail Security via Terminal.

An installation package esets-version.arch.ext will be created and placed in the current working directory. Information regarding the installation, uninstallation or upgrade will be displayed onscreen.
To complete the installation or upgrade of your product, run the newly created esets-version.arch.ext file using the appropriate syntax for your OS distribution:
  Linux OS:
    dpkg -i esets-4.0.x.i386.deb
    rpm -U esets-4.0.x.i386.rpm
  BSD OS:
    pkg_add esets-4.0.x.i386.fbs8.tgz
  Solaris:
    gunzip esets-4.0.x.i386.sol10.pkg.gz
    pkgadd -d esets-4.0.x.i386.sol10.pkg
Note: The procedure with an installation package esets-version.arch.ext is available only for versions 4.0.8 and below. Enabling or disabling the Samples submission system is available from version 4.0.10.

Import the license files:
  @SBINDIR@/esets_lic --import file.lic

Enter your Username and Password information into the global section of the ESET configuration file using a text editor:
  vi @ETCDIR@/esets.cfg
Edit the ESETS Update options section of the ESETS configuration file:
  av_update_username = "EAV-12345678"
  av_update_password = "yourpassword"

Start the main daemon service:
  Linux OS: /etc/init.d/esets start
  BSD OS:   /usr/local/etc/rc.d/esets.sh start

Once the package is installed, you can verify that the main ESETS service is running by using the following command:
  Linux OS: ps -C esets_daemon
  BSD OS:   ps -ax | grep esets_daemon
  Solaris:  ps -A | grep esets_daemon
After pressing ENTER, you should see the following (or similar) message:
  PID TTY TIME CMD
  2226 ? 00:00:00 esets_daemon
  2229 ? 00:00:00 esets_daemon
At least two ESETS daemon processes are running in the background. The first PID represents the process and threads manager of the system. The other represents the ESETS scanning process.

To help you easily integrate ESET Security with your system, you can also use the ESET Security interactive automated install script. You can undo all changes later. A list of available ESETS installations/uninstallations according to imported licenses will be displayed:
  @SBINDIR@/esets_setup
5. Architecture Overview
Once ESET Mail Security is successfully installed, you should become familiar with its architecture.

Figure 4-1. Structure of ESET Mail Security.

The structure of ESET Mail Security is shown in Figure 4-1. The system is comprised of the following parts:

CORE
The core of ESET Mail Security is the ESETS daemon (esets_daemon). The daemon uses the ESETS API library libesets.so and the ESETS loading modules em00X_xx.dat to provide base system tasks such as scanning, maintenance of the agent daemon processes, maintenance of the samples submission system, logging, notification, etc. Please refer to the esets_daemon(8) man page for details.

AGENTS
The purpose of the ESETS agent modules is to integrate ESETS with the Linux, BSD and Solaris server environment.

UTILITIES
The utility modules provide simple and effective system management. They are responsible for system tasks such as license management, quarantine management, system setup and update.

CONFIGURATION
Proper configuration is the most important aspect of your security system; the remainder of this chapter is dedicated to explaining all related components. A thorough understanding of the esets.cfg file is also highly recommended, as this file contains information essential to the configuration of ESET Mail Security. After the product is successfully installed, all its configuration components are stored in the ESETS configuration directory. The directory consists of the following files:

@ETCDIR@/esets.cfg
This is the most important configuration file, as it controls all major aspects of the product's functionality. The esets.cfg file is made up of several sections, each of which contains various parameters. The file contains one global and several agent sections, with all section names enclosed in square brackets.
Parameters in the global section are used to define configuration options for the ESETS daemon as well as default values for the ESETS scanning engine configuration. Parameters in agent sections are used to define configuration options of modules used to intercept various data flow types in the computer and/or its neighborhood, and prepare it for scanning. Note that in addition to the various parameters used for system configuration, there are also rules governing the organization of the file. For detailed information on the most effective way to organize this file, please refer to the esets.cfg(5) and esets_daemon(8) man pages, as well as the relevant agents' man pages.

@ETCDIR@/certs
This directory is used to store the certificates used by the ESETS web interface for authentication. Please see the esets_wwwi(8) man page for details.

@ETCDIR@/license
This directory is used to store the product(s) license key(s) you have acquired from your vendor. Note that the ESETS daemon will check only this directory for a valid license key.

@ETCDIR@/scripts/license_warning_script
If enabled by the Scheduler task named Threat notification, this script will be executed 30 days (once per day) before product license expiration, sending an email notification about the expiration status to the system administrator.

@ETCDIR@/scripts/daemon_notification_script
If enabled by the Scheduler task named License expiration, this script is executed in the event of a detected infiltration by the antivirus system. It is used to send an email notification about the event to the system administrator.

6. Integration with Email Messaging System
This chapter describes the integration of ESET Mail Security with a variety of known email messaging systems.
It is extremely important to understand the basic principles of an email messaging system (see figure 5-1) and how ESET Mail Security integrates with it.

Figure 5-1. Scheme of UNIX OS email messaging system.

MTA - Mail Transport Agent
A program (e.g., sendmail, postfix, qmail, exim, etc.) that enables the transfer of email messages between local and remote domains.

MDA - Mail Delivery Agent
A program (e.g., maildrop, procmail, deliver, local.mail, etc.) that enables the delivery of locally addressed email messages into particular mailboxes.

MUA - Mail User Agent
A program (e.g., Microsoft Outlook, Mozilla Thunderbird, Eudora, etc.) that provides access to and management of email messages, such as reading, composing, printing, etc.

MAILBOX
A file or file structure on a disk serving as the storage space for email messages.

The email server receives data communication using SMTP (Simple Mail Transfer Protocol). The received message is transferred by the MTA either to another remote email messaging system or is delivered using the local MDA into a particular MAILBOX. In most cases, each local network user owns a MAILBOX located on the server. Note that it is the responsibility of the user's local MUA to provide the function of downloading and correctly interpreting the message at the user's computer. When retrieving data from the MAILBOX, the MUA typically uses POP3 (Post Office Protocol) or IMAP (Internet Message Access Protocol) to communicate with the MTA. The SMTP protocol is used to send data to the Internet.

The ESETS operating principle is based on data communication interception and scanning at the various phases of its transfer. The interception locations are marked in figure 5-1 by the symbols S1, S2, S3 and S4.
  S1 - Bi-directional email message scanning, i.e. content filtering in the MTA.
  S2 - Scanning of inbound email messages, i.e. messages with a target address which is located inside the local domain.
  S3 - Scanning of outbound email messages, i.e. messages bound to a remote Internet domain.
  S4 - Scanning of email messages being downloaded from a POP3/IMAP server.
The remainder of this chapter reviews methods for integrating ESETS with a variety of supported messaging systems.

6.1 Bi-directional email message scanning in MTA
Bi-directional email message scanning mode allows the user to scan inbound and outbound email messages with the same implementation algorithm. The bi-directional content filter method is MTA dependent. ESET Mail Security comes with five content filters that are built for the most common MTA programs, such as MTA Sendmail, Postfix, Exim, QMail and ZMailer and the GroupWise Internet Agent (GWIA). Check that your MTA is properly configured and running. Then, configure ESET Mail Security for bi-directional email message scanning by running the following script:
  @SBINDIR@/esets_setup
Select the MTA and content filter install options. The ESETS module being used is also displayed. Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.

6.2 Scanning of inbound email messages
Inbound email message scanning is performed during message transfer between the MTA and MDA. Incoming emails are intercepted by the esets_mda module, scanned by the ESETS daemon and delivered to the MAILBOX using the original MDA. As shown in figure 5-1, virus scanning can be enabled by setting the proper configuration of the MTA and the esets_mda module.
ESET Mail Security supports most common MTA programs, such as MTA Sendmail, Postfix, Exim, QMail and ZMailer. ESETS supports any MDA. In particular, the following MDAs were tested: procmail, maildrop, deliver and local.mail. Check that your MTA is properly configured using the original MDA and that the MTA is running. Then configure ESET Mail Security for inbound email message scanning by running the following script:
  @SBINDIR@/esets_setup
Select the MDA and inbound install options. The ESETS module used is also displayed. Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.

6.3 Scanning of outbound email messages
Outbound email message scanning is performed during the transfer of email messages between the local MUA and the MTA. Configure ESET Mail Security for outbound email message scanning by running the following script:
  @SBINDIR@/esets_setup
Select the SMTP install option. This will set the esets_smtp module to listen on a predefined port and redirect applicable IP packets. Check the newly added firewall rule to see if any changes are necessary. Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.

6.4 Scanning of email messages downloaded from POP3/IMAP server
POP3/IMAP message scanning is performed during message transfer between the MAILBOX and the MUA.
All emails requested by POP3/IMAP clients are intercepted by the esets_pop3 (or esets_imap) agent module and scanned by the ESETS daemon for infiltrations. ESET Mail Security supports most common MUA programs, such as Microsoft Outlook, Evolution, Mozilla Thunderbird and others. Note that there is a restriction in ESET Mail Security functionality when emails are downloaded by Mozilla Thunderbird using the IMAP communication protocol. An email in this case is requested and downloaded part by part and built directly by Mozilla Thunderbird. For this reason it is not possible to write proper information about the infiltrations found into the header and body of the email, and thus the functionality is deactivated for this MUA. To configure ESET Mail Security to scan email messages downloaded from a POP3 or IMAP server, run the following script:
  @SBINDIR@/esets_setup
Select the POP3 or IMAP install option. This will set the given ESETS module to listen on a predefined port and redirect applicable IP packets. Check the newly added firewall rule to see if any changes are necessary. Note that the installer backs up all modified configuration files and can display every command that it will execute after your approval. The backup configuration files should be reimplemented after uninstalling. Detailed steps for all possible scenarios are described in appendix A of this documentation.

6.5 Alternative methods of content filtering

6.5.1 Scanning email messages in CommuniGate Pro
CommuniGate Pro is a powerful and reliable Unified Communications server, and esets_cgp is used for content filtering (antivirus and antispam filtering). Esets_cgp only allows incoming email message scanning.
Esets_cgp does not allow scanned email message modification and denies ESETS access to clean or delete infected email attachments. As a result, the ESETS footnote with log and status dependent header fields will not be written into the email message. Also, esets_cgp does not provide mail sender/recipient information. Due to this, user specific configurations are unavailable and advanced mail handling features (accept, defer, discard, reject) are limited.

Integrating the antivirus plugin with CommuniGate Pro
Please see the VirusScan section of the CommuniGate Pro manual. Open the General page in the Settings section of the WebAdmin Interface and click the Helpers link. In the Content Filtering panel, create a new filter with the following values:

Figure 5-2. Setting of Content Filtering.

Next, open the Mail page in the Settings section of the WebAdmin Interface, click the Rules link and add a new rule as follows:

Figure 5-3. Rule Settings.

6.5.2 Scanning email messages using AMaViS
AMaViS (A Mail Virus Scanner) is a tool that interfaces your MTA with several antivirus scanners. It supports various MTAs and comes in three branches: amavis, amavisd and amavisd-new. Only the amavisd-new branch is supported. AMaViS cooperates with ESET Mail Security by using esets_cli. Before explaining the AMaViS configuration, the impact of this method on ESET Mail Security functionality is described. AMaViS does not allow scanned email message modification and denies ESETS access to clean or delete infected email attachments. As a result, the ESETS footnote with log and status dependent header fields will not be written into the email message. Also, AMaViS does not provide mail sender/recipient information.
Due to this, user specific configurations are unavailable and advanced mail handling features (accept, defer, discard, reject) are limited for esets_cli. Lastly, AMaViS only scans files; it cannot use the ESETS antispam engine. Taking into account these drawbacks, content filtering using AMaViS is recommended only if the system administrator does not require the features discussed above.

amavisd-new configuration
To install the product with amavisd-new, unpack and install the source amavisd-new-2.x.y.tgz in your installation directory. Next, configure the product with the newly installed amavisd-new. To do this, delete the clause for ESET Software ESETS and then replace the clause for ESET Software ESETS - Client/Server Version in the file amavisd.conf with the following one:
  ### http://www.eset.com/
  ['ESET Software ESETS Command Line Interface',
   '@BINDIR@/esets_cli', '{}',
   [0], [1, 2, 3],
   qr/virus="([^"]+)"/ ],
You may need to install the additional Perl modules Archive-Tar, Archive-Zip, BerkeleyDB, Compress-Zlib, Convert-TNEF, Convert-UUlib, IO-stringy, MailTools, MIME-Base64, MIME-tools, Net-Server and Unix-Syslog from:
  www.cpan.org/modules
The procedure to install is as follows:
  perl Makefile.PL; make; make install
After configuration, please follow the recommendations for configuring amavisd-new in the README.mta located in the amavisd-new directory according to your mail server.

6.5.3 Scanning email messages using Novell GroupWise
Novell GroupWise is a messaging and collaborative software platform that also supports email management. The platform consists of client and server software, available for various platforms (i.e. Linux). The module esets_gwia only allows the scanning of incoming email messages.
For delivering email messages to clients immediately, the following GroupWise agent directories must be set to the same paths:

  Conversion Directory
  SMTP Queues Directory
  SMTP Service Queues Directory

To do this, open Novell ConsoleOne, navigate to NDS > ESET-NDSTREE > eset > domain > GWIA > Properties > Server Directories Settings and set these parameters. In our case the example domain is called eset. Then restart the GroupWise agent:

  /etc/init.d/grpwise restart

Figure 5-4. Novell ConsoleOne module settings.

To configure ESET Mail Security to scan email messages downloaded from the Novell GroupWise server, run the following script:

  @SBINDIR@/esets_setup

Select the MTA install option. This will configure the GWIA (Novell GroupWise Internet Agent) and the esets_gwia module parameters and directories where the email queues (files) are scanned and watched. Note that the installer backs up all modified configuration files and can display every command it will execute for your approval. The backed-up configuration files should be restored after uninstalling. Detailed configuration is described in Appendix A of this documentation.

7. Important ESET Mail Security mechanisms

7.1 Handle Object Policy

The Handle Object Policy mechanism (see Figure 6-1) provides filtering of scanned objects based on their status. This functionality is based on the following configuration options:

  action_av
  action_av_infected
  action_av_notscanned
  action_av_deleted

For detailed information on these options, please refer to the esets.cfg(5) man page.

Figure 6-1. Scheme of Handle Object Policy mechanism.

Every processed object is first handled according to the configuration of the action_av option.
If this option is set to accept (or defer, discard, reject), the object is accepted (or deferred, discarded, rejected) without being scanned. If the option is set to scan, the object is scanned for virus infiltrations and, if the av_clean_mode option is set to yes, the object is also cleaned. In addition, the configuration options action_av_infected, action_av_notscanned and action_av_deleted are taken into account to further evaluate the handling of the object. If an accept action results from these three options, the object is accepted. Otherwise, the object is blocked.

7.2 User Specific Configuration

The purpose of the User Specific Configuration mechanism is to provide a higher degree of customization and functionality. It allows the system administrator to define ESETS antivirus scanner parameters based on the user associated with the processed object (for the mail agents, the sender or recipient of the message). A detailed description of this functionality can be found in the esets.cfg(5) man page. In this section we provide only a short example of a user-specific configuration.

Here, the esets_smtp module is used as a content filter for the Postfix MTA. The functionality of this module is based on the [smtp] section of the ESETS configuration file (esets.cfg). See below:

  [smtp]
  agent_enabled = yes
  listen_addr = "localhost"
  listen_port = 2526
  server_addr = "localhost"
  server_port = 2525
  action_av = "scan"

To provide individual parameter settings, define a user_config parameter with the path to the special configuration file where the individual settings will be stored. In the example below, we create a reference to the special configuration file esets_smtp_spec.cfg, which is located in the ESETS configuration directory.
See below:

  [smtp]
  agent_enabled = yes
  listen_addr = "localhost"
  listen_port = 2526
  server_addr = "localhost"
  server_port = 2525
  action_av = "scan"
  user_config = "esets_smtp_spec.cfg"

Once the special configuration file is referenced from within the [smtp] section, create the esets_smtp_spec.cfg file in the ESETS configuration directory and add the appropriate individual settings. The esets_smtp_spec.cfg file should look like this:

  [rcptuser@rcptdomain.com]
  action_av = "reject"

Note that the section header identifies the recipient for which the individual settings have been created, and the section body contains the individual parameters for this recipient. With this configuration all other recipients are processed normally: their email messages are scanned for infiltrations as defined in the [smtp] section, whereas every message addressed to rcptuser@rcptdomain.com is rejected (blocked).

7.3 Blacklist and Whitelist

In the following example we demonstrate blacklist and whitelist creation for the esets_smtp content filter for the Postfix MTA configuration. Note that the configuration described in the previous section is used for this purpose.

To create a blacklist used by esets_smtp, create the following group section within the special configuration file esets_smtp_spec.cfg introduced in the previous section. See below:

  [black-list]
  action_av = "reject"

Next, add a sender address to the black-list group. To do this, the following special section must be created:

  [|sndrname1@sndrdomain1.com]
  parent_id = "black-list"

In the example above, sndrname1@sndrdomain1.com is the email address of the sender added to the blacklist. All email messages sent from this address will now be rejected.
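The following is an added example, not ESET's code, that models how the settings of sections 7.1 to 7.3 fit together: it parses an [smtp] section and a user_config file written in the esets_smtp_spec.cfg syntax (recipient sections, [|sender] sections and group sections joined by parent_id), resolves the parameters for one sender/recipient pair, and then applies the Handle Object Policy. Two things are assumptions because the page does not state them: a matching [|sender] section is taken to override a matching [recipient] section, and the action_av_* follow-up options are defaulted to "reject" when unset. The addresses, the partner@example.net whitelist entry and the configuration text are constructed for the example; consult esets.cfg(5) and esets_smtp(1) for the real precedence and defaults.

```python
"""Added example, not ESET's code: resolve which parameters apply to one
SMTP transaction from the [smtp] section plus a user_config file written
in the esets_smtp_spec.cfg syntax of sections 7.2 and 7.3, then apply the
Handle Object Policy of section 7.1.  The page does not say which wins when
both a [|sender] and a [recipient] section match, nor what the action_av_*
options default to; this example lets the sender section win and defaults
the follow-up actions to "reject" (assumptions).  All addresses and
configuration text below are constructed for the example."""


def parse_esets_cfg(text):
    """Parse the esets.cfg-style syntax: [section] headers, key = value
    lines with optionally double-quoted values, # comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("malformed line: %r" % raw)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_settings(spec, name):
    """Flatten a special section with its parent_id chain (child overrides
    parent), i.e. the group mechanism of section 7.3."""
    chain, seen = [], set()
    while name in spec and name not in seen:
        seen.add(name)
        chain.append(spec[name])
        name = spec[name].get("parent_id")
    merged = {}
    for layer in reversed(chain):
        merged.update((k, v) for k, v in layer.items() if k != "parent_id")
    return merged


def resolve(smtp_section, spec, sender, recipient):
    """Parameters for a sender/recipient pair.  [recipient] sections have
    no prefix; [|sender] sections carry the | prefix (see esets_smtp(1))."""
    params = dict(smtp_section)
    if recipient in spec:
        params.update(effective_settings(spec, recipient))
    if "|" + sender in spec:  # assumption: a sender section wins
        params.update(effective_settings(spec, "|" + sender))
    return params


def handle_object(params, scan_result):
    """Handle Object Policy (section 7.1).  scan_result is what the scanner
    would report ('clean', 'infected', 'notscanned' or 'deleted') and is
    consulted only when action_av is 'scan'.  Returns the final action;
    anything other than 'accept' means the object is blocked."""
    action = params.get("action_av", "scan")
    if action != "scan":
        return action          # accept/defer/discard/reject without a scan
    if scan_result == "clean":
        return "accept"
    return params.get("action_av_" + scan_result, "reject")  # assumed default


# Constructed configuration: the [smtp] section of section 7.2 plus the
# special file of section 7.3 with one extra whitelisted sender.
SMTP_SECTION = """
[smtp]
agent_enabled = yes
listen_addr = "localhost"
listen_port = 2526
server_addr = "localhost"
server_port = 2525
action_av = "scan"
action_av_infected = "reject"
user_config = "esets_smtp_spec.cfg"
"""

SPEC_FILE = """
[rcptuser@rcptdomain.com]
action_av = "reject"

[black-list]
action_av = "reject"

[white-list]
action_av = "accept"
action_as = "accept"

[|sndrname1@sndrdomain1.com]
parent_id = "black-list"

[|partner@example.net]
parent_id = "white-list"
"""


def decide(sender, recipient, scan_result):
    """Final action for one message under the constructed configuration."""
    smtp = parse_esets_cfg(SMTP_SECTION)["smtp"]
    spec = parse_esets_cfg(SPEC_FILE)
    return handle_object(resolve(smtp, spec, sender, recipient), scan_result)


if __name__ == "__main__":
    for case in (("alice@example.org", "bob@example.org", "infected"),
                 ("alice@example.org", "rcptuser@rcptdomain.com", "clean"),
                 ("sndrname1@sndrdomain1.com", "bob@example.org", "clean"),
                 ("partner@example.net", "bob@example.org", "infected")):
        print(case, "->", decide(*case))
```

The last case is the one to notice: a sender in a group whose action_av is "accept" is accepted even when the scanner would have reported an infection, because accept short-circuits the scan entirely. That is the behaviour the whitelist of section 7.3 configures, and the envelope sender it keys on is trivially forged.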
When creating the whitelist used by esets_smtp, create the following group section in the special configuration file esets_smtp_spec.cfg. See below:

  [white-list]
  action_av = "accept"
  action_as = "accept"

A sender's email address is added to the whitelist in the same way as to the blacklist, with a special section whose parent_id is "white-list". The | character is placed in front of the header name of the special section for a sender address and is omitted for a recipient address. For information regarding the special header name syntax, refer to the man page of the appropriate ESETS agent module. For esets_smtp, refer to the esets_smtp(1) man page.

Keep in mind that accept means the message is delivered without antivirus or antispam scanning, and that the envelope sender address is easily forged. Keep sender whitelists short and prefer recipient-based exceptions where they suffice.

7.4 Anti-Spam control

The anti-spam system filters spam messages using dynamic evaluation of the data flow of the email delivery process. To eliminate spam, ESET Mail Security uses the anti-spam control mechanism. This mechanism can be enabled using the action_as parameter. For a full description of the parameter refer to the esets.cfg(5) man page.

Note that anti-spam scanning can only be used for email objects. Because of this, the functionality is relevant only for the following modules: esets_imap, esets_mda, esets_pipe, esets_pop3, esets_smtp, esets_smfi and esets_cgp. Once anti-spam is enabled in any of the configuration sections, the anti-spam scanning engine initializes during the main scanning daemon start-up. During this process, the appropriate anti-spam support modules are loaded from the anti-spam cache directory. Regular updates of the anti-spam database can be administered using tasks in the Scheduler.

Anti-spam functionality can also be configured using the following configuration file:

  @ETCDIR@/anti-spam/spamcatcher.conf

Note: SpamCatcher is a tool for spam detection. It tracks all email communication on its own server and monitors messages rejected by users.
It evaluates this and various other data to determine which email is likely to contain spam and sends users a probability score for every message they receive. It allows you to create your own rules for identifying and blacklisting spam. Hundreds of rules can be used to evaluate the spam score and block incoming spam.

The @ETCDIR@/anti-spam/ directory contains a number of different configurations stored in files that can be used to customize the anti-spam engine. If you wish to start using a particular configuration, replace the default anti-spam configuration stored in spamcatcher.conf with any of the available configuration files and then reload the ESETS daemon.

spamcatcher.conf
The default configuration file, containing the optimal configuration recommended for a typical server environment. To display the differences between any of the files in the anti-spam directory, use the diff command. For example, to compare spamcatcher.conf with spamcatcher.conf.accurate, use the following command:

  diff spamcatcher.conf spamcatcher.conf.accurate

spamcatcher.conf.accurate
Bayesian word token analysis (i.e. spam filtering using Bayesian analysis) is enabled. It improves accuracy but uses more memory and can therefore take slightly more time to finish than other methods. The limit on the number of domains queried against the DNS Block List server (DNSBL) is increased (the dnsbl_max_domains option). DNSBLs are most often used to publish addresses of computers or networks linked to spamming. Sender Policy Framework (SPF) validation with live DNS queries is performed. The value of the spam_threshold parameter is increased; messages with spam scores equal to or higher than this value will be rejected. SpamCompiler version 4 is enabled.
spamcatcher.conf.fast
The number of domains queried against the DNS Block List server is reduced. The target_throughput option, which allows you to specify the throughput in messages per second, is enabled. CPU usage during rule file updates is reduced by increasing the size of the on-disk cache files. TTLs (time to live) for the internal DNS and LiveFeed caches are enabled.

spamcatcher.conf.no_livefeed
The livefeed option specifies which server is queried for LiveFeed requests. This option is disabled in this configuration file. The internal cache for DNS requests is disabled.

7.4.1 SpamCatcher settings

The spamcatcher.conf configuration file allows you to modify several additional settings that are not available in the ESETS configuration file. The settings in spamcatcher.conf are transparently structured and described:

  Name         parameter name
  Arguments    values the parameter can be assigned and their syntax
  Default      default parameter value
  Description  detailed parameter description

Blank lines and lines beginning with # are ignored.

A list of the most important settings in spamcatcher.conf

approved_ip_list
List of approved IP addresses. You can specify IPs that should be approved, i.e. if the first non-ignored IP in the Received headers matches any address in this list, the message scores 0 and no other checks are made.

blocked_ip_list
List of blocked IP addresses. You can specify IPs that should be blocked, i.e. if any non-ignored IP in the Received headers matches an address in this list, the message scores 100 and no other checks are made.

ignored_ip_list
List of ignored IP addresses. You can specify IPs that should be ignored during Real-time Blackhole List (RBL) checks. You should include all internal IP addresses behind the firewall that are not directly accessible from the Internet.
Doing so prevents unnecessary checks and helps identify the actual connecting IP address. Private IP addresses are already skipped by the engine (192.168.x.y and 10.x). Keep in mind that Received headers added by hosts outside your control can be forged by the sender; only the header added by your own receiving MTA is trustworthy, so listing your internal relays here is what ensures that the "first non-ignored IP" really is the external connecting client.

rbl_list
List of Real-time Blackhole servers to be used when evaluating messages. The RBL request checks for the presence of a specific IP address on a given RBL server. Subject to these checks are the IP addresses in the Received: sections of the mail header. The entry format is as follows:

  rbl_list=server:response:offset,server2:response2:offset2,...

The meaning of the parameters is explained below:

  server    RBL server name.
  response  RBL server response if the IP address was found (standard responses are 127.0.0.2, 127.0.0.3, 127.0.0.4, etc.). This parameter is optional; if not set, all answers are considered.
  offset    Value up to 100 (normally 0 to 100). Influences the overall spam score. The standard value is 100, i.e. in case of a positive check the message is assigned a spam score of 100 and is evaluated as spam. Negative values lower the overall spam score of a message.

Example 1:

  rbl_list=ent.adbl.org

The RBL check is performed using the ent.adbl.org server. If the check is positive, the message is assigned the standard offset of 100 and marked as spam.

Example 2:

  rbl_list=ent.adbl.org::60

The RBL check is performed using the ent.adbl.org server. If the check is positive, the message is assigned an offset of 60, which increases its overall spam score.

Example 3:

  rbl_list=bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75

The RBL check is performed using the defined servers (from left to right). In case of a positive check on bx9.dbl.com, an offset of 85 is added. If the check on list.dnb.org is positive with a response of 127.0.0.4, an offset of 35 is used; no offset is applied for answers other than 127.0.0.4.
If a check is positive on req.gsender.org, the spam score is decreased by 75 points (negative value).

rbl_max_ips
Maximum number of IP addresses that can be sent to the RBL servers for checking. The total number of RBL requests is the number of IP addresses in the Received: sections of the email header (up to the limit set by this parameter) multiplied by the number of RBL servers set in rbl_list. A value of 0 means there is no limit on the number of IP addresses that can be checked. This parameter applies only if the rbl_list option is enabled (i.e. contains at least one server).

approved_domain_list
A list of domains and IP addresses in the email body that are to be considered allowed. Do not use it to whitelist emails by the sender's domain!

blocked_domain_list
A list of domains and IP addresses in the email body that are to be considered permanently blocked. This is not a blacklist of sender addresses!

ignored_domain_list
List of domains in the email body that are to be permanently excluded from DNSBL checks and ignored.

dnsbl_list
List of DNSBL (DNS-based Blackhole List) servers to be used in checks of domains and IP addresses in the email body. The entry format is as follows:

  dnsbl_list=server:response:offset,server2:response2:offset2,...

The meaning of the parameters:

  server    DNSBL server name.
  response  DNSBL server response if the IP address/domain was found (standard responses are 127.0.0.2, 127.0.0.3, 127.0.0.4, etc.). This parameter is optional; if not set, all answers are considered.
  offset    Value up to 100 (normally 0 to 100). Influences the overall spam score. The standard value is 100, i.e. in case of a positive check the message is assigned a spam score of 100 and is evaluated as spam. Negative values lower the overall spam score of a message.
DNSBL checks can have a negative influence on server performance, because every domain/IP address from the message body is checked against all defined DNSBL servers and every single check requires a DNS request. You can reduce the impact on system resources by deploying a caching DNS server for this purpose. For the same reason the non-routable IP addresses (10.x.x.x, 127.x.x.x, 192.168.x.x) are also omitted from DNSBL checks.

Example 1:

  dnsbl_list=ent.adbl.org

The DNSBL check is performed against the ent.adbl.org server. If the check is positive, the message is assigned the default offset of 100 (it is marked as spam).

Example 2:

  dnsbl_list=ent.adbl.org::60

The DNSBL check is performed using the ent.adbl.org server. If the check is positive, the message is assigned an offset of 60, which increases its overall spam score.

Example 3:

  dnsbl_list=bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75

The DNSBL check is performed using the defined servers (from left to right). If the check on bx9.dbl.com is positive, an offset of 85 is added. If the check on list.dnb.org is positive with a response of 127.0.0.4, an offset of 35 is used; no offset is applied for answers other than 127.0.0.4. If a check is positive on req.gsender.org, the spam score is decreased by 75 points (negative value).

home_country_list
List of countries that will be considered "home". Messages routed through a country not on this list are evaluated using stricter rules (a higher spam score is applied). The entry format for countries is their two-character code according to ISO 3166.

home_language_list
List of preferred languages, i.e. the languages most used in your email messages. Such messages are evaluated using less strict rules (lower spam score).
The entry format for languages is their two-character code according to ISO 639.

custom_rules_list
Allows you to define custom lists of rules and store each list in an individual file. Each rule is stored on a separate line of the file in the following format:

  Phrase, Type, Confidence, CaseSensitivity

  Phrase           Any text; must not contain commas (,).
  Type             Can have the following values: SPAM, PHISH, BOUNCE, ADULT, FRAUD. If you enter a value other than those listed above, SPAM is used automatically. SPAM defines phrases that occur in classical spam messages (offers of goods and services). PHISH are phrases occurring in fraudulent messages (phishing) aimed at extracting confidential data (names, passwords, credit card numbers, etc.) from users. BOUNCE are phrases used in automatic server responses, i.e. Non-Delivery Notifications (which flood a mailbox when its address is spoofed as the sender of spam). ADULT represents phrases typical for messages offering pornographic content. FRAUD stands for phrases used in fraudulent emails (scams) offering suspicious banking operations (money transfers via your account, etc.). A typical example of this spam type is the so-called Nigerian spam.
  Confidence       Value from 0 to 100. Defines the probability that the phrase belongs to the specified spam category (listed above). If Type PHISH has Confidence 90, there is a very high probability of the phrase being used in phishing messages. The higher the Confidence, the bigger its impact on the overall spam score of the message. A Confidence value of 100 is a special case: the message spam score will also be 100, i.e. the message is marked as 100% spam. Analogously, if the value is 0, the message is marked as not spam.
  CaseSensitivity  Values 0 or 1. 0 means the phrase is case insensitive.
1 means the phrase is case sensitive.

Examples:

  replica, SPAM, 100, 0
  Dear eBay member, PHISH, 90, 1
  return to sender, BOUNCE, 80, 0

Other settings

enable_spf
This option enables/disables validation by SPF (Sender Policy Framework). This validation method checks the public rules of a domain (the domain policy published in DNS) to determine whether a sender is authorized to send messages from that domain.

enable_all_spf
This option determines whether domains not on the spf_list or in the Mailshell file can bypass SPF validation. For this option to work correctly, the enable_realtime_spf parameter must be set to yes.

enable_realtime_spf
If this option is enabled, DNS requests will be sent in real time during SPF validation. This can negatively influence performance (delays during message evaluation).

spf_list
This option allows you to assign importance to a specific SPF entry, thus influencing the overall spam score of a message.

spf_*_weight
The asterisk represents the 14 possible SPF validation results (see spamcatcher.conf for details). The value entered for this parameter is an offset that is applied to the spam score according to the individual result type. If the SPF validation result is "fail", the offset from the spf_fail_weight parameter is applied. Depending on the offset value, the resulting spam score is then increased/decreased.

spf_recursion_depth
Maximum nesting depth (using the "include" mechanism). RFC 4408 specifies this limit as 10 (to prevent denial of service); however, some SPF records nowadays do not respect this limit, as more nesting levels are needed to fully resolve the SPF record.

enable_livefeed_sender_repute
If this option is disabled, the SPF information from LiveFeed will be ignored.
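The following is an added example, not ESET's or SpamCatcher's code, that implements the two list formats described above as a reference scorer: the server:response:offset entry format shared by rbl_list and dnsbl_list (including optional response, optional offset, negative offsets and the skipping of non-routable addresses) and the Phrase, Type, Confidence, CaseSensitivity format of custom_rules_list. DNSBL answers come from a constructed lookup table rather than live DNS so that it runs offline; the server names are the manual's Example 3, and the IP addresses, the Received chain and the message bodies are constructed. How SpamCatcher combines several positive offsets with each other and with other checks is not described on the page; this example simply sums offsets, takes the highest matching rule confidence, and clamps the result to 0..100 (assumptions).

```python
"""Added example, not ESET's or SpamCatcher's code: a reference scorer for
the rbl_list/dnsbl_list entry format and the custom_rules_list file format
of section 7.4.1.  DNSBL answers come from a constructed table instead of
live DNS.  Summing offsets, taking the highest matching confidence and
clamping to 0..100 are assumptions; the page does not say how SpamCatcher
combines several hits."""
import ipaddress

# Non-routable ranges the engine omits from RBL/DNSBL checks (section 7.4.1).
SKIPPED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]
RULE_TYPES = ("SPAM", "PHISH", "BOUNCE", "ADULT", "FRAUD")


def parse_bl_list(value):
    """Parse 'server:response:offset,server2:response2:offset2,...'.
    An empty response means any answer counts; an empty offset means 100."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        response = parts[1] if len(parts) > 1 and parts[1] else None
        offset = int(parts[2]) if len(parts) > 2 and parts[2] else 100
        entries.append((parts[0], response, offset))
    return entries


def is_skipped(address):
    """True for addresses never looked up; host names are always looked up."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in SKIPPED_NETS)


def bl_offset(entries, addresses, lookup):
    """Sum the offsets of positive checks.  lookup(server, address) returns
    the server's answer (e.g. '127.0.0.2') or None when not listed."""
    total = 0
    for address in addresses:
        if is_skipped(address):
            continue
        for server, wanted, offset in entries:
            answer = lookup(server, address)
            if answer is not None and (wanted is None or answer == wanted):
                total += offset
    return total


def parse_custom_rules(text):
    """Parse 'Phrase, Type, Confidence, CaseSensitivity' lines; an unknown
    Type falls back to SPAM as documented."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError("phrase must not contain commas: %r" % raw)
        phrase, kind, confidence, case_sensitive = parts
        if kind not in RULE_TYPES:
            kind = "SPAM"
        rules.append((phrase, kind, int(confidence), case_sensitive == "1"))
    return rules


def custom_rules_score(rules, body):
    """Return (score, matched types).  Confidence 100 forces 100 and 0
    forces not-spam, as documented; otherwise the highest match wins."""
    best, matched = 0, []
    for phrase, kind, confidence, case_sensitive in rules:
        haystack, needle = ((body, phrase) if case_sensitive
                            else (body.lower(), phrase.lower()))
        if needle in haystack:
            matched.append(kind)
            if confidence in (0, 100):
                return confidence, matched
            best = max(best, confidence)
    return best, matched


def score_message(received_ips, body, rbl_list, rules, lookup):
    """Combine Received-header RBL offsets and phrase rules into 0..100."""
    total = bl_offset(parse_bl_list(rbl_list), received_ips, lookup)
    total += custom_rules_score(rules, body)[0]
    return max(0, min(100, total))


# Constructed data: Example 3 from the manual, a Received chain with one
# internal relay, constructed DNSBL answers and the three documented rules.
EXAMPLE3 = "bx9.dbl.com::85, list.dnb.org:127.0.0.4:35, req.gsender.org::-75"
RECEIVED_IPS = ["192.168.1.10", "203.0.113.7", "198.51.100.9"]
LISTED = {
    ("bx9.dbl.com", "203.0.113.7"): "127.0.0.2",       # any answer: +85
    ("list.dnb.org", "203.0.113.7"): "127.0.0.3",      # not 127.0.0.4: no offset
    ("list.dnb.org", "198.51.100.9"): "127.0.0.4",     # wanted answer: +35
    ("req.gsender.org", "198.51.100.9"): "127.0.0.2",  # negative offset: -75
}
RULES = parse_custom_rules("""
replica, SPAM, 100, 0
Dear eBay member, PHISH, 90, 1
return to sender, BOUNCE, 80, 0
""")


def table_lookup(server, address):
    """Offline stand-in for the DNS query."""
    return LISTED.get((server, address))
```

With this data the Received chain alone scores 85 + 35 - 75 = 45 (the 192.168.1.10 relay is never queried), and a body containing "Dear eBay member" pushes the total past the clamp to 100. Note that a lowercase "dear ebay member" does not match, because that rule is case sensitive, which is exactly the gap a CaseSensitivity flag of 1 leaves open.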
7.5 Samples Submission System

The Samples Submission System is an intelligent ThreatSense.Net technology that collects infected objects detected by advanced heuristics and delivers them to the samples submission system server. All virus samples collected by the samples submission system are processed by the ESET virus laboratory and, if necessary, added to the ESET virus signature database.

Note: According to our license agreement, by enabling the samples submission system you agree to allow the computer and/or platform on which esets_daemon is installed to collect data (which may include personal information about you and/or other users of the computer) and samples of newly detected viruses or other threats, and to send them to the ESET virus laboratory. This feature is disabled by default. All information collected will be used only to analyze new threats and will not be used for any other purpose.

In order to enable sampling, the samples submission system cache must be initialized. This is achieved by setting samples_enabled in the [global] section of the ESETS configuration file. For more information on the Samples Submission System and its options, please refer to the esets_daemon(8) man page.

7.6 Scheduler

The Scheduler's functionality includes running scheduled tasks at a specified time or on a specific event, managing and launching tasks with predefined configuration and properties, and more. Task configuration and properties can be used to influence launch dates and times, but also to expand the application of tasks by introducing the use of custom profiles during task execution.

The scheduler_tasks option is commented out by default, causing the default scheduler configuration to be applied. In the ESETS configuration file all parameters and tasks are semicolon-separated.
Any other semicolons (and backslashes) must be backslash-escaped. Each task has 6 parameters and the syntax is as follows:

  id         Unique number.
  name       Task description.
  flags      Special flags to disable the specified scheduler task can be set here.
  failstart  Instructs what to do if the task could not be run on the scheduled date.
  datespec   A regular date specification with 6 (crontab-like, year-extended) fields, a recurrent date, or an event name.
  command    Can be an absolute path to a command followed by its arguments, or a special command name with the @ prefix (e.g. antivirus update: @update).

  #scheduler_tasks = "id;name;flags;failstart;datespec;command;id2;name2;...";

The following event names can be used in place of the datespec option:

  start       Daemon startup.
  startonce   Daemon startup, but at most once a day.
  engine      Successful engine update.
  login       Web interface logon.
  threat      Threat detected.
  notscanned  Email or file not scanned.
  licexp      30 days before license expiration.

To display the current scheduler configuration, use the Web interface or run the following command:

  grep scheduler_tasks @ETCDIR@/esets.cfg

For a full description of the Scheduler and its parameters refer to the Scheduler section of the esets_daemon(8) man page.

7.7 Web Interface

The web interface allows user-friendly configuration, administration and license management of ESET Security systems. This module is a separate agent and must be explicitly enabled. To quickly configure the Web Interface, set the following options in the ESETS configuration file and restart the ESETS daemon:

  [wwwi]
  agent_enabled = yes
  listen_addr = address
  listen_port = port
  username = name
  password = pass

Replace address, port, name and pass with your own values and direct your browser to https://address:port (note the https). Log in with the username/password. Because the web interface can write the whole configuration, including scheduler_tasks commands that the daemon executes, bind listen_addr to a management address rather than a public one, choose a strong password, and keep esets.cfg (which stores the password in clear text) readable only by root.
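Returning to the scheduler_tasks syntax of section 7.6: the escaping rule is the part that is easy to get wrong by hand, so the following added example (not ESET's code) splits a scheduler_tasks string into 6-field tasks while honouring backslash escapes, builds the string back from task records, and lints each task for the two mistakes the section warns about, a command that is neither an absolute path nor an @command, and a datespec that is neither a documented event name nor 6 crontab-like fields. The task strings, the notify.sh path and the task ids below are constructed for the example. The page does not define the exact vocabulary of flags and failstart, nor the recurrent-date form of datespec, so those fields are kept as strings and the recurrent-date form is not recognized by the lint (a limitation of this example, not of ESETS).

```python
"""Added example, not ESET's code: parse, rebuild and lint the
scheduler_tasks string of section 7.6.  Literal ';' and '\\' inside a
field are written as '\\;' and '\\\\'.  The sample tasks, paths and ids
are constructed; flags/failstart vocabulary and the recurrent-date
datespec form are not described on the page and are not interpreted."""
FIELDS = ("id", "name", "flags", "failstart", "datespec", "command")
EVENTS = {"start", "startonce", "engine", "login", "threat", "notscanned", "licexp"}


def split_escaped(value, sep=";"):
    """Split on unescaped separators; a backslash escapes the next character."""
    fields, buf, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            buf.append(value[i + 1])
            i += 2
            continue
        if ch == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_scheduler_tasks(value):
    """Return a list of task dicts with the six documented fields."""
    fields = split_escaped(value)
    if len(fields) % len(FIELDS) != 0:
        raise ValueError("%d fields is not a multiple of %d" % (len(fields), len(FIELDS)))
    tasks = []
    for start in range(0, len(fields), len(FIELDS)):
        task = dict(zip(FIELDS, fields[start:start + len(FIELDS)]))
        task["id"] = int(task["id"])          # "Unique number"
        tasks.append(task)
    ids = [t["id"] for t in tasks]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate task id in scheduler_tasks")
    return tasks


def escape_field(value):
    """Inverse of split_escaped for one field: escape backslashes first."""
    return value.replace("\\", "\\\\").replace(";", "\\;")


def build_scheduler_tasks(tasks):
    """Serialize task dicts back into the scheduler_tasks value."""
    return ";".join(escape_field(str(t[f])) for t in tasks for f in FIELDS)


def lint_task(task):
    """Problems a reviewer would flag before the daemon executes the task."""
    problems = []
    words = task["command"].split()
    cmd = words[0] if words else ""
    if not (cmd.startswith("/") or cmd.startswith("@")):
        problems.append("command must be an absolute path or an @command: %r" % cmd)
    datespec = task["datespec"]
    if datespec not in EVENTS and len(datespec.split()) != 6:
        problems.append("datespec is neither an event name nor 6 fields: %r" % datespec)
    return problems


# Constructed sample: an every-two-hours update, a threat-triggered
# notification whose name and argument contain escaped characters, and a
# task with a relative command that the lint should reject.
SAMPLE = (r"1;Antivirus update;0;0;0 */2 * * * *;@update;"
          r"2;Threat alert\; mail admin;0;0;threat;/usr/local/bin/notify.sh --tag threat\\detected;"
          r"3;Relative command;0;0;start;notify.sh")


if __name__ == "__main__":
    for task in parse_scheduler_tasks(SAMPLE):
        print(task["id"], task["name"], "->", task["command"], lint_task(task) or "ok")
```

Round-tripping through build_scheduler_tasks reproduces SAMPLE exactly, which is a quick way to check that a hand-written value will be read back as intended before it goes into esets.cfg.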
Basic usage instructions can be found on the help page, and technical details about esets_wwwi on the esets_wwwi(1) man page. The web interface allows you to remotely access the ESETS daemon and deploy it easily. This powerful utility makes it easy to read and write configuration values.

Figure 6-1. ESET Security for Linux - Home screen.

The web interface window of ESET Mail Security is divided into two main sections: the primary window, which displays the contents of the selected menu option, and the main menu. This horizontal bar at the top lets you navigate between the following main options:

  Home           provides basic system and ESET product information
  Licenses       is a license management utility; see the following chapter for more details
  Configuration  you can change the ESET Mail Security system configuration here
  Control        allows you to run simple tasks and view global statistics about objects processed by esets_daemon
  Help           provides detailed usage instructions for the ESET Mail Security web interface
  Logout         use to end your current session

Important: Make sure you click the Save changes button after making any changes in the Configuration section of the web interface to save your new settings. To apply your settings you will need to restart the ESETS daemon by clicking Apply changes on the left pane.

7.7.1 License management

You can upload a new license using the web interface, as shown in Figure 6-2. To display licenses in the console, use the following command:

  @SBINDIR@/esets_lic --list

To import new license files, use the following command:

  @SBINDIR@/esets_lic --import *.lic

Figure 6-2. ESET Licenses.

You can enable the license notification option in the Scheduler section options. If enabled, this functionality will notify you 30 days prior to your license expiration.
Note: If you have a fully functional ESET File/Gateway Security for Linux, BSD and Solaris installation and you wish to expand it by adding ESET Mail Security, you will need to set your new username and password for ESET Mail Security either in the ESETS configuration file or in the web interface. This will prevent possible issues with updates in ESETS.

7.7.2 SMTP+Postfix configuration example

ESETS can be configured in two ways. In this example we demonstrate both when configuring the SMTP module, leaving the choice of your preferred configuration method to you.

Using the ESETS configuration file:

  [smtp]
  agent_enabled = yes
  listen_addr = "localhost"
  listen_port = 2526
  server_addr = "localhost"
  server_port = 2525

Using the web interface:

Figure 6-3. ESETS - Configuration > SMTP Agent.

Always remember to save your new configuration by clicking Save changes. To apply your new changes, click the Apply changes button in the Configuration sections panel.

There are various scanner options you can use to customize the scanning environment: actions, limits, modification masks, targets. Here is an example of a two-way filter based on a spam subject prefix:

  [smtp]
  action_as = "defer"
  as_eml_subject_prefix = "[SPAM]"

Figure 6-4. SMTP Scanner options.

7.7.3 Scheduler

You can manage the scheduler tasks either via the ESET configuration file (see the Scheduler chapter) or using the web interface.

Figure 6-5. ESETS - Global > Scheduler.

Click the checkbox to enable/disable a scheduled task. By default, the following scheduled tasks are displayed:

Log maintenance
The program automatically deletes older logs in order to save hard disk space. The Scheduler will start defragmenting logs. All empty log entries will be removed during this process. This will improve the speed when working with logs.
The improvement will be more noticeable if the logs contain a large number of entries.

Automatic startup file check
Scans memory and running services after a successful update of the virus signature database.

Regular automatic update
Regularly updating ESET Mail Security is the best method of keeping the maximum level of security on your computer. See the ESETS update utility for more information.

Regular update of AntiSpam modules
The period after which ESETS will check for available antispam module updates. If you do not set this scheduled task, ESETS will not regularly update its antispam database.

Threat notification
By default, each threat is logged to syslog. In addition, ESETS can be configured to run an external (notification) script to notify a system administrator via email about a threat detection.

License expiration
If enabled, this functionality will notify you 30 days prior to your license expiration. This task runs the @ETCDIR@/scripts/license_warning_script shell script, which sends an email to the email address of the root user account. The script can be customized to reflect specific server needs.

7.7.4 Statistics

You can view statistics for all active ESETS agents here. The Statistics summary refreshes every 10 seconds.

Figure 6-6. ESETS - Control > Statistics.

7.8 Remote Administration

ESETS supports ESET Remote Administration for mail security management in large computer networks.
The ESETS Remote Administration Client is part of the main ESETS daemon and performs the following functions:

  Communicates with ERA Server and provides you with system information, configuration, protection statuses and several other features
  Allows client configurations to be viewed/modified using the ESET Configuration Editor and implemented with the help of configuration tasks
  Can perform Update Now tasks
  Performs On-demand scans as requested and submits the results back to the ERA Server Scan Log (Note: for this option to be available you must have a valid license for ESET File Security)
  Adds logs of notable scans performed by the ESETS daemon to the Threat Log
  Sends all non-debug messages to the Event Log

These functionalities are not supported:

  Firewall Log
  Remote Install

Figure 6-7. ERA Console tabs.

For more information, please read the ESET Remote Administrator manual. This manual is located on our web site at the following link: http://www.eset.com/documentation

7.8.1 Remote Administration usage example

Before commencing any remote administration process, ensure your system fulfills the following three prerequisites:

  Running ERA Server
  Running ERA Console
  RA Client enabled in the ESETS daemon

Ensure that firewall settings do not block traffic to ERA Server or vice versa. To set up the basics, first specify the address of your ERA Server in the racl_server_addr parameter. If you are using a password to access the ERA Console, you must edit the value of the racl_password parameter accordingly. Change the value of the racl_interval parameter to adjust the frequency of connections to ERA Server (in minutes).
You can either use the web interface (see also the previous chapter) to apply the new configuration, or you can adjust these parameters in the [global] section of the ESETS configuration file as follows:

    racl_server_addr = "yourServerAddress"
    racl_server_port = 2222
    racl_password = "yourPassword"
    racl_interval = 1

Note: All applicable ESET Remote Administration Client variables are listed on the esets_daemon(8) man page.

The ESETS daemon configuration will be reloaded and RACL will connect to ERA Server. You will be able to see the newly connected client in your ERA Console. Press F5 (or Menu > View > Refresh) to manually refresh the list of connected clients.

Figure 6-8. ERA Console.

Using ERA Console you can create a configuration task for the ESETS daemon:

Right-click the connected Client Name
Navigate to New Task > Configuration Task > Create...
Expand the Unix ESET Security tree

For an example of a configuration task for the DAC agent, see below:

Figure 6-8. ERA Configuration Editor.

The New Task context menu contains On-demand scanning options (with cleaning enabled or disabled). In the On-Demand Scan pop-up window, select the desired product in the Configuration Section drop-down menu. Make sure that you select the On-demand Scan task for Unix ESET Security Product option (i.e. the product that is installed on your target workstation).

Figure 6-9. ERA On-demand scan.

7.9 Logging

ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events.
Messages refer to a facility: auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7

Messages are assigned a priority/level by the sender of the message: Error, Warning, Summall, Summ, Partall, Part, Info, Debug

This section describes how to configure and read the logging output of syslog. The syslog_facility option (default value daemon) defines the syslog facility used for logging. To modify syslog settings, edit the ESETS configuration file or use the Web interface. Modify the value of the syslog_class parameter to change the logging class. We recommend you modify these settings only if you are familiar with syslog. For an example syslog configuration, see below:

    syslog_facility = "daemon"
    syslog_class = "error:warning:summall"

The name and location of the log file depend on your syslog installation and configuration (e.g. rsyslog, syslog-ng, etc.). Standard filenames for syslog output files are, for example, syslog, daemon.log, etc. To follow syslog activity, run one of the following commands from the console:

    tail -f /var/log/syslog
    tail -100 /var/log/syslog | less
    grep esets /var/log/syslog | less

If you enable ESET Remote Administration, ERA log entries older than the number of days given by the option racl_logs_lifetime will be automatically deleted.

7.10 Command-line scripts

ESETS commands can be launched manually from the command line (@SBINDIR@/esets_*) or from a batch (".sh") script.

ESETS command-line usage:

esets_daemon
ESET Security Daemon is the main ESETS system control and scanning daemon module. It reads all the ESETS scanner configuration from the main ESETS configuration file and provides all the main tasks.
Usage: @SBINDIR@/esets_daemon [OPTIONS..]

esets_inst
ESET system integrator can be used to display and optionally execute commands that integrate ESETS with your system.
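The grep above matches any line containing "esets", including paths and unrelated programs. The following shell script is an added example (not part of the ESET manual) that restricts itself to lines tagged with the esets_daemon program name and then triages them by the syslog classes listed above. The message layout it parses ("esets_daemon[pid]: class[id]: key="value", ...") and the sample log lines are constructed for illustration, not captured from a real installation; adjust the awk and sed patterns to the layout your daemon actually writes.

```shell
#!/bin/sh
# Triage ESETS syslog output: count entries per logging class and list
# detections. Added example, not ESET code. The "class[id]: key="value""
# message layout is an ASSUMPTION made for this example.

# Constructed sample log lines (not real ESETS output).
SAMPLE_LOG='Jul  2 10:15:01 mail esets_daemon[1234]: summ[01a2]: agent=smtp, name="/var/spool/mail/x", virus="Eicar test file", action="rejected"
Jul  2 10:15:02 mail postfix/smtpd[2201]: connect from unknown[203.0.113.7]
Jul  2 10:15:03 mail esets_daemon[1234]: error[01a3]: cannot connect to update server
Jul  2 10:15:04 mail esets_daemon[1234]: warning[01a4]: license expires in 30 days
Jul  2 10:15:05 mail esets_daemon[1234]: summ[01a5]: agent=mda, name="/home/bob/mail", virus="Win32/TrojanDownloader.Agent", action="cleaned by deleting"
Jul  2 10:15:06 mail esets_daemon[1234]: info[01a6]: modules updated'

# esets_class_counts: read syslog lines on stdin, print "class count" for each
# ESETS class seen. Only lines whose program tag is esets_daemon are counted,
# so "esets" appearing in a path or another daemon's message is ignored.
esets_class_counts() {
  awk '
    $5 ~ /^esets_daemon\[/ {
      cls = $6; sub(/\[.*$/, "", cls)     # "summ[01a2]:" -> "summ"
      n[cls]++
    }
    END { for (c in n) print c, n[c] }' | sort
}

# esets_detections: print "action: virus" for every scan summary that names
# a threat (classes summ/summall/part/partall), ignoring status-only lines.
esets_detections() {
  grep -E 'esets_daemon\[[0-9]+\]: (summ|summall|part|partall)\[' |
  sed -n 's/.*virus="\([^"]*\)".*action="\([^"]*\)".*/\2: \1/p'
}

# Stand-alone demonstration on the constructed sample.
# Real use: esets_class_counts < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | esets_class_counts
printf '%s\n' "$SAMPLE_LOG" | esets_detections
```

Feeding `tail -f /var/log/syslog` into esets_detections gives a live view of what the scanner rejected or cleaned, which is the part of the log you want when investigating a reported message.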
This module features installation for mta, pop3, imap and smtp.
Usage: @SBINDIR@/esets_inst [OPTIONS..] [COMMAND]

esets_lic
The ESETS license management utility features management options that allow you to display information about your licenses, import license files into the license directory or remove expired licenses.
Usage: @SBINDIR@/esets_lic [OPTIONS..] [COMMAND] [FILES..]

esets_quar
The ESETS quarantine management utility module allows you to import any file system object into the quarantine storage area.
Usage: @SBINDIR@/esets_quar ACTIONS [RULES] [OBJECTS..]

esets_scan
ESET Command-line scanner is an on-demand anti-virus scanning module, which scans file system objects upon user request using the command line interface.
Usage: @SBINDIR@/esets_scan [OPTIONS..] FILES..

esets_set
The ESETS configuration file SET-up utility allows you to modify the ESETS configuration file as requested by the given command.
Usage: @SBINDIR@/esets_set [OPTIONS..] [COMMAND]

esets_setup
The ESETS setup utility is an interactive automated install script to help you easily integrate ESET Security with your system.
Usage: @SBINDIR@/esets_setup [OPTIONS..] [COMMAND]

esets_update
The ESETS update utility is a system utility for the creation, update and maintenance of the ESETS modules storage mirrors as well as for the update of the ESETS system.
Usage: @BINDIR@/esets_update [OPTIONS..]

The following commands are available only for ESET Mail Security.

esets_cgp
External filter plug-in for CommuniGate Pro, which reads e-mail filenames from standard input, requests esets_daemon to scan them and responds with the status.
Usage: @BINDIR@/esets_cgp [OPTIONS..]

esets_cli
The ESETS Command Line Interface module, the role of which is to scan all file system objects given as command line argument(s).
Usage: @BINDIR@/esets_cli [OPTIONS..] FILES..
esets_mda
The ESETS Mail Delivery Agent wrapper module, the role of which is to receive e-mail, request esets_daemon to scan it, and forward the scanned e-mail to the original MDA, since this module is not a full-featured MDA.

esets_pipe
A simple e-mail scanner, which reads the mail from stdin, requests esets_daemon to scan it and, if accepted, writes the scanned mail to standard output.
Usage: @BINDIR@/esets_pipe [OPTIONS..]

esets_zmfi
ZMailer contentfilter, which reads e-mail filenames from stdin, requests esets_daemon to scan them and responds with the status.
Usage: @BINDIR@/esets_zmfi [OPTIONS..]

8. ESET Security system update

8.1 ESETS update utility

To maintain the effectiveness of ESET Mail Security, the virus signature database must be kept up to date. The esets_update utility has been developed specifically for this purpose. See the esets_update(8) man page for details. To launch an update, the configuration options av_update_username and av_update_password must be defined in the [global] section of the ESETS configuration file. If your server accesses the Internet via an HTTP proxy, the additional configuration options proxy_addr and proxy_port must be defined. If access to the HTTP proxy requires a username and password, the proxy_username and proxy_password options must also be defined in this section. To initiate an update, enter the following command:

    @SBINDIR@/esets_update

Note: If you have a fully functional ESET File/Gateway Security for Linux, BSD and Solaris installation and you wish to expand it by adding ESET Mail Security, you will need to set your new username and password for ESET Mail Security either in the ESETS configuration file or in the web interface. This will prevent possible issues with updates in ESETS.
To provide the highest possible security for the end user, the ESET team continuously collects virus definitions from all over the world; new patterns are added to the virus signature database at very short intervals. For this reason, we recommend that updates be initiated on a regular basis. To specify the frequency of updates, configure the @update task in the scheduler_tasks option in the [global] section of the ESETS configuration file. You can also use the Scheduler to set the update frequency. The ESETS daemon must be up and running in order to successfully update the virus signature database.

8.2 ESETS update process description

The update process consists of two stages. First, the precompiled update modules are downloaded from the ESET server. If av_mirror_enabled is set to yes in the [global] section of the ESETS configuration file, copies (or mirrors) of these update modules are created in the following directory:

    @BASEDIR@/mirror

av_mirror_pcu allows you to download Program Component Update (PCU) modules for Windows-based ESET security products. These modules can be mirrored from the ESET server.

Note: To enable the mirror and download PCUs for ESET NOD32 Antivirus, ESET Smart Security, ESET Endpoint Antivirus or ESET Endpoint Security, you have to set your Username and Password for update purposes (as described in the topic above) and import a license for your specific ESET product.

The second stage of the update process is the compilation of modules loadable by the ESET Mail Security scanner from those stored in the local mirror. Typically, the following ESETS loading modules are created: loader module (em000.dat), scanner module (em001.dat), virus signature database module (em002.dat), archives support module (em003.dat), advanced heuristics module (em004.dat), etc.
The modules are created in the following directory:

    @BASEDIR@

This is the directory from which the ESETS daemon loads modules; it can be redefined using the base_dir option in the [global] section of the ESETS configuration file.

8.3 ESETS mirror http daemon

The http mirror daemon in ESET Mail Security allows you to create copies of update files that can be used to update other workstations in the network. Creating a "mirror" (a copy of the update files) in the LAN environment is convenient, since the update files need not be downloaded from the vendor update server repeatedly by each workstation. They are downloaded centrally to the local mirror server and then distributed to all workstations, thus avoiding the potential risk of network traffic overload. This is also a typical feature of ESET Remote Administrator.

The http mirror daemon needs to be properly configured to start and enable the mirror. In the example below esets_mird is configured to listen on port 2221 of a computer with the local network IP address 192.168.1.10. The following parameters in the [mird] section of the ESETS configuration file need to be specified:

    agent_enabled = yes
    listen_addr = "192.168.1.10"
    listen_port = 2221

The options listen_port and listen_addr define the port (default 2221) and address (default: all local TCP addresses) on which the http server listens. If you change the value of the auth_mode switch from 'none' to 'basic', the mirror will require authentication. The options username and password allow the administrator to define the login and password required to access the mirror. HTTP basic authentication sends these credentials unencrypted with every request, so keep the listener bound to the LAN address as in the example rather than the default of all addresses.

9. Let us know

We hope this guide has provided you with a thorough understanding of the requirements for ESET Mail Security installation, configuration and maintenance.
It is our goal to continually improve the quality and effectiveness of our documentation. For additional assistance with your ESET product, please visit our online Knowledgebase at the following URL: http://kb.eset.com

If you feel that any sections in this guide are unclear or incomplete or you are unable to resolve your issue, please let us know by using the support form directly: http://www.eset.com/support/contact

We are dedicated to providing the highest level of support and look forward to helping you should you experience any problems concerning this product.

10. Appendix A. ESETS setup and configuration

10.1 Setting ESETS for MTA Postfix

Inbound email message scanning

Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.

The objective of this installation is to insert esets_mda before the original Postfix MDA. The MDA to be used (with arguments) is set in the Postfix parameter mailbox_command.

Note: If the mailbox_command value is empty, Postfix alone is delivering mail. You must install and configure a real MDA (e.g. procmail) and use that first for the mailbox_command and arguments (e.g. /usr/bin/procmail -d "$USER"). Reload Postfix and make sure it is delivering mail according to your needs. You may then continue with the ESETS installation.

Take the full path to the current Postfix MDA and set the parameter mda_path in the [mda] section of the ESETS configuration file to it:

    mda_path = "/usr/bin/procmail"

Restart the ESETS daemon. Then replace the path to the current Postfix MDA with the esets_mda path and add -- --recipient="$RECIPIENT" --sender="$SENDER" to the arguments, as in the following example:

    mailbox_command = @BINDIR@/esets_mda -d "$USER" -- --recipient="$RECIPIENT" --sender="$SENDER"

To re-read the newly created configuration, reload Postfix.
Bi-directional email message scanning

The objective of this installation is to divert all mail from Postfix to esets_smtp and get it back into Postfix. In the [smtp] section of the ESETS configuration file, set the following parameters:

    agent_enabled = yes
    listen_addr = "localhost"
    listen_port = 2526
    server_addr = "localhost"
    server_port = 2525

Restart the ESETS daemon; esets_smtp will be started and will scan all SMTP communication accepted on listen_addr:listen_port and forward it to server_addr:server_port. To divert all mail to esets_smtp, set the following in Postfix:

    content_filter = smtp:[127.0.0.1]:2526

Note: If the content_filter parameter already has a value, do not follow these instructions. Instead, you must insert esets_smtp (or another ESETS mail scanning module) before or after your current content_filter.

Lastly, set Postfix to accept mail on port 2525 and continue processing it. To do this, add the following entry to the Postfix master.cf file:

    localhost:2525 inet n - n - - smtpd
      -o content_filter=
      -o myhostname=esets.yourdomain.com
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtpd_helo_restrictions=
      -o smtpd_client_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8

Replace yourdomain.com with your hostname. Make sure all but the first line are indented. The empty content_filter= override is what stops scanned mail from being sent through esets_smtp again, and the permit_mynetworks,reject restriction together with mynetworks=127.0.0.0/8 keeps the re-injection port from relaying for anyone but the local scanner. To re-read the newly created configuration, reload Postfix.

Note: If you have SELinux enabled, it will prevent Postfix from listening on 2525 (e.g. Fedora Core >= 5). In this case, run the following command:

    semanage port -a -t smtp_port_t -p tcp 2525

10.2 Setting ESETS for MTA Sendmail

Inbound email message scanning

Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.
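The master.cf entry above is easy to get subtly wrong: a missing content_filter= override loops scanned mail back into esets_smtp, an unindented continuation line is silently treated by Postfix as a new service, and a listener bound to all interfaces with a permissive restriction list is an open relay. The following shell script is an added example (not part of the ESET manual or of Postfix) that checks a master.cf service entry for exactly those mistakes. The two entries it examines are constructed: the first is the manual's entry, the second a deliberately broken variant.

```shell
#!/bin/sh
# Sanity-check a Postfix master.cf re-injection entry for esets_smtp.
# Added example, not ESET or Postfix code. Reports the mistakes that turn
# the listener into a mail loop or an open relay.

# Constructed sample: the entry from the manual.
GOOD_ENTRY='localhost:2525 inet n - n - - smtpd
  -o content_filter=
  -o myhostname=esets.yourdomain.com
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8'

# Constructed bad variant: bound to every interface, inherits content_filter
# from main.cf (scanned mail loops through esets_smtp), relays for anyone,
# and has one continuation line that is not indented.
BAD_ENTRY='0.0.0.0:2525 inet n - n - - smtpd
  -o myhostname=esets.yourdomain.com
  -o smtpd_recipient_restrictions=permit
-o mynetworks=0.0.0.0/0'

# reinject_opt OPTS KEY: value of the "-o KEY=..." override, empty if unset
reinject_opt() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# reinject_findings ENTRY: print one finding per line; no output means the
# entry passed all checks.
reinject_findings() {
  entry="$1"
  first=$(printf '%s\n' "$entry" | sed -n '1p')
  addr=${first%% *}
  case "$addr" in
    localhost:*|127.0.0.1:*) ;;
    *) echo "listener $addr is reachable from other hosts; bind it to localhost" ;;
  esac
  # Postfix treats an unindented line as the start of a new service, so the
  # override on that line and below it is not applied to this listener.
  if printf '%s\n' "$entry" | sed '1d' | grep -q '^[^[:space:]]'; then
    echo "continuation line not indented; Postfix will not apply it as an override"
  fi
  opts=$(printf '%s\n' "$entry" | sed -n 's/^[[:space:]]*-o[[:space:]]*//p')
  if ! printf '%s\n' "$opts" | grep -q '^content_filter='; then
    echo "content_filter not overridden; main.cf value is inherited and mail loops through esets_smtp"
  elif [ -n "$(reinject_opt "$opts" content_filter)" ]; then
    echo "content_filter override must be empty on the re-injection port"
  fi
  case "$(reinject_opt "$opts" smtpd_recipient_restrictions)" in
    reject|*,reject) ;;
    *) echo "smtpd_recipient_restrictions does not end with reject; port can be used as an open relay" ;;
  esac
  case "$(reinject_opt "$opts" mynetworks)" in
    127.0.0.0/8|127.0.0.1|127.0.0.1/32) ;;
    *) echo "mynetworks is not restricted to loopback; permit_mynetworks would trust remote clients" ;;
  esac
}

# reinject_finding_count ENTRY: number of findings (0 means the entry passed)
reinject_finding_count() {
  reinject_findings "$1" | grep -c . || true
}

# Stand-alone demonstration
echo "manual entry: $(reinject_finding_count "$GOOD_ENTRY") finding(s)"
echo "bad entry:"; reinject_findings "$BAD_ENTRY"
```

To check a live system, paste the esets re-injection service from your master.cf (the first line plus its indented -o lines) into a variable and pass it to reinject_findings; `postconf -M` on newer Postfix releases prints service entries in exactly this form.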
The objective of this installation is to insert esets_mda before Sendmail's original MDA.

Note: On FreeBSD, Sendmail may be communicating with the MDA using LMTP. However, esets_mda does not understand LMTP. If you have FEATURE(local_lmtp) in hostname.mc, comment it out now and recreate sendmail.cf.

The currently used MDA can be found in the file sendmail.cf in the section Mlocal: parameters P (executable) and A (its name and arguments). First, set mda_path in the [mda] section of the ESETS configuration file to the currently used MDA executable (Sendmail's P parameter). Then restart the ESETS daemon. Next, add the lines below to the sendmail.mc file (or hostname.mc on FreeBSD and Solaris) before all MAILER definitions:

    define(`LOCAL_MAILER_PATH', `@BINDIR@/esets_mda')dnl
    define(`LOCAL_MAILER_ARGS', `esets_mda original_arguments -- --sender $f --recipient $u@$j')dnl

In the example above, original_arguments is Sendmail's A parameter without the name (first word). Lastly, recreate sendmail.cf and restart Sendmail.

Bi-directional email message scanning

The objective of this installation is to scan all mail in Sendmail using the esets_smfi filter. In the [smfi] section of the ESETS configuration file, set the following parameters:

    agent_enabled = yes
    smfi_sock_path = "/var/run/esets_smfi.sock"

Restart the ESETS daemon. Then add the line below to the sendmail.mc file (or hostname.mc on FreeBSD) before all MAILER definitions:

    INPUT_MAIL_FILTER(`esets_smfi', `S=local:/var/run/esets_smfi.sock, F=T, T=S:2m;R:2m;E:5m')dnl

With these settings, Sendmail will communicate with esets_smfi via the unix socket /var/run/esets_smfi.sock. Flag F=T will result in a temporary failure of the connection if the filter is unavailable, so mail is deferred rather than delivered unscanned.
S:2m defines a 2 minute timeout for sending information from the MTA to the filter, R:2m defines a 2 minute timeout for reading replies from the filter and E:5m sets an overall 5 minute timeout between sending end-of-message to the filter and waiting for the final acknowledgment. If the timeouts for the esets_smfi filter are too short, Sendmail can temporarily defer the message to the queue and attempt to pass it through later. However, this may lead to continuous deferral of the same messages. To avoid this problem, the timeouts should be set properly. You can experiment with Sendmail's confMAX_MESSAGE_SIZE parameter, which is the maximum accepted message size in bytes. Taking into account this value and the approximate maximum time for the MTA to process a message of that size (this can be measured), you can determine the most effective timeout settings for the esets_smfi filter. Lastly, recreate sendmail.cf and restart Sendmail.

10.3 Setting ESETS for MTA Qmail

Inbound email message scanning

The objective of this installation is to insert esets_mda before Qmail's local delivery agent. Assuming Qmail is installed in the /var/qmail directory, in the [mda] section of the ESETS configuration file set the following parameter:

    mda_path = "/var/qmail/bin/qmail-esets_mda"

Restart the ESETS daemon. Create the file /var/qmail/bin/qmail-esets_mda with the following content and run chmod a+x on it:

    #!/bin/sh
    exec qmail-local -- "$USER" "$HOME" "$LOCAL" "" "$EXT" "$HOST" "$SENDER" "$1"

This will cause esets_mda to call Qmail's local delivery agent.
Next, create the file /var/qmail/bin/qmail-start.esets with the following content and also run chmod a+x on it:

    #!/bin/sh
    A="$1"; shift
    exec qmail-start.orig "|@BINDIR@/esets_mda '$A'"' -- --sender="$SENDER" --recipient="$RECIPIENT"' "$@"

This will start Qmail using esets_mda for local deliveries. The original delivery specification is passed to qmail-local through esets_mda. Note that in this configuration esets_mda will use Qmail's recognized exit codes (see the qmail-command(8) man page). Lastly, replace qmail-start using these commands:

    mv /var/qmail/bin/qmail-start /var/qmail/bin/qmail-start.orig
    ln -s qmail-start.esets /var/qmail/bin/qmail-start

Restart Qmail.

Bi-directional email message scanning

The objective of this installation is to insert esets_mda before qmail-queue, which queues all mail before delivery. Assuming Qmail is installed in the /var/qmail directory, in the [mda] section of the ESETS configuration file set the following parameter:

    mda_path = "/var/qmail/bin/qmail-queue.esets"

Restart the ESETS daemon. Lastly, replace qmail-queue using these commands:

    mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue.esets
    ln -s @BINDIR@/esets_mda /var/qmail/bin/qmail-queue

Restarting Qmail is unnecessary. All messages enqueued from now on will be scanned by ESETS. Note that in this configuration esets_mda will use qmail-queue's exit codes (see the qmail-queue(8) man page).

10.4 Setting ESETS for MTA Exim version 3

Inbound email message scanning

The objective of this installation is to create an Exim transport from esets_mda for local users. In the [mda] section of the ESETS configuration file set the following parameter:

    mda_path = "/usr/sbin/exim"

In the above, /usr/sbin/exim is the full path to the Exim binary. Restart the ESETS daemon.
Next, add the following transport (on any line) to the list of Exim transports:

    esets_transport:
      driver = pipe
      command = @BINDIR@/esets_mda -oi -oMr esets-scanned $local_part@$domain \
        -- --sender=$sender_address --recipient=$local_part@$domain
      user = mail

In the above example, mail is one of Exim's trusted_users. Now add the following director to the top of the list of Exim directors:

    esets_director:
      driver = smartuser
      condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
      transport = esets_transport
      verify = false

This will send all unscanned mail for local users to esets_mda; esets_mda will then send it back to Exim for further processing. The -oMr esets-scanned option marks the re-injected mail with that received protocol, so the condition above does not route it through the scanner a second time. To re-read the newly created configuration, restart Exim.

Bi-directional email message scanning

The goal of this installation is to create an Exim transport from esets_mda for all mail. Perform all steps from the previous section, but also add this router to the top of the Exim router list:

    esets_router:
      driver = domainlist
      route_list = "* localhost byname"
      condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
      transport = esets_transport
      verify = false

10.5 Setting ESETS for MTA Exim version 4

Inbound email message scanning

The goal of this installation is to create an Exim transport from esets_mda for local users. In the [mda] section of the ESETS configuration file, set this parameter:

    mda_path = "/usr/sbin/exim"

or, if you are using FreeBSD, this parameter:

    mda_path = "/usr/local/sbin/exim"

where /usr/sbin/exim (or /usr/local/sbin/exim) is the full path to the Exim binary. Then restart the ESETS daemon.
Add this router to the top of the Exim router list:

    esets_router:
      driver = accept
      domains = +local_domains
      condition = "${if eq {$received_protocol}{esets-scanned} {0}{1}}"
      transport = esets_transport
      verify = false

and this transport (at any location) to the list of Exim transports:

    esets_transport:
      driver = pipe
      command = @BINDIR@/esets_mda -oi -oMr esets-scanned $local_part@$domain \
        -- --sender=$sender_address --recipient=$local_part@$domain

This will send all unscanned mail for local users to esets_mda; esets_mda will then send it back to Exim for further processing. To re-read the newly created configuration, restart Exim.

Bi-directional email message scanning

The goal of this installation is to create an Exim transport from esets_mda for all mail. Perform all steps from the previous section, but omit this line in esets_router:

    domains = +local_domains

10.6 Setting ESETS for MTA ZMailer

Inbound email message scanning

The goal of this installation is to use esets_mda as ZMailer's local delivery agent. However, you must have a real MDA installed, such as procmail. In the [mda] section of the ESETS configuration file, set this parameter:

    mda_path = "/path/to/procmail"

and restart the ESETS daemon. Procmail doesn't support the full email address as a recipient, so comment out this line in ZMailer's router.cf by prepending a #:

    localdoesdomain=1

Next, in the local/* clause of scheduler.conf, replace your current delivery command with:

    command="sm -c $channel esets"

and append this line to sm.conf (replace your.hostname.com with your FQDN):

    esets sSPfn @BINDIR@/esets_mda esets_mda -a $h -d $u -- --sender $g --recipient $u@your.hostname.com

Finally, restart ZMailer.

Bi-directional email message scanning

The goal of this installation is to use esets_zmfi as ZMailer's SMTP contentfilter. First start the ESETS daemon.
Then add this line to smtpserver.conf:

    PARAM contentfilter @BINDIR@/esets_zmfi

and restart ZMailer. Please note that this will scan only the email messages coming through the smtpserver. Also, make sure that your smtp-policy is filtering all email according to your needs.

10.7 Setting ESETS for MTA Novell GroupWise

ESETS GroupWise Internet Agent contentfilter module scanning is performed using the esets_gwia daemon. The [gwia] section of the ESETS configuration file should look like this:

    agent_enabled = yes
    gwia_smtphome = "/var/spool/gwia/esets"
    gwia_dhome = "/var/spool/gwia/queues"

Note: According to the Handle Object Policy, configuration options in the [gwia] section such as action_av, action_av_infected and action_as with the actions defer and reject will be changed to discard. These events will be logged to syslog.

Ensure that these parameters were set by the esets_setup installer in the gwia.cfg configuration file (located in /opt/novell/groupwise/agents/share/):

    --home /opt/novell/groupwise/wpgate/gwia
    --dhome /var/spool/gwia/queues
    --smtphome /var/spool/gwia/esets

10.8 Setting ESETS for outbound email message scanning

Outbound email message scanning is performed using the esets_smtp daemon. In the [smtp] section of the ESETS configuration file, set these parameters:

    agent_enabled = yes
    listen_addr = "192.168.1.10"
    listen_port = 2525

where listen_addr is the address of the local network interface named if0 (the same 192.168.1.10 that the FreeBSD and ipnat redirect rules below forward to). Then restart the ESETS daemon. The next step is to redirect all SMTP requests to esets_smtp.
If IP filtering is being performed by the ipchains administration tool, an appropriate rule would be:

    ipchains -A INPUT -p tcp -i if0 --dport 25 -j REDIRECT 2525

If IP filtering is being performed by the iptables administration tool, the rule is:

    iptables -t nat -A PREROUTING -p tcp -i if0 --dport 25 -j REDIRECT --to-ports 2525

On FreeBSD, the rule is as follows:

    ipfw add fwd 192.168.1.10,2525 tcp from any to any 25 via if0 in

On NetBSD and Solaris:

    echo 'rdr if0 0.0.0.0/0 port 25 -> 192.168.1.10 port 2525 tcp' | ipnat -f -

Warning: Your MTA may accept all connections coming from esets_smtp without extensive checking, because those connections are local. When writing your own firewall rules, make sure you do not create an open relay, i.e. allow someone from the outside to connect to esets_smtp and use it as a relay SMTP server. Restrict access to the esets_smtp listen port to the clients on if0 that are supposed to send outbound mail, and verify from an outside address that a RCPT TO for a domain you do not serve is rejected.

10.9 Setting ESETS for scanning of POP3 communication

POP3 communication scanning is performed using the esets_pop3 daemon. In the [pop3] section of the ESETS configuration file, set these parameters:

    agent_enabled = yes
    listen_addr = "192.168.1.10"
    listen_port = 8110

where listen_addr is the address of the local network interface named if0. Then restart the ESETS daemon. The next step is to redirect all POP3 requests to esets_pop3.
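The open-relay warning above is best verified by running the dialog an attacker would: connect to the esets_smtp port from an address outside the network, issue MAIL FROM and RCPT TO for domains the MTA does not serve, and see whether the RCPT is accepted. The shell script below is an added example (not part of the ESET manual) with the client side of that probe and a reply classifier; it never sends DATA, so nothing is delivered even when the relay is open. The probe addresses in the .invalid domain, the two reply transcripts and the use of nc(1) are assumptions made for this example; the transcripts are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Open-relay probe for an esets_smtp listener (or any SMTP port).
# Added example, not ESET code. relay_probe_commands is the client side of
# the dialog, relay_verdict classifies the server's replies.

# ASSUMPTION: both addresses lie in a domain the MTA does not serve; a 250
# for RCPT TO is then relaying, not legitimate local delivery.
PROBE_FROM='probe@relaytest.invalid'
PROBE_TO='nobody@elsewhere.invalid'

# relay_probe_commands HELO_NAME: the SMTP commands sent by the probe.
# No DATA is sent, so the server never gets a message to relay.
relay_probe_commands() {
  printf 'EHLO %s\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nRSET\r\nQUIT\r\n' \
    "$1" "$PROBE_FROM" "$PROBE_TO"
}

# relay_verdict: read the server's reply lines on stdin and print "open",
# "closed" or "incomplete". Replies arrive in order: banner, EHLO, MAIL FROM,
# RCPT TO, ... A multi-line reply ends on the line whose 4th character is a
# space ("250 " rather than "250-"), so the 4th such line answers RCPT TO.
relay_verdict() {
  awk '
    { sub(/\r$/, "") }                       # tolerate CRLF from a live server
    /^[0-9][0-9][0-9] / || /^[0-9][0-9][0-9]$/ {
      n++
      if (n == 4) code = substr($0, 1, 3)
    }
    END {
      if (code == "")        print "incomplete"
      else if (code ~ /^25/) print "open"
      else                   print "closed"
    }'
}

# relay_probe HOST PORT: run the dialog against a live server with nc(1).
# -w is the timeout in seconds; other flags differ between nc variants, so
# check your own nc before running this unattended.
relay_probe() {
  relay_probe_commands "$(hostname)" | nc -w 10 "$1" "$2" | relay_verdict
}

# Constructed transcripts (not captured from a real server) for testing.
TRANSCRIPT_OPEN='220 esets.yourdomain.com ESMTP
250-esets.yourdomain.com
250-SIZE 10240000
250 8BITMIME
250 2.1.0 Ok
250 2.1.5 Ok
250 2.0.0 Ok
221 2.0.0 Bye'

TRANSCRIPT_CLOSED='220 mail.example ESMTP Postfix
250-mail.example
250 8BITMIME
250 2.1.0 Ok
554 5.7.1 <nobody@elsewhere.invalid>: Relay access denied
250 2.0.0 Ok
221 2.0.0 Bye'

# Stand-alone demonstration
printf '%s\n' "$TRANSCRIPT_OPEN"   | relay_verdict
printf '%s\n' "$TRANSCRIPT_CLOSED" | relay_verdict
```

Run `relay_probe 192.168.1.10 2525` from a host outside if0 (and from the Internet side if the server is exposed there); anything other than "closed" means the firewall rules or the MTA's relay restrictions still need work. Running the same probe from a legitimate client on if0 confirms that outbound mail from the LAN is still accepted.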
If IP filtering is being performed by the ipchains administration tool, an appropriate rule is:

    ipchains -A INPUT -p tcp -i if0 --dport 110 -j REDIRECT 8110

If IP filtering is being performed by the iptables administration tool, the rule would be:

    iptables -t nat -A PREROUTING -p tcp -i if0 --dport 110 -j REDIRECT --to-ports 8110

On FreeBSD, the rule is as follows:

    ipfw add fwd 192.168.1.10,8110 tcp from any to any 110 via if0 in

On NetBSD and Solaris:

    echo 'rdr if0 0.0.0.0/0 port 110 -> 192.168.1.10 port 8110 tcp' | ipnat -f -

10.10 Setting ESETS for scanning of IMAP communication

IMAP communication scanning is performed using the esets_imap daemon. In the [imap] section of the ESETS configuration file, set these parameters:

    agent_enabled = yes
    listen_addr = "192.168.1.10"
    listen_port = 8143

where listen_addr is the address of the local network interface named if0. Then restart the ESETS daemon. The next step is to redirect all IMAP requests to esets_imap.

If IP filtering is being performed by the ipchains administration tool, an appropriate rule would be:

    ipchains -A INPUT -p tcp -i if0 --dport 143 -j REDIRECT 8143

If IP filtering is being performed by the iptables administration tool, the rule is:

    iptables -t nat -A PREROUTING -p tcp -i if0 --dport 143 -j REDIRECT --to-ports 8143

On FreeBSD, the rule is as follows:

    ipfw add fwd 192.168.1.10,8143 tcp from any to any 143 via if0 in

On NetBSD and Solaris:

    echo 'rdr if0 0.0.0.0/0 port 143 -> 192.168.1.10 port 8143 tcp' | ipnat -f -

11. Appendix B. PHP License

The PHP License, version 3.01
Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP software, freely available from <http://www.php.net/software/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.